Apply gate: resolve team from GitHub API for team-based roles (#95)

Alexanderamiri · web-flow · commit f5432424ea8f · 2026-03-18T00:32:26.000Z
## Summary The apply gate Lambda used the old per-app role pattern (`javabin-ci-app-{repo}`). Updated to resolve team from GitHub API (same as the CI broker) and assume `javabin-ci-team-{team}`. Also includes the boundary ARN construction fix from PR #94. ### Changes - **`shared/github.py`**: Extracted GitHub App auth + team resolution from ci_broker into shared module - **`ci_broker/handler.py`**: Uses `shared.github.resolve_team()` instead of inline copy - **`apply_gate/handler.py`**: Uses `shared.github.resolve_team()` to find team, assumes `javabin-ci-team-{team}` - **`lambdas/main.tf`**: Added SSM read for GitHub App creds to gate role. Switched ci_broker + apply_gate archives to `source{}` blocks to include shared module. - **`registry.py`** + **`platform-data/main.tf`**: Construct boundary ARN instead of data source ## Test plan - [ ] Merge, wait for apply (deploys updated Lambdas) - [ ] Retrigger test app CI — apply gate should resolve team and assume correct role
diff --git a/terraform/lambda-src/apply_gate/handler.py b/terraform/lambda-src/apply_gate/handler.py
@@ -7,7 +7,7 @@
 
 The signing key lives in SSM. Only this Lambda can read it. CI roles invoke
 the Lambda but never see the key. Temp credentials are issued via STS
-AssumeRole on the app's CI role.
+AssumeRole on the team's CI role (resolved from GitHub team membership).
 """
 
 import hashlib
@@ -18,6 +18,7 @@
 import time
 
 import boto3
+from shared.github import resolve_team
 
 logger = logging.getLogger(__name__)
 logger.setLevel(logging.INFO)
@@ -204,9 +205,18 @@ def action_status(event):
 
 
 def _issue_credentials(repo_name):
-    """Assume the app's CI role and return temporary credentials."""
+    """Resolve team from GitHub and assume the team's CI role."""
     account_id = os.environ.get("ACCOUNT_ID", "")
-    role_arn = f"arn:aws:iam::{account_id}:role/{PROJECT}-ci-app-{repo_name}"
+
+    team = resolve_team(repo_name)
+    if not team:
+        raise RuntimeError(
+            f"Repo '{repo_name}' is not in any GitHub team. "
+            f"Add it at https://github.com/orgs/javaBin/teams"
+        )
+
+    role_arn = f"arn:aws:iam::{account_id}:role/{PROJECT}-ci-team-{team}"
+    logger.info("Assuming team role %s for repo %s", role_arn, repo_name)
 
     resp = sts.assume_role(
         RoleArn=role_arn,
diff --git a/terraform/lambda-src/ci_broker/handler.py b/terraform/lambda-src/ci_broker/handler.py
@@ -13,26 +13,18 @@
 import json
 import logging
 import os
-import time
-import urllib.request
 
 import boto3
+from shared.github import resolve_team
 
 logger = logging.getLogger(__name__)
 logger.setLevel(logging.INFO)
 
-ssm = boto3.client("ssm")
 sts = boto3.client("sts")
 
 ACCOUNT_ID = os.environ.get("AWS_ACCOUNT_ID", "")
 PROJECT = os.environ.get("PROJECT", "javabin")
 GITHUB_ORG = os.environ.get("GITHUB_ORG", "javaBin")
-GITHUB_APP_ID_PARAM = os.environ.get("GITHUB_APP_ID_PARAM", "/javabin/platform/github-app-id")
-GITHUB_APP_KEY_PARAM = os.environ.get("GITHUB_APP_KEY_PARAM", "/javabin/platform/github-app-key")
-
-# Cache GitHub App token across invocations (valid for 1 hour)
-_token_cache = {"token": None, "expires_at": 0}
-_ssm_cache = {}
 
 PLAN_DURATION = 3600   # 1 hour for plan
 DEPLOY_DURATION = 900  # 15 minutes for deploy
@@ -42,120 +34,6 @@
     "deploy": f"{PROJECT}-ci-deploy-",
 }
 
