Commit d45dc37

feat: Separate runner agent private address (#381)
* add a separate variable for the runner agent private address

Allow separate control of the private addresses for the runners and the Gitlab agent. You might want to have separate auto-assign IP address settings for the Gitlab agent and runners. As an example, when you wish to have the Gitlab agent with a public IP address so it can register itself to the Gitlab cloud, where you want the runners to be in a private subnet and have the external IP of the NAT gateway instead of their own IP. This is needed when you have a CICD account which will run deployments in a separate account. The CICD account will host the custom Gitlab runner. In this separate account you want to whitelist the CICD IP addresses so it can perform updates to the infrastructure.

* update description

* update README
1 parent daf5ee0 commit d45dc37

3 files changed

+8
-1
lines changed


README.md

+1
@@ -372,6 +372,7 @@ terraform destroy
372372
| <a name="input_overrides"></a> [overrides](#input\_overrides) | This maps provides the possibility to override some defaults. The following attributes are supported: `name_sg` overwrite the `Name` tag for all security groups created by this module. `name_runner_agent_instance` override the `Name` tag for the ec2 instance defined in the auto launch configuration. `name_docker_machine_runners` ovverrid the `Name` tag spot instances created by the runner agent. | `map(string)` | <pre>{<br> "name_docker_machine_runners": "",<br> "name_iam_objects": "",<br> "name_runner_agent_instance": "",<br> "name_sg": ""<br>}</pre> | no |
373373
| <a name="input_permissions_boundary"></a> [permissions\_boundary](#input\_permissions\_boundary) | Name of permissions boundary policy to attach to AWS IAM roles | `string` | `""` | no |
374374
| <a name="input_role_tags"></a> [role\_tags](#input\_role\_tags) | Map of tags that will be added to the role created. Useful for tag based authorization. | `map(string)` | `{}` | no |
375+
| <a name="input_runner_agent_uses_private_address"></a> [runner\_agent\_uses\_private\_address](#input\_runner\_agent\_uses\_private\_address) | Restrict the runner agent to the use of a private IP address | `bool` | `true` | no |
375376
| <a name="input_runner_ami_filter"></a> [runner\_ami\_filter](#input\_runner\_ami\_filter) | List of maps used to create the AMI filter for the Gitlab runner docker-machine AMI. | `map(list(string))` | <pre>{<br> "name": [<br> "ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-*"<br> ]<br>}</pre> | no |
376377
| <a name="input_runner_ami_owners"></a> [runner\_ami\_owners](#input\_runner\_ami\_owners) | The list of owners used to select the AMI of Gitlab runner docker-machine instances. | `list(string)` | <pre>[<br> "099720109477"<br>]</pre> | no |
377378
| <a name="input_runner_iam_policy_arns"></a> [runner\_iam\_policy\_arns](#input\_runner\_iam\_policy\_arns) | List of policy ARNs to be added to the instance profile of the gitlab runner agent ec2 instance. | `list(string)` | `[]` | no |
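Review bot: the new README row for `runner_agent_uses_private_address` says nothing about its relationship to `runners_use_private_address`, yet the `main.tf` change in this same commit makes the agent's setting depend on it: the new variable only takes effect when set to `false`, and when left at its default of `true` the agent inherits the runners' setting. Someone reading only this table cannot predict whether the agent instance will get a public IP. Please state that precedence in the description (or, if the description is generated from `variables.tf`, fix it there and regenerate).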

main.tf

+1-1
@@ -273,7 +273,7 @@ resource "aws_launch_template" "gitlab_runner_instance" {
273273
}
274274
network_interfaces {
275275
security_groups = concat([aws_security_group.runner.id], var.extra_security_group_ids_runner_agent)
276-
associate_public_ip_address = false == var.runners_use_private_address
276+
associate_public_ip_address = false == (var.runner_agent_uses_private_address == false ? var.runner_agent_uses_private_address : var.runners_use_private_address)
277277
}
278278
tag_specifications {
279279
resource_type = "instance"
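Review bot: the new `associate_public_ip_address` expression only honours `runner_agent_uses_private_address` when it is `false`; when it is `true` (the default) the ternary falls through to `var.runners_use_private_address`, so an operator who sets `runner_agent_uses_private_address = true` together with `runners_use_private_address = false` still gets a public IP on the agent, contradicting the description "Restrict the runner agent to the use of a private IP address". Given that a public address on the agent is exactly the exposure this variable is meant to control, the setting should be explicit: either make it stand on its own, e.g. `associate_public_ip_address = !var.runner_agent_uses_private_address`, or document the fall-through as deliberate backwards compatibility in the variable description. In either case the `false == (...)` form reads awkwardly and would be clearer as a plain negation.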

variables.tf

+6
@@ -332,6 +332,12 @@ variable "runners_use_private_address" {
332332
default = true
333333
}
334334

335+
variable "runner_agent_uses_private_address" {
336+
description = "Restrict the runner agent to the use of a private IP address"
337+
type = bool
338+
default = true
339+
}
340+
335341
variable "runners_request_spot_instance" {
336342
description = "Whether or not to request spot instances via docker-machine"
337343
type = bool
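Review bot: the description on the new `runner_agent_uses_private_address` block reads as though `true` enforces a private address, but as wired in `main.tf` in this commit `true` defers to `runners_use_private_address`; either the description should document that fall-through ("only restricts the agent when set to `false`; otherwise follows `runners_use_private_address`") or the wiring should change so the default actually restricts. Minor naming point: the variable is singular `runner_agent_*` while its sibling is `runners_*`, which is reasonable since it targets one instance, but a one-line cross-reference in each description would help a reader configuring one discover the other.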
