Merge pull request github-aws-runners#2331 from philips-labs/develop

chore: Release

.editorconfig

@@ -1,2 +1,13 @@
+# EditorConfig is awesome: https://EditorConfig.org
+
+# top-most EditorConfig file
+root = true
+
 [*]
+indent_style = space
+indent_size = 2
+tab_width = 2
 end_of_line = lf
+charset = utf-8
+trim_trailing_whitespace = true
+insert_final_newline = true

.vscode/extensions.json

@@ -5,7 +5,6 @@
     // Extension identifier format: ${publisher}.${name}. Example: vscode.csharp
     "editorconfig.editorconfig",
     "yzhang.markdown-all-in-one",
-    "sonarsource.sonarlint-vscode",
     "hashicorp.terraform"
   ]
 }

README.md

@@ -309,8 +309,7 @@ The example for [ephemeral runners](./examples/ephemeral) is based on the [defau
 
 ### Prebuilt Images
 
-This module also allows you to run agents from a prebuilt AMI to gain faster startup times. You can find more information in [the image README.md](/images/README.md)
-
+This module also allows you to run agents from a prebuilt AMI to gain faster startup times. You can find more information in [the image README.md](/images/README.md). When the GitHub runner is part of the AMI you can disable the binary syncer by setting `enable_runner_binaries_syncer = false`.
 
 ## Examples
 
@@ -407,6 +406,7 @@ In case the setup does not work as intended follow the trace of events:
 | <a name="input_enable_job_queued_check"></a> [enable\_job\_queued\_check](#input\_enable\_job\_queued\_check) | Only scale if the job event received by the scale up lambda is is in the state queued. By default enabled for non ephemeral runners and disabled for ephemeral. Set this variable to overwrite the default behavior. | `bool` | `null` | no |
 | <a name="input_enable_managed_runner_security_group"></a> [enable\_managed\_runner\_security\_group](#input\_enable\_managed\_runner\_security\_group) | Enabling the default managed security group creation. Unmanaged security groups can be specified via `runner_additional_security_group_ids`. | `bool` | `true` | no |
 | <a name="input_enable_organization_runners"></a> [enable\_organization\_runners](#input\_enable\_organization\_runners) | Register runners to organization, instead of repo level | `bool` | `false` | no |
+| <a name="input_enable_runner_binaries_syncer"></a> [enable\_runner\_binaries\_syncer](#input\_enable\_runner\_binaries\_syncer) | Option to disable the lambda to sync GitHub runner distribution, usefull when using a pre-build AMI. | `bool` | `true` | no |
 | <a name="input_enable_runner_detailed_monitoring"></a> [enable\_runner\_detailed\_monitoring](#input\_enable\_runner\_detailed\_monitoring) | Should detailed monitoring be enabled for the runner. Set this to true if you want to use detailed monitoring. See https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-cloudwatch-new.html for details. | `bool` | `false` | no |
 | <a name="input_enable_ssm_on_runners"></a> [enable\_ssm\_on\_runners](#input\_enable\_ssm\_on\_runners) | Enable to allow access the runner instances for debugging purposes via SSM. Note that this adds additional permissions to the runner instances. | `bool` | `false` | no |
 | <a name="input_enabled_userdata"></a> [enabled\_userdata](#input\_enabled\_userdata) | Should the userdata script be enabled for the runner. Set this to false if you are using your own prebuilt AMI. | `bool` | `true` | no |

examples/prebuilt/README.md

@@ -1,6 +1,9 @@
 # Action runners deployment with prebuilt image
 
-This module shows how to create GitHub action runners using a prebuilt AMI for the runners
+This module shows how to create GitHub action runners using a prebuilt AMI for the runners.
+
+- Configured to run with org level runners.
+- GitHub runner binary syncer is not deployed.
 
