diff --git a/README.md b/README.md index d1c667d29e..e72a76b05a 100644 --- a/README.md +++ b/README.md @@ -342,6 +342,23 @@ No requirements. | aws | n/a | | random | n/a | +## Modules + +| Name | Source | Version | +|------|--------|---------| +| runner_binaries | ./modules/runner-binaries-syncer | | +| runners | ./modules/runners | | +| ssm | ./modules/ssm | | +| webhook | ./modules/webhook | | + +## Resources + +| Name | +|------| +| [aws_resourcegroups_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/resourcegroups_group) | +| [aws_sqs_queue](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue) | +| [random_string](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | + ## Inputs | Name | Description | Type | Default | Required | @@ -353,12 +370,13 @@ No requirements. | cloudwatch\_config | (optional) Replaces the module default cloudwatch log config. See https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Agent-Configuration-File-Details.html for details. | `string` | `null` | no | | create\_service\_linked\_role\_spot | (optional) create the serviced linked role for spot instances that is required by the scale-up lambda. | `bool` | `false` | no | | delay\_webhook\_event | The number of seconds the event accepted by the webhook is invisible on the queue before the scale up lambda will receive the event. | `number` | `30` | no | +| disable\_check\_wokflow\_job\_labels | Disable the the check of workflow labels for received workflow job events. | `bool` | `false` | no | | enable\_cloudwatch\_agent | Enabling the cloudwatch agent on the ec2 runner instances, the runner contains default config. Configuration can be overridden via `cloudwatch_config`. | `bool` | `true` | no | | enable\_organization\_runners | Register runners to organization, instead of repo level | `bool` | `false` | no | | enable\_ssm\_on\_runners | Enable to allow access the runner instances for debugging purposes via SSM. Note that this adds additional permissions to the runner instances. | `bool` | `false` | no | | environment | A name that identifies the environment, used as prefix and for tagging. | `string` | n/a | yes | +| ghes\_ssl\_verify | GitHub Enterprise SSL verification. Set to 'false' when custom certificate (chains) is used for GitHub Enterprise Server (insecure). | `bool` | `true` | no | | ghes\_url | GitHub Enterprise Server URL. Example: https://github.internal.co - DO NOT SET IF USING PUBLIC GITHUB | `string` | `null` | no | -| ghes\_ssl\_verify | GitHub Enterprise SSL verification. Set to `false` when custom certificate (chains) is used for GitHub Enterprise Server (insecure). | `bool` | `true` | no | | github\_app | GitHub app parameters, see your github app. Ensure the key is the base64-encoded `.pem` file (the output of `base64 app.private-key.pem`, not the content of `private-key.pem`). |
object({| n/a | yes | | idle\_config | List of time period that can be defined as cron expression to keep a minimum amount of runners active instead of scaling down to 0. By defining this list you can ensure that in time periods that match the cron expression within 5 seconds a runner is kept idle. |
key_base64 = string
id = string
client_id = string
client_secret = string
webhook_secret = string
})
list(object({| `[]` | no | | instance\_profile\_path | The path that will be added to the instance\_profile, if not set the environment name will be used. | `string` | `null` | no | @@ -415,7 +433,6 @@ No requirements. | runners | n/a | | ssm\_parameters | n/a | | webhook | n/a | - ## Contribution diff --git a/main.tf b/main.tf index 3745dc3a27..89a2889582 100644 --- a/main.tf +++ b/main.tf @@ -60,6 +60,7 @@ module "webhook" { lambda_timeout = var.webhook_lambda_timeout logging_retention_in_days = var.logging_retention_in_days runner_extra_labels = var.runner_extra_labels + disable_check_wokflow_job_labels = var.disable_check_wokflow_job_labels role_path = var.role_path role_permissions_boundary = var.role_permissions_boundary diff --git a/modules/webhook/README.md b/modules/webhook/README.md index 86d029bbb9..9a2897ba29 100644 --- a/modules/webhook/README.md +++ b/modules/webhook/README.md @@ -68,6 +68,7 @@ No Modules. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | aws\_region | AWS region. | `string` | n/a | yes | +| disable\_check\_wokflow\_job\_labels | Disable the the check of workflow labels. | `bool` | `false` | no | | environment | A name that identifies the environment, used as prefix and for tagging. | `string` | n/a | yes | | github\_app\_webhook\_secret\_arn | n/a | `string` | n/a | yes | | kms\_key\_arn | Optional CMK Key ARN to be used for Parameter Store. | `string` | `null` | no | @@ -76,7 +77,7 @@ No Modules. | lambda\_zip | File location of the lambda zip file. | `string` | `null` | no | | logging\_retention\_in\_days | Specifies the number of days you want to retain log events for the lambda log group. Possible values are: 0, 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, and 