diff --git a/README.md b/README.md index e72a76b05a..534c6acabc 100644 --- a/README.md +++ b/README.md @@ -129,8 +129,7 @@ Go to GitHub and [create a new app](https://docs.github.com/en/developers/apps/c - `Self-hosted runners`: Read & write (to register runner) 8. Save the new app. 9. On the General page, make a note of the "App ID" and "Client ID" parameters. -10. Create a new client secret and also write it down. -11. Generate a new private key and save the `app.private-key.pem` file. +10. Generate a new private key and save the `app.private-key.pem` file. ### Setup terraform module @@ -174,8 +173,6 @@ module "github-runner" { github_app = { key_base64 = "base64string" id = "1" - client_id = "c-123" - client_secret = "client_secret" webhook_secret = "webhook_secret" } @@ -377,7 +374,7 @@ No requirements. | environment | A name that identifies the environment, used as prefix and for tagging. | `string` | n/a | yes | | ghes\_ssl\_verify | GitHub Enterprise SSL verification. Set to 'false' when custom certificate (chains) is used for GitHub Enterprise Server (insecure). | `bool` | `true` | no | | ghes\_url | GitHub Enterprise Server URL. Example: https://github.internal.co - DO NOT SET IF USING PUBLIC GITHUB | `string` | `null` | no | -| github\_app | GitHub app parameters, see your github app. Ensure the key is the base64-encoded `.pem` file (the output of `base64 app.private-key.pem`, not the content of `private-key.pem`). |
object({
key_base64 = string
id = string
client_id = string
client_secret = string
webhook_secret = string
})
| n/a | yes | +| github\_app | GitHub app parameters, see your github app. Ensure the key is the base64-encoded `.pem` file (the output of `base64 app.private-key.pem`, not the content of `private-key.pem`). |
object({
key_base64 = string
id = string
webhook_secret = string
})
| n/a | yes | | idle\_config | List of time period that can be defined as cron expression to keep a minimum amount of runners active instead of scaling down to 0. By defining this list you can ensure that in time periods that match the cron expression within 5 seconds a runner is kept idle. |
list(object({
cron = string
timeZone = string
idleCount = number
}))
| `[]` | no | | instance\_profile\_path | The path that will be added to the instance\_profile, if not set the environment name will be used. | `string` | `null` | no | | instance\_type | [DEPRECATED] See instance\_types. | `string` | `"m5.large"` | no | diff --git a/examples/default/main.tf b/examples/default/main.tf index ae3ec2c2ba..126aea0dd4 100644 --- a/examples/default/main.tf +++ b/examples/default/main.tf @@ -27,8 +27,6 @@ module "runners" { github_app = { key_base64 = var.github_app_key_base64 id = var.github_app_id - client_id = var.github_app_client_id - client_secret = var.github_app_client_secret webhook_secret = random_password.random.result } @@ -48,9 +46,14 @@ module "runners" { # idleCount = 1 # }] - # disable KMS and encryption - # encrypt_secrets = false - # Let the module manage the service linked role # create_service_linked_role_spot = true + + instance_types = ["m5.large", "c5.large"] + + # override delay of events in seconds + delay_webhook_event = 5 + + # override scaling down + scale_down_schedule_expression = "cron(* * * * ? *)" } diff --git a/examples/ubuntu/main.tf b/examples/ubuntu/main.tf index 60c397eb26..6cadee69d4 100644 --- a/examples/ubuntu/main.tf +++ b/examples/ubuntu/main.tf @@ -22,8 +22,6 @@ module "runners" { github_app = { key_base64 = var.github_app_key_base64 id = var.github_app_id - client_id = var.github_app_client_id - client_secret = var.github_app_client_secret webhook_secret = random_password.random.result } diff --git a/main.tf b/main.tf index 89a2889582..54cc18dd4f 100644 --- a/main.tf +++ b/main.tf @@ -9,10 +9,8 @@ locals { ami_filter = length(var.ami_filter) > 0 ? var.ami_filter : local.runner_architecture == "arm64" ? { name = ["amzn2-ami-hvm-2*-arm64-gp2"] } : { name = ["amzn2-ami-hvm-2.