
Module - Runner binaries syncer

This module is treated as an internal module; breaking changes will not trigger a major release bump.

This module creates a Lambda function that syncs the GitHub Actions runner binary to an S3 bucket; the Lambda is triggered by a CloudWatch event. The distribution is cached to avoid the latency of downloading it during runner setup. After deployment the Lambda is triggered once via an S3 object created at deployment time.

Usage

Usage examples are available in the root module. By default, the root module assumes that local zip files containing the lambda distribution are available. See the download lambda module for more information.

Lambda Function

The Lambda function is written in TypeScript and requires Node 12.x and yarn. Sources are located in ./lambdas/runners-binaries-syncer.

Install

```shell
# the sources directory named above
cd lambdas/runners-binaries-syncer
yarn install
```

Test

Tests are implemented with Jest; calls to AWS and GitHub are mocked.

```shell
yarn run test
```

Package

ncc is used to compile all TypeScript/JavaScript sources into a single file.

```shell
yarn run dist
```

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.3.0 |
| aws | ~> 4.0 |

Providers

| Name | Version |
|------|---------|
| aws | ~> 4.0 |

Modules

No modules.

Resources

| Name | Type |
|------|------|
| aws_cloudwatch_event_rule.syncer | resource |
| aws_cloudwatch_event_target.syncer | resource |
| aws_cloudwatch_log_group.syncer | resource |
| aws_iam_role.syncer_lambda | resource |
| aws_iam_role_policy.lambda_kms | resource |
| aws_iam_role_policy.lambda_logging | resource |
| aws_iam_role_policy.lambda_syncer_vpc | resource |
| aws_iam_role_policy.syncer | resource |
| aws_iam_role_policy_attachment.syncer_vpc_execution_role | resource |
| aws_lambda_function.syncer | resource |
| aws_lambda_permission.on_deploy | resource |
| aws_lambda_permission.syncer | resource |
| aws_s3_bucket.action_dist | resource |
| aws_s3_bucket_acl.action_dist_acl | resource |
| aws_s3_bucket_lifecycle_configuration.bucket-config | resource |
| aws_s3_bucket_logging.action_dist_logging | resource |
| aws_s3_bucket_notification.on_deploy | resource |
| aws_s3_bucket_policy.action_dist_sse_policy | resource |
| aws_s3_bucket_public_access_block.action_dist | resource |
| aws_s3_bucket_server_side_encryption_configuration.action_dist | resource |
| aws_s3_object.trigger | resource |
| aws_caller_identity.current | data source |
| aws_iam_policy_document.action_dist_sse_policy | data source |
| aws_iam_policy_document.lambda_assume_role_policy | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| aws_partition | (Optional) Partition for the base ARN if not 'aws'. | `string` | `"aws"` | no |
| distribution_bucket_name | Bucket for storing the action runner distribution. | `string` | n/a | yes |
| enable_event_rule_binaries_syncer | Option to disable the EventBridge Lambda trigger for the binary syncer; useful to stop automatic updates of the binary distribution. | `bool` | `true` | no |
| environment | A name that identifies the environment, used as prefix and for tagging. | `string` | `null` | no |
| lambda_architecture | AWS Lambda architecture. Lambda functions using Graviton processors ('arm64') tend to have better price/performance than 'x86_64' functions. | `string` | `"arm64"` | no |
| lambda_principals | (Optional) Add extra principals to the role created for execution of the lambda, e.g. for local testing. | `list(object({ type = string, identifiers = list(string) }))` | `[]` | no |
| lambda_runtime | AWS Lambda runtime. | `string` | `"nodejs18.x"` | no |
| lambda_s3_bucket | S3 bucket from which to load the lambda functions. This is an alternative to providing local files directly. | `string` | `null` | no |
| lambda_schedule_expression | Scheduler expression for the action runner binary syncer. | `string` | `"cron(27 * * * ? *)"` | no |
| lambda_security_group_ids | List of security group IDs associated with the Lambda function. | `list(string)` | `[]` | no |
| lambda_subnet_ids | List of subnets in which the action runners will be launched; the subnets need to be subnets in the vpc_id. | `list(string)` | `[]` | no |
| lambda_timeout | Timeout of the lambda in seconds. | `number` | `300` | no |
| lambda_zip | File location of the lambda zip file. | `string` | `null` | no |
| log_level | Logging level for lambda logging. Valid values are 'silly', 'trace', 'debug', 'info', 'warn', 'error', 'fatal'. | `string` | `"info"` | no |
| log_type | Logging format for lambda logging. Valid values are 'json', 'pretty', 'hidden'. | `string` | `null` | no |
| logging_kms_key_id | Specifies the KMS key id to encrypt the logs with. | `string` | `null` | no |
| logging_retention_in_days | Specifies the number of days you want to retain log events for the lambda log group. Possible values are: 0, 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, and 3653. | `number` | `7` | no |
| prefix | The prefix used for naming resources. | `string` | `"github-actions"` | no |
| role_path | The path that will be added to the role; if not set, the environment name will be used. | `string` | `null` | no |
| role_permissions_boundary | Permissions boundary that will be added to the created role for the lambda. | `string` | `null` | no |
| runner_allow_prerelease_binaries | (Deprecated, no longer used) Allow the runners to update to prerelease binaries. | `bool` | `null` | no |
| runner_architecture | The platform architecture of the runner instance_type. | `string` | `"x64"` | no |
| runner_os | The EC2 operating system type to use for action runner instances (linux, windows). | `string` | `"linux"` | no |
| s3_logging_bucket | Bucket for action runner distribution bucket access logging. | `string` | `null` | no |
| s3_logging_bucket_prefix | Bucket prefix for action runner distribution bucket access logging. | `string` | `null` | no |
| server_side_encryption_configuration | Map containing server-side encryption configuration. | `any` | `{ "rule": { "apply_server_side_encryption_by_default": { "sse_algorithm": "AES256" } } }` | no |
| syncer_lambda_s3_key | S3 key for the syncer lambda function. Required if using an S3 bucket to specify lambdas. | `string` | `null` | no |
| syncer_lambda_s3_object_version | S3 object version for the syncer lambda function. Useful if S3 versioning is enabled on the source bucket. | `string` | `null` | no |
| tags | Map of tags that will be added to created resources. By default resources will be tagged with name and environment. | `map(string)` | `{}` | no |
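An added example, not part of the module's README or the project's own code, showing an invocation of this module with its security-relevant inputs (bucket encryption, access logging, log retention, permissions boundary) set to hardened values. The module source path, bucket names, KMS key ARNs and the permissions-boundary ARN are placeholders, and it assumes the module passes `kms_master_key_id` through to the bucket SSE configuration:

```hcl
# Added example: a hardened invocation of the runner-binaries-syncer module.
# The module source path, bucket names, KMS key ARNs and the permissions
# boundary ARN are placeholders; the input names match the Inputs table.
module "runner_binaries_syncer" {
  source = "../../modules/runner-binaries-syncer" # assumed relative path

  prefix      = "github-actions"
  environment = "prod"

  # The cache bucket is what runners download from, so it is an
  # artifact-integrity boundary: the module keeps it private (public access
  # block, SSE bucket policy); here the default SSE-S3 (AES256) is switched
  # to a customer-managed KMS key so reads can be audited via the key policy.
  distribution_bucket_name = "example-gh-runner-dist-prod" # constructed name
  server_side_encryption_configuration = {
    rule = {
      apply_server_side_encryption_by_default = {
        sse_algorithm     = "aws:kms"
        kms_master_key_id = "arn:aws:kms:eu-west-1:123456789012:key/PLACEHOLDER" # placeholder
      }
    }
  }

  # Server access logging for the distribution bucket (log bucket assumed to exist).
  s3_logging_bucket        = "example-s3-access-logs"
  s3_logging_bucket_prefix = "runner-dist/"

  # Encrypt the lambda log group and retain logs long enough to investigate.
  logging_kms_key_id        = "arn:aws:kms:eu-west-1:123456789012:key/PLACEHOLDER" # placeholder
  logging_retention_in_days = 90
  log_level                 = "info"
  log_type                  = "json"

  # Cap what the syncer role can ever be granted, and add no extra principals
  # (lambda_principals is intended for local testing only).
  role_permissions_boundary = "arn:aws:iam::123456789012:policy/PLACEHOLDER-boundary" # placeholder
  lambda_principals         = []

  # Hourly sync stays enabled; set to false to freeze the cached binary
  # version, e.g. during a change freeze.
  enable_event_rule_binaries_syncer = true
  lambda_schedule_expression        = "cron(27 * * * ? *)"

  runner_os           = "linux"
  runner_architecture = "x64"
  lambda_architecture = "arm64"

  tags = { team = "platform" }
}
```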

Outputs

| Name | Description |
|------|-------------|
| bucket | n/a |
| lambda | n/a |
| lambda_log_group | n/a |
| lambda_role | n/a |
| runner_distribution_object_key | n/a |
