From 57ab88a1cbb52080226290c941584887af48cfa6 Mon Sep 17 00:00:00 2001
From: hukirala <31215997+krlydm@users.noreply.github.com>
Date: Thu, 10 Feb 2022 13:23:44 +0100
Subject: [PATCH 1/4] Implement optional disable for the managed security group creation.
---
 modules/runners/README.md | 1 +
 modules/runners/main.tf | 1 +
 modules/runners/variables.tf | 6 ++++++
 3 files changed, 8 insertions(+)
diff --git a/modules/runners/README.md b/modules/runners/README.md
index 83bb8d2b91..27697a2714 100644
--- a/modules/runners/README.md
+++ b/modules/runners/README.md
@@ -122,6 +122,7 @@ yarn run dist
 | [egress\_rules](#input\_egress\_rules) | List of egress rules for the GitHub runner instances. |
list(object({|
cidr_blocks = list(string)
ipv6_cidr_blocks = list(string)
prefix_list_ids = list(string)
from_port = number
protocol = string
security_groups = list(string)
self = bool
to_port = number
description = string
}))
[| no |
 | [enable\_cloudwatch\_agent](#input\_enable\_cloudwatch\_agent) | Enabling the cloudwatch agent on the ec2 runner instances, the runner contains default config. Configuration can be overridden via `cloudwatch_config`. | `bool` | `true` | no |
 | [enable\_ephemeral\_runners](#input\_enable\_ephemeral\_runners) | Enable ephemeral runners, runners will only be used once. | `bool` | `false` | no |
+| [enable\_managed\_runner\_security\_group](#inputenable\_managed\_runner\_security\_group) | Enabling the default managed security group creation. Unmanaged security groups can be specified via `runner_additional_security_group_ids`. | `bool` | `true` | no |
 | [enable\_organization\_runners](#input\_enable\_organization\_runners) | n/a | `bool` | n/a | yes |
 | [enable\_ssm\_on\_runners](#input\_enable\_ssm\_on\_runners) | Enable to allow access to the runner instances for debugging purposes via SSM. Note that this adds additional permissions to the runner instances. | `bool` | n/a | yes |
 | [enabled\_userdata](#input\_enabled\_userdata) | Should the userdata script be enabled for the runner. Set this to false if you are using your own prebuilt AMI | `bool` | `true` | no |
diff --git a/modules/runners/main.tf b/modules/runners/main.tf
index a5a61863b5..2fd22700e9 100644
--- a/modules/runners/main.tf
+++ b/modules/runners/main.tf
@@ -136,6 +136,7 @@ resource "aws_launch_template" "runner" {
 }
 resource "aws_security_group" "runner_sg" {
+ count = var.enable_managed_runner_security_group ? 1 : 0
 name_prefix = "${var.environment}-github-actions-runner-sg"
 description = "Github Actions Runner security group"
diff --git a/modules/runners/variables.tf b/modules/runners/variables.tf
index 8072f521f5..b62fbb3e7e 100644
--- a/modules/runners/variables.tf
+++ b/modules/runners/variables.tf 
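Review bot: Adding `count` to `aws_security_group.runner_sg` changes its resource address from `aws_security_group.runner_sg` to `aws_security_group.runner_sg[0]`, so existing deployments that keep the default `true` will plan a destroy-and-recreate of the runner security group (and, via the launch template reference fixed in patch 3/4, a new launch template version) unless the state is migrated. A `moved { from = aws_security_group.runner_sg  to = aws_security_group.runner_sg[0] }` block next to the resource avoids that if the module's required Terraform version is at least 1.1; otherwise the `terraform state mv` step should be documented in the changelog. Any other resource in the module that references `aws_security_group.runner_sg` without an index would need the same `[0]` treatment as the launch template fix in patch 3/4 — only the launch template reference is visible from here. The `aws_security_group.runner_sg` block continues past the end of the hunk.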
@@ -318,6 +318,12 @@ variable "enable_cloudwatch_agent" {
 default = true
 }
+variable "enable_managed_runner_security_group" {
+ description = "Enabling the default managed security group creation. Unmanaged security groups can be specified via `runner_additional_security_group_ids`."
+ type = bool
+ default = true
+}
+
 variable "cloudwatch_config" {
 description = "(optional) Replaces the module default cloudwatch log config. See https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Agent-Configuration-File-Details.html for details."
 type = string
From 825efb2c64ea5844fc7ad1ebd6a3e1247747840e Mon Sep 17 00:00:00 2001
From: hukirala <31215997+krlydm@users.noreply.github.com>
Date: Thu, 10 Feb 2022 13:28:35 +0100
Subject: [PATCH 2/4] Create security group disablement variable.
---
 README.md | 1 +
 main.tf | 1 +
 variables.tf | 6 ++++++
 3 files changed, 8 insertions(+)
diff --git a/README.md b/README.md
index fac0d22548..9f7225cfb1 100644
--- a/README.md
+++ b/README.md 
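Review bot: The description of `enable_managed_runner_security_group` does not say what happens when it is set to false: the module then attaches only `runner_additional_security_group_ids` to the runners and, presumably, the module's `egress_rules` are no longer applied because they belong to the managed group. I would reword it as `description = "Enables creation of the module-managed runner security group. Set to false to create no security group in this module; the runners then use only the groups listed in runner_additional_security_group_ids, which must contain at least one group, and the module's egress_rules are not applied."`, with the egress part confirmed against the rules attached to `runner_sg`. The same description is duplicated in the root `variables.tf` hunk of patch 2/4 and in both README rows; regenerating the README rows with terraform-docs would also repair the anchor `#inputenable\_managed\_runner\_security\_group`, which lacks the `\_` the neighbouring rows have.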
@@ -402,6 +402,7 @@ In case the setup does not work as intended follow the trace of events:
 | [delay\_webhook\_event](#input\_delay\_webhook\_event) | The number of seconds the event accepted by the webhook is invisible on the queue before the scale up lambda will receive the event. | `number` | `30` | no |
 | [enable\_cloudwatch\_agent](#input\_enable\_cloudwatch\_agent) | Enabling the cloudwatch agent on the ec2 runner instances, the runner contains default config. Configuration can be overridden via `cloudwatch_config`. | `bool` | `true` | no |
 | [enable\_ephemeral\_runners](#input\_enable\_ephemeral\_runners) | Enable ephemeral runners, runners will only be used once. | `bool` | `false` | no |
+| [enable\_managed\_runner\_security\_group](#inputenable\_managed\_runner\_security\_group) | Enabling the default managed security group creation. Unmanaged security groups can be specified via `runner_additional_security_group_ids`. | `bool` | `true` | no |
 | [enable\_organization\_runners](#input\_enable\_organization\_runners) | Register runners to organization, instead of repo level | `bool` | `false` | no |
 | [enable\_ssm\_on\_runners](#input\_enable\_ssm\_on\_runners) | Enable to allow access the runner instances for debugging purposes via SSM. Note that this adds additional permissions to the runner instances. | `bool` | `false` | no |
 | [enabled\_userdata](#input\_enabled\_userdata) | Should the userdata script be enabled for the runner. Set this to false if you are using your own prebuilt AMI | `bool` | `true` | no |
diff --git a/main.tf b/main.tf
index 292671811c..c71d73aa79 100644
--- a/main.tf
+++ b/main.tf 
@@ -107,6 +107,7 @@ module "runners" {
 github_app_parameters = local.github_app_parameters
 enable_organization_runners = var.enable_organization_runners
 enable_ephemeral_runners = var.enable_ephemeral_runners
+ enable_managed_runner_security_group = var.enable_managed_runner_security_group
 scale_down_schedule_expression = var.scale_down_schedule_expression
 minimum_running_time_in_minutes = var.minimum_running_time_in_minutes
 runner_boot_time_in_minutes = var.runner_boot_time_in_minutes
diff --git a/variables.tf b/variables.tf
index a104cc9851..a6b61447f1 100644
--- a/variables.tf
+++ b/variables.tf
@@ -501,6 +501,12 @@ variable "enable_ephemeral_runners" {
 default = false
 }
+variable "enable_managed_runner_security_group" {
+ description = "Enabling the default managed security group creation. Unmanaged security groups can be specified via `runner_additional_security_group_ids`."
+ type = bool
+ default = true
+}
+
 variable "runner_os" {
 description = "The Operating System to use for GitHub Actions Runners (linux,win)"
 type = string
From bac9b57d85bd12ba0cfe6bfe4ebbbf402e1ce817 Mon Sep 17 00:00:00 2001
From: hukirala <31215997+krlydm@users.noreply.github.com>
Date: Fri, 11 Feb 2022 13:37:20 +0100
Subject: [PATCH 3/4] Fix launch template creation issue.
---
 modules/runners/main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/runners/main.tf b/modules/runners/main.tf
index 2fd22700e9..e3e32f9c58 100644
--- a/modules/runners/main.tf
+++ b/modules/runners/main.tf
@@ -88,7 +88,7 @@ resource "aws_launch_template" "runner" {
 key_name = var.key_name
 vpc_security_group_ids = compact(concat(
- [aws_security_group.runner_sg.id],
+ var.enable_managed_runner_security_group ? [aws_security_group.runner_sg[0].id] : [],
 var.runner_additional_security_group_ids,
 ))
From 8c88b24409bd86bb383cfff172070aba7fe2c766 Mon Sep 17 00:00:00 2001 
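Review bot: With `enable_managed_runner_security_group = false` and `runner_additional_security_group_ids` left empty, the new `vpc_security_group_ids` expression in the patch 3/4 hunk evaluates to an empty list, and EC2 then launches the runners with the VPC's default security group — a silent fallback to rules this module does not control, which is the opposite of what a user disabling the managed group expects. The combination should be rejected at plan time; a variable `validation` block cannot reference a second variable, so a `precondition` on the launch template (merged into its existing `lifecycle` block if it has one) is the natural place, provided the module's required Terraform version is at least 1.2; otherwise a `count`-based assertion or at least a sentence in the variable description would do. `aws_launch_template.runner` starts and ends outside the hunk.
```hcl
  # … unchanged: existing launch template arguments …

  lifecycle {
    precondition {
      condition     = var.enable_managed_runner_security_group || length(var.runner_additional_security_group_ids) > 0
      error_message = "runner_additional_security_group_ids must contain at least one security group when enable_managed_runner_security_group is false."
    }
  }
```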
From: hukirala <31215997+krlydm@users.noreply.github.com>
Date: Fri, 11 Feb 2022 15:26:12 +0100
Subject: [PATCH 4/4] Fix formatting error.
---
 modules/runners/main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/runners/main.tf b/modules/runners/main.tf
index e3e32f9c58..60826522b6 100644
--- a/modules/runners/main.tf
+++ b/modules/runners/main.tf
@@ -136,7 +136,7 @@ resource "aws_launch_template" "runner" {
 }
 resource "aws_security_group" "runner_sg" {
- count = var.enable_managed_runner_security_group ? 1 : 0
+ count = var.enable_managed_runner_security_group ? 1 : 0
 name_prefix = "${var.environment}-github-actions-runner-sg"
 description = "Github Actions Runner security group"
{
"cidr_blocks": [
"0.0.0.0/0"
],
"description": null,
"from_port": 0,
"ipv6_cidr_blocks": [
"::/0"
],
"prefix_list_ids": null,
"protocol": "-1",
"security_groups": null,
"self": null,
"to_port": 0
}
]