feat: add option to read Gitlab Runner Registration token from SSM (#822)

Conoreby · kayman-mk · web-flow · commit 51d63e61f8fe · 2023-05-03T08:28:32.000+02:00
## Description Adds the ability to read the Gitlab registration token from SSM. If no registration token is passed in, it will look in SSM to find the token to use. This prevents the token from being leaked as part of the user_data. ```hcl module "gitlab_runner" { # ... gitlab_runner_registration_config = { registration_token = "" # this is the default value too # ... } secure_parameter_store_gitlab_runner_registration_token_name = "name-of-ssm-parameter-holding-the-registration-token" ``` Closes #776 Precondition for #186 to get rid of pre-registered runners. ## Migrations required NO ## Verification I modified the runner-default example to not pass in a registration token and added the token to SSM instead. Then I started up the runner and confirmed that it successfully registered with Gitlab. --------- Co-authored-by: Matthias Kay <github-public@matthiaskay.de> Co-authored-by: Matthias Kay <matthias.kay@hlag.com>
diff --git a/README.md b/README.md
@@ -170,6 +170,9 @@ gitlab_runner_registration_config = {
 }
 ```
 
+The registration token can also be read in via SSM parameter store. If no registration token is passed in, the module
+will look up the token in the SSM parameter store at the location specified by `secure_parameter_store_gitlab_runner_registration_token_name`.
+
 For migration to the new setup simply add the runner token to the parameter store. Once the runner is started it will lookup the
 required values via the parameter store. If the value is `null` a new runner will be registered and a new token created/stored.
 
@@ -380,12 +383,18 @@ module "runner" {
 
 ### Scenario: Use of Spot Fleet
 
-Since spot instances can be taken over by AWS depending on the instance type and AZ you are using, you may want multiple instances types in multiple AZs. This is where spot fleets come in, when there is no capacity on one instance type and one AZ, AWS will take the next instance type and so on. This update has been possible since the [fork](https://gitlab.com/cki-project/docker-machine/-/tree/v0.16.2-gitlab.19-cki.2) of docker-machine supports spot fleets.
+Since spot instances can be taken over by AWS depending on the instance type and AZ you are using, you may want multiple instances
+types in multiple AZs. This is where spot fleets come in, when there is no capacity on one instance type and one AZ, AWS will take
+the next instance type and so on. This update has been possible since the [fork](https://gitlab.com/cki-project/docker-machine/-/tree/v0.16.2-gitlab.19-cki.2)
+of docker-machine supports spot fleets.
 
-We have seen that the [fork](https://gitlab.com/cki-project/docker-machine/-/tree/v0.16.2-gitlab.19-cki.2) of docker-machine this module is using consume more RAM using spot fleets.
-For comparison, if you launch 50 machines in the same time, it consumes ~1.2GB of RAM. In our case, we had to change the `instance_type` of the runner from `t3.micro` to `t3.small`.
+We have seen that the [fork](https://gitlab.com/cki-project/docker-machine/-/tree/v0.16.2-gitlab.19-cki.2) of docker-machine this
+module is using consume more RAM using spot fleets.
+For comparison, if you launch 50 machines in the same time, it consumes ~1.2GB of RAM. In our case, we had to change the
+`instance_type` of the runner from `t3.micro` to `t3.small`.
 
 #### Configuration example
+
 ```hcl
 module "runner" {
   # https://registry.terraform.io/modules/npalm/gitlab-runner/aws/
diff --git a/main.tf b/main.tf
@@ -53,33 +53,34 @@ locals {
 
