From c69a0e160dbbeb70778a2bb47de071b1dc0d44ff Mon Sep 17 00:00:00 2001 From: Niek Palm Date: Thu, 19 May 2022 23:44:38 +0200 Subject: [PATCH] feat: Add metadata options for docker mahcine - set default the usage of metadata tokens to required - refactor usages close: #445 Co-authored-by: Matthias Kay --- README.md | 12 ++++---- examples/runner-default/main.tf | 1 - locals.tf | 2 +- main.tf | 6 ++-- template/gitlab-runner.tpl | 2 +- variables.tf | 50 +++++++++++++++++++++++++++++---- 6 files changed, 57 insertions(+), 16 deletions(-) diff --git a/README.md b/README.md index 20970082d..d892c0126 100644 --- a/README.md +++ b/README.md @@ -303,7 +303,7 @@ terraform destroy | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1 | -| [aws](#requirement\_aws) | ~> 3.35 | +| [aws](#requirement\_aws) | ~> 4 | ## Providers @@ -397,12 +397,13 @@ terraform destroy | [docker\_machine\_download\_url](#input\_docker\_machine\_download\_url) | (Optional) By default the module will use `docker_machine_version` to download the GitLab mantained version of Docker Machine. Alternative you can set this property to download location of the distribution of for the OS. See also https://docs.gitlab.com/runner/executors/docker_machine.html#install | `string` | `""` | no | | [docker\_machine\_egress\_rules](#input\_docker\_machine\_egress\_rules) | List of egress rules for the docker-machine instance(s). |
list(object({
cidr_blocks = list(string)
ipv6_cidr_blocks = list(string)
prefix_list_ids = list(string)
from_port = number
protocol = string
security_groups = list(string)
self = bool
to_port = number
description = string
}))
|
[
{
"cidr_blocks": [
"0.0.0.0/0"
],
"description": "Allow all egress traffic for docker machine build runners",
"from_port": 0,
"ipv6_cidr_blocks": [
"::/0"
],
"prefix_list_ids": null,
"protocol": "-1",
"security_groups": null,
"self": null,
"to_port": 0
}
]
| no | | [docker\_machine\_iam\_policy\_arns](#input\_docker\_machine\_iam\_policy\_arns) | List of policy ARNs to be added to the instance profile of the docker machine runners. | `list(string)` | `[]` | no | +| [docker\_machine\_instance\_metadata\_options](#input\_docker\_machine\_instance\_metadata\_options) | Enable the docker machine instances metadata service. Requires you use GitLab maintained docker machines. |
object({
http_tokens = string
http_put_response_hop_limit = number
})
|
{
"http_put_response_hop_limit": 2,
"http_tokens": "required"
}
| no | | [docker\_machine\_instance\_type](#input\_docker\_machine\_instance\_type) | Instance type used for the instances hosting docker-machine. | `string` | `"m5.large"` | no | | [docker\_machine\_options](#input\_docker\_machine\_options) | List of additional options for the docker machine config. Each element of this list must be a key=value pair. E.g. '["amazonec2-zone=a"]' | `list(string)` | `[]` | no | | [docker\_machine\_role\_json](#input\_docker\_machine\_role\_json) | Docker machine runner instance override policy, expected to be in JSON format. | `string` | `""` | no | | [docker\_machine\_security\_group\_description](#input\_docker\_machine\_security\_group\_description) | A description for the docker-machine security group | `string` | `"A security group containing docker-machine instances"` | no | | [docker\_machine\_spot\_price\_bid](#input\_docker\_machine\_spot\_price\_bid) | Spot price bid. The maximum price willing to pay. By default the price is limited by the current on demand price for the instance type chosen. | `string` | `"on-demand-price"` | no | -| [docker\_machine\_version](#input\_docker\_machine\_version) | By default docker\_machine\_download\_url is used to set the docker machine version. Version of docker-machine. The version will be ingored once `docker_machine_download_url` is set. | `string` | `"0.16.2-gitlab.12"` | no | +| [docker\_machine\_version](#input\_docker\_machine\_version) | By default docker\_machine\_download\_url is used to set the docker machine version. Version of docker-machine. The version will be ingored once `docker_machine_download_url` is set. | `string` | `"0.16.2-gitlab.15"` | no | | [enable\_asg\_recreation](#input\_enable\_asg\_recreation) | Enable automatic redeployment of the Runner ASG when the Launch Configs change. | `bool` | `true` | no | | [enable\_cloudwatch\_logging](#input\_enable\_cloudwatch\_logging) | Boolean used to enable or disable the CloudWatch logging. 
| `bool` | `true` | no | | [enable\_docker\_machine\_ssm\_access](#input\_enable\_docker\_machine\_ssm\_access) | Add IAM policies to the docker-machine instances to connect via the Session Manager. | `bool` | `false` | no | @@ -419,7 +420,7 @@ terraform destroy | [gitlab\_runner\_registration\_config](#input\_gitlab\_runner\_registration\_config) | Configuration used to register the runner. See the README for an example, or reference the examples in the examples directory of this repo. | `map(string)` |
{
"access_level": "",
"description": "",
"locked_to_project": "",
"maximum_timeout": "",
"registration_token": "",
"run_untagged": "",
"tag_list": ""
}
| no | | [gitlab\_runner\_security\_group\_description](#input\_gitlab\_runner\_security\_group\_description) | A description for the gitlab-runner security group | `string` | `"A security group containing gitlab-runner agent instances"` | no | | [gitlab\_runner\_security\_group\_ids](#input\_gitlab\_runner\_security\_group\_ids) | A list of security group ids that are allowed to access the gitlab runner agent | `list(string)` | `[]` | no | -| [gitlab\_runner\_version](#input\_gitlab\_runner\_version) | Version of the [GitLab runner](https://gitlab.com/gitlab-org/gitlab-runner/-/releases). | `string` | `"14.8.2"` | no | +| [gitlab\_runner\_version](#input\_gitlab\_runner\_version) | Version of the [GitLab runner](https://gitlab.com/gitlab-org/gitlab-runner/-/releases). | `string` | `"14.8.3"` | no | | [instance\_role\_json](#input\_instance\_role\_json) | Default runner instance override policy, expected to be in JSON format. | `string` | `""` | no | | [instance\_type](#input\_instance\_type) | Instance type used for the GitLab runner. | `string` | `"t3.micro"` | no | | [kms\_alias\_name](#input\_kms\_alias\_name) | Alias added to the kms\_key (if created and not provided by kms\_key\_id) | `string` | `""` | no | 
@@ -437,8 +438,9 @@ terraform destroy | [runner\_iam\_policy\_arns](#input\_runner\_iam\_policy\_arns) | List of policy ARNs to be added to the instance profile of the gitlab runner agent ec2 instance. | `list(string)` | `[]` | no | | [runner\_instance\_ebs\_optimized](#input\_runner\_instance\_ebs\_optimized) | Enable the GitLab runner instance to be EBS-optimized. | `bool` | `true` | no | | [runner\_instance\_enable\_monitoring](#input\_runner\_instance\_enable\_monitoring) | Enable the GitLab runner instance to have detailed monitoring. | `bool` | `true` | no | -| [runner\_instance\_metadata\_options\_http\_endpoint](#input\_runner\_instance\_metadata\_options\_http\_endpoint) | Enable the Gitlab runner agent instance metadata service. The allowed values are enabled, disabled. | `string` | `"enabled"` | no | -| [runner\_instance\_metadata\_options\_http\_tokens](#input\_runner\_instance\_metadata\_options\_http\_tokens) | Set if Gitlab runner agent instance metadata service session tokens are required. The allowed values are optional, required. | `string` | `"optional"` | no | +| [runner\_instance\_metadata\_options](#input\_runner\_instance\_metadata\_options) | Enable the Gitlab runner agent instance metadata service. |
object({
http_endpoint = string
http_tokens = string
http_put_response_hop_limit = number
instance_metadata_tags = string
})
|
{
"http_endpoint": "enabled",
"http_put_response_hop_limit": 2,
"http_tokens": "required",
"instance_metadata_tags": "disabled"
}
| no |
+| [runner\_instance\_metadata\_options\_http\_endpoint](#input\_runner\_instance\_metadata\_options\_http\_endpoint) | DEPRECATED, replaced by runner\_instance\_metadata\_options. Enable the Gitlab runner agent instance metadata service. The allowed values are enabled, disabled. | `string` | `null` | no |
+| [runner\_instance\_metadata\_options\_http\_tokens](#input\_runner\_instance\_metadata\_options\_http\_tokens) | EPRECATED, replaced by runner\_instance\_metadata\_options. Set if Gitlab runner agent instance metadata service session tokens are required. The allowed values are optional, required. | `string` | `null` | no |
 | [runner\_instance\_spot\_price](#input\_runner\_instance\_spot\_price) | By setting a spot price bid price the runner agent will be created via a spot request. Be aware that spot instances can be stopped by AWS. Choose "on-demand-price" to pay up to the current on demand price for the instance type chosen. | `string` | `null` | no |
 | [runner\_root\_block\_device](#input\_runner\_root\_block\_device) | The EC2 instance root block device configuration. Takes the following keys: `device_name`, `delete_on_termination`, `volume_type`, `volume_size`, `encrypted`, `iops`, `throughput`, `kms_key_id` | `map(string)` | `{}` | no |
 | [runner\_tags](#input\_runner\_tags) | Map of tags that will be added to runner EC2 instances. | `map(string)` | `{}` | no |
diff --git a/examples/runner-default/main.tf b/examples/runner-default/main.tf
index fc5abeb43..3f08e6bcf 100644
--- a/examples/runner-default/main.tf
+++ b/examples/runner-default/main.tf
@@ -43,7 +43,6 @@ module "runner" {
 gitlab_runner_security_group_ids = [data.aws_security_group.default.id]
- docker_machine_download_url = "https://gitlab-docker-machine-downloads.s3.amazonaws.com/v0.16.2-gitlab.2/docker-machine"
 docker_machine_spot_price_bid = "on-demand-price"
 gitlab_runner_registration_config = {
diff --git a/locals.tf b/locals.tf
index 5d9a29157..fdf5d3997 100644
--- a/locals.tf
+++ b/locals.tf
@@ -1,7 +1,7 @@
 locals {
 // Convert list to a string separated and prepend by a comma
 docker_machine_options_string = format(
- ",%s",
+ ",\"amazonec2-metadata-token=${var.docker_machine_instance_metadata_options.http_tokens}\", \"amazonec2-metadata-token-response-hop-limit=${var.docker_machine_instance_metadata_options.http_put_response_hop_limit}\",%s",
 join(",", formatlist("%q", concat(var.docker_machine_options, local.runners_docker_registry_mirror_option))),
 )
diff --git a/main.tf b/main.tf
index 7034fe8cf..231e3a4d0 100644
--- a/main.tf
+++ b/main.tf
@@ -277,8 +277,10 @@ resource "aws_launch_template" "gitlab_runner_instance" {
 tags = local.tags
 metadata_options {
- http_endpoint = var.runner_instance_metadata_options_http_endpoint
- http_tokens = var.runner_instance_metadata_options_http_tokens
+ http_endpoint = var.runner_instance_metadata_options.http_endpoint
+ http_tokens = var.runner_instance_metadata_options.http_tokens
+ http_put_response_hop_limit = var.runner_instance_metadata_options.http_put_response_hop_limit
+ instance_metadata_tags = var.runner_instance_metadata_options.instance_metadata_tags
 }
 lifecycle {
diff --git a/template/gitlab-runner.tpl b/template/gitlab-runner.tpl
index e068b5df6..ed199acba 100644
--- a/template/gitlab-runner.tpl
+++ b/template/gitlab-runner.tpl
@@ -42,7 +42,7 @@ fi
 if [[ `echo ${docker_machine_download_url}` == "" ]]
 then
- curl --fail --retry 6 -L https://gitlab-docker-machine-downloads.s3.amazonaws.com/v${docker_machine_version}/docker-machine-`uname -s`-`uname -m` >/tmp/docker-machine
+ curl --fail --retry 6 -L https://gitlab.com/gitlab-org/ci-cd/docker-machine/-/releases/v${docker_machine_version}/downloads/docker-machine-`uname -s`-`uname -m` >/tmp/docker-machine
 else
 curl --fail --retry 6 -L ${docker_machine_download_url} >/tmp/docker-machine
 fi
diff --git a/variables.tf b/variables.tf
index c293a22d2..951aa7606 100644
--- a/variables.tf
+++ b/variables.tf
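Review bot: The two `amazonec2-metadata-token…` options in the added format string are emitted unconditionally, while `docker_machine_download_url` still lets a deployment install a docker-machine build that, per the new variable's own description, is not expected to understand them; only the example stops setting that URL. Consider gating the prefix on `var.docker_machine_download_url == ""`, or at least saying in the variable description that a custom download must be a GitLab-maintained release, so the failure is understood before docker-machine rejects the option at job time. The interpolated `http_tokens` value is also written into the runner configuration without any check; a `validation` block on `docker_machine_instance_metadata_options` restricting it to `optional`/`required` turns a typo into a plan-time error instead of a build machine that silently runs without the token requirement this commit means to enforce. The comment on the line above, `// Convert list to a string separated and prepend by a comma`, no longer describes the local; suggest `// Force the metadata-token options onto every docker-machine, then append the user-supplied options, all comma-separated`.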
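Review bot: The new curl line writes the downloaded docker-machine binary to `/tmp/docker-machine` with no integrity check, so whatever the release endpoint (or any redirect followed because of `-L`) returns is accepted as-is; the `else` branch with a user-supplied URL has the same gap. This runs at instance boot and the binary is presumably installed by lines outside the hunk, so pinning the expected digest is cheap insurance: add a variable such as `docker_machine_sha256` (name is a proposal) and verify after the download with `echo "${docker_machine_sha256}  /tmp/docker-machine" | sha256sum -c -`, letting the script fail on mismatch. Whether GitLab publishes a checksum file next to the release asset is not visible here; if it does not, the value can be recorded once per pinned `docker_machine_version` and bumped together with it.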
@@ -67,16 +67,54 @@ variable "runner_instance_spot_price" {
 default = null
 }
+variable "runner_instance_metadata_options" {
+ description = "Enable the Gitlab runner agent instance metadata service."
+ type = object({
+ http_endpoint = string
+ http_tokens = string
+ http_put_response_hop_limit = number
+ instance_metadata_tags = string
+ })
+ default = {
+ http_endpoint = "enabled"
+ http_tokens = "required"
+ http_put_response_hop_limit = 2
+ instance_metadata_tags = "disabled"
+ }
+}
+
+variable "docker_machine_instance_metadata_options" {
+ description = "Enable the docker machine instances metadata service. Requires you use GitLab maintained docker machines."
+ type = object({
+ http_tokens = string
+ http_put_response_hop_limit = number
+ })
+ default = {
+ http_tokens = "required"
+ http_put_response_hop_limit = 2
+ }
+}
+
 variable "runner_instance_metadata_options_http_endpoint" {
- description = "Enable the Gitlab runner agent instance metadata service. The allowed values are enabled, disabled."
+ description = "DEPRECATED, replaced by runner_instance_metadata_options. Enable the Gitlab runner agent instance metadata service. The allowed values are enabled, disabled."
 type = string
- default = "enabled"
+ default = null
+
+ validation {
+ condition = var.runner_instance_metadata_options_http_endpoint == null
+ error_message = "The \"runner_instance_metadata_options_http_endpoint\" variable is no longer used. To migrate, set the \"runner_instance_metadata_options.http_endpoint\" variable to the original value."
+ }
 }
 variable "runner_instance_metadata_options_http_tokens" {
- description = "Set if Gitlab runner agent instance metadata service session tokens are required. The allowed values are optional, required."
+ description = "EPRECATED, replaced by runner_instance_metadata_options. Set if Gitlab runner agent instance metadata service session tokens are required. The allowed values are optional, required."
 type = string
- default = "optional"
+ default = null
+
+ validation {
+ condition = var.runner_instance_metadata_options_http_tokens == null
+ error_message = "The \"runner_instance_metadata_options_http_tokens\" variable is no longer used. To migrate, set the \"runner_instance_metadata_options.http_token\" variable to the original value."
+ }
 }
 variable "docker_machine_instance_type" {
@@ -100,7 +138,7 @@ variable "docker_machine_download_url" {
 variable "docker_machine_version" {
 description = "By default docker_machine_download_url is used to set the docker machine version. Version of docker-machine. The version will be ingored once `docker_machine_download_url` is set."
 type = string
- default = "0.16.2-gitlab.12"
+ default = "0.16.2-gitlab.15"
 }
 variable "runners_name" {
@@ -367,7 +405,7 @@ variable "cache_shared" {
 variable "gitlab_runner_version" {
 description = "Version of the [GitLab runner](https://gitlab.com/gitlab-org/gitlab-runner/-/releases)."
 type = string
- default = "14.8.2"
+ default = "14.8.3"
 }
 variable "enable_ping" {
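Review bot: The `error_message` of the new `runner_instance_metadata_options_http_tokens` validation tells users to set `runner_instance_metadata_options.http_token`, but the attribute declared in the new object type is `http_tokens`, so the migration hint names a key that does not exist; change it to `\"runner_instance_metadata_options.http_tokens\"`. The description of that same variable reads `EPRECATED` (mirrored in the README row), and both new object variables drop the "allowed values" wording the deprecated ones carried while adding no `validation` of their own, so a wrong `http_tokens` or `http_endpoint` value is only rejected by the AWS API at apply time, or not at all on the docker-machine side. A short comment on the two `http_put_response_hop_limit = 2` defaults would help too: a limit of 1 keeps IMDS responses from crossing a NAT hop, so 2 is what lets containers on the runner agent reach the metadata service and thus the instance role credentials — if nothing on the agent needs that, 1 is the tighter value. A validation block for the runner object, mirroring the allowed values the old descriptions listed, would look like the following.
```hcl
variable "runner_instance_metadata_options" {
  # … unchanged: description, type, default …

  validation {
    condition     = contains(["enabled", "disabled"], var.runner_instance_metadata_options.http_endpoint) && contains(["optional", "required"], var.runner_instance_metadata_options.http_tokens) && contains(["enabled", "disabled"], var.runner_instance_metadata_options.instance_metadata_tags)
    error_message = "http_endpoint and instance_metadata_tags must be \"enabled\" or \"disabled\"; http_tokens must be \"optional\" or \"required\"."
  }
}
```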