diff --git a/README.md b/README.md index 86354d19cd..a7231875ed 100644 --- a/README.md +++ b/README.md @@ -444,7 +444,7 @@ In case the setup does not work as intended follow the trace of events: | [role\_permissions\_boundary](#input\_role\_permissions\_boundary) | Permissions boundary that will be added to the created roles. | `string` | `null` | no | | [runner\_additional\_security\_group\_ids](#input\_runner\_additional\_security\_group\_ids) | (optional) List of additional security groups IDs to apply to the runner | `list(string)` | `[]` | no | | [runner\_allow\_prerelease\_binaries](#input\_runner\_allow\_prerelease\_binaries) | Allow the runners to update to prerelease binaries. | `bool` | `false` | no | -| [runner\_as\_root](#input\_runner\_as\_root) | Run the action runner under the root user. | `bool` | `false` | no | +| [runner\_as\_root](#input\_runner\_as\_root) | Run the action runner under the root user. Variable `runner_run_as` will be ingored. | `bool` | `false` | no | | [runner\_binaries\_s3\_sse\_configuration](#input\_runner\_binaries\_s3\_sse\_configuration) | Map containing server-side encryption configuration for runner-binaries S3 bucket. | `any` | `{}` | no | | [runner\_binaries\_syncer\_lambda\_timeout](#input\_runner\_binaries\_syncer\_lambda\_timeout) | Time out of the binaries sync lambda in seconds. | `number` | `300` | no | | [runner\_binaries\_syncer\_lambda\_zip](#input\_runner\_binaries\_syncer\_lambda\_zip) | File location of the binaries sync lambda zip file. | `string` | `null` | no | @@ -457,6 +457,7 @@ In case the setup does not work as intended follow the trace of events: | [runner\_log\_files](#input\_runner\_log\_files) | (optional) Replaces the module default cloudwatch log config. See https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Agent-Configuration-File-Details.html for details. |
list(object({| `null` | no | | [runner\_metadata\_options](#input\_runner\_metadata\_options) | Metadata options for the ec2 runner instances. | `map(any)` |
log_group_name = string
prefix_log_group = bool
file_path = string
log_stream_name = string
}))
{| no | | [runner\_os](#input\_runner\_os) | The Operating System to use for GitHub Actions Runners (linux,win) | `string` | `"linux"` | no | +| [runner\_run\_as](#input\_runner\_run\_as) | Run the GitHub actions agent as user. | `string` | `"ec2-user"` | no | | [runners\_lambda\_s3\_key](#input\_runners\_lambda\_s3\_key) | S3 key for runners lambda function. Required if using S3 bucket to specify lambdas. | `any` | `null` | no | | [runners\_lambda\_s3\_object\_version](#input\_runners\_lambda\_s3\_object\_version) | S3 object version for runners lambda function. Useful if S3 versioning is enabled on source bucket. | `any` | `null` | no | | [runners\_lambda\_zip](#input\_runners\_lambda\_zip) | File location of the lambda zip file for scaling runners. | `string` | `null` | no | diff --git a/examples/ubuntu/main.tf b/examples/ubuntu/main.tf index 346d6f4edd..65c71cd25a 100644 --- a/examples/ubuntu/main.tf +++ b/examples/ubuntu/main.tf @@ -35,6 +35,7 @@ module "runners" { # enable access to the runners via SSM enable_ssm_on_runners = true + runner_run_as = "runners" userdata_template = "./templates/user-data.sh" ami_owners = ["099720109477"] # Canonical's Amazon account ID @@ -75,6 +76,4 @@ module "runners" { # idleCount = 1 # }] - # disable KMS and encryption - # encrypt_secrets = false } diff --git a/examples/ubuntu/outputs.tf b/examples/ubuntu/outputs.tf index fe4a965473..c50214f566 100644 --- a/examples/ubuntu/outputs.tf +++ b/examples/ubuntu/outputs.tf @@ -4,9 +4,12 @@ output "runners" { } } -output "webhook" { - value = { - secret = random_id.random.hex - endpoint = module.runners.webhook.endpoint - } +output "webhook_endpoint" { + value = module.runners.webhook.endpoint } + +output "webhook_secret" { + sensitive = true + value = random_id.random.hex +} + diff --git a/examples/ubuntu/templates/user-data.sh b/examples/ubuntu/templates/user-data.sh index a556d9bf9d..fcae68423b 100644 --- a/examples/ubuntu/templates/user-data.sh 
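Review bot: `runner_run_as = "runners"` carries no comment tying it to the user that the example's user-data template must create, and the module will `sudo -u` and `chown -R` to that name on the runner directory, so a mismatch only shows up as a failed first boot rather than at plan time. The template referenced on the next line (`./templates/user-data.sh`) runs `su -l $USER_NAME` in its hunk, which presumably is that same user — confirm the two values agree. I would add `# must match USER_NAME created by templates/user-data.sh; the runner dir is chowned to and config.sh is run as this user` above the line.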
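Review bot: `sensitive = true` on `webhook_secret` only redacts the value from plan/apply text and plain `terraform output`; `random_id.random.hex` is still stored in clear in the state file and `terraform output -raw webhook_secret` prints it. A one-line comment keeps a reader from mistaking the flag for encryption: `# sensitive only redacts CLI output; the secret remains plaintext in state, so protect the state backend`. Splitting the secret out of the former `webhook` map is the right move, since a map output could not be redacted selectively.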
+++ b/examples/ubuntu/templates/user-data.sh
@@ -62,10 +62,12 @@ su -l $USER_NAME -c "systemctl --user enable docker"
 ${install_runner}
 # config runner for rootless docker
-cd /home/$USER_NAME/actions-runner/
+cd /opt/actions-runner/
 echo DOCKER_HOST=unix:///run/user/$USER_ID/docker.sock >>.env
 echo PATH=/home/$USER_NAME/bin:$PATH >>.env
 ${post_install}
+cd /opt/actions-runner
+
 ${start_runner}
diff --git a/main.tf b/main.tf
index 4d9f60dc97..f2a695990a 100644
--- a/main.tf
+++ b/main.tf
@@ -110,6 +110,7 @@ module "runners" {
 runner_boot_time_in_minutes = var.runner_boot_time_in_minutes
 runner_extra_labels = var.runner_extra_labels
 runner_as_root = var.runner_as_root
+ runner_run_as = var.runner_run_as
 runners_maximum_count = var.runners_maximum_count
 idle_config = var.idle_config
 enable_ssm_on_runners = var.enable_ssm_on_runners
diff --git a/modules/runners/README.md b/modules/runners/README.md
index 6f9772e561..7f070635a9 100644
--- a/modules/runners/README.md
+++ b/modules/runners/README.md
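Review bot: The second `cd /opt/actions-runner` after `${post_install}` has no comment saying why it is repeated, and neither `cd` in the hunk is guarded, so if the directory is missing the two `.env` appends land in whatever the working directory happens to be. The repeat matters because the start-runner template does `chown -R $run_as .` and `./config.sh` relative to the current directory, so a post-install snippet that changes directory would otherwise chown and configure the wrong tree. I would write `cd /opt/actions-runner || exit 1  # post_install may cd away; start-runner chowns and runs ./config.sh relative to CWD`. Whether this template runs under `set -e` is not visible in the hunk.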
@@ -150,7 +150,7 @@ No modules. | [role\_permissions\_boundary](#input\_role\_permissions\_boundary) | Permissions boundary that will be added to the created role for the lambda. | `string` | `null` | no | | [runner\_additional\_security\_group\_ids](#input\_runner\_additional\_security\_group\_ids) | (optional) List of additional security groups IDs to apply to the runner | `list(string)` | `[]` | no | | [runner\_architecture](#input\_runner\_architecture) | The platform architecture of the runner instance\_type. | `string` | `"x64"` | no | -| [runner\_as\_root](#input\_runner\_as\_root) | Run the action runner under the root user. | `bool` | `false` | no | +| [runner\_as\_root](#input\_runner\_as\_root) | Run the action runner under the root user. Variable `runner_run_as` will be ingored. | `bool` | `false` | no | | [runner\_boot\_time\_in\_minutes](#input\_runner\_boot\_time\_in\_minutes) | The minimum time for an EC2 runner to boot and register as a runner. | `number` | `5` | no | | [runner\_ec2\_tags](#input\_runner\_ec2\_tags) | Map of tags that will be added to the launch template instance tag specificatons. | `map(string)` | `{}` | no | | [runner\_extra\_labels](#input\_runner\_extra\_labels) | Extra labels for the runners (GitHub). Separate each label by a comma | `string` | `""` | no | @@ -158,6 +158,7 @@ No modules. | [runner\_iam\_role\_managed\_policy\_arns](#input\_runner\_iam\_role\_managed\_policy\_arns) | Attach AWS or customer-managed IAM policies (by ARN) to the runner IAM role | `list(string)` | `[]` | no | | [runner\_log\_files](#input\_runner\_log\_files) | (optional) List of logfiles to send to CloudWatch, will only be used if `enable_cloudwatch_agent` is set to true. Object description: `log_group_name`: Name of the log group, `prefix_log_group`: If true, the log group name will be prefixed with `/github-self-hosted-runners/
"http_endpoint": "enabled",
"http_put_response_hop_limit": 1,
"http_tokens": "optional"
}
list(object({| `null` | no |
 | [runner\_os](#input\_runner\_os) | The EC2 Operating System type to use for action runner instances (linux,win). | `string` | `"linux"` | no |
+| [runner\_run\_as](#input\_runner\_run\_as) | Run the GitHub actions agent as user. | `string` | `"ec2-user"` | no |
 | [runners\_lambda\_s3\_key](#input\_runners\_lambda\_s3\_key) | S3 key for runners lambda function. Required if using S3 bucket to specify lambdas. | `any` | `null` | no |
 | [runners\_lambda\_s3\_object\_version](#input\_runners\_lambda\_s3\_object\_version) | S3 object version for runners lambda function. Useful if S3 versioning is enabled on source bucket. | `any` | `null` | no |
 | [runners\_maximum\_count](#input\_runners\_maximum\_count) | The maximum number of runners that will be created. | `number` | `3` | no |
diff --git a/modules/runners/runner-config.tf b/modules/runners/runner-config.tf
index 83ec7929cd..591ab90be0 100644
--- a/modules/runners/runner-config.tf
+++ b/modules/runners/runner-config.tf
@@ -1,7 +1,7 @@
 resource "aws_ssm_parameter" "runner_config_run_as" {
 name = "/${var.environment}/runner/run-as"
 type = "String"
- value = var.runner_as_root ? "root" : "ec2-user"
+ value = var.runner_as_root ? "root" : var.runner_run_as
 tags = local.tags
 }
diff --git a/modules/runners/templates/install-runner.sh b/modules/runners/templates/install-runner.sh
index 1a0246eb85..9ca7d4913e 100644
--- a/modules/runners/templates/install-runner.sh
+++ b/modules/runners/templates/install-runner.sh
@@ -12,10 +12,9 @@ fi
 file_name="actions-runner.tar.gz"
 echo "Creating actions-runner directory for the GH Action installtion"
-cd /home/"$user_name"
+cd /opt/
 mkdir actions-runner && cd actions-runner
-
 if [[ -n "$RUNNER_TARBALL_URL" ]]; then
 echo "Downloading the GH Action runner from $RUNNER_TARBALL_URL to $file_name"
 curl -o $file_name -L "$RUNNER_TARBALL_URL"
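Review bot: `cd /opt/` and `mkdir actions-runner && cd actions-runner` are unguarded, so on an image where `/opt/actions-runner` already exists `mkdir` fails, the second `cd` is skipped, and the tarball is downloaded and unpacked into `/opt` itself unless `set -e` is in force, which this hunk does not show. One guarded line covers both failure modes: `mkdir -p /opt/actions-runner && cd /opt/actions-runner || exit 1`. The removed `cd /home/"$user_name"` quoted its variable while `$file_name` on the `curl -o` line is still unquoted; harmless for the fixed value, but worth aligning while here. The script continues outside the hunk.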
diff --git a/modules/runners/templates/start-runner.sh b/modules/runners/templates/start-runner.sh
index 3cedc0862b..2de1b584a4 100644
--- a/modules/runners/templates/start-runner.sh
+++ b/modules/runners/templates/start-runner.sh
@@ -58,6 +58,8 @@ if [[ "$run_as" == "root" ]]; then
 export RUNNER_ALLOW_RUNASROOT=1
 fi
+chown -R $run_as .
+
 echo "Configure GH Runner as user $run_as"
 sudo --preserve-env=RUNNER_ALLOW_RUNASROOT -u "$run_as" -- ./config.sh --unattended --name "$instance_id" --work "_work" $${config}
diff --git a/modules/runners/variables.tf b/modules/runners/variables.tf
index c46e88340a..6e092f48ab 100644
--- a/modules/runners/variables.tf
+++ b/modules/runners/variables.tf
@@ -208,11 +208,17 @@ variable "instance_profile_path" {
 }
 variable "runner_as_root" {
- description = "Run the action runner under the root user."
+ description = "Run the action runner under the root user. Variable `runner_run_as` will be ingored."
 type = bool
 default = false
 }
+variable "runner_run_as" {
+ description = "Run the GitHub actions agent as user."
+ type = string
+ default = "ec2-user"
+}
+
 variable "runners_maximum_count" {
 description = "The maximum number of runners that will be created."
 type = number
diff --git a/variables.tf b/variables.tf
index 2dbb2b80d7..02c200ba7f 100644
--- a/variables.tf
+++ b/variables.tf
@@ -148,11 +148,17 @@ variable "instance_type" {
 }
 variable "runner_as_root" {
- description = "Run the action runner under the root user."
+ description = "Run the action runner under the root user. Variable `runner_run_as` will be ingored."
 type = bool
 default = false
 }
+variable "runner_run_as" {
+ description = "Run the GitHub actions agent as user."
+ type = string
+ default = "ec2-user"
+}
+
 variable "runners_maximum_count" {
 description = "The maximum number of runners that will be created."
 type = number
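Review bot: `chown -R $run_as .` acts on whatever the current directory is, and nothing in this script's hunk changes into the install directory — the example user-data does `cd /opt/actions-runner` before `${start_runner}`, but any caller that omits that, or a post-install step that changes directory, turns this into a recursive chown of an arbitrary tree, in the worst case `/`, to the unprivileged runner user. Anchor it to the install path and quote the variable: `chown -R "$run_as" /opt/actions-runner`, or at least fail fast with `[[ "$PWD" == /opt/actions-runner ]] || exit 1` before it. Giving the runner user ownership of the whole tree also means any job can rewrite the runner binaries and `config.sh`; that is no worse than the old home-directory layout, but deserves a comment such as `# runner user must own the tree for _work/_diag/.credentials; jobs can therefore modify the runner itself`. Where `run_as` is read from SSM is outside the hunk.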
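Review bot: `runner_run_as` is an unconstrained string that is written to the SSM parameter and then used in `sudo -u "$run_as"` and `chown -R $run_as .` in start-runner.sh, and setting it to `"root"` with `runner_as_root = false` still writes `root` to SSM, where start-runner's `[[ "$run_as" == "root" ]]` branch enables `RUNNER_ALLOW_RUNASROOT` — so the boolean is no longer the only gate to a root runner. A `validation` block (Terraform 0.13+; the module's `required_version` is not visible here) that rejects `root` and restricts the value to a plain user name closes that path and catches typos at plan time instead of at first boot. The description should also state that the user must exist on the AMI or be created by the userdata template, and `ingored` in the `runner_as_root` description should read `ignored`.

```hcl
variable "runner_run_as" {
  description = "Linux user the GitHub Actions agent is configured and started as. Must exist on the AMI or be created by the userdata template. Ignored when runner_as_root is true."
  type        = string
  default     = "ec2-user"

  validation {
    condition     = var.runner_run_as != "root" && can(regex("^[a-z_][a-z0-9_-]*$", var.runner_run_as))
    error_message = "runner_run_as must be a plain Linux user name other than root; set runner_as_root = true to run as root."
  }
}
```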
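Review bot: The new `runner_run_as` description, `Run the GitHub actions agent as user.`, does not tell the caller that the value is only used when `runner_as_root` is false, that the user must already exist on the image (the module `chown`s the runner directory to it and runs `config.sh` via `sudo -u`), or what the `ec2-user` default assumes about the AMI; the `runner_as_root` description also carries the typo `ingored`. I would make them `Linux user the GitHub Actions agent runs as; must exist on the AMI or be created by userdata. Ignored when runner_as_root is true.` and `Run the action runner under the root user. Variable runner_run_as will be ignored.` — these strings are what the generated README tables in this change reproduce.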
log_group_name = string
prefix_log_group = bool
file_path = string
log_stream_name = string
}))