diff --git a/.github/workflows/terraform.yml b/.github/workflows/terraform.yml index ad66e20ac3..8a5accc15d 100644 --- a/.github/workflows/terraform.yml +++ b/.github/workflows/terraform.yml @@ -139,6 +139,7 @@ jobs: "ephemeral", "termination-watcher", "multi-runner", + "external-managed-ssm-secrets" ] defaults: run: diff --git a/README.md b/README.md index c9c247f5d3..67a7438819 100644 --- a/README.md +++ b/README.md @@ -141,7 +141,7 @@ Join our discord community via [this invite link](https://discord.gg/bxgXW8jJGh) | [eventbridge](#input\_eventbridge) | Enable the use of EventBridge by the module. By enabling this feature events will be put on the EventBridge by the webhook instead of directly dispatching to queues for scaling.

`enable`: Enable the EventBridge feature.
`accept_events`: List can be used to only allow specific events to be putted on the EventBridge. By default all events, empty list will be be interpreted as all events. | 
object({
    enable        = optional(bool, true)
    accept_events = optional(list(string), null)
  })
| `{}` | no | | [ghes\_ssl\_verify](#input\_ghes\_ssl\_verify) | GitHub Enterprise SSL verification. Set to 'false' when custom certificate (chains) is used for GitHub Enterprise Server (insecure). | `bool` | `true` | no | | [ghes\_url](#input\_ghes\_url) | GitHub Enterprise Server URL. Example: https://github.internal.co - DO NOT SET IF USING PUBLIC GITHUB. However if you are using Github Enterprise Cloud with data-residency (ghe.com), set the endpoint here. Example - https://companyname.ghe.com | `string` | `null` | no | -| [github\_app](#input\_github\_app) | GitHub app parameters, see your github app. Ensure the key is the base64-encoded `.pem` file (the output of `base64 app.private-key.pem`, not the content of `private-key.pem`). | 
object({
    key_base64     = string
    id             = string
    webhook_secret = string
  })
| n/a | yes | +| [github\_app](#input\_github\_app) | GitHub app parameters, see your github app.
You can optionally create the SSM parameters yourself and provide the ARN and name here, through the `*_ssm` attributes.
If you chose to provide the configuration values directly here,
please ensure the key is the base64-encoded `.pem` file (the output of `base64 app.private-key.pem`, not the content of `private-key.pem`).
Note: the provided SSM parameters arn and name have a precedence over the actual value (i.e `key_base64_ssm` has a precedence over `key_base64` etc). | 
object({
    key_base64 = optional(string)
    key_base64_ssm = optional(object({
      arn  = string
      name = string
    }))
    id = optional(string)
    id_ssm = optional(object({
      arn  = string
      name = string
    }))
    webhook_secret = optional(string)
    webhook_secret_ssm = optional(object({
      arn  = string
      name = string
    }))
  })
| n/a | yes | | [idle\_config](#input\_idle\_config) | List of time periods, defined as a cron expression, to keep a minimum amount of runners active instead of scaling down to 0. By defining this list you can ensure that in time periods that match the cron expression within 5 seconds a runner is kept idle. | 
list(object({
    cron             = string
    timeZone         = string
    idleCount        = number
    evictionStrategy = optional(string, "oldest_first")
  }))
| `[]` | no | | [instance\_allocation\_strategy](#input\_instance\_allocation\_strategy) | The allocation strategy for spot instances. AWS recommends using `price-capacity-optimized` however the AWS default is `lowest-price`. | `string` | `"lowest-price"` | no | | [instance\_max\_spot\_price](#input\_instance\_max\_spot\_price) | Max price price for spot instances per hour. This variable will be passed to the create fleet as max spot price for the fleet. | `string` | `null` | no | diff --git a/docs/configuration.md b/docs/configuration.md index c7f53121ed..39240b24d9 100644 --- a/docs/configuration.md +++ b/docs/configuration.md @@ -10,7 +10,7 @@ To be able to support a number of use-cases, the module has quite a lot of confi - Linux vs Windows. You can configure the OS types linux and win. Linux will be used by default. - Re-use vs Ephemeral. By default runners are re-used, until detected idle. Once idle they will be removed from the pool. To improve security we are introducing ephemeral runners. Those runners are only used for one job. Ephemeral runners only work in combination with the workflow job event. For ephemeral runners the lambda requests a JIT (just in time) configuration via the GitHub API to register the runner. [JIT configuration](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-just-in-time-runners) is limited to ephemeral runners (and currently not supported by GHES). For non-ephemeral runners, a registration token is always requested. In both cases the configuration is made available to the instance via the same SSM parameter. To disable JIT configuration for ephemeral runners set `enable_jit_config` to `false`. We also suggest using a pre-build AMI to improve the start time of jobs for ephemeral runners. - Job retry (**Beta**). By default the scale-up lambda will discard the message when it is handled. Meaning in the ephemeral use-case an instance is created. The created runner will ask GitHub for a job, no guarantee it will run the job for which it was scaling. Result could be that with small system hick-up the job is keeping waiting for a runner. Enable a pool (org runners) is one option to avoid this problem. Another option is to enable the job retry function. Which will retry the job after a delay for a configured number of times. -- GitHub Cloud vs GitHub Enterprise Server (GHES). The runners support GitHub Cloud (Public GitHub - github.com), GitHub Data Residency instances (ghe.com), and GitHub Enterprise Server. For GHES, we rely on our community for support and testing. We have no capability to test GHES ourselves. +- GitHub Cloud vs GitHub Enterprise Server (GHES). The runners support GitHub Cloud (Public GitHub - github.com), GitHub Data Residency instances (ghe.com), and GitHub Enterprise Server. For GHES, we rely on our community for support and testing. We have no capability to test GHES ourselves. - Spot vs on-demand. The runners use either the EC2 spot or on-demand life cycle. Runners will be created via the AWS [CreateFleet API](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateFleet.html). The module (scale up lambda) will request via the CreateFleet API to create instances in one of the subnets and of the specified instance types. - ARM64 support via Graviton/Graviton2 instance-types. When using the default example or top-level module, specifying `instance_types` that match a Graviton/Graviton 2 (ARM64) architecture (e.g. a1, t4g or any 6th-gen `g` or `gd` type), you must also specify `runner_architecture = "arm64"` and the sub-modules will be automatically configured to provision with ARM64 AMIs and leverage GitHub's ARM64 action runner. See below for more details. - Disable default labels for the runners (os, architecture and `self-hosted`) can achieve by setting `runner_disable_default_labels` = true. If enabled, the runner will only have the extra labels provided in `runner_extra_labels`. In case you on own start script is used, this configuration parameter needs to be parsed via SSM. @@ -24,17 +24,44 @@ The module uses the AWS System Manager Parameter Store to store configuration fo | `ssm_paths.root/var.prefix?/app/` | App secrets used by Lambda's | | `ssm_paths.root/var.prefix?/runners/config/` | Configuration parameters used by runner start script | | `ssm_paths.root/var.prefix?/runners/tokens/` | Either JIT configuration (ephemeral runners) or registration tokens (non ephemeral runners) generated by the control plane (scale-up lambda), and consumed by the start script on the runner to activate / register the runner. | -| `ssm_paths.root/var.prefix?/webhook/runner-matcher-config` | Runner matcher config used by webhook to decide the target for the webhook event. | +| `ssm_paths.root/var.prefix?/webhook/runner-matcher-config` | Runner matcher config used by webhook to decide the target for the webhook event. | Available configuration parameters: -| Parameter name | Description | -|-------------------------------------|---------------------------------------------------------------------------------------------------| -| `agent_mode` | Indicates if the agent is running in ephemeral mode or not. | -| `disable_default_labels` | Indicates if the default labels for the runners (os, architecture and `self-hosted`) are disabled | -| `enable_cloudwatch` | Configuration for the cloudwatch agent to stream logging. | -| `run_as` | The user used for running the GitHub action runner agent. | -| `token_path` | The path where tokens are stored. | +| Parameter name | Description | +| ------------------------ | ------------------------------------------------------------------------------------------------- | +| `agent_mode` | Indicates if the agent is running in ephemeral mode or not. | +| `disable_default_labels` | Indicates if the default labels for the runners (os, architecture and `self-hosted`) are disabled | +| `enable_cloudwatch` | Configuration for the cloudwatch agent to stream logging. | +| `run_as` | The user used for running the GitHub action runner agent. | +| `token_path` | The path where tokens are stored. | + +### Note regarding GitHub App secrets provisioning in SSM + +SSM parameters for GitHub App secrets (`webhook_secret`, `key_base64`, `id`) can also be manually created at the SSM path of your choice. + +If you opt for this approach, please fill the `*_ssm` attributes of the `github_app` variable as following: + +``` +github_app = { + key_base64_ssm = { + name = "/your/path/to/ssm/parameter/key-base-64" + arn = "arn:aws:ssm:::parameter/your/path/to/ssm/parameter/key-base-64" + } + id_ssm = { + name = "/your/path/to/ssm/parameter/id" + arn = "arn:aws:ssm:::parameter/your/path/to/ssm/parameter/id" + } + webhook_secret_ssm = { + name = "/your/path/to/ssm/parameter/webhook-secret" + arn = "arn:aws:ssm:::parameter/your/path/to/ssm/parameter/webhook-secret" + } + } +``` + +Manually creating the SSM parameters that hold the configuration of your GitHub App avoids leaking critical plain text values in your terraform state and version control system. This is a recommended security practice for handling sensitive credentials. + +You can read more [over here](../examples/external-managed-ssm-secrets/README.md). ## Encryption @@ -124,7 +151,6 @@ You can configure runners to be ephemeral, in which case runners will be used on The example for [ephemeral runners](examples/ephemeral.md) is based on the [default example](examples/default.md). Have look at the diff to see the major configuration differences. - ## Job retry (**Beta**) You can enable the job retry function to retry a job after a delay for a configured number of times. The function is disabled by default. To enable the function set `job_retry.enable` to `true`. The function will check the job status after a delay, and when the is still queued, it will create a new runner. The new runner is created in the same way as the others via the scale-up function. Hence the same configuration applies. @@ -133,7 +159,6 @@ For checking the job status a API call is made to GitHub. Which can exhaust the The option `job_retry.delay_in_seconds` is the