xdr-terraform-modules/thirdparty/terraform-aws-github-runner/main.tf

locals {
  tags = merge(var.tags, {
    "ghr:environment" = var.prefix
  })

  s3_action_runner_url = "s3://${module.runner_binaries.bucket.id}/${module.runner_binaries.runner_distribution_object_key}"
  github_app_parameters = {
    id         = module.ssm.parameters.github_app_id
    key_base64 = module.ssm.parameters.github_app_key_base64
  }

  default_runner_labels = "self-hosted,${var.runner_os},${var.runner_architecture}"
}

resource "random_string" "random" {
  length  = 24
  special = false
  upper   = false
}

data "aws_iam_policy_document" "deny_unsecure_transport" {
  statement {
    sid = "DenyUnsecureTransport"

    effect = "Deny"

    principals {
      type        = "AWS"
      identifiers = ["*"]
    }

    actions = [
      "sqs:*"
    ]

    resources = [
      "*"
    ]

    condition {
      test     = "Bool"
      variable = "aws:SecureTransport"
      values   = ["false"]
    }
  }
}

resource "aws_sqs_queue_policy" "build_queue_policy" {
  queue_url = aws_sqs_queue.queued_builds.id
  policy    = data.aws_iam_policy_document.deny_unsecure_transport.json
}

resource "aws_sqs_queue" "queued_builds" {
  name                        = "${var.prefix}-queued-builds${var.fifo_build_queue ? ".fifo" : ""}"
  delay_seconds               = var.delay_webhook_event
  visibility_timeout_seconds  = var.runners_scale_up_lambda_timeout
  message_retention_seconds   = var.job_queue_retention_in_seconds
  fifo_queue                  = var.fifo_build_queue
  receive_wait_time_seconds   = 0
  content_based_deduplication = var.fifo_build_queue
  redrive_policy = var.redrive_build_queue.enabled ? jsonencode({
    deadLetterTargetArn = aws_sqs_queue.queued_builds_dlq[0].arn,
    maxReceiveCount     = var.redrive_build_queue.maxReceiveCount
  }) : null

  tags = var.tags
}


resource "aws_sqs_queue_policy" "build_queue_dlq_policy" {
  count     = var.redrive_build_queue.enabled ? 1 : 0
  queue_url = aws_sqs_queue.queued_builds.id
  policy    = data.aws_iam_policy_document.deny_unsecure_transport.json
}

resource "aws_sqs_queue" "queued_builds_dlq" {
  count = var.redrive_build_queue.enabled ? 1 : 0
  name  = "${var.prefix}-queued-builds_dead_letter"

  tags = var.tags
}

module "ssm" {
  source = "./modules/ssm"

  kms_key_arn = var.kms_key_arn
  prefix      = var.prefix
  github_app  = var.github_app
  tags        = local.tags
}

module "webhook" {
  source = "./modules/webhook"

  aws_region  = var.aws_region
  prefix      = var.prefix
  tags        = local.tags
  kms_key_arn = var.kms_key_arn

  sqs_build_queue               = aws_sqs_queue.queued_builds
  sqs_build_queue_fifo          = var.fifo_build_queue
  github_app_webhook_secret_arn = module.ssm.parameters.github_app_webhook_secret.arn

  lambda_s3_bucket                 = var.lambda_s3_bucket
  webhook_lambda_s3_key            = var.webhook_lambda_s3_key
  webhook_lambda_s3_object_version = var.webhook_lambda_s3_object_version
  lambda_runtime                   = var.lambda_runtime
  lambda_architecture              = var.lambda_architecture
  lambda_zip                       = var.webhook_lambda_zip
  lambda_timeout                   = var.webhook_lambda_timeout
  logging_retention_in_days        = var.logging_retention_in_days
  logging_kms_key_id               = var.logging_kms_key_id

  # labels
  enable_workflow_job_labels_check = var.runner_enable_workflow_job_labels_check
  workflow_job_labels_check_all    = var.runner_enable_workflow_job_labels_check_all
  runner_labels                    = var.runner_extra_labels != "" ? "${local.default_runner_labels},${var.runner_extra_labels}" : local.default_runner_labels

  role_path                 = var.role_path
  role_permissions_boundary = var.role_permissions_boundary
  repository_white_list     = var.repository_white_list

  log_type  = var.log_type
  log_level = var.log_level
}

module "runners" {
  source = "./modules/runners"

  aws_region    = var.aws_region
  aws_partition = var.aws_partition
  vpc_id        = var.vpc_id
  subnet_ids    = var.subnet_ids
  prefix        = var.prefix
  tags          = local.tags

  s3_bucket_runner_binaries   = module.runner_binaries.bucket
  s3_location_runner_binaries = local.s3_action_runner_url

  runner_os                     = var.runner_os
  instance_types                = var.instance_types
  instance_target_capacity_type = var.instance_target_capacity_type
  instance_allocation_strategy  = var.instance_allocation_strategy
  instance_max_spot_price       = var.instance_max_spot_price
  block_device_mappings         = var.block_device_mappings