   template_gitlab_runner = templatefile("${path.module}/template/gitlab-runner.tftpl",
     {
-      gitlab_runner_version                        = var.gitlab_runner_version
-      docker_machine_version                       = var.docker_machine_version
-      docker_machine_download_url                  = var.docker_machine_download_url
-      runners_config                               = local.template_runner_config
-      runners_userdata                             = var.runners_userdata
-      runners_executor                             = var.runners_executor
-      runners_install_amazon_ecr_credential_helper = var.runners_install_amazon_ecr_credential_helper
-      curl_cacert                                  = length(var.runners_gitlab_certificate) > 0 ? "--cacert /etc/gitlab-runner/certs/gitlab.crt" : ""
-      pre_install_certificates                     = local.pre_install_certificates
-      pre_install                                  = var.userdata_pre_install
-      post_install                                 = var.userdata_post_install
-      runners_gitlab_url                           = var.runners_gitlab_url
-      runners_token                                = var.runners_token
-      secure_parameter_store_runner_token_key      = local.secure_parameter_store_runner_token_key
-      secure_parameter_store_runner_sentry_dsn     = local.secure_parameter_store_runner_sentry_dsn
-      secure_parameter_store_region                = var.aws_region
-      gitlab_runner_registration_token             = var.gitlab_runner_registration_config["registration_token"]
-      gitlab_runner_description                    = var.gitlab_runner_registration_config["description"]
-      gitlab_runner_tag_list                       = var.gitlab_runner_registration_config["tag_list"]
-      gitlab_runner_locked_to_project              = var.gitlab_runner_registration_config["locked_to_project"]
-      gitlab_runner_run_untagged                   = var.gitlab_runner_registration_config["run_untagged"]
-      gitlab_runner_maximum_timeout                = var.gitlab_runner_registration_config["maximum_timeout"]
-      gitlab_runner_access_level                   = lookup(var.gitlab_runner_registration_config, "access_level", "not_protected")
-      sentry_dsn                                   = var.sentry_dsn
-      public_key                                   = var.use_fleet == true ? tls_private_key.fleet[0].public_key_openssh : ""
-      use_fleet                                    = var.use_fleet
-      private_key                                  = var.use_fleet == true ? tls_private_key.fleet[0].private_key_pem : ""
+      gitlab_runner_version                                        = var.gitlab_runner_version
+      docker_machine_version                                       = var.docker_machine_version
+      docker_machine_download_url                                  = var.docker_machine_download_url
+      runners_config                                               = local.template_runner_config
+      runners_userdata                                             = var.runners_userdata
+      runners_executor                                             = var.runners_executor
+      runners_install_amazon_ecr_credential_helper                 = var.runners_install_amazon_ecr_credential_helper
+      curl_cacert                                                  = length(var.runners_gitlab_certificate) > 0 ? "--cacert /etc/gitlab-runner/certs/gitlab.crt" : ""
+      pre_install_certificates                                     = local.pre_install_certificates
+      pre_install                                                  = var.userdata_pre_install
+      post_install                                                 = var.userdata_post_install
+      runners_gitlab_url                                           = var.runners_gitlab_url
+      runners_token                                                = var.runners_token
+      secure_parameter_store_runner_token_key                      = local.secure_parameter_store_runner_token_key
+      secure_parameter_store_runner_sentry_dsn                     = local.secure_parameter_store_runner_sentry_dsn
+      secure_parameter_store_gitlab_runner_registration_token_name = var.secure_parameter_store_gitlab_runner_registration_token_name
+      secure_parameter_store_region                                = var.aws_region
+      gitlab_runner_registration_token                             = lookup(var.gitlab_runner_registration_config, "registration_token", "__GITLAB_REGISTRATION_TOKEN_FROM_SSM__")
+      gitlab_runner_description                                    = var.gitlab_runner_registration_config["description"]
+      gitlab_runner_tag_list                                       = var.gitlab_runner_registration_config["tag_list"]
+      gitlab_runner_locked_to_project                              = var.gitlab_runner_registration_config["locked_to_project"]
+      gitlab_runner_run_untagged                                   = var.gitlab_runner_registration_config["run_untagged"]
+      gitlab_runner_maximum_timeout                                = var.gitlab_runner_registration_config["maximum_timeout"]
+      gitlab_runner_access_level                                   = lookup(var.gitlab_runner_registration_config, "access_level", "not_protected")
+      sentry_dsn                                                   = var.sentry_dsn
+      public_key                                                   = var.use_fleet == true ? tls_private_key.fleet[0].public_key_openssh : ""
+      use_fleet                                                    = var.use_fleet
+      private_key                                                  = var.use_fleet == true ? tls_private_key.fleet[0].private_key_pem : ""
   })
 
   template_runner_config = templatefile("${path.module}/template/runner-config.tftpl",
diff --git a/template/gitlab-runner.tftpl b/template/gitlab-runner.tftpl
@@ -32,10 +32,17 @@ then
   [[ "$valid_token_response" != "200" ]] && valid_token=false
 fi
 
+gitlab_runner_registration_token=${gitlab_runner_registration_token}
+# fetch registration token from SSM
+if [[ "$gitlab_runner_registration_token" == "__GITLAB_REGISTRATION_TOKEN_FROM_SSM__" ]]
+then
+    gitlab_runner_registration_token=$(aws ssm get-parameter --name "${secure_parameter_store_gitlab_runner_registration_token_name}" --with-decryption --region "${secure_parameter_store_region}" | jq -r ".Parameter | .Value")
+fi
+
 if [[ "${runners_token}" == "__REPLACED_BY_USER_DATA__" && "$token" == "null" ]] || [[ "$valid_token" == "false" ]]
 then
   token=$(curl ${curl_cacert} --request POST -L "${runners_gitlab_url}/api/v4/runners" \
-    --form "token=${gitlab_runner_registration_token}" \
+    --form "token=$gitlab_runner_registration_token" \
     --form "tag_list=${gitlab_runner_tag_list}" \
     --form "description=${gitlab_runner_description}" \
     --form "locked=${gitlab_runner_locked_to_project}" \
diff --git a/variables.tf b/variables.tf
@@ -615,6 +615,12 @@ variable "gitlab_runner_registration_config" {
   }
 }
 
+variable "secure_parameter_store_gitlab_runner_registration_token_name" {
+  description = "The name of the SSM parameter to read the GitLab Runner registration token from."
+  type        = string
+  default     = "gitlab-runner-registration-token"
+}
+
 variable "secure_parameter_store_runner_token_key" {
   description = "The key name used store the Gitlab runner token in Secure Parameter Store"
   type        = string

Original file line number	Diff line number	Diff line change
`@@ -615,6 +615,12 @@ variable "gitlab_runner_registration_config" {`
`615`	`615`	`}`
`616`	`616`	`}`
`617`	`617`
	`618`	`+variable "secure_parameter_store_gitlab_runner_registration_token_name" {`
	`619`	`+ description = "The name of the SSM parameter to read the GitLab Runner registration token from."`
	`620`	`+ type = string`
	`621`	`+ default = "gitlab-runner-registration-token"`
	`622`	`+}`
	`623`	`+`
`618`	`624`	`variable "secure_parameter_store_runner_token_key" {`
`619`	`625`	`description = "The key name used store the Gitlab runner token in Secure Parameter Store"`
`620`	`626`	`type = string`