forked from philips-labs/terraform-aws-github-runner
-
Notifications
You must be signed in to change notification settings - Fork 0
/
main.tf
394 lines (324 loc) · 16 KB
/
main.tf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
locals {
tags = merge(var.tags, {
"ghr:environment" = var.prefix
})
github_app_parameters = {
id = module.ssm.parameters.github_app_id
key_base64 = module.ssm.parameters.github_app_key_base64
}
runner_labels = sort(distinct(concat(["self-hosted", var.runner_os, var.runner_architecture], var.runner_extra_labels)))
ssm_root_path = var.ssm_paths.use_prefix ? "/${var.ssm_paths.root}/${var.prefix}" : "/${var.ssm_paths.root}"
}
resource "random_string" "random" {
length = 24
special = false
upper = false
}
data "aws_iam_policy_document" "deny_unsecure_transport" {
statement {
sid = "DenyUnsecureTransport"
effect = "Deny"
principals {
type = "AWS"
identifiers = ["*"]
}
actions = [
"sqs:*"
]
resources = [
"*"
]
condition {
test = "Bool"
variable = "aws:SecureTransport"
values = ["false"]
}
}
}
resource "aws_sqs_queue_policy" "build_queue_policy" {
queue_url = aws_sqs_queue.queued_builds.id
policy = data.aws_iam_policy_document.deny_unsecure_transport.json
}
resource "aws_sqs_queue_policy" "webhook_events_workflow_job_queue_policy" {
count = var.enable_workflow_job_events_queue ? 1 : 0
queue_url = aws_sqs_queue.webhook_events_workflow_job_queue[0].id
policy = data.aws_iam_policy_document.deny_unsecure_transport.json
}
resource "aws_sqs_queue" "queued_builds" {
name = "${var.prefix}-queued-builds${var.enable_fifo_build_queue ? ".fifo" : ""}"
delay_seconds = var.delay_webhook_event
visibility_timeout_seconds = var.runners_scale_up_lambda_timeout
message_retention_seconds = var.job_queue_retention_in_seconds
fifo_queue = var.enable_fifo_build_queue
receive_wait_time_seconds = 0
content_based_deduplication = var.enable_fifo_build_queue
redrive_policy = var.redrive_build_queue.enabled ? jsonencode({
deadLetterTargetArn = aws_sqs_queue.queued_builds_dlq[0].arn,
maxReceiveCount = var.redrive_build_queue.maxReceiveCount
}) : null
sqs_managed_sse_enabled = var.queue_encryption.sqs_managed_sse_enabled
kms_master_key_id = var.queue_encryption.kms_master_key_id
kms_data_key_reuse_period_seconds = var.queue_encryption.kms_data_key_reuse_period_seconds
tags = var.tags
}
resource "aws_sqs_queue" "webhook_events_workflow_job_queue" {
count = var.enable_workflow_job_events_queue ? 1 : 0
name = "${var.prefix}-webhook_events_workflow_job_queue"
delay_seconds = var.workflow_job_queue_configuration.delay_seconds
visibility_timeout_seconds = var.workflow_job_queue_configuration.visibility_timeout_seconds
message_retention_seconds = var.workflow_job_queue_configuration.message_retention_seconds
fifo_queue = false
receive_wait_time_seconds = 0
content_based_deduplication = false
redrive_policy = null
sqs_managed_sse_enabled = var.queue_encryption.sqs_managed_sse_enabled
kms_master_key_id = var.queue_encryption.kms_master_key_id
kms_data_key_reuse_period_seconds = var.queue_encryption.kms_data_key_reuse_period_seconds
tags = var.tags
}
resource "aws_sqs_queue_policy" "build_queue_dlq_policy" {
count = var.redrive_build_queue.enabled ? 1 : 0
queue_url = aws_sqs_queue.queued_builds.id
policy = data.aws_iam_policy_document.deny_unsecure_transport.json
}
resource "aws_sqs_queue" "queued_builds_dlq" {
count = var.redrive_build_queue.enabled ? 1 : 0
