From 1a25b2c6bced8ab4657ace64ef0b6694140856de Mon Sep 17 00:00:00 2001
From: imishchuk-carbon <igor.mishchuk@carbonhealth.com>
Date: Thu, 26 Oct 2023 08:40:30 +0300
Subject: [PATCH] feat: Add public IP association to github runner (#3547)

### Description

* Add option to associate public IP with runner (disabled by default)

Fixes
[3528](https://github.com/philips-labs/terraform-aws-github-runner/issues/3528)

Suggested changes have been used in our env for over a month and it
works as expected.

### Checklists

**Development and testing:**
- [x] All tests related to the changed code pass in development
- [x] Pull request is ready for review

---------

Co-authored-by: Niek Palm <npalm@users.noreply.github.com>
---
 modules/multi-runner/README.md    |  1 +
 modules/multi-runner/runners.tf   |  1 +
 modules/multi-runner/variables.tf |  6 ++++++
 modules/runners/README.md         |  1 +
 modules/runners/main.tf           | 16 ++++++++++++++--
 modules/runners/variables.tf      |  6 ++++++
 6 files changed, 29 insertions(+), 2 deletions(-)

diff --git a/modules/multi-runner/README.md b/modules/multi-runner/README.md
index 5a84f441..e1aded59 100644
--- a/modules/multi-runner/README.md
+++ b/modules/multi-runner/README.md
@@ -116,6 +116,7 @@ module "multi-runner" {
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| <a name="input_associate_public_ipv4_address"></a> [associate\_public\_ipv4\_address](#input\_associate\_public\_ipv4\_address) | Associate public IPv4 with the runner. Only tested with IPv4 | `bool` | `false` | no |
 | <a name="input_aws_partition"></a> [aws\_partition](#input\_aws\_partition) | (optiona) partition in the arn namespace to use if not 'aws' | `string` | `"aws"` | no |
 | <a name="input_aws_region"></a> [aws\_region](#input\_aws\_region) | AWS region. | `string` | n/a | yes |
 | <a name="input_cloudwatch_config"></a> [cloudwatch\_config](#input\_cloudwatch\_config) | (optional) Replaces the module default cloudwatch log config. See https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Agent-Configuration-File-Details.html for details. | `string` | `null` | no |
diff --git a/modules/multi-runner/runners.tf b/modules/multi-runner/runners.tf
index 917f8b01..e2960e85 100644
--- a/modules/multi-runner/runners.tf
+++ b/modules/multi-runner/runners.tf
@@ -103,4 +103,5 @@ module "runners" {
   pool_lambda_timeout                        = var.pool_lambda_timeout
   pool_runner_owner                          = each.value.runner_config.pool_runner_owner
   pool_lambda_reserved_concurrent_executions = var.pool_lambda_reserved_concurrent_executions
+  associate_public_ipv4_address              = var.associate_public_ipv4_address
 }
diff --git a/modules/multi-runner/variables.tf b/modules/multi-runner/variables.tf
index dbe17d2d..638bfa9f 100644
--- a/modules/multi-runner/variables.tf
+++ b/modules/multi-runner/variables.tf
@@ -556,3 +556,9 @@ variable "lambda_tracing_mode" {
   type        = string
   default     = null
 }
+
+variable "associate_public_ipv4_address" {
+  description = "Associate public IPv4 with the runner. Only tested with IPv4"
+  type        = bool
+  default     = false
+}
diff --git a/modules/runners/README.md b/modules/runners/README.md
index a6826a2e..7c9c9718 100644
--- a/modules/runners/README.md
+++ b/modules/runners/README.md
@@ -126,6 +126,7 @@ yarn run dist
 | <a name="input_ami_id_ssm_parameter_name"></a> [ami\_id\_ssm\_parameter\_name](#input\_ami\_id\_ssm\_parameter\_name) | Externally managed SSM parameter (of data type aws:ec2:image) that contains the AMI ID to launch runner instances from. Overrides ami\_filter | `string` | `null` | no |
 | <a name="input_ami_kms_key_arn"></a> [ami\_kms\_key\_arn](#input\_ami\_kms\_key\_arn) | Optional CMK Key ARN to be used to launch an instance from a shared encrypted AMI | `string` | `null` | no |
 | <a name="input_ami_owners"></a> [ami\_owners](#input\_ami\_owners) | The list of owners used to select the AMI of action runner instances. | `list(string)` | <pre>[<br>  "amazon"<br>]</pre> | no |
+| <a name="input_associate_public_ipv4_address"></a> [associate\_public\_ipv4\_address](#input\_associate\_public\_ipv4\_address) | Associate public IPv4 with the runner. Only tested with IPv4 | `bool` | `false` | no |
 | <a name="input_aws_partition"></a> [aws\_partition](#input\_aws\_partition) | (optional) partition for the base arn if not 'aws' | `string` | `"aws"` | no |
 | <a name="input_aws_region"></a> [aws\_region](#input\_aws\_region) | AWS region. | `string` | n/a | yes |
 | <a name="input_block_device_mappings"></a> [block\_device\_mappings](#input\_block\_device\_mappings) | The EC2 instance block device configuration. Takes the following keys: `device_name`, `delete_on_termination`, `volume_type`, `volume_size`, `encrypted`, `iops`, `throughput`, `kms_key_id`, `snapshot_id`. | <pre>list(object({<br>    delete_on_termination = optional(bool, true)<br>    device_name           = optional(string, "/dev/xvda")<br>    encrypted             = optional(bool, true)<br>    iops                  = optional(number)<br>    kms_key_id            = optional(string)<br>    snapshot_id           = optional(string)<br>    throughput            = optional(number)<br>    volume_size           = number<br>    volume_type           = optional(string, "gp3")<br>  }))</pre> | <pre>[<br>  {<br>    "volume_size": 30<br>  }<br>]</pre> | no |
diff --git a/modules/runners/main.tf b/modules/runners/main.tf
index f768033f..070511d4 100644
--- a/modules/runners/main.tf
+++ b/modules/runners/main.tf
@@ -119,10 +119,10 @@ resource "aws_launch_template" "runner" {
   key_name                             = var.key_name
   ebs_optimized                        = var.ebs_optimized
 
