
feat: add an IAM policy to grant the runner access to the KMS key #778

Merged
merged 7 commits into from
Apr 20, 2023

Conversation

jasonjanderson

@jasonjanderson jasonjanderson commented Mar 31, 2023

Description

Fixes some issues with accessing the S3 bucket when the bucket has KMS encryption enabled.

Allowing the runner role the ability to use the KMS key. We mainly ran into issues with this around access to the caching S3 bucket. Without access to the KMS key, the runners can't pull from or push to the S3 bucket created by this project.

In case var.enable_kms is set to true, the module automatically adds a policy to access the KMS key.

Migrations required

No

Verification

Custom:

```hcl
module "runner" {
  source      = "github.com/jasonjanderson/terraform-aws-gitlab-runner?ref=kms"
  aws_region  = data.aws_region.current.name
  environment = "terraform"

  #   ssh_public_key = local_file.public_ssh_key.content

  vpc_id                   = module.vpc.vpc_id
  subnet_ids_gitlab_runner = module.vpc.private_subnets
  subnet_id_runners        = element(module.vpc.private_subnets, 0)

  runners_name       = "terraform"
  runners_gitlab_url = "https://gitlab.com"

  gitlab_runner_registration_config = {
    registration_token = data.gitlab_project.init-register.runners_token
    tag_list           = "terraform"
    description        = data.gitlab_project.init-register.name
    locked_to_project  = "true"
    run_untagged       = "false"
    maximum_timeout    = "3600"
  }

  docker_machine_spot_price_bid = "on-demand-price"
  docker_machine_instance_type  = "t3.large"

  # Exercises the new behaviour: the module attaches the KMS policy itself.
  enable_kms                           = true
  enable_cloudwatch_logging            = true
  cloudwatch_logging_retention_in_days = 14
  agent_tags                           = local.terraform_runner_tags
  runner_tags                          = local.terraform_runner_tags
  docker_machine_iam_policy_arns       = [aws_iam_policy.terraform_runner.arn]
  runners_add_dind_volumes             = true
  runners_executor                     = "docker+machine"
  runners_monitoring                   = true
  runners_request_concurrency          = 10
  runners_machine_autoscaling = [{
    periods    = ["\"* * 8-19 * * mon-fri *\""]
    idle_count = 1
    idle_time  = 1800
    timezone   = "America/Chicago"
  }]
}
```

Fixes some issues with accessing the S3 bucket when the bucket has KMS
encryption enabled.
@github-actions

Hey @jasonjanderson! 👋

Thank you for your contribution to the project. Please refer to the contribution rules for a quick overview of the process.

Make sure that this PR clearly explains:

  • the problem being solved
  • the best way a reviewer and you can test your changes

By submitting this PR you confirm that you hold the rights to the code added and agree that it will be published under this LICENSE.

The following ChatOps commands are supported:

  • /help: notifies a maintainer to help you out

Simply add a comment with the command in the first line. If you need to pass more information, separate it with a blank line from the command.

This message was generated automatically. You are welcome to improve it.


@kayman-mk kayman-mk left a comment


Good job! Thanks for implementing the KMS policy in the module. Makes the module easier to use.

@kayman-mk kayman-mk changed the title Adding an IAM policy to grant the runner access to the KMS key chore: add an IAM policy to grant the runner access to the KMS key Apr 4, 2023
@kayman-mk

@npalm Any chance to test this change (have no access to a computer right now)? It looks good to me. I think we have to create a release note so users can remove their own KMS policy.

@npalm

npalm commented Apr 4, 2023

> @npalm Any chance to test this change (have no access to a computer right now)? It looks good to me. I think we have to create a release note so users can remove their own KMS policy.

will do my best to test it today or tomorrow. Thx for the ping

@npalm npalm changed the title chore: add an IAM policy to grant the runner access to the KMS key feat: add an IAM policy to grant the runner access to the KMS key Apr 4, 2023

@npalm npalm left a comment


@jasonjanderson thx for the contribution.

  • Tested with a deployment without KMS key, all fine
  • When setting enable_kms and not providing a managed key, the module fails. See inline comment.

Did not have the time to explore a solution right now.
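One way to express the behaviour described in the PR description (a KMS policy attached to the runner role only when `enable_kms` is true) that also covers the failure reported above when no managed key is supplied. This is an added illustration, not the module's or the PR's own code; the variable `kms_key_id`, the role `aws_iam_role.instance`, the resource names and the reuse of `var.environment` as a naming prefix are assumptions made here.

```hcl
# Added example, not the module's own code. Names marked "assumed" are not from the PR.

variable "enable_kms" {
  type    = bool
  default = false
}

# assumed: ARN of an existing customer-managed key; empty means "create one"
variable "kms_key_id" {
  type    = string
  default = ""
}

# Create a key only when KMS is enabled and no external key was supplied,
# so enable_kms = true without a key no longer has nothing to grant access to.
resource "aws_kms_key" "cache" {
  count               = (var.enable_kms && var.kms_key_id == "") ? 1 : 0
  description         = "GitLab runner cache bucket encryption"
  enable_key_rotation = true
}

locals {
  kms_key_arn = var.enable_kms ? (
    var.kms_key_id != "" ? var.kms_key_id : aws_kms_key.cache[0].arn
  ) : null
}

# Least privilege: only the key operations S3 SSE-KMS needs, on that one key ARN.
data "aws_iam_policy_document" "runner_kms" {
  count = var.enable_kms ? 1 : 0

  statement {
    sid       = "RunnerCacheKeyAccess"
    actions   = ["kms:Decrypt", "kms:GenerateDataKey", "kms:DescribeKey"]
    resources = [local.kms_key_arn]
  }
}

resource "aws_iam_policy" "runner_kms" {
  count  = var.enable_kms ? 1 : 0
  name   = "${var.environment}-runner-kms"
  policy = data.aws_iam_policy_document.runner_kms[0].json
}

resource "aws_iam_role_policy_attachment" "runner_kms" {
  count      = var.enable_kms ? 1 : 0
  role       = aws_iam_role.instance.name # assumed: the runner instance role
  policy_arn = aws_iam_policy.runner_kms[0].arn
}
```

Scoping `resources` to the single key ARN rather than `"*"` keeps the grant from covering other keys in the account, and `terraform plan` with `enable_kms = false` should show none of these resources being created.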

@npalm npalm requested a review from kayman-mk April 16, 2023 14:31

@npalm npalm left a comment


@jasonjanderson thanks for your work, all looks good. @kayman-mk for me the PR is ready.

@kayman-mk kayman-mk merged commit df25b6a into cattle-ops:main Apr 20, 2023
kayman-mk pushed a commit that referenced this pull request Apr 21, 2023
🤖 I have created a release *beep* *boop*
---

## [6.3.0](6.2.0...6.3.0) (2023-04-21)

### Features

* add an IAM policy to grant the runner access to the KMS key ([#778](#778)) ([df25b6a](df25b6a))
* **spotfleet:** add supports spot fleets for spot instances allowing us to use multiple instance types and AZs ([#777](#777)) ([1bb7e11](1bb7e11))

---
This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

---------

Signed-off-by: Niek Palm <[email protected]>
Co-authored-by: cattle-ops-releaser[bot] <126345536+cattle-ops-releaser[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>