delay before the job status is checked. The delay is increased by the factor `job_retry.delay_backoff` for each attempt. The upper bound for a delay is 900 seconds, which is the max message delay on SQS. The maximum number of attempts is configured via `job_retry.max_attempts`. The delay should be set to a higher value than the time it takes to start a runner. - ## Prebuilt Images This module also allows you to run agents from a prebuilt AMI to gain faster startup times. The module provides several examples to build your own custom AMI. To remove old images, an [AMI housekeeper module](modules/public/ami-housekeeper.md) can be used. See the [AMI examples](ami-examples/index.md) for more details. @@ -231,7 +256,7 @@ The watcher is listening for spot termination warnings and create a log message ### Termination handler !!! warning - This feature will only work once the CloudTrail is enabled. +This feature will only work once the CloudTrail is enabled. The termination handler is listening for spot terminations by capture the `BidEvictedEvent` via CloudTrail. The handler will log and optionally create a metric for each termination. The intend is to enhance the logic to inform the user about the termination via the GitHub Job or Workflow run. The feature is disabled by default. The feature is enabled once the watcher is enabled, the feature can be disabled explicit by setting `instance_termination_watcher.features.enable_spot_termination_handler = false`. @@ -332,5 +357,4 @@ resource "aws_iam_role_policy" "event_rule_firehose_role" { } ``` - NOTE: By default, a runner AMI update requires a re-apply of this terraform config (the runner AMI ID is looked up by a terraform data source). To avoid this, you can use `ami_id_ssm_parameter_name` to have the scale-up lambda dynamically lookup the runner AMI ID from an SSM parameter at instance launch time. Said SSM parameter is managed outside of this module (e.g. by a runner AMI build workflow). diff --git a/docs/examples/external-managed-ssm-secrets.md b/docs/examples/external-managed-ssm-secrets.md new file mode 100644 index 0000000000..411b843d60 --- /dev/null +++ b/docs/examples/external-managed-ssm-secrets.md @@ -0,0 +1 @@ +--8<-- "examples/external-managed-ssm-secrets/README.md" diff --git a/docs/examples/index.md b/docs/examples/index.md index 37b30bbd5e..ac611575fc 100644 --- a/docs/examples/index.md +++ b/docs/examples/index.md @@ -9,3 +9,4 @@ Examples are located in the [examples](https://github.com/github-aws-runners/ter - _[Prebuilt Images](prebuilt.md)_: Example usages of deploying runners with a custom prebuilt image. - _[Windows](windows.md)_: Example usage of creating a runner using Windows as the OS. - _[Termination watcher](termination-watcher.md)_: Example usages of termination watcher. +- _[Externally managed SSM secrets](external-managed-ssm-secrets.md)_: Example usage of externally managed SSM secrets for the GitHub App credentials. diff --git a/examples/default/README.md b/examples/default/README.md index 771b2c7bab..f3129d71bc 100644 --- a/examples/default/README.md +++ b/examples/default/README.md @@ -6,7 +6,7 @@ This module shows how to create GitHub action runners. Lambda release will be do Steps for the full setup, such as creating a GitHub app can be found in the root module's [README](https://github.com/github-aws-runners/terraform-aws-github-runner). First download the Lambda releases from GitHub. Alternatively you can build the lambdas locally with Node or Docker, there is a simple build script in `/.ci/build.sh`. In the `main.tf` you can simply remove the location of the lambda zip files, the default location will work in this case. -> The default example assumes local built lambda's available. Ensure you have built the lambda's. Alternativly you can downlowd the lambda's. The version needs to be set to a GitHub release version, see https://github.com/github-aws-runners/terraform-aws-github-runner/releases +> The default example assumes local built lambda's available. Ensure you have built the lambda's. Alternatively you can download the lambda's. The version needs to be set to a GitHub release version, see https://github.com/github-aws-runners/terraform-aws-github-runner/releases ```bash cd ../lambdas-download diff --git a/examples/external-managed-ssm-secrets/.terraform.lock.hcl b/examples/external-managed-ssm-secrets/.terraform.lock.hcl new file mode 100644 index 0000000000..045fb7350a --- /dev/null +++ b/examples/external-managed-ssm-secrets/.terraform.lock.hcl @@ -0,0 +1,85 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/aws" { + version = "5.82.1" + constraints = ">= 5.0.0, ~> 5.0, ~> 5.27" + hashes = [ + "h1:QTOtDMehUfiD3wDbbDuXYuTqGgLDkKK9Agkd5NCUEic=", + "zh:0fde8533282973f1f5d33b2c4f82d962a2c78860d39b42ac20a9ce399f06f62c", + "zh:1fd1a252bffe91668f35be8eac4e0a980f022120254eae1674c3c05049aff88a", + "zh:31bbd380cd7d74bf9a8c961fc64da4222bed40ffbdb27b011e637fa8b2d33641", + "zh:333ee400cf6f62fa199dc1270bf8efac6ffe56659f86918070b8351b8636e03b", + "zh:42ea9fee0a152d344d548eab43583299a13bcd73fae9e53e7e1a708720ac1315", + "zh:4b78f25a8cda3316eb56aa01909a403ec2f325a2eb0512c9a73966068c26cf29", + "zh:5e9cf9a275eda8f7940a41e32abe0b92ba76b5744def4af5124b343b5f33eb94", + "zh:6a46c8630c16b9e1338c2daed6006118db951420108b58b8b886403c69317439", + "zh:6efe11cf1a01f98a8d8043cdcd8c0ee5fe93a0e582c2b69ebb73ea073f5068c3", + "zh:88ab5c768c7d8133dab94eff48071e764424ad2b7cfeee5abe6d5bb16e4b85c6", + "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", + "zh:a614beb312574342b27dbc34d65b450997f63fa3e948d0d30f441e4f69337380", + "zh:c1f486e27130610a9b64cacb0bd928009c433d62b3be515488185e6467b4aa1f", + "zh:dccd166e89e1a02e7ce658df3c42d040edec4b09c6f7906aa5743938518148b1", + "zh:e75a3ae0fb42b7ea5a0bb5dffd8f8468004c9700fcc934eb04c264fda2ba9984", + ] +} + +provider "registry.terraform.io/hashicorp/local" { + version = "2.5.2" + constraints = "~> 2.0" + hashes = [ + "h1:IyFbOIO6mhikFNL/2h1iZJ6kyN3U00jgkpCLUCThAfE=", + "zh:136299545178ce281c56f36965bf91c35407c11897f7082b3b983d86cb79b511", + "zh:3b4486858aa9cb8163378722b642c57c529b6c64bfbfc9461d940a84cd66ebea", + "zh:4855ee628ead847741aa4f4fc9bed50cfdbf197f2912775dd9fe7bc43fa077c0", + "zh:4b8cd2583d1edcac4011caafe8afb7a95e8110a607a1d5fb87d921178074a69b", + "zh:52084ddaff8c8cd3f9e7bcb7ce4dc1eab00602912c96da43c29b4762dc376038", + "zh:71562d330d3f92d79b2952ffdda0dad167e952e46200c767dd30c6af8d7c0ed3", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:805f81ade06ff68fa8b908d31892eaed5c180ae031c77ad35f82cb7a74b97cf4", + "zh:8b6b3ebeaaa8e38dd04e56996abe80db9be6f4c1df75ac3cccc77642899bd464", + "zh:ad07750576b99248037b897de71113cc19b1a8d0bc235eb99173cc83d0de3b1b", + "zh:b9f1c3bfadb74068f5c205292badb0661e17ac05eb23bfe8bd809691e4583d0e", + "zh:cc4cbcd67414fefb111c1bf7ab0bc4beb8c0b553d01719ad17de9a047adff4d1", + ] +} + +provider "registry.terraform.io/hashicorp/null" { + version = "3.2.3" + constraints = "~> 3.0, ~> 3.2" + hashes = [ + "h1:I0Um8UkrMUb81Fxq/dxbr3HLP2cecTH2WMJiwKSrwQY=", + "zh:22d062e5278d872fe7aed834f5577ba0a5afe34a3bdac2b81f828d8d3e6706d2", + "zh:23dead00493ad863729495dc212fd6c29b8293e707b055ce5ba21ee453ce552d", + "zh:28299accf21763ca1ca144d8f660688d7c2ad0b105b7202554ca60b02a3856d3", + "zh:55c9e8a9ac25a7652df8c51a8a9a422bd67d784061b1de2dc9fe6c3cb4e77f2f", + "zh:756586535d11698a216291c06b9ed8a5cc6a4ec43eee1ee09ecd5c6a9e297ac1", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:9d5eea62fdb587eeb96a8c4d782459f4e6b73baeece4d04b4a40e44faaee9301", + "zh:a6355f596a3fb8fc85c2fb054ab14e722991533f87f928e7169a486462c74670", + "zh:b5a65a789cff4ada58a5baffc76cb9767dc26ec6b45c00d2ec8b1b027f6db4ed", + "zh:db5ab669cf11d0e9f81dc380a6fdfcac437aea3d69109c7aef1a5426639d2d65", + "zh:de655d251c470197bcbb5ac45d289595295acb8f829f6c781d4a75c8c8b7c7dd", + "zh:f5c68199f2e6076bce92a12230434782bf768103a427e9bb9abee99b116af7b5", + ] +} + +provider "registry.terraform.io/hashicorp/random" { + version = "3.6.3" + constraints = "~> 3.0" + hashes = [ + "h1:zG9uFP8l9u+yGZZvi5Te7PV62j50azpgwPunq2vTm1E=", + "zh:04ceb65210251339f07cd4611885d242cd4d0c7306e86dda9785396807c00451", + "zh:448f56199f3e99ff75d5c0afacae867ee795e4dfda6cb5f8e3b2a72ec3583dd8", + "zh:4b4c11ccfba7319e901df2dac836b1ae8f12185e37249e8d870ee10bb87a13fe", + "zh:4fa45c44c0de582c2edb8a2e054f55124520c16a39b2dfc0355929063b6395b1", + "zh:588508280501a06259e023b0695f6a18149a3816d259655c424d068982cbdd36", + "zh:737c4d99a87d2a4d1ac0a54a73d2cb62974ccb2edbd234f333abd079a32ebc9e", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:a357ab512e5ebc6d1fda1382503109766e21bbfdfaa9ccda43d313c122069b30", + "zh:c51bfb15e7d52cc1a2eaec2a903ac2aff15d162c172b1b4c17675190e8147615", + "zh:e0951ee6fa9df90433728b96381fb867e3db98f66f735e0c3e24f8f16903f0ad", + "zh:e3cdcb4e73740621dabd82ee6a37d6cfce7fee2a03d8074df65086760f5cf556", + "zh:eff58323099f1bd9a0bec7cb04f717e7f1b2774c7d612bf7581797e1622613a0", + ] +} diff --git a/examples/external-managed-ssm-secrets/README.md b/examples/external-managed-ssm-secrets/README.md new file mode 100644 index 0000000000..dd14d36960 --- /dev/null +++ b/examples/external-managed-ssm-secrets/README.md @@ -0,0 +1,117 @@ +# Externally managed SSM secrets + +This example is based on the [default setup](../default/README.md), but shows how to use configure runners with already existing SSM parameters that you'd have created manually. + +Manually creating the SSM parameters that hold the configuration of your GitHub App avoids leaking critical plain text values in your terraform state and version control system. This is a recommended security practice for handling sensitive credentials. + +## Prerequisites + +To configure GitHub App credentials in AWS, you have two options: + +### 1. Using the [`ssm.sh`](./ssm.sh) script + +- Edit [`ssm.sh`](./ssm.sh) and set your values +- Run: `source ssm.sh` +- Then run your Terraform commands (`terraform plan` / `terraform apply`) + +### 2. Create them manually via the AWS console (or the `aws-cli`) + +- Create the following SSM parameters on the AWS console: + +``` +/github-action-runners/app/github_app_id (Your GitHub App ID) +/github-action-runners/app/github_app_key_base64 (Your GitHub App Private Key) +/github-action-runners/app/github_app_webhook_secret (Your Installation ID) +``` + +Example using AWS CLI: + +```bash + # GitHub App ID + aws ssm put-parameter \ + --name "/github-action-runners/app/github_app_id" \ + --value "YOUR_APP_ID" \ + --type "SecureString" + + # GitHub App Private Key + aws ssm put-parameter \ + --name "/github-action-runners/app/github_app_key_base64" \ + --value "YOUR_PRIVATE_KEY" \ + --type "SecureString" + + # GitHub App Installation ID + aws ssm put-parameter \ + --name "/github-action-runners/app/github_app_webhook_secret" \ + --value "YOUR_INSTALLATION_ID" \ + --type "SecureString" +``` + +- Fill the `arn` and `name` values for each of these inside the [`github_app_ssm_parameters` variable](./variables.tf). + +## Usages + +Steps for the full setup, such as creating a GitHub app can be found in the root module's [README](https://github.com/philips-labs/terraform-aws-github-runner). First download the Lambda releases from GitHub. Alternatively you can build the lambdas locally with Node or Docker, there is a simple build script in `/.ci/build.sh`. In the `main.tf` you can simply remove the location of the lambda zip files, the default location will work in this case. + +> This example assumes local