## Retrieve instance metadata Write-Host "Retrieving TOKEN from AWS API" $token=Invoke-RestMethod -Method PUT -Uri "http://169.254.169.254/latest/api/token" -Headers @{"X-aws-ec2-metadata-token-ttl-seconds" = "180"} $metadata=Invoke-RestMethod -Uri "http://169.254.169.254/latest/dynamic/instance-identity/document" -Headers @{"X-aws-ec2-metadata-token" = $token} $Region = $metadata.region Write-Host "Reteieved REGION from AWS API ($Region)" $InstanceId = $metadata.instanceId Write-Host "Reteieved InstanceId from AWS API ($InstanceId)" $tags=aws ec2 describe-tags --region "$Region" --filters "Name=resource-id,Values=$InstanceId" | ConvertFrom-Json Write-Host "Retrieved tags from AWS API" $environment=$tags.Tags.where( {$_.Key -eq 'ghr:environment'}).value Write-Host "Reteieved ghr:environment tag - ($environment)" $parameters=$(aws ssm get-parameters-by-path --path "/$environment/runner" --region "$Region" --query "Parameters[*].{Name:Name,Value:Value}") | ConvertFrom-Json Write-Host "Retrieved parameters from AWS SSM" $run_as=$parameters.where( {$_.Name -eq "/$environment/runner/run-as"}).value Write-Host "Retrieved /$environment/runner/run-as parameter - ($run_as)" $enable_cloudwatch_agent=$parameters.where( {$_.Name -eq "/$environment/runner/enable-cloudwatch"}).value Write-Host "Retrieved /$environment/runner/enable-cloudwatch parameter - ($enable_cloudwatch_agent)" $agent_mode=$parameters.where( {$_.Name -eq "/$environment/runner/agent-mode"}).value Write-Host "Retrieved /$environment/runner/agent-mode parameter - ($agent_mode)" if ($enable_cloudwatch_agent -eq "true") { Write-Host "Enabling CloudWatch Agent" & 'C:\Program Files\Amazon\AmazonCloudWatchAgent\amazon-cloudwatch-agent-ctl.ps1' -a fetch-config -m ec2 -s -c "ssm:$environment-cloudwatch_agent_config_runner" } ## Configure the runner Write-Host "Get GH Runner config from AWS SSM" $config = $null $i = 0 do { $config = (aws ssm get-parameters --names "$environment-$InstanceId" --with-decryption --region $Region --query "Parameters[*].{Name:Name,Value:Value}" | ConvertFrom-Json)[0].value Write-Host "Waiting for GH Runner config to become available in AWS SSM ($i/30)" Start-Sleep 1 $i++ } while (($null -eq $config) -and ($i -lt 30)) Write-Host "Delete GH Runner token from AWS SSM" aws ssm delete-parameter --name "$environment-$InstanceId" --region $Region # Create or update user if (-not($run_as)) { Write-Host "No user specified, using default ec2-user account" $run_as="ec2-user" } Add-Type -AssemblyName "System.Web" $password = [System.Web.Security.Membership]::GeneratePassword(24, 4) $securePassword = ConvertTo-SecureString $password -AsPlainText -Force $username = $run_as if (!(Get-LocalUser -Name $username -ErrorAction Ignore)) { New-LocalUser -Name $username -Password $securePassword Write-Host "Created new user ($username)" } else { Set-LocalUser -Name $username -Password $securePassword Write-Host "Changed password for user ($username)" } # Add user to groups foreach ($group in @("Administrators", "docker-users")) { if ((Get-LocalGroup -Name "$group" -ErrorAction Ignore) -and !(Get-LocalGroupMember -Group "$group" -Member $username -ErrorAction Ignore)) { Add-LocalGroupMember -Group "$group" -Member $username Write-Host "Added $username to $group group" } } # Disable User Access Control (UAC) # TODO investigate if this is needed or if its overkill - https://github.com/philips-labs/terraform-aws-github-runner/issues/1505 Set-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name ConsentPromptBehaviorAdmin -Value 0 -Force Write-Host "Disabled User Access Control (UAC)" $configCmd = ".\config.cmd --unattended --name $InstanceId --work `"_work`" $config" Write-Host "Configure GH Runner as user $run_as" Invoke-Expression $configCmd Write-Host "Starting the runner as user $run_as" Write-Host "Installing the runner as a service" $action = New-ScheduledTaskAction -WorkingDirectory "$pwd" -Execute "run.cmd" $trigger = Get-CimClass "MSFT_TaskRegistrationTrigger" -Namespace "Root/Microsoft/Windows/TaskScheduler" Register-ScheduledTask -TaskName "runnertask" -Action $action -Trigger $trigger -User $username -Password $password -RunLevel Highest -Force Write-Host "Starting the runner in persistent mode" Write-Host "Starting runner after $(((get-date) - (gcim Win32_OperatingSystem).LastBootUpTime).tostring("hh':'mm':'ss''"))"