Merge pull request philips-labs#2518 from philips-labs/develop

chore: Release

MAINTAINERS.md

@@ -1,2 +1,3 @@
-Gertjan Maas <gertjan.maas@philips.com>
+Navdeep Gupta <navdeep.gupta@philips.com>
 Niek Palm <[email protected]>
+Scott Guymer <[email protected]>

README.md

@@ -26,6 +26,7 @@ This [Terraform](https://www.terraform.io/) module creates the required infrastr
 - [Sub modules](#sub-modules)
   - [ARM64 configuration for submodules](#arm64-configuration-for-submodules)
 - [Debugging](#debugging)
+- [Security Consideration](#security-consideration)
 - [Requirements](#requirements)
 - [Providers](#providers)
 - [Modules](#modules)
@@ -352,6 +353,14 @@ In case the setup does not work as intended follow the trace of events:
 - Once an EC2 instance is running, you can connect to it in the EC2 user interface using Session Manager (use `enable_ssm_on_runners = true`). Check the user data script using `cat /var/log/user-data.log`. By default several log files of the instances are streamed to AWS CloudWatch, look for a log group named `<environment>/runners`. In the log group you should see at least the log streams for the user data installation and runner agent.
 - Registered instances should show up in the Settings - Actions page of the repository or organization (depending on the installation mode).
 
+## Security Consideration
+
+This module creates resources in your AWS infrastructure, and EC2 instances for hosting the self-hosted runners on-demand. IAM permissions are set to a minimal level, and could be further limit by using permission boundaries. Instances permissions are limit to retrieve and delete the registration token, access the instance own tags, and terminate the instance itself.
+
+The examples are using standard AMI's for different operation systems. Instances are not hardened, and sudo operation are not blocked. To provide an out of the box working expierence by default the module installs and configure the runner. However secrets are not hard coded, they finally end up in the memory of the instances. You can harden the instance by providing your own AMI and overwriting the cloud-init script.
+
+We welcome any improvement to the standard module to make the default as secure as possible, in the end it remains your responsibility to keep your environment secure.
+
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 ## Requirements
 
@@ -380,7 +389,6 @@ In case the setup does not work as intended follow the trace of events:
 