 ## Usages
 
@@ -56,7 +59,7 @@ module "runners" {
   ...
   # set the name of the ami to use
   ami_filter        = { name = ["github-runner-amzn2-x86_64-2021*"] }
-  # provide the owner id of 
+  # provide the owner id of
   ami_owners        = ["<your owner id>"]
 
   enabled_userdata = false

examples/prebuilt/main.tf

@@ -15,7 +15,8 @@ module "runners" {
   vpc_id                          = module.vpc.vpc_id
   subnet_ids                      = module.vpc.private_subnets
 
-  prefix = local.environment
+  prefix                      = local.environment
+  enable_organization_runners = false
 
   github_app = {
     key_base64     = var.github_app_key_base64
@@ -36,6 +37,9 @@ module "runners" {
   ami_filter       = { name = [var.ami_name_filter] }
   ami_owners       = [data.aws_caller_identity.current.account_id]
 
+  # disable binary syncer since github agent is already installed in the AMI.
+  enable_runner_binaries_syncer = false
+
   # enable access to the runners via SSM
   enable_ssm_on_runners = true
 

examples/prebuilt/outputs.tf

@@ -1,9 +1,3 @@
-output "runners" {
-  value = {
-    lambda_syncer_name = module.runners.binaries_syncer.lambda.function_name
-  }
-}
-
 output "webhook_endpoint" {
   value = module.runners.webhook.endpoint
 }

examples/ubuntu/main.tf

@@ -46,7 +46,7 @@ module "runners" {
   ami_owners        = ["099720109477"] # Canonical's Amazon account ID
 
   ami_filter = {
-    name = ["ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-*"]
+    name = ["ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-*"]
   }
 
   # Custom build AMI, no custom userdata needed.

examples/ubuntu/templates/user-data.sh

@@ -7,13 +7,14 @@ ${pre_install}
 apt-get update
 DEBIAN_FRONTEND=noninteractive apt-get install -y \
     awscli \
-    jq \
+    build-essential \
     curl \
-    wget \
     git \
+    iptables \
+    jq \
     uidmap \
-    build-essential \
-    unzip
+    unzip \
+    wget
 
 user_name=ubuntu
 user_id=$(id -ru $user_name)
@@ -43,16 +44,16 @@ WantedBy=default.target
 
 EOF
 
-echo export XDG_RUNTIME_DIR=/run/user/$user_id >>/home/$user_name/.profile
+echo export XDG_RUNTIME_DIR=/run/user/$user_id >>/home/$user_name/.bashrc
 
 systemctl daemon-reload
 systemctl enable [email protected]
 systemctl start [email protected]
 
 curl -fsSL https://get.docker.com/rootless >>/opt/rootless.sh && chmod 755 /opt/rootless.sh
 su -l $user_name -c /opt/rootless.sh
-echo export DOCKER_HOST=unix:///run/user/$user_id/docker.sock >>/home/$user_name/.profile
-echo export PATH=/home/$user_name/bin:$PATH >>/home/$user_name/.profile
+echo export DOCKER_HOST=unix:///run/user/$user_id/docker.sock >>/home/$user_name/.bashrc
+echo export PATH=/home/$user_name/bin:$PATH >>/home/$user_name/.bashrc
 
 # Run docker service by default
 loginctl enable-linger $user_name

images/linux-amzn2/github_agent.linux.pkr.hcl

@@ -10,7 +10,7 @@ packer {
 variable "runner_version" {
   description = "The version (no v prefix) of the runner software to install https://github.com/actions/runner/releases"
   type        = string
-  default     = "2.286.1"
+  default     = "2.295.0"
 }
 
 variable "region" {

main.tf

@@ -3,7 +3,6 @@ locals {
     "ghr:environment" = var.prefix
   })
 
-  s3_action_runner_url = "s3://${module.runner_binaries.bucket.id}/${module.runner_binaries.runner_distribution_object_key}"
   github_app_parameters = {
     id         = module.ssm.parameters.github_app_id
     key_base64 = module.ssm.parameters.github_app_key_base64
@@ -134,8 +133,11 @@ module "runners" {
   prefix        = var.prefix
   tags          = local.tags
 
-  s3_bucket_runner_binaries   = module.runner_binaries.bucket
-  s3_location_runner_binaries = local.s3_action_runner_url
+  s3_runner_binaries = var.enable_runner_binaries_syncer ? {
+    arn = module.runner_binaries[0].bucket.arn
+    id  = module.runner_binaries[0].bucket.id
+    key = module.runner_binaries[0].runner_distribution_object_key
+  } : null
 
   runner_os                     = var.runner_os
   instance_types                = var.instance_types
@@ -169,6 +171,7 @@ module "runners" {
   runner_additional_security_group_ids = var.runner_additional_security_group_ids
   metadata_options                     = var.runner_metadata_options
 