*-x86_64-ebs"] } github_app_parameters = { - client_id = module.ssm.parameters.github_app_client_id - client_secret = module.ssm.parameters.github_app_client_secret - id = module.ssm.parameters.github_app_id - key_base64 = module.ssm.parameters.github_app_key_base64 + id = module.ssm.parameters.github_app_id + key_base64 = module.ssm.parameters.github_app_key_base64 } } diff --git a/modules/runners/README.md b/modules/runners/README.md index 752ca37093..f27097c81f 100644 --- a/modules/runners/README.md +++ b/modules/runners/README.md @@ -58,6 +58,31 @@ No requirements. |------|---------| | aws | n/a | +## Modules + +No Modules. + +## Resources + +| Name | +|------| +| [aws_ami](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | +| [aws_caller_identity](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | +| [aws_cloudwatch_event_rule](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_rule) | +| [aws_cloudwatch_event_target](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_target) | +| [aws_cloudwatch_log_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | +| [aws_iam_instance_profile](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_instance_profile) | +| [aws_iam_policy_document](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | +| [aws_iam_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | +| [aws_iam_role_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | +| [aws_iam_role_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | +| [aws_lambda_event_source_mapping](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_event_source_mapping) | +| [aws_lambda_function](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function) | +| [aws_lambda_permission](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | +| [aws_launch_template](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_template) | +| [aws_security_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | +| [aws_ssm_parameter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter) | + ## Inputs | Name | Description | Type | Default | Required | @@ -73,8 +98,9 @@ No requirements. | enable\_organization\_runners | n/a | `bool` | n/a | yes | | enable\_ssm\_on\_runners | Enable to allow access to the runner instances for debugging purposes via SSM. Note that this adds additional permissions to the runner instances. | `bool` | n/a | yes | | environment | A name that identifies the environment, used as prefix and for tagging. | `string` | n/a | yes | +| ghes\_ssl\_verify | GitHub Enterprise SSL verification. Set to 'false' when custom certificate (chains) is used for GitHub Enterprise Server (insecure). | `bool` | `true` | no | | ghes\_url | GitHub Enterprise Server URL. DO NOT SET IF USING PUBLIC GITHUB | `string` | `null` | no | -| github\_app\_parameters | Parameter Store for GitHub App Parameters. |
object({
key_base64 = map(string)
id = map(string)
client_id = map(string)
client_secret = map(string)
})
| n/a | yes | +| github\_app\_parameters | Parameter Store for GitHub App Parameters. |
object({
key_base64 = map(string)
id = map(string)
})