 | Name | Type |
 |------|------|
-| [aws_resourcegroups_group.resourcegroups_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/resourcegroups_group) | resource |
 | [aws_sqs_queue.queued_builds](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue) | resource |
 | [aws_sqs_queue.queued_builds_dlq](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue) | resource |
 | [aws_sqs_queue_policy.build_queue_dlq_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue_policy) | resource |
@@ -409,6 +417,7 @@ In case the setup does not work as intended follow the trace of events:
 | <a name="input_enable_runner_binaries_syncer"></a> [enable\_runner\_binaries\_syncer](#input\_enable\_runner\_binaries\_syncer) | Option to disable the lambda to sync GitHub runner distribution, useful when using a pre-build AMI. | `bool` | `true` | no |
 | <a name="input_enable_runner_detailed_monitoring"></a> [enable\_runner\_detailed\_monitoring](#input\_enable\_runner\_detailed\_monitoring) | Should detailed monitoring be enabled for the runner. Set this to true if you want to use detailed monitoring. See https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-cloudwatch-new.html for details. | `bool` | `false` | no |
 | <a name="input_enable_ssm_on_runners"></a> [enable\_ssm\_on\_runners](#input\_enable\_ssm\_on\_runners) | Enable to allow access the runner instances for debugging purposes via SSM. Note that this adds additional permissions to the runner instances. | `bool` | `false` | no |
+| <a name="input_enable_user_data_debug_logging_runner"></a> [enable\_user\_data\_debug\_logging\_runner](#input\_enable\_user\_data\_debug\_logging\_runner) | Option to enable debug logging for user-data, this logs all secrets as well. | `bool` | `false` | no |
 | <a name="input_enabled_userdata"></a> [enabled\_userdata](#input\_enabled\_userdata) | Should the userdata script be enabled for the runner. Set this to false if you are using your own prebuilt AMI. | `bool` | `true` | no |
 | <a name="input_environment"></a> [environment](#input\_environment) | A name that identifies the environment, used as prefix and for tagging. | `string` | `null` | no |
 | <a name="input_fifo_build_queue"></a> [fifo\_build\_queue](#input\_fifo\_build\_queue) | Enable a FIFO queue to remain the order of events received by the webhook. Suggest to set to true for repo level runners. | `bool` | `false` | no |
@@ -451,9 +460,9 @@ In case the setup does not work as intended follow the trace of events:
 | <a name="input_runner_allow_prerelease_binaries"></a> [runner\_allow\_prerelease\_binaries](#input\_runner\_allow\_prerelease\_binaries) | (Deprecated, no longer used), allow the runners to update to prerelease binaries. | `bool` | `null` | no |
 | <a name="input_runner_architecture"></a> [runner\_architecture](#input\_runner\_architecture) | The platform architecture of the runner instance\_type. | `string` | `"x64"` | no |
 | <a name="input_runner_as_root"></a> [runner\_as\_root](#input\_runner\_as\_root) | Run the action runner under the root user. Variable `runner_run_as` will be ignored. | `bool` | `false` | no |
+| <a name="input_runner_binaries_s3_logging_bucket"></a> [runner\_binaries\_s3\_logging\_bucket](#input\_runner\_binaries\_s3\_logging\_bucket) | Bucket for action runner distribution bucket access logging. | `string` | `null` | no |
+| <a name="input_runner_binaries_s3_logging_bucket_prefix"></a> [runner\_binaries\_s3\_logging\_bucket\_prefix](#input\_runner\_binaries\_s3\_logging\_bucket\_prefix) | Bucket prefix for action runner distribution bucket access logging. | `string` | `null` | no |
 | <a name="input_runner_binaries_s3_sse_configuration"></a> [runner\_binaries\_s3\_sse\_configuration](#input\_runner\_binaries\_s3\_sse\_configuration) | Map containing server-side encryption configuration for runner-binaries S3 bucket. | `any` | `{}` | no |
-| <a name="input_runner_binaries_s3_logging_bucket"></a> [runner\_binaries\_s3\_logging\_bucket](#input\_runner\_binaries\_s3\_logging\_bucket)                                   | Bucket for action runner distribution bucket access logging. | `string` | `null` | no |
-| <a name="input_runner_binaries_s3_logging_bucket_prefix"></a> [runner\_binaries\_s3\_logging\_bucket\_prefix](#input\_runner\_binaries\_s3\logging\_bucket\_prefix)             | Bucket prefix for action runner distribution bucket access logging. | `string` | `null` | no |
 | <a name="input_runner_binaries_syncer_lambda_timeout"></a> [runner\_binaries\_syncer\_lambda\_timeout](#input\_runner\_binaries\_syncer\_lambda\_timeout) | Time out of the binaries sync lambda in seconds. | `number` | `300` | no |
 | <a name="input_runner_binaries_syncer_lambda_zip"></a> [runner\_binaries\_syncer\_lambda\_zip](#input\_runner\_binaries\_syncer\_lambda\_zip) | File location of the binaries sync lambda zip file. | `string` | `null` | no |
 | <a name="input_runner_boot_time_in_minutes"></a> [runner\_boot\_time\_in\_minutes](#input\_runner\_boot\_time\_in\_minutes) | The minimum time for an EC2 runner to boot and register as a runner. | `number` | `5` | no |

examples/base/main.tf

@@ -0,0 +1,8 @@
+resource "aws_resourcegroups_group" "resourcegroups_group" {
+  name = "${var.prefix}-group"
+  resource_query {
+    query = templatefile("${path.module}/templates/resource-group.json", {
+      example = var.prefix
+    })
+  }
+}