+  enable_runner_binaries_syncer    = var.enable_runner_binaries_syncer
   lambda_s3_bucket                 = var.lambda_s3_bucket
   runners_lambda_s3_key            = var.runners_lambda_s3_key
   runners_lambda_s3_object_version = var.runners_lambda_s3_object_version
@@ -218,6 +221,8 @@ module "runners" {
 }
 
 module "runner_binaries" {
+  count = var.enable_runner_binaries_syncer ? 1 : 0
+
   source = "./modules/runner-binaries-syncer"
 
   aws_region = var.aws_region

modules/runner-binaries-syncer/lambdas/runner-binaries-syncer/package.json

@@ -18,12 +18,12 @@
     "@octokit/rest": "^19.0.3",
     "@trivago/prettier-plugin-sort-imports": "^3.3.0",
     "@types/jest": "^27.5.0",
-    "@types/node": "^18.6.3",
+    "@types/node": "^18.6.5",
     "@types/request": "^2.48.8",
     "@typescript-eslint/eslint-plugin": "^4.33.0",
     "@typescript-eslint/parser": "^4.33.0",
     "@vercel/ncc": "^0.34.0",
-    "aws-sdk": "^2.1187.0",
+    "aws-sdk": "^2.1194.0",
     "eslint": "^7.32.0",
     "eslint-plugin-prettier": "4.2.1",
     "jest": "^27.5.1",

modules/runner-binaries-syncer/lambdas/runner-binaries-syncer/yarn.lock

@@ -982,10 +982,10 @@
   resolved "https://registry.yarnpkg.com/@types/json-schema/-/json-schema-7.0.9.tgz#97edc9037ea0c38585320b28964dde3b39e4660d"
   integrity sha512-qcUXuemtEu+E5wZSJHNxUXeCZhAfXKQ41D+duX+VYPde7xyEVZci+/oXKJL13tnRs9lR2pr4fod59GT6/X1/yQ==
 
-"@types/node@*", "@types/node@^18.6.3":
-  version "18.6.3"
-  resolved "https://registry.yarnpkg.com/@types/node/-/node-18.6.3.tgz#4e4a95b6fe44014563ceb514b2598b3e623d1c98"
-  integrity sha512-6qKpDtoaYLM+5+AFChLhHermMQxc3TOEFIDzrZLPRGHPrLEwqFkkT5Kx3ju05g6X7uDPazz3jHbKPX0KzCjntg==
+"@types/node@*", "@types/node@^18.6.5":
+  version "18.6.5"
+  resolved "https://registry.yarnpkg.com/@types/node/-/node-18.6.5.tgz#06caea822caf9e59d5034b695186ee74154d2802"
+  integrity sha512-Xjt5ZGUa5WusGZJ4WJPbOT8QOqp6nDynVFRKcUt32bOgvXEoc6o085WNkYTMO7ifAj2isEfQQ2cseE+wT6jsRw==
 
 "@types/prettier@^2.1.5":
   version "2.4.2"
@@ -1262,10 +1262,10 @@ available-typed-arrays@^1.0.5:
   resolved "https://registry.yarnpkg.com/available-typed-arrays/-/available-typed-arrays-1.0.5.tgz#92f95616501069d07d10edb2fc37d3e1c65123b7"
   integrity sha512-DMD0KiN46eipeziST1LPP/STfDU0sufISXmjSgvVsoU2tqxctQeASejWcfNtxYKqETM1UxQ8sp2OrSBWpHY6sw==
 
-aws-sdk@^2.1187.0:
-  version "2.1187.0"
-  resolved "https://registry.yarnpkg.com/aws-sdk/-/aws-sdk-2.1187.0.tgz#eb928d64305630f53b8f6dad5c7b91fec8f04622"
-  integrity sha512-QcxQ3asIhH9QQnN/5JO3MaHRjwcy3/AsBzcAjPU+lHZGV0drnuDmg3ZkZuAa/mOgQ3MEi68G3gYD+481QJgnMg==
+aws-sdk@^2.1194.0:
+  version "2.1194.0"
+  resolved "https://registry.yarnpkg.com/aws-sdk/-/aws-sdk-2.1194.0.tgz#6a820684fa3f58ea40caf90d302414a23df7c308"
+  integrity sha512-wbgib7r7sHPkZIhqSMduueKYqe+DrFyxsKnUKHj6hdNcRKqEeqzvKp4olWmFs/3z3qU8+g78kBXr9rujvko1ug==
   dependencies:
     buffer "4.9.2"
     events "1.1.1"

