Ana Sayfa Keşfet Yardım
Üye Ol Giriş Yap
AFS
/
xdr-terraform-modules
2
0
Çatalla 0
Dosyalar Sorunlar 0 Değişiklik İstekleri 0 Wiki
Ağaç: b7b5ad1706
Dallar Biçim İmleri
xdr-terraform-m...
/
thirdparty
/
terraform-aws-github-runner
/
modules
/
runners
/
main.tf

main.tf 6.1 KB
Geçmiş Ham

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183 
  1. locals {
    2. 

  2.   tags = merge(
    3. 

  3.     {
    4. 

  4.       "Name" = format("%s-action-runner", var.prefix)
    5. 

  5.     },
    6. 

  6.     var.tags,
    7. 

  7.   )
    8. 

  8. 

  9.   name_sg               = var.overrides["name_sg"] == "" ? local.tags["Name"] : var.overrides["name_sg"]
    10. 

  10.   name_runner           = var.overrides["name_runner"] == "" ? local.tags["Name"] : var.overrides["name_runner"]
    11. 

  11.   role_path             = var.role_path == null ? "/${var.prefix}/" : var.role_path
    12. 

  12.   instance_profile_path = var.instance_profile_path == null ? "/${var.prefix}/" : var.instance_profile_path
    13. 

  13.   lambda_zip            = var.lambda_zip == null ? "${path.module}/lambdas/runners/runners.zip" : var.lambda_zip
    14. 

  14.   userdata_template     = var.userdata_template == null ? local.default_userdata_template[var.runner_os] : var.userdata_template
    15. 

  15.   kms_key_arn           = var.kms_key_arn != null ? var.kms_key_arn : ""
    16. 

  16. 

  17.   default_ami = {
    18. 

  18.     "windows" = { name = ["Windows_Server-20H2-English-Core-ContainersLatest-*"] }
    19. 

  19.     "linux"   = var.runner_architecture == "arm64" ? { name = ["amzn2-ami-kernel-5.*-hvm-*-arm64-gp2"] } : { name = ["amzn2-ami-kernel-5.*-hvm-*-x86_64-gp2"] }
    20. 

  20.   }
    21. 

  21. 

  22.   default_userdata_template = {
    23. 

  23.     "windows" = "${path.module}/templates/user-data.ps1"
    24. 

  24.     "linux"   = "${path.module}/templates/user-data.sh"
    25. 

  25.   }
    26. 

  26. 

  27.   userdata_install_runner = {
    28. 

  28.     "windows" = "${path.module}/templates/install-runner.ps1"
    29. 

  29.     "linux"   = "${path.module}/templates/install-runner.sh"
    30. 

  30.   }
    31. 

  31. 

  32.   userdata_start_runner = {
    33. 

  33.     "windows" = "${path.module}/templates/start-runner.ps1"
    34. 

  34.     "linux"   = "${path.module}/templates/start-runner.sh"
    35. 

  35.   }
    36. 

  36. 

  37.   ami_filter = coalesce(var.ami_filter, local.default_ami[var.runner_os])
    38. 

  38. 

  39.   enable_job_queued_check = var.enable_job_queued_check == null ? !var.enable_ephemeral_runners : var.enable_job_queued_check
    40. 

  40. }
    41. 

  41. 

  42. data "aws_ami" "runner" {
    43. 

  43.   most_recent = "true"
    44. 

  44. 

  45.   dynamic "filter" {
    46. 

  46.     for_each = local.ami_filter
    47. 

  47.     content {
    48. 

  48.       name   = filter.key
    49. 

  49.       values = filter.value
    50. 

  50.     }
    51. 

  51.   }
    52. 

  52. 

  53.   owners = var.ami_owners
    54. 

  54. }
    55. 

  55. 

  56. # tfsec:ignore:aws-ec2-enforce-http-token-imds Saltstack doesn't use s3 sources appropriately; see https://github.com/saltstack/salt/issues/60668
    57. 

  57. resource "aws_launch_template" "runner" {
    58. 

  58.   # checkov:skip=CKV_AWS_79: see tfsec explanation
    59. 

  59.   name = "${var.prefix}-action-runner"
    60. 

  60. 

  61.   dynamic "block_device_mappings" {
    62. 

  62.     for_each = var.block_device_mappings != null ? var.block_device_mappings : []
    63. 

  63.     content {
    64. 

  64.       device_name = block_device_mappings.value.device_name
    65. 

  65. 

  66.       ebs {
    67. 

  67.         delete_on_termination = block_device_mappings.value.delete_on_termination
    68. 

  68.         volume_type           = block_device_mappings.value.volume_type
    69. 

  69.         volume_size           = block_device_mappings.value.volume_size
    70. 

  70.         encrypted             = block_device_mappings.value.encrypted
    71. 

  71.         iops                  = block_device_mappings.value.iops
    72. 

  72.       }
    73. 

  73.     }
    74. 

  74.   }
    75. 

  75. 

  76.   dynamic "metadata_options" {
    77. 

  77.     for_each = var.metadata_options != null ? [var.metadata_options] : []
    78. 

  78. 

  79.     content {
    80. 

  80.       http_endpoint               = metadata_options.value.http_endpoint
    81. 