3653. | `number` | `7` | no | | repository\_white\_list | List of repositories allowed to use the github app | `list(string)` | `[]` | no | -| role\_path | The path that will be added to the role, if not set the environment name will be used. | `string` | `null` | no | +| role\_path | The path that will be added to the role; if not set, the environment name will be used. | `string` | `null` | no | | role\_permissions\_boundary | Permissions boundary that will be added to the created role for the lambda. | `string` | `null` | no | | runner\_extra\_labels | Extra labels for the runners (GitHub). Separate each label by a comma | `string` | `""` | no | | sqs\_build\_queue | SQS queue to publish accepted build events. |
cron = string
timeZone = string
idleCount = number
}))
object({| n/a | yes | diff --git a/modules/webhook/lambdas/webhook/package.json b/modules/webhook/lambdas/webhook/package.json index 443afcbe53..f4fb540249 100644 --- a/modules/webhook/lambdas/webhook/package.json +++ b/modules/webhook/lambdas/webhook/package.json @@ -42,4 +42,4 @@ "@octokit/webhooks": "^9.12.0", "aws-lambda": "^1.0.6" } -} +} \ No newline at end of file diff --git a/modules/webhook/lambdas/webhook/src/webhook/handler.test.ts b/modules/webhook/lambdas/webhook/src/webhook/handler.test.ts index 797257630a..401c53d8fc 100644 --- a/modules/webhook/lambdas/webhook/src/webhook/handler.test.ts +++ b/modules/webhook/lambdas/webhook/src/webhook/handler.test.ts @@ -46,6 +46,9 @@ describe('handler', () => { }); describe('Test for workflowjob event: ', () => { + beforeEach(() => { + process.env.DISABLE_CHECK_WORKFLOW_JOB_LABELS = 'false'; + }); it('handles workflow job events', async () => { const event = JSON.stringify(workflowjob_event); const resp = await handle( @@ -139,8 +142,8 @@ describe('handler', () => { expect(sendActionRequest).toBeCalled(); }); - it('Check runner a runner with multiple labels accept a job with a subset of labels.', async () => { - process.env.RUNNER_LABELS = '["test", "linux"]'; + it('Check runner a self hosted runner will run a job marked with only self-hosted', async () => { + process.env.RUNNER_LABELS = '["test", "test2"]'; const event = JSON.stringify({ ...workflowjob_event, workflow_job: { @@ -156,13 +159,13 @@ describe('handler', () => { expect(sendActionRequest).toBeCalled(); }); - it('Check runner labels in mixed order', async () => { - process.env.RUNNER_LABELS = '["test", "linux"]'; + it('Check runner labels for a strict job (2 labels should match)', async () => { + process.env.RUNNER_LABELS = '["test", "test2"]'; const event = JSON.stringify({ ...workflowjob_event, workflow_job: { ...workflowjob_event.workflow_job, - labels: ['self-hosted', 'linux', 'test'], + labels: ['self-hosted', 'linux', 'test', 'test2'], }, }); const resp = await handle( @@ -173,8 +176,25 @@ describe('handler', () => { expect(sendActionRequest).toBeCalled(); }); + it('Check event is accepted for disabled workflow check', async () => { + process.env.DISABLE_CHECK_WORKFLOW_JOB_LABELS = 'true'; + process.env.RUNNER_LABELS = '["test", "no-check"]'; + const event = JSON.stringify({ + ...workflowjob_event, + workflow_job: { + ...workflowjob_event.workflow_job, + labels: ['self-hosted', 'linux', 'test', 'test2'], + }, + }); + const resp = await handle( + { 'X-Hub-Signature': await webhooks.sign(event), 'X-GitHub-Event': 'workflow_job' }, + event, + ); + expect(resp).toBe(200); + expect(sendActionRequest).toBeCalled(); + }); it('Check not allowed runner label is declined', async () => { - process.env.RUNNER_LABELS = '["test", "linux"]'; + process.env.RUNNER_LABELS = '["test"]'; const event = JSON.stringify({ ...workflowjob_event, workflow_job: { diff --git a/modules/webhook/lambdas/webhook/src/webhook/handler.ts b/modules/webhook/lambdas/webhook/src/webhook/handler.ts index 1b2c4d5d08..038df6a1b1 100644 --- a/modules/webhook/lambdas/webhook/src/webhook/handler.ts +++ b/modules/webhook/lambdas/webhook/src/webhook/handler.ts @@ -71,7 +71,9 @@ async function handleWorkflowJob(body: WorkflowJob, githubEvent: string): Promis return 403; } - if (isRunnerNotAllowed(body)) { + const disableCheckWorkflowJobLabelsEnv = process.env.DISABLE_CHECK_WORKFLOW_JOB_LABELS || 'false'; + const disableCheckWorkflowJobLabels = JSON.parse(disableCheckWorkflowJobLabelsEnv) as boolean; + if (!disableCheckWorkflowJobLabels && !canRunJob(body)) { console.error(`Received event contains runner labels '${body.workflow_job.labels}' that are not accepted.`); return 403; } @@ -115,24 +117,32 @@ async function handleCheckRun(body: CheckRunEvent, githubEvent: string): Promise } function isRepoNotAllowed(body: WorkflowJob | CheckRunEvent): boolean { - const repositoryWhiteListEnv = (process.env.REPOSITORY_WHITE_LIST as string) || '[]'; + const repositoryWhiteListEnv = process.env.REPOSITORY_WHITE_LIST || '[]'; const repositoryWhiteList = JSON.parse(repositoryWhiteListEnv) as Array
id = string
arn = string
})