modules/runners/README.md

@@ -127,6 +127,7 @@ yarn run dist
 | <a name="input_enable_job_queued_check"></a> [enable\_job\_queued\_check](#input\_enable\_job\_queued\_check) | Only scale if the job event received by the scale up lambda is is in the state queued. By default enabled for non ephemeral runners and disabled for ephemeral. Set this variable to overwrite the default behavior. | `bool` | `null` | no |
 | <a name="input_enable_managed_runner_security_group"></a> [enable\_managed\_runner\_security\_group](#input\_enable\_managed\_runner\_security\_group) | Enabling the default managed security group creation. Unmanaged security groups can be specified via `runner_additional_security_group_ids`. | `bool` | `true` | no |
 | <a name="input_enable_organization_runners"></a> [enable\_organization\_runners](#input\_enable\_organization\_runners) | n/a | `bool` | n/a | yes |
+| <a name="input_enable_runner_binaries_syncer"></a> [enable\_runner\_binaries\_syncer](#input\_enable\_runner\_binaries\_syncer) | Option to disable the lambda to sync GitHub runner distribution, usefull when using a pre-build AMI. | `bool` | `true` | no |
 | <a name="input_enable_runner_detailed_monitoring"></a> [enable\_runner\_detailed\_monitoring](#input\_enable\_runner\_detailed\_monitoring) | Enable detailed monitoring for runners | `bool` | `false` | no |
 | <a name="input_enable_ssm_on_runners"></a> [enable\_ssm\_on\_runners](#input\_enable\_ssm\_on\_runners) | Enable to allow access to the runner instances for debugging purposes via SSM. Note that this adds additional permissions to the runner instances. | `bool` | n/a | yes |
 | <a name="input_enabled_userdata"></a> [enabled\_userdata](#input\_enabled\_userdata) | Should the userdata script be enabled for the runner. Set this to false if you are using your own prebuilt AMI | `bool` | `true` | no |
@@ -180,8 +181,7 @@ yarn run dist
 | <a name="input_runners_lambda_s3_key"></a> [runners\_lambda\_s3\_key](#input\_runners\_lambda\_s3\_key) | S3 key for runners lambda function. Required if using S3 bucket to specify lambdas. | `any` | `null` | no |
 | <a name="input_runners_lambda_s3_object_version"></a> [runners\_lambda\_s3\_object\_version](#input\_runners\_lambda\_s3\_object\_version) | S3 object version for runners lambda function. Useful if S3 versioning is enabled on source bucket. | `any` | `null` | no |
 | <a name="input_runners_maximum_count"></a> [runners\_maximum\_count](#input\_runners\_maximum\_count) | The maximum number of runners that will be created. | `number` | `3` | no |
-| <a name="input_s3_bucket_runner_binaries"></a> [s3\_bucket\_runner\_binaries](#input\_s3\_bucket\_runner\_binaries) | n/a | <pre>object({<br>    arn = string<br>  })</pre> | n/a | yes |
-| <a name="input_s3_location_runner_binaries"></a> [s3\_location\_runner\_binaries](#input\_s3\_location\_runner\_binaries) | S3 location of runner distribution. | `string` | n/a | yes |
+| <a name="input_s3_runner_binaries"></a> [s3\_runner\_binaries](#input\_s3\_runner\_binaries) | Bucket details for cached GitHub binary. | <pre>object({<br>    arn = string<br>    id  = string<br>    key = string<br>  })</pre> | n/a | yes |
 | <a name="input_scale_down_schedule_expression"></a> [scale\_down\_schedule\_expression](#input\_scale\_down\_schedule\_expression) | Scheduler expression to check every x for scale down. | `string` | `"cron(*/5 * * * ? *)"` | no |
 | <a name="input_scale_up_reserved_concurrent_executions"></a> [scale\_up\_reserved\_concurrent\_executions](#input\_scale\_up\_reserved\_concurrent\_executions) | Amount of reserved concurrent executions for the scale-up lambda function. A value of 0 disables lambda from being triggered and -1 removes any concurrency limitations. | `number` | `1` | no |
 | <a name="input_sqs_build_queue"></a> [sqs\_build\_queue](#input\_sqs\_build\_queue) | SQS queue to consume accepted build events. | <pre>object({<br>    arn = string<br>  })</pre> | n/a | yes |