built lambda's available. Ensure you have built the lambda's. Alternativly you can downlowd the lambda's. The version needs to be set to a GitHub release version, see https://github.com/philips-labs/terraform-aws-github-runner/releases + +```bash +cd ../lambdas-download +terraform init +terraform apply -var=module_version= +cd - +``` + +Before running Terraform, ensure the GitHub app is configured. See the [configuration details](https://github.com/philips-labs/terraform-aws-github-runner#usages) for more details. + +```bash +terraform init +terraform apply +``` + +The example will try to update the webhook of your GitHub. In case the update fails the apply will not fail. You can receive the webhook details by running: + +```bash +terraform output -raw webhook_secret +``` + + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.3.0 | +| [aws](#requirement\_aws) | ~> 5.27 | +| [local](#requirement\_local) | ~> 2.0 | +| [random](#requirement\_random) | ~> 3.0 | + +## Providers + +No providers. + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [base](#module\_base) | ../base | n/a | +| [runners](#module\_runners) | ../../ | n/a | + +## Resources + +No resources. + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [aws\_region](#input\_aws\_region) | AWS region. | `string` | `"eu-west-1"` | no | +| [environment](#input\_environment) | Environment name, used as prefix. | `string` | `null` | no | +| [github\_app\_ssm\_parameters](#input\_github\_app\_ssm\_parameters) | SSM parameters details for the GitHub App, that you've created manually on AWS. | 
object({
    key_base64 = optional(object({
      arn  = string
      name = string
    }))
    id = optional(object({
      arn  = string
      name = string
    }))
    webhook_secret = optional(object({
      arn  = string
      name = string
    }))
  })
| `{}` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [note](#output\_note) | n/a | +| [runners](#output\_runners) | n/a | +| [webhook\_endpoint](#output\_webhook\_endpoint) | n/a | + diff --git a/examples/external-managed-ssm-secrets/main.tf b/examples/external-managed-ssm-secrets/main.tf new file mode 100644 index 0000000000..e390a56792 --- /dev/null +++ b/examples/external-managed-ssm-secrets/main.tf @@ -0,0 +1,48 @@ +locals { + environment = var.environment != null ? var.environment : "default" + aws_region = var.aws_region +} + +module "base" { + source = "../base" + + prefix = local.environment + aws_region = local.aws_region +} + +module "runners" { + source = "../../" + create_service_linked_role_spot = true + aws_region = local.aws_region + vpc_id = module.base.vpc.vpc_id + subnet_ids = module.base.vpc.private_subnets + + prefix = local.environment + tags = { + Project = "ProjectX" + } + + github_app = { + key_base64_ssm = var.github_app_ssm_parameters.key_base64 + id_ssm = var.github_app_ssm_parameters.id + webhook_secret_ssm = var.github_app_ssm_parameters.webhook_secret + } + + enable_organization_runners = true + runner_extra_labels = ["default", "example"] + + # enable access to the runners via SSM + enable_ssm_on_runners = true + + instance_types = ["m7a.large", "m5.large"] + + # override delay of events in seconds + delay_webhook_event = 5 + runners_maximum_count = 2 + + # override scaling down + scale_down_schedule_expression = "cron(* * * * ? *)" + + # prefix GitHub runners with the environment name + runner_name_prefix = "${local.environment}_" +} diff --git a/examples/external-managed-ssm-secrets/outputs.tf b/examples/external-managed-ssm-secrets/outputs.tf new file mode 100644 index 0000000000..e764e732cd --- /dev/null +++ b/examples/external-managed-ssm-secrets/outputs.tf @@ -0,0 +1,16 @@ +output "runners" { + value = { + lambda_syncer_name = module.runners.binaries_syncer.lambda.function_name + } +} + +output "webhook_endpoint" { + value = module.runners.webhook.endpoint +} + +output "note" { + value = <<-EOF + The runners are not yet ready to process jobs. Please ensure you updated the GitHub app with the webhook endpoint and secret. + The webhook endpoint is: ${module.runners.webhook.endpoint} + EOF +} diff --git a/examples/external-managed-ssm-secrets/providers.tf b/examples/external-managed-ssm-secrets/providers.tf new file mode 100644 index 0000000000..eca2fe96a7 --- /dev/null +++ b/examples/external-managed-ssm-secrets/providers.tf @@ -0,0 +1,9 @@ +provider "aws" { + region = local.aws_region + + default_tags { + tags = { + Example = local.environment + } + } +} diff --git a/examples/external-managed-ssm-secrets/ssm.sh b/examples/external-managed-ssm-secrets/ssm.sh new file mode 100755 index 0000000000..cfccd5e637 --- /dev/null +++ b/examples/external-managed-ssm-secrets/ssm.sh @@ -0,0 +1,67 @@ +#!/bin/bash + +# NOTE: this script is only for demonstration purposes + +# Script to create SSM parameters outside of Terraform +# and set them as environment variables for Terraform + +APP_ID= +APP_PRIVATE_KEY_FILE= +APP_WEBHOOK_SECRET= +APP_PRIVATE_KEY=$(base64 -i $APP_PRIVATE_KEY_FILE) +SSM_PATH="/github-runners/example/app" + +if [ -z "$APP_ID" ]; then + echo "APP_ID is not set" + exit 1 +fi + +if [ -z "$APP_WEBHOOK_SECRET" ]; then + echo "APP_WEBHOOK_SECRET is not set" + exit 1 +fi + +if [ -z "$APP_PRIVATE_KEY_FILE" ]; then + echo "APP_PRIVATE_KEY_FILE is not set" + exit 1 +fi + + +export AWS_PAGER="" +export AWS_REGION=eu-central-1 +export TF_VAR_aws_region=$AWS_REGION + + +# GitHub App ID +aws ssm put-parameter \ + --name "${SSM_PATH}/github_app_id" \ + --overwrite \ + --value "${APP_ID}" \ + --type "SecureString" + +# GitHub App Private Key +aws ssm put-parameter \ + --name "${SSM_PATH}/github_app_key_base64" \ + --overwrite \ + --value "${APP_PRIVATE_KEY}" \ + --type "SecureString" + +# GitHub App Installation ID +aws ssm put-parameter \ + --name "${SSM_PATH}/github_app_webhook_secret" \ + --overwrite \ + --value "${APP_WEBHOOK_SECRET}" \ + --type "SecureString" + + +github_app_id_ssm=$(aws ssm get-parameter --name "${SSM_PATH}/github_app_id" --query 'Parameter.