refactor: avoid creating some resources if runners_executor is not docker+machine (#369)

halilkaya · Halil Kaya · kayman-mk · web-flow · commit 81d707c38ad2 · 2023-01-12T16:58:55.000+01:00
No need to create the some resources that are directly relevant to docker machine since variable runners_executor does not have value docker+machine.

Co-authored-by: Halil Kaya &lt;halil.kaya@sendcloud.com&gt;
Co-authored-by: Matthias Kay &lt;github-public@matthiaskay.de&gt;
Co-authored-by: kayma &lt;kayma@hlag.com&gt;
diff --git a/main.tf b/main.tf
@@ -87,11 +87,11 @@ locals {
       runners_aws_zone                  = data.aws_availability_zone.runners.name_suffix
       runners_instance_type             = var.docker_machine_instance_type
       runners_spot_price_bid            = var.docker_machine_spot_price_bid == "on-demand-price" ? "" : var.docker_machine_spot_price_bid
-      runners_ami                       = data.aws_ami.docker_machine.id
-      runners_security_group_name       = aws_security_group.docker_machine.name
+      runners_ami                       = var.runners_executor == "docker+machine" ? data.aws_ami.docker-machine[0].id : ""
+      runners_security_group_name       = var.runners_executor == "docker+machine" ? aws_security_group.docker_machine[0].name : ""
       runners_monitoring                = var.runners_monitoring
       runners_ebs_optimized             = var.runners_ebs_optimized
-      runners_instance_profile          = aws_iam_instance_profile.docker_machine.name
+      runners_instance_profile          = var.runners_executor == "docker+machine" ? aws_iam_instance_profile.docker_machine[0].name : ""
       runners_additional_volumes        = local.runners_additional_volumes
       docker_machine_options            = length(local.docker_machine_options_string) == 1 ? "" : local.docker_machine_options_string
       docker_machine_name               = format("%s-%s", local.runner_tags_merged["Name"], "%s") # %s is always needed
@@ -137,7 +137,9 @@ locals {
   )
 }
 
-data "aws_ami" "docker_machine" {
+data "aws_ami" "docker-machine" {
+  count = var.runners_executor == "docker+machine" ? 1 : 0
+
   most_recent = "true"
 
   dynamic "filter" {
@@ -343,7 +345,8 @@ resource "aws_iam_instance_profile" "instance" {
 }
 
 resource "aws_iam_role" "instance" {
-  count                = var.create_runner_iam_role ? 1 : 0
+  count = var.create_runner_iam_role ? 1 : 0
+
   name                 = local.aws_iam_role_instance_name
   assume_role_policy   = length(var.instance_role_json) > 0 ? var.instance_role_json : templatefile("${path.module}/policies/instance-role-trust-policy.json", {})
   permissions_boundary = var.permissions_boundary == "" ? null : "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:policy/${var.permissions_boundary}"
@@ -356,22 +359,23 @@ resource "aws_iam_role" "instance" {
 ### iam:PassRole To pass the role from the agent to the docker machine runners
 ################################################################################
 resource "aws_iam_policy" "instance_docker_machine_policy" {
-  count       = var.create_runner_iam_role ? 1 : 0
+  count = var.runners_executor == "docker+machine" && var.create_runner_iam_role ? 1 : 0
+
   name        = "${local.name_iam_objects}-docker-machine"
   path        = "/"
   description = "Policy for docker machine."
   policy = templatefile("${path.module}/policies/instance-docker-machine-policy.json",
     {
-      docker_machine_role_arn = aws_iam_role.docker_machine.arn
+      docker_machine_role_arn = aws_iam_role.docker_machine[0].arn
   })
   tags = local.tags
 }
 
 resource "aws_iam_role_policy_attachment" "instance_docker_machine_policy" {
-  count = var.create_runner_iam_role ? 1 : 0
+  count = var.runners_executor == "docker+machine" && var.create_runner_iam_role ? 1 : 0
 
-  role       = local.aws_iam_role_instance_name
-  policy_arn = aws_iam_policy.instance_docker_machine_policy[count.index].arn
+  role       = aws_iam_role.instance[0].name
+  policy_arn = aws_iam_policy.instance_docker_machine_policy[0].arn
 }
 
