diff --git a/examples/arm64/main.tf b/examples/arm64/main.tf index 1ea26c9066..c541177cd4 100644 --- a/examples/arm64/main.tf +++ b/examples/arm64/main.tf @@ -19,7 +19,7 @@ module "runners" { vpc_id = module.vpc.vpc_id subnet_ids = module.vpc.private_subnets - environment = local.environment + prefix = local.environment tags = { Project = "ProjectX" } diff --git a/examples/default/main.tf b/examples/default/main.tf index 6ee90a15c8..d273cc0558 100644 --- a/examples/default/main.tf +++ b/examples/default/main.tf @@ -19,7 +19,7 @@ module "runners" { vpc_id = module.vpc.vpc_id subnet_ids = module.vpc.private_subnets - environment = local.environment + prefix = local.environment tags = { Project = "ProjectX" } diff --git a/examples/ephemeral/main.tf b/examples/ephemeral/main.tf index 9abaef9e8d..89735a2e83 100644 --- a/examples/ephemeral/main.tf +++ b/examples/ephemeral/main.tf @@ -16,7 +16,7 @@ module "runners" { vpc_id = module.vpc.vpc_id subnet_ids = module.vpc.private_subnets - environment = local.environment + prefix = local.environment tags = { Project = "ProjectX" } diff --git a/examples/permissions-boundary/main.tf b/examples/permissions-boundary/main.tf index 1d1eb792ed..c4fc4630f3 100644 --- a/examples/permissions-boundary/main.tf +++ b/examples/permissions-boundary/main.tf @@ -35,7 +35,7 @@ module "runners" { subnet_ids = module.vpc.private_subnets kms_key_arn = aws_kms_key.github.key_id - environment = local.environment + prefix = local.environment tags = { Project = "ProjectX" } diff --git a/examples/prebuilt/main.tf b/examples/prebuilt/main.tf index 710f6c1f60..9134dfc464 100644 --- a/examples/prebuilt/main.tf +++ b/examples/prebuilt/main.tf @@ -15,7 +15,7 @@ module "runners" { vpc_id = module.vpc.vpc_id subnet_ids = module.vpc.private_subnets - environment = local.environment + prefix = local.environment github_app = { key_base64 = var.github_app_key_base64 diff --git a/examples/ubuntu/main.tf b/examples/ubuntu/main.tf index e03ac544e7..cad0e1ca59 100644 
--- a/examples/ubuntu/main.tf +++ b/examples/ubuntu/main.tf @@ -16,7 +16,7 @@ module "runners" { vpc_id = module.vpc.vpc_id subnet_ids = module.vpc.private_subnets - environment = local.environment + prefix = local.environment tags = { Project = "ProjectX" } diff --git a/examples/windows/main.tf b/examples/windows/main.tf index 0a1d770c64..359b654c9a 100644 --- a/examples/windows/main.tf +++ b/examples/windows/main.tf @@ -10,10 +10,10 @@ resource "random_id" "random" { module "runners" { source = "../../" - aws_region = local.aws_region - vpc_id = module.vpc.vpc_id - subnet_ids = module.vpc.private_subnets - environment = local.environment + aws_region = local.aws_region + vpc_id = module.vpc.vpc_id + subnet_ids = module.vpc.private_subnets + prefix = local.environment github_app = { key_base64 = var.github_app_key_base64 diff --git a/main.tf b/main.tf index c7f5601cba..7f460be4f8 100644 --- a/main.tf +++ b/main.tf @@ -1,7 +1,6 @@ locals { tags = merge(var.tags, { - Environment = var.environment, - "ghr:environment" = format("%s", var.environment) + "ghr:environment" = var.prefix }) s3_action_runner_url = "s3://${module.runner_binaries.bucket.id}/${module.runner_binaries.runner_distribution_object_key}" @@ -50,7 +49,7 @@ resource "aws_sqs_queue_policy" "build_queue_policy" { } resource "aws_sqs_queue" "queued_builds" { - name = "${var.environment}-queued-builds${var.fifo_build_queue ? ".fifo" : ""}" + name = "${var.prefix}-queued-builds${var.fifo_build_queue ? ".fifo" : ""}" delay_seconds = var.delay_webhook_event visibility_timeout_seconds = var.runners_scale_up_lambda_timeout message_retention_seconds = var.job_queue_retention_in_seconds @@ -74,7 +73,7 @@ resource "aws_sqs_queue_policy" "build_queue_dlq_policy" { resource "aws_sqs_queue" "queued_builds_dlq" { count = var.redrive_build_queue.enabled ? 1 : 0 - name = "${var.environment}-queued-builds_dead_letter" + name = "${var.prefix}-queued-builds_dead_letter" tags = var.tags } 
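Review bot: Dropping the `Environment` key from `local.tags` in the main.tf locals hunk changes what every downstream tag filter matches, and the resource-group hunk at the end of the same file still passes `environment = var.prefix` into templates/resource-group.json, which is not part of this diff; if that template selects on the `Environment` tag key, the resource group will match nothing after this change. The runner lambda is affected the same way: listEC2Runners (runners.ts hunk) now matches only `tag:ghr:environment`, so a runner instance carrying only the old `Environment` tag, one launched by a release that predates `ghr:environment`, is invisible to scale-down and keeps running until terminated by hand. Suggest switching the resource-group template to `ghr:environment` in this commit, or stating in the description where that happens, and adding a migration note to drain existing runners before upgrading. A comment above the merge, `# "Environment" tag dropped: the resource group query and the runners lambda (runners.ts) key on "ghr:environment"`, would make the coupling visible.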
@@ -83,7 +82,7 @@ module "ssm" { source = "./modules/ssm" kms_key_arn = var.kms_key_arn - environment = var.environment + prefix = var.prefix github_app = var.github_app tags = local.tags } @@ -92,7 +91,7 @@ module "webhook" { source = "./modules/webhook" aws_region = var.aws_region - environment = var.environment + prefix = var.prefix tags = local.tags kms_key_arn = var.kms_key_arn @@ -127,7 +126,7 @@ module "runners" { aws_partition = var.aws_partition vpc_id = var.vpc_id subnet_ids = var.subnet_ids - environment = var.environment + prefix = var.prefix tags = local.tags s3_bucket_runner_binaries = module.runner_binaries.bucket @@ -214,11 +213,11 @@ module "runners" { module "runner_binaries" { source = "./modules/runner-binaries-syncer" - aws_region = var.aws_region - environment = var.environment - tags = local.tags + aws_region = var.aws_region + prefix = var.prefix + tags = local.tags - distribution_bucket_name = "${var.environment}-dist-${random_string.random.result}" + distribution_bucket_name = "${var.prefix}-dist-${random_string.random.result}" runner_os = var.runner_os runner_architecture = var.runner_architecture @@ -244,10 +243,10 @@ module "runner_binaries" { } resource "aws_resourcegroups_group" "resourcegroups_group" { - name = "${var.environment}-group" + name = "${var.prefix}-group" resource_query { query = templatefile("${path.module}/templates/resource-group.json", { - environment = var.environment + environment = var.prefix }) } } diff --git a/modules/runner-binaries-syncer/runner-binaries-syncer.tf b/modules/runner-binaries-syncer/runner-binaries-syncer.tf index e73dad69c3..a7118a6844 100644 --- a/modules/runner-binaries-syncer/runner-binaries-syncer.tf +++ b/modules/runner-binaries-syncer/runner-binaries-syncer.tf 
@@ -1,6 +1,6 @@ locals { lambda_zip = var.lambda_zip == null ? "${path.module}/lambdas/runner-binaries-syncer/runner-binaries-syncer.zip" : var.lambda_zip - role_path = var.role_path == null ? "/${var.environment}/" : var.role_path + role_path = var.role_path == null ? "/${var.prefix}/" : var.role_path gh_binary_os_label = { windows = "win", linux = "linux" @@ -13,7 +13,7 @@ resource "aws_lambda_function" "syncer" { s3_object_version = var.syncer_lambda_s3_object_version != null ? var.syncer_lambda_s3_object_version : null filename = var.lambda_s3_bucket == null ? local.lambda_zip : null source_code_hash = var.lambda_s3_bucket == null ? filebase64sha256(local.lambda_zip) : null - function_name = "${var.environment}-syncer" + function_name = "${var.prefix}-syncer" role = aws_iam_role.syncer_lambda.arn handler = "index.handler" runtime = "nodejs14.x" @@ -63,7 +63,7 @@ resource "aws_cloudwatch_log_group" "syncer" { } resource "aws_iam_role" "syncer_lambda" { - name = "${var.environment}-action-syncer-lambda-role" + name = "${var.prefix}-action-syncer-lambda-role" assume_role_policy = data.aws_iam_policy_document.lambda_assume_role_policy.json path = local.role_path permissions_boundary = var.role_permissions_boundary @@ -92,7 +92,7 @@ data "aws_iam_policy_document" "lambda_assume_role_policy" { } resource "aws_iam_role_policy" "lambda_logging" { - name = "${var.environment}-lambda-logging-policy-syncer" + name = "${var.prefix}-lambda-logging-policy-syncer" role = aws_iam_role.syncer_lambda.id policy = templatefile("${path.module}/policies/lambda-cloudwatch.json", { @@ -101,7 +101,7 @@ resource "aws_iam_role_policy" "lambda_logging" { } resource "aws_iam_role_policy" "syncer" { - name = "${var.environment}-lambda-syncer-s3-policy" + name = "${var.prefix}-lambda-syncer-s3-policy" role = aws_iam_role.syncer_lambda.id policy = templatefile("${path.module}/policies/lambda-syncer.json", { 
@@ -110,7 +110,7 @@ resource "aws_iam_role_policy" "syncer" { } resource "aws_cloudwatch_event_rule" "syncer" { - name = "${var.environment}-syncer-rule" + name = "${var.prefix}-syncer-rule" schedule_expression = var.lambda_schedule_expression tags = var.tags } diff --git a/modules/runner-binaries-syncer/variables.tf b/modules/runner-binaries-syncer/variables.tf index 37023b0486..436608a6ab 100644 --- a/modules/runner-binaries-syncer/variables.tf +++ b/modules/runner-binaries-syncer/variables.tf @@ -12,6 +12,18 @@ variable "tags" { variable "environment" { description = "A name that identifies the environment, used as prefix and for tagging." type = string + default = null + + validation { + condition = var.environment == null + error_message = "The \"environment\" variable is no longer used. To migrate, set the \"prefix\" variable to the original value of \"environment\" and optionally, add \"Environment\" to the \"tags\" variable map with the same value." + } +} + +variable "prefix" { + description = "The prefix used for naming resources" + type = string + default = "github-actions" } variable "distribution_bucket_name" { diff --git a/modules/runners/README.md b/modules/runners/README.md index 4c6b82a082..13fb5efdc1 100644 --- a/modules/runners/README.md +++ b/modules/runners/README.md 
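Review bot: The deprecated `environment` variable in modules/runner-binaries-syncer/variables.tf keeps its old description ("A name that identifies the environment, used as prefix and for tagging.") even though the new validation rejects every non-null value, so generated docs will still present it as a live input; change it to `description = "Deprecated, no longer used; set \"prefix\" instead."`. The same applies to the identical hunks in modules/runners/variables.tf, modules/setup-iam-permissions/variables.tf and modules/ssm/variables.tf. `prefix` also goes from a required input to a default of `github-actions` while feeding account-global names (IAM role names, SQS queue names, the `${var.prefix}-dist-…` bucket, SSM parameter paths), so two deployments in one account that both accept the default collide on IAM and SQS names and overlap on SSM paths; its description should say the value must be unique per deployment in the account. Because the value ends up in an S3 bucket name and in IAM names, a validation block such as `condition = can(regex("^[a-z0-9-]+$", var.prefix))` would fail at plan time rather than at apply, with the allowed length checked against the longest name built from it.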
@@ -130,7 +130,7 @@ yarn run dist | [enable\_runner\_detailed\_monitoring](#input\_enable\_runner\_detailed\_monitoring) | Enable detailed monitoring for runners | `bool` | `false` | no | | [enable\_ssm\_on\_runners](#input\_enable\_ssm\_on\_runners) | Enable to allow access to the runner instances for debugging purposes via SSM. Note that this adds additional permissions to the runner instances. | `bool` | n/a | yes | | [enabled\_userdata](#input\_enabled\_userdata) | Should the userdata script be enabled for the runner. Set this to false if you are using your own prebuilt AMI | `bool` | `true` | no | -| [environment](#input\_environment) | A name that identifies the environment, used as prefix and for tagging. | `string` | n/a | yes | +| [prefix](#input\_prefix) | The prefix used for naming resources | `string` | `github-actions` | no | | [ghes\_ssl\_verify](#input\_ghes\_ssl\_verify) | GitHub Enterprise SSL verification. Set to 'false' when custom certificate (chains) is used for GitHub Enterprise Server (insecure). | `bool` | `true` | no | | [ghes\_url](#input\_ghes\_url) | GitHub Enterprise Server URL. DO NOT SET IF USING PUBLIC GITHUB | `string` | `null` | no | | [github\_app\_parameters](#input\_github\_app\_parameters) | Parameter Store for GitHub App Parameters. |
object({
key_base64 = map(string)
id = map(string)
})
| n/a | yes | @@ -171,7 +171,7 @@ yarn run dist | [runner\_extra\_labels](#input\_runner\_extra\_labels) | Extra labels for the runners (GitHub). Separate each label by a comma | `string` | `""` | no | | [runner\_group\_name](#input\_runner\_group\_name) | Name of the runner group. | `string` | `"Default"` | no | | [runner\_iam\_role\_managed\_policy\_arns](#input\_runner\_iam\_role\_managed\_policy\_arns) | Attach AWS or customer-managed IAM policies (by ARN) to the runner IAM role | `list(string)` | `[]` | no | -| [runner\_log\_files](#input\_runner\_log\_files) | (optional) List of logfiles to send to CloudWatch, will only be used if `enable_cloudwatch_agent` is set to true. Object description: `log_group_name`: Name of the log group, `prefix_log_group`: If true, the log group name will be prefixed with `/github-self-hosted-runners/`, `file_path`: path to the log file, `log_stream_name`: name of the log stream. |
list(object({
log_group_name = string
prefix_log_group = bool
file_path = string
log_stream_name = string
}))
| `null` | no | +| [runner\_log\_files](#input\_runner\_log\_files) | (optional) List of logfiles to send to CloudWatch, will only be used if `enable_cloudwatch_agent` is set to true. Object description: `log_group_name`: Name of the log group, `prefix_log_group`: If true, the log group name will be prefixed with `/github-self-hosted-runners/`, `file_path`: path to the log file, `log_stream_name`: name of the log stream. |
list(object({
log_group_name = string
prefix_log_group = bool
file_path = string
log_stream_name = string
}))
| `null` | no | | [runner\_os](#input\_runner\_os) | The EC2 Operating System type to use for action runner instances (linux,windows). | `string` | `"linux"` | no | | [runner\_run\_as](#input\_runner\_run\_as) | Run the GitHub actions agent as user. | `string` | `"ec2-user"` | no | | [runners\_lambda\_s3\_key](#input\_runners\_lambda\_s3\_key) | S3 key for runners lambda function. Required if using S3 bucket to specify lambdas. | `any` | `null` | no | @@ -183,7 +183,7 @@ yarn run dist | [scale\_up\_reserved\_concurrent\_executions](#input\_scale\_up\_reserved\_concurrent\_executions) | Amount of reserved concurrent executions for the scale-up lambda function. A value of 0 disables lambda from being triggered and -1 removes any concurrency limitations. | `number` | `1` | no | | [sqs\_build\_queue](#input\_sqs\_build\_queue) | SQS queue to consume accepted build events. |
object({
arn = string
})
| n/a | yes | | [subnet\_ids](#input\_subnet\_ids) | List of subnets in which the action runners will be launched, the subnets needs to be subnets in the `vpc_id`. | `list(string)` | n/a | yes | -| [tags](#input\_tags) | Map of tags that will be added to created resources. By default resources will be tagged with name and environment. | `map(string)` | `{}` | no | +| [tags](#input\_tags) | Map of tags that will be added to created resources. By default resources will be tagged with name. | `map(string)` | `{}` | no | | [userdata\_post\_install](#input\_userdata\_post\_install) | User-data script snippet to insert after GitHub action runner install | `string` | `""` | no | | [userdata\_pre\_install](#input\_userdata\_pre\_install) | User-data script snippet to insert before GitHub action runner install | `string` | `""` | no | | [userdata\_template](#input\_userdata\_template) | Alternative user-data template, replacing the default template. By providing your own user\_data you have to take care of installing all required software, including the action runner. Variables userdata\_pre/post\_install are ignored. | `string` | `null` | no | diff --git a/modules/runners/lambdas/runners/src/aws/runners.test.ts b/modules/runners/lambdas/runners/src/aws/runners.test.ts index 38ee9e798a..a18759463f 100644 --- a/modules/runners/lambdas/runners/src/aws/runners.test.ts +++ b/modules/runners/lambdas/runners/src/aws/runners.test.ts @@ -101,7 +101,7 @@ describe('list instances', () => { Filters: [ { Name: 'tag:Application', Values: ['github-action-runner'] }, { Name: 'instance-state-name', Values: ['running', 'pending'] }, - { Name: 'tag:Environment', Values: [ENVIRONMENT] }, + { Name: 'tag:ghr:environment', Values: [ENVIRONMENT] }, ], }); }); diff --git a/modules/runners/lambdas/runners/src/aws/runners.ts b/modules/runners/lambdas/runners/src/aws/runners.ts index f5f8e449a6..20a2d93770 100644 --- a/modules/runners/lambdas/runners/src/aws/runners.ts 
+++ b/modules/runners/lambdas/runners/src/aws/runners.ts @@ -54,7 +54,7 @@ export async function listEC2Runners(filters: ListRunnerFilters | undefined = un if (filters) { if (filters.environment !== undefined) { - ec2Filters.push({ Name: 'tag:Environment', Values: [filters.environment] }); + ec2Filters.push({ Name: 'tag:ghr:environment', Values: [filters.environment] }); } if (filters.runnerType && filters.runnerOwner) { ec2Filters.push({ Name: `tag:Type`, Values: [filters.runnerType] }); diff --git a/modules/runners/logging.tf b/modules/runners/logging.tf index 9f4ab3ee90..4051ad415c 100644 --- a/modules/runners/logging.tf +++ b/modules/runners/logging.tf @@ -30,7 +30,7 @@ locals { ] ) logfiles = var.enable_cloudwatch_agent ? [for l in local.runner_log_files : { - "log_group_name" : l.prefix_log_group ? "/github-self-hosted-runners/${var.environment}/${l.log_group_name}" : "/${l.log_group_name}" + "log_group_name" : l.prefix_log_group ? "/github-self-hosted-runners/${var.prefix}/${l.log_group_name}" : "/${l.log_group_name}" "log_stream_name" : l.log_stream_name "file_path" : l.file_path }] : [] @@ -42,7 +42,7 @@ locals { resource "aws_ssm_parameter" "cloudwatch_agent_config_runner" { count = var.enable_cloudwatch_agent ? 1 : 0 - name = "${var.environment}-cloudwatch_agent_config_runner" + name = "${var.prefix}-cloudwatch_agent_config_runner" type = "String" value = var.cloudwatch_config != null ? var.cloudwatch_config : templatefile("${path.module}/templates/cloudwatch_config.json", { logfiles = jsonencode(local.logfiles) diff --git a/modules/runners/main.tf b/modules/runners/main.tf index f8fc25d97c..a3d009c28a 100644 --- a/modules/runners/main.tf +++ b/modules/runners/main.tf 
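Review bot: The tag key literal `'tag:ghr:environment'` in listEC2Runners has to stay in lock-step with the `"ghr:environment"` key written into `local.tags` in main.tf, and nothing in the code records that; a comment above the push, `// must match the "ghr:environment" key set in local.tags (main.tf); scale-down only sees instances carrying it`, would save the next rename. `filters.environment` and the `ENVIRONMENT` Lambda variable now carry the Terraform `prefix` value rather than an environment name, which the hunk leaves implicit; either rename the field in ListRunnerFilters or note it in the interface's doc comment. listEC2Runners starts before and ends after this hunk.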
@@ -1,15 +1,15 @@ locals { tags = merge( { - "Name" = format("%s-action-runner", var.environment) + "Name" = format("%s-action-runner", var.prefix) }, var.tags, ) name_sg = var.overrides["name_sg"] == "" ? local.tags["Name"] : var.overrides["name_sg"] name_runner = var.overrides["name_runner"] == "" ? local.tags["Name"] : var.overrides["name_runner"] - role_path = var.role_path == null ? "/${var.environment}/" : var.role_path - instance_profile_path = var.instance_profile_path == null ? "/${var.environment}/" : var.instance_profile_path + role_path = var.role_path == null ? "/${var.prefix}/" : var.role_path + instance_profile_path = var.instance_profile_path == null ? "/${var.prefix}/" : var.instance_profile_path lambda_zip = var.lambda_zip == null ? "${path.module}/lambdas/runners/runners.zip" : var.lambda_zip userdata_template = var.userdata_template == null ? local.default_userdata_template[var.runner_os] : var.userdata_template kms_key_arn = var.kms_key_arn != null ? var.kms_key_arn : "" @@ -54,7 +54,7 @@ data "aws_ami" "runner" { } resource "aws_launch_template" "runner" { - name = "${var.environment}-action-runner" + name = "${var.prefix}-action-runner" dynamic "block_device_mappings" { for_each = var.block_device_mappings != null ? var.block_device_mappings : [] @@ -131,7 +131,7 @@ resource "aws_launch_template" "runner" { ghes_url = var.ghes_url ghes_ssl_verify = var.ghes_ssl_verify ## retain these for backwards compatibility - environment = var.environment + environment = var.prefix enable_cloudwatch_agent = var.enable_cloudwatch_agent ssm_key_cloudwatch_agent_config = var.enable_cloudwatch_agent ? aws_ssm_parameter.cloudwatch_agent_config_runner[0].name : "" })) : "" 
@@ -143,7 +143,7 @@ resource "aws_launch_template" "runner" { resource "aws_security_group" "runner_sg" { count = var.enable_managed_runner_security_group ? 1 : 0 - name_prefix = "${var.environment}-github-actions-runner-sg" + name_prefix = "${var.prefix}-github-actions-runner-sg" description = "Github Actions Runner security group" vpc_id = var.vpc_id diff --git a/modules/runners/policies-runner.tf b/modules/runners/policies-runner.tf index 2e6351ac00..5ba9004b14 100644 --- a/modules/runners/policies-runner.tf +++ b/modules/runners/policies-runner.tf @@ -1,7 +1,7 @@ data "aws_caller_identity" "current" {} resource "aws_iam_role" "runner" { - name = "${var.environment}-runner-role" + name = "${var.prefix}-runner-role" assume_role_policy = templatefile("${path.module}/policies/instance-role-trust-policy.json", {}) path = local.role_path permissions_boundary = var.role_permissions_boundary @@ -9,7 +9,7 @@ resource "aws_iam_role" "runner" { } resource "aws_iam_instance_profile" "runner" { - name = "${var.environment}-runner-profile" + name = "${var.prefix}-runner-profile" role = aws_iam_role.runner.name path = local.instance_profile_path } @@ -26,8 +26,8 @@ resource "aws_iam_role_policy" "ssm_parameters" { role = aws_iam_role.runner.name policy = templatefile("${path.module}/policies/instance-ssm-parameters-policy.json", { - arn_ssm_parameters_prefix = "arn:${var.aws_partition}:ssm:${var.aws_region}:${data.aws_caller_identity.current.account_id}:parameter/${var.environment}-*" - arn_ssm_parameters_path = "arn:${var.aws_partition}:ssm:${var.aws_region}:${data.aws_caller_identity.current.account_id}:parameter/${var.environment}/*" + arn_ssm_parameters_prefix = "arn:${var.aws_partition}:ssm:${var.aws_region}:${data.aws_caller_identity.current.account_id}:parameter/${var.prefix}-*" + arn_ssm_parameters_path = "arn:${var.aws_partition}:ssm:${var.aws_region}:${data.aws_caller_identity.current.account_id}:parameter/${var.prefix}/*" } ) } 
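Review bot: The instance role's SSM grant in policies-runner.tf, `parameter/${var.prefix}-*`, is a prefix match rather than an exact one: a deployment using prefix `github-actions` (now the default) can read `github-actions-prod-*` parameters belonging to another stack in the same account and region. That overlap existed with `environment` too, but a required input was less likely to be a leading substring of another stack's name than a fixed default is. The narrower `parameter/${var.prefix}/*` path form is already used for the runner config parameters in runner-config.tf; consider moving the remaining `${var.prefix}-` parameter (the CloudWatch agent config in logging.tf) under that path so the `-*` grant can be dropped, and until then add a comment on the `arn_ssm_parameters_prefix` line noting the wildcard's reach. The enclosing aws_iam_role_policy continues outside the hunk.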
diff --git a/modules/runners/pool.tf b/modules/runners/pool.tf index 593ace1b29..c8c54ce2c5 100644 --- a/modules/runners/pool.tf +++ b/modules/runners/pool.tf @@ -4,7 +4,7 @@ module "pool" { source = "./pool" config = { - environment = var.environment + prefix = var.prefix ghes = { ssl_verify = var.ghes_ssl_verify url = var.ghes_url diff --git a/modules/runners/pool/main.tf b/modules/runners/pool/main.tf index 3a4b1e7fd4..3c5d77de5d 100644 --- a/modules/runners/pool/main.tf +++ b/modules/runners/pool/main.tf @@ -5,7 +5,7 @@ resource "aws_lambda_function" "pool" { s3_object_version = var.config.lambda.s3_object_version != null ? var.config.lambda.s3_object_version : null filename = var.config.lambda.s3_bucket == null ? var.config.lambda.zip : null source_code_hash = var.config.lambda.s3_bucket == null ? filebase64sha256(var.config.lambda.zip) : null - function_name = "${var.config.environment}-pool" + function_name = "${var.config.prefix}-pool" role = aws_iam_role.pool.arn handler = "index.adjustPool" runtime = "nodejs14.x" @@ -18,7 +18,7 @@ resource "aws_lambda_function" "pool" { variables = { DISABLE_RUNNER_AUTOUPDATE = var.config.runner.disable_runner_autoupdate ENABLE_EPHEMERAL_RUNNERS = var.config.runner.ephemeral - ENVIRONMENT = var.config.environment + ENVIRONMENT = var.config.prefix GHES_URL = var.config.ghes.url INSTANCE_ALLOCATION_STRATEGY = var.config.instance_allocation_strategy INSTANCE_MAX_SPOT_PRICE = var.config.instance_max_spot_price @@ -54,7 +54,7 @@ resource "aws_cloudwatch_log_group" "pool" { } resource "aws_iam_role" "pool" { - name = "${var.config.environment}-action-pool-lambda-role" + name = "${var.config.prefix}-action-pool-lambda-role" assume_role_policy = data.aws_iam_policy_document.lambda_assume_role_policy.json path = var.config.role_path permissions_boundary = var.config.role_permissions_boundary 
@@ -62,7 +62,7 @@ resource "aws_iam_role" "pool" { } resource "aws_iam_role_policy" "pool" { - name = "${var.config.environment}-lambda-pool-policy" + name = "${var.config.prefix}-lambda-pool-policy" role = aws_iam_role.pool.name policy = templatefile("${path.module}/policies/lambda-pool.json", { arn_runner_instance_role = var.config.runner.role.arn @@ -73,7 +73,7 @@ resource "aws_iam_role_policy" "pool" { } resource "aws_iam_role_policy" "pool_logging" { - name = "${var.config.environment}-lambda-logging" + name = "${var.config.prefix}-lambda-logging" role = aws_iam_role.pool.name policy = templatefile("${path.module}/../policies/lambda-cloudwatch.json", { log_group_arn = aws_cloudwatch_log_group.pool.arn @@ -101,7 +101,7 @@ data "aws_iam_policy_document" "lambda_assume_role_policy" { resource "aws_cloudwatch_event_rule" "pool" { count = length(var.config.pool) - name = "${var.config.environment}-pool-${count.index}-rule" + name = "${var.config.prefix}-pool-${count.index}-rule" schedule_expression = var.config.pool[count.index].schedule_expression tags = var.config.tags } diff --git a/modules/runners/pool/variables.tf b/modules/runners/pool/variables.tf index 579a37f904..29ee1d2f5f 100644 --- a/modules/runners/pool/variables.tf +++ b/modules/runners/pool/variables.tf @@ -41,7 +41,7 @@ variable "config" { instance_target_capacity_type = string instance_allocation_strategy = string instance_max_spot_price = string - environment = string + prefix = string pool = list(object({ schedule_expression = string size = number diff --git a/modules/runners/runner-config.tf b/modules/runners/runner-config.tf index 591ab90be0..e4745a1a9a 100644 --- a/modules/runners/runner-config.tf +++ b/modules/runners/runner-config.tf 
@@ -1,19 +1,19 @@ resource "aws_ssm_parameter" "runner_config_run_as" { - name = "/${var.environment}/runner/run-as" + name = "/${var.prefix}/runner/run-as" type = "String" value = var.runner_as_root ? "root" : var.runner_run_as tags = local.tags } resource "aws_ssm_parameter" "runner_agent_mode" { - name = "/${var.environment}/runner/agent-mode" + name = "/${var.prefix}/runner/agent-mode" type = "String" value = var.enable_ephemeral_runners ? "ephemeral" : "persistent" tags = local.tags } resource "aws_ssm_parameter" "runner_enable_cloudwatch" { - name = "/${var.environment}/runner/enable-cloudwatch" + name = "/${var.prefix}/runner/enable-cloudwatch" type = "String" value = var.enable_cloudwatch_agent tags = local.tags diff --git a/modules/runners/scale-down.tf b/modules/runners/scale-down.tf index a1c30fcf9b..34a77e90c1 100644 --- a/modules/runners/scale-down.tf +++ b/modules/runners/scale-down.tf @@ -11,7 +11,7 @@ resource "aws_lambda_function" "scale_down" { s3_object_version = var.runners_lambda_s3_object_version != null ? var.runners_lambda_s3_object_version : null filename = var.lambda_s3_bucket == null ? local.lambda_zip : null source_code_hash = var.lambda_s3_bucket == null ? filebase64sha256(local.lambda_zip) : null - function_name = "${var.environment}-scale-down" + function_name = "${var.prefix}-scale-down" role = aws_iam_role.scale_down.arn handler = "index.scaleDownHandler" runtime = "nodejs14.x" @@ -21,7 +21,7 @@ resource "aws_lambda_function" "scale_down" { environment { variables = { - ENVIRONMENT = var.environment + ENVIRONMENT = var.prefix GHES_URL = var.ghes_url LOG_LEVEL = var.log_level LOG_TYPE = var.log_type @@ -51,7 +51,7 @@ resource "aws_cloudwatch_log_group" "scale_down" { } resource "aws_cloudwatch_event_rule" "scale_down" { - name = "${var.environment}-scale-down-rule" + name = "${var.prefix}-scale-down-rule" schedule_expression = var.scale_down_schedule_expression tags = var.tags } 
@@ -70,7 +70,7 @@ resource "aws_lambda_permission" "scale_down" { } resource "aws_iam_role" "scale_down" { - name = "${var.environment}-action-scale-down-lambda-role" + name = "${var.prefix}-action-scale-down-lambda-role" assume_role_policy = data.aws_iam_policy_document.lambda_assume_role_policy.json path = local.role_path permissions_boundary = var.role_permissions_boundary @@ -78,7 +78,7 @@ resource "aws_iam_role" "scale_down" { } resource "aws_iam_role_policy" "scale_down" { - name = "${var.environment}-lambda-scale-down-policy" + name = "${var.prefix}-lambda-scale-down-policy" role = aws_iam_role.scale_down.name policy = templatefile("${path.module}/policies/lambda-scale-down.json", { github_app_id_arn = var.github_app_parameters.id.arn @@ -88,7 +88,7 @@ resource "aws_iam_role_policy" "scale_down" { } resource "aws_iam_role_policy" "scale_down_logging" { - name = "${var.environment}-lambda-logging" + name = "${var.prefix}-lambda-logging" role = aws_iam_role.scale_down.name policy = templatefile("${path.module}/policies/lambda-cloudwatch.json", { log_group_arn = aws_cloudwatch_log_group.scale_down.arn diff --git a/modules/runners/scale-up.tf b/modules/runners/scale-up.tf index 00a1d7e122..6e39308abc 100644 --- a/modules/runners/scale-up.tf +++ b/modules/runners/scale-up.tf @@ -4,7 +4,7 @@ resource "aws_lambda_function" "scale_up" { s3_object_version = var.runners_lambda_s3_object_version != null ? var.runners_lambda_s3_object_version : null filename = var.lambda_s3_bucket == null ? local.lambda_zip : null source_code_hash = var.lambda_s3_bucket == null ? filebase64sha256(local.lambda_zip) : null - function_name = "${var.environment}-scale-up" + function_name = "${var.prefix}-scale-up" role = aws_iam_role.scale_up.arn handler = "index.scaleUpHandler" runtime = "nodejs14.x" 
@@ -19,7 +19,7 @@ resource "aws_lambda_function" "scale_up" { ENABLE_EPHEMERAL_RUNNERS = var.enable_ephemeral_runners ENABLE_JOB_QUEUED_CHECK = local.enable_job_queued_check ENABLE_ORGANIZATION_RUNNERS = var.enable_organization_runners - ENVIRONMENT = var.environment + ENVIRONMENT = var.prefix GHES_URL = var.ghes_url INSTANCE_ALLOCATION_STRATEGY = var.instance_allocation_strategy INSTANCE_MAX_SPOT_PRICE = var.instance_max_spot_price @@ -69,7 +69,7 @@ resource "aws_lambda_permission" "scale_runners_lambda" { } resource "aws_iam_role" "scale_up" { - name = "${var.environment}-action-scale-up-lambda-role" + name = "${var.prefix}-action-scale-up-lambda-role" assume_role_policy = data.aws_iam_policy_document.lambda_assume_role_policy.json path = local.role_path permissions_boundary = var.role_permissions_boundary @@ -77,7 +77,7 @@ resource "aws_iam_role" "scale_up" { } resource "aws_iam_role_policy" "scale_up" { - name = "${var.environment}-lambda-scale-up-policy" + name = "${var.prefix}-lambda-scale-up-policy" role = aws_iam_role.scale_up.name policy = templatefile("${path.module}/policies/lambda-scale-up.json", { arn_runner_instance_role = aws_iam_role.runner.arn @@ -90,7 +90,7 @@ resource "aws_iam_role_policy" "scale_up" { resource "aws_iam_role_policy" "scale_up_logging" { - name = "${var.environment}-lambda-logging" + name = "${var.prefix}-lambda-logging" role = aws_iam_role.scale_up.name policy = templatefile("${path.module}/policies/lambda-cloudwatch.json", { log_group_arn = aws_cloudwatch_log_group.scale_up.arn @@ -99,7 +99,7 @@ resource "aws_iam_role_policy" "scale_up_logging" { resource "aws_iam_role_policy" "service_linked_role" { count = var.create_service_linked_role_spot ? 1 : 0 - name = "${var.environment}-service_linked_role" + name = "${var.prefix}-service_linked_role" role = aws_iam_role.scale_up.name policy = templatefile("${path.module}/policies/service-linked-role-create-policy.json", { aws_partition = var.aws_partition }) } 
diff --git a/modules/runners/variables.tf b/modules/runners/variables.tf index 91b77806fa..6fabdf3ac5 100644 --- a/modules/runners/variables.tf +++ b/modules/runners/variables.tf @@ -24,7 +24,7 @@ variable "overrides" { } variable "tags" { - description = "Map of tags that will be added to created resources. By default resources will be tagged with name and environment." + description = "Map of tags that will be added to created resources. By default resources will be tagged with name." type = map(string) default = {} } @@ -32,6 +32,18 @@ variable "tags" { variable "environment" { description = "A name that identifies the environment, used as prefix and for tagging." type = string + default = null + + validation { + condition = var.environment == null + error_message = "The \"environment\" variable is no longer used. To migrate, set the \"prefix\" variable to the original value of \"environment\" and optionally, add \"Environment\" to the \"tags\" variable map with the same value." + } +} + +variable "prefix" { + description = "The prefix used for naming resources" + type = string + default = "github-actions" } variable "s3_bucket_runner_binaries" { @@ -243,13 +255,13 @@ variable "role_permissions_boundary" { } variable "role_path" { - description = "The path that will be added to the role; if not set, the environment name will be used." + description = "The path that will be added to the role; if not set, the prefix will be used." type = string default = null } variable "instance_profile_path" { - description = "The path that will be added to the instance_profile, if not set the environment name will be used." + description = "The path that will be added to the instance_profile, if not set the prefix will be used." type = string default = null } 
@@ -357,7 +369,7 @@ variable "cloudwatch_config" { } variable "runner_log_files" { - description = "(optional) List of logfiles to send to CloudWatch, will only be used if `enable_cloudwatch_agent` is set to true. Object description: `log_group_name`: Name of the log group, `prefix_log_group`: If true, the log group name will be prefixed with `/github-self-hosted-runners/`, `file_path`: path to the log file, `log_stream_name`: name of the log stream." + description = "(optional) List of logfiles to send to CloudWatch, will only be used if `enable_cloudwatch_agent` is set to true. Object description: `log_group_name`: Name of the log group, `prefix_log_group`: If true, the log group name will be prefixed with `/github-self-hosted-runners/`, `file_path`: path to the log file, `log_stream_name`: name of the log stream." type = list(object({ log_group_name = string prefix_log_group = bool diff --git a/modules/setup-iam-permissions/main.tf b/modules/setup-iam-permissions/main.tf index a577dfd482..ce39031058 100644 --- a/modules/setup-iam-permissions/main.tf +++ b/modules/setup-iam-permissions/main.tf @@ -1,7 +1,7 @@ data "aws_caller_identity" "current" {} resource "aws_iam_role" "deploy" { - name = "${var.environment}-terraform" + name = "${var.prefix}-terraform" permissions_boundary = aws_iam_policy.deploy_boundary.arn assume_role_policy = templatefile("${path.module}/policies/assume-role-for-account.json", { @@ -11,7 +11,7 @@ resource "aws_iam_role" "deploy" { } resource "aws_iam_policy" "boundary" { - name = "${var.environment}-boundary" + name = "${var.prefix}-boundary" path = "/${var.namespaces.boundary_namespace}/" policy = templatefile("${path.module}/policies/boundary.json", { @@ -22,7 +22,7 @@ resource "aws_iam_policy" "boundary" { } resource "aws_iam_policy" "deploy" { - name = "${var.environment}-terraform" + name = "${var.prefix}-terraform" path = "/" policy = templatefile("${path.module}/policies/deploy-policy.json", { 
@@ -36,7 +36,7 @@ resource "aws_iam_role_policy_attachment" "deploy" {
 }
 resource "aws_iam_policy" "deploy_boundary" {
- name = "${var.environment}-terraform-boundary"
+ name = "${var.prefix}-terraform-boundary"
 path = "/${var.namespaces.boundary_namespace}/"
 policy = templatefile("${path.module}/policies/deploy-boundary.json", {
diff --git a/modules/setup-iam-permissions/variables.tf b/modules/setup-iam-permissions/variables.tf
index a67d56648c..833ee873f5 100644
--- a/modules/setup-iam-permissions/variables.tf
+++ b/modules/setup-iam-permissions/variables.tf
@@ -1,6 +1,18 @@
 variable "environment" {
 description = "A name that identifies the environment, used as prefix and for tagging."
 type = string
+ default = null
+
+ validation {
+ condition = var.environment == null
+ error_message = "The \"environment\" variable is no longer used. To migrate, set the \"prefix\" variable to the original value of \"environment\" and optionally, add \"Environment\" to the \"tags\" variable map with the same value."
+ }
+ }
+
+ variable "prefix" {
+ description = "The prefix used for naming resources"
+ type = string
+ default = "github-actions"
 }
 variable "namespaces" {
diff --git a/modules/ssm/ssm.tf b/modules/ssm/ssm.tf
index 91f1d17cdf..9b4d96cb1f 100644
--- a/modules/ssm/ssm.tf
+++ b/modules/ssm/ssm.tf
@@ -1,5 +1,5 @@
 resource "aws_ssm_parameter" "github_app_id" {
- name = "/actions_runner/${var.environment}/github_app_id"
+ name = "/actions_runner/${var.prefix}/github_app_id"
 type = "SecureString"
 value = var.github_app.id
 key_id = local.kms_key_arn
@@ -7,7 +7,7 @@ resource "aws_ssm_parameter" "github_app_id" {
 }
 resource "aws_ssm_parameter" "github_app_key_base64" {
- name = "/actions_runner/${var.environment}/github_app_key_base64"
+ name = "/actions_runner/${var.prefix}/github_app_key_base64"
 type = "SecureString"
 value = var.github_app.key_base64
 key_id = local.kms_key_arn
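Review bot: In modules/setup-iam-permissions/variables.tf `prefix` ships with `default = "github-actions"`, whereas the `environment` variable it replaces had no default (the old hunk body shows only description and type), so this module now applies with no caller input and names its IAM role and policies `github-actions-terraform`, `github-actions-boundary` and `github-actions-terraform-boundary` per the main.tf hunks in this commit. IAM role and policy names are unique per account, so a second instantiation with defaults collides on those names at apply time instead of prompting for a distinct value. Either drop the default in this module so the caller must choose, or say so in the description: `description = "The prefix used for naming resources; must be unique per deployment in an AWS account, since IAM role and policy names derive from it."`.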
@@ -15,7 +15,7 @@ resource "aws_ssm_parameter" "github_app_key_base64" {
 }
 resource "aws_ssm_parameter" "github_app_webhook_secret" {
- name = "/actions_runner/${var.environment}/github_app_webhook_secret"
+ name = "/actions_runner/${var.prefix}/github_app_webhook_secret"
 type = "SecureString"
 value = var.github_app.webhook_secret
 key_id = local.kms_key_arn
diff --git a/modules/ssm/variables.tf b/modules/ssm/variables.tf
index 7528d0721c..4078ad6d1c 100644
--- a/modules/ssm/variables.tf
+++ b/modules/ssm/variables.tf
@@ -10,6 +10,18 @@ variable "github_app" {
 variable "environment" {
 description = "A name that identifies the environment, used as prefix and for tagging."
 type = string
+ default = null
+
+ validation {
+ condition = var.environment == null
+ error_message = "The \"environment\" variable is no longer used. To migrate, set the \"prefix\" variable to the original value of \"environment\" and optionally, add \"Environment\" to the \"tags\" variable map with the same value."
+ }
+ }
+
+ variable "prefix" {
+ description = "The prefix used for naming resources"
+ type = string
+ default = "github-actions"
 }
 variable "kms_key_arn" {
diff --git a/modules/webhook/main.tf b/modules/webhook/main.tf
index ad536051da..b330913158 100644
--- a/modules/webhook/main.tf
+++ b/modules/webhook/main.tf
@@ -1,11 +1,11 @@
 locals {
 webhook_endpoint = "webhook"
- role_path = var.role_path == null ? "/${var.environment}/" : var.role_path
+ role_path = var.role_path == null ? "/${var.prefix}/" : var.role_path
 lambda_zip = var.lambda_zip == null ? "${path.module}/lambdas/webhook/webhook.zip" : var.lambda_zip
 }
 resource "aws_apigatewayv2_api" "webhook" {
- name = "${var.environment}-github-action-webhook"
+ name = "${var.prefix}-github-action-webhook"
 protocol_type = "HTTP"
 tags = var.tags
 }
diff --git a/modules/webhook/variables.tf b/modules/webhook/variables.tf
index d719ad45d9..9753fbae7d 100644
--- a/modules/webhook/variables.tf
+++ b/modules/webhook/variables.tf
@@ -6,6 +6,18 @@ variable "aws_region" {
 variable "environment" {
 description = "A name that identifies the environment, used as prefix and for tagging."
 type = string
+ default = null
+
+ validation {
+ condition = var.environment == null
+ error_message = "The \"environment\" variable is no longer used. To migrate, set the \"prefix\" variable to the original value of \"environment\" and optionally, add \"Environment\" to the \"tags\" variable map with the same value."
+ }
+ }
+
+ variable "prefix" {
+ description = "The prefix used for naming resources"
+ type = string
+ default = "github-actions"
 }
 variable "github_app_webhook_secret_arn" {
diff --git a/modules/webhook/webhook.tf b/modules/webhook/webhook.tf
index 25e9c4d60a..2e3c6836d4 100644
--- a/modules/webhook/webhook.tf
+++ b/modules/webhook/webhook.tf
@@ -4,7 +4,7 @@ resource "aws_lambda_function" "webhook" {
 s3_object_version = var.webhook_lambda_s3_object_version != null ? var.webhook_lambda_s3_object_version : null
 filename = var.lambda_s3_bucket == null ? local.lambda_zip : null
 source_code_hash = var.lambda_s3_bucket == null ? filebase64sha256(local.lambda_zip) : null
- function_name = "${var.environment}-webhook"
+ function_name = "${var.prefix}-webhook"
 role = aws_iam_role.webhook_lambda.arn
 handler = "index.githubWebhook"
 runtime = "nodejs14.x"
@@ -13,7 +13,7 @@ resource "aws_lambda_function" "webhook" {
 environment {
 variables = {
 ENABLE_WORKFLOW_JOB_LABELS_CHECK = var.enable_workflow_job_labels_check
- ENVIRONMENT = var.environment
+ ENVIRONMENT = var.prefix
 LOG_LEVEL = var.log_level
 LOG_TYPE = var.log_type
 REPOSITORY_WHITE_LIST = jsonencode(var.repository_white_list)
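Review bot: In the `@@ -13,7 +13,7 @@` hunk of modules/webhook/webhook.tf the Lambda still receives the value under the environment variable name `ENVIRONMENT`, so the rename is visible only on the Terraform side; the handler code is not in this diff, but if it derives the SSM parameter names from that variable, its value must stay in step with `/actions_runner/${var.prefix}/...` in modules/ssm/ssm.tf. A comment on the line would spare the next reader that lookup: `ENVIRONMENT = var.prefix # name kept for the lambda; carries the resource prefix, not an environment`. Renaming the variable to `PREFIX` would need a coordinated change in the lambda source, so keeping it is reasonable as long as it is documented. The `environment { variables = {` block continues past the hunk.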
@@ -53,7 +53,7 @@ data "aws_iam_policy_document" "lambda_assume_role_policy" {
 }
 resource "aws_iam_role" "webhook_lambda" {
- name = "${var.environment}-action-webhook-lambda-role"
+ name = "${var.prefix}-action-webhook-lambda-role"
 assume_role_policy = data.aws_iam_policy_document.lambda_assume_role_policy.json
 path = local.role_path
 permissions_boundary = var.role_permissions_boundary
@@ -61,7 +61,7 @@ resource "aws_iam_role" "webhook_lambda" {
 }
 resource "aws_iam_role_policy" "webhook_logging" {
- name = "${var.environment}-lambda-logging-policy"
+ name = "${var.prefix}-lambda-logging-policy"
 role = aws_iam_role.webhook_lambda.name
 policy = templatefile("${path.module}/policies/lambda-cloudwatch.json", {
 log_group_arn = aws_cloudwatch_log_group.webhook.arn
@@ -69,7 +69,7 @@ resource "aws_iam_role_policy" "webhook_logging" {
 }
 resource "aws_iam_role_policy" "webhook_sqs" {
- name = "${var.environment}-lambda-webhook-publish-sqs-policy"
+ name = "${var.prefix}-lambda-webhook-publish-sqs-policy"
 role = aws_iam_role.webhook_lambda.name
 policy = templatefile("${path.module}/policies/lambda-publish-sqs-policy.json", {
@@ -78,7 +78,7 @@ resource "aws_iam_role_policy" "webhook_sqs" {
 }
 resource "aws_iam_role_policy" "webhook_ssm" {
- name = "${var.environment}-lambda-webhook-publish-ssm-policy"
+ name = "${var.prefix}-lambda-webhook-publish-ssm-policy"
 role = aws_iam_role.webhook_lambda.name
 policy = templatefile("${path.module}/policies/lambda-ssm.json", {
diff --git a/variables.tf b/variables.tf
index fc0102c61b..a837afb8cf 100644
--- a/variables.tf
+++ b/variables.tf
@@ -22,6 +22,18 @@ variable "tags" {
 variable "environment" {
 description = "A name that identifies the environment, used as prefix and for tagging."
 type = string
+ default = null
+
+ validation {
+ condition = var.environment == null
+ error_message = "The \"environment\" variable is no longer used. To migrate, set the \"prefix\" variable to the original value of \"environment\" and optionally, add \"Environment\" to the \"tags\" variable map with the same value."
+ }
+ }
+
+ variable "prefix" {
+ description = "The prefix used for naming resources"
+ type = string
+ default = "github-actions"
 }
 variable "enable_organization_runners" {