{arn:ARN,name:Name}' --output json) +github_app_key_base64_ssm=$(aws ssm get-parameter --name "${SSM_PATH}/github_app_key_base64" --query 'Parameter.{arn:ARN,name:Name}' --output json) +github_app_webhook_secret_ssm=$(aws ssm get-parameter --name "${SSM_PATH}/github_app_webhook_secret" --query 'Parameter.{arn:ARN,name:Name}' --output json) + +export TF_VAR_github_app_ssm_parameters="{ + \"id\": `echo $github_app_id_ssm`, + \"key_base64\": `echo $github_app_key_base64_ssm`, + \"webhook_secret\": `echo $github_app_webhook_secret_ssm` +}" + +export TF_VAR_environment=external-ssm diff --git a/examples/external-managed-ssm-secrets/variables.tf b/examples/external-managed-ssm-secrets/variables.tf new file mode 100644 index 0000000000..047f404400 --- /dev/null +++ b/examples/external-managed-ssm-secrets/variables.tf @@ -0,0 +1,32 @@ +variable "github_app_ssm_parameters" { + description = "SSM parameters details for the GitHub App, that you've created manually on AWS." + type = object({ + key_base64 = optional(object({ + arn = string + name = string + })) + id = optional(object({ + arn = string + name = string + })) + webhook_secret = optional(object({ + arn = string + name = string + })) + }) + default = {} +} + +variable "environment" { + description = "Environment name, used as prefix." + + type = string + default = null +} + +variable "aws_region" { + description = "AWS region." + + type = string + default = "eu-west-1" +} diff --git a/examples/external-managed-ssm-secrets/versions.tf b/examples/external-managed-ssm-secrets/versions.tf new file mode 100644 index 0000000000..349e8243a5 --- /dev/null +++ b/examples/external-managed-ssm-secrets/versions.tf @@ -0,0 +1,17 @@ +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 5.27" + } + local = { + source = "hashicorp/local" + version = "~> 2.0" + } + random = { + source = "hashicorp/random" + version = "~> 3.0" + } + } + required_version = ">= 1.3.0" +} diff --git a/examples/multi-runner/README.md b/examples/multi-runner/README.md index 70b2220f89..0a4bb295e1 100644 --- a/examples/multi-runner/README.md +++ b/examples/multi-runner/README.md @@ -23,7 +23,7 @@ Per combination of OS and architecture a lambda distribution syncer will be crea Steps for the full setup, such as creating a GitHub app can be found the [docs](https://github-aws-runners.github.io/terraform-aws-github-runner/). First download the Lambda releases from GitHub. Alternatively you can build the lambdas locally with Node or Docker, there is a simple build script in `/.ci/build.sh`. In the `main.tf` you can simply remove the location of the lambda zip files, the default location will work in this case. -> The default example assumes local built lambda's available. Ensure you have built the lambda's. Alternativly you can downlowd the lambda's. The version needs to be set to a GitHub release version, see https://github.com/github-aws-runners/terraform-aws-github-runner/releases +> The default example assumes local built lambda's available. Ensure you have built the lambda's. Alternatively you can download the lambda's. The version needs to be set to a GitHub release version, see https://github.com/github-aws-runners/terraform-aws-github-runner/releases ```bash cd ../lambdas-download diff --git a/main.tf b/main.tf index e4e18000fd..b9456c0a52 100644 --- a/main.tf +++ b/main.tf @@ -4,8 +4,9 @@ locals { }) github_app_parameters = { - id = module.ssm.parameters.github_app_id - key_base64 = module.ssm.parameters.github_app_key_base64 + id = coalesce(var.github_app.id_ssm, module.ssm.parameters.github_app_id) + key_base64 = coalesce(var.github_app.key_base64_ssm, module.ssm.parameters.github_app_key_base64) + webhook_secret = coalesce(var.github_app.webhook_secret_ssm, module.ssm.parameters.github_app_webhook_secret) } default_runner_labels = distinct(concat(["self-hosted", var.runner_os, var.runner_architecture])) @@ -87,8 +88,7 @@ resource "aws_sqs_queue" "queued_builds_dlq" { } module "ssm" { - source = "./modules/ssm" - + source = "./modules/ssm" kms_key_arn = var.kms_key_arn path_prefix = "${local.ssm_root_path}/${var.ssm_paths.app}" github_app = var.github_app @@ -120,7 +120,7 @@ module "webhook" { matcher_config_parameter_store_tier = var.matcher_config_parameter_store_tier github_app_parameters = { - webhook_secret = module.ssm.parameters.github_app_webhook_secret + webhook_secret = local.github_app_parameters.webhook_secret } lambda_s3_bucket = var.lambda_s3_bucket diff --git a/mkdocs.yaml b/mkdocs.yaml index 1fe9cb301f..d4bb359f42 100644 --- a/mkdocs.yaml +++ b/mkdocs.yaml @@ -70,6 +70,7 @@ nav: - Default: examples/default.md - Multi Runner: examples/multi-runner.md - Ephemeral: examples/ephemeral.md + - External managed secrets: examples/external-managed-ssm-secrets.md - Custom AMI: examples/prebuilt.md - Termination watcher: examples/termination-watcher.md - Lambda download: examples/lambda-download.md diff --git a/modules/multi-runner/README.md b/modules/multi-runner/README.md index 771f7e1f98..dca32e2662 100644 --- a/modules/multi-runner/README.md +++ b/modules/multi-runner/README.md @@ -131,7 +131,7 @@ module "multi-runner" { | [eventbridge](#input\_eventbridge) | Enable the use of EventBridge by the module. By enabling this feature events will be put on the EventBridge by the webhook instead of directly dispatching to queues for scaling. | 
object({
    enable        = optional(bool, true)
