Prebuilt runner image using packer

.ci/build.ps1

@@ -0,0 +1,8 @@
+$TOP_DIR=$(git rev-parse --show-toplevel)
+$OUTPUT_DIR="$TOP_DIR/lambda_output"
+
+New-Item "$OUTPUT_DIR" -ItemType Directory -ErrorAction SilentlyContinue
+
+$env:DOCKER_BUILDKIT=1 
+docker build --no-cache --target=final --output=type=local,dest="$OUTPUT_DIR" -f "$TOP_DIR/.ci/Dockerfile" "$TOP_DIR"
+

.editorconfig

@@ -0,0 +1,2 @@
+[*]
+end_of_line = lf

.github/workflows/packer-build.yml

@@ -0,0 +1,35 @@
+name: "Packer checks"
+on:
+  push:
+    branches:
+      - master
+      - develop
+  pull_request:
+    paths:
+      - "images/**"
+      - ".github/workflows/packer-build.yml"
+
+env:  
+  AWS_REGION: eu-west-1
+
+jobs:
+  verify_packer:
+    name: Verify image    
+    runs-on: ubuntu-latest
+    container:
+      image: hashicorp/packer:1.7.8
+    defaults:
+      run:
+        working-directory: images/linux-amzn2
+    steps:
+      - name: "Checkout"
+        uses: actions/checkout@v2
+
+      - name: packer init
+        run: packer init .
+
+      - name: check terraform formatting
+        run: packer fmt -recursive -check=true .        
+
+      - name: packer validate
+        run: packer validate .

images/install-runner.sh

@@ -0,0 +1,8 @@
+#!/bin/bash -e
+
+user_name=ec2-user
+
+## This wrapper file re-uses scripts in the /modules/runners/templates directory
+## of this repo. These are the same that are used by the user_data functionality 
+## to bootstrap the instance if it is started from an existing AMI.
+${install_runner}

images/linux-amzn2/github_agent.linux.pkr.hcl

@@ -0,0 +1,87 @@
+packer {
+  required_plugins {
+    amazon = {
+      version = ">= 0.0.2"
+      source  = "github.com/hashicorp/amazon"
+    }
+  }
+}
+
+variable "action_runner_url" {
+  description = "The URL to the tarball of the action runner"
+  type        = string
+  default     = "https://github.com/actions/runner/releases/download/v2.284.0/actions-runner-linux-x64-2.284.0.tar.gz"
+}
+
+variable "region" {
+  description = "The region to build the image in"
+  type        = string
+  default     = "eu-west-1"
+}
+
+source "amazon-ebs" "githubrunner" {
+  ami_name      = "github-runner-amzn2-${formatdate("YYYYMMDDhhmm", timestamp())}"
+  instance_type = "m3.medium"
+  region        = var.region
+  source_ami_filter {
+    filters = {
+      name                = "amzn2-ami-hvm-2.*-x86_64-ebs"
+      root-device-type    = "ebs"
+      virtualization-type = "hvm"
+    }
+    most_recent = true
+    owners      = ["137112412989"]
+  }
+  ssh_username = "ec2-user"
+  tags = {
+    OS_Version    = "amzn2"
+    Release       = "Latest"
+    Base_AMI_Name = "{{ .SourceAMIName }}"
+  }
+}
+
+build {
+  name = "githubactions-runner"
+  sources = [
+    "source.amazon-ebs.githubrunner"
+  ]
+  provisioner "shell" {
+    environment_vars = []
+    inline = [
+      "sudo yum update -y",
+      "sudo yum install -y amazon-cloudwatch-agent curl jq git",
+      "sudo amazon-linux-extras install docker",
+      "sudo systemctl enable docker.service",
+      "sudo systemctl enable containerd.service",
+      "sudo service docker start",
+      "sudo usermod -a -G docker ec2-user",
+    ]
+  }
+
+  provisioner "shell" {
+    environment_vars = [
+      "RUNNER_TARBALL_URL=${var.action_runner_url}"
+    ]
+    inline = [templatefile("../install-runner.sh", {
+      install_runner = templatefile("../../modules/runners/templates/install-runner.sh", {
+        ARM_PATCH                       = ""
+        S3_LOCATION_RUNNER_DISTRIBUTION = ""
+      })
+    })]
+  }
+
+  provisioner "file" {
+    content = templatefile("../start-runner.sh", {
+      start_runner = templatefile("../../modules/runners/templates/start-runner.sh", {})
+    })
+    destination = "/tmp/start-runner.sh"
+  }
+
+  provisioner "shell" {
+    inline = [
+      "sudo mv /tmp/start-runner.sh /var/lib/cloud/scripts/per-boot/start-runner.sh",
+      "sudo chmod +x /var/lib/cloud/scripts/per-boot/start-runner.sh",
+    ]
+  }
+
+}