 ################################################################################
@@ -418,7 +422,7 @@ resource "aws_iam_role_policy_attachment" "docker_machine_cache_instance" {
   /* If the S3 cache adapter is configured to use an IAM instance profile, the
      adapter uses the profile attached to the GitLab Runner machine. So do not
      use aws_iam_role.docker_machine.name here! See https://docs.gitlab.com/runner/configuration/advanced-configuration.html */
-  count = var.cache_bucket["create"] || length(lookup(var.cache_bucket, "policy", "")) > 0 ? 1 : 0
+  count = var.runners_executor == "docker+machine" ? (var.cache_bucket["create"] || lookup(var.cache_bucket, "policy", "") != "" ? 1 : 0) : 0
 
   role       = local.aws_iam_role_instance_name
   policy_arn = local.bucket_policy
@@ -428,32 +432,35 @@ resource "aws_iam_role_policy_attachment" "docker_machine_cache_instance" {
 ### docker machine instance policy
 ################################################################################
 resource "aws_iam_role" "docker_machine" {
+  count                = var.runners_executor == "docker+machine" ? 1 : 0
   name                 = "${local.name_iam_objects}-docker-machine"
   assume_role_policy   = length(var.docker_machine_role_json) > 0 ? var.docker_machine_role_json : templatefile("${path.module}/policies/instance-role-trust-policy.json", {})
   permissions_boundary = var.permissions_boundary == "" ? null : "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:policy/${var.permissions_boundary}"
   tags                 = local.tags
 }
 
 resource "aws_iam_instance_profile" "docker_machine" {
-  name = "${local.name_iam_objects}-docker-machine"
-  role = aws_iam_role.docker_machine.name
-  tags = local.tags
+  count = var.runners_executor == "docker+machine" ? 1 : 0
+  name  = "${local.name_iam_objects}-docker-machine"
+  role  = aws_iam_role.docker_machine[0].name
+  tags  = local.tags
 }
 
 ################################################################################
 ### Add user defined policies
 ################################################################################
 resource "aws_iam_role_policy_attachment" "docker_machine_user_defined_policies" {
-  count      = length(var.docker_machine_iam_policy_arns)
-  role       = aws_iam_role.docker_machine.name
+  count = var.runners_executor == "docker+machine" ? length(var.docker_machine_iam_policy_arns) : 0
+
+  role       = aws_iam_role.docker_machine[0].name
   policy_arn = var.docker_machine_iam_policy_arns[count.index]
 }
 
 ################################################################################
 resource "aws_iam_role_policy_attachment" "docker_machine_session_manager_aws_managed" {
-  count = var.enable_docker_machine_ssm_access ? 1 : 0
+  count = (var.runners_executor == "docker+machine" && var.enable_docker_machine_ssm_access) ? 1 : 0
 
-  role       = aws_iam_role.docker_machine.name
+  role       = aws_iam_role.docker_machine[0].name
   policy_arn = "arn:${data.aws_partition.current.partition}:iam::aws:policy/AmazonSSMManagedInstanceCore"
 }
 
diff --git a/outputs.tf b/outputs.tf
@@ -25,12 +25,12 @@ output "runner_agent_role_name" {
 
 output "runner_role_arn" {
   description = "ARN of the role used for the docker machine runners."
-  value       = aws_iam_role.docker_machine.arn
+  value       = element(concat(aws_iam_role.docker_machine.*.arn, [""]), 0)
 }
 
 output "runner_role_name" {
   description = "Name of the role used for the docker machine runners."
-  value       = aws_iam_role.docker_machine.name
+  value       = element(concat(aws_iam_role.docker_machine.*.name, [""]), 0)
 }
 
 output "runner_agent_sg_id" {
@@ -40,7 +40,7 @@ output "runner_agent_sg_id" {
 
 output "runner_sg_id" {
   description = "ID of the security group attached to the docker machine runners."
-  value       = aws_security_group.docker_machine.id
+  value       = element(concat(aws_security_group.docker_machine.*.id, [""]), 0)
 }
 
 output "runner_eip" {
diff --git a/security_groups.tf b/security_groups.tf
@@ -64,6 +64,7 @@ resource "aws_security_group_rule" "runner_ping_group" {
 ########################################
 
 resource "aws_security_group" "docker_machine" {
+  count       = var.runners_executor == "docker+machine" ? 1 : 0
   name_prefix = "${local.name_sg}-docker-machine"
   vpc_id      = var.vpc_id
   description = var.docker_machine_security_group_description
@@ -103,18 +104,20 @@ resource "aws_security_group" "docker_machine" {
 
 # Allow docker-machine traffic from gitlab-runner agent instances to docker-machine instances
 resource "aws_security_group_rule" "docker_machine_docker_runner" {
+  count = var.runners_executor == "docker+machine" ? 1 : 0
+
   type      = "ingress"
   from_port = 2376
   to_port   = 2376
   protocol  = "tcp"
 
   source_security_group_id = aws_security_group.runner.id
-  security_group_id        = aws_security_group.docker_machine.id
+  security_group_id        = aws_security_group.docker_machine[0].id
 
   description = format(
     "Allow docker-machine traffic from group %s to docker-machine instances in group %s",
     aws_security_group.runner.name,
-    aws_security_group.docker_machine.name
+    aws_security_group.docker_machine[0].name
   )
 }
 
