# 20 random bytes; the hex form is handed to the GitHub App as its webhook
# secret further down.
resource "random_id" "random" {
  byte_length = 20
}

################################################################################
### Hybrid account
################################################################################

# Ignoring tfsec issues within the third party module:
# TODO: Revisit these
# NOTE(review): every suppression below hides a real finding raised against the
# upstream module. aws-autoscaling-enforce-http-token-imds is the one worth
# revisiting first: without IMDSv2 enforcement, a job executing on a runner
# could read the instance profile's credentials from IMDSv1 -- check whether
# the module exposes a metadata_options / IMDSv2 toggle.
# tfsec:ignore:aws-vpc-no-public-egress-sgr
# tfsec:ignore:aws-sqs-enable-queue-encryption
# tfsec:ignore:aws-s3-encryption-customer-key
# tfsec:ignore:aws-s3-enable-bucket-encryption
# tfsec:ignore:aws-autoscaling-enforce-http-token-imds
# tfsec:ignore:aws-s3-enable-versioning
# tfsec:ignore:aws-api-gateway-enable-access-logging
module "runners" {
  source = "../../thirdparty/terraform-aws-github-runner"

  # --- Account / placement ---------------------------------------------------
  aws_partition = var.aws_partition
  aws_region    = var.aws_region
  vpc_id        = var.vpc_id
  # NOTE(review): the runners are placed in the *public* subnets even though
  # operator access goes through SSM (enable_ssm_on_runners below), which does
  # not need a public IP. Private subnets with NAT egress are the usual choice;
  # confirm with the network owner whether such subnets exist before changing.
  subnet_ids = var.public_subnets

  prefix = lower("${var.org}-github-runners")
  tags   = merge(local.standard_tags, var.tags, { org = var.org })

  # --- GitHub App -------------------------------------------------------------
  ghes_url = local.ghes_url
  github_app = {
    id         = var.github_app_id
    key_base64 = local.webhook_key
    # Taken from the random_id resource above. Like every resource attribute it
    # is recorded in Terraform state, so the state backend holds a secret.
    webhook_secret = random_id.random.hex
  }
  # Org-level registration: presumably any repository in the org can schedule
  # jobs onto these runners -- confirm which repos/workflows are allowed to.
  enable_organization_runners = true
  runner_extra_labels         = "default"

  # --- Lambda deployment packages -------------------------------------------
  # The module's Lambdas are fetched from S3 rather than built locally.
  # NOTE(review): verify the bucket is owned by this account and that the keys
  # are only written by a trusted build, since replacing these zips replaces
  # the code that controls runner creation.
  lambda_s3_bucket      = "afsxdr-binaries"
  webhook_lambda_s3_key = "terraform-aws-github/webhook.zip"
  syncer_lambda_s3_key  = "terraform-aws-github/runner-binaries-syncer.zip"
  runners_lambda_s3_key = "terraform-aws-github/runners.zip"
  role_path             = "/lambda/"
  instance_profile_path = "/lambda/"

  # --- Runner instances -------------------------------------------------------
  instance_types                = ["m5a.large", "c5a.large"]
  # Spot or on-demand
  instance_target_capacity_type = "spot"
  # The module does not create the spot service-linked role here; presumably it
  # already exists in the account (see the commented alternative at the end).
  create_service_linked_role_spot = false
  runners_maximum_count           = 1
  # Operator access to the runners is via SSM.
  enable_ssm_on_runners = true
  # Root volume for the default Amazon Linux 2 image.
  block_device_mappings = [{
    device_name           = "/dev/xvda"
    volume_type           = "gp3"
    volume_size           = 10
    iops                  = null
    encrypted             = true
    delete_on_termination = true
  }]

  # --- Runner binaries bucket -------------------------------------------------
  # SSE-S3 (AES256) on the bucket holding the runner binaries; switch the
  # algorithm to "aws:kms" if a customer-managed key is required.
  runner_binaries_s3_sse_configuration = {
    rule = {
      apply_server_side_encryption_by_default = {
        sse_algorithm = "AES256"
      }
    }
  }

  # --- Queueing / scaling -----------------------------------------------------
  # Override the webhook event delay (seconds).
  delay_webhook_event = 5
  # FIFO queue so that build events keep their order.
  fifo_build_queue = true

  # Uncomment to keep one idle runner from 09:00 to 17:00, Amsterdam time:
  # idle_config = [{
  #   cron      = "* * 9-17 * * *"
  #   timeZone  = "Europe/Amsterdam"
  #   idleCount = 1
  # }]

  # Let the module manage the spot service-linked role instead:
  # create_service_linked_role_spot = true

  # Override the scale-down schedule:
  # scale_down_schedule_expression = "cron(* * * * ? *)"
}