| n/a | yes | | idle\_config | List of time period that can be defined as cron expression to keep a minimum amount of runners active instead of scaling down to 0. By defining this list you can ensure that in time periods that match the cron expression within 5 seconds a runner is kept idle. |
list(object({
cron = string
timeZone = string
idleCount = number
}))
| `[]` | no | | instance\_profile\_path | The path that will be added to the instance\_profile, if not set the environment name will be used. | `string` | `null` | no | | instance\_type | [DEPRECATED] See instance\_types. | `string` | `"m5.large"` | no | @@ -126,7 +152,6 @@ No requirements. | role\_runner | n/a | | role\_scale\_down | n/a | | role\_scale\_up | n/a | - ## Philips Forest diff --git a/modules/runners/lambdas/runners/src/scale-runners/gh-auth.test.ts b/modules/runners/lambdas/runners/src/scale-runners/gh-auth.test.ts index bd19f46e7c..3e42a26d41 100644 --- a/modules/runners/lambdas/runners/src/scale-runners/gh-auth.test.ts +++ b/modules/runners/lambdas/runners/src/scale-runners/gh-auth.test.ts @@ -16,12 +16,8 @@ jest.mock('@octokit/auth-app'); const cleanEnv = process.env; const ENVIRONMENT = 'dev'; const GITHUB_APP_ID = '1'; -const GITHUB_APP_CLIENT_ID = '1'; -const GITHUB_APP_CLIENT_SECRET = 'client_secret'; const PARAMETER_GITHUB_APP_ID_NAME = `/actions-runner/${ENVIRONMENT}/github_app_id`; const PARAMETER_GITHUB_APP_KEY_BASE64_NAME = `/actions-runner/${ENVIRONMENT}/github_app_key_base64`; -const PARAMETER_GITHUB_APP_CLIENT_ID_NAME = `/actions-runner/${ENVIRONMENT}/github_app_client_id`; -const PARAMETER_GITHUB_APP_CLIENT_SECRET_NAME = `/actions-runner/${ENVIRONMENT}/github_app_client_secret`; const mockedGet = mocked(getParameterValue); @@ -31,8 +27,6 @@ beforeEach(() => { process.env = { ...cleanEnv }; process.env.PARAMETER_GITHUB_APP_ID_NAME = PARAMETER_GITHUB_APP_ID_NAME; process.env.PARAMETER_GITHUB_APP_KEY_BASE64_NAME = PARAMETER_GITHUB_APP_KEY_BASE64_NAME; - process.env.PARAMETER_GITHUB_APP_CLIENT_ID_NAME = PARAMETER_GITHUB_APP_CLIENT_ID_NAME; - process.env.PARAMETER_GITHUB_APP_CLIENT_SECRET_NAME = PARAMETER_GITHUB_APP_CLIENT_SECRET_NAME; nock.disableNetConnect(); }); @@ -83,14 +77,8 @@ describe('Test createGithubAppAuth', () => { appId: parseInt(GITHUB_APP_ID), privateKey: decryptedValue, installationId, - clientId: GITHUB_APP_CLIENT_ID, - clientSecret: GITHUB_APP_CLIENT_SECRET, }; - mockedGet - .mockResolvedValueOnce(GITHUB_APP_ID) - .mockResolvedValueOnce(b64) - .mockResolvedValueOnce(GITHUB_APP_CLIENT_ID) - .mockResolvedValueOnce(GITHUB_APP_CLIENT_SECRET); + mockedGet.mockResolvedValueOnce(GITHUB_APP_ID).mockResolvedValueOnce(b64); const mockedAuth = jest.fn(); mockedAuth.mockResolvedValue({ token }); @@ -104,8 +92,6 @@ describe('Test createGithubAppAuth', () => { // Assert expect(getParameterValue).toBeCalledWith(PARAMETER_GITHUB_APP_ID_NAME); expect(getParameterValue).toBeCalledWith(PARAMETER_GITHUB_APP_KEY_BASE64_NAME); - expect(getParameterValue).toBeCalledWith(PARAMETER_GITHUB_APP_CLIENT_ID_NAME); - expect(getParameterValue).toBeCalledWith(PARAMETER_GITHUB_APP_CLIENT_SECRET_NAME); expect(mockedCreatAppAuth).toBeCalledTimes(1); expect(mockedCreatAppAuth).toBeCalledWith(authOptions); @@ -126,16 +112,10 @@ describe('Test createGithubAppAuth', () => { appId: parseInt(GITHUB_APP_ID), privateKey: decryptedValue, installationId, - clientId: GITHUB_APP_CLIENT_ID, - clientSecret: GITHUB_APP_CLIENT_SECRET, request: mockedRequestInterface.defaults({ baseUrl: githubServerUrl }), }; - mockedGet - .mockResolvedValueOnce(GITHUB_APP_ID) - .mockResolvedValueOnce(b64) - .mockResolvedValueOnce(GITHUB_APP_CLIENT_ID) - .mockResolvedValueOnce(GITHUB_APP_CLIENT_SECRET); + mockedGet.mockResolvedValueOnce(GITHUB_APP_ID).mockResolvedValueOnce(b64); const mockedAuth = jest.fn(); mockedAuth.mockResolvedValue({ token }); // eslint-disable-next-line @typescript-eslint/no-unused-vars @@ -149,8 +129,6 @@ describe('Test createGithubAppAuth', () => { // Assert expect(getParameterValue).toBeCalledWith(PARAMETER_GITHUB_APP_ID_NAME); expect(getParameterValue).toBeCalledWith(PARAMETER_GITHUB_APP_KEY_BASE64_NAME); - expect(getParameterValue).toBeCalledWith(PARAMETER_GITHUB_APP_CLIENT_ID_NAME); - expect(getParameterValue).toBeCalledWith(PARAMETER_GITHUB_APP_CLIENT_SECRET_NAME); expect(mockedCreatAppAuth).toBeCalledTimes(1); expect(mockedCreatAppAuth).toBeCalledWith(authOptions); @@ -172,16 +150,10 @@ describe('Test createGithubAppAuth', () => { const authOptions = { appId: parseInt(GITHUB_APP_ID), privateKey: decryptedValue, - clientId: GITHUB_APP_CLIENT_ID, - clientSecret: GITHUB_APP_CLIENT_SECRET, request: mockedRequestInterface.defaults({ baseUrl: githubServerUrl }), }; - mockedGet - .mockResolvedValueOnce(GITHUB_APP_ID) - .mockResolvedValueOnce(b64) - .mockResolvedValueOnce(GITHUB_APP_CLIENT_ID) - .mockResolvedValueOnce(GITHUB_APP_CLIENT_SECRET); + mockedGet.mockResolvedValueOnce(GITHUB_APP_ID).mockResolvedValueOnce(b64); const mockedAuth = jest.fn(); mockedAuth.mockResolvedValue({ token }); mockedCreatAppAuth.mockImplementation(() => { @@ -194,8 +166,6 @@ describe('Test createGithubAppAuth', () => { // Assert expect(getParameterValue).toBeCalledWith(PARAMETER_GITHUB_APP_ID_NAME); expect(getParameterValue).toBeCalledWith(PARAMETER_GITHUB_APP_KEY_BASE64_NAME); - expect(getParameterValue).toBeCalledWith(PARAMETER_GITHUB_APP_CLIENT_ID_NAME); - expect(getParameterValue).toBeCalledWith(PARAMETER_GITHUB_APP_CLIENT_SECRET_NAME); expect(mockedCreatAppAuth).toBeCalledTimes(1); expect(mockedCreatAppAuth).toBeCalledWith(authOptions); diff --git a/modules/runners/lambdas/runners/src/scale-runners/gh-auth.ts b/modules/runners/lambdas/runners/src/scale-runners/gh-auth.ts index cda6e5d3ab..18f040468b 100644 --- a/modules/runners/lambdas/runners/src/scale-runners/gh-auth.ts +++ b/modules/runners/lambdas/runners/src/scale-runners/gh-auth.ts @@ -49,8 +49,6 @@ async function createAuth(installationId: number | undefined, ghesApiUrl: string await getParameterValue(process.env.PARAMETER_GITHUB_APP_KEY_BASE64_NAME), 'base64', ).toString(), - clientId: await getParameterValue(process.env.PARAMETER_GITHUB_APP_CLIENT_ID_NAME), - clientSecret: await getParameterValue(process.env.PARAMETER_GITHUB_APP_CLIENT_SECRET_NAME), }; if (installationId) authOptions = { ...authOptions, installationId }; diff --git a/modules/runners/policies/lambda-scale-down.json b/modules/runners/policies/lambda-scale-down.json index b201de9356..c63d54741f 100644 --- a/modules/runners/policies/lambda-scale-down.json +++ b/modules/runners/policies/lambda-scale-down.json @@ -32,8 +32,6 @@ ], "Resource": [ "${github_app_key_base64_arn}", - "${github_app_client_secret_arn}", - "${github_app_client_id_arn}", "${github_app_id_arn}" ] %{ if kms_key_arn != "" ~} diff --git a/modules/runners/policies/lambda-scale-up.json b/modules/runners/policies/lambda-scale-up.json index 8ff4b2469f..057bb77068 100644 --- a/modules/runners/policies/lambda-scale-up.json +++ b/modules/runners/policies/lambda-scale-up.json @@ -45,8 +45,6 @@ ], "Resource": [ "${github_app_key_base64_arn}", - "${github_app_client_secret_arn}", - "${github_app_client_id_arn}", "${github_app_id_arn}" ] }, diff --git