examples/base/outputs.tf

@@ -0,0 +1,3 @@
+output "vpc" {
+  value = module.vpc
+}

templates/resource-group.json → examples/base/templates/resource-group.json

@@ -2,8 +2,8 @@
   "ResourceTypeFilters": ["AWS::AllSupported"],
   "TagFilters": [
     {
-      "Key": "Environment",
-      "Values": ["${environment}"]
+      "Key": "Example",
+      "Values": ["${example}"]
     }
   ]
 }

examples/base/variables.tf

@@ -0,0 +1,9 @@
+variable "prefix" {
+  description = "Prefix used for resource naming."
+  type        = string
+}
+
+variable "aws_region" {
+  description = "AWS region to create the VPC, assuming zones `a` and `b` exists."
+  type        = string
+}

examples/base/vpc.tf

@@ -0,0 +1,16 @@
+module "vpc" {
+  source  = "terraform-aws-modules/vpc/aws"
+  version = "3.16.0"
+
+  name = "${var.prefix}-vpc"
+  cidr = "10.0.0.0/16"
+
+  azs             = ["${var.aws_region}a", "${var.aws_region}b"]
+  private_subnets = ["10.0.1.0/24", "10.0.2.0/24"]
+  public_subnets  = ["10.0.101.0/24", "10.0.102.0/24"]
+
+  enable_dns_hostnames    = true
+  enable_nat_gateway      = true
+  map_public_ip_on_launch = false
+  single_nat_gateway      = true
+}

examples/default/main.tf

@@ -7,17 +7,19 @@ resource "random_id" "random" {
   byte_length = 20
 }
 
+module "base" {
+  source = "../base"
 
-################################################################################
-### Hybrid account
-################################################################################
+  prefix     = local.environment
+  aws_region = local.aws_region
+}
 
 module "runners" {
   source                          = "../../"
   create_service_linked_role_spot = true
   aws_region                      = local.aws_region
-  vpc_id                          = module.vpc.vpc_id
-  subnet_ids                      = module.vpc.private_subnets
+  vpc_id                          = module.base.vpc.vpc_id
+  subnet_ids                      = module.base.vpc.private_subnets
 
   prefix = local.environment
   tags = {

examples/default/providers.tf

@@ -1,3 +1,9 @@
 provider "aws" {
   region = local.aws_region
+
+  default_tags {
+    tags = {
+      Example = local.environment
+    }
+  }
 }

examples/ephemeral/main.tf

@@ -9,12 +9,20 @@ resource "random_id" "random" {
 
 data "aws_caller_identity" "current" {}
 
+
+module "base" {
+  source = "../base"
+
+  prefix     = local.environment
+  aws_region = local.aws_region
+}
+
 module "runners" {
   source                          = "../../"
   create_service_linked_role_spot = true
   aws_region                      = local.aws_region
-  vpc_id                          = module.vpc.vpc_id
-  subnet_ids                      = module.vpc.private_subnets
+  vpc_id                          = module.base.vpc.vpc_id
+  subnet_ids                      = module.base.vpc.private_subnets
 
   prefix = local.environment
   tags = {

examples/ephemeral/providers.tf

@@ -1,3 +1,8 @@
 provider "aws" {
   region = local.aws_region
+  default_tags {
+    tags = {
+      Example = local.environment
+    }
+  }
 }

examples/prebuilt/main.tf

@@ -1,5 +1,6 @@
 locals {
   environment = "prebuilt"
+  aws_region  = "eu-west-1"
 }
 
 resource "random_id" "random" {
@@ -8,12 +9,19 @@ resource "random_id" "random" {
 
 data "aws_caller_identity" "current" {}
 
+module "base" {
+  source = "../base"
+
+  prefix     = local.environment
+  aws_region = local.aws_region
+}
+
 module "runners" {
   source                          = "../../"
   create_service_linked_role_spot = true
-  aws_region                      = var.aws_region
-  vpc_id                          = module.vpc.vpc_id
-  subnet_ids                      = module.vpc.private_subnets
+  aws_region                      = local.aws_region
+  vpc_id                          = module.base.vpc.vpc_id
+  subnet_ids                      = module.base.vpc.private_subnets
 