  runner_architecture = var.runner_architecture
  ami_filter          = var.ami_filter
  ami_owners          = var.ami_owners

  sqs_build_queue                      = aws_sqs_queue.queued_builds
  github_app_parameters                = local.github_app_parameters
  enable_organization_runners          = var.enable_organization_runners
  enable_ephemeral_runners             = var.enable_ephemeral_runners
  enable_job_queued_check              = var.enable_job_queued_check
  disable_runner_autoupdate            = var.disable_runner_autoupdate
  enable_managed_runner_security_group = var.enable_managed_runner_security_group
  enable_runner_detailed_monitoring    = var.enable_runner_detailed_monitoring
  scale_down_schedule_expression       = var.scale_down_schedule_expression
  minimum_running_time_in_minutes      = var.minimum_running_time_in_minutes
  runner_boot_time_in_minutes          = var.runner_boot_time_in_minutes
  runner_extra_labels                  = var.runner_extra_labels
  runner_as_root                       = var.runner_as_root
  runner_run_as                        = var.runner_run_as
  runners_maximum_count                = var.runners_maximum_count
  idle_config                          = var.idle_config
  enable_ssm_on_runners                = var.enable_ssm_on_runners
  egress_rules                         = var.runner_egress_rules
  runner_additional_security_group_ids = var.runner_additional_security_group_ids
  metadata_options                     = var.runner_metadata_options

  lambda_s3_bucket                 = var.lambda_s3_bucket
  runners_lambda_s3_key            = var.runners_lambda_s3_key
  runners_lambda_s3_object_version = var.runners_lambda_s3_object_version
  lambda_runtime                   = var.lambda_runtime
  lambda_architecture              = var.lambda_architecture
  lambda_zip                       = var.runners_lambda_zip
  lambda_timeout_scale_up          = var.runners_scale_up_lambda_timeout
  lambda_timeout_scale_down        = var.runners_scale_down_lambda_timeout
  lambda_subnet_ids                = var.lambda_subnet_ids
  lambda_security_group_ids        = var.lambda_security_group_ids
  logging_retention_in_days        = var.logging_retention_in_days
  logging_kms_key_id               = var.logging_kms_key_id
  enable_cloudwatch_agent          = var.enable_cloudwatch_agent
  cloudwatch_config                = var.cloudwatch_config
  runner_log_files                 = var.runner_log_files
  runner_group_name                = var.runner_group_name

  scale_up_reserved_concurrent_executions = var.scale_up_reserved_concurrent_executions

  instance_profile_path     = var.instance_profile_path
  role_path                 = var.role_path
  role_permissions_boundary = var.role_permissions_boundary

  enabled_userdata      = var.enabled_userdata
  userdata_template     = var.userdata_template
  userdata_pre_install  = var.userdata_pre_install
  userdata_post_install = var.userdata_post_install
  key_name              = var.key_name
  runner_ec2_tags       = var.runner_ec2_tags

  create_service_linked_role_spot = var.create_service_linked_role_spot

  runner_iam_role_managed_policy_arns = var.runner_iam_role_managed_policy_arns

  ghes_url        = var.ghes_url
  ghes_ssl_verify = var.ghes_ssl_verify

  kms_key_arn = var.kms_key_arn

  log_type  = var.log_type
  log_level = var.log_level

  pool_config                                = var.pool_config
  pool_lambda_timeout                        = var.pool_lambda_timeout
  pool_runner_owner                          = var.pool_runner_owner
  pool_lambda_reserved_concurrent_executions = var.pool_lambda_reserved_concurrent_executions
}

module "runner_binaries" {
  source = "./modules/runner-binaries-syncer"

  aws_region = var.aws_region
  prefix     = var.prefix
  tags       = local.tags

  distribution_bucket_name = "${var.prefix}-dist-${random_string.random.result}"

  runner_os                        = var.runner_os
  runner_architecture              = var.runner_architecture
  runner_allow_prerelease_binaries = var.runner_allow_prerelease_binaries

  lambda_s3_bucket                = var.lambda_s3_bucket
  syncer_lambda_s3_key            = var.syncer_lambda_s3_key
  syncer_lambda_s3_object_version = var.syncer_lambda_s3_object_version
  lambda_runtime                  = var.lambda_runtime
  lambda_architecture             = var.lambda_architecture
  lambda_zip                      = var.runner_binaries_syncer_lambda_zip
  lambda_timeout                  = var.runner_binaries_syncer_lambda_timeout
  logging_retention_in_days       = var.logging_retention_in_days
  logging_kms_key_id              = var.logging_kms_key_id

  server_side_encryption_configuration = var.runner_binaries_s3_sse_configuration

  role_path                 = var.role_path
  role_permissions_boundary = var.role_permissions_boundary

  log_type  = var.log_type
  log_level = var.log_level

  lambda_principals = var.lambda_principals
}

resource "aws_resourcegroups_group" "resourcegroups_group" {
  name = "${var.prefix}-group"
  resource_query {
    query = templatefile("${path.module}/templates/resource-group.json", {
      environment = var.prefix
    })
  }
}