a/modules/runners/scale-down.tf b/modules/runners/scale-down.tf index 88e68cb446..1b131819a7 100644 --- a/modules/runners/scale-down.tf +++ b/modules/runners/scale-down.tf @@ -13,16 +13,14 @@ resource "aws_lambda_function" "scale_down" { environment { variables = { - ENVIRONMENT = var.environment - MINIMUM_RUNNING_TIME_IN_MINUTES = var.minimum_running_time_in_minutes - RUNNER_BOOT_TIME_IN_MINUTES = var.runner_boot_time_in_minutes - SCALE_DOWN_CONFIG = jsonencode(var.idle_config) - GHES_URL = var.ghes_url - NODE_TLS_REJECT_UNAUTHORIZED = var.ghes_url != null && ! var.ghes_ssl_verify ? 0 : 1 - PARAMETER_GITHUB_APP_CLIENT_ID_NAME = var.github_app_parameters.client_id.name - PARAMETER_GITHUB_APP_CLIENT_SECRET_NAME = var.github_app_parameters.client_secret.name - PARAMETER_GITHUB_APP_ID_NAME = var.github_app_parameters.id.name - PARAMETER_GITHUB_APP_KEY_BASE64_NAME = var.github_app_parameters.key_base64.name + ENVIRONMENT = var.environment + MINIMUM_RUNNING_TIME_IN_MINUTES = var.minimum_running_time_in_minutes + RUNNER_BOOT_TIME_IN_MINUTES = var.runner_boot_time_in_minutes + SCALE_DOWN_CONFIG = jsonencode(var.idle_config) + GHES_URL = var.ghes_url + NODE_TLS_REJECT_UNAUTHORIZED = var.ghes_url != null && ! var.ghes_ssl_verify ? 0 : 1 + PARAMETER_GITHUB_APP_ID_NAME = var.github_app_parameters.id.name + PARAMETER_GITHUB_APP_KEY_BASE64_NAME = var.github_app_parameters.key_base64.name } } @@ -72,11 +70,9 @@ resource "aws_iam_role_policy" "scale_down" { name = "${var.environment}-lambda-scale-down-policy" role = aws_iam_role.scale_down.name policy = templatefile("${path.module}/policies/lambda-scale-down.json", { - github_app_client_id_arn = var.github_app_parameters.client_id.arn - github_app_client_secret_arn = var.github_app_parameters.client_secret.arn - github_app_id_arn = var.github_app_parameters.id.arn - github_app_key_base64_arn = var.github_app_parameters.key_base64.arn - kms_key_arn = local.kms_key_arn + github_app_id_arn = var.github_app_parameters.id.arn + github_app_key_base64_arn = var.github_app_parameters.key_base64.arn + kms_key_arn = local.kms_key_arn }) } diff --git a/modules/runners/scale-up.tf b/modules/runners/scale-up.tf index 32457bed2e..afd0fbc5cf 100644 --- a/modules/runners/scale-up.tf +++ b/modules/runners/scale-up.tf @@ -14,19 +14,17 @@ resource "aws_lambda_function" "scale_up" { environment { variables = { - ENABLE_ORGANIZATION_RUNNERS = var.enable_organization_runners - ENVIRONMENT = var.environment - GHES_URL = var.ghes_url - NODE_TLS_REJECT_UNAUTHORIZED = var.ghes_url != null && ! var.ghes_ssl_verify ? 0 : 1 - RUNNER_EXTRA_LABELS = var.runner_extra_labels - RUNNER_GROUP_NAME = var.runner_group_name - RUNNERS_MAXIMUM_COUNT = var.runners_maximum_count - LAUNCH_TEMPLATE_NAME = join(",", [for template in aws_launch_template.runner : template.name]) - SUBNET_IDS = join(",", var.subnet_ids) - PARAMETER_GITHUB_APP_CLIENT_ID_NAME = var.github_app_parameters.client_id.name - PARAMETER_GITHUB_APP_CLIENT_SECRET_NAME = var.github_app_parameters.client_secret.name - PARAMETER_GITHUB_APP_ID_NAME = var.github_app_parameters.id.name - PARAMETER_GITHUB_APP_KEY_BASE64_NAME = var.github_app_parameters.key_base64.name + ENABLE_ORGANIZATION_RUNNERS = var.enable_organization_runners + ENVIRONMENT = var.environment + GHES_URL = var.ghes_url + NODE_TLS_REJECT_UNAUTHORIZED = var.ghes_url != null && ! var.ghes_ssl_verify ? 