name = "${var.prefix}-queued-builds_dead_letter${var.enable_fifo_build_queue ? ".fifo" : ""}"
sqs_managed_sse_enabled = var.queue_encryption.sqs_managed_sse_enabled
kms_master_key_id = var.queue_encryption.kms_master_key_id
kms_data_key_reuse_period_seconds = var.queue_encryption.kms_data_key_reuse_period_seconds
fifo_queue = var.enable_fifo_build_queue
tags = var.tags
}
module "ssm" {
source = "./modules/ssm"
kms_key_arn = var.kms_key_arn
path_prefix = "${local.ssm_root_path}/${var.ssm_paths.app}"
github_app = var.github_app
tags = local.tags
}
module "webhook" {
source = "./modules/webhook"
ssm_paths = {
root = local.ssm_root_path
webhook = var.ssm_paths.webhook
}
prefix = var.prefix
tags = local.tags
kms_key_arn = var.kms_key_arn
runner_matcher_config = {
(aws_sqs_queue.queued_builds.id) = {
id : aws_sqs_queue.queued_builds.id
arn : aws_sqs_queue.queued_builds.arn
fifo : var.enable_fifo_build_queue
matcherConfig : {
labelMatchers : [local.runner_labels]
exactMatch : var.enable_runner_workflow_job_labels_check_all
}
}
}
sqs_workflow_job_queue = length(aws_sqs_queue.webhook_events_workflow_job_queue) > 0 ? aws_sqs_queue.webhook_events_workflow_job_queue[0] : null
github_app_parameters = {
webhook_secret = module.ssm.parameters.github_app_webhook_secret
}
lambda_s3_bucket = var.lambda_s3_bucket
webhook_lambda_s3_key = var.webhook_lambda_s3_key
webhook_lambda_s3_object_version = var.webhook_lambda_s3_object_version
webhook_lambda_apigateway_access_log_settings = var.webhook_lambda_apigateway_access_log_settings
lambda_runtime = var.lambda_runtime
lambda_architecture = var.lambda_architecture
lambda_zip = var.webhook_lambda_zip
lambda_memory_size = var.webhook_lambda_memory_size
lambda_timeout = var.webhook_lambda_timeout
tracing_config = var.tracing_config
logging_retention_in_days = var.logging_retention_in_days
logging_kms_key_id = var.logging_kms_key_id
role_path = var.role_path
role_permissions_boundary = var.role_permissions_boundary
repository_white_list = var.repository_white_list
lambda_subnet_ids = var.lambda_subnet_ids
lambda_security_group_ids = var.lambda_security_group_ids
aws_partition = var.aws_partition
log_level = var.log_level
}
module "runners" {
source = "./modules/runners"
aws_region = var.aws_region
aws_partition = var.aws_partition
vpc_id = var.vpc_id
subnet_ids = var.subnet_ids
prefix = var.prefix
tags = local.tags
ssm_paths = {
root = local.ssm_root_path
tokens = "${var.ssm_paths.runners}/tokens"
config = "${var.ssm_paths.runners}/config"
}
s3_runner_binaries = var.enable_runner_binaries_syncer ? {
arn = module.runner_binaries[0].bucket.arn
id = module.runner_binaries[0].bucket.id
key = module.runner_binaries[0].runner_distribution_object_key
} : null
runner_os = var.runner_os
instance_types = var.instance_types
instance_target_capacity_type = var.instance_target_capacity_type
instance_allocation_strategy = var.instance_allocation_strategy
instance_max_spot_price = var.instance_max_spot_price
block_device_mappings = var.block_device_mappings
runner_architecture = var.runner_architecture
ami_filter = var.ami_filter
ami_owners = var.ami_owners
ami_id_ssm_parameter_name = var.ami_id_ssm_parameter_name
ami_kms_key_arn = var.ami_kms_key_arn
sqs_build_queue = aws_sqs_queue.queued_builds
github_app_parameters = local.github_app_parameters
enable_organization_runners = var.enable_organization_runners
enable_ephemeral_runners = var.enable_ephemeral_runners