    accept_events = optional(list(string), [])
  })
| `{}` | no | | [ghes\_ssl\_verify](#input\_ghes\_ssl\_verify) | GitHub Enterprise SSL verification. Set to 'false' when custom certificate (chains) is used for GitHub Enterprise Server (insecure). | `bool` | `true` | no | | [ghes\_url](#input\_ghes\_url) | GitHub Enterprise Server URL. Example: https://github.internal.co - DO NOT SET IF USING PUBLIC GITHUB. .However if you are using Github Enterprise Cloud with data-residency (ghe.com), set the endpoint here. Example - https://companyname.ghe.com\| | `string` | `null` | no | -| [github\_app](#input\_github\_app) | GitHub app parameters, see your github app. Ensure the key is the base64-encoded `.pem` file (the output of `base64 app.private-key.pem`, not the content of `private-key.pem`). | 
object({
    key_base64     = string
    id             = string
    webhook_secret = string
  })
| n/a | yes | +| [github\_app](#input\_github\_app) | GitHub app parameters, see your github app.
You can optionally create the SSM parameters yourself and provide the ARN and name here, through the `*_ssm` attributes.
If you chose to provide the configuration values directly here,
please ensure the key is the base64-encoded `.pem` file (the output of `base64 app.private-key.pem`, not the content of `private-key.pem`).
Note: the provided SSM parameters arn and name have a precedence over the actual value (i.e `key_base64_ssm` has a precedence over `key_base64` etc). | 
object({
    key_base64 = optional(string)
    key_base64_ssm = optional(object({
      arn  = string
      name = string
    }))
    id = optional(string)
    id_ssm = optional(object({
      arn  = string
      name = string
    }))
    webhook_secret = optional(string)
    webhook_secret_ssm = optional(object({
      arn  = string
      name = string
    }))
  })
| n/a | yes | | [instance\_profile\_path](#input\_instance\_profile\_path) | The path that will be added to the instance\_profile, if not set the environment name will be used. | `string` | `null` | no | | [instance\_termination\_watcher](#input\_instance\_termination\_watcher) | Configuration for the spot termination watcher lambda function. This feature is Beta, changes will not trigger a major release as long in beta.

`enable`: Enable or disable the spot termination watcher.
`memory_size`: Memory size linit in MB of the lambda.
`s3_key`: S3 key for syncer lambda function. Required if using S3 bucket to specify lambdas.
`s3_object_version`: S3 object version for syncer lambda function. Useful if S3 versioning is enabled on source bucket.
`timeout`: Time out of the lambda in seconds.
`zip`: File location of the lambda zip file. | 
object({
    enable = optional(bool, false)
    features = optional(object({
      enable_spot_termination_handler              = optional(bool, true)
      enable_spot_termination_notification_watcher = optional(bool, true)
    }), {})
    memory_size       = optional(number, null)
    s3_key            = optional(string, null)
    s3_object_version = optional(string, null)
    timeout           = optional(number, null)
    zip               = optional(string, null)
  })
| `{}` | no | | [key\_name](#input\_key\_name) | Key pair name | `string` | `null` | no | diff --git a/modules/multi-runner/main.tf b/modules/multi-runner/main.tf index 22ec0df3ba..905cc7f793 100644 --- a/modules/multi-runner/main.tf +++ b/modules/multi-runner/main.tf @@ -4,8 +4,9 @@ locals { }) github_app_parameters = { - id = module.ssm.parameters.github_app_id - key_base64 = module.ssm.parameters.github_app_key_base64 + id = coalesce(var.github_app.id_ssm, module.ssm.parameters.github_app_id) + key_base64 = coalesce(var.github_app.key_base64_ssm, module.ssm.parameters.github_app_key_base64) + webhook_secret = coalesce(var.github_app.webhook_secret_ssm, module.ssm.parameters.github_app_webhook_secret) } runner_extra_labels = { for k, v in var.multi_runner_config : k => sort(setunion(flatten(v.matcherConfig.labelMatchers), compact(v.runner_config.runner_extra_labels))) } diff --git a/modules/multi-runner/outputs.tf b/modules/multi-runner/outputs.tf index 42758c0652..7ce7171faf 100644 --- a/modules/multi-runner/outputs.tf +++ b/modules/multi-runner/outputs.tf @@ -45,7 +45,11 @@ output "webhook" { } output "ssm_parameters" { - value = module.ssm.parameters + value = { for k, v in local.github_app_parameters : k => { + name = v.name + arn = v.arn + } + } } output "instance_termination_watcher" { diff --git a/modules/multi-runner/ssm.tf b/modules/multi-runner/ssm.tf index 6b2591f465..6a3a234e6f 100644 --- a/modules/multi-runner/ssm.tf +++ b/modules/multi-runner/ssm.tf @@ -1,6 +1,5 @@ module "ssm" { - source = "../ssm" - + source = "../ssm" kms_key_arn = var.kms_key_arn path_prefix = "${local.ssm_root_path}/${var.ssm_paths.app}" github_app = var.github_app diff --git a/modules/multi-runner/variables.tf b/modules/multi-runner/variables.tf index bc45ee4057..ff4419d4d9 100644 --- a/modules/multi-runner/variables.tf +++ b/modules/multi-runner/variables.tf @@ -1,12 +1,41 @@ variable "github_app" { - description = "GitHub app parameters, see your github app. Ensure the key is the base64-encoded `.pem` file (the output of `base64 app.private-key.pem`, not the content of `private-key.pem`)." + description = < [github\_app](#input\_github\_app) | GitHub app parameters, see your github app. Ensure the key is the base64-encoded `.pem` file (the output of `base64 app.private-key.pem`, not the content of `private-key.pem`). | 
object({
    key_base64     = string
    id             = string
    webhook_secret = string
  })
| n/a | yes | +| [github\_app](#input\_github\_app) | GitHub app parameters, see your github app.