0 : 1 + RUNNER_EXTRA_LABELS = var.runner_extra_labels + RUNNER_GROUP_NAME = var.runner_group_name + RUNNERS_MAXIMUM_COUNT = var.runners_maximum_count + LAUNCH_TEMPLATE_NAME = join(",", [for template in aws_launch_template.runner : template.name]) + SUBNET_IDS = join(",", var.subnet_ids) + PARAMETER_GITHUB_APP_ID_NAME = var.github_app_parameters.id.name + PARAMETER_GITHUB_APP_KEY_BASE64_NAME = var.github_app_parameters.key_base64.name } } @@ -70,13 +68,11 @@ resource "aws_iam_role_policy" "scale_up" { name = "${var.environment}-lambda-scale-up-policy" role = aws_iam_role.scale_up.name policy = templatefile("${path.module}/policies/lambda-scale-up.json", { - arn_runner_instance_role = aws_iam_role.runner.arn - sqs_arn = var.sqs_build_queue.arn - github_app_client_id_arn = var.github_app_parameters.client_id.arn - github_app_client_secret_arn = var.github_app_parameters.client_secret.arn - github_app_id_arn = var.github_app_parameters.id.arn - github_app_key_base64_arn = var.github_app_parameters.key_base64.arn - kms_key_arn = local.kms_key_arn + arn_runner_instance_role = aws_iam_role.runner.arn + sqs_arn = var.sqs_build_queue.arn + github_app_id_arn = var.github_app_parameters.id.arn + github_app_key_base64_arn = var.github_app_parameters.key_base64.arn + kms_key_arn = local.kms_key_arn }) } diff --git a/modules/runners/variables.tf b/modules/runners/variables.tf index aaf10d449b..ba8fcbd5ec 100644 --- a/modules/runners/variables.tf +++ b/modules/runners/variables.tf @@ -116,10 +116,8 @@ variable "enable_organization_runners" { variable "github_app_parameters" { description = "Parameter Store for GitHub App Parameters." type = object({ - key_base64 = map(string) - id = map(string) - client_id = map(string) - client_secret = map(string) + key_base64 = map(string) + id = map(string) }) } diff --git a/modules/ssm/outputs.tf b/modules/ssm/outputs.tf index 7a61c60202..3545a839c3 100644 --- a/modules/ssm/outputs.tf +++ b/modules/ssm/outputs.tf @@ -1,13 +1,5 @@ output "parameters" { value = { - github_app_client_id = { - name = aws_ssm_parameter.github_app_client_id.name - arn = aws_ssm_parameter.github_app_client_id.arn - } - github_app_client_secret = { - name = aws_ssm_parameter.github_app_client_secret.name - arn = aws_ssm_parameter.github_app_client_secret.arn - } github_app_id = { name = aws_ssm_parameter.github_app_id.name arn = aws_ssm_parameter.github_app_id.arn diff --git a/modules/ssm/ssm.tf b/modules/ssm/ssm.tf index 3605bb4833..91f1d17cdf 100644 --- a/modules/ssm/ssm.tf +++ b/modules/ssm/ssm.tf @@ -1,19 +1,3 @@ -resource "aws_ssm_parameter" "github_app_client_id" { - name = "/actions_runner/${var.environment}/github_app_client_id" - type = "SecureString" - value = var.github_app.client_id - key_id = local.kms_key_arn - tags = var.tags -} - -resource "aws_ssm_parameter" "github_app_client_secret" { - name = "/actions_runner/${var.environment}/github_app_client_secret" - type = "SecureString" - value = var.github_app.client_secret - key_id = local.kms_key_arn - tags = var.tags -} - resource "aws_ssm_parameter" "github_app_id" { name = "/actions_runner/${var.environment}/github_app_id" type = "SecureString" diff --git a/modules/ssm/variables.tf b/modules/ssm/variables.tf index 6cb03951c0..7528d0721c 100644 --- a/modules/ssm/variables.tf +++ b/modules/ssm/variables.tf @@ -3,8 +3,6 @@ variable "github_app" { type = object({ key_base64 = string id = string - client_id = string - client_secret = string webhook_secret = string }) } diff --git a/variables.tf b/variables.tf index eadafe1128..eb3bf3ce73 100644 --- a/variables.tf +++ b/variables.tf @@ -35,8 +35,6 @@ variable "github_app" { type = object({ key_base64 = string id = string - client_id = string - client_secret = string webhook_secret = string }) }