modules/runners/main.tf

@@ -122,11 +122,10 @@ resource "aws_launch_template" "runner" {
     )
   }
 
-
   user_data = var.enabled_userdata ? base64encode(templatefile(local.userdata_template, {
     pre_install = var.userdata_pre_install
     install_runner = templatefile(local.userdata_install_runner[var.runner_os], {
-      S3_LOCATION_RUNNER_DISTRIBUTION = var.s3_location_runner_binaries
+      S3_LOCATION_RUNNER_DISTRIBUTION = var.enable_runner_binaries_syncer ? "s3://${var.s3_runner_binaries.id}/${var.s3_runner_binaries.key}" : ""
       RUNNER_ARCHITECTURE             = var.runner_architecture
     })
     post_install    = var.userdata_post_install

modules/runners/policies-runner.tf

@@ -33,11 +33,13 @@ resource "aws_iam_role_policy" "ssm_parameters" {
 }
 
 resource "aws_iam_role_policy" "dist_bucket" {
+  count = var.enable_runner_binaries_syncer ? 1 : 0
+
   name = "distribution-bucket"
   role = aws_iam_role.runner.name
   policy = templatefile("${path.module}/policies/instance-s3-policy.json",
     {
-      s3_arn = var.s3_bucket_runner_binaries.arn
+      s3_arn = "${var.s3_runner_binaries.arn}/${var.s3_runner_binaries.key}"
     }
   )
 }

modules/runners/policies/instance-s3-policy.json

@@ -5,7 +5,7 @@
       "Sid": "githubActionDist",
       "Effect": "Allow",
       "Action": ["s3:GetObject", "s3:GetObjectAcl"],
-      "Resource": ["${s3_arn}/*"]
+      "Resource": ["${s3_arn}"]
     }
   ]
 }

modules/runners/variables.tf

@@ -46,17 +46,15 @@ variable "prefix" {
   default     = "github-actions"
 }
 
-variable "s3_bucket_runner_binaries" {
+variable "s3_runner_binaries" {
+  description = "Bucket details for cached GitHub binary."
   type = object({
     arn = string
+    id  = string
+    key = string
   })
 }
 
-variable "s3_location_runner_binaries" {
-  description = "S3 location of runner distribution."
-  type        = string
-}
-
 variable "block_device_mappings" {
   description = "The EC2 instance block device configuration. Takes the following keys: `device_name`, `delete_on_termination`, `volume_type`, `volume_size`, `encrypted`, `iops`, `throughput`, `kms_key_id`, `snapshot_id`."
   type = list(object({
@@ -566,4 +564,10 @@ variable "lambda_architecture" {
     condition     = contains(["arm64", "x86_64"], var.lambda_architecture)
     error_message = "`lambda_architecture` value is not valid, valid values are: `arm64` and `x86_64`."
   }
-}
+}
+
+variable "enable_runner_binaries_syncer" {
+  description = "Option to disable the lambda to sync GitHub runner distribution, usefull when using a pre-build AMI."
+  type        = bool
+  default     = true
+}

modules/webhook/lambdas/webhook/package.json

@@ -21,11 +21,11 @@
     "@types/aws-lambda": "^8.10.101",
     "@types/express": "^4.17.11",
     "@types/jest": "^27.5.0",
-    "@types/node": "^18.6.3",
+    "@types/node": "^18.7.2",
     "@typescript-eslint/eslint-plugin": "^4.33.0",
     "@typescript-eslint/parser": "^4.33.0",
     "@vercel/ncc": "0.34.0",
-    "aws-sdk": "^2.1187.0",
+    "aws-sdk": "^2.1194.0",
     "body-parser": "^1.20.0",
     "eslint": "^7.32.0",
     "eslint-plugin-prettier": "4.2.1",
@@ -39,9 +39,9 @@
     "typescript": "^4.7.4"
   },
   "dependencies": {
-    "@aws-sdk/client-ssm": "^3.138.0",
+    "@aws-sdk/client-ssm": "^3.145.0",
     "@octokit/rest": "^19.0.3",
-    "@octokit/webhooks": "^10.0.9",
+    "@octokit/webhooks": "^10.1.0",
     "aws-lambda": "^1.0.7",
     "tslog": "^3.3.3"
   }