Merge pull request #1 from philips-labs/feature/add-runner-infra
Create infra code for runners
Showing
20 changed files
with
511 additions
and
0 deletions.
@@ -0,0 +1,18 @@ | ||
locals { | ||
environment = "default-action-runners" | ||
aws_region = "eu-west-1" | ||
} | ||
|
||
module "runners" { | ||
source = "../../" | ||
|
||
aws_region = local.aws_region | ||
vpc_id = module.vpc.vpc_id | ||
|
||
environment = local.environment | ||
tags = { | ||
Project = "ProjectX" | ||
} | ||
|
||
} | ||
|
@@ -0,0 +1,5 @@ | ||
output "action_runners" { | ||
value = { | ||
runners = module.runners.runners | ||
} | ||
} |
@@ -0,0 +1,5 @@ | ||
provider "aws" { | ||
region = local.aws_region | ||
version = "2.59" | ||
} | ||
|
@@ -0,0 +1,7 @@ | ||
module "vpc" { | ||
source = "git::https://github.com/philips-software/terraform-aws-vpc.git?ref=2.1.0" | ||
|
||
environment = local.environment | ||
aws_region = local.aws_region | ||
} | ||
|
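Review bot: The `source` line of the vpc module pulls code from a public git repository by tag (`?ref=2.1.0`), and a tag is a mutable pointer that the upstream owner, or anyone who gains write access to that repository, can move, so the module code can change underneath this deployment with no change in this repo. Pin to a full commit SHA instead, `source = "git::https://github.com/philips-software/terraform-aws-vpc.git?ref=<40-character commit sha>"`, and note the tag it corresponds to in a comment beside it. If the organisation publishes modules to a private registry, sourcing from there with a version constraint gives the same guarantee in a more readable form.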
@@ -0,0 +1,64 @@ | ||
resource "random_string" "random" { | ||
length = 24 | ||
special = false | ||
upper = false | ||
} | ||
|
||
module "dsitrubtion_cache" { | ||
source = "./modules/action-runner-binary-cache" | ||
|
||
aws_region = var.aws_region | ||
environment = var.environment | ||
tags = var.tags | ||
|
||
distribution_bucket_name = "${var.environment}-dist-${random_string.random.result}" | ||
} | ||
|
||
module "runners" { | ||
source = "./modules/runners" | ||
|
||
aws_region = var.aws_region | ||
vpc_id = var.vpc_id | ||
environment = var.environment | ||
tags = var.tags | ||
|
||
s3_location_runner_distribution = module.dsitrubtion_cache.s3_location_runner_distribution | ||
} | ||
|
||
|
||
resource "aws_iam_policy" "dist_bucket" { | ||
name = "${var.environment}-gh-distribution-bucket" | ||
path = "/" | ||
description = "Policy for the runner to download the github action runner." | ||
|
||
policy = templatefile("${path.module}/policies/action-runner-s3-policy.json", | ||
{ | ||
s3_arn = module.dsitrubtion_cache.distribution_bucket.arn | ||
} | ||
) | ||
} | ||
|
||
resource "aws_iam_role_policy_attachment" "dist_bucket" { | ||
role = module.runners.role.name | ||
policy_arn = aws_iam_policy.dist_bucket.arn | ||
} | ||
|
||
resource "aws_resourcegroups_group" "resourcegroups_group" { | ||
name = "${var.environment}-group" | ||
|
||
resource_query { | ||
query = <<-JSON | ||
{ | ||
"ResourceTypeFilters": [ | ||
"AWS::AllSupported" | ||
], | ||
"TagFilters": [ | ||
{ | ||
"Key": "Environment", | ||
"Values": ["${var.environment}"] | ||
} | ||
] | ||
} | ||
JSON | ||
} | ||
} |
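Review bot: The `resource_query` of `aws_resourcegroups_group.resourcegroups_group` builds JSON by interpolating `var.environment` into a heredoc, so an environment value containing a quote or backslash produces invalid JSON that only fails at apply time; `jsonencode()` escapes correctly and lets Terraform validate the structure: `query = jsonencode({ ResourceTypeFilters = ["AWS::AllSupported"], TagFilters = [{ Key = "Environment", Values = [var.environment] }] })`. Separately, the module label `dsitrubtion_cache` is misspelled and referenced three times in this file; renaming it to `distribution_cache` before anything is deployed avoids a state move later. The template `policies/action-runner-s3-policy.json` used by `aws_iam_policy.dist_bucket` is not rendered in this view, so the scope of the S3 grant the runner role receives could not be checked here.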
@@ -0,0 +1,11 @@ | ||
locals { | ||
action_runner_distribution_object_key = "actions-runner-linux.tar.gz" | ||
} | ||
|
||
resource "aws_s3_bucket" "action_dist" { | ||
bucket = var.distribution_bucket_name | ||
acl = "private" | ||
force_destroy = true | ||
tags = var.tags | ||
} | ||
|
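Review bot: `aws_s3_bucket.action_dist` sets only `acl = "private"`; there is no `aws_s3_bucket_public_access_block`, no server-side encryption and no versioning, yet this bucket holds the runner tarball that every instance downloads and executes. A later ACL or bucket-policy change could expose the object or, worse, let someone replace it, and blocking public access plus versioning is cheap insurance and leaves a history of what was served if tampering ever has to be investigated. The lines below add those settings inside the existing resource (provider 2.59 still takes them as nested blocks) and a public-access block beside it; the user-data that fetches the object is not visible here, so I have not proposed integrity checking of the download, but it is worth considering.
```hcl
resource "aws_s3_bucket" "action_dist" {
  # … unchanged: bucket, acl, force_destroy, tags …

  # keep prior versions so a replaced runner archive can be traced
  versioning {
    enabled = true
  }

  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        sse_algorithm = "AES256"
      }
    }
  }
}

# the runner binary must never be reachable anonymously, whatever the ACL says
resource "aws_s3_bucket_public_access_block" "action_dist" {
  bucket                  = aws_s3_bucket.action_dist.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}
```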
@@ -0,0 +1,7 @@ | ||
output "distribution_bucket" { | ||
value = aws_s3_bucket.action_dist | ||
} | ||
|
||
output "s3_location_runner_distribution" { | ||
value = "s3://${aws_s3_bucket.action_dist.id}/${local.action_runner_distribution_object_key}" | ||
} |
@@ -0,0 +1,21 @@ | ||
variable "aws_region" { | ||
description = "AWS region." | ||
type = string | ||
} | ||
|
||
variable "tags" { | ||
description = "Map of tags that will be added to created resources. By default resources will be tagged with name and environment." | ||
type = map(string) | ||
default = {} | ||
} | ||
|
||
variable "environment" { | ||
description = "A name that identifies the environment, used as prefix and for tagging." | ||
type = string | ||
} | ||
|
||
variable "distribution_bucket_name" { | ||
description = "Bucket for storing the action runner distribution." | ||
type = string | ||
} | ||
|
@@ -0,0 +1,8 @@ | ||
# Action runner module | ||
|
||
The module create resources to facilitate the `orchestrator labmda` to recreate action runners. | ||
|
||
- *launch template* : A launch template is created that can create an action runner, by default a spot instance is requested. For configuration parameters SSM is used. | ||
- *security group* : Security groups attached to the action runner. | ||
- *s3 bucket* : To avoid the action runner distribution to be downloaded from Github every time (which could be slow), a version is cached in a S3 bucket. | ||
- *policies and roles* : Policies and roles for the action runner. By default the session manager is enabled |
@@ -0,0 +1,93 @@ | ||
locals { | ||
name_sg = var.overrides["name_sg"] == "" ? local.tags["Name"] : var.overrides["name_sg"] | ||
|
||
tags = merge( | ||
{ | ||
"Name" = format("%s", var.environment) | ||
}, | ||
{ | ||
"Environment" = format("%s", var.environment) | ||
}, | ||
var.tags, | ||
) | ||
} | ||
|
||
data "aws_ami" "runner" { | ||
most_recent = "true" | ||
|
||
dynamic "filter" { | ||
for_each = var.ami_filter | ||
content { | ||
name = filter.key | ||
values = filter.value | ||
} | ||
} | ||
|
||
owners = var.ami_owners | ||
} | ||
|
||
resource "aws_launch_template" "runner" { | ||
name = "${var.environment}-action-runner" | ||
|
||
dynamic "block_device_mappings" { | ||
for_each = [var.block_device_mappings] | ||
content { | ||
device_name = "/dev/xvda" | ||
|
||
ebs { | ||
delete_on_termination = lookup(block_device_mappings.value, "delete_on_termination", true) | ||
volume_type = lookup(block_device_mappings.value, "volume_type", "gp2") | ||
volume_size = lookup(block_device_mappings.value, "volume_size", 30) | ||
encrypted = lookup(block_device_mappings.value, "encrypted", true) | ||
iops = lookup(block_device_mappings.value, "iops", null) | ||
} | ||
} | ||
} | ||
|
||
iam_instance_profile { | ||
name = aws_iam_instance_profile.runner.name | ||
} | ||
|
||
instance_initiated_shutdown_behavior = "terminate" | ||
|
||
instance_market_options { | ||
market_type = var.market_options | ||
} | ||
|
||
image_id = data.aws_ami.runner.id | ||
instance_type = var.instance_type | ||
|
||
vpc_security_group_ids = [aws_security_group.runner_sg.id] | ||
|
||
tag_specifications { | ||
resource_type = "instance" | ||
tags = local.tags | ||
} | ||
|
||
user_data = base64encode(templatefile("${path.module}/templates/user-data.sh", { | ||
environment = var.environment | ||
pre_install = var.userdata_pre_install | ||
post_install = var.userdata_post_install | ||
s3_location_runner_distribution = var.s3_location_runner_distribution | ||
})) | ||
} | ||
|
||
resource "aws_security_group" "runner_sg" { | ||
name_prefix = "${var.environment}-github-actions-runner-sg" | ||
description = "Github Actions Runner security group" | ||
|
||
vpc_id = var.vpc_id | ||
|
||
egress { | ||
from_port = 0 | ||
to_port = 0 | ||
protocol = "-1" | ||
cidr_blocks = ["0.0.0.0/0"] | ||
} | ||
tags = merge( | ||
local.tags, | ||
{ | ||
"Name" = format("%s", local.name_sg) | ||
}, | ||
) | ||
} |
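Review bot: `aws_launch_template.runner` has no `metadata_options` block, so the instances accept IMDSv1 and the credentials of the `aws_iam_instance_profile.runner` role are readable by any process on the box with one unauthenticated GET — including the workflow jobs the runner exists to execute and anything they start in containers. Requiring IMDSv2 with a hop limit of 1 closes the easiest path from a job to the instance role; the block below goes next to `iam_instance_profile`, and the example's provider pin of 2.59 may need raising for the attribute to be accepted. The all-ports egress to `0.0.0.0/0` in `aws_security_group.runner_sg` is plausibly intended for a CI runner but deserves a comment saying so, e.g. `# outbound only: runners must reach GitHub and package mirrors; no ingress is opened`. Also, the `name_sg` local indexes `var.overrides["name_sg"]` directly, which errors when a caller's map lacks that key; `lookup(var.overrides, "name_sg", "")` is the safe form (the variable's declaration is not in this view).
```hcl
  iam_instance_profile {
    name = aws_iam_instance_profile.runner.name
  }

  # Require IMDSv2 so a workflow job cannot read the instance-role credentials
  # with a plain GET; hop limit 1 also keeps containers from reaching IMDS.
  metadata_options {
    http_endpoint               = "enabled"
    http_tokens                 = "required"
    http_put_response_hop_limit = 1
  }

  # … unchanged: instance_initiated_shutdown_behavior, instance_market_options, … …
```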
@@ -0,0 +1,7 @@ | ||
output "launch_template" { | ||
value = aws_launch_template.runner | ||
} | ||
|
||
output "role" { | ||
value = aws_iam_role.runner | ||
} |
@@ -0,0 +1,47 @@ | ||
data "aws_caller_identity" "current" {} | ||
|
||
resource "aws_iam_role" "runner" { | ||
name = "${var.environment}-github-action-runners-runner-role" | ||
assume_role_policy = templatefile("${path.module}/policies/instance-role-trust-policy.json", {}) | ||
tags = local.tags | ||
} | ||
|
||
resource "aws_iam_instance_profile" "runner" { | ||
name = "${var.environment}-github-action-runners-profile" | ||
role = aws_iam_role.runner.name | ||
} | ||
|
||
resource "aws_iam_policy" "runner_session_manager_policy" { | ||
name = "${var.environment}-github-action-runners-session-manager" | ||
path = "/" | ||
description = "Policy session manager." | ||
|
||
policy = templatefile("${path.module}/policies/instance-session-manager-policy.json", {}) | ||
} | ||
|
||
resource "aws_iam_role_policy_attachment" "runner_session_manager_policy" { | ||
role = aws_iam_role.runner.name | ||
policy_arn = aws_iam_policy.runner_session_manager_policy.arn | ||
} | ||
|
||
resource "aws_iam_role_policy_attachment" "runner_session_manager_aws_managed" { | ||
role = aws_iam_role.runner.name | ||
policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore" | ||
} | ||
|
||
resource "aws_iam_policy" "ssm_parameters" { | ||
name = "${var.environment}-runner-ssm-parameters" | ||
path = "/" | ||
description = "Policy for the runner to download the github action runner." | ||
|
||
policy = templatefile("${path.module}/policies/instance-ssm-parameters-policy.json", | ||
{ | ||
arn_ssm_parameters = "arn:aws:ssm:${var.aws_region}:${data.aws_caller_identity.current.account_id}:parameter/${var.environment}-*" | ||
} | ||
) | ||
} | ||
|
||
resource "aws_iam_role_policy_attachment" "ssm_parameters" { | ||
role = aws_iam_role.runner.name | ||
policy_arn = aws_iam_policy.ssm_parameters.arn | ||
} |
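Review bot: The `description` of `aws_iam_policy.ssm_parameters` is copied from the distribution-bucket policy ("Policy for the runner to download the github action runner.") and does not say what this policy grants; `description = "Policy for the runner to read and delete SSM parameters named ${var.environment}-*."` would. The `arn_ssm_parameters` value is a prefix wildcard over every parameter named `${var.environment}-*` in the account and region, and because this role sits on instances that run workflow jobs, every job inherits that read/delete scope. The README in this change says SSM holds the runner configuration, but the component that writes those parameters is not in this diff, so I cannot tell how many parameters will match; once the names are settled, narrowing the ARN to them, or at least adding a comment on that line stating which parameters are expected under the prefix, would let the next reviewer verify the scope.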
@@ -0,0 +1,13 @@ | ||
{ | ||
"Version": "2012-10-17", | ||
"Statement": [ | ||
{ | ||
"Sid": "", | ||
"Effect": "Allow", | ||
"Principal": { | ||
"Service": "ec2.amazonaws.com" | ||
}, | ||
"Action": "sts:AssumeRole" | ||
} | ||
] | ||
} |
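--- a/modules/runners/policies/instance-session-manager-policy.json
+++ b/modules/runners/policies/instance-session-manager-policy.json
@@ -0,0 +1,15 @@
+{
+"Version": "2012-10-17",
+"Statement": [
+{
+"Effect": "Allow",
+"Action": [
+"ssmmessages:CreateControlChannel",
+"ssmmessages:CreateDataChannel",
+"ssmmessages:OpenControlChannel",
+"ssmmessages:OpenDataChannel"
+],
+"Resource": "*"
+}
+]
+}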
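Review bot: The four `ssmmessages:*` actions in this statement are already granted by the AWS-managed `AmazonSSMManagedInstanceCore` policy that `policies.tf` in this same change attaches to the same role, so this custom policy adds no permission and only leaves a second place to audit. Dropping it together with its `aws_iam_policy` and attachment resources keeps the role's effective permissions unchanged; if it is kept for explicitness, adding `"Sid": "SessionManagerChannels"` makes the intent visible in the console. `"Resource": "*"` is unavoidable here, as these actions do not support resource-level restriction.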
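--- a/modules/runners/policies/instance-ssm-parameters-policy.json
+++ b/modules/runners/policies/instance-ssm-parameters-policy.json
@@ -0,0 +1,15 @@
+{
+"Version": "2012-10-17",
+"Statement": [
+{
+"Effect": "Allow",
+"Action": ["ssm:DeleteParameter"],
+"Resource": "${arn_ssm_parameters}"
+},
+{
+"Effect": "Allow",
+"Action": ["ssm:GetParameters"],
+"Resource": "${arn_ssm_parameters}"
+}
+]
+}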
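Review bot: The two statements grant `ssm:DeleteParameter` and `ssm:GetParameters` on the same `${arn_ssm_parameters}` prefix and could be one statement with both actions; more importantly, DeleteParameter lets the instance, and therefore any workflow job running on it, remove every parameter under that prefix rather than only its own. If the intent is that a runner cleans up its own configuration parameter after reading it, consider passing that parameter's exact name into the template for the Delete statement, and give each statement a `"Sid"` naming its use case, e.g. `"Sid": "ReadRunnerConfig"` and `"Sid": "DeleteRunnerConfig"`. The value of `arn_ssm_parameters` is set in `policies.tf` in this change; the component that writes the parameters is not, so the "own parameter" reading is an assumption to confirm.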