feat: allow setting VPC and subnets per runner (#3467)

This allows passing in a different VPC and subnet IDs for each runner
config and falling back to the "global" value set via the existing
`vpc_id` and `subnet_ids` variables.

---------

Co-authored-by: Niek Palm <[email protected]>

examples/multi-runner/main.tf

@@ -3,7 +3,27 @@ locals {
   aws_region  = "eu-west-1"
 
   # Load runner configurations from Yaml files
-  multi_runner_config = { for c in fileset("${path.module}/templates/runner-configs", "*.yaml") : trimsuffix(c, ".yaml") => yamldecode(file("${path.module}/templates/runner-configs/${c}")) }
+  multi_runner_config_files = {
+    for c in fileset("${path.module}/templates/runner-configs", "*.yaml") :
+
+    trimsuffix(c, ".yaml") => yamldecode(file("${path.module}/templates/runner-configs/${c}"))
+  }
+  multi_runner_config = {
+    for k, v in local.multi_runner_config_files :
+
+    k => merge(
+      v,
+      {
+        runner_config = merge(
+          v.runner_config,
+          {
+            subnet_ids = lookup(v.runner_config, "subnet_ids", null) != null ? [module.base.vpc.private_subnets[0]] : null
+            vpc_id     = lookup(v.runner_config, "vpc_id", null) != null ? module.base.vpc.vpc_id : null
+          }
+        )
+      }
+    )
+  }
 }
 
 resource "random_id" "random" {

examples/multi-runner/templates/runner-configs/linux-x64.yaml

@@ -9,6 +9,8 @@ runner_config:
   runner_architecture: x64
   runner_name_prefix: amazon-x64_
   enable_ssm_on_runners: true
+  vpc_id: ${vpc_id}
+  subnet_ids: ${subnet_ids}
   instance_types:
     - m5ad.large
     - m5a.large

examples/permissions-boundary/setup/main.tf

@@ -3,8 +3,7 @@ data "aws_caller_identity" "current" {}
 module "iam" {
   source = "../../../modules/setup-iam-permissions"
 
-  environment = "boundaries"
-  account_id  = data.aws_caller_identity.current.account_id
+  account_id = data.aws_caller_identity.current.account_id
 
   namespaces = {
     boundary_namespace         = "boundaries"

modules/multi-runner/README.md

@@ -11,12 +11,10 @@ For each configuration:
 - When enabled, the [distribution syncer](https://philips-labs.github.io/terraform-aws-github-runner/modules/internal/runner-binaries-syncer/) is deployed for each unique combination of OS and architecture.
 - For each configuration a queue is created and [runner module](https://philips-labs.github.io/terraform-aws-github-runner/modules/internal/runners/) is deployed
 
-
 ## Matching
 
 Matching of the configuration is done based on the labels specified in labelMatchers configuration. The webhook is processing the `workflow_job` event and match the labels against the labels specified in labelMatchers configuration in the order of configuration with exact-match true first, followed by all exact matches false.
 
-
 ## The catch
 
 Controlling which event is taken up by which runner is not to this module. It is completely done by GitHub. This means when potentially different runners can run the same job there is nothing that can be done to guarantee a certain runner will take up the job.
@@ -30,7 +28,6 @@ Jobs not defining all all labels but for example only `[self-hosted, linux]` cou
 
 A complete example is available in the examples, see the [multi-runner example](https://philips-labs.github.io/terraform-aws-github-runner/examples/) for actual implementation.
 
-
 ```hcl
 
 module "multi-runner" {

modules/multi-runner/runners.tf

@@ -3,8 +3,8 @@ module "runners" {
   for_each      = local.runner_config
   aws_region    = var.aws_region
   aws_partition = var.aws_partition
-  vpc_id        = var.vpc_id
-  subnet_ids    = var.subnet_ids
+  vpc_id        = coalesce(each.value.runner_config.vpc_id, var.vpc_id)
+  subnet_ids    = coalesce(each.value.runner_config.subnet_ids, var.subnet_ids)
   prefix        = "${var.prefix}-${each.key}"
   tags = merge(local.tags, {
     "ghr:environment" = "${var.prefix}-${each.key}"

modules/multi-runner/variables.tf

@@ -78,6 +78,8 @@ variable "multi_runner_config" {
       userdata_post_install                   = optional(string, "")
       runner_ec2_tags                         = optional(map(string), {})
       runner_iam_role_managed_policy_arns     = optional(list(string), [])
+      vpc_id                                  = optional(string, null)
+      subnet_ids                              = optional(list(string), null)
       idle_config = optional(list(object({
         cron             = string
         timeZone         = string
@@ -169,6 +171,8 @@ variable "multi_runner_config" {
         userdata_post_install: "Script to be ran after the GitHub Actions runner is installed on the EC2 instances"
         runner_ec2_tags: "Map of tags that will be added to the launch template instance tag specifications."
         runner_iam_role_managed_policy_arns: "Attach AWS or customer-managed IAM policies (by ARN) to the runner IAM role"
+        vpc_id: "The VPC for security groups of the action runners. If not set uses the value of `var.vpc_id`."
+        subnet_ids: "List of subnets in which the action runners will be launched, the subnets needs to be subnets in the `vpc_id`. If not set, uses the value of `var.subnet_ids`."
         idle_config: "List of time period that can be defined as cron expression to keep a minimum amount of runners active instead of scaling down to 0. By defining this list you can ensure that in time periods that match the cron expression within 5 seconds a runner is kept idle."
         runner_log_files: "(optional) Replaces the module default cloudwatch log config. See https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Agent-Configuration-File-Details.html for details."
         block_device_mappings: "The EC2 instance block device configuration. Takes the following keys: `device_name`, `delete_on_termination`, `volume_type`, `volume_size`, `encrypted`, `iops`, `throughput`, `kms_key_id`, `snapshot_id`."