You can optionally create the SSM parameters yourself and provide the ARN and name here, through the `*_ssm` attributes.
If you chose to provide the configuration values directly here,
please ensure the key is the base64-encoded `.pem` file (the output of `base64 app.private-key.pem`, not the content of `private-key.pem`).
Note: the provided SSM parameters arn and name have a precedence over the actual value (i.e `key_base64_ssm` has a precedence over `key_base64` etc). | 
object({
    key_base64 = optional(string)
    key_base64_ssm = optional(object({
      arn  = string
      name = string
    }))
    id = optional(string)
    id_ssm = optional(object({
      arn  = string
      name = string
    }))
    webhook_secret = optional(string)
    webhook_secret_ssm = optional(object({
      arn  = string
      name = string
    }))
  })
| n/a | yes | | [kms\_key\_arn](#input\_kms\_key\_arn) | Optional CMK Key ARN to be used for Parameter Store. | `string` | `null` | no | | [path\_prefix](#input\_path\_prefix) | The path prefix used for naming resources | `string` | n/a | yes | | [tags](#input\_tags) | Map of tags that will be added to created resources. By default resources will be tagged with name and environment. | `map(string)` | `{}` | no | diff --git a/modules/ssm/outputs.tf b/modules/ssm/outputs.tf index 3545a839c3..4017f6ab3d 100644 --- a/modules/ssm/outputs.tf +++ b/modules/ssm/outputs.tf @@ -1,16 +1,16 @@ output "parameters" { value = { github_app_id = { - name = aws_ssm_parameter.github_app_id.name - arn = aws_ssm_parameter.github_app_id.arn + name = var.github_app.id_ssm != null ? var.github_app.id_ssm.name : aws_ssm_parameter.github_app_id[0].name + arn = var.github_app.id_ssm != null ? var.github_app.id_ssm.arn : aws_ssm_parameter.github_app_id[0].arn } github_app_key_base64 = { - name = aws_ssm_parameter.github_app_key_base64.name - arn = aws_ssm_parameter.github_app_key_base64.arn + name = var.github_app.key_base64_ssm != null ? var.github_app.key_base64_ssm.name : aws_ssm_parameter.github_app_key_base64[0].name + arn = var.github_app.key_base64_ssm != null ? var.github_app.key_base64_ssm.arn : aws_ssm_parameter.github_app_key_base64[0].arn } github_app_webhook_secret = { - name = aws_ssm_parameter.github_app_webhook_secret.name - arn = aws_ssm_parameter.github_app_webhook_secret.arn + name = var.github_app.webhook_secret_ssm != null ? var.github_app.webhook_secret_ssm.name : aws_ssm_parameter.github_app_webhook_secret[0].name + arn = var.github_app.webhook_secret_ssm != null ? var.github_app.webhook_secret_ssm.arn : aws_ssm_parameter.github_app_webhook_secret[0].arn } } } diff --git a/modules/ssm/ssm.tf b/modules/ssm/ssm.tf index 6bf3291e37..3f13333e68 100644 --- a/modules/ssm/ssm.tf +++ b/modules/ssm/ssm.tf @@ -1,4 +1,5 @@ resource "aws_ssm_parameter" "github_app_id" { + count = var.github_app.id_ssm != null ? 0 : 1 name = "${var.path_prefix}/github_app_id" type = "SecureString" value = var.github_app.id @@ -7,6 +8,7 @@ resource "aws_ssm_parameter" "github_app_id" { } resource "aws_ssm_parameter" "github_app_key_base64" { + count = var.github_app.key_base64_ssm != null ? 0 : 1 name = "${var.path_prefix}/github_app_key_base64" type = "SecureString" value = var.github_app.key_base64 @@ -15,6 +17,7 @@ resource "aws_ssm_parameter" "github_app_key_base64" { } resource "aws_ssm_parameter" "github_app_webhook_secret" { + count = var.github_app.webhook_secret_ssm != null ? 0 : 1 name = "${var.path_prefix}/github_app_webhook_secret" type = "SecureString" value = var.github_app.webhook_secret diff --git a/modules/ssm/variables.tf b/modules/ssm/variables.tf index 310f3a8d89..1eb796aea7 100644 --- a/modules/ssm/variables.tf +++ b/modules/ssm/variables.tf @@ -1,10 +1,37 @@ variable "github_app" { - description = "GitHub app parameters, see your github app. Ensure the key is the base64-encoded `.pem` file (the output of `base64 app.private-key.pem`, not the content of `private-key.pem`)." + description = < { + name = v.name + arn = v.arn + } + } } diff --git a/variables.tf b/variables.tf index eb3fbb7604..cb30dcef5d 100644 --- a/variables.tf +++ b/variables.tf @@ -32,12 +32,39 @@ variable "enable_organization_runners" { } variable "github_app" { - description = "GitHub app parameters, see your github app. Ensure the key is the base64-encoded `.pem` file (the output of `base64 app.private-key.pem`, not the content of `private-key.pem`)." + description = <