enable_jit_config = var.enable_jit_config
enable_job_queued_check = var.enable_job_queued_check
enable_on_demand_failover_for_errors = var.enable_runner_on_demand_failover_for_errors
disable_runner_autoupdate = var.disable_runner_autoupdate
enable_managed_runner_security_group = var.enable_managed_runner_security_group
enable_runner_detailed_monitoring = var.enable_runner_detailed_monitoring
scale_down_schedule_expression = var.scale_down_schedule_expression
minimum_running_time_in_minutes = var.minimum_running_time_in_minutes
runner_boot_time_in_minutes = var.runner_boot_time_in_minutes
runner_labels = local.runner_labels
runner_as_root = var.runner_as_root
runner_run_as = var.runner_run_as
runners_maximum_count = var.runners_maximum_count
idle_config = var.idle_config
enable_ssm_on_runners = var.enable_ssm_on_runners
egress_rules = var.runner_egress_rules
runner_additional_security_group_ids = var.runner_additional_security_group_ids
metadata_options = var.runner_metadata_options
credit_specification = var.runner_credit_specification
enable_runner_binaries_syncer = var.enable_runner_binaries_syncer
lambda_s3_bucket = var.lambda_s3_bucket
runners_lambda_s3_key = var.runners_lambda_s3_key
runners_lambda_s3_object_version = var.runners_lambda_s3_object_version
lambda_runtime = var.lambda_runtime
lambda_architecture = var.lambda_architecture
lambda_zip = var.runners_lambda_zip
lambda_scale_up_memory_size = coalesce(var.runners_scale_up_Lambda_memory_size, var.runners_scale_up_lambda_memory_size)
lambda_scale_down_memory_size = var.runners_scale_down_lambda_memory_size
lambda_timeout_scale_up = var.runners_scale_up_lambda_timeout
lambda_timeout_scale_down = var.runners_scale_down_lambda_timeout
lambda_subnet_ids = var.lambda_subnet_ids
lambda_security_group_ids = var.lambda_security_group_ids
tracing_config = var.tracing_config
logging_retention_in_days = var.logging_retention_in_days
logging_kms_key_id = var.logging_kms_key_id
enable_cloudwatch_agent = var.enable_cloudwatch_agent
cloudwatch_config = var.cloudwatch_config
runner_log_files = var.runner_log_files
runner_group_name = var.runner_group_name
runner_name_prefix = var.runner_name_prefix
scale_up_reserved_concurrent_executions = var.scale_up_reserved_concurrent_executions
associate_public_ipv4_address = var.associate_public_ipv4_address
instance_profile_path = var.instance_profile_path
role_path = var.role_path
role_permissions_boundary = var.role_permissions_boundary
enable_userdata = var.enable_userdata
enable_user_data_debug_logging = var.enable_user_data_debug_logging_runner
userdata_template = var.userdata_template
userdata_content = var.userdata_content
userdata_pre_install = var.userdata_pre_install
userdata_post_install = var.userdata_post_install
key_name = var.key_name
runner_ec2_tags = var.runner_ec2_tags
create_service_linked_role_spot = var.create_service_linked_role_spot
runner_iam_role_managed_policy_arns = var.runner_iam_role_managed_policy_arns
ghes_url = var.ghes_url
ghes_ssl_verify = var.ghes_ssl_verify
kms_key_arn = var.kms_key_arn
log_level = var.log_level
pool_config = var.pool_config
pool_lambda_memory_size = var.pool_lambda_memory_size
pool_lambda_timeout = var.pool_lambda_timeout
pool_runner_owner = var.pool_runner_owner
pool_lambda_reserved_concurrent_executions = var.pool_lambda_reserved_concurrent_executions
ssm_housekeeper = var.runners_ssm_housekeeper
