From 5eb27b0fcf3bf01561f7ec25cada9f9d7bb0407e Mon Sep 17 00:00:00 2001
From: Lucas Santos dos Anjos
Date: Wed, 1 Mar 2023 14:58:20 +0000
Subject: [PATCH] feat(syncer): add option to disable runner syncer lambda trigger (#2986)

* feat: Adding option to disable lambda syncer trigger
* feat: Adding option to disable lambda syncer trigger, fixing README.md replacement
* feat: Adding option to disable lambda syncer trigger on multi-runner module
* feat: Adding option to disable lambda syncer trigger on multi-runner module, fix README.md
---------
Co-authored-by: Lucas Santos Anjos
Co-authored-by: Niek Palm
---
README.md | 1 +
main.tf | 1 +
modules/multi-runner/README.md | 1 +
modules/multi-runner/runner-binaries.tf | 19 ++++++++++---------
modules/multi-runner/variables.tf | 6 ++++++
modules/runner-binaries-syncer/README.md | 1 +
.../runner-binaries-syncer.tf | 1 +
modules/runner-binaries-syncer/variables.tf | 6 ++++++
variables.tf | 6 ++++++
9 files changed, 33 insertions(+), 9 deletions(-)

diff --git a/README.md b/README.md
index 1a45b50b8b..88f3357afd 100644
--- a/README.md
+++ b/README.md
@@ -457,6 +457,7 @@ We welcome any improvement to the standard module to make the default as secure
 | [enable\_cloudwatch\_agent](#input\_enable\_cloudwatch\_agent) | Enabling the cloudwatch agent on the ec2 runner instances, the runner contains default config. Configuration can be overridden via `cloudwatch_config`. | `bool` | `true` | no |
 | [enable\_enable\_fifo\_build\_queue](#input\_enable\_enable\_fifo\_build\_queue) | DEPCRECATED: Replaced by `enable_fifo_build_queue` / `fifo_build_queue`. | `string` | `null` | no |
 | [enable\_ephemeral\_runners](#input\_enable\_ephemeral\_runners) | Enable ephemeral runners, runners will only be used once. | `bool` | `false` | no |
+| [enable\_event\_rule\_binaries\_syncer](#input\_enable\_event\_rule\_binaries\_syncer) | Option to disable EventBridge Lambda trigger for the binary syncer, useful to stop automatic updates of binary distribution | `bool` | `true` | no |
 | [enable\_fifo\_build\_queue](#input\_enable\_fifo\_build\_queue) | Enable a FIFO queue to remain the order of events received by the webhook. Suggest to set to true for repo level runners. | `bool` | `false` | no |
 | [enable\_job\_queued\_check](#input\_enable\_job\_queued\_check) | Only scale if the job event received by the scale up lambda is is in the state queued. By default enabled for non ephemeral runners and disabled for ephemeral. Set this variable to overwrite the default behavior. | `bool` | `null` | no |
 | [enable\_managed\_runner\_security\_group](#input\_enable\_managed\_runner\_security\_group) | Enabling the default managed security group creation. Unmanaged security groups can be specified via `runner_additional_security_group_ids`. | `bool` | `true` | no |
diff --git a/main.tf b/main.tf
index 2ca1bf85e4..18f2a3cd71 100644
--- a/main.tf
+++ b/main.tf
@@ -300,6 +300,7 @@ module "runner_binaries" {
 logging_retention_in_days = var.logging_retention_in_days
 logging_kms_key_id = var.logging_kms_key_id
+ enable_event_rule_binaries_syncer = var.enable_event_rule_binaries_syncer
 server_side_encryption_configuration = var.runner_binaries_s3_sse_configuration
 role_path = var.role_path
diff --git a/modules/multi-runner/README.md b/modules/multi-runner/README.md
index 94814851a9..40011bec60 100644
--- a/modules/multi-runner/README.md
+++ b/modules/multi-runner/README.md
@@ -120,6 +120,7 @@ module "multi-runner" {
 | [aws\_partition](#input\_aws\_partition) | (optiona) partition in the arn namespace to use if not 'aws' | `string` | `"aws"` | no |
 | [aws\_region](#input\_aws\_region) | AWS region. | `string` | n/a | yes |
 | [cloudwatch\_config](#input\_cloudwatch\_config) | (optional) Replaces the module default cloudwatch log config. See https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Agent-Configuration-File-Details.html for details. | `string` | `null` | no |
+| [enable\_event\_rule\_binaries\_syncer](#input\_enable\_event\_rule\_binaries\_syncer) | Option to disable EventBridge Lambda trigger for the binary syncer, useful to stop automatic updates of binary distribution | `bool` | `true` | no |
 | [enable\_managed\_runner\_security\_group](#input\_enable\_managed\_runner\_security\_group) | Enabling the default managed security group creation. Unmanaged security groups can be specified via `runner_additional_security_group_ids`. | `bool` | `true` | no |
 | [enable\_workflow\_job\_events\_queue](#input\_enable\_workflow\_job\_events\_queue) | Enabling this experimental feature will create a secondory sqs queue to wich a copy of the workflow\_job event will be delivered. | `bool` | `false` | no |
 | [ghes\_ssl\_verify](#input\_ghes\_ssl\_verify) | GitHub Enterprise SSL verification. Set to 'false' when custom certificate (chains) is used for GitHub Enterprise Server (insecure). | `bool` | `true` | no |
diff --git a/modules/multi-runner/runner-binaries.tf b/modules/multi-runner/runner-binaries.tf
index 3951b57350..cccdd77de5 100644
--- a/modules/multi-runner/runner-binaries.tf
+++ b/modules/multi-runner/runner-binaries.tf
@@ -9,15 +9,16 @@ module "runner_binaries" {
 runner_os = each.value.os_type
 runner_architecture = each.value.architecture
- lambda_s3_bucket = var.lambda_s3_bucket
- syncer_lambda_s3_key = var.syncer_lambda_s3_key
- syncer_lambda_s3_object_version = var.syncer_lambda_s3_object_version
- lambda_runtime = var.lambda_runtime
- lambda_architecture = var.lambda_architecture
- lambda_zip = var.runner_binaries_syncer_lambda_zip
- lambda_timeout = var.runner_binaries_syncer_lambda_timeout
- logging_retention_in_days = var.logging_retention_in_days
- logging_kms_key_id = var.logging_kms_key_id
+ lambda_s3_bucket = var.lambda_s3_bucket
+ syncer_lambda_s3_key = var.syncer_lambda_s3_key
+ syncer_lambda_s3_object_version = var.syncer_lambda_s3_object_version
+ lambda_runtime = var.lambda_runtime
+ lambda_architecture = var.lambda_architecture
+ lambda_zip = var.runner_binaries_syncer_lambda_zip
+ lambda_timeout = var.runner_binaries_syncer_lambda_timeout
+ logging_retention_in_days = var.logging_retention_in_days
+ logging_kms_key_id = var.logging_kms_key_id
+ enable_event_rule_binaries_syncer = var.enable_event_rule_binaries_syncer
 server_side_encryption_configuration = var.runner_binaries_s3_sse_configuration
diff --git a/modules/multi-runner/variables.tf b/modules/multi-runner/variables.tf
index 433c9da056..faaf379f25 100644
--- a/modules/multi-runner/variables.tf
+++ b/modules/multi-runner/variables.tf
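Review bot: The new `enable_event_rule_binaries_syncer = var.enable_event_rule_binaries_syncer` line applies one module-wide switch to every `runner_binaries` instance, while the surrounding `runner_os = each.value.os_type` and `runner_architecture = each.value.architecture` lines show that per-runner settings in this module come from the `for_each` entry. If an operator wants to freeze the distribution for one OS/architecture while the others keep updating, the flag would need to live on the runner config entry instead; if a global switch is the intent, a short comment above the line saying so would save the next reader the question. The rest of the module block lies outside this hunk, so I cannot tell whether the other flags follow the same global pattern.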
@@ -343,6 +343,12 @@ variable "syncer_lambda_s3_object_version" {
 default = null
 }
+variable "enable_event_rule_binaries_syncer" {
+ type = bool
+ default = true
+ description = "Option to disable EventBridge Lambda trigger for the binary syncer, useful to stop automatic updates of binary distribution"
+}
+
 variable "queue_encryption" {
 description = "Configure how data on queues managed by the modules in ecrypted at REST. Options are encryped via SSE, non encrypted and via KMSS. By default encryptes via SSE is enabled. See for more details the Terraform `aws_sqs_queue` resource https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue."
 type = object({
diff --git a/modules/runner-binaries-syncer/README.md b/modules/runner-binaries-syncer/README.md
index e8430250a2..b444dfc698 100644
--- a/modules/runner-binaries-syncer/README.md
+++ b/modules/runner-binaries-syncer/README.md
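Review bot: The description of the new `enable_event_rule_binaries_syncer` variable does not say what happens while the trigger is off, and it is phrased as a "disable" option on a variable whose name and `true` default read as "enable"; the same text is repeated in the modules/runner-binaries-syncer/variables.tf and root variables.tf hunks further down. Because the syncer is what refreshes the runner distribution in the S3 bucket, the reader should be told that with the rule disabled the bucket keeps whatever version was synced last, including any fixes that version lacks, until the rule is re-enabled or the Lambda is run some other way. Suggested wording: `description = "Enable the EventBridge schedule that triggers the runner binaries syncer Lambda. Set to false to stop automatic updates of the runner distribution in S3; the last synced version stays in use until the rule is re-enabled."` It would also help to state how this differs from the root `enable_runner_binaries_syncer` variable, which the variables.tf hunk header shows sitting directly above the new one.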
@@ -88,6 +88,7 @@ No modules.
 |------|-------------|------|---------|:--------:|
 | [aws\_partition](#input\_aws\_partition) | (optional) partition for the base arn if not 'aws' | `string` | `"aws"` | no |
 | [distribution\_bucket\_name](#input\_distribution\_bucket\_name) | Bucket for storing the action runner distribution. | `string` | n/a | yes |
+| [enable\_event\_rule\_binaries\_syncer](#input\_enable\_event\_rule\_binaries\_syncer) | Option to disable EventBridge Lambda trigger for the binary syncer, useful to stop automatic updates of binary distribution | `bool` | `true` | no |
 | [environment](#input\_environment) | A name that identifies the environment, used as prefix and for tagging. | `string` | `null` | no |
 | [lambda\_architecture](#input\_lambda\_architecture) | AWS Lambda architecture. Lambda functions using Graviton processors ('arm64') tend to have better price/performance than 'x86\_64' functions. | `string` | `"arm64"` | no |
 | [lambda\_principals](#input\_lambda\_principals) | (Optional) add extra principals to the role created for execution of the lambda, e.g. for local testing. |
list(object({
type = string
identifiers = list(string)
}))
| `[]` | no |
diff --git a/modules/runner-binaries-syncer/runner-binaries-syncer.tf b/modules/runner-binaries-syncer/runner-binaries-syncer.tf
index b3f0a4bdb3..6c9f247f72 100644
--- a/modules/runner-binaries-syncer/runner-binaries-syncer.tf
+++ b/modules/runner-binaries-syncer/runner-binaries-syncer.tf
@@ -121,6 +121,7 @@ resource "aws_cloudwatch_event_rule" "syncer" {
 name = "${var.prefix}-syncer-rule"
 schedule_expression = var.lambda_schedule_expression
 tags = var.tags
+ is_enabled = var.enable_event_rule_binaries_syncer
 }
 resource "aws_cloudwatch_event_target" "syncer" {
diff --git a/modules/runner-binaries-syncer/variables.tf b/modules/runner-binaries-syncer/variables.tf
index eb023a4057..23980198a3 100644
--- a/modules/runner-binaries-syncer/variables.tf
+++ b/modules/runner-binaries-syncer/variables.tf
@@ -56,6 +56,12 @@ variable "s3_logging_bucket_prefix" {
 }
 }
+variable "enable_event_rule_binaries_syncer" {
+ type = bool
+ default = true
+ description = "Option to disable EventBridge Lambda trigger for the binary syncer, useful to stop automatic updates of binary distribution"
+}
+
 variable "lambda_schedule_expression" {
 description = "Scheduler expression for action runner binary syncer."
 type = string
diff --git a/variables.tf b/variables.tf
index 38bbbdccf2..70e713d610 100644
--- a/variables.tf
+++ b/variables.tf
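Review bot: `is_enabled` on `aws_cloudwatch_event_rule` has been superseded by the `state` argument in newer releases of the AWS provider, so the added `is_enabled = var.enable_event_rule_binaries_syncer` line may start producing a deprecation warning depending on the module's provider version constraint, which this patch does not show; if those releases are already allowed, `state = var.enable_event_rule_binaries_syncer ? "ENABLED" : "DISABLED"` is the forward-compatible form. The new argument is also placed after `tags = var.tags`, whereas the visible part of the resource lists `tags` last; putting it between `schedule_expression` and `tags` keeps that convention. The `aws_cloudwatch_event_target.syncer` block that starts at the end of this hunk continues outside it, so I can only note that disabling the rule leaves the target and the Lambda in place and stops the scheduled invocations alone, which matches what the variable description promises.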
@@ -707,6 +707,12 @@ variable "enable_runner_binaries_syncer" {
 default = true
 }
+variable "enable_event_rule_binaries_syncer" {
+ type = bool
+ default = true
+ description = "Option to disable EventBridge Lambda trigger for the binary syncer, useful to stop automatic updates of binary distribution"
+}
+
 variable "queue_encryption" {
 description = "Configure how data on queues managed by the modules in ecrypted at REST. Options are encryped via SSE, non encrypted and via KMSS. By default encryptes via SSE is enabled. See for more details the Terraform `aws_sqs_queue` resource https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue."
 type = object({