From 1288c81de1b9905a71b8f44c03efaf526384b0f2 Mon Sep 17 00:00:00 2001 From: Trevor Wood Date: Mon, 12 Feb 2024 08:18:20 -0500 Subject: [PATCH] feat: allow setting VPC and subnets per runner (#3467) This allows passing in a different VPC and subnet IDs for each runner config and falling back to the "global" value set via the existing `vpc_id` and `subnet_ids` variables. --------- Co-authored-by: Niek Palm --- .terraform.lock.hcl | 45 +++++++++++++++++++ examples/arm64/.terraform.lock.hcl | 2 +- examples/base/.terraform.lock.hcl | 25 +++++++++++ examples/default/.terraform.lock.hcl | 2 +- examples/ephemeral/.terraform.lock.hcl | 2 +- examples/lambdas-download/.terraform.lock.hcl | 2 +- examples/multi-runner/.terraform.lock.hcl | 2 +- examples/multi-runner/main.tf | 22 ++++++++- .../templates/runner-configs/linux-x64.yaml | 2 + .../permissions-boundary/.terraform.lock.hcl | 2 +- examples/permissions-boundary/setup/main.tf | 3 +- examples/prebuilt/.terraform.lock.hcl | 2 +- examples/ubuntu/.terraform.lock.hcl | 2 +- examples/windows/.terraform.lock.hcl | 2 +- modules/multi-runner/README.md | 3 -- modules/multi-runner/runners.tf | 4 +- modules/multi-runner/variables.tf | 4 ++ 17 files changed, 109 insertions(+), 17 deletions(-) create mode 100644 .terraform.lock.hcl create mode 100644 examples/base/.terraform.lock.hcl diff --git a/.terraform.lock.hcl b/.terraform.lock.hcl new file mode 100644 index 0000000000..b4043fb5eb --- /dev/null +++ b/.terraform.lock.hcl 
@@ -0,0 +1,45 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/aws" { + version = "5.31.0" + constraints = "~> 5.27" + hashes = [ + "h1:ltxyuBWIy9cq0kIKDJH1jeWJy/y7XJLjS4QrsQK4plA=", + "zh:0cdb9c2083bf0902442384f7309367791e4640581652dda456f2d6d7abf0de8d", + "zh:2fe4884cb9642f48a5889f8dff8f5f511418a18537a9dfa77ada3bcdad391e4e", + "zh:36d8bdd72fe61d816d0049c179f495bc6f1e54d8d7b07c45b62e5e1696882a89", + "zh:539dd156e3ec608818eb21191697b230117437a58587cbd02ce533202a4dd520", + "zh:6a53f4b57ac4eb3479fc0d8b6e301ca3a27efae4c55d9f8bd24071b12a03361c", + "zh:6faeb8ff6792ca7af1c025255755ad764667a300291cc10cea0c615479488c87", + "zh:7d9423149b323f6d0df5b90c4d9029e5455c670aea2a7eb6fef4684ba7eb2e0b", + "zh:8235badd8a5d0993421cacf5ead48fac73d3b5a25c8a68599706a404b1f70730", + "zh:860b4f60842b2879c5128b7e386c8b49adeda9287fed12c5cd74861bb659bbcd", + "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", + "zh:b021fceaf9382c8fe3c6eb608c24d01dce3d11ba7e65bb443d51ca9b90e9b237", + "zh:b38b0bfc1c69e714e80cf1c9ea06e687ee86aa9f45694be28eb07adcebbe0489", + "zh:c972d155f6c01af9690a72adfb99cfc24ef5ef311ca92ce46b9b13c5c153f572", + "zh:e0dd29920ec84fdb6026acff44dcc1fb1a24a0caa093fa04cdbc713d384c651d", + "zh:e3127ebd2cb0374cd1808f911e6bffe2f4ac4d84317061381242353f3a7bc27d", + ] +} + +provider "registry.terraform.io/hashicorp/random" { + version = "3.6.0" + constraints = "~> 3.0" + hashes = [ + "h1:I8MBeauYA8J8yheLJ8oSMWqB0kovn16dF/wKZ1QTdkk=", + "zh:03360ed3ecd31e8c5dac9c95fe0858be50f3e9a0d0c654b5e504109c2159287d", + "zh:1c67ac51254ba2a2bb53a25e8ae7e4d076103483f55f39b426ec55e47d1fe211", + "zh:24a17bba7f6d679538ff51b3a2f378cedadede97af8a1db7dad4fd8d6d50f829", + "zh:30ffb297ffd1633175d6545d37c2217e2cef9545a6e03946e514c59c0859b77d", + "zh:454ce4b3dbc73e6775f2f6605d45cee6e16c3872a2e66a2c97993d6e5cbd7055", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + 
"zh:91df0a9fab329aff2ff4cf26797592eb7a3a90b4a0c04d64ce186654e0cc6e17", + "zh:aa57384b85622a9f7bfb5d4512ca88e61f22a9cea9f30febaa4c98c68ff0dc21", + "zh:c4a3e329ba786ffb6f2b694e1fd41d413a7010f3a53c20b432325a94fa71e839", + "zh:e2699bc9116447f96c53d55f2a00570f982e6f9935038c3810603572693712d0", + "zh:e747c0fd5d7684e5bfad8aa0ca441903f15ae7a98a737ff6aca24ba223207e2c", + "zh:f1ca75f417ce490368f047b63ec09fd003711ae48487fba90b4aba2ccf71920e", + ] +} diff --git a/examples/arm64/.terraform.lock.hcl b/examples/arm64/.terraform.lock.hcl index d4bafa90bd..60a47db0b8 100644 --- a/examples/arm64/.terraform.lock.hcl +++ b/examples/arm64/.terraform.lock.hcl @@ -3,7 +3,7 @@ provider "registry.terraform.io/hashicorp/aws" { version = "5.31.0" - constraints = ">= 5.0.0, ~> 5.2" + constraints = ">= 5.0.0, ~> 5.27" hashes = [ "h1:ltxyuBWIy9cq0kIKDJH1jeWJy/y7XJLjS4QrsQK4plA=", "zh:0cdb9c2083bf0902442384f7309367791e4640581652dda456f2d6d7abf0de8d", diff --git a/examples/base/.terraform.lock.hcl b/examples/base/.terraform.lock.hcl new file mode 100644 index 0000000000..2cee4d651f --- /dev/null +++ b/examples/base/.terraform.lock.hcl 
@@ -0,0 +1,25 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/aws" { + version = "5.31.0" + constraints = ">= 5.0.0, ~> 5.27" + hashes = [ + "h1:ltxyuBWIy9cq0kIKDJH1jeWJy/y7XJLjS4QrsQK4plA=", + "zh:0cdb9c2083bf0902442384f7309367791e4640581652dda456f2d6d7abf0de8d", + "zh:2fe4884cb9642f48a5889f8dff8f5f511418a18537a9dfa77ada3bcdad391e4e", + "zh:36d8bdd72fe61d816d0049c179f495bc6f1e54d8d7b07c45b62e5e1696882a89", + "zh:539dd156e3ec608818eb21191697b230117437a58587cbd02ce533202a4dd520", + "zh:6a53f4b57ac4eb3479fc0d8b6e301ca3a27efae4c55d9f8bd24071b12a03361c", + "zh:6faeb8ff6792ca7af1c025255755ad764667a300291cc10cea0c615479488c87", + "zh:7d9423149b323f6d0df5b90c4d9029e5455c670aea2a7eb6fef4684ba7eb2e0b", + "zh:8235badd8a5d0993421cacf5ead48fac73d3b5a25c8a68599706a404b1f70730", + "zh:860b4f60842b2879c5128b7e386c8b49adeda9287fed12c5cd74861bb659bbcd", + "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", + "zh:b021fceaf9382c8fe3c6eb608c24d01dce3d11ba7e65bb443d51ca9b90e9b237", + "zh:b38b0bfc1c69e714e80cf1c9ea06e687ee86aa9f45694be28eb07adcebbe0489", + "zh:c972d155f6c01af9690a72adfb99cfc24ef5ef311ca92ce46b9b13c5c153f572", + "zh:e0dd29920ec84fdb6026acff44dcc1fb1a24a0caa093fa04cdbc713d384c651d", + "zh:e3127ebd2cb0374cd1808f911e6bffe2f4ac4d84317061381242353f3a7bc27d", + ] +} diff --git a/examples/default/.terraform.lock.hcl b/examples/default/.terraform.lock.hcl index d4bafa90bd..60a47db0b8 100644 --- a/examples/default/.terraform.lock.hcl +++ b/examples/default/.terraform.lock.hcl @@ -3,7 +3,7 @@ provider "registry.terraform.io/hashicorp/aws" { version = "5.31.0" - constraints = ">= 5.0.0, ~> 5.2" + constraints = ">= 5.0.0, ~> 5.27" hashes = [ "h1:ltxyuBWIy9cq0kIKDJH1jeWJy/y7XJLjS4QrsQK4plA=", "zh:0cdb9c2083bf0902442384f7309367791e4640581652dda456f2d6d7abf0de8d", 
diff --git a/examples/ephemeral/.terraform.lock.hcl b/examples/ephemeral/.terraform.lock.hcl index d4bafa90bd..60a47db0b8 100644 --- a/examples/ephemeral/.terraform.lock.hcl +++ b/examples/ephemeral/.terraform.lock.hcl @@ -3,7 +3,7 @@ provider "registry.terraform.io/hashicorp/aws" { version = "5.31.0" - constraints = ">= 5.0.0, ~> 5.2" + constraints = ">= 5.0.0, ~> 5.27" hashes = [ "h1:ltxyuBWIy9cq0kIKDJH1jeWJy/y7XJLjS4QrsQK4plA=", "zh:0cdb9c2083bf0902442384f7309367791e4640581652dda456f2d6d7abf0de8d", diff --git a/examples/lambdas-download/.terraform.lock.hcl b/examples/lambdas-download/.terraform.lock.hcl index c31c31c646..da897cd060 100644 --- a/examples/lambdas-download/.terraform.lock.hcl +++ b/examples/lambdas-download/.terraform.lock.hcl @@ -3,7 +3,7 @@ provider "registry.terraform.io/hashicorp/aws" { version = "5.31.0" - constraints = "~> 5.2" + constraints = "~> 5.27" hashes = [ "h1:ltxyuBWIy9cq0kIKDJH1jeWJy/y7XJLjS4QrsQK4plA=", "zh:0cdb9c2083bf0902442384f7309367791e4640581652dda456f2d6d7abf0de8d", diff --git a/examples/multi-runner/.terraform.lock.hcl b/examples/multi-runner/.terraform.lock.hcl index d4bafa90bd..60a47db0b8 100644 --- a/examples/multi-runner/.terraform.lock.hcl +++ b/examples/multi-runner/.terraform.lock.hcl @@ -3,7 +3,7 @@ provider "registry.terraform.io/hashicorp/aws" { version = "5.31.0" - constraints = ">= 5.0.0, ~> 5.2" + constraints = ">= 5.0.0, ~> 5.27" hashes = [ "h1:ltxyuBWIy9cq0kIKDJH1jeWJy/y7XJLjS4QrsQK4plA=", "zh:0cdb9c2083bf0902442384f7309367791e4640581652dda456f2d6d7abf0de8d", diff --git a/examples/multi-runner/main.tf b/examples/multi-runner/main.tf index b1ab05b427..389aab82b0 100644 --- a/examples/multi-runner/main.tf +++ b/examples/multi-runner/main.tf 
@@ -3,7 +3,27 @@ locals { aws_region = "eu-west-1" # Load runner configurations from Yaml files - multi_runner_config = { for c in fileset("${path.module}/templates/runner-configs", "*.yaml") : trimsuffix(c, ".yaml") => yamldecode(file("${path.module}/templates/runner-configs/${c}")) } + multi_runner_config_files = { + for c in fileset("${path.module}/templates/runner-configs", "*.yaml") : + + trimsuffix(c, ".yaml") => yamldecode(file("${path.module}/templates/runner-configs/${c}")) + } + multi_runner_config = { + for k, v in local.multi_runner_config_files : + + k => merge( + v, + { + runner_config = merge( + v.runner_config, + { + subnet_ids = lookup(v.runner_config, "subnet_ids", null) != null ? [module.base.vpc.private_subnets[0]] : null + vpc_id = lookup(v.runner_config, "vpc_id", null) != null ? module.base.vpc.vpc_id : null + } + ) + } + ) + } } resource "random_id" "random" { diff --git a/examples/multi-runner/templates/runner-configs/linux-x64.yaml b/examples/multi-runner/templates/runner-configs/linux-x64.yaml index 884938d0d3..84d9aa650e 100644 --- a/examples/multi-runner/templates/runner-configs/linux-x64.yaml +++ b/examples/multi-runner/templates/runner-configs/linux-x64.yaml @@ -9,6 +9,8 @@ runner_config: runner_architecture: x64 runner_name_prefix: amazon-x64_ enable_ssm_on_runners: true + vpc_id: ${vpc_id} + subnet_ids: ${subnet_ids} instance_types: - m5ad.large - m5a.large diff --git a/examples/permissions-boundary/.terraform.lock.hcl b/examples/permissions-boundary/.terraform.lock.hcl index 4ff040062a..f5f3c3a23c 100644 --- a/examples/permissions-boundary/.terraform.lock.hcl +++ b/examples/permissions-boundary/.terraform.lock.hcl @@ -3,7 +3,7 @@ provider "registry.terraform.io/hashicorp/aws" { version = "5.31.0" - constraints = ">= 5.0.0, ~> 5.2" + constraints = ">= 5.0.0, ~> 5.27" hashes = [ "h1:ltxyuBWIy9cq0kIKDJH1jeWJy/y7XJLjS4QrsQK4plA=", "zh:0cdb9c2083bf0902442384f7309367791e4640581652dda456f2d6d7abf0de8d", 
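Review bot: The `lookup(v.runner_config, "vpc_id", null) != null` and `lookup(v.runner_config, "subnet_ids", null) != null` conditions in the new `multi_runner_config` local discard whatever the yaml contains and only test that the key is present, while the matching linux-x64.yaml hunk writes `vpc_id: ${vpc_id}` and `subnet_ids: ${subnet_ids}` — since the loader is `file()` + `yamldecode()` rather than `templatefile()`, those are read as the literal strings and never substituted. The `${...}` spelling strongly suggests template interpolation, so a reader may expect real IDs to flow in from the yaml; I would document the sentinel where it is set, e.g. in the yaml `# any non-null value here is replaced in main.tf by the base VPC's id / first private subnet`, or switch the loader to `templatefile()` so the placeholders actually resolve. `[module.base.vpc.private_subnets[0]]` also pins every runner of this config to a single subnet and AZ, which is fine for an example but worth stating in that comment.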
diff --git a/examples/permissions-boundary/setup/main.tf b/examples/permissions-boundary/setup/main.tf index 63fd737a9c..1c91c82fd5 100644 --- a/examples/permissions-boundary/setup/main.tf +++ b/examples/permissions-boundary/setup/main.tf @@ -3,8 +3,7 @@ data "aws_caller_identity" "current" {} module "iam" { source = "../../../modules/setup-iam-permissions" - environment = "boundaries" - account_id = data.aws_caller_identity.current.account_id + account_id = data.aws_caller_identity.current.account_id namespaces = { boundary_namespace = "boundaries" diff --git a/examples/prebuilt/.terraform.lock.hcl b/examples/prebuilt/.terraform.lock.hcl index d4bafa90bd..60a47db0b8 100644 --- a/examples/prebuilt/.terraform.lock.hcl +++ b/examples/prebuilt/.terraform.lock.hcl @@ -3,7 +3,7 @@ provider "registry.terraform.io/hashicorp/aws" { version = "5.31.0" - constraints = ">= 5.0.0, ~> 5.2" + constraints = ">= 5.0.0, ~> 5.27" hashes = [ "h1:ltxyuBWIy9cq0kIKDJH1jeWJy/y7XJLjS4QrsQK4plA=", "zh:0cdb9c2083bf0902442384f7309367791e4640581652dda456f2d6d7abf0de8d", diff --git a/examples/ubuntu/.terraform.lock.hcl b/examples/ubuntu/.terraform.lock.hcl index d4bafa90bd..60a47db0b8 100644 --- a/examples/ubuntu/.terraform.lock.hcl +++ b/examples/ubuntu/.terraform.lock.hcl @@ -3,7 +3,7 @@ provider "registry.terraform.io/hashicorp/aws" { version = "5.31.0" - constraints = ">= 5.0.0, ~> 5.2" + constraints = ">= 5.0.0, ~> 5.27" hashes = [ "h1:ltxyuBWIy9cq0kIKDJH1jeWJy/y7XJLjS4QrsQK4plA=", "zh:0cdb9c2083bf0902442384f7309367791e4640581652dda456f2d6d7abf0de8d", diff --git a/examples/windows/.terraform.lock.hcl b/examples/windows/.terraform.lock.hcl index d4bafa90bd..60a47db0b8 100644 --- a/examples/windows/.terraform.lock.hcl +++ b/examples/windows/.terraform.lock.hcl 
@@ -3,7 +3,7 @@ provider "registry.terraform.io/hashicorp/aws" { version = "5.31.0" - constraints = ">= 5.0.0, ~> 5.2" + constraints = ">= 5.0.0, ~> 5.27" hashes = [ "h1:ltxyuBWIy9cq0kIKDJH1jeWJy/y7XJLjS4QrsQK4plA=", "zh:0cdb9c2083bf0902442384f7309367791e4640581652dda456f2d6d7abf0de8d", diff --git a/modules/multi-runner/README.md b/modules/multi-runner/README.md index d5d7c121db..a66de6c4eb 100644 --- a/modules/multi-runner/README.md +++ b/modules/multi-runner/README.md @@ -11,12 +11,10 @@ For each configuration: - When enabled, the [distribution syncer](https://philips-labs.github.io/terraform-aws-github-runner/modules/internal/runner-binaries-syncer/) is deployed for each unique combination of OS and architecture. - For each configuration a queue is created and [runner module](https://philips-labs.github.io/terraform-aws-github-runner/modules/internal/runners/) is deployed - ## Matching Matching of the configuration is done based on the labels specified in labelMatchers configuration. The webhook is processing the `workflow_job` event and match the labels against the labels specified in labelMatchers configuration in the order of configuration with exact-match true first, followed by all exact matches false. - ## The catch Controlling which event is taken up by which runner is not to this module. It is completely done by GitHub. This means when potentially different runners can run the same job there is nothing that can be done to guarantee a certain runner will take up the job. @@ -30,7 +28,6 @@ Jobs not defining all all labels but for example only `[self-hosted, linux]` cou A complete example is available in the examples, see the [multi-runner example](https://philips-labs.github.io/terraform-aws-github-runner/examples/) for actual implementation. - ```hcl module "multi-runner" { diff --git a/modules/multi-runner/runners.tf b/modules/multi-runner/runners.tf index 6289e45b10..59f9587916 100644 --- a/modules/multi-runner/runners.tf 
+++ b/modules/multi-runner/runners.tf
@@ -3,8 +3,8 @@ module "runners" {
 for_each = local.runner_config
 aws_region = var.aws_region
 aws_partition = var.aws_partition
- vpc_id = var.vpc_id
- subnet_ids = var.subnet_ids
+ vpc_id = coalesce(each.value.runner_config.vpc_id, var.vpc_id)
+ subnet_ids = coalesce(each.value.runner_config.subnet_ids, var.subnet_ids)
 prefix = "${var.prefix}-${each.key}"
 tags = merge(local.tags, {
 "ghr:environment" = "${var.prefix}-${each.key}"
diff --git a/modules/multi-runner/variables.tf b/modules/multi-runner/variables.tf
index 919d7fbdd9..01dfd6cd46 100644
--- a/modules/multi-runner/variables.tf
+++ b/modules/multi-runner/variables.tf
@@ -78,6 +78,8 @@ variable "multi_runner_config" {
 userdata_post_install = optional(string, "")
 runner_ec2_tags = optional(map(string), {})
 runner_iam_role_managed_policy_arns = optional(list(string), [])
+ vpc_id = optional(string, null)
+ subnet_ids = optional(list(string), null)
 idle_config = optional(list(object({
 cron = string
 timeZone = string 
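Review bot: The two `coalesce()` calls fall back independently, so a runner config that sets `subnet_ids` but leaves `vpc_id` null (or the reverse) builds the runner security group in one VPC and launches into subnets of another; the description added in variables.tf says the subnets must be in `vpc_id`, but nothing enforces it, and a subnet/security-group VPC mismatch would presumably surface only as an EC2 error at apply time rather than at plan. `coalesce` also treats an empty list as a value, so `subnet_ids = []` in a runner config disables the fallback instead of triggering it, unlike `null`. Since this pair decides which network segment a runner lands in, I would add a `validation` block to `variable "multi_runner_config"` (the first variables.tf hunk below) requiring both keys to be set together, assuming `local.runner_config` mirrors that variable: `condition = alltrue([for v in values(var.multi_runner_config) : (v.runner_config.vpc_id == null) == (v.runner_config.subnet_ids == null)])` with `error_message = "runner_config.vpc_id and runner_config.subnet_ids must be set together."`. The enclosing `module "runners"` block continues outside the hunk.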
@@ -169,6 +171,8 @@ variable "multi_runner_config" {
 userdata_post_install: "Script to be ran after the GitHub Actions runner is installed on the EC2 instances"
 runner_ec2_tags: "Map of tags that will be added to the launch template instance tag specifications."
 runner_iam_role_managed_policy_arns: "Attach AWS or customer-managed IAM policies (by ARN) to the runner IAM role"
+ vpc_id: "The VPC for security groups of the action runners. If not set uses the value of `var.vpc_id`."
+ subnet_ids: "List of subnets in which the action runners will be launched, the subnets needs to be subnets in the `vpc_id`. If not set, uses the value of `var.subnet_ids`."
 idle_config: "List of time period that can be defined as cron expression to keep a minimum amount of runners active instead of scaling down to 0. By defining this list you can ensure that in time periods that match the cron expression within 5 seconds a runner is kept idle."
 runner_log_files: "(optional) Replaces the module default cloudwatch log config. See https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Agent-Configuration-File-Details.html for details."
 block_device_mappings: "The EC2 instance block device configuration. Takes the following keys: `device_name`, `delete_on_termination`, `volume_type`, `volume_size`, `encrypted`, `iops`, `throughput`, `kms_key_id`, `snapshot_id`."
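Review bot: In the added `subnet_ids` description, `the subnets needs to be subnets in the` should read `the subnets need to be in the`, and the neighbouring `vpc_id` line drops the comma the `subnet_ids` line has (`If not set uses` vs `If not set, uses`). Neither description says which VPC is meant once the fallback applies; I would write `subnet_ids: "List of subnets in which the action runners will be launched; they need to be in the effective VPC (this config's vpc_id, or var.vpc_id when that is not set). If not set, uses the value of var.subnet_ids."`. The enclosing `variable "multi_runner_config"` block continues outside the hunk.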