}
module "runner_binaries" {
count = var.enable_runner_binaries_syncer ? 1 : 0
source = "./modules/runner-binaries-syncer"
prefix = var.prefix
tags = local.tags
distribution_bucket_name = lower("${var.prefix}-dist-${random_string.random.result}")
s3_logging_bucket = var.runner_binaries_s3_logging_bucket
s3_logging_bucket_prefix = var.runner_binaries_s3_logging_bucket_prefix
runner_os = var.runner_os
runner_architecture = var.runner_architecture
lambda_s3_bucket = var.lambda_s3_bucket
syncer_lambda_s3_key = var.syncer_lambda_s3_key
syncer_lambda_s3_object_version = var.syncer_lambda_s3_object_version
lambda_runtime = var.lambda_runtime
lambda_architecture = var.lambda_architecture
lambda_zip = var.runner_binaries_syncer_lambda_zip
lambda_memory_size = var.runner_binaries_syncer_lambda_memory_size
lambda_timeout = var.runner_binaries_syncer_lambda_timeout
tracing_config = var.tracing_config
logging_retention_in_days = var.logging_retention_in_days
logging_kms_key_id = var.logging_kms_key_id
state_event_rule_binaries_syncer = var.state_event_rule_binaries_syncer
server_side_encryption_configuration = var.runner_binaries_s3_sse_configuration
s3_versioning = var.runner_binaries_s3_versioning
role_path = var.role_path
role_permissions_boundary = var.role_permissions_boundary
log_level = var.log_level
lambda_subnet_ids = var.lambda_subnet_ids
lambda_security_group_ids = var.lambda_security_group_ids
aws_partition = var.aws_partition
lambda_principals = var.lambda_principals
}
module "ami_housekeeper" {
count = var.enable_ami_housekeeper ? 1 : 0
source = "./modules/ami-housekeeper"
prefix = var.prefix
tags = local.tags
aws_partition = var.aws_partition
lambda_zip = var.ami_housekeeper_lambda_zip
lambda_s3_bucket = var.lambda_s3_bucket
lambda_s3_key = var.ami_housekeeper_lambda_s3_key
lambda_s3_object_version = var.ami_housekeeper_lambda_s3_object_version
lambda_architecture = var.lambda_architecture
lambda_principals = var.lambda_principals
lambda_runtime = var.lambda_runtime
lambda_security_group_ids = var.lambda_security_group_ids
lambda_subnet_ids = var.lambda_subnet_ids
lambda_timeout = var.ami_housekeeper_lambda_timeout
tracing_config = var.tracing_config
logging_retention_in_days = var.logging_retention_in_days
logging_kms_key_id = var.logging_kms_key_id
log_level = var.log_level
role_path = var.role_path
role_permissions_boundary = var.role_permissions_boundary
cleanup_config = var.ami_housekeeper_cleanup_config
lambda_schedule_expression = var.ami_housekeeper_lambda_schedule_expression
}
locals {
lambda_instance_termination_watcher = {
prefix = var.prefix
tags = local.tags
aws_partition = var.aws_partition
architecture = var.lambda_architecture
principals = var.lambda_principals
runtime = var.lambda_runtime
security_group_ids = var.lambda_security_group_ids
subnet_ids = var.lambda_subnet_ids
log_level = var.log_level
logging_kms_key_id = var.logging_kms_key_id
logging_retention_in_days = var.logging_retention_in_days
role_path = var.role_path
role_permissions_boundary = var.role_permissions_boundary
metrics_namespace = var.metrics_namespace
s3_bucket = var.lambda_s3_bucket
tracing_config = var.tracing_config
}
}
module "instance_termination_watcher" {
source = "./modules/termination-watcher"
count = var.instance_termination_watcher.enable ? 1 : 0
config = merge(local.lambda_instance_termination_watcher, var.instance_termination_watcher)
}