-EXCLUDED_TEAMS = {"platform"}
-
-
-def _get_ssm(param_name):
-    if param_name not in _ssm_cache:
-        resp = ssm.get_parameter(Name=param_name, WithDecryption=True)
-        _ssm_cache[param_name] = resp["Parameter"]["Value"]
-    return _ssm_cache[param_name]
-
-
-def _github_app_token():
-    """Generate a GitHub App installation token (cached for 50 minutes)."""
-    now = time.time()
-    if _token_cache["token"] and _token_cache["expires_at"] > now:
-        return _token_cache["token"]
-
-    import subprocess
-    import tempfile
-
-    app_id = _get_ssm(GITHUB_APP_ID_PARAM)
-    private_key = _get_ssm(GITHUB_APP_KEY_PARAM)
-
-    # Build JWT (Header.Payload.Signature)
-    import base64
-    import hashlib
-    import hmac
-
-    header = base64.urlsafe_b64encode(json.dumps(
-        {"alg": "RS256", "typ": "JWT"}).encode()).rstrip(b"=").decode()
-
-    iat = int(now) - 60
-    exp = iat + 600
-    payload = base64.urlsafe_b64encode(json.dumps(
-        {"iss": app_id, "iat": iat, "exp": exp}).encode()).rstrip(b"=").decode()
-
-    signing_input = f"{header}.{payload}"
-
-    # Sign with RS256 using openssl (available in Lambda runtime)
-    with tempfile.NamedTemporaryFile(mode="w", suffix=".pem", delete=False) as f:
-        f.write(private_key)
-        key_file = f.name
-
-    result = subprocess.run(
-        ["openssl", "dgst", "-sha256", "-sign", key_file],
-        input=signing_input.encode(),
-        capture_output=True,
-    )
-    os.unlink(key_file)
-
-    if result.returncode != 0:
-        raise RuntimeError(f"JWT signing failed: {result.stderr.decode()}")
-
-    signature = base64.urlsafe_b64encode(result.stdout).rstrip(b"=").decode()
-    jwt_token = f"{signing_input}.{signature}"
-
-    # Exchange JWT for installation token
-    # First, find the installation ID for the org
-    req = urllib.request.Request(
-        f"https://api.github.com/app/installations",
-        headers={
-            "Authorization": f"Bearer {jwt_token}",
-            "Accept": "application/vnd.github+json",
-        },
-    )
-    with urllib.request.urlopen(req) as resp:
-        installations = json.loads(resp.read())
-
-    install_id = None
-    for inst in installations:
-        if inst.get("account", {}).get("login") == GITHUB_ORG:
-            install_id = inst["id"]
-            break
-
-    if not install_id:
-        raise RuntimeError(f"No GitHub App installation found for {GITHUB_ORG}")
-
-    req = urllib.request.Request(
-        f"https://api.github.com/app/installations/{install_id}/access_tokens",
-        method="POST",
-        headers={
-            "Authorization": f"Bearer {jwt_token}",
-            "Accept": "application/vnd.github+json",
-        },
-    )
-    with urllib.request.urlopen(req) as resp:
-        token_resp = json.loads(resp.read())
-
-    _token_cache["token"] = token_resp["token"]
-    _token_cache["expires_at"] = now + 3000  # Cache for ~50 minutes
-    return _token_cache["token"]
-
-
-def _resolve_team(repo_name):
-    """Resolve which team a repo belongs to via GitHub API."""
-    token = _github_app_token()
-    req = urllib.request.Request(
-        f"https://api.github.com/repos/{GITHUB_ORG}/{repo_name}/teams",
-        headers={
-            "Authorization": f"token {token}",
-            "Accept": "application/vnd.github+json",
-        },
-    )
-    try:
-        with urllib.request.urlopen(req) as resp:
-            teams = json.loads(resp.read())
-    except urllib.error.HTTPError as e:
-        logger.error("GitHub API error for %s: %s", repo_name, e)
-        return None
-
-    for team in teams:
-        if team["slug"] not in EXCLUDED_TEAMS:
-            return team["slug"]
-    return None
-
 
 def _assume_role(role_arn, session_name, duration):
     """Assume an IAM role and return temporary credentials."""
@@ -183,7 +61,7 @@ def handler(event, context):
         return {"error": f"Invalid action: {action}. Must be plan or deploy", "approved": False}
 