images/start-runner.sh

@@ -0,0 +1,9 @@
+#!/bin/bash -e
+exec > >(tee /var/log/runner-startup.log | logger -t user-data -s 2>/dev/console) 2>&1
+
+cd /home/ec2-user/actions-runner
+
+## This wrapper file re-uses scripts in the /modules/runners/templates directory
+## of this repo. These are the same that are used by the user_data functionality 
+## to bootstrap the instance if it is started from an existing AMI.
+${start_runner}

main.tf

@@ -1,6 +1,7 @@
 locals {
   tags = merge(var.tags, {
-    Environment = var.environment
+    Environment       = var.environment,
+    "ghr:environment" = format("%s", var.environment)
   })
 
   s3_action_runner_url = "s3://${module.runner_binaries.bucket.id}/${module.runner_binaries.runner_distribution_object_key}"

modules/runners/logging.tf

@@ -28,7 +28,7 @@ resource "aws_cloudwatch_log_group" "gh_runners" {
 }
 
 resource "aws_iam_role_policy" "cloudwatch" {
-  count = var.enable_ssm_on_runners ? 1 : 0
+  count = var.enable_cloudwatch_agent ? 1 : 0
   name  = "CloudWatchLogginAndMetrics"
   role  = aws_iam_role.runner.name
   policy = templatefile("${path.module}/policies/instance-cloudwatch-policy.json",

modules/runners/main.tf

@@ -3,20 +3,18 @@ locals {
     {
       "Name" = format("%s-action-runner", var.environment)
     },
-    {
-      "Environment" = format("%s", var.environment)
-    },
     var.tags,
   )
 
-  name_sg                        = var.overrides["name_sg"] == "" ? local.tags["Name"] : var.overrides["name_sg"]
-  name_runner                    = var.overrides["name_runner"] == "" ? local.tags["Name"] : var.overrides["name_runner"]
-  role_path                      = var.role_path == null ? "/${var.environment}/" : var.role_path
-  instance_profile_path          = var.instance_profile_path == null ? "/${var.environment}/" : var.instance_profile_path
-  lambda_zip                     = var.lambda_zip == null ? "${path.module}/lambdas/runners/runners.zip" : var.lambda_zip
-  userdata_template              = var.userdata_template == null ? "${path.module}/templates/user-data.sh" : var.userdata_template
-  userdata_arm_patch             = "${path.module}/templates/arm-runner-patch.tpl"
-  userdata_install_config_runner = "${path.module}/templates/install-config-runner.sh"
+  name_sg                 = var.overrides["name_sg"] == "" ? local.tags["Name"] : var.overrides["name_sg"]
+  name_runner             = var.overrides["name_runner"] == "" ? local.tags["Name"] : var.overrides["name_runner"]
+  role_path               = var.role_path == null ? "/${var.environment}/" : var.role_path
+  instance_profile_path   = var.instance_profile_path == null ? "/${var.environment}/" : var.instance_profile_path
+  lambda_zip              = var.lambda_zip == null ? "${path.module}/lambdas/runners/runners.zip" : var.lambda_zip
+  userdata_template       = var.userdata_template == null ? "${path.module}/templates/user-data.sh" : var.userdata_template
+  userdata_arm_patch      = "${path.module}/templates/arm-runner-patch.tpl"
+  userdata_install_runner = "${path.module}/templates/install-runner.sh"
+  userdata_start_runner   = "${path.module}/templates/start-runner.sh"
 
   instance_types = distinct(var.instance_types == null ? [var.instance_type] : var.instance_types)
 
