diff --git a/locals.tf b/locals.tf
index 82a2c2711..627134c35 100644
--- a/locals.tf
+++ b/locals.tf
@@ -1,4 +1,11 @@
 locals {
+ # Determine IAM role for runner instance
+ aws_iam_role_instance_name = coalesce(
+ var.runner_iam_role_name,
+ "${local.name_iam_objects}-instance"
+ )
+ aws_iam_role_instance_arn = "arn:${data.aws_partition.current.partition}:iam:${data.aws_caller_identity.current.account_id}:role/${local.aws_iam_role_instance_name}"
+
 # Convert list to a string separated and prepend by a comma
 docker_machine_options_string = format(
 ",\"amazonec2-metadata-token=${var.docker_machine_instance_metadata_options.http_tokens}\", \"amazonec2-metadata-token-response-hop-limit=${var.docker_machine_instance_metadata_options.http_put_response_hop_limit}\",%s",
diff --git a/logging.tf b/logging.tf
index 14898fd16..64888acc4 100644
--- a/logging.tf
+++ b/logging.tf
@@ -1,7 +1,7 @@
 resource "aws_iam_role_policy" "instance" {
 count = var.enable_cloudwatch_logging ? 1 : 0
 name = "${local.name_iam_objects}-instance-role"
- role = aws_iam_role.instance.name
+ role = local.aws_iam_role_instance_name
 policy = templatefile("${path.module}/policies/instance-logging-policy.json", { partition = data.aws_partition.current.partition })
 }
diff --git a/main.tf b/main.tf
index 4469d4dfb..b81386edc 100644
--- a/main.tf
+++ b/main.tf
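Review bot: The role ARN built in the new `aws_iam_role_instance_arn` local is malformed: IAM ARNs carry an empty region field, so the account id must follow `iam::`, as the existing `permissions_boundary` expression in main.tf and the `AmazonSSMManagedInstanceCore` policy ARN already do, whereas this line has `iam:${data.aws_caller_identity.current.account_id}`. As written, `output "runner_agent_role_arn"` in the outputs.tf hunk now returns a value no IAM API will accept, which matters because callers typically paste that ARN into trust policies and bucket policies. Change the line to `aws_iam_role_instance_arn = "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:role/${local.aws_iam_role_instance_name}"`. Note also that this constructed ARN assumes a role path of `/`; a caller-supplied role under a different path would still be attached correctly by name but reported under the wrong ARN, which is worth a comment on the local.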
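Review bot: Replacing `aws_iam_role.instance.name` with the plain-string local on `role` removes Terraform's implicit dependency on `aws_iam_role.instance[0]`, so when `create_runner_iam_role` is true this `aws_iam_role_policy` may be applied before the role exists and fail with a not-found error on a fresh apply. The same applies to `aws_iam_instance_profile.instance` and to every `aws_iam_role_policy_attachment` in the main.tf hunks, since each of them now references the role only by name. Add `depends_on = [aws_iam_role.instance]` to each resource that references `local.aws_iam_role_instance_name`; with `count = 0` the list is empty and the guard is harmless when the role is caller-supplied.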
@@ -323,11 +323,12 @@ module "cache" {
 ################################################################################
 resource "aws_iam_instance_profile" "instance" {
 name = "${local.name_iam_objects}-instance"
- role = aws_iam_role.instance.name
+ role = local.aws_iam_role_instance_name
 tags = local.tags
 }
 resource "aws_iam_role" "instance" {
+ count = var.create_runner_iam_role ? 1 : 0
 name = "${local.name_iam_objects}-instance"
 assume_role_policy = length(var.instance_role_json) > 0 ? var.instance_role_json : templatefile("${path.module}/policies/instance-role-trust-policy.json", {})
 permissions_boundary = var.permissions_boundary == "" ? null : "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:policy/${var.permissions_boundary}"
@@ -351,7 +352,7 @@ resource "aws_iam_policy" "instance_docker_machine_policy" {
 }
 resource "aws_iam_role_policy_attachment" "instance_docker_machine_policy" {
- role = aws_iam_role.instance.name
+ role = local.aws_iam_role_instance_name
 policy_arn = aws_iam_policy.instance_docker_machine_policy.arn
 }
@@ -371,14 +372,14 @@ resource "aws_iam_policy" "instance_session_manager_policy" {
 resource "aws_iam_role_policy_attachment" "instance_session_manager_policy" {
 count = var.enable_runner_ssm_access ? 1 : 0
- role = aws_iam_role.instance.name
+ role = local.aws_iam_role_instance_name
 policy_arn = aws_iam_policy.instance_session_manager_policy[0].arn
 }
 resource "aws_iam_role_policy_attachment" "instance_session_manager_aws_managed" {
 count = var.enable_runner_ssm_access ? 1 : 0
- role = aws_iam_role.instance.name
+ role = local.aws_iam_role_instance_name
 policy_arn = "arn:${data.aws_partition.current.partition}:iam::aws:policy/AmazonSSMManagedInstanceCore"
 }
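Review bot: `aws_iam_role.instance` still hardcodes `name = "${local.name_iam_objects}-instance"` while the instance profile above it and every policy attachment now use `local.aws_iam_role_instance_name`; if a caller sets `runner_iam_role_name` and leaves `create_runner_iam_role` at its default of true, the role is created under the default name and all attachments target a role that nothing creates. Change the resource to `name = local.aws_iam_role_instance_name` so the created role, its `permissions_boundary` and `assume_role_policy`, and the attachments all agree on one name, which is also the name the outputs report. The `aws_iam_role.instance` block continues past the end of this hunk. The remaining main.tf hunks (session manager, `user_defined_policies`, cache, service-linked role, ssm and eip attachments) are the same `role` substitution and, like this one, reference the role only by string, so each needs `depends_on = [aws_iam_role.instance]` to keep create-before-attach ordering.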
@@ -387,7 +388,7 @@ resource "aws_iam_role_policy_attachment" "instance_session_manager_aws_managed"
 ################################################################################
 resource "aws_iam_role_policy_attachment" "user_defined_policies" {
 count = length(var.runner_iam_policy_arns)
- role = aws_iam_role.instance.name
+ role = local.aws_iam_role_instance_name
 policy_arn = var.runner_iam_policy_arns[count.index]
 }
@@ -397,7 +398,7 @@ resource "aws_iam_role_policy_attachment" "user_defined_policies" {
 resource "aws_iam_role_policy_attachment" "docker_machine_cache_instance" {
 count = var.cache_bucket["create"] || length(lookup(var.cache_bucket, "policy", "")) > 0 ? 1 : 0
- role = aws_iam_role.instance.name
+ role = local.aws_iam_role_instance_name
 policy_arn = local.bucket_policy
 }
@@ -450,7 +451,7 @@ resource "aws_iam_policy" "service_linked_role" {
 resource "aws_iam_role_policy_attachment" "service_linked_role" {
 count = var.allow_iam_service_linked_role_creation ? 1 : 0
- role = aws_iam_role.instance.name
+ role = local.aws_iam_role_instance_name
 policy_arn = aws_iam_policy.service_linked_role[0].arn
 }
@@ -474,7 +475,7 @@ resource "aws_iam_policy" "ssm" {
 resource "aws_iam_role_policy_attachment" "ssm" {
 count = var.enable_manage_gitlab_token ? 1 : 0
- role = aws_iam_role.instance.name
+ role = local.aws_iam_role_instance_name
 policy_arn = aws_iam_policy.ssm[0].arn
 }
@@ -494,7 +495,7 @@ resource "aws_iam_policy" "eip" {
 resource "aws_iam_role_policy_attachment" "eip" {
 count = var.enable_eip ? 1 : 0
- role = aws_iam_role.instance.name
+ role = local.aws_iam_role_instance_name
 policy_arn = aws_iam_policy.eip[0].arn
 }
diff --git a/outputs.tf b/outputs.tf
index f1d3eea50..644d5398e 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -15,12 +15,12 @@ output "runner_cache_bucket_name" {
 output "runner_agent_role_arn" {
 description = "ARN of the role used for the ec2 instance for the GitLab runner agent."
- value = aws_iam_role.instance.arn
+ value = local.aws_iam_role_instance_arn
 }
 output "runner_agent_role_name" {
 description = "Name of the role used for the ec2 instance for the GitLab runner agent."
- value = aws_iam_role.instance.name
+ value = local.aws_iam_role_instance_name
 }
 output "runner_role_arn" {
diff --git a/variables.tf b/variables.tf
index 56355a459..0db944fd2 100644
--- a/variables.tf
+++ b/variables.tf
@@ -733,6 +733,18 @@ variable "log_group_name" {
 type = string
 }
+variable "runner_iam_role_name" {
+ type = string
+ description = "IAM role name of the gitlab runner agent EC2 instance. If unspecified then `{name_iam_objects}-instance` is used"
+ default = ""
+}
+
+variable "create_runner_iam_role" {
+ type = bool
+ description = "Whether to create the runner IAM role of the gitlab runner agent EC2 instance."
+ default = true
+}
+
 variable "runner_iam_policy_arns" {
 type = list(string)
 description = "List of policy ARNs to be added to the instance profile of the gitlab runner agent ec2 instance."
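Review bot: The new `create_runner_iam_role` / `runner_iam_role_name` pair has an unguarded combination: with `create_runner_iam_role = false` and `runner_iam_role_name` left at `""`, the `coalesce()` in locals.tf falls back to `{name_iam_objects}-instance`, a role nothing creates, and the problem only surfaces at apply time inside the policy attachments. Guard it with a `lifecycle` `precondition` on `aws_iam_instance_profile.instance` (Terraform 1.2+, if the module's `required_version` allows) using `condition = var.create_runner_iam_role || var.runner_iam_role_name != ""` and an error message naming both variables, since a variable `validation` block cannot reference another variable on Terraform before 1.9. The descriptions should also state the contract for a caller-supplied role: it must already exist and trust `ec2.amazonaws.com`, the module will attach its own instance policies (logging, cache bucket, SSM, EIP, service-linked role and `runner_iam_policy_arns`) to it, and `permissions_boundary` and `instance_role_json` are not applied to it. Suggested wording for `runner_iam_role_name`: `description = "Name of the IAM role for the runner agent EC2 instance. When create_runner_iam_role is false this must name an existing role that trusts ec2.amazonaws.com; the module attaches its instance policies to it but does not manage its trust policy or permissions boundary. If unspecified, {name_iam_objects}-instance is used."`.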