From 8467eecef83e4f92d33e088a7eecb5457c245d55 Mon Sep 17 00:00:00 2001
From: "Duraki, Aldin"
Date: Thu, 15 Sep 2022 16:26:28 +0200
Subject: [PATCH 1/2] feat: Support s3 bucket logging

Allow s3 bucket logging configuration support
---
README.md | 2 ++
main.tf | 2 ++
modules/runner-binaries-syncer/main.tf | 8 ++++--
modules/runner-binaries-syncer/variables.tf | 27 ++++++++++++++++++++-
variables.tf | 25 +++++++++++++++++++
5 files changed, 61 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index 2a04e3f1e1..30465dee2a 100644
--- a/README.md
+++ b/README.md
@@ -451,6 +451,8 @@ In case the setup does not work as intended follow the trace of events:
 | [runner\_architecture](#input\_runner\_architecture) | The platform architecture of the runner instance\_type. | `string` | `"x64"` | no |
 | [runner\_as\_root](#input\_runner\_as\_root) | Run the action runner under the root user. Variable `runner_run_as` will be ignored. | `bool` | `false` | no |
 | [runner\_binaries\_s3\_sse\_configuration](#input\_runner\_binaries\_s3\_sse\_configuration) | Map containing server-side encryption configuration for runner-binaries S3 bucket. | `any` | `{}` | no |
+| [runner\_binaries\_s3\_logging\_bucket](#input\_runner\_binaries\_s3\_logging\_bucket) | Bucket for action runner distribution bucket access logging. | `string` | `null` | no |
+| [runner\_binaries\_s3\_logging\_bucket\_prefix](#input\_runner\_binaries\_s3\logging\_bucket\_prefix) | Bucket prefix for action runner distribution bucket access logging. | `string` | `null` | no |
 | [runner\_binaries\_syncer\_lambda\_timeout](#input\_runner\_binaries\_syncer\_lambda\_timeout) | Time out of the binaries sync lambda in seconds. | `number` | `300` | no |
 | [runner\_binaries\_syncer\_lambda\_zip](#input\_runner\_binaries\_syncer\_lambda\_zip) | File location of the binaries sync lambda zip file. | `string` | `null` | no |
 | [runner\_boot\_time\_in\_minutes](#input\_runner\_boot\_time\_in\_minutes) | The minimum time for an EC2 runner to boot and register as a runner. | `number` | `5` | no |
diff --git a/main.tf b/main.tf
index 3a3525bd3b..730719f11c 100644
--- a/main.tf
+++ b/main.tf
@@ -230,6 +230,8 @@ module "runner_binaries" {
 tags = local.tags
 distribution_bucket_name = "${var.prefix}-dist-${random_string.random.result}"
+ s3_logging_bucket = var.runner_binaries_s3_logging_bucket
+ s3_logging_bucket_prefix = var.runner_binaries_s3_logging_bucket_prefix
 runner_os = var.runner_os
 runner_architecture = var.runner_architecture
diff --git a/modules/runner-binaries-syncer/main.tf b/modules/runner-binaries-syncer/main.tf
index a62f4efa74..e431a877b2 100644
--- a/modules/runner-binaries-syncer/main.tf
+++ b/modules/runner-binaries-syncer/main.tf
@@ -28,8 +28,6 @@ resource "aws_s3_bucket_lifecycle_configuration" "bucket-config" {
 days = 35
 storage_class = "INTELLIGENT_TIERING"
 }
-
-
 }
 }
@@ -64,7 +62,13 @@ resource "aws_s3_bucket_public_access_block" "action_dist" {
 restrict_public_buckets = true
 }
+resource "aws_s3_bucket_logging" "action_dist_logging" {
+ count = var.s3_logging_bucket != null ? 1 : 0
+ bucket = aws_s3_bucket.action_dist.id
+ target_bucket = var.s3_logging_bucket
+ target_prefix = var.s3_logging_bucket_prefix != null ? var.s3_logging_bucket_prefix : var.distribution_bucket_name
+}
 data "aws_iam_policy_document" "action_dist_sse_policy" {
 count = try(var.server_side_encryption_configuration.rule.apply_server_side_encryption_by_default, null) != null ? 1 : 0
diff --git a/modules/runner-binaries-syncer/variables.tf b/modules/runner-binaries-syncer/variables.tf
index b0de0c0d08..4d70862617 100644
--- a/modules/runner-binaries-syncer/variables.tf
+++ b/modules/runner-binaries-syncer/variables.tf
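Review bot: The `target_prefix` fallback in the new `aws_s3_bucket_logging` resource uses `var.distribution_bucket_name` with no trailing slash, so S3 will glue the bare bucket name onto every log object key (`<name>2022-09-15-...`) instead of grouping logs under a `<name>/` folder; `target_prefix = var.s3_logging_bucket_prefix != null ? var.s3_logging_bucket_prefix : "${var.distribution_bucket_name}/"` gives the conventional layout, and a caller-supplied prefix should be documented as used verbatim. Nothing in this hunk grants the S3 log delivery service write access to `var.s3_logging_bucket`: the target bucket needs a bucket policy allowing `logging.s3.amazonaws.com` to `s3:PutObject` (or, for buckets still relying on ACLs, the log delivery group ACL) and must be in the same region as the source bucket, and since the module never creates that bucket a comment on the resource stating this prerequisite would spare the next operator a failed apply or absent logs. There is also no check that `var.s3_logging_bucket` is not the distribution bucket itself, which would have the bucket logging its own log deliveries.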
@@ -36,6 +36,31 @@ variable "distribution_bucket_name" {
 condition = can(regex("^[a-z0-9-]*$", var.distribution_bucket_name))
 }
 }
+
+variable "s3_logging_bucket" {
+ description = "Bucket for action runner distribution bucket access logging."
+ type = string
+ default = null
+
+ # Make sure the bucket name only contains legal characters
+ validation {
+ error_message = "Only lowercase alphanumeric characters and hyphens allowed in the bucket name."
+ condition = var.s3_logging_bucket == null || can(regex("^[a-z0-9-]*$", var.s3_logging_bucket))
+ }
+}
+
+variable "s3_logging_bucket_prefix" {
+ description = "Bucket prefix for action runner distribution bucket access logging."
+ type = string
+ default = null
+
+ # Make sure the bucket name only contains legal characters
+ validation {
+ error_message = "Only lowercase alphanumeric characters and hyphens allowed in the bucket name."
+ condition = var.s3_logging_bucket_prefix == null || can(regex("^[a-z0-9-]*$", var.s3_logging_bucket_prefix))
+ }
+}
+
 variable "lambda_schedule_expression" {
 description = "Scheduler expression for action runner binary syncer."
 type = string
@@ -196,4 +221,4 @@ variable "lambda_architecture" {
 condition = contains(["arm64", "x86_64"], var.lambda_architecture)
 error_message = "`lambda_architecture` value is not valid, valid values are: `arm64` and `x86_64`."
 }
-}
\ No newline at end of file
+}
diff --git a/variables.tf b/variables.tf
index 76934cd79f..bd0d6fd49f 100644
--- a/variables.tf
+++ b/variables.tf
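Review bot: Both new validation rules use `^[a-z0-9-]*$` with a `*` quantifier, so an explicit empty string satisfies the `s3_logging_bucket` rule, is not `null`, and yields an `aws_s3_bucket_logging` resource with `target_bucket = ""` in the module's `main.tf`; `condition = var.s3_logging_bucket == null || can(regex("^[a-z0-9-]+$", var.s3_logging_bucket))` closes that gap for the bucket. The `s3_logging_bucket_prefix` rule is a verbatim copy of the bucket-name rule, so it rejects `/` — the usual separator in a log prefix such as `runner-dist/` — while its comment and error message still talk about "the bucket name"; the message should say prefix, and the allowed character set should match whatever the root module's prefix variable accepts, since `main.tf` passes the root value straight into this one.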
@@ -135,6 +135,31 @@ variable "runner_binaries_s3_sse_configuration" {
 default = {}
 }
+variable "runner_binaries_s3_logging_bucket" {
+ description = "Bucket for action runner distribution bucket access logging."
+ type = string
+ default = null
+
+ # Make sure the bucket name only contains legal characters
+ validation {
+ error_message = "Only lowercase alphanumeric characters and hyphens allowed in the bucket name."
+ condition = var.runner_binaries_s3_logging_bucket == null || can(regex("^[a-z0-9-]*$", var.runner_binaries_s3_logging_bucket))
+ }
+}
+
+variable "runner_binaries_s3_logging_bucket_prefix" {
+ description = "Bucket prefix for action runner distribution bucket access logging."
+ type = string
+ default = null
+
+ # Make sure the bucket name only contains legal characters
+ validation {
+ error_message = "Only lowercase alphanumeric characters and hyphens allowed in the bucket name."
+ condition = var.runner_binaries_s3_logging_bucket_prefix == null || can(regex("^[a-z0-9-]*$", var.runner_binaries_s3_logging_bucket_prefix))
+ }
+}
+
+
 variable "role_permissions_boundary" {
 description = "Permissions boundary that will be added to the created roles."
 type = string
From 4612655ac6cbc2678fbc0189386ebdb647a8e479 Mon Sep 17 00:00:00 2001
From: "Duraki, Aldin"
Date: Thu, 15 Sep 2022 17:12:58 +0200
Subject: [PATCH 2/2] adjust bucket prefix regex and validation error
---
variables.tf | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/variables.tf b/variables.tf
index bd0d6fd49f..8ecd5ca791 100644
--- a/variables.tf
+++ b/variables.tf
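Review bot: The description of `runner_binaries_s3_logging_bucket` does not tell the operator what they must provide: the target bucket is never created by this module, so it must already exist in the same region as (and, per the S3 server access logging requirements, be owned by the same account as) the distribution bucket, and it must allow the S3 log delivery service to write to it, otherwise the logging configuration is rejected or logs never arrive. Suggested wording: `description = "Name of an existing S3 bucket, in the same region, that receives access logs for the runner distribution bucket. The bucket must grant write access to the S3 log delivery service. Set to null to disable access logging."`. The prefix description should likewise say that the value is used verbatim as the log object key prefix and that the distribution bucket name is used when it is null. The two consecutive `+` blank lines before `role_permissions_boundary` will be collapsed by `terraform fmt`.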
@@ -152,10 +152,10 @@ variable "runner_binaries_s3_logging_bucket_prefix" {
 type = string
 default = null
- # Make sure the bucket name only contains legal characters
+ # Make sure the bucket prefix only contains legal characters
 validation {
- error_message = "Only lowercase alphanumeric characters and hyphens allowed in the bucket name."
- condition = var.runner_binaries_s3_logging_bucket_prefix == null || can(regex("^[a-z0-9-]*$", var.runner_binaries_s3_logging_bucket_prefix))
+ error_message = "Only alphanumeric characters, hyphens followed by single slashes allowed in the bucket prefix."
+ condition = var.runner_binaries_s3_logging_bucket_prefix == null || can(regex("^(([a-zA-Z0-9-])+(\\/?))*$", var.runner_binaries_s3_logging_bucket_prefix))
 }
 }
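Review bot: The relaxed prefix rule is applied only in the root `variables.tf`; `main.tf` forwards the value to the `runner-binaries-syncer` module, whose `s3_logging_bucket_prefix` variable from the first commit still validates against `^[a-z0-9-]*$`, so every value this rule newly admits — an uppercase letter or a `/` as in `runner-dist/` — passes here and then fails the module's validation at plan time. The module-level condition needs the same regex, or should be dropped in favour of this one. The new message also misdescribes the rule; `error_message = "Only alphanumeric characters and hyphens, optionally separated by single slashes, are allowed in the bucket prefix."` states what `^(([a-zA-Z0-9-])+(\\/?))*$` actually accepts: non-empty `[a-zA-Z0-9-]` segments joined by single slashes, with no leading slash and no empty segment.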