@@ -130,37 +133,39 @@ locals {
 
 # Allow SSH traffic from gitlab-runner agent instances and security group IDs to docker-machine instances
 resource "aws_security_group_rule" "docker_machine_ssh_runner" {
+  count = var.runners_executor == "docker+machine" ? 1 : 0
+
   type      = "ingress"
   from_port = 22
   to_port   = 22
   protocol  = "tcp"
 
   source_security_group_id = aws_security_group.runner.id
-  security_group_id        = aws_security_group.docker_machine.id
+  security_group_id        = aws_security_group.docker_machine[0].id
 
   description = format(
     "Allow SSH traffic from %s to docker-machine instances in group %s on port 22",
     aws_security_group.runner.id,
-    aws_security_group.docker_machine.name
+    aws_security_group.docker_machine[0].name
   )
 }
 
 # Allow ICMP traffic from gitlab-runner agent instances and security group IDs to docker-machine instances
 resource "aws_security_group_rule" "docker_machine_ping_runner" {
-  count = length(local.security_groups_ping)
+  count = var.runners_executor == "docker+machine" ? length(local.security_groups_ping) : 0
 
   type      = "ingress"
   from_port = -1
   to_port   = -1
   protocol  = "icmp"
 
   source_security_group_id = element(local.security_groups_ping, count.index)
-  security_group_id        = aws_security_group.docker_machine.id
+  security_group_id        = aws_security_group.docker_machine[0].id
 
   description = format(
     "Allow ICMP traffic from %s to docker-machine instances in group %s",
     element(local.security_groups_ping, count.index),
-    aws_security_group.docker_machine.name
+    aws_security_group.docker_machine[0].name
   )
 }
 
@@ -170,49 +175,54 @@ resource "aws_security_group_rule" "docker_machine_ping_runner" {
 
 # Allow docker-machine traffic from docker-machine instances to docker-machine instances on port 2376
 resource "aws_security_group_rule" "docker_machine_docker_self" {
+  count = var.runners_executor == "docker+machine" ? 1 : 0
+
   type      = "ingress"
   from_port = 2376
   to_port   = 2376
   protocol  = "tcp"
   self      = true
 
-  security_group_id = aws_security_group.docker_machine.id
+  security_group_id = aws_security_group.docker_machine[0].id
 
   description = format(
     "Allow docker-machine traffic within group %s on port 2376",
-    aws_security_group.docker_machine.name,
+    aws_security_group.docker_machine[0].name,
   )
 }
 
 # Allow SSH traffic from docker-machine instances to docker-machine instances on port 22
 resource "aws_security_group_rule" "docker_machine_ssh_self" {
+  count = var.runners_executor == "docker+machine" ? 1 : 0
+
   type      = "ingress"
   from_port = 22
   to_port   = 22
   protocol  = "tcp"
   self      = true
 
-  security_group_id = aws_security_group.docker_machine.id
+  security_group_id = aws_security_group.docker_machine[0].id
 
   description = format(
     "Allow SSH traffic within group %s on port 22",
-    aws_security_group.docker_machine.name,
+    aws_security_group.docker_machine[0].name,
   )
 }
 
 # Allow ICMP traffic from docker-machine instances to docker-machine instances
 resource "aws_security_group_rule" "docker_machine_ping_self" {
-  count     = var.enable_ping ? 1 : 0
+  count = (var.runners_executor == "docker+machine" && var.enable_ping) ? 1 : 0
+
   type      = "ingress"
   from_port = -1
   to_port   = -1
   protocol  = "icmp"
   self      = true
 
-  security_group_id = aws_security_group.docker_machine.id
+  security_group_id = aws_security_group.docker_machine[0].id
 
   description = format(
     "Allow ICMP traffic within group %s",
-    aws_security_group.docker_machine.name,
+    aws_security_group.docker_machine[0].name,
   )
 }

Original file line number	Diff line number	Diff line change
`@@ -25,12 +25,12 @@ output "runner_agent_role_name" {`
`25`	`25`
`26`	`26`	`output "runner_role_arn" {`
`27`	`27`	`description = "ARN of the role used for the docker machine runners."`
`28`		`- value = aws_iam_role.docker_machine.arn`
	`28`	`+ value = element(concat(aws_iam_role.docker_machine.*.arn, [""]), 0)`
`29`	`29`	`}`
`30`	`30`
`31`	`31`	`output "runner_role_name" {`
`32`	`32`	`description = "Name of the role used for the docker machine runners."`
`33`		`- value = aws_iam_role.docker_machine.name`
	`33`	`+ value = element(concat(aws_iam_role.docker_machine.*.name, [""]), 0)`
`34`	`34`	`}`
`35`	`35`
`36`	`36`	`output "runner_agent_sg_id" {`
`@@ -40,7 +40,7 @@ output "runner_agent_sg_id" {`
`40`	`40`
`41`	`41`	`output "runner_sg_id" {`
`42`	`42`	`description = "ID of the security group attached to the docker machine runners."`
`43`		`- value = aws_security_group.docker_machine.id`
	`43`	`+ value = element(concat(aws_security_group.docker_machine.*.id, [""]), 0)`
`44`	`44`	`}`
`45`	`45`
`46`	`46`	`output "runner_eip" {`