     # Resolve team from GitHub
-    team = _resolve_team(repo)
+    team = resolve_team(repo)
     if not team:
         logger.warning("Repo %s does not belong to any team", repo)
         return {
diff --git a/terraform/lambda-src/shared/github.py b/terraform/lambda-src/shared/github.py
@@ -0,0 +1,143 @@
+"""GitHub App authentication and team resolution.
+
+Shared by ci_broker and apply_gate Lambdas. Uses the platform GitHub App
+to generate installation tokens and resolve repo→team membership.
+"""
+
+import base64
+import json
+import logging
+import os
+import subprocess
+import tempfile
+import time
+import urllib.error
+import urllib.request
+
+import boto3
+
+logger = logging.getLogger(__name__)
+
+ssm = boto3.client("ssm")
+
+GITHUB_ORG = os.environ.get("GITHUB_ORG", "javaBin")
+GITHUB_APP_ID_PARAM = os.environ.get(
+    "GITHUB_APP_ID_PARAM", "/javabin/platform/github-app-id"
+)
+GITHUB_APP_KEY_PARAM = os.environ.get(
+    "GITHUB_APP_KEY_PARAM", "/javabin/platform/github-app-key"
+)
+
+EXCLUDED_TEAMS = {"platform"}
+
+# Cache across invocations
+_token_cache = {"token": None, "expires_at": 0}
+_ssm_cache = {}
+
+
+def _get_ssm(param_name):
+    if param_name not in _ssm_cache:
+        resp = ssm.get_parameter(Name=param_name, WithDecryption=True)
+        _ssm_cache[param_name] = resp["Parameter"]["Value"]
+    return _ssm_cache[param_name]
+
+
+def github_app_token():
+    """Generate a GitHub App installation token (cached for 50 minutes)."""
+    now = time.time()
+    if _token_cache["token"] and _token_cache["expires_at"] > now:
+        return _token_cache["token"]
+
+    app_id = _get_ssm(GITHUB_APP_ID_PARAM)
+    private_key = _get_ssm(GITHUB_APP_KEY_PARAM)
+
+    # Build JWT (Header.Payload.Signature)
+    header = base64.urlsafe_b64encode(json.dumps(
+        {"alg": "RS256", "typ": "JWT"}).encode()).rstrip(b"=").decode()
+
+    iat = int(now) - 60
+    exp = iat + 600
+    payload = base64.urlsafe_b64encode(json.dumps(
+        {"iss": app_id, "iat": iat, "exp": exp}).encode()).rstrip(b"=").decode()
+
+    signing_input = f"{header}.{payload}"
+
+    # Sign with RS256 using openssl (available in Lambda runtime)
+    with tempfile.NamedTemporaryFile(mode="w", suffix=".pem", delete=False) as f:
+        f.write(private_key)
+        key_file = f.name
+
+    result = subprocess.run(
+        ["openssl", "dgst", "-sha256", "-sign", key_file],
+        input=signing_input.encode(),
+        capture_output=True,
+    )
+    os.unlink(key_file)
+
+    if result.returncode != 0:
+        raise RuntimeError(f"JWT signing failed: {result.stderr.decode()}")
+
+    signature = base64.urlsafe_b64encode(result.stdout).rstrip(b"=").decode()
+    jwt_token = f"{signing_input}.{signature}"
+
+    # Exchange JWT for installation token
+    req = urllib.request.Request(
+        "https://api.github.com/app/installations",
+        headers={
+            "Authorization": f"Bearer {jwt_token}",
+            "Accept": "application/vnd.github+json",
+        },
+    )
+    with urllib.request.urlopen(req) as resp:
+        installations = json.loads(resp.read())
+
+    install_id = None
+    for inst in installations:
+        if inst.get("account", {}).get("login") == GITHUB_ORG:
+            install_id = inst["id"]
+            break
+
+    if not install_id:
+        raise RuntimeError(f"No GitHub App installation found for {GITHUB_ORG}")
+
+    req = urllib.request.Request(
+        f"https://api.github.com/app/installations/{install_id}/access_tokens",
+        method="POST",
+        headers={
+            "Authorization": f"Bearer {jwt_token}",
+            "Accept": "application/vnd.github+json",
+        },
+    )
+    with urllib.request.urlopen(req) as resp:
+        token_resp = json.loads(resp.read())
+
+    _token_cache["token"] = token_resp["token"]
+    _token_cache["expires_at"] = now + 3000  # Cache for ~50 minutes
+    return _token_cache["token"]
+
+
+def resolve_team(repo_name):
+    """Resolve which team a repo belongs to via GitHub API.
+
+    Returns the team slug, or None if the repo isn't in any team.
+    Excludes platform-internal teams (e.g. 'platform').
+    """
+    token = github_app_token()
+    req = urllib.request.Request(
+        f"https://api.github.com/repos/{GITHUB_ORG}/{repo_name}/teams",
+        headers={
+            "Authorization": f"token {token}",
+            "Accept": "application/vnd.github+json",
+        },
+    )
+    try:
+        with urllib.request.urlopen(req) as resp:
+            teams = json.loads(resp.read())
+    except urllib.error.HTTPError as e:
+        logger.error("GitHub API error for %s: %s", repo_name, e)
+        return None
+
+    for team in teams:
+        if team["slug"] not in EXCLUDED_TEAMS:
+            return team["slug"]
+    return None
diff --git a/terraform/platform/lambdas/main.tf b/terraform/platform/lambdas/main.tf
@@ -1266,7 +1266,19 @@ data "archive_file" "apply_gate" {
   type             = "zip"
   output_path      = "${path.module}/builds/apply_gate.zip"
   output_file_mode = "0644"
-  source_dir       = "${local.lambda_src_path}/apply_gate"
+
+  source {
+    content  = file("${local.lambda_src_path}/apply_gate/handler.py")
+    filename = "handler.py"
+  }
+  source {
+    content  = file("${local.lambda_src_path}/shared/__init__.py")
+    filename = "shared/__init__.py"
+  }
+  source {
+    content  = file("${local.lambda_src_path}/shared/github.py")
+    filename = "shared/github.py"
+  }
 }
 