-  vpc_security_group_ids = compact(concat(
+  vpc_security_group_ids = !var.associate_public_ipv4_address ? compact(concat(
     var.enable_managed_runner_security_group ? [aws_security_group.runner_sg[0].id] : [],
     var.runner_additional_security_group_ids,
-  ))
+  )) : []
 
   tag_specifications {
     resource_type = "instance"
@@ -176,6 +176,18 @@ resource "aws_launch_template" "runner" {
   tags = local.tags
 
   update_default_version = true
+
+  dynamic "network_interfaces" {
+    for_each = var.associate_public_ipv4_address ? [var.associate_public_ipv4_address] : []
+    iterator = associate_public_ipv4_address
+    content {
+      associate_public_ip_address = associate_public_ipv4_address.value
+      security_groups = compact(concat(
+        var.enable_managed_runner_security_group ? [aws_security_group.runner_sg[0].id] : [],
+        var.runner_additional_security_group_ids,
+      ))
+    }
+  }
 }
 
 resource "aws_security_group" "runner_sg" {
diff --git a/modules/runners/variables.tf b/modules/runners/variables.tf
index 3433e8d1..15a94a79 100644
--- a/modules/runners/variables.tf
+++ b/modules/runners/variables.tf
@@ -622,3 +622,9 @@ variable "enable_jit_config" {
   type        = bool
   default     = null
 }
+
+variable "associate_public_ipv4_address" {
+  description = "Associate public IPv4 with the runner. Only tested with IPv4"
+  type        = bool
+  default     = false
+}