From f7edfd09da506fad14d42f35fa2fc406132b6615 Mon Sep 17 00:00:00 2001
From: Niek Palm
Date: Thu, 24 Feb 2022 17:25:47 +0100
Subject: [PATCH 1/8] feat: Add option to disable auto update

---
 .../runners/lambdas/runners/src/scale-runners/scale-up.ts | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/modules/runners/lambdas/runners/src/scale-runners/scale-up.ts b/modules/runners/lambdas/runners/src/scale-runners/scale-up.ts
index 8e6106e47f..cb49c4ab70 100644
--- a/modules/runners/lambdas/runners/src/scale-runners/scale-up.ts
+++ b/modules/runners/lambdas/runners/src/scale-runners/scale-up.ts
@@ -23,6 +23,7 @@ interface CreateGitHubRunnerConfig {
   runnerGroup: string | undefined;
   runnerOwner: string;
   runnerType: 'Org' | 'Repo';
+  disableUpdate: boolean;
 }
 
 interface CreateEC2RunnerConfig {
@@ -40,7 +41,8 @@ function generateRunnerServiceConfig(githubRunnerConfig: CreateGitHubRunnerConfi
     githubRunnerConfig.runnerGroup !== undefined ? `--runnergroup ${githubRunnerConfig.runnerGroup} ` : '';
   const configBaseUrl = githubRunnerConfig.ghesBaseUrl ? githubRunnerConfig.ghesBaseUrl : 'https://github.com';
   const ephemeralArgument = githubRunnerConfig.ephemeral ? '--ephemeral ' : '';
-  const runnerArgs = `--token ${token} ${labelsArgument}${ephemeralArgument}`;
+  const disableUpdateArgument = githubRunnerConfig.disableUpdate ? '--disableupdate ' : '';
+  const runnerArgs = `--token ${token} ${labelsArgument}${ephemeralArgument}${disableUpdateArgument}`;
   return githubRunnerConfig.runnerType === 'Org'
     ? `--url ${configBaseUrl}/${githubRunnerConfig.runnerOwner} ${runnerArgs}${runnerGroupArgument}`.trim()
     : `--url ${configBaseUrl}/${githubRunnerConfig.runnerOwner} ${runnerArgs}`.trim();
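Review bot: Declaring `disableUpdate` as a required property of `CreateGitHubRunnerConfig` breaks the existing `createRunners` call in pool.ts, which this commit does not touch; that caller is only updated in PATCH 2/8, so this commit does not type-check on its own. Either make the property optional here, `disableUpdate?: boolean;` (the truthiness check in the next hunk already treats `undefined` as false), or move the pool.ts change into this commit. The interface's opening line is outside the hunk.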
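Review bot: `disableUpdateArgument` is added without a comment on what the operator opts into: with `--disableupdate` the agent stays on the binary the instance was provisioned with, and the GitHub article linked in the later Terraform description mentions a 30-day grace period after which outdated agents are no longer accepted. A one-line comment above the new constant would help, e.g. `// --disableupdate pins the agent to the version baked into the instance; whatever distributes runner binaries must then keep that version current.` I assume that distribution is the runner-binaries-syncer module from the repository layout, so adjust the wording if it is not. generateRunnerServiceConfig's signature is outside the hunk.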
@@ -141,6 +143,7 @@ export async function scaleUp(eventSource: string, payload: ActionRequestMessage
   const instanceTypes = process.env.INSTANCE_TYPES.split(',');
   const instanceTargetTargetCapacityType = process.env.INSTANCE_TARGET_CAPACITY_TYPE;
   const ephemeralEnabled = yn(process.env.ENABLE_EPHEMERAL_RUNNERS, { default: false });
+  const disableUpdate = yn(process.env.DISABLE_UPDATE_RUNNERS, { default: false });
   const launchTemplateName = process.env.LAUNCH_TEMPLATE_NAME;
   const instanceMaxSpotPrice = process.env.INSTANCE_MAX_SPOT_PRICE;
   const instanceAllocationStrategy = process.env.INSTANCE_ALLOCATION_STRATEGY || 'lowest-price'; // same as AWS default
@@ -195,6 +198,7 @@ export async function scaleUp(eventSource: string, payload: ActionRequestMessage
           runnerGroup,
           runnerOwner,
           runnerType,
+          disableUpdate,
         },
         {
           ec2instanceCriteria: {

From 050edbf9c3f9b33505542507ccc7186f2b1fa10f Mon Sep 17 00:00:00 2001
From: Niek Palm
Date: Fri, 25 Feb 2022 10:52:58 +0100
Subject: [PATCH 2/8] Add junit test

---
 modules/runners/lambdas/runners/src/pool/pool.ts       | 2 +-
 .../lambdas/runners/src/scale-runners/scale-up.test.ts | 7 +++++++
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/modules/runners/lambdas/runners/src/pool/pool.ts b/modules/runners/lambdas/runners/src/pool/pool.ts
index eea185ef5d..b38f0a4647 100644
--- a/modules/runners/lambdas/runners/src/pool/pool.ts
+++ b/modules/runners/lambdas/runners/src/pool/pool.ts
@@ -60,7 +60,7 @@ export async function adjust(event: PoolEvent): Promise {
   if (topUp > 0) {
     logger.info(`The pool will be topped up with ${topUp} runners.`);
     await createRunners(
-      { ephemeral, ghesBaseUrl, runnerExtraLabels, runnerGroup, runnerOwner, runnerType: 'Org' },
+      { ephemeral, ghesBaseUrl, runnerExtraLabels, runnerGroup, runnerOwner, runnerType: 'Org', disableUpdate: false },
       {
         ec2instanceCriteria: {
           instanceTypes,
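Review bot: The pool path hard-codes `disableUpdate: false`, so pooled runners keep auto-updating even when the scale-up lambda has updates disabled; the two runner populations then drift to different agent versions and the Terraform variable silently does not apply to the pool. Read the same setting here, `const disableUpdate = yn(process.env.DISABLE_UPDATE_RUNNERS, { default: false });`, and pass `disableUpdate` through in the literal. PATCH 7/8 does this later in the series under the renamed DISABLE_RUNNER_AUTOUPDATE, which presumably is what its pool.tf changes wire up, but landing the test commit with a stub value makes the feature look complete when it is not. adjust's body continues outside the hunk.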
diff --git a/modules/runners/lambdas/runners/src/scale-runners/scale-up.test.ts b/modules/runners/lambdas/runners/src/scale-runners/scale-up.test.ts
index 00158b9bf4..2433fba778 100644
--- a/modules/runners/lambdas/runners/src/scale-runners/scale-up.test.ts
+++ b/modules/runners/lambdas/runners/src/scale-runners/scale-up.test.ts
@@ -528,6 +528,13 @@ describe('scaleUp with public GH', () => {
       expect(createRunner).toBeCalledWith(expectedRunnerParams);
     });
 
+    it('disable auto update on the runner.', async () => {
+      process.env.DISABLE_UPDATE_RUNNERS = 'true';
+      await scaleUpModule.scaleUp('aws:sqs', TEST_DATA);
+      expectedRunnerParams.runnerServiceConfig = expectedRunnerParams.runnerServiceConfig + ` --disableupdate`;
+      expect(createRunner).toBeCalledWith(expectedRunnerParams);
+    });
+
     it('Scaling error should cause reject so retry can be triggered.', async () => {
       process.env.RUNNERS_MAXIMUM_COUNT = '1';
       process.env.ENABLE_EPHEMERAL_RUNNERS = 'true';

From 8d694d8d3fe767193f72a0d9bb743acf598948e2 Mon Sep 17 00:00:00 2001
From: Niek Palm
Date: Fri, 25 Feb 2022 11:01:17 +0100
Subject: [PATCH 3/8] Add disable_update_runners to Terraform

---
 README.md                                |  5 +++--
 examples/default/main.tf                 |  8 ++++----
 main.tf                                  |  1 +
 modules/runner-binaries-syncer/README.md |  2 +-
 modules/runners/README.md                |  5 +++--
 modules/runners/scale-up.tf              | 11 ++++++-----
 modules/runners/variables.tf             |  6 ++++++
 variables.tf                             |  6 ++++++
 8 files changed, 30 insertions(+), 14 deletions(-)

diff --git a/README.md b/README.md
index a6950239fb..b7600fd2b8 100644
--- a/README.md
+++ b/README.md
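Review bot: The new test sets `process.env.DISABLE_UPDATE_RUNNERS = 'true'` and never clears it, so unless a `beforeEach` outside this hunk restores `process.env`, the flag leaks into every later test and their `expectedRunnerParams.runnerServiceConfig` would no longer match. The neighbouring test sets `ENABLE_EPHEMERAL_RUNNERS` the same way, which suggests such a reset exists, but it is worth confirming rather than assuming. The test also pins `--disableupdate` as the last token of the service config, so any later reordering in generateRunnerServiceConfig will fail it for a cosmetic reason; matching on `expect.stringContaining('--disableupdate')` would be less brittle. The `describe` block starts outside the hunk.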
@@ -400,9 +400,10 @@ In case the setup does not work as intended follow the trace of events: | [cloudwatch\_config](#input\_cloudwatch\_config) | (optional) Replaces the module default cloudwatch log config. See https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Agent-Configuration-File-Details.html for details. | `string` | `null` | no | | [create\_service\_linked\_role\_spot](#input\_create\_service\_linked\_role\_spot) | (optional) create the serviced linked role for spot instances that is required by the scale-up lambda. | `bool` | `false` | no | | [delay\_webhook\_event](#input\_delay\_webhook\_event) | The number of seconds the event accepted by the webhook is invisible on the queue before the scale up lambda will receive the event. | `number` | `30` | no | +| [disable\_update\_runners](#input\_disable\_update\_runners) | Disable the auto update of the github runner agent. Be-aware there is a grace period of 30 days, see also the [GitHub article](https://github.blog/changelog/2022-02-01-github-actions-self-hosted-runners-can-now-disable-automatic-updates/) | `bool` | `true` | no | | [enable\_cloudwatch\_agent](#input\_enable\_cloudwatch\_agent) | Enabling the cloudwatch agent on the ec2 runner instances, the runner contains default config. Configuration can be overridden via `cloudwatch_config`. | `bool` | `true` | no | | [enable\_ephemeral\_runners](#input\_enable\_ephemeral\_runners) | Enable ephemeral runners, runners will only be used once. | `bool` | `false` | no | -| [enable\_managed\_runner\_security\_group](#inputenable\_managed\_runner\_security\_group) | Enabling the default managed security group creation. Unmanaged security groups can be specified via `runner_additional_security_group_ids`. | `bool` | `true` | no | +| [enable\_managed\_runner\_security\_group](#input\_enable\_managed\_runner\_security\_group) | Enabling the default managed security group creation. 
Unmanaged security groups can be specified via `runner_additional_security_group_ids`. | `bool` | `true` | no | | [enable\_organization\_runners](#input\_enable\_organization\_runners) | Register runners to organization, instead of repo level | `bool` | `false` | no | | [enable\_ssm\_on\_runners](#input\_enable\_ssm\_on\_runners) | Enable to allow access the runner instances for debugging purposes via SSM. Note that this adds additional permissions to the runner instances. | `bool` | `false` | no | | [enabled\_userdata](#input\_enabled\_userdata) | Should the userdata script be enabled for the runner. Set this to false if you are using your own prebuilt AMI | `bool` | `true` | no | @@ -454,7 +455,7 @@ In case the setup does not work as intended follow the trace of events: | [runner\_iam\_role\_managed\_policy\_arns](#input\_runner\_iam\_role\_managed\_policy\_arns) | Attach AWS or customer-managed IAM policies (by ARN) to the runner IAM role | `list(string)` | `[]` | no | | [runner\_log\_files](#input\_runner\_log\_files) | (optional) Replaces the module default cloudwatch log config. See https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Agent-Configuration-File-Details.html for details. |
list(object({
log_group_name = string
prefix_log_group = bool
file_path = string
log_stream_name = string
}))
| `null` | no | | [runner\_metadata\_options](#input\_runner\_metadata\_options) | Metadata options for the ec2 runner instances. | `map(any)` |
{
"http_endpoint": "enabled",
"http_put_response_hop_limit": 1,
"http_tokens": "optional"
}
| no | -| [runner\_os](#input\_runner\_os) | The Operating System to use for GitHub Actions Runners (linux,win) | `string` | `"linux"` | no | +| [runner\_os](#input\_runner\_os) | The EC2 Operating System type to use for action runner instances (linux,windows). | `string` | `"linux"` | no | | [runner\_run\_as](#input\_runner\_run\_as) | Run the GitHub actions agent as user. | `string` | `"ec2-user"` | no | | [runners\_lambda\_s3\_key](#input\_runners\_lambda\_s3\_key) | S3 key for runners lambda function. Required if using S3 bucket to specify lambdas. | `any` | `null` | no | | [runners\_lambda\_s3\_object\_version](#input\_runners\_lambda\_s3\_object\_version) | S3 object version for runners lambda function. Useful if S3 versioning is enabled on source bucket. | `any` | `null` | no | diff --git a/examples/default/main.tf b/examples/default/main.tf index 68d8903049..0f6acbc837 100644 --- a/examples/default/main.tf +++ b/examples/default/main.tf @@ -31,11 +31,11 @@ module "runners" { } # Grab zip files via lambda_download - webhook_lambda_zip = "lambdas-download/webhook.zip" - runner_binaries_syncer_lambda_zip = "lambdas-download/runner-binaries-syncer.zip" - runners_lambda_zip = "lambdas-download/runners.zip" + # webhook_lambda_zip = "lambdas-download/webhook.zip" + # runner_binaries_syncer_lambda_zip = "lambdas-download/runner-binaries-syncer.zip" + # runners_lambda_zip = "lambdas-download/runners.zip" - enable_organization_runners = false + enable_organization_runners = true runner_extra_labels = "default,example" # enable access to the runners via SSM diff --git a/main.tf b/main.tf index c71d73aa79..e518b8a403 100644 --- a/main.tf +++ b/main.tf 
@@ -107,6 +107,7 @@ module "runners" { github_app_parameters = local.github_app_parameters enable_organization_runners = var.enable_organization_runners enable_ephemeral_runners = var.enable_ephemeral_runners + disable_update_runners = var.disable_update_runners enable_managed_runner_security_group = var.enable_managed_runner_security_group scale_down_schedule_expression = var.scale_down_schedule_expression minimum_running_time_in_minutes = var.minimum_running_time_in_minutes diff --git a/modules/runner-binaries-syncer/README.md b/modules/runner-binaries-syncer/README.md index de7e67aa49..f67060d82e 100644 --- a/modules/runner-binaries-syncer/README.md +++ b/modules/runner-binaries-syncer/README.md 
@@ -92,7 +92,7 @@ No modules. | [role\_permissions\_boundary](#input\_role\_permissions\_boundary) | Permissions boundary that will be added to the created role for the lambda. | `string` | `null` | no | | [runner\_allow\_prerelease\_binaries](#input\_runner\_allow\_prerelease\_binaries) | Allow the runners to update to prerelease binaries. | `bool` | `false` | no | | [runner\_architecture](#input\_runner\_architecture) | The platform architecture of the runner instance\_type. | `string` | `"x64"` | no | -| [runner\_os](#input\_runner\_os) | The operating system for the runner instance (linux, win), defaults to 'linux' | `string` | `"linux"` | no | +| [runner\_os](#input\_runner\_os) | The EC2 Operating System type to use for action runner instances (linux,windows). | `string` | `"linux"` | no | | [server\_side\_encryption\_configuration](#input\_server\_side\_encryption\_configuration) | Map containing server-side encryption configuration. | `any` | `{}` | no | | [syncer\_lambda\_s3\_key](#input\_syncer\_lambda\_s3\_key) | S3 key for syncer lambda function. Required if using S3 bucket to specify lambdas. | `any` | `null` | no | | [syncer\_lambda\_s3\_object\_version](#input\_syncer\_lambda\_s3\_object\_version) | S3 object version for syncer lambda function. Useful if S3 versioning is enabled on source bucket. | `any` | `null` | no | diff --git a/modules/runners/README.md b/modules/runners/README.md index 9150f51c6d..9bf6ac2162 100644 --- a/modules/runners/README.md +++ b/modules/runners/README.md 
@@ -119,10 +119,11 @@ yarn run dist | [block\_device\_mappings](#input\_block\_device\_mappings) | The EC2 instance block device configuration. Takes the following keys: `device_name`, `delete_on_termination`, `volume_type`, `volume_size`, `encrypted`, `iops` | `map(string)` | `{}` | no | | [cloudwatch\_config](#input\_cloudwatch\_config) | (optional) Replaces the module default cloudwatch log config. See https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Agent-Configuration-File-Details.html for details. | `string` | `null` | no | | [create\_service\_linked\_role\_spot](#input\_create\_service\_linked\_role\_spot) | (optional) create the service linked role for spot instances that is required by the scale-up lambda. | `bool` | `false` | no | +| [disable\_update\_runners](#input\_disable\_update\_runners) | Disable the auto update of the github runner agent. Be-aware there is a grace period of 30 days, see also the [GitHub article](https://github.blog/changelog/2022-02-01-github-actions-self-hosted-runners-can-now-disable-automatic-updates/) | `bool` | `true` | no | | [egress\_rules](#input\_egress\_rules) | List of egress rules for the GitHub runner instances. |
list(object({
cidr_blocks = list(string)
ipv6_cidr_blocks = list(string)
prefix_list_ids = list(string)
from_port = number
protocol = string
security_groups = list(string)
self = bool
to_port = number
description = string
}))
|
[
{
"cidr_blocks": [
"0.0.0.0/0"
],
"description": null,
"from_port": 0,
"ipv6_cidr_blocks": [
"::/0"
],
"prefix_list_ids": null,
"protocol": "-1",
"security_groups": null,
"self": null,
"to_port": 0
}
]
| no | | [enable\_cloudwatch\_agent](#input\_enable\_cloudwatch\_agent) | Enabling the cloudwatch agent on the ec2 runner instances, the runner contains default config. Configuration can be overridden via `cloudwatch_config`. | `bool` | `true` | no | | [enable\_ephemeral\_runners](#input\_enable\_ephemeral\_runners) | Enable ephemeral runners, runners will only be used once. | `bool` | `false` | no | -| [enable\_managed\_runner\_security\_group](#inputenable\_managed\_runner\_security\_group) | Enabling the default managed security group creation. Unmanaged security groups can be specified via `runner_additional_security_group_ids`. | `bool` | `true` | no | +| [enable\_managed\_runner\_security\_group](#input\_enable\_managed\_runner\_security\_group) | Enabling the default managed security group creation. Unmanaged security groups can be specified via `runner_additional_security_group_ids`. | `bool` | `true` | no | | [enable\_organization\_runners](#input\_enable\_organization\_runners) | n/a | `bool` | n/a | yes | | [enable\_ssm\_on\_runners](#input\_enable\_ssm\_on\_runners) | Enable to allow access to the runner instances for debugging purposes via SSM. Note that this adds additional permissions to the runner instances. | `bool` | n/a | yes | | [enabled\_userdata](#input\_enabled\_userdata) | Should the userdata script be enabled for the runner. Set this to false if you are using your own prebuilt AMI | `bool` | `true` | no | 
@@ -167,7 +168,7 @@ yarn run dist | [runner\_group\_name](#input\_runner\_group\_name) | Name of the runner group. | `string` | `"Default"` | no | | [runner\_iam\_role\_managed\_policy\_arns](#input\_runner\_iam\_role\_managed\_policy\_arns) | Attach AWS or customer-managed IAM policies (by ARN) to the runner IAM role | `list(string)` | `[]` | no | | [runner\_log\_files](#input\_runner\_log\_files) | (optional) List of logfiles to send to CloudWatch, will only be used if `enable_cloudwatch_agent` is set to true. Object description: `log_group_name`: Name of the log group, `prefix_log_group`: If true, the log group name will be prefixed with `/github-self-hosted-runners/`, `file_path`: path to the log file, `log_stream_name`: name of the log stream. |
list(object({
log_group_name = string
prefix_log_group = bool
file_path = string
log_stream_name = string
}))
| `null` | no | -| [runner\_os](#input\_runner\_os) | The EC2 Operating System type to use for action runner instances (linux,win). | `string` | `"linux"` | no | +| [runner\_os](#input\_runner\_os) | The EC2 Operating System type to use for action runner instances (linux,windows). | `string` | `"linux"` | no | | [runner\_run\_as](#input\_runner\_run\_as) | Run the GitHub actions agent as user. | `string` | `"ec2-user"` | no | | [runners\_lambda\_s3\_key](#input\_runners\_lambda\_s3\_key) | S3 key for runners lambda function. Required if using S3 bucket to specify lambdas. | `any` | `null` | no | | [runners\_lambda\_s3\_object\_version](#input\_runners\_lambda\_s3\_object\_version) | S3 object version for runners lambda function. Useful if S3 versioning is enabled on source bucket. | `any` | `null` | no | diff --git a/modules/runners/scale-up.tf b/modules/runners/scale-up.tf index 632439520e..48c771cbb2 100644 --- a/modules/runners/scale-up.tf +++ b/modules/runners/scale-up.tf @@ -15,9 +15,15 @@ resource "aws_lambda_function" "scale_up" { environment { variables = { + DISABLE_UPDATE_RUNNERS = var.disable_update_runners + ENABLE_EPHEMERAL_RUNNERS = var.enable_ephemeral_runners ENABLE_ORGANIZATION_RUNNERS = var.enable_organization_runners ENVIRONMENT = var.environment GHES_URL = var.ghes_url + INSTANCE_ALLOCATION_STRATEGY = var.instance_allocation_strategy + INSTANCE_MAX_SPOT_PRICE = var.instance_max_spot_price + INSTANCE_TARGET_CAPACITY_TYPE = var.instance_target_capacity_type + INSTANCE_TYPES = join(",", var.instance_types) LAUNCH_TEMPLATE_NAME = aws_launch_template.runner.name LOG_LEVEL = var.log_level LOG_TYPE = var.log_type 
@@ -28,11 +34,6 @@ resource "aws_lambda_function" "scale_up" { RUNNER_GROUP_NAME = var.runner_group_name RUNNERS_MAXIMUM_COUNT = var.runners_maximum_count SUBNET_IDS = join(",", var.subnet_ids) - ENABLE_EPHEMERAL_RUNNERS = var.enable_ephemeral_runners - INSTANCE_TYPES = join(",", var.instance_types) - INSTANCE_TARGET_CAPACITY_TYPE = var.instance_target_capacity_type - INSTANCE_MAX_SPOT_PRICE = var.instance_max_spot_price - INSTANCE_ALLOCATION_STRATEGY = var.instance_allocation_strategy } } diff --git a/modules/runners/variables.tf b/modules/runners/variables.tf index 1a4802a44d..204c151595 100644 --- a/modules/runners/variables.tf +++ b/modules/runners/variables.tf @@ -495,3 +495,9 @@ variable "pool_config" { })) default = [] } + +variable "disable_update_runners" { + description = "Disable the auto update of the github runner agent. Be-aware there is a grace period of 30 days, see also the [GitHub article](https://github.blog/changelog/2022-02-01-github-actions-self-hosted-runners-can-now-disable-automatic-updates/)" + type = bool + default = true +} diff --git a/variables.tf b/variables.tf index a6e635fe08..f54d813a5b 100644 --- a/variables.tf +++ b/variables.tf @@ -585,3 +585,9 @@ variable "pool_config" { })) default = [] } + +variable "disable_update_runners" { + description = "Disable the auto update of the github runner agent. Be-aware there is a grace period of 30 days, see also the [GitHub article](https://github.blog/changelog/2022-02-01-github-actions-self-hosted-runners-can-now-disable-automatic-updates/)" + type = bool + default = true +} From 53d50c00a2901bfac1e68b7ffab1bb92bff6ef40 Mon Sep 17 00:00:00 2001 From: Niek Palm Date: Fri, 25 Feb 2022 11:02:00 +0100 Subject: [PATCH 4/8] Add disable_update_runners to Terraform --- examples/default/main.tf | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/examples/default/main.tf b/examples/default/main.tf index 0f6acbc837..68d8903049 100644 --- a/examples/default/main.tf 
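Review bot: Both new `disable_update_runners` variables ship with `default = true`, which flips behaviour for every existing deployment on upgrade: agents stop receiving updates silently, and per the linked GitHub article outdated agents are refused once the grace period ends. A new feature flag should default to the current behaviour, `default = false`. PATCH 5/8 makes that change for the root `variables.tf` and README.md only, and in PATCH 6/8 `modules/runners/variables.tf` still shows `default = true`, so the module and root defaults disagree; apply `default = false` in the module as well and regenerate modules/runners/README.md. While touching the descriptions, `Be-aware` should read `Be aware`.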
+++ b/examples/default/main.tf @@ -31,11 +31,11 @@ module "runners" { } # Grab zip files via lambda_download - # webhook_lambda_zip = "lambdas-download/webhook.zip" - # runner_binaries_syncer_lambda_zip = "lambdas-download/runner-binaries-syncer.zip" - # runners_lambda_zip = "lambdas-download/runners.zip" + webhook_lambda_zip = "lambdas-download/webhook.zip" + runner_binaries_syncer_lambda_zip = "lambdas-download/runner-binaries-syncer.zip" + runners_lambda_zip = "lambdas-download/runners.zip" - enable_organization_runners = true + enable_organization_runners = false runner_extra_labels = "default,example" # enable access to the runners via SSM From 901229aacdc62a7702b6ee173be404649b3ed8d5 Mon Sep 17 00:00:00 2001 From: Niek Palm Date: Fri, 25 Feb 2022 11:39:15 +0100 Subject: [PATCH 5/8] set default to false --- README.md | 2 +- variables.tf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index b7600fd2b8..5d7f25dd42 100644 --- a/README.md +++ b/README.md 
@@ -400,7 +400,7 @@ In case the setup does not work as intended follow the trace of events: | [cloudwatch\_config](#input\_cloudwatch\_config) | (optional) Replaces the module default cloudwatch log config. See https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Agent-Configuration-File-Details.html for details. | `string` | `null` | no | | [create\_service\_linked\_role\_spot](#input\_create\_service\_linked\_role\_spot) | (optional) create the serviced linked role for spot instances that is required by the scale-up lambda. | `bool` | `false` | no | | [delay\_webhook\_event](#input\_delay\_webhook\_event) | The number of seconds the event accepted by the webhook is invisible on the queue before the scale up lambda will receive the event. | `number` | `30` | no | -| [disable\_update\_runners](#input\_disable\_update\_runners) | Disable the auto update of the github runner agent. Be-aware there is a grace period of 30 days, see also the [GitHub article](https://github.blog/changelog/2022-02-01-github-actions-self-hosted-runners-can-now-disable-automatic-updates/) | `bool` | `true` | no | +| [disable\_update\_runners](#input\_disable\_update\_runners) | Disable the auto update of the github runner agent. Be-aware there is a grace period of 30 days, see also the [GitHub article](https://github.blog/changelog/2022-02-01-github-actions-self-hosted-runners-can-now-disable-automatic-updates/) | `bool` | `false` | no | | [enable\_cloudwatch\_agent](#input\_enable\_cloudwatch\_agent) | Enabling the cloudwatch agent on the ec2 runner instances, the runner contains default config. Configuration can be overridden via `cloudwatch_config`. | `bool` | `true` | no | | [enable\_ephemeral\_runners](#input\_enable\_ephemeral\_runners) | Enable ephemeral runners, runners will only be used once. 
| `bool` | `false` | no | | [enable\_managed\_runner\_security\_group](#input\_enable\_managed\_runner\_security\_group) | Enabling the default managed security group creation. Unmanaged security groups can be specified via `runner_additional_security_group_ids`. | `bool` | `true` | no | diff --git a/variables.tf b/variables.tf index f54d813a5b..e1546fb9df 100644 --- a/variables.tf +++ b/variables.tf @@ -589,5 +589,5 @@ variable "pool_config" { variable "disable_update_runners" { description = "Disable the auto update of the github runner agent. Be-aware there is a grace period of 30 days, see also the [GitHub article](https://github.blog/changelog/2022-02-01-github-actions-self-hosted-runners-can-now-disable-automatic-updates/)" type = bool - default = true + default = false } From 60d7b572148c959dc89fe6aa160a4d491617540e Mon Sep 17 00:00:00 2001 From: Niek Palm Date: Fri, 25 Feb 2022 11:47:30 +0100 Subject: [PATCH 6/8] review --- README.md | 2 +- main.tf | 2 +- modules/runners/README.md | 2 +- .../runners/lambdas/runners/src/scale-runners/scale-up.test.ts | 2 +- modules/runners/lambdas/runners/src/scale-runners/scale-up.ts | 2 +- modules/runners/scale-up.tf | 2 +- modules/runners/variables.tf | 2 +- variables.tf | 2 +- 8 files changed, 8 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index 5d7f25dd42..9d59e2989c 100644 --- a/README.md +++ b/README.md 
@@ -400,7 +400,7 @@ In case the setup does not work as intended follow the trace of events: | [cloudwatch\_config](#input\_cloudwatch\_config) | (optional) Replaces the module default cloudwatch log config. See https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Agent-Configuration-File-Details.html for details. | `string` | `null` | no | | [create\_service\_linked\_role\_spot](#input\_create\_service\_linked\_role\_spot) | (optional) create the serviced linked role for spot instances that is required by the scale-up lambda. | `bool` | `false` | no | | [delay\_webhook\_event](#input\_delay\_webhook\_event) | The number of seconds the event accepted by the webhook is invisible on the queue before the scale up lambda will receive the event. | `number` | `30` | no | -| [disable\_update\_runners](#input\_disable\_update\_runners) | Disable the auto update of the github runner agent. Be-aware there is a grace period of 30 days, see also the [GitHub article](https://github.blog/changelog/2022-02-01-github-actions-self-hosted-runners-can-now-disable-automatic-updates/) | `bool` | `false` | no | +| [disable\_runner\_autoupdate](#input\_disable\_runner\_autoupdate) | Disable the auto update of the github runner agent. Be-aware there is a grace period of 30 days, see also the [GitHub article](https://github.blog/changelog/2022-02-01-github-actions-self-hosted-runners-can-now-disable-automatic-updates/) | `bool` | `false` | no | | [enable\_cloudwatch\_agent](#input\_enable\_cloudwatch\_agent) | Enabling the cloudwatch agent on the ec2 runner instances, the runner contains default config. Configuration can be overridden via `cloudwatch_config`. | `bool` | `true` | no | | [enable\_ephemeral\_runners](#input\_enable\_ephemeral\_runners) | Enable ephemeral runners, runners will only be used once. 
| `bool` | `false` | no | | [enable\_managed\_runner\_security\_group](#input\_enable\_managed\_runner\_security\_group) | Enabling the default managed security group creation. Unmanaged security groups can be specified via `runner_additional_security_group_ids`. | `bool` | `true` | no | diff --git a/main.tf b/main.tf index e518b8a403..aaf0a56dd9 100644 --- a/main.tf +++ b/main.tf @@ -107,7 +107,7 @@ module "runners" { github_app_parameters = local.github_app_parameters enable_organization_runners = var.enable_organization_runners enable_ephemeral_runners = var.enable_ephemeral_runners - disable_update_runners = var.disable_update_runners + disable_runner_autoupdate = var.disable_runner_autoupdate enable_managed_runner_security_group = var.enable_managed_runner_security_group scale_down_schedule_expression = var.scale_down_schedule_expression minimum_running_time_in_minutes = var.minimum_running_time_in_minutes diff --git a/modules/runners/README.md b/modules/runners/README.md index 9bf6ac2162..d701010105 100644 --- a/modules/runners/README.md +++ b/modules/runners/README.md 
@@ -119,7 +119,7 @@ yarn run dist | [block\_device\_mappings](#input\_block\_device\_mappings) | The EC2 instance block device configuration. Takes the following keys: `device_name`, `delete_on_termination`, `volume_type`, `volume_size`, `encrypted`, `iops` | `map(string)` | `{}` | no | | [cloudwatch\_config](#input\_cloudwatch\_config) | (optional) Replaces the module default cloudwatch log config. See https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Agent-Configuration-File-Details.html for details. | `string` | `null` | no | | [create\_service\_linked\_role\_spot](#input\_create\_service\_linked\_role\_spot) | (optional) create the service linked role for spot instances that is required by the scale-up lambda. | `bool` | `false` | no | -| [disable\_update\_runners](#input\_disable\_update\_runners) | Disable the auto update of the github runner agent. Be-aware there is a grace period of 30 days, see also the [GitHub article](https://github.blog/changelog/2022-02-01-github-actions-self-hosted-runners-can-now-disable-automatic-updates/) | `bool` | `true` | no | +| [disable\_runner\_autoupdate](#input\_disable\_runner\_autoupdate) | Disable the auto update of the github runner agent. Be-aware there is a grace period of 30 days, see also the [GitHub article](https://github.blog/changelog/2022-02-01-github-actions-self-hosted-runners-can-now-disable-automatic-updates/) | `bool` | `true` | no | | [egress\_rules](#input\_egress\_rules) | List of egress rules for the GitHub runner instances. |
list(object({
cidr_blocks = list(string)
ipv6_cidr_blocks = list(string)
prefix_list_ids = list(string)
from_port = number
protocol = string
security_groups = list(string)
self = bool
to_port = number
description = string
}))
|
[
{
"cidr_blocks": [
"0.0.0.0/0"
],
"description": null,
"from_port": 0,
"ipv6_cidr_blocks": [
"::/0"
],
"prefix_list_ids": null,
"protocol": "-1",
"security_groups": null,
"self": null,
"to_port": 0
}
]
| no | | [enable\_cloudwatch\_agent](#input\_enable\_cloudwatch\_agent) | Enabling the cloudwatch agent on the ec2 runner instances, the runner contains default config. Configuration can be overridden via `cloudwatch_config`. | `bool` | `true` | no | | [enable\_ephemeral\_runners](#input\_enable\_ephemeral\_runners) | Enable ephemeral runners, runners will only be used once. | `bool` | `false` | no | diff --git a/modules/runners/lambdas/runners/src/scale-runners/scale-up.test.ts b/modules/runners/lambdas/runners/src/scale-runners/scale-up.test.ts index 2433fba778..09e143ee46 100644 --- a/modules/runners/lambdas/runners/src/scale-runners/scale-up.test.ts +++ b/modules/runners/lambdas/runners/src/scale-runners/scale-up.test.ts @@ -529,7 +529,7 @@ describe('scaleUp with public GH', () => { }); it('disable auto update on the runner.', async () => { - process.env.DISABLE_UPDATE_RUNNERS = 'true'; + process.env.DISABLE_RUNNER_AUTOUPDATE = 'true'; await scaleUpModule.scaleUp('aws:sqs', TEST_DATA); expectedRunnerParams.runnerServiceConfig = expectedRunnerParams.runnerServiceConfig + ` --disableupdate`; expect(createRunner).toBeCalledWith(expectedRunnerParams); diff --git a/modules/runners/lambdas/runners/src/scale-runners/scale-up.ts b/modules/runners/lambdas/runners/src/scale-runners/scale-up.ts index cb49c4ab70..7d102708f9 100644 --- a/modules/runners/lambdas/runners/src/scale-runners/scale-up.ts +++ b/modules/runners/lambdas/runners/src/scale-runners/scale-up.ts 
@@ -143,7 +143,7 @@ export async function scaleUp(eventSource: string, payload: ActionRequestMessage const instanceTypes = process.env.INSTANCE_TYPES.split(','); const instanceTargetTargetCapacityType = process.env.INSTANCE_TARGET_CAPACITY_TYPE; const ephemeralEnabled = yn(process.env.ENABLE_EPHEMERAL_RUNNERS, { default: false }); - const disableUpdate = yn(process.env.DISABLE_UPDATE_RUNNERS, { default: false }); + const disableUpdate = yn(process.env.DISABLE_RUNNER_AUTOUPDATE, { default: false }); const launchTemplateName = process.env.LAUNCH_TEMPLATE_NAME; const instanceMaxSpotPrice = process.env.INSTANCE_MAX_SPOT_PRICE; const instanceAllocationStrategy = process.env.INSTANCE_ALLOCATION_STRATEGY || 'lowest-price'; // same as AWS default diff --git a/modules/runners/scale-up.tf b/modules/runners/scale-up.tf index 48c771cbb2..234e4f7667 100644 --- a/modules/runners/scale-up.tf +++ b/modules/runners/scale-up.tf @@ -15,7 +15,7 @@ resource "aws_lambda_function" "scale_up" { environment { variables = { - DISABLE_UPDATE_RUNNERS = var.disable_update_runners + DISABLE_RUNNER_AUTOUPDATE = var.disable_runner_autoupdate ENABLE_EPHEMERAL_RUNNERS = var.enable_ephemeral_runners ENABLE_ORGANIZATION_RUNNERS = var.enable_organization_runners ENVIRONMENT = var.environment diff --git a/modules/runners/variables.tf b/modules/runners/variables.tf index 204c151595..59d93f6749 100644 --- a/modules/runners/variables.tf +++ b/modules/runners/variables.tf @@ -496,7 +496,7 @@ variable "pool_config" { default = [] } -variable "disable_update_runners" { +variable "disable_runner_autoupdate" { description = "Disable the auto update of the github runner agent. Be-aware there is a grace period of 30 days, see also the [GitHub article](https://github.blog/changelog/2022-02-01-github-actions-self-hosted-runners-can-now-disable-automatic-updates/)" type = bool default = true diff --git a/variables.tf b/variables.tf index e1546fb9df..5865e32225 100644 --- a/variables.tf +++ b/variables.tf 
@@ -586,7 +586,7 @@ variable "pool_config" {
 default = []
 }

-variable "disable_update_runners" {
+variable "disable_runner_autoupdate" {
 description = "Disable the auto update of the github runner agent. Be-aware there is a grace period of 30 days, see also the [GitHub article](https://github.blog/changelog/2022-02-01-github-actions-self-hosted-runners-can-now-disable-automatic-updates/)"
 type = bool
 default = false
From a0e27fe32ba0b125b56dd71afee05483d99c51e8 Mon Sep 17 00:00:00 2001
From: Niek Palm
Date: Fri, 25 Feb 2022 12:41:14 +0100
Subject: [PATCH 7/8] Add option to disable auto update to the pool
---
 examples/default/main.tf | 10 +++++-----
 modules/runners/lambdas/runners/src/pool/pool.ts | 11 ++++++++++-
 .../lambdas/runners/src/scale-runners/scale-up.ts | 8 ++++----
 modules/runners/pool.tf | 13 +++++++------
 modules/runners/pool/main.tf | 13 +++++++------
 modules/runners/pool/variables.tf | 5 +++--
 6 files changed, 36 insertions(+), 24 deletions(-)
diff --git a/examples/default/main.tf b/examples/default/main.tf
index 68d8903049..6e0e154ffb 100644
--- a/examples/default/main.tf
+++ b/examples/default/main.tf
@@ -31,13 +31,13 @@ module "runners" {
 }

 # Grab zip files via lambda_download
- webhook_lambda_zip = "lambdas-download/webhook.zip"
- runner_binaries_syncer_lambda_zip = "lambdas-download/runner-binaries-syncer.zip"
- runners_lambda_zip = "lambdas-download/runners.zip"
+ # webhook_lambda_zip = "lambdas-download/webhook.zip"
+ # runner_binaries_syncer_lambda_zip = "lambdas-download/runner-binaries-syncer.zip"
+ # runners_lambda_zip = "lambdas-download/runners.zip"

- enable_organization_runners = false
+ enable_organization_runners = true
 runner_extra_labels = "default,example"
-
+ disable_runner_autoupdate = true
 # enable access to the runners via SSM
 enable_ssm_on_runners = true
diff --git a/modules/runners/lambdas/runners/src/pool/pool.ts b/modules/runners/lambdas/runners/src/pool/pool.ts
index b38f0a4647..e98200073b 100644
--- a/modules/runners/lambdas/runners/src/pool/pool.ts
+++ b/modules/runners/lambdas/runners/src/pool/pool.ts
@@ -21,6 +21,7 @@ export async function adjust(event: PoolEvent): Promise {
 const instanceTypes = process.env.INSTANCE_TYPES.split(',');
 const instanceTargetTargetCapacityType = process.env.INSTANCE_TARGET_CAPACITY_TYPE;
 const ephemeral = yn(process.env.ENABLE_EPHEMERAL_RUNNERS, { default: false });
+ const disableAutoUpdate = yn(process.env.DISABLE_RUNNER_AUTOUPDATE, { default: false });
 const launchTemplateName = process.env.LAUNCH_TEMPLATE_NAME;
 const instanceMaxSpotPrice = process.env.INSTANCE_MAX_SPOT_PRICE;
 const instanceAllocationStrategy = process.env.INSTANCE_ALLOCATION_STRATEGY || 'lowest-price'; // same as AWS default
@@ -60,7 +61,15 @@ export async function adjust(event: PoolEvent): Promise {
 if (topUp > 0) {
 logger.info(`The pool will be topped up with ${topUp} runners.`);
 await createRunners(
- { ephemeral, ghesBaseUrl, runnerExtraLabels, runnerGroup, runnerOwner, runnerType: 'Org', disableUpdate: false },
+ {
+ ephemeral,
+ ghesBaseUrl,
+ runnerExtraLabels,
+ runnerGroup,
+ runnerOwner,
+ runnerType: 'Org',
+ disableAutoUpdate: disableAutoUpdate,
+ },
 {
 ec2instanceCriteria: {
 instanceTypes,
diff --git a/modules/runners/lambdas/runners/src/scale-runners/scale-up.ts b/modules/runners/lambdas/runners/src/scale-runners/scale-up.ts
index 7d102708f9..f643c95813 100644
--- a/modules/runners/lambdas/runners/src/scale-runners/scale-up.ts
+++ b/modules/runners/lambdas/runners/src/scale-runners/scale-up.ts
@@ -23,7 +23,7 @@ interface CreateGitHubRunnerConfig {
 runnerGroup: string | undefined;
 runnerOwner: string;
 runnerType: 'Org' | 'Repo';
- disableUpdate: boolean;
+ disableAutoUpdate: boolean;
 }

 interface CreateEC2RunnerConfig {
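Review bot: `disableAutoUpdate: disableAutoUpdate,` in the expanded `createRunners` argument is the only non-shorthand entry in a literal whose other fields (`ephemeral`, `ghesBaseUrl`, `runnerExtraLabels`, …) all use property shorthand, and `scale-up.ts` passes the same field as plain `disableAutoUpdate,`; writing it as `disableAutoUpdate,` keeps the two call sites uniform. The value comes from `yn(process.env.DISABLE_RUNNER_AUTOUPDATE, { default: false })` in the previous hunk, which is the same parse as in `scaleUp`, so a one-line comment there naming the Terraform variable that feeds it (`DISABLE_RUNNER_AUTOUPDATE` in `pool/main.tf`) would help readers trace the setting. `adjust` starts and ends outside these hunks.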
@@ -41,7 +41,7 @@ function generateRunnerServiceConfig(githubRunnerConfig: CreateGitHubRunnerConfi
 githubRunnerConfig.runnerGroup !== undefined ? `--runnergroup ${githubRunnerConfig.runnerGroup} ` : '';
 const configBaseUrl = githubRunnerConfig.ghesBaseUrl ? githubRunnerConfig.ghesBaseUrl : 'https://github.com';
 const ephemeralArgument = githubRunnerConfig.ephemeral ? '--ephemeral ' : '';
- const disableUpdateArgument = githubRunnerConfig.disableUpdate ? '--disableupdate ' : '';
+ const disableUpdateArgument = githubRunnerConfig.disableAutoUpdate ? '--disableupdate ' : '';
 const runnerArgs = `--token ${token} ${labelsArgument}${ephemeralArgument}${disableUpdateArgument}`;
 return githubRunnerConfig.runnerType === 'Org'
 ? `--url ${configBaseUrl}/${githubRunnerConfig.runnerOwner} ${runnerArgs}${runnerGroupArgument}`.trim()
@@ -143,7 +143,7 @@ export async function scaleUp(eventSource: string, payload: ActionRequestMessage
 const instanceTypes = process.env.INSTANCE_TYPES.split(',');
 const instanceTargetTargetCapacityType = process.env.INSTANCE_TARGET_CAPACITY_TYPE;
 const ephemeralEnabled = yn(process.env.ENABLE_EPHEMERAL_RUNNERS, { default: false });
- const disableUpdate = yn(process.env.DISABLE_RUNNER_AUTOUPDATE, { default: false });
+ const disableAutoUpdate = yn(process.env.DISABLE_RUNNER_AUTOUPDATE, { default: false });
 const launchTemplateName = process.env.LAUNCH_TEMPLATE_NAME;
 const instanceMaxSpotPrice = process.env.INSTANCE_MAX_SPOT_PRICE;
 const instanceAllocationStrategy = process.env.INSTANCE_ALLOCATION_STRATEGY || 'lowest-price'; // same as AWS default
@@ -198,7 +198,7 @@ export async function scaleUp(eventSource: string, payload: ActionRequestMessage
 runnerGroup,
 runnerOwner,
 runnerType,
- disableUpdate,
+ disableAutoUpdate,
 },
 {
 ec2instanceCriteria: {
diff --git a/modules/runners/pool.tf b/modules/runners/pool.tf
index 235ee877dd..6c749a5ca5 100644
--- a/modules/runners/pool.tf
+++ b/modules/runners/pool.tf
@@ -32,12 +32,13 @@ module "pool" {
 role_path = local.role_path
 role_permissions_boundary = var.role_permissions_boundary
 runner = {
- ephemeral = var.enable_ephemeral_runners
- extra_labels = var.runner_extra_labels
- launch_template = aws_launch_template.runner
- group_name = var.runner_group_name
- pool_owner = var.pool_runner_owner
- role = aws_iam_role.runner
+ disable_runner_autoupdate = var.disable_runner_autoupdate
+ ephemeral = var.enable_ephemeral_runners
+ extra_labels = var.runner_extra_labels
+ launch_template = aws_launch_template.runner
+ group_name = var.runner_group_name
+ pool_owner = var.pool_runner_owner
+ role = aws_iam_role.runner
 }
 subnet_ids = var.subnet_ids
 tags = local.tags
diff --git a/modules/runners/pool/main.tf b/modules/runners/pool/main.tf
index 7de74454f7..8c8c24bc04 100644
--- a/modules/runners/pool/main.tf
+++ b/modules/runners/pool/main.tf
@@ -16,9 +16,14 @@ resource "aws_lambda_function" "pool" {

 environment {
 variables = {
- RUNNER_OWNER = var.config.runner.pool_owner
+ DISABLE_RUNNER_AUTOUPDATE = var.config.runner.disable_runner_autoupdate
+ ENABLE_EPHEMERAL_RUNNERS = var.config.runner.ephemeral
 ENVIRONMENT = var.config.environment
 GHES_URL = var.config.ghes.url
+ INSTANCE_ALLOCATION_STRATEGY = var.config.instance_allocation_strategy
+ INSTANCE_MAX_SPOT_PRICE = var.config.instance_max_spot_price
+ INSTANCE_TARGET_CAPACITY_TYPE = var.config.instance_target_capacity_type
+ INSTANCE_TYPES = join(",", var.config.instance_types)
 LAUNCH_TEMPLATE_NAME = var.config.runner.launch_template.name
 LOG_LEVEL = var.config.lambda.log_level
 LOG_TYPE = var.config.lambda.log_type
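Review bot: In `modules/runners/pool/main.tf` the only functional change is the added `DISABLE_RUNNER_AUTOUPDATE = var.config.runner.disable_runner_autoupdate` line, but this hunk and the next one also move `RUNNER_OWNER`, `ENABLE_EPHEMERAL_RUNNERS` and the four `INSTANCE_*` variables to new positions, which is what turns a one-line feature into 7 insertions and 6 deletions for the file and makes the new setting hard to spot in review. Landing the alphabetical re-sort as its own commit, or leaving the existing order and inserting the single new line, would keep the feature diff reviewable. The `aws_lambda_function` resource starts outside the hunk.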
@@ -27,12 +32,8 @@ resource "aws_lambda_function" "pool" {
 PARAMETER_GITHUB_APP_KEY_BASE64_NAME = var.config.github_app_parameters.key_base64.name
 RUNNER_EXTRA_LABELS = var.config.runner.extra_labels
 RUNNER_GROUP_NAME = var.config.runner.group_name
+ RUNNER_OWNER = var.config.runner.pool_owner
 SUBNET_IDS = join(",", var.config.subnet_ids)
- ENABLE_EPHEMERAL_RUNNERS = var.config.runner.ephemeral
- INSTANCE_TYPES = join(",", var.config.instance_types)
- INSTANCE_TARGET_CAPACITY_TYPE = var.config.instance_target_capacity_type
- INSTANCE_MAX_SPOT_PRICE = var.config.instance_max_spot_price
- INSTANCE_ALLOCATION_STRATEGY = var.config.instance_allocation_strategy
 }
 }

diff --git a/modules/runners/pool/variables.tf b/modules/runners/pool/variables.tf
index 66b8eeadc2..0fcbe345f9 100644
--- a/modules/runners/pool/variables.tf
+++ b/modules/runners/pool/variables.tf
@@ -24,8 +24,9 @@ variable "config" {
 })
 subnet_ids = list(string)
 runner = object({
- ephemeral = bool
- extra_labels = string
+ disable_runner_autoupdate = bool
+ ephemeral = bool
+ extra_labels = string
 launch_template = object({
 name = string
 })
From 04f700a056985817b62929dd850380a5508bf315 Mon Sep 17 00:00:00 2001
From: Niek Palm
Date: Fri, 25 Feb 2022 12:43:20 +0100
Subject: [PATCH 8/8] revert example
---
 examples/default/main.tf | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/examples/default/main.tf b/examples/default/main.tf
index 6e0e154ffb..68d8903049 100644
--- a/examples/default/main.tf
+++ b/examples/default/main.tf
@@ -31,13 +31,13 @@ module "runners" {
 }

 # Grab zip files via lambda_download
- # webhook_lambda_zip = "lambdas-download/webhook.zip"
- # runner_binaries_syncer_lambda_zip = "lambdas-download/runner-binaries-syncer.zip"
- # runners_lambda_zip = "lambdas-download/runners.zip"
+ webhook_lambda_zip = "lambdas-download/webhook.zip"
+ runner_binaries_syncer_lambda_zip = "lambdas-download/runner-binaries-syncer.zip"
+ runners_lambda_zip = "lambdas-download/runners.zip"

- enable_organization_runners = true
+ enable_organization_runners = false
 runner_extra_labels = "default,example"
- disable_runner_autoupdate = true
+
 # enable access to the runners via SSM
 enable_ssm_on_runners = true