From 0031fc84089fd58f22408801d8b126ef68ef0689 Mon Sep 17 00:00:00 2001
From: Alix Lourme
Date: Wed, 29 Sep 2021 12:32:49 +0200
Subject: [PATCH 1/2] Disable SSL verification support for GitHub Enterprise Server
---
 README.md | 1 +
 main.tf | 3 ++-
 modules/runners/main.tf | 1 +
 modules/runners/scale-down.tf | 1 +
 modules/runners/scale-up.tf | 1 +
 modules/runners/variables.tf | 6 ++++++
 variables.tf | 6 ++++++
 7 files changed, 18 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index ead428f14d..329a24b2ad 100644
--- a/README.md
+++ b/README.md
@@ -376,6 +376,7 @@ No requirements.
 | enable\_ssm\_on\_runners | Enable to allow access the runner instances for debugging purposes via SSM. Note that this adds additional permissions to the runner instances. | `bool` | `false` | no |
 | environment | A name that identifies the environment, used as prefix and for tagging. | `string` | n/a | yes |
 | ghes\_url | GitHub Enterprise Server URL. Example: https://github.internal.co - DO NOT SET IF USING PUBLIC GITHUB | `string` | `null` | no |
+| ghes\_ssl\_verify | GitHub Enterprise SSL verification. Set to `false` when custom certificate (chains) is used for GitHub Enterprise Server (insecure). | `bool` | `true` | no |
 | github\_app | GitHub app parameters, see your github app. Ensure the key is the base64-encoded `.pem` file (the output of `base64 app.private-key.pem`, not the content of `private-key.pem`). |
object({
key_base64 = string
id = string
client_id = string
client_secret = string
webhook_secret = string
})
| n/a | yes | | idle\_config | List of time period that can be defined as cron expression to keep a minimum amount of runners active instead of scaling down to 0. By defining this list you can ensure that in time periods that match the cron expression within 5 seconds a runner is kept idle. |
list(object({
cron = string
timeZone = string
idleCount = number
}))
| `[]` | no |
 | instance\_profile\_path | The path that will be added to the instance\_profile, if not set the environment name will be used. | `string` | `null` | no |
diff --git a/main.tf b/main.tf
index 36aa30fe20..3745dc3a27 100644
--- a/main.tf
+++ b/main.tf
@@ -128,7 +128,8 @@ module "runners" {
 runner_iam_role_managed_policy_arns = var.runner_iam_role_managed_policy_arns
- ghes_url = var.ghes_url
+ ghes_url = var.ghes_url
+ ghes_ssl_verify = var.ghes_ssl_verify
 kms_key_arn = var.kms_key_arn
 }
diff --git a/modules/runners/main.tf b/modules/runners/main.tf
index ca00ec0f2e..564e6968e3 100644
--- a/modules/runners/main.tf
+++ b/modules/runners/main.tf
@@ -104,6 +104,7 @@ resource "aws_launch_template" "runner" {
 enable_cloudwatch_agent = var.enable_cloudwatch_agent
 ssm_key_cloudwatch_agent_config = var.enable_cloudwatch_agent ? aws_ssm_parameter.cloudwatch_agent_config_runner[0].name : ""
 ghes_url = var.ghes_url
+ ghes_ssl_verify = var.ghes_ssl_verify
 install_config_runner = local.install_config_runner
 }))
diff --git a/modules/runners/scale-down.tf b/modules/runners/scale-down.tf
index 431cdc8ddb..2ce4e62f75 100644
--- a/modules/runners/scale-down.tf
+++ b/modules/runners/scale-down.tf
@@ -18,6 +18,7 @@ resource "aws_lambda_function" "scale_down" {
 RUNNER_BOOT_TIME_IN_MINUTES = var.runner_boot_time_in_minutes
 SCALE_DOWN_CONFIG = jsonencode(var.idle_config)
 GHES_URL = var.ghes_url
+ NODE_TLS_REJECT_UNAUTHORIZED = var.ghes_url != null && !var.ghes_ssl_verify ? 0 : 1
 PARAMETER_GITHUB_APP_CLIENT_ID_NAME = var.github_app_parameters.client_id.name
 PARAMETER_GITHUB_APP_CLIENT_SECRET_NAME = var.github_app_parameters.client_secret.name
 PARAMETER_GITHUB_APP_ID_NAME = var.github_app_parameters.id.name
diff --git a/modules/runners/scale-up.tf b/modules/runners/scale-up.tf
index d7b4f6b080..001c0b53b0 100644
--- a/modules/runners/scale-up.tf
+++ b/modules/runners/scale-up.tf
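Review bot: `ghes_ssl_verify` is added to the templatefile() variables of the runner launch template, but no template file changes anywhere in this patch series, so the value is either consumed by a template outside the diff or not consumed at all — templatefile() does not complain about unused variables, so this is worth confirming rather than assuming. If a template does use it to relax certificate checks on the runner, the preferable fix for a private GHES CA is to install that CA into the instance trust store from user-data rather than to disable verification. The aws_launch_template resource starts outside the hunk.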
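Review bot: The added `NODE_TLS_REJECT_UNAUTHORIZED` line disables certificate verification for every TLS connection the scale-down Lambda's Node process makes, not just the one to GHES_URL — the AWS SDK calls the function makes over the same runtime lose TLS authentication as well; the scale-up hunk in modules/runners/scale-up.tf sets the same variable. Since the variable description ties the flag to "custom certificate (chains)", a private CA is the expected case, and that is handled without weakening anything by pointing Node's `NODE_EXTRA_CA_CERTS` at a PEM bundle packaged with the Lambda, or by giving only the GHES Octokit client a request agent with the relaxed setting inside the Lambda code. If the process-wide switch stays, the Lambda should log a warning at startup whenever it runs with verification disabled so the state is visible in CloudWatch. The aws_lambda_function resource continues outside the hunk.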
@@ -17,6 +17,7 @@ resource "aws_lambda_function" "scale_up" {
 ENABLE_ORGANIZATION_RUNNERS = var.enable_organization_runners
 ENVIRONMENT = var.environment
 GHES_URL = var.ghes_url
+ NODE_TLS_REJECT_UNAUTHORIZED = var.ghes_url != null && !var.ghes_ssl_verify ? 0 : 1
 RUNNER_EXTRA_LABELS = var.runner_extra_labels
 RUNNER_GROUP_NAME = var.runner_group_name
 RUNNERS_MAXIMUM_COUNT = var.runners_maximum_count
diff --git a/modules/runners/variables.tf b/modules/runners/variables.tf
index bc3f6be0c0..63c97dfd0a 100644
--- a/modules/runners/variables.tf
+++ b/modules/runners/variables.tf
@@ -303,6 +303,12 @@ variable "ghes_url" {
 default = null
 }
+variable "ghes_ssl_verify" {
+ description = "GitHub Enterprise SSL verification. Set to 'false' when custom certificate (chains) is used for GitHub Enterprise Server (insecure)."
+ type = bool
+ default = true
+}
+
 variable "lambda_subnet_ids" {
 description = "List of subnets in which the lambda will be launched, the subnets needs to be subnets in the `vpc_id`."
 type = list(string)
diff --git a/variables.tf b/variables.tf
index fca140b685..5debb65f3e 100644
--- a/variables.tf
+++ b/variables.tf
@@ -313,6 +313,12 @@ variable "ghes_url" {
 default = null
 }
+variable "ghes_ssl_verify" {
+ description = "GitHub Enterprise SSL verification. Set to 'false' when custom certificate (chains) is used for GitHub Enterprise Server (insecure)."
+ type = bool
+ default = true
+}
+
 variable "lambda_subnet_ids" {
 description = "List of subnets in which the action runners will be launched, the subnets needs to be subnets in the `vpc_id`."
 type = list(string)
From 9112e50ec9ac01d37989f26a26d07e2e3bdadbbf Mon Sep 17 00:00:00 2001
From: Alix Lourme
Date: Thu, 30 Sep 2021 15:43:35 +0200
Subject: [PATCH 2/2] Fix Terraform format
Co-authored-by: Niek Palm
---
 modules/runners/scale-down.tf | 2 +-
 modules/runners/scale-up.tf | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
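Review bot: The description of `ghes_ssl_verify` in the modules/runners/variables.tf hunk says what the flag is for but not what it does, which is what a user weighing the "(insecure)" tag needs; the same text appears in the variables.tf hunk. Suggested wording: `description = "Verify the TLS certificate of GitHub Enterprise Server. When false and ghes_url is set, NODE_TLS_REJECT_UNAUTHORIZED=0 is set on the scale-up and scale-down lambdas (disabling verification for all of their TLS connections) and the value is passed to the runner user-data template. Prefer trusting the GHES CA; keep this true outside of testing."`. A `validation` block is not needed, because the lambda expressions already ignore the flag when ghes_url is null.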
diff --git a/modules/runners/scale-down.tf b/modules/runners/scale-down.tf
index 2ce4e62f75..406abe5d6f 100644
--- a/modules/runners/scale-down.tf
+++ b/modules/runners/scale-down.tf
@@ -18,7 +18,7 @@ resource "aws_lambda_function" "scale_down" {
 RUNNER_BOOT_TIME_IN_MINUTES = var.runner_boot_time_in_minutes
 SCALE_DOWN_CONFIG = jsonencode(var.idle_config)
 GHES_URL = var.ghes_url
- NODE_TLS_REJECT_UNAUTHORIZED = var.ghes_url != null && !var.ghes_ssl_verify ? 0 : 1
+ NODE_TLS_REJECT_UNAUTHORIZED = var.ghes_url != null && ! var.ghes_ssl_verify ? 0 : 1
 PARAMETER_GITHUB_APP_CLIENT_ID_NAME = var.github_app_parameters.client_id.name
 PARAMETER_GITHUB_APP_CLIENT_SECRET_NAME = var.github_app_parameters.client_secret.name
 PARAMETER_GITHUB_APP_ID_NAME = var.github_app_parameters.id.name
diff --git a/modules/runners/scale-up.tf b/modules/runners/scale-up.tf
index 001c0b53b0..435294e29b 100644
--- a/modules/runners/scale-up.tf
+++ b/modules/runners/scale-up.tf
@@ -17,7 +17,7 @@ resource "aws_lambda_function" "scale_up" {
 ENABLE_ORGANIZATION_RUNNERS = var.enable_organization_runners
 ENVIRONMENT = var.environment
 GHES_URL = var.ghes_url
- NODE_TLS_REJECT_UNAUTHORIZED = var.ghes_url != null && !var.ghes_ssl_verify ? 0 : 1
+ NODE_TLS_REJECT_UNAUTHORIZED = var.ghes_url != null && ! var.ghes_ssl_verify ? 0 : 1
 RUNNER_EXTRA_LABELS = var.runner_extra_labels
 RUNNER_GROUP_NAME = var.runner_group_name
 RUNNERS_MAXIMUM_COUNT = var.runners_maximum_count