@@ -113,31 +111,26 @@ resource "aws_launch_template" "runner" {
 
 
   user_data = base64encode(templatefile(local.userdata_template, {
+    pre_install = var.userdata_pre_install
+    install_runner = templatefile(local.userdata_install_runner, {
+      S3_LOCATION_RUNNER_DISTRIBUTION = var.s3_location_runner_binaries
+      ARM_PATCH                       = var.runner_architecture == "arm64" ? templatefile(local.userdata_arm_patch, {}) : ""
+    })
+    post_install    = var.userdata_post_install
+    start_runner    = templatefile(local.userdata_start_runner, {})
+    ghes_url        = var.ghes_url
+    ghes_ssl_verify = var.ghes_ssl_verify
+    ## retain these for backwards compatibility
     environment                     = var.environment
-    pre_install                     = var.userdata_pre_install
-    post_install                    = var.userdata_post_install
     enable_cloudwatch_agent         = var.enable_cloudwatch_agent
     ssm_key_cloudwatch_agent_config = var.enable_cloudwatch_agent ? aws_ssm_parameter.cloudwatch_agent_config_runner[0].name : ""
-    ghes_url                        = var.ghes_url
-    ghes_ssl_verify                 = var.ghes_ssl_verify
-    install_config_runner           = local.install_config_runner
   }))
 
   tags = local.tags
 
   update_default_version = true
 }
 
-locals {
-  arm_patch = var.runner_architecture == "arm64" ? templatefile(local.userdata_arm_patch, {}) : ""
-  install_config_runner = templatefile(local.userdata_install_config_runner, {
-    environment                     = var.environment
-    s3_location_runner_distribution = var.s3_location_runner_binaries
-    run_as_root_user                = var.runner_as_root ? "root" : ""
-    arm_patch                       = local.arm_patch
-  })
-}
-
 resource "aws_security_group" "runner_sg" {
   name_prefix = "${var.environment}-github-actions-runner-sg"
   description = "Github Actions Runner security group"

modules/runners/policies-runner.tf

@@ -26,7 +26,10 @@ resource "aws_iam_role_policy" "ssm_parameters" {
   role = aws_iam_role.runner.name
   policy = templatefile("${path.module}/policies/instance-ssm-parameters-policy.json",
     {
-      arn_ssm_parameters = "arn:aws:ssm:${var.aws_region}:${data.aws_caller_identity.current.account_id}:parameter/${var.environment}-*"
+      arn_ssm_parameters = jsonencode([
+        "arn:aws:ssm:${var.aws_region}:${data.aws_caller_identity.current.account_id}:parameter/${var.environment}-*",
+        "arn:aws:ssm:${var.aws_region}:${data.aws_caller_identity.current.account_id}:parameter/${var.environment}/*"
+      ])
     }
   )
 }
@@ -41,6 +44,12 @@ resource "aws_iam_role_policy" "dist_bucket" {
   )
 }
 
+resource "aws_iam_role_policy" "describe_tags" {
+  name   = "runner-describe-tags"
+  role   = aws_iam_role.runner.name
+  policy = templatefile("${path.module}/policies/instance-describe-tags-policy.json", {})
+}
+
 resource "aws_iam_role_policy_attachment" "managed_policies" {
   count      = length(var.runner_iam_role_managed_policy_arns)
   role       = aws_iam_role.runner.name

modules/runners/policies/instance-describe-tags-policy.json

@@ -0,0 +1,10 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+      {          
+          "Effect": "Allow",
+          "Action": "ec2:DescribeTags",
+          "Resource": "*"
+      }
+  ]
+}

modules/runners/policies/instance-ssm-parameters-policy.json

@@ -6,15 +6,16 @@
       "Action": [
         "ssm:DeleteParameter"
       ],
-      "Resource": "${arn_ssm_parameters}"
+      "Resource": ${arn_ssm_parameters}
     },
     {
       "Effect": "Allow",
       "Action": [
+        "ssm:GetParameter",
         "ssm:GetParameters",
-        "ssm:GetParameter"
+        "ssm:GetParametersByPath"
       ],
-      "Resource": "${arn_ssm_parameters}"
+      "Resource": ${arn_ssm_parameters}
     }
   ]
 }

modules/runners/runner-config.tf

@@ -0,0 +1,21 @@
+resource "aws_ssm_parameter" "runner_config_run_as" {
+  name  = "/${var.environment}/runner/run-as"
+  type  = "String"
+  value = var.runner_as_root ? "root" : "ec2-user"
+  tags  = local.tags
+}
+
+resource "aws_ssm_parameter" "runner_agent_mode" {
+  name = "/${var.environment}/runner/agent-mode"
+  type = "String"
+  # TODO: Update this to allow for ephemeral runners
+  value = "persistent"
+  tags  = local.tags
+}
+
+resource "aws_ssm_parameter" "runner_enable_cloudwatch" {
+  name  = "/${var.environment}/runner/enable-cloudwatch"
+  type  = "String"
+  value = var.enable_cloudwatch_agent
+  tags  = local.tags
+}