From 3c3ef19b176811d96f3fa821aadb10576847fb72 Mon Sep 17 00:00:00 2001
From: Alix Lourme
Date: Fri, 1 Oct 2021 13:01:20 +0200
Subject: [PATCH] feat: Add option to disable SSL verification support for GitHub Enterprise Server (#1216)

* Disable SSL verification support for GitHub Enterprise Server
* Terraform formatting
Close #1207
Co-authored-by: Niek Palm
Co-authored-by: Niek Palm
---
 README.md | 1 +
 main.tf | 3 ++-
 modules/runners/main.tf | 1 +
 modules/runners/scale-down.tf | 1 +
 modules/runners/scale-up.tf | 1 +
 modules/runners/variables.tf | 6 ++++++
 variables.tf | 6 ++++++
 7 files changed, 18 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 2edffdbec7..24a1acbbc5 100644
--- a/README.md
+++ b/README.md
@@ -359,6 +359,7 @@ No requirements.
 | enable\_ssm\_on\_runners | Enable to allow access the runner instances for debugging purposes via SSM. Note that this adds additional permissions to the runner instances. | `bool` | `false` | no |
 | environment | A name that identifies the environment, used as prefix and for tagging. | `string` | n/a | yes |
 | ghes\_url | GitHub Enterprise Server URL. Example: https://github.internal.co - DO NOT SET IF USING PUBLIC GITHUB | `string` | `null` | no |
+| ghes\_ssl\_verify | GitHub Enterprise SSL verification. Set to `false` when custom certificate (chains) is used for GitHub Enterprise Server (insecure). | `bool` | `true` | no |
 | github\_app | GitHub app parameters, see your github app. Ensure the key is the base64-encoded `.pem` file (the output of `base64 app.private-key.pem`, not the content of `private-key.pem`). |
object({
key_base64 = string
id = string
client_id = string
client_secret = string
webhook_secret = string
})
| n/a | yes | | idle\_config | List of time period that can be defined as cron expression to keep a minimum amount of runners active instead of scaling down to 0. By defining this list you can ensure that in time periods that match the cron expression within 5 seconds a runner is kept idle. |
list(object({
cron = string
timeZone = string
idleCount = number
}))
| `[]` | no |
 | instance\_profile\_path | The path that will be added to the instance\_profile, if not set the environment name will be used. | `string` | `null` | no |
diff --git a/main.tf b/main.tf
index 36aa30fe20..3745dc3a27 100644
--- a/main.tf
+++ b/main.tf
@@ -128,7 +128,8 @@ module "runners" {
 runner_iam_role_managed_policy_arns = var.runner_iam_role_managed_policy_arns
- ghes_url = var.ghes_url
+ ghes_url = var.ghes_url
+ ghes_ssl_verify = var.ghes_ssl_verify
 kms_key_arn = var.kms_key_arn
 }
diff --git a/modules/runners/main.tf b/modules/runners/main.tf
index 5c510c3d3c..f36ec06b05 100644
--- a/modules/runners/main.tf
+++ b/modules/runners/main.tf
@@ -108,6 +108,7 @@ resource "aws_launch_template" "runner" {
 enable_cloudwatch_agent = var.enable_cloudwatch_agent
 ssm_key_cloudwatch_agent_config = var.enable_cloudwatch_agent ? aws_ssm_parameter.cloudwatch_agent_config_runner[0].name : ""
 ghes_url = var.ghes_url
+ ghes_ssl_verify = var.ghes_ssl_verify
 install_config_runner = local.install_config_runner
 }))
diff --git a/modules/runners/scale-down.tf b/modules/runners/scale-down.tf
index 431cdc8ddb..406abe5d6f 100644
--- a/modules/runners/scale-down.tf
+++ b/modules/runners/scale-down.tf
@@ -18,6 +18,7 @@ resource "aws_lambda_function" "scale_down" {
 RUNNER_BOOT_TIME_IN_MINUTES = var.runner_boot_time_in_minutes
 SCALE_DOWN_CONFIG = jsonencode(var.idle_config)
 GHES_URL = var.ghes_url
+ NODE_TLS_REJECT_UNAUTHORIZED = var.ghes_url != null && ! var.ghes_ssl_verify ? 0 : 1
 PARAMETER_GITHUB_APP_CLIENT_ID_NAME = var.github_app_parameters.client_id.name
 PARAMETER_GITHUB_APP_CLIENT_SECRET_NAME = var.github_app_parameters.client_secret.name
 PARAMETER_GITHUB_APP_ID_NAME = var.github_app_parameters.id.name
diff --git a/modules/runners/scale-up.tf b/modules/runners/scale-up.tf
index d7b4f6b080..435294e29b 100644
--- a/modules/runners/scale-up.tf
+++ b/modules/runners/scale-up.tf
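Review bot: `ghes_ssl_verify` is handed to the runner launch-template `templatefile(...)` call in modules/runners/main.tf, but none of the seven files in this patch is a user-data or install template, so nothing in the commit shows the runner side reading it; unless a template already expects that key, the value is dead input on the instance and a runner talking to a GHES with a private chain is presumably still unaffected by the flag. Either the consuming template change belongs in this commit, or the variable description should say the flag only affects the scale lambdas. A short comment on the added line would make the intent explicit: `# consumed by the runner user-data template (or: lambda-only, unused here)`. The surrounding `templatefile` argument list starts before and ends after this hunk.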
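Review bot: `NODE_TLS_REJECT_UNAUTHORIZED = 0` on the scale_down Lambda disables certificate validation for every TLS connection the Node process makes, not only the one to GHES_URL; the same function presumably fetches the PARAMETER_GITHUB_APP_* secrets named in the neighbouring lines over TLS as well, and those calls lose validation too. The scale-up hunk sets the identical variable and has the same scope problem. Since the variable description frames this as the remedy for custom certificate chains, the narrower fix is to keep validation on and trust the private CA, e.g. by shipping the CA bundle with the function and pointing `NODE_EXTRA_CA_CERTS` at it, leaving the global opt-out as a last resort. At minimum the added line deserves a comment recording the blast radius: `# 0 disables TLS certificate validation for the whole Lambda process, not just the GHES endpoint`. The `environment` block these lines belong to starts and ends outside the hunk.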
@@ -17,6 +17,7 @@ resource "aws_lambda_function" "scale_up" {
 ENABLE_ORGANIZATION_RUNNERS = var.enable_organization_runners
 ENVIRONMENT = var.environment
 GHES_URL = var.ghes_url
+ NODE_TLS_REJECT_UNAUTHORIZED = var.ghes_url != null && ! var.ghes_ssl_verify ? 0 : 1
 RUNNER_EXTRA_LABELS = var.runner_extra_labels
 RUNNER_GROUP_NAME = var.runner_group_name
 RUNNERS_MAXIMUM_COUNT = var.runners_maximum_count
diff --git a/modules/runners/variables.tf b/modules/runners/variables.tf
index eed34f89e1..aaf10d449b 100644
--- a/modules/runners/variables.tf
+++ b/modules/runners/variables.tf
@@ -303,6 +303,12 @@ variable "ghes_url" {
 default = null
 }
+variable "ghes_ssl_verify" {
+ description = "GitHub Enterprise SSL verification. Set to 'false' when custom certificate (chains) is used for GitHub Enterprise Server (insecure)."
+ type = bool
+ default = true
+}
+
 variable "lambda_subnet_ids" {
 description = "List of subnets in which the lambda will be launched, the subnets needs to be subnets in the `vpc_id`."
 type = list(string)
diff --git a/variables.tf b/variables.tf
index 6b9c9fb1a8..2a9b831be2 100644
--- a/variables.tf
+++ b/variables.tf
@@ -313,6 +313,12 @@ variable "ghes_url" {
 default = null
 }
+variable "ghes_ssl_verify" {
+ description = "GitHub Enterprise SSL verification. Set to 'false' when custom certificate (chains) is used for GitHub Enterprise Server (insecure)."
+ type = bool
+ default = true
+}
+
 variable "lambda_subnet_ids" {
 description = "List of subnets in which the action runners will be launched, the subnets needs to be subnets in the `vpc_id`."
 type = list(string)
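Review bot: The `ghes_ssl_verify` description in variables.tf (and its copy in modules/runners/variables.tf) tells operators to set `false` whenever a custom certificate chain is in use, but does not say what the flag actually does, and the scale-up/scale-down hunks show it maps to `NODE_TLS_REJECT_UNAUTHORIZED=0`, which switches off certificate validation for all TLS traffic from those Lambdas. A reader picking the option from the README table would not learn that a private CA is normally handled by trusting the CA rather than by disabling verification. I would rewrite the description to state the mechanism and scope, e.g. `description = "Disable TLS certificate verification for GitHub Enterprise Server. When false (and ghes_url is set) the scale-up/scale-down lambdas run with NODE_TLS_REJECT_UNAUTHORIZED=0, which disables certificate validation for all their outbound TLS connections (insecure); prefer trusting the internal CA where possible."`. Whether the runner instances honour the flag is not visible in this patch, so the description should not claim they do until the user-data template consumes it.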