feat: Support s3 bucket logging #2430

Merged (2 commits) on Oct 6, 2022
2 changes: 2 additions & 0 deletions README.md
@@ -451,6 +451,8 @@ In case the setup does not work as intended follow the trace of events:
| <a name="input_runner_architecture"></a> [runner\_architecture](#input\_runner\_architecture) | The platform architecture of the runner instance\_type. | `string` | `"x64"` | no |
| <a name="input_runner_as_root"></a> [runner\_as\_root](#input\_runner\_as\_root) | Run the action runner under the root user. Variable `runner_run_as` will be ignored. | `bool` | `false` | no |
| <a name="input_runner_binaries_s3_sse_configuration"></a> [runner\_binaries\_s3\_sse\_configuration](#input\_runner\_binaries\_s3\_sse\_configuration) | Map containing server-side encryption configuration for runner-binaries S3 bucket. | `any` | `{}` | no |
| <a name="input_runner_binaries_s3_logging_bucket"></a> [runner\_binaries\_s3\_logging\_bucket](#input\_runner\_binaries\_s3\_logging\_bucket) | Bucket for action runner distribution bucket access logging. | `string` | `null` | no |
| <a name="input_runner_binaries_s3_logging_bucket_prefix"></a> [runner\_binaries\_s3\_logging\_bucket\_prefix](#input\_runner\_binaries\_s3\logging\_bucket\_prefix) | Bucket prefix for action runner distribution bucket access logging. | `string` | `null` | no |
| <a name="input_runner_binaries_syncer_lambda_timeout"></a> [runner\_binaries\_syncer\_lambda\_timeout](#input\_runner\_binaries\_syncer\_lambda\_timeout) | Time out of the binaries sync lambda in seconds. | `number` | `300` | no |
| <a name="input_runner_binaries_syncer_lambda_zip"></a> [runner\_binaries\_syncer\_lambda\_zip](#input\_runner\_binaries\_syncer\_lambda\_zip) | File location of the binaries sync lambda zip file. | `string` | `null` | no |
| <a name="input_runner_boot_time_in_minutes"></a> [runner\_boot\_time\_in\_minutes](#input\_runner\_boot\_time\_in\_minutes) | The minimum time for an EC2 runner to boot and register as a runner. | `number` | `5` | no |
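Review bot: the link target in the second added row is broken: `(#input\_runner\_binaries\_s3\logging\_bucket\_prefix)` is missing the `\_` between `s3` and `logging`, so it will not resolve to the `<a name="input_runner_binaries_s3_logging_bucket_prefix">` anchor on the same line. It should read `(#input\_runner\_binaries\_s3\_logging\_bucket\_prefix)`, matching the row above it; the rest of the table follows the generated-anchor pattern, so regenerating the table rather than hand-editing it would avoid this kind of slip.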
2 changes: 2 additions & 0 deletions main.tf
@@ -230,6 +230,8 @@ module "runner_binaries" {
tags = local.tags

distribution_bucket_name = "${var.prefix}-dist-${random_string.random.result}"
s3_logging_bucket = var.runner_binaries_s3_logging_bucket
s3_logging_bucket_prefix = var.runner_binaries_s3_logging_bucket_prefix

runner_os = var.runner_os
runner_architecture = var.runner_architecture
8 changes: 6 additions & 2 deletions modules/runner-binaries-syncer/main.tf
@@ -28,8 +28,6 @@ resource "aws_s3_bucket_lifecycle_configuration" "bucket-config" {
days = 35
storage_class = "INTELLIGENT_TIERING"
}


}
}

@@ -64,7 +62,13 @@ resource "aws_s3_bucket_public_access_block" "action_dist" {
restrict_public_buckets = true
}

resource "aws_s3_bucket_logging" "action_dist_logging" {
count = var.s3_logging_bucket != null ? 1 : 0

bucket = aws_s3_bucket.action_dist.id
target_bucket = var.s3_logging_bucket
target_prefix = var.s3_logging_bucket_prefix != null ? var.s3_logging_bucket_prefix : var.distribution_bucket_name
}

data "aws_iam_policy_document" "action_dist_sse_policy" {
count = try(var.server_side_encryption_configuration.rule.apply_server_side_encryption_by_default, null) != null ? 1 : 0
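Review bot: the `target_prefix` fallback in `aws_s3_bucket_logging.action_dist_logging` uses `var.distribution_bucket_name` with no trailing slash. S3 names server access log objects `<target_prefix>YYYY-mm-DD-HH-MM-SS-<unique>`, so with this default the date stamp is fused directly onto the bucket name instead of landing under a folder; `"${var.distribution_bucket_name}/"` is the safer default, and the variable description should say a user-supplied prefix normally ends in `/`. It is also worth documenting that the target bucket must already grant the S3 log delivery service (`logging.s3.amazonaws.com`) permission to write to it through its bucket policy, since this resource only turns logging on and nothing in this change configures the target bucket.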
27 changes: 26 additions & 1 deletion modules/runner-binaries-syncer/variables.tf
@@ -36,6 +36,31 @@ variable "distribution_bucket_name" {
condition = can(regex("^[a-z0-9-]*$", var.distribution_bucket_name))
}
}

variable "s3_logging_bucket" {
description = "Bucket for action runner distribution bucket access logging."
type = string
default = null

# Make sure the bucket name only contains legal characters
validation {
error_message = "Only lowercase alphanumeric characters and hyphens allowed in the bucket name."
condition = var.s3_logging_bucket == null || can(regex("^[a-z0-9-]*$", var.s3_logging_bucket))
}
}

variable "s3_logging_bucket_prefix" {
description = "Bucket prefix for action runner distribution bucket access logging."
type = string
default = null

# Make sure the bucket name only contains legal characters
validation {
error_message = "Only lowercase alphanumeric characters and hyphens allowed in the bucket name."
condition = var.s3_logging_bucket_prefix == null || can(regex("^[a-z0-9-]*$", var.s3_logging_bucket_prefix))
}
}

variable "lambda_schedule_expression" {
description = "Scheduler expression for action runner binary syncer."
type = string
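Review bot: the validation on `s3_logging_bucket_prefix` is stricter than the root-level one in `variables.tf`: `^[a-z0-9-]*$` rejects `/` and uppercase letters, while the root variable `runner_binaries_s3_logging_bucket_prefix` accepts `^(([a-zA-Z0-9-])+(\\/?))*$`. A prefix such as `dist-logs/` therefore passes root validation and then fails inside the module with a message about a bucket name. Align the two regexes (the root one, which allows slash-separated segments, is the one that fits an S3 key prefix), and fix the copy-pasted comment and `error_message` on this block, which still refer to "the bucket name" although the variable is a prefix.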
@@ -196,4 +221,4 @@ variable "lambda_architecture" {
condition = contains(["arm64", "x86_64"], var.lambda_architecture)
error_message = "`lambda_architecture` value is not valid, valid values are: `arm64` and `x86_64`."
}
}
}
25 changes: 25 additions & 0 deletions variables.tf
@@ -135,6 +135,31 @@ variable "runner_binaries_s3_sse_configuration" {
default = {}
}

variable "runner_binaries_s3_logging_bucket" {
description = "Bucket for action runner distribution bucket access logging."
type = string
default = null

# Make sure the bucket name only contains legal characters
validation {
error_message = "Only lowercase alphanumeric characters and hyphens allowed in the bucket name."
condition = var.runner_binaries_s3_logging_bucket == null || can(regex("^[a-z0-9-]*$", var.runner_binaries_s3_logging_bucket))
}
}

variable "runner_binaries_s3_logging_bucket_prefix" {
description = "Bucket prefix for action runner distribution bucket access logging."
type = string
default = null

# Make sure the bucket prefix only contains legal characters
validation {
error_message = "Only alphanumeric characters, hyphens followed by single slashes allowed in the bucket prefix."
condition = var.runner_binaries_s3_logging_bucket_prefix == null || can(regex("^(([a-zA-Z0-9-])+(\\/?))*$", var.runner_binaries_s3_logging_bucket_prefix))
}
}


variable "role_permissions_boundary" {
description = "Permissions boundary that will be added to the created roles."
type = string
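Review bot: the `error_message` for `runner_binaries_s3_logging_bucket_prefix` reads awkwardly ("hyphens followed by single slashes"); something like "Only alphanumeric characters and hyphens, optionally separated by single slashes, are allowed in the bucket prefix." describes what `^(([a-zA-Z0-9-])+(\\/?))*$` actually accepts. Note that the `*` also lets an empty string through, which the description does not mention. Minor style point: there is a double blank line between this block and `variable "role_permissions_boundary"`.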