 resource "aws_iam_role" "apply_gate" {
@@ -1311,6 +1323,15 @@ resource "aws_iam_role_policy" "apply_gate" {
         Action   = "sts:AssumeRole"
         Resource = "arn:aws:iam::${var.aws_account_id}:role/${var.project}-ci-team-*"
       },
+      {
+        Sid    = "ReadGitHubAppCredentials"
+        Effect = "Allow"
+        Action = "ssm:GetParameter"
+        Resource = [
+          "arn:aws:ssm:${var.region}:${var.aws_account_id}:parameter/${var.project}/platform/github-app-id",
+          "arn:aws:ssm:${var.region}:${var.aws_account_id}:parameter/${var.project}/platform/github-app-key",
+        ]
+      },
     ]
   })
 }
@@ -1349,7 +1370,19 @@ data "archive_file" "ci_broker" {
   type             = "zip"
   output_path      = "${path.module}/builds/ci_broker.zip"
   output_file_mode = "0644"
-  source_dir       = "${local.lambda_src_path}/ci_broker"
+
+  source {
+    content  = file("${local.lambda_src_path}/ci_broker/handler.py")
+    filename = "handler.py"
+  }
+  source {
+    content  = file("${local.lambda_src_path}/shared/__init__.py")
+    filename = "shared/__init__.py"
+  }
+  source {
+    content  = file("${local.lambda_src_path}/shared/github.py")
+    filename = "shared/github.py"
+  }
 }
 
 resource "aws_iam_role" "ci_broker" {