   prefix                      = local.environment
   enable_organization_runners = false

examples/prebuilt/providers.tf

@@ -1,3 +1,8 @@
 provider "aws" {
-  region = var.aws_region
+  region = local.aws_region
+  default_tags {
+    tags = {
+      Example = local.environment
+    }
+  }
 }

examples/prebuilt/variables.tf

@@ -12,8 +12,3 @@ variable "ami_name_filter" {
   type    = string
   default = "github-runner-amzn2-x86_64-*"
 }
-
-variable "aws_region" {
-  type    = string
-  default = "eu-west-1"
-}

examples/ubuntu/main.tf

@@ -9,12 +9,20 @@ resource "random_id" "random" {
 
 data "aws_caller_identity" "current" {}
 
+
+module "base" {
+  source = "../base"
+
+  prefix     = local.environment
+  aws_region = local.aws_region
+}
+
 module "runners" {
   source = "../../"
 
   aws_region = local.aws_region
-  vpc_id     = module.vpc.vpc_id
-  subnet_ids = module.vpc.private_subnets
+  vpc_id     = module.base.vpc.vpc_id
+  subnet_ids = module.base.vpc.private_subnets
 
   prefix = local.environment
   tags = {
@@ -32,7 +40,7 @@ module "runners" {
   # runners_lambda_zip                = "lambdas-download/runners.zip"
 
   enable_organization_runners = false
-  runner_extra_labels         = "ubuntu,example"
+  runner_extra_labels         = "default,example"
 
   # enable access to the runners via SSM
   enable_ssm_on_runners = true
@@ -102,4 +110,6 @@ module "runners" {
   #   idleCount = 1
   # }]
 
+  # Enable logging all commands of user_data, secrets will be logged!!!
+  # enable_user_data_debug_logging_runner = true
 }

examples/ubuntu/providers.tf

@@ -1,6 +1,10 @@
 provider "aws" {
   region = local.aws_region
-
+  default_tags {
+    tags = {
+      Example = local.environment
+    }
+  }
   // If you use roles with specific permissions please add your role
   // assume_role {
   //   role_arn = "arn:aws:iam::123456789012:role/MyAdminRole"

examples/ubuntu/templates/user-data.sh

@@ -1,6 +1,17 @@
-#!/bin/bash -x
+#!/bin/bash
 exec > >(tee /var/log/user-data.log | logger -t user-data -s 2>/dev/console) 2>&1
 
+
+# AWS suggest to create a log for debug purpose based on https://aws.amazon.com/premiumsupport/knowledge-center/ec2-linux-log-user-data/
+# As side effect all command, set +x disable debugging explicitly.
+#
+# An alternative for masking tokens could be: exec > >(sed 's/--token\ [^ ]* /--token\ *** /g' > /var/log/user-data.log) 2>&1
+set +x
+
+%{ if enable_debug_logging }
+set -x
+%{ endif }
+
 ${pre_install}
 
 # Install AWS CLI

examples/windows/main.tf

@@ -7,12 +7,19 @@ resource "random_id" "random" {
   byte_length = 20
 }
 
+module "base" {
+  source = "../base"
+
+  prefix     = local.environment
+  aws_region = local.aws_region
+}
+
 module "runners" {
   source = "../../"
 
   aws_region = local.aws_region
-  vpc_id     = module.vpc.vpc_id
-  subnet_ids = module.vpc.private_subnets
+  vpc_id     = module.base.vpc.vpc_id
+  subnet_ids = module.base.vpc.private_subnets
   prefix     = local.environment
 
   github_app = {

examples/windows/providers.tf

@@ -1,3 +1,8 @@
 provider "aws" {
   region = local.aws_region
+  default_tags {
+    tags = {
+      Example = local.environment
+    }
+  }
 }