  81.       http_tokens                 = metadata_options.value.http_tokens
    82. 

  82.       http_put_response_hop_limit = metadata_options.value.http_put_response_hop_limit
    83. 

  83.     }
    84. 

  84.   }
    85. 

  85. 

  86.   monitoring {
    87. 

  87.     enabled = var.enable_runner_detailed_monitoring
    88. 

  88.   }
    89. 

  89. 

  90.   iam_instance_profile {
    91. 

  91.     name = aws_iam_instance_profile.runner.name
    92. 

  92.   }
    93. 

  93. 

  94.   instance_initiated_shutdown_behavior = "terminate"
    95. 

  95.   image_id                             = data.aws_ami.runner.id
    96. 

  96.   key_name                             = var.key_name
    97. 

  97. 

  98.   vpc_security_group_ids = compact(concat(
    99. 

  99.     var.enable_managed_runner_security_group ? [aws_security_group.runner_sg[0].id] : [],
    100. 

  100.     var.runner_additional_security_group_ids,
    101. 

  101.   ))
    102. 

  102. 

  103.   tag_specifications {
    104. 

  104.     resource_type = "instance"
    105. 

  105.     tags = merge(
    106. 

  106.       local.tags,
    107. 

  107.       {
    108. 

  108.         "Name" = format("%s", local.name_runner)
    109. 

  109.       },
    110. 

  110.       var.runner_ec2_tags
    111. 

  111.     )
    112. 

  112.   }
    113. 

  113. 

  114.   tag_specifications {
    115. 

  115.     resource_type = "volume"
    116. 

  116.     tags = merge(
    117. 

  117.       local.tags,
    118. 

  118.       {
    119. 

  119.         "Name" = format("%s", local.name_runner)
    120. 

  120.       },
    121. 

  121.     )
    122. 

  122.   }
    123. 

  123. 

  124. 

  125.   user_data = var.enabled_userdata ? base64encode(templatefile(local.userdata_template, {
    126. 

  126.     pre_install = var.userdata_pre_install
    127. 

  127.     install_runner = templatefile(local.userdata_install_runner[var.runner_os], {
    128. 

  128.       S3_LOCATION_RUNNER_DISTRIBUTION = var.s3_location_runner_binaries
    129. 

  129.       RUNNER_ARCHITECTURE             = var.runner_architecture
    130. 

  130.     })
    131. 

  131.     post_install    = var.userdata_post_install
    132. 

  132.     start_runner    = templatefile(local.userdata_start_runner[var.runner_os], {})
    133. 

  133.     ghes_url        = var.ghes_url
    134. 

  134.     ghes_ssl_verify = var.ghes_ssl_verify
    135. 

  135.     ## retain these for backwards compatibility
    136. 

  136.     environment                     = var.prefix
    137. 

  137.     enable_cloudwatch_agent         = var.enable_cloudwatch_agent
    138. 

  138.     ssm_key_cloudwatch_agent_config = var.enable_cloudwatch_agent ? aws_ssm_parameter.cloudwatch_agent_config_runner[0].name : ""
    139. 

  139.   })) : ""
    140. 

  140. 

  141.   tags = local.tags
    142. 

  142. 

  143.   update_default_version = true
    144. 

  144. }
    145. 

  145. 

  146. #----------------------------------------------------------------------------
    147. 

  147. # GH Actions Security Group
    148. 

  148. #----------------------------------------------------------------------------
    149. 

  149. # tfsec:ignore:aws-ec2-no-public-egress-sgr GH runner requires /0 egress access
    150. 

  150. resource "aws_security_group" "runner_sg" {
    151. 

  151.   count       = var.enable_managed_runner_security_group ? 1 : 0
    152. 

  152.   name_prefix = "${var.prefix}-github-actions-runner-sg"
    153. 

  153.   description = "Github Actions Runner security group"
    154. 

  154. 

  155.   vpc_id = var.vpc_id
    156. 

  156. 

  157. #----------------------------------------------------------------------------
    158. 

  158. # EGRESS
    159. 

  159. #----------------------------------------------------------------------------
    160. 

  160.   dynamic "egress" {
    161. 

  161.     for_each = var.egress_rules
    162. 

  162.     iterator = each
    163. 

  163. 

  164.     content {
    165. 

  165.       cidr_blocks      = each.value.cidr_blocks
    166. 

  166.       ipv6_cidr_blocks = each.value.ipv6_cidr_blocks
    167. 

  167.       prefix_list_ids  = each.value.prefix_list_ids
    168. 

  168.       from_port        = each.value.from_port
    169. 

  169.       protocol         = each.value.protocol
    170. 

  170.       security_groups  = each.value.security_groups
    171. 

  171.       self             = each.value.self
    172. 

  172.       to_port          = each.value.to_port
    173. 

  173.       description      = each.value.description
    174. 

  174.     }
    175. 

  175.   }
    176. 

  176. 

  177.   tags = merge(
    178. 

  178.     local.tags,
    179. 

  179.     {
    180. 

  180.       "Name" = format("%s", local.name_sg)
    181. 

  181.     },
    182. 

  182.   )
    183. 

  183. }
    184.