From 3cde0f1c6eb401c424a2b65bbbfce3eb40f89615 Mon Sep 17 00:00:00 2001 From: Tyrone Meijn Date: Thu, 2 Mar 2023 09:25:58 +0100 Subject: [PATCH 01/74] fix!: remove deprecated pull policy variable (#710) ## Description Removes the earlier deprecated `runners_pull_policy` variable. Since were making a Major release I thought this one was nice to catch. ## Migrations required YES. Replace the `runners_pull_policy` by `runners_pull_policies`. --- README.md | 1 - locals.tf | 2 +- variables.tf | 6 ------ 3 files changed, 1 insertion(+), 8 deletions(-) diff --git a/README.md b/README.md index 735a29a0f..db1dd9f21 100644 --- a/README.md +++ b/README.md @@ -610,7 +610,6 @@ Made with [contributors-img](https://contrib.rocks). | [runners\_pre\_clone\_script](#input\_runners\_pre\_clone\_script) | Commands to be executed on the Runner before cloning the Git repository. this can be used to adjust the Git client configuration first, for example. | `string` | `"\"\""` | no | | [runners\_privileged](#input\_runners\_privileged) | Runners will run in privileged mode, will be used in the runner config.toml | `bool` | `true` | no | | [runners\_pull\_policies](#input\_runners\_pull\_policies) | pull policies for the runners, will be used in the runner config.toml, for Gitlab Runner >= 13.8, see https://docs.gitlab.com/runner/executors/docker.html#using-multiple-pull-policies | `list(string)` |
[
"always"
]
| no | -| [runners\_pull\_policy](#input\_runners\_pull\_policy) | Deprecated! Use runners\_pull\_policies instead. pull\_policy for the runners, will be used in the runner config.toml | `string` | `""` | no | | [runners\_request\_concurrency](#input\_runners\_request\_concurrency) | Limit number of concurrent requests for new jobs from GitLab (default 1). | `number` | `1` | no | | [runners\_request\_spot\_instance](#input\_runners\_request\_spot\_instance) | Whether or not to request spot instances via docker-machine | `bool` | `true` | no | | [runners\_root\_size](#input\_runners\_root\_size) | Runner instance root size in GB. | `number` | `16` | no | diff --git a/locals.tf b/locals.tf index 3b15a286c..4c11cdd62 100644 --- a/locals.tf +++ b/locals.tf @@ -78,7 +78,7 @@ locals { } ) - runners_pull_policies = var.runners_pull_policy != "" ? "[\"${var.runners_pull_policy}\"]" : "[\"${join("\",\"", var.runners_pull_policies)}\"]" + runners_pull_policies = "[\"${join("\",\"", var.runners_pull_policies)}\"]" /* determines if the docker machine executable adds the Name tag automatically (versions >= 0.16.2) */ # make sure to skip pre-release stuff in the semver by ignoring everything after "-" diff --git a/variables.tf b/variables.tf index a63159f31..61d84f9e3 100644 --- a/variables.tf +++ b/variables.tf @@ -248,12 +248,6 @@ variable "runners_helper_image" { default = "" } -variable "runners_pull_policy" { - description = "Deprecated! Use runners_pull_policies instead. pull_policy for the runners, will be used in the runner config.toml" - type = string - default = "" -} - variable "runners_pull_policies" { description = "pull policies for the runners, will be used in the runner config.toml, for Gitlab Runner >= 13.8, see https://docs.gitlab.com/runner/executors/docker.html#using-multiple-pull-policies " type = list(string) From 3fdd3c5d2268ff05c32dfa5dbd6efb933ba1076e Mon Sep 17 00:00:00 2001 
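Review bot: With `runners_pull_policy` gone, `runners_pull_policies` is the only input feeding `local.runners_pull_policies`, yet the variable in the `variables.tf` hunk accepts any `list(string)`: an empty list renders as `[""]` in config.toml and a misspelled policy is only noticed when the runner process starts, not at `terraform plan`. Add a validation block on the variable so bad input is rejected up front; the accepted values below are taken from the GitLab docs page the description already links to, so confirm against that page. The `locals.tf` hunk of this commit is fine as is, and the variable's closing brace lies outside the hunk.
```hcl
variable "runners_pull_policies" {
  # … unchanged: description, type, default …

  validation {
    condition     = length(var.runners_pull_policies) > 0 && alltrue([for p in var.runners_pull_policies : contains(["always", "if-not-present", "never"], p)])
    error_message = "runners_pull_policies must be a non-empty list containing only \"always\", \"if-not-present\" or \"never\"."
  }
```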
From: Matthias Kay Date: Thu, 16 Mar 2023 22:59:43 +0100 Subject: [PATCH 02/74] chore!: remove deprecated variables (#738) ## Description This PR removes all variables which are marked as deprecated. - `arn_format` - `subnet_id_runners` - `subnet_ids_gitlab_runner` - `asg_terminate_lifecycle_hook_create` - `asg_terminate_lifecycle_hook_heartbeat_timeout` - `asg_terminate_lifecycle_lambda_memory_size` - `asg_terminate_lifecycle_lambda_runtime` - `asg_terminate_lifecycle_lambda_timeout` ## Migrations required Yes. Remove the variables from your configuration. This is done automatically by the migration script. ## Verification None. --------- Co-authored-by: Tyrone Meijn --- .cspell.json | 5 ++ README.md | 2 + examples/runner-public/main.tf | 7 +-- main.tf | 7 ++- migrations/migrate-to-7-0-0.sh | 25 +++++++++ modules/terminate-agent-hook/variables.tf | 6 --- variables.tf | 64 ----------------------- 7 files changed, 39 insertions(+), 77 deletions(-) create mode 100755 migrations/migrate-to-7-0-0.sh diff --git a/.cspell.json b/.cspell.json index b85918fb7..e370f49e5 100644 --- a/.cspell.json +++ b/.cspell.json @@ -3,6 +3,7 @@ "language": "en", "words": [ "amannn", + "amazonec", "anytrue", "aquasecurity", "awscli", @@ -12,6 +13,8 @@ "concat", "devskim", "dind", + "endfor", + "formatlist", "gitter", "kics", "jsonencode", @@ -21,12 +24,14 @@ "oxsecurity", "shuf", "signoff", + "signum", "substr", "templatefile", "terrascan", "tfenv", "tflint", "tfsec", + "tftpl", "tfvars", "tmpfs", "trivy", diff --git a/README.md b/README.md index db1dd9f21..1c2dba21f 100644 --- a/README.md +++ b/README.md 
@@ -1,6 +1,8 @@ + [![Terraform registry](https://img.shields.io/github/v/release/cattle-ops/terraform-aws-gitlab-runner?label=Terraform%20Registry)](https://registry.terraform.io/modules/cattle-ops/gitlab-runner/aws/) [![Gitter](https://badges.gitter.im/terraform-aws-gitlab-runner/Lobby.svg)](https://gitter.im/terraform-aws-gitlab-runner/Lobby?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge) [![Actions](https://github.com/cattle-ops/terraform-aws-gitlab-runner/workflows/CI/badge.svg)](https://github.com/cattle-ops/terraform-aws-gitlab-runner/actions) + # Terraform module for GitLab auto scaling runners on AWS spot instances diff --git a/examples/runner-public/main.tf b/examples/runner-public/main.tf index 5f2b6392c..28b9b80c0 100644 --- a/examples/runner-public/main.tf +++ b/examples/runner-public/main.tf @@ -2,6 +2,8 @@ data "aws_availability_zones" "available" { state = "available" } +# Every VPC resource should have an associated Flow Log: This is an example only. No flow logs are created. +# kics-scan ignore-line module "vpc" { source = "terraform-aws-modules/vpc/aws" version = "3.19.0" @@ -77,9 +79,8 @@ module "runner2" { runners_use_private_address = false - vpc_id = module.vpc.vpc_id - subnet_ids_gitlab_runner = module.vpc.public_subnets - subnet_id_runners = element(module.vpc.public_subnets, 0) + vpc_id = module.vpc.vpc_id + subnet_id = element(module.vpc.public_subnets, 0) docker_machine_spot_price_bid = "on-demand-price" diff --git a/main.tf b/main.tf index a15a1ebe1..a130b656e 100644 --- a/main.tf +++ b/main.tf @@ -2,7 +2,7 @@ data "aws_caller_identity" "current" {} data "aws_partition" "current" {} data "aws_subnet" "runners" { - id = length(var.subnet_id) > 0 ? var.subnet_id : var.subnet_id_runners + id = var.subnet_id } data "aws_availability_zone" "runners" { 
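Review bot: `data "aws_subnet" "runners"` now reads `var.subnet_id` unconditionally, but that variable still carries `default = ""` (visible in the `variables.tf` context later in this series), so a caller who omitted it, or whose `subnet_id_runners` line the migration script deleted, fails at plan time with an opaque AWS lookup error instead of a clear required-input message. Make the input mandatory by dropping the default, or add `validation { condition = length(var.subnet_id) > 0 ; error_message = "subnet_id is required." }` to the variable. The same value feeds `runners_subnet_id` and `vpc_zone_identifier` in the later hunks of this file, so one check covers all three uses.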
@@ -87,7 +87,7 @@ locals {
 tls_ca_file = length(var.runners_gitlab_certificate) > 0 ? "tls-ca-file=\"/etc/gitlab-runner/certs/gitlab.crt\"" : ""
 runners_extra_hosts = var.runners_extra_hosts
 runners_vpc_id = var.vpc_id
- runners_subnet_id = length(var.subnet_id) > 0 ? var.subnet_id : var.subnet_id_runners
+ runners_subnet_id = var.subnet_id
 runners_aws_zone = data.aws_availability_zone.runners.name_suffix
 runners_instance_type = var.docker_machine_instance_type
 runners_spot_price_bid = var.docker_machine_spot_price_bid == "on-demand-price" || var.docker_machine_spot_price_bid == null ? "" : var.docker_machine_spot_price_bid
@@ -163,7 +163,7 @@ data "aws_ami" "docker-machine" {
 # kics-scan ignore-line
 resource "aws_autoscaling_group" "gitlab_runner_instance" {
 name = var.enable_asg_recreation ? "${aws_launch_template.gitlab_runner_instance.name}-asg" : "${var.environment}-as-group"
- vpc_zone_identifier = length(var.subnet_id) > 0 ? [var.subnet_id] : var.subnet_ids_gitlab_runner
+ vpc_zone_identifier = [var.subnet_id]
 min_size = "1"
 max_size = "1"
 desired_capacity = "1"
@@ -565,7 +565,6 @@ module "terminate_agent_hook" {
 name_docker_machine_runners = local.runner_tags_merged["Name"]
 role_permissions_boundary = var.permissions_boundary == "" ? null : "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:policy/${var.permissions_boundary}"
 kms_key_id = local.kms_key
- arn_format = var.arn_format
 tags = local.tags
 }
 
diff --git a/migrations/migrate-to-7-0-0.sh b/migrations/migrate-to-7-0-0.sh
new file mode 100755
index 000000000..8aaaa9b4e
--- /dev/null
+++ b/migrations/migrate-to-7-0-0.sh
@@ -0,0 +1,25 @@
+#!/bin/sh
+set -eu
+
+#
+# Precondition: The module call has been extracted to a separate file given in "$1". The code is well-formatted.
+# Run `terraform fmt` to do that
+#
+# $1: file name containing the module call to be converted
+#
+
+converted_file="$1.new"
+
+cp "$1" "$converted_file"
+
+#
+# PR #738 chore!: remove deprecated variables
+#
+sed -i '/arn_format/d' "$converted_file"
+sed -i '/subnet_id_runners/d' "$converted_file"
+sed -i '/subnet_ids_gitlab_runner/d' "$converted_file"
+sed -i '/asg_terminate_lifecycle_hook_create/d' "$converted_file"
+sed -i '/asg_terminate_lifecycle_hook_heartbeat_timeout/d' "$converted_file"
+sed -i '/asg_terminate_lifecycle_lambda_memory_size/d' "$converted_file"
+sed -i '/asg_terminate_lifecycle_lambda_runtime/d' "$converted_file"
+sed -i '/asg_terminate_lifecycle_lambda_timeout/d' "$converted_file"
diff --git a/modules/terminate-agent-hook/variables.tf b/modules/terminate-agent-hook/variables.tf
index 3f8a22897..3cfb49970 100644
--- a/modules/terminate-agent-hook/variables.tf
+++ b/modules/terminate-agent-hook/variables.tf
@@ -60,9 +60,3 @@ variable "enable_xray_tracing" {
 type = bool
 default = false
 }
-
-variable "arn_format" {
- type = string
- default = "arn:aws"
- description = "ARN format to be used. May be changed to support deployment in GovCloud/China regions."
-}
diff --git a/variables.tf b/variables.tf
index 61d84f9e3..eab37cd28 100644
--- a/variables.tf
+++ b/variables.tf
@@ -3,12 +3,6 @@ variable "aws_region" {
 type = string
 }
 
-variable "arn_format" {
- type = string
- default = null
- description = "Deprecated! Calculated automatically by the module. ARN format to be used. May be changed to support deployment in GovCloud/China regions."
-}
-
 variable "auth_type_cache_sr" {
 description = "A string that declares the AuthenticationType for [runners.cache.s3]. Can either be 'iam' or 'credentials'"
 type = string
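Review bot: The `sed -i '/name/d'` lines delete every line that merely contains the variable name rather than the assignment itself, so a comment mentioning `arn_format`, a line where the name appears inside a value, or the first line of a multi-line value (leaving the remainder dangling and the module call unparsable) are all removed silently. Anchor each pattern to an attribute assignment, e.g. `sed -i -E '/^[[:space:]]*arn_format[[:space:]]*=/d' "$converted_file"`, and consider running `terraform validate` on `$converted_file` before declaring success. `sed -i` without a suffix is also GNU-specific; under `#!/bin/sh` on macOS/BSD the expression is taken as the backup suffix and `set -e` aborts the script on the first line. Finally, the script drops `subnet_id_runners`/`subnet_ids_gitlab_runner` without emitting a replacement `subnet_id`, so a printed warning telling the user to add it would save a confusing plan failure.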
@@ -855,70 +849,12 @@ variable "docker_machine_egress_rules" { }] } -variable "subnet_id_runners" { - description = "Deprecated! Use subnet_id instead. List of subnets used for hosting the gitlab-runners." - type = string - default = "" -} - -variable "subnet_ids_gitlab_runner" { - description = "Deprecated! Use subnet_id instead. Subnet used for hosting the GitLab runner." - type = list(string) - default = [] -} - variable "asg_terminate_lifecycle_hook_name" { description = "Specifies a custom name for the ASG terminate lifecycle hook and related resources." type = string default = null } -variable "asg_terminate_lifecycle_hook_create" { - description = "(Deprecated and always true now) Boolean toggling the creation of the ASG instance terminate lifecycle hook." - type = bool - default = true - - validation { - condition = var.asg_terminate_lifecycle_hook_create - error_message = "The hook must be created. Please remove the variable declaration." - } -} - -variable "asg_terminate_lifecycle_hook_heartbeat_timeout" { - description = "(Deprecated and no longer in use) The amount of time, in seconds, for the instances to remain in wait state." - type = number - default = null - - validation { - condition = var.asg_terminate_lifecycle_hook_heartbeat_timeout == null - error_message = "The timeout value is managed by the module. Please remove the variable declaration." - } -} - -# to be removed in future release -# tflint-ignore: terraform_unused_declarations -variable "asg_terminate_lifecycle_lambda_memory_size" { - description = "(Deprecated and no longer in use) The memory size in MB to allocate to the terminate-instances Lambda function." - type = number - default = 128 -} - -# to be removed in future release -# tflint-ignore: terraform_unused_declarations -variable "asg_terminate_lifecycle_lambda_runtime" { - description = "(Deprecated and no longer in use) Identifier of the function's runtime. This should be a python3.x runtime. 
See https://docs.aws.amazon.com/lambda/latest/dg/API_CreateFunction.html#SSS-CreateFunction-request-Runtime for more information." - type = string - default = "python3.8" -} - -# to be removed in future release -# tflint-ignore: terraform_unused_declarations -variable "asg_terminate_lifecycle_lambda_timeout" { - description = "(Deprecated and no longer in use) Amount of time the terminate-instances Lambda Function has to run in seconds." - default = 30 - type = number -} - variable "runner_yum_update" { description = "Run a yum update as part of starting the runner" type = bool From 7cc41dab29f8d784dbc10e6549af79eec3f9cf57 Mon Sep 17 00:00:00 2001 From: kayma Date: Mon, 20 Mar 2023 21:10:51 +0100 Subject: [PATCH 03/74] add note for variable section --- variables.tf | 123 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 123 insertions(+) diff --git a/variables.tf b/variables.tf index eab37cd28..e3c885e44 100644 --- a/variables.tf +++ b/variables.tf @@ -1,3 +1,4 @@ +# remove variable variable "aws_region" { description = "AWS region." type = string 
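Review bot: `# remove variable` above `aws_region` states an intent without a reason or tracking reference, so the next maintainer cannot tell whether it is safe to act on or who owns it; if the region is meant to come from the provider configuration, say so, e.g. `# TODO: remove aws_region — the region should come from the provider configuration`. The rest of this commit introduces `# agent` / `# executor` / `# global` as section markers, so giving this note a distinct `# TODO:` prefix also stops it being read as a fourth category.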
@@ -9,58 +10,68 @@ variable "auth_type_cache_sr" { default = "iam" } +# global variable "environment" { description = "A name that identifies the environment, used as prefix and for tagging." type = string } +# global variable "vpc_id" { description = "The target VPC for the docker-machine and runner instances." type = string } +# global variable "subnet_id" { description = "Subnet id used for the runner and executors. Must belong to the VPC specified above." type = string default = "" # TODO remove as soon as subnet_id_runners and subnet_ids_gitlab_runner are gone. Variable is mandatory now. } +# agent variable "extra_security_group_ids_runner_agent" { description = "Optional IDs of extra security groups to apply to the runner agent. This will not apply to the runners spun up when using the docker+machine executor, which is the default." type = list(string) default = [] } +# agent variable "metrics_autoscaling" { description = "A list of metrics to collect. The allowed values are GroupDesiredCapacity, GroupInServiceCapacity, GroupPendingCapacity, GroupMinSize, GroupMaxSize, GroupInServiceInstances, GroupPendingInstances, GroupStandbyInstances, GroupStandbyCapacity, GroupTerminatingCapacity, GroupTerminatingInstances, GroupTotalCapacity, GroupTotalInstances." type = list(string) default = null } +# agent variable "instance_type" { description = "Instance type used for the GitLab runner." type = string default = "t3.micro" } +# agent variable "runner_instance_ebs_optimized" { description = "Enable the GitLab runner instance to be EBS-optimized." type = bool default = true } +# agent variable "runner_instance_enable_monitoring" { description = "Enable the GitLab runner instance to have detailed monitoring." type = bool default = true } +# agent variable "runner_instance_spot_price" { description = "By setting a spot price bid price the runner agent will be created via a spot request. Be aware that spot instances can be stopped by AWS. 
Choose \"on-demand-price\" to pay up to the current on demand price for the instance type chosen." type = string default = null } +# agent variable "runner_instance_metadata_options" { description = "Enable the Gitlab runner agent instance metadata service." type = object({ @@ -77,6 +88,7 @@ variable "runner_instance_metadata_options" { } } +# executor variable "docker_machine_instance_metadata_options" { description = "Enable the docker machine instances metadata service. Requires you use GitLab maintained docker machines." type = object({ 
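Review bot: `variable "subnet_id"` keeps `default = ""` with a TODO saying to drop it once `subnet_id_runners` and `subnet_ids_gitlab_runner` are gone; those two variables were removed earlier in this series (#738), so the precondition is met and the default should go now, leaving `variable "subnet_id" { description = "Subnet id used for the runner and executors. Must belong to the VPC specified above." type = string }` with no `default` and no TODO. Keeping the empty-string default means an omitted subnet is only caught when `data "aws_subnet"` is resolved against AWS. This hunk runs from `auth_type_cache_sr` to `runner_instance_metadata_options` and is otherwise comment-only.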
@@ -89,41 +101,48 @@ variable "docker_machine_instance_metadata_options" { } } +# executor variable "docker_machine_instance_type" { description = "Instance type used for the instances hosting docker-machine." type = string default = "m5.large" } +# executor variable "docker_machine_spot_price_bid" { description = "Spot price bid. The maximum price willing to pay. By default the price is limited by the current on demand price for the instance type chosen." type = string default = "on-demand-price" } +# executor variable "docker_machine_download_url" { description = "(Optional) By default the module will use `docker_machine_version` to download the CKI maintained version (https://gitlab.com/cki-project/docker-machine) of Docker Machine. Alternative you can set this property to download location of the distribution of for the OS. See also https://docs.gitlab.com/runner/executors/docker_machine.html#install" type = string default = "" } +# executor variable "docker_machine_version" { description = "By default docker_machine_download_url is used to set the docker machine version. This version will be ignored once `docker_machine_download_url` is set. The version number is maintained by the CKI project. Check out at https://gitlab.com/cki-project/docker-machine/-/releases" type = string default = "0.16.2-gitlab.19-cki.2" } +# agent variable "runners_name" { description = "Name of the runner, will be used in the runner config.toml." type = string } +# agent variable "runners_userdata" { description = "Cloud-init user data that will be passed to the runner ec2 instance. Available only for `docker+machine` driver. Should not be base64 encrypted." type = string default = "" } +# agent variable "runners_executor" { description = "The executor to use. Currently supports `docker+machine` or `docker`." type = string 
@@ -135,131 +154,153 @@ variable "runners_executor" { } } +# agent variable "runners_install_amazon_ecr_credential_helper" { description = "Install amazon-ecr-credential-helper inside `userdata_pre_install` script" type = bool default = false } +# agent variable "runners_gitlab_url" { description = "URL of the GitLab instance to connect to." type = string } +# agent variable "runners_clone_url" { description = "Overwrites the URL for the GitLab instance. Use only if the runner can’t connect to the GitLab URL." type = string default = "" } +# agent variable "runners_token" { description = "Token for the runner, will be used in the runner config.toml." type = string default = "__REPLACED_BY_USER_DATA__" } +# agent variable "runners_limit" { description = "Limit for the runners, will be used in the runner config.toml." type = number default = 0 } +# agent variable "runners_concurrent" { description = "Concurrent value for the runners, will be used in the runner config.toml." type = number default = 10 } +# agent variable "runners_idle_time" { description = "Idle time of the runners, will be used in the runner config.toml." type = number default = 600 } +# agent variable "runners_idle_count" { description = "Idle count of the runners, will be used in the runner config.toml." type = number default = 0 } +# agent variable "runners_max_builds" { description = "Max builds for each runner after which it will be removed, will be used in the runner config.toml. By default set to 0, no maxBuilds will be set in the configuration." 
type = number default = 0 } +# executor variable "runners_image" { description = "Image to run builds, will be used in the runner config.toml" type = string default = "docker:18.03.1-ce" } +# executor variable "runners_privileged" { description = "Runners will run in privileged mode, will be used in the runner config.toml" type = bool default = true } +# executor variable "runners_disable_cache" { description = "Runners will not use local cache, will be used in the runner config.toml" type = bool default = false } +# executor variable "runners_add_dind_volumes" { description = "Add certificates and docker.sock to the volumes to support docker-in-docker (dind)" type = bool default = false } +# executor variable "runners_additional_volumes" { description = "Additional volumes that will be used in the runner config.toml, e.g Docker socket" type = list(any) default = [] } +# executor variable "runners_extra_hosts" { description = "Extra hosts that will be used in the runner config.toml, e.g other-host:127.0.0.1" type = list(any) default = [] } +# executor variable "runners_shm_size" { description = "shm_size for the runners, will be used in the runner config.toml" type = number default = 0 } +# executor variable "runners_docker_runtime" { description = "docker runtime for runners, will be used in the runner config.toml" type = string default = "" } +# executor variable "runners_helper_image" { description = "Overrides the default helper image used to clone repos and upload artifacts, will be used in the runner config.toml" type = string default = "" } +# executor variable "runners_pull_policies" { description = "pull policies for the runners, will be used in the runner config.toml, for Gitlab Runner >= 13.8, see https://docs.gitlab.com/runner/executors/docker.html#using-multiple-pull-policies " type = list(string) default = ["always"] } +# executor variable "runners_monitoring" { description = "Enable detailed cloudwatch monitoring for spot instances." 
type = bool default = false } +# executor variable "runners_ebs_optimized" { description = "Enable runners to be EBS-optimized." type = bool default = true } +# executor variable "runners_machine_autoscaling" { description = "Set autoscaling parameters based on periods, see https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-runnersmachine-section" type = list(object({ 
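Review bot: `runners_privileged` defaults to `true` and its description says only that it "will be used in the runner config.toml", leaving the operator unaware of what they are enabling; as with any Docker `--privileged` container, this gives every CI job effectively root-level access to the executor instance. State the trade-off in the description, e.g. `description = "Runners will run in privileged mode, will be used in the runner config.toml. Required for docker-in-docker, but gives CI jobs root-level access to the executor instance; set to false unless dind is needed."`. Flipping the default to `false` would be the safer choice for a 7.0.0 breaking release, but that is a maintainers' call and would need a migration note.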
@@ -271,162 +312,189 @@ variable "runners_machine_autoscaling" { default = [] } +# executor variable "runners_root_size" { description = "Runner instance root size in GB." type = number default = 16 } +# executor variable "runners_volume_type" { description = "Runner instance volume type" type = string default = "gp2" } +# executor variable "runners_iam_instance_profile_name" { description = "IAM instance profile name of the runners, will be used in the runner config.toml" type = string default = "" } +# executor variable "runners_docker_registry_mirror" { description = "The docker registry mirror to use to avoid rate limiting by hub.docker.com" type = string default = "" } +# executor variable "runners_environment_vars" { description = "Environment variables during build execution, e.g. KEY=Value, see runner-public example. Will be used in the runner config.toml" type = list(string) default = [] } +# executor variable "runners_pre_build_script" { description = "Script to execute in the pipeline just before the build, will be used in the runner config.toml" type = string default = "\"\"" } +# executor variable "runners_post_build_script" { description = "Commands to be executed on the Runner just after executing the build, but before executing after_script. " type = string default = "\"\"" } +# executor variable "runners_pre_clone_script" { description = "Commands to be executed on the Runner before cloning the Git repository. this can be used to adjust the Git client configuration first, for example. " type = string default = "\"\"" } +# executor variable "runners_request_concurrency" { description = "Limit number of concurrent requests for new jobs from GitLab (default 1)." type = number default = 1 } +# executor variable "runners_output_limit" { description = "Sets the maximum build log size in kilobytes, by default set to 4096 (4MB)." 
type = number default = 4096 } +# agent variable "userdata_pre_install" { description = "User-data script snippet to insert before GitLab runner install" type = string default = "" } +# agent variable "userdata_post_install" { description = "User-data script snippet to insert after GitLab runner install" type = string default = "" } +# agent variable "runners_use_private_address" { description = "Restrict runners to the use of a private IP address. If `runner_agent_uses_private_address` is set to `true`(default), `runners_use_private_address` will also apply for the agent." type = bool default = true } +# agent variable "runner_agent_uses_private_address" { description = "Restrict the runner agent to the use of a private IP address. If `runner_agent_uses_private_address` is set to `false` it will override the `runners_use_private_address` for the agent." type = bool default = true } +# executor variable "runners_request_spot_instance" { description = "Whether or not to request spot instances via docker-machine" type = bool default = true } +# agent variable "runners_check_interval" { description = "defines the interval length, in seconds, between new jobs check." type = number default = 3 } +# executor variable "cache_logging_bucket" { type = string description = "S3 Bucket ID where the access logs to the cache bucket are stored." default = null } +# executor variable "cache_logging_bucket_prefix" { type = string description = "Prefix within the `cache_logging_bucket`." default = null } +# executor variable "cache_bucket_prefix" { description = "Prefix for s3 cache bucket name." type = string default = "" } +# executor variable "cache_bucket_name_include_account_id" { description = "Boolean to add current account ID to cache bucket name." 
type = bool default = true } +# executor variable "cache_bucket_set_random_suffix" { description = "Append the cache bucket name with a random string suffix" type = bool default = false } +# executor variable "cache_bucket_versioning" { description = "Boolean used to enable versioning on the cache bucket, false by default." type = bool default = false } +# executor variable "cache_expiration_days" { description = "Number of days before cache objects expires." type = number default = 1 } +# executor variable "cache_shared" { description = "Enables cache sharing between runners, false by default." type = bool default = false } +# agent variable "gitlab_runner_version" { description = "Version of the [GitLab runner](https://gitlab.com/gitlab-org/gitlab-runner/-/releases)." type = string default = "15.8.2" } +# agent variable "enable_ping" { description = "Allow ICMP Ping to the ec2 instances." type = bool default = false } +# agent variable "gitlab_runner_egress_rules" { description = "List of egress rules for the gitlab runner instance." type = list(object({ 
@@ -453,66 +521,77 @@ variable "gitlab_runner_egress_rules" { }] } +# agent variable "gitlab_runner_security_group_ids" { description = "A list of security group ids that are allowed to access the gitlab runner agent" type = list(string) default = [] } +# agent variable "gitlab_runner_security_group_description" { description = "A description for the gitlab-runner security group" type = string default = "A security group containing gitlab-runner agent instances" } +# agent variable "enable_cloudwatch_logging" { description = "Boolean used to enable or disable the CloudWatch logging." type = bool default = true } +# agent variable "cloudwatch_logging_retention_in_days" { description = "Retention for cloudwatch logs. Defaults to unlimited" type = number default = 0 } +# global variable "tags" { description = "Map of tags that will be added to created resources. By default resources will be tagged with name and environment." type = map(string) default = {} } +# agent variable "agent_tags" { description = "Map of tags that will be added to agent EC2 instances." type = map(string) default = {} } +# executor variable "runner_tags" { description = "Map of tags that will be added to runner EC2 instances." type = map(string) default = {} } +# global variable "suppressed_tags" { description = "List of tag keys which are removed from tags, agent_tags and runner_tags and never added as default tag by the module." type = list(string) default = [] } +# agent variable "role_tags" { description = "Map of tags that will be added to the role created. Useful for tag based authorization." type = map(string) default = {} } +# agent variable "allow_iam_service_linked_role_creation" { description = "Boolean used to control attaching the policy to a runner instance to create service linked roles." type = bool default = true } +# executor variable "docker_machine_options" { # cspell:ignore amazonec description = "List of additional options for the docker machine config. 
Each element of this list must be a key=value pair. E.g. '[\"amazonec2-zone=a\"]'" @@ -520,24 +599,28 @@ variable "docker_machine_options" { default = [] } +# agent variable "instance_role_json" { description = "Default runner instance override policy, expected to be in JSON format." type = string default = "" } +# executor variable "docker_machine_role_json" { description = "Docker machine runner instance override policy, expected to be in JSON format." type = string default = "" } +# executor variable "docker_machine_security_group_description" { description = "A description for the docker-machine security group" type = string default = "A security group containing docker-machine instances" } +# agent variable "ami_filter" { description = "List of maps used to create the AMI filter for the Gitlab runner agent AMI. Must resolve to an Amazon Linux 1 or 2 image." type = map(list(string)) @@ -547,12 +630,14 @@ variable "ami_filter" { } } +# agent variable "ami_owners" { description = "The list of owners used to select the AMI of Gitlab runner agent instances." type = list(string) default = ["amazon"] } +# executor variable "runner_ami_filter" { description = "List of maps used to create the AMI filter for the Gitlab runner docker-machine AMI." type = map(list(string)) @@ -562,6 +647,7 @@ variable "runner_ami_filter" { } } +# executor variable "runner_ami_owners" { description = "The list of owners used to select the AMI of Gitlab runner docker-machine instances." type = list(string) @@ -570,6 +656,7 @@ variable "runner_ami_owners" { default = ["099720109477"] } +# agent variable "gitlab_runner_registration_config" { description = "Configuration used to register the runner. See the README for an example, or reference the examples in the examples directory of this repo." type = map(string) 
@@ -585,18 +672,21 @@ variable "gitlab_runner_registration_config" { } } +# agent variable "secure_parameter_store_runner_token_key" { description = "The key name used store the Gitlab runner token in Secure Parameter Store" type = string default = "runner-token" } +# agent variable "secure_parameter_store_runner_sentry_dsn" { description = "The Sentry DSN name used to store the Sentry DSN in Secure Parameter Store" type = string default = "sentry-dsn" } +# agent variable "enable_manage_gitlab_token" { description = "(Deprecated) Boolean to enable the management of the GitLab token in SSM. If `true` the token will be stored in SSM, which means the SSM property is a terraform managed resource. If `false` the Gitlab token will be stored in the SSM by the user-data script during creation of the the instance. However the SSM parameter is not managed by terraform and will remain in SSM after a `terraform destroy`." type = bool @@ -610,6 +700,7 @@ variable "enable_manage_gitlab_token" { } } +# global variable "overrides" { description = <<-EOT This map provides the possibility to override some defaults. @@ -639,6 +730,7 @@ variable "overrides" { } } +# executor variable "cache_bucket" { description = "Configuration to control the creation of the cache bucket. By default the bucket will be created and used as shared cache. To use the same cache across multiple runners disable the creation of the cache and provide a policy and bucket name. See the public runner example for more details." type = map(any) 
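Review bot: `enable_manage_gitlab_token` is still described as `(Deprecated)` although #738 earlier in this series states it removes all variables marked deprecated; either remove it here too (adding a matching `sed` line to `migrations/migrate-to-7-0-0.sh`) or reword the description to name the release that will drop it and what replaces it, e.g. `description = "(Deprecated, to be removed in 8.0.0) Boolean to enable the management of the GitLab token in SSM. …"`. The variable's validation block, if any, lies outside this hunk, so I cannot tell whether non-default values are already rejected.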
@@ -650,18 +742,21 @@ variable "cache_bucket" { } } +# agent variable "enable_runner_user_data_trace_log" { description = "Enable bash trace for the user data script that creates the EC2 instance for the runner agent. Be aware this could log sensitive data such as you GitLab runner token." type = bool default = true } +# agent variable "enable_schedule" { description = "Flag used to enable/disable auto scaling group schedule for the runner instance. " type = bool default = false } +# agent variable "schedule_config" { description = "Map containing the configuration of the ASG scale-out and scale-in for the runner instance. Will only be used if enable_schedule is set to true. " type = map(any) @@ -680,24 +775,28 @@ variable "schedule_config" { } } +# agent variable "runner_root_block_device" { description = "The EC2 instance root block device configuration. Takes the following keys: `device_name`, `delete_on_termination`, `volume_type`, `volume_size`, `encrypted`, `iops`, `throughput`, `kms_key_id`" type = map(string) default = {} } +# agent variable "enable_runner_ssm_access" { description = "Add IAM policies to the runner agent instance to connect via the Session Manager." type = bool default = false } +# executor variable "enable_docker_machine_ssm_access" { description = "Add IAM policies to the docker-machine instances to connect via the Session Manager." type = bool default = false } +# executor variable "runners_volumes_tmpfs" { description = "Mount a tmpfs in runner container. https://docs.gitlab.com/runner/executors/docker.html#mounting-a-directory-in-ram" type = list(object({ @@ -707,6 +806,7 @@ variable "runners_volumes_tmpfs" { default = [] } +# executor variable "runners_services_volumes_tmpfs" { description = "Mount a tmpfs in gitlab service container. https://docs.gitlab.com/runner/executors/docker.html#mounting-a-directory-in-ram" type = list(object({ 
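Review bot: `enable_runner_user_data_trace_log` keeps `default = true` while its own description warns that the trace "could log sensitive data such as you GitLab runner token"; for a breaking 7.0.0 release the secure default is `default = false`, making token-leaking bash tracing an explicit opt-in (and fixing the typo to `your GitLab runner token` while here). If the default is kept, the migration notes should at least call out that `enable_cloudwatch_logging` also defaults to `true`, so the traced user-data, token included, lands in CloudWatch by default. I have not traced the user-data script itself; the sensitivity claim is the variable's own description.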
@@ -716,6 +816,7 @@ variable "runners_services_volumes_tmpfs" { default = [] } +# executor variable "runners_docker_services" { description = "adds `runners.docker.services` blocks to config.toml. All fields must be set (examine the Dockerfile of the service image for the entrypoint - see ./examples/runner-default/main.tf)" type = list(object({ 
@@ -727,102 +828,119 @@ variable "runners_docker_services" { default = [] } +# global variable "kms_key_id" { description = "KMS key id to encrypted the resources. Ensure CloudWatch and Runner/Executor have access to the provided KMS key." type = string default = "" } +# global variable "enable_kms" { description = "Let the module manage a KMS key, logs will be encrypted via KMS. Be-aware of the costs of an custom key." type = bool default = false } +# global variable "kms_alias_name" { description = "Alias added to the kms_key (if created and not provided by kms_key_id)" type = string default = "" } +# global variable "kms_deletion_window_in_days" { description = "Key rotation window, set to 0 for no rotation. Only used when `enable_kms` is set to `true`." type = number default = 7 } +# agent variable "enable_eip" { description = "Enable the assignment of an EIP to the gitlab runner instance" default = false type = bool } +# agent variable "enable_asg_recreation" { description = "Enable automatic redeployment of the Runner ASG when the Launch Configs change." default = true type = bool } +# agent variable "asg_delete_timeout" { description = "Timeout when trying to delete the Runner ASG." default = "10m" type = string } +# agent variable "asg_max_instance_lifetime" { description = "The seconds before an instance is refreshed in the ASG." default = null type = number } +# global variable "permissions_boundary" { description = "Name of permissions boundary policy to attach to AWS IAM roles" default = "" type = string } +# agent variable "log_group_name" { description = "Option to override the default name (`environment`) of the log group, requires `enable_cloudwatch_logging = true`." default = null type = string } +# agent variable "runner_iam_role_name" { type = string description = "IAM role name of the gitlab runner agent EC2 instance. 
If unspecified then `{name_iam_objects}-instance` is used" default = "" } +# agent variable "create_runner_iam_role" { type = bool description = "Whether to create the runner IAM role of the gitlab runner agent EC2 instance." default = true } +# agent variable "runner_iam_policy_arns" { type = list(string) description = "List of policy ARNs to be added to the instance profile of the gitlab runner agent ec2 instance." default = [] } +# executor variable "docker_machine_iam_policy_arns" { type = list(string) description = "List of policy ARNs to be added to the instance profile of the docker machine runners." default = [] } +# agent variable "sentry_dsn" { default = "__SENTRY_DSN_REPLACED_BY_USER_DATA__" description = "Sentry DSN of the project for the runner to use (uses legacy DSN format)" type = string } +# agent variable "prometheus_listen_address" { default = "" description = "Defines an address (:) the Prometheus metrics HTTP server should listen on." type = string } +# executor variable "docker_machine_egress_rules" { description = "List of egress rules for the docker-machine instance(s)." type = list(object({ 
@@ -849,30 +967,35 @@ variable "docker_machine_egress_rules" { }] } +# agent variable "asg_terminate_lifecycle_hook_name" { description = "Specifies a custom name for the ASG terminate lifecycle hook and related resources." type = string default = null } +# agent variable "runner_yum_update" { description = "Run a yum update as part of starting the runner" type = bool default = true } +# agent variable "runners_gitlab_certificate" { description = "Certificate of the GitLab instance to connect to. Example: `file(\"$${path.module}/my-gitlab.crt\")`" type = string default = "" } +# agent variable "runners_ca_certificate" { description = "Trusted CA certificate bundle. Example: `file(\"$${path.module}/ca.crt\")`" type = string default = "" } +# agent variable "runner_extra_config" { description = "Extra commands to run as part of starting the runner" type = string From d7ad4fe36dd70a0b89b3a82de44d768fb9291918 Mon Sep 17 00:00:00 2001 From: kayma Date: Wed, 22 Mar 2023 20:23:49 +0100 Subject: [PATCH 04/74] remove `aws_region` --- examples/runner-certificates/main.tf | 3 +-- examples/runner-default/main.tf | 3 +-- examples/runner-docker/main.tf | 1 - examples/runner-multi-region/main.tf | 2 -- examples/runner-pre-registered/main.tf | 1 - examples/runner-public/main.tf | 2 -- kms.tf | 2 +- main.tf | 5 +++-- migrations/migrate-to-7-0-0.sh | 7 +++++++ variables.tf | 7 +------ 10 files changed, 14 insertions(+), 19 deletions(-) diff --git a/examples/runner-certificates/main.tf b/examples/runner-certificates/main.tf index d652c1328..bddaa72f6 100644 --- a/examples/runner-certificates/main.tf +++ b/examples/runner-certificates/main.tf @@ -31,7 +31,6 @@ module "runner" { runners_executor = "docker" - aws_region = var.aws_region environment = var.environment ############################################### @@ -70,4 +69,4 @@ module "runner" { vpc_id = module.vpc.vpc_id subnet_id = element(module.vpc.public_subnets, 0) -} \ No newline at end of file +} 
diff --git a/examples/runner-default/main.tf b/examples/runner-default/main.tf index 447fbb56b..25507fd5f 100644 --- a/examples/runner-default/main.tf +++ b/examples/runner-default/main.tf @@ -47,7 +47,6 @@ module "vpc_endpoints" { module "runner" { source = "../../" - aws_region = var.aws_region environment = var.environment vpc_id = module.vpc.vpc_id @@ -122,7 +121,7 @@ module "runner" { # docker-mirror-check: # image: docker:20.10.16 # stage: build - # variables: + # variables: # DOCKER_TLS_CERTDIR: '' # script: # - | diff --git a/examples/runner-docker/main.tf b/examples/runner-docker/main.tf index 29cbe92b3..30fc9e32b 100644 --- a/examples/runner-docker/main.tf +++ b/examples/runner-docker/main.tf @@ -39,7 +39,6 @@ module "vpc_endpoints" { module "runner" { source = "../../" - aws_region = var.aws_region environment = var.environment runners_use_private_address = false diff --git a/examples/runner-multi-region/main.tf b/examples/runner-multi-region/main.tf index 3e59c43f3..2ed4a662b 100644 --- a/examples/runner-multi-region/main.tf +++ b/examples/runner-multi-region/main.tf @@ -22,7 +22,6 @@ module "vpc_main_region" { module "runner_main_region" { source = "../../" - aws_region = var.aws_main_region environment = var.environment runners_use_private_address = false @@ -90,7 +89,6 @@ module "runner_alternate_region" { source = "../../" - aws_region = var.aws_alternate_region environment = var.environment runners_use_private_address = false diff --git a/examples/runner-pre-registered/main.tf b/examples/runner-pre-registered/main.tf index 68d1d85a3..c03695579 100644 --- a/examples/runner-pre-registered/main.tf +++ b/examples/runner-pre-registered/main.tf @@ -26,7 +26,6 @@ module "vpc" { module "runner" { source = "../../" - aws_region = var.aws_region environment = var.environment vpc_id = module.vpc.vpc_id diff --git a/examples/runner-public/main.tf b/examples/runner-public/main.tf index 28b9b80c0..c6570160a 100644 --- a/examples/runner-public/main.tf 
+++ b/examples/runner-public/main.tf @@ -29,7 +29,6 @@ module "cache" { module "runner" { source = "../../" - aws_region = var.aws_region environment = var.environment runners_use_private_address = false @@ -74,7 +73,6 @@ module "runner" { module "runner2" { source = "../../" - aws_region = var.aws_region environment = "${var.environment}-2" runners_use_private_address = false diff --git a/kms.tf b/kms.tf index 05967c718..f4227396f 100644 --- a/kms.tf +++ b/kms.tf @@ -8,7 +8,7 @@ resource "aws_kms_key" "default" { policy = templatefile("${path.module}/policies/kms-policy.json", { partition = data.aws_partition.current.partition - aws_region = var.aws_region + aws_region = data.aws_region.current.name account_id = data.aws_caller_identity.current.account_id } ) diff --git a/main.tf b/main.tf index a130b656e..60fa4d257 100644 --- a/main.tf +++ b/main.tf @@ -1,5 +1,6 @@ data "aws_caller_identity" "current" {} data "aws_partition" "current" {} +data "aws_region" "current" {} data "aws_subnet" "runners" { id = var.subnet_id @@ -68,7 +69,7 @@ locals { runners_token = var.runners_token secure_parameter_store_runner_token_key = local.secure_parameter_store_runner_token_key secure_parameter_store_runner_sentry_dsn = local.secure_parameter_store_runner_sentry_dsn - secure_parameter_store_region = var.aws_region + secure_parameter_store_region = data.aws_region.current.name gitlab_runner_registration_token = var.gitlab_runner_registration_config["registration_token"] gitlab_runner_description = var.gitlab_runner_registration_config["description"] gitlab_runner_tag_list = var.gitlab_runner_registration_config["tag_list"] 
@@ -81,7 +82,7 @@ locals { template_runner_config = templatefile("${path.module}/template/runner-config.tftpl", { - aws_region = var.aws_region + aws_region = data.aws_region.current.name gitlab_url = var.runners_gitlab_url gitlab_clone_url = var.runners_clone_url tls_ca_file = length(var.runners_gitlab_certificate) > 0 ? "tls-ca-file=\"/etc/gitlab-runner/certs/gitlab.crt\"" : "" diff --git a/migrations/migrate-to-7-0-0.sh b/migrations/migrate-to-7-0-0.sh index 8aaaa9b4e..dd11a6e74 100755 --- a/migrations/migrate-to-7-0-0.sh +++ b/migrations/migrate-to-7-0-0.sh @@ -23,3 +23,10 @@ sed -i '/asg_terminate_lifecycle_hook_heartbeat_timeout/d' "$converted_file" sed -i '/asg_terminate_lifecycle_lambda_memory_size/d' "$converted_file" sed -i '/asg_terminate_lifecycle_lambda_runtime/d' "$converted_file" sed -i '/asg_terminate_lifecycle_lambda_timeout/d' "$converted_file" + +# +# PT #757 refactor!: rename variables and prefix with agent, executor and global scope +# +sed -i '/aws_region/d' "$converted_file" + + diff --git a/variables.tf b/variables.tf index e3c885e44..d3824eae5 100644 --- a/variables.tf +++ b/variables.tf @@ -1,9 +1,4 @@ -# remove variable -variable "aws_region" { - description = "AWS region." - type = string -} - +# agent variable "auth_type_cache_sr" { description = "A string that declares the AuthenticationType for [runners.cache.s3]. Can either be 'iam' or 'credentials'" type = string From df68fb0d6148e09883112398a656fe818b4ab6bd Mon Sep 17 00:00:00 2001 From: kayma Date: Wed, 22 Mar 2023 21:21:22 +0100 Subject: [PATCH 05/74] rename global variables --- examples/runner-multi-region/README.md | 22 ++- examples/runner-multi-region/main.tf | 20 ++- examples/runner-public/main.tf | 8 +- kms.tf | 10 +- locals.tf | 6 +- logging.tf | 2 +- main.tf | 6 +- migrations/migrate-to-7-0-0.sh | 33 +++++ tags.tf | 2 +- variables.tf | 183 +++++++++++++------------ 10 files changed, 159 insertions(+), 133 deletions(-) 
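Review bot: The new migration line `sed -i '/aws_region/d' "$converted_file"` deletes every line that contains the substring `aws_region`, not only the module argument this commit removes; a `region = var.aws_region` inside a provider block or a `variable "aws_region"` declaration in the same file would be silently dropped, leaving the user's config broken without any error. Anchor the pattern to the argument being removed, e.g. `sed -i '/^[[:space:]]*aws_region[[:space:]]*=/d' "$converted_file"`. The comment added above it refers to "PT #757 refactor!: rename variables and prefix with agent, executor and global scope", which describes a different change than the `aws_region` removal it sits over; a one-line `# remove the aws_region module argument (region is now taken from the provider)` would be more accurate. The migration script continues outside this hunk.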
diff --git a/examples/runner-multi-region/README.md b/examples/runner-multi-region/README.md index 6a804244a..82999bc01 100644 --- a/examples/runner-multi-region/README.md +++ b/examples/runner-multi-region/README.md @@ -23,12 +23,10 @@ To duplicate the Gitlab runner deployment to multiple regions, we therefore have module "runner_main_region" { # ... - overrides = { - name_sg = "my-security-group" - name_runner_agent_instance = "my-runner-agent" - name_docker_machine_runners = "my-runners-dm" - name_iam_objects = local.name_iam_objects_main_region # <-- - } + security_group_prefix = "my-security-group" + agent_instance_prefix = "my-runner-agent" + executor_docker_machine_instance_prefix = "my-runners-dm" + iam_object_prefix = local.name_iam_objects_main_region # <-- # ... @@ -40,14 +38,12 @@ module "runner_main_region" { module "runner_alternate_region" { # ... - - overrides = { - name_sg = "my-security-group" - name_runner_agent_instance = "my-runner-agent" - name_docker_machine_runners = "my-runners-dm" - name_iam_objects = local.name_iam_objects_alternate_region # <-- - } + security_group_prefix = "my-security-group" + agent_instance_prefix = "my-runner-agent" + executor_docker_machine_instance_prefix = "my-runners-dm" + iam_object_prefix = local.name_iam_objects_main_region # <-- + # ... cache_bucket_prefix = local.cache_bucket_prefix_alternate_region # <-- diff --git a/examples/runner-multi-region/main.tf b/examples/runner-multi-region/main.tf index 2ed4a662b..6b9476be9 100644 --- a/examples/runner-multi-region/main.tf +++ b/examples/runner-multi-region/main.tf 
@@ -47,12 +47,10 @@ module "runner_main_region" { maximum_timeout = "3600" } - overrides = { - name_sg = "my-security-group" - name_runner_agent_instance = "my-runner-agent" - name_docker_machine_runners = "my-runners-dm" - name_iam_objects = local.name_iam_objects_main_region - } + security_group_prefix = "my-security-group" + agent_instance_prefix = "my-runner-agent" + executor_docker_machine_instance_prefix = "my-runners-dm" + iam_object_prefix = local.name_iam_objects_main_region cache_shared = "true" @@ -115,12 +113,10 @@ module "runner_alternate_region" { access_level = "ref_protected" } - overrides = { - name_sg = "my-security-group" - name_runner_agent_instance = "my-runner-agent" - name_docker_machine_runners = "my-runners-dm" - name_iam_objects = local.name_iam_objects_alternate_region - } + security_group_prefix = "my-security-group" + agent_instance_prefix = "my-runner-agent" + executor_docker_machine_instance_prefix = "my-runners-dm" + iam_object_prefix = local.name_iam_objects_main_region # <-- cache_shared = "true" diff --git a/examples/runner-public/main.tf b/examples/runner-public/main.tf index c6570160a..1dc4878f4 100644 --- a/examples/runner-public/main.tf +++ b/examples/runner-public/main.tf @@ -55,11 +55,9 @@ module "runner" { access_level = "ref_protected" } - overrides = { - name_sg = "my-security-group" - name_runner_agent_instance = "my-runner-agent" - name_docker_machine_runners = "my-runners-dm" - } + security_group_prefix = "my-security-group" + agent_instance_prefix = "my-runner-agent" + executor_docker_machine_instance_prefix = "my-runners-dm" cache_shared = "true" diff --git a/kms.tf b/kms.tf index f4227396f..ab8e3a3d9 100644 --- a/kms.tf +++ b/kms.tf 
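Review bot: In the `runner_alternate_region` hunk the new `iam_object_prefix` is set to `local.name_iam_objects_main_region`, while the removed `name_iam_objects` line used `local.name_iam_objects_alternate_region`; since IAM names are account-wide rather than per region, both module instances would now create roles and policies under the same prefix, which is the collision the two locals exist to avoid. Restore `iam_object_prefix = local.name_iam_objects_alternate_region`. The `module "runner_alternate_region"` block starts outside the hunk, and the README hunk in this commit appears to carry the same slip in its alternate-region snippet.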
@@ -1,9 +1,9 @@ resource "aws_kms_key" "default" { - count = var.enable_kms ? 1 : 0 + count = var.enable_managed_kms_key ? 1 : 0 description = "GitLab Runner module managed key - ${var.environment}" - deletion_window_in_days = var.kms_deletion_window_in_days > 0 ? var.kms_deletion_window_in_days : null - enable_key_rotation = var.kms_deletion_window_in_days > 0 ? true : false + deletion_window_in_days = var.kms_managed_deletion_rotation_window_in_days > 0 ? var.kms_managed_deletion_rotation_window_in_days : null + enable_key_rotation = var.kms_managed_deletion_rotation_window_in_days > 0 ? true : false tags = local.tags policy = templatefile("${path.module}/policies/kms-policy.json", { @@ -15,7 +15,7 @@ resource "aws_kms_key" "default" { } resource "aws_kms_alias" "default" { - count = var.enable_kms && var.kms_alias_name != "" ? 1 : 0 - name = "alias/${var.kms_alias_name}" + count = var.enable_managed_kms_key && var.kms_managed_alias_name != "" ? 1 : 0 + name = "alias/${var.kms_managed_alias_name}" target_key_id = aws_kms_key.default[0].key_id } diff --git a/locals.tf b/locals.tf index 4c11cdd62..64ac391b2 100644 --- a/locals.tf +++ b/locals.tf 
@@ -60,9 +60,9 @@ locals { secure_parameter_store_runner_sentry_dsn = "${var.environment}-${var.secure_parameter_store_runner_sentry_dsn}" # Custom names for runner agent instance, security groups, and IAM objects - name_runner_agent_instance = var.overrides["name_runner_agent_instance"] == "" ? local.tags["Name"] : var.overrides["name_runner_agent_instance"] - name_sg = var.overrides["name_sg"] == "" ? local.tags["Name"] : var.overrides["name_sg"] - name_iam_objects = lookup(var.overrides, "name_iam_objects", "") == "" ? local.tags["Name"] : var.overrides["name_iam_objects"] + name_runner_agent_instance = var.agent_instance_prefix == "" ? local.tags["Name"] : var.agent_instance_prefix + name_sg = var.security_group_prefix == "" ? local.tags["Name"] : var.security_group_prefix + name_iam_objects = var.iam_object_prefix == "" ? local.tags["Name"] : var.iam_object_prefix runners_additional_volumes = <<-EOT %{~if var.runners_add_dind_volumes~},"/certs/client", "/builds", "/var/run/docker.sock:/var/run/docker.sock"%{endif~}%{~for volume in var.runners_additional_volumes~},"${volume}"%{endfor~} diff --git a/logging.tf b/logging.tf index d63c597d7..249e8922b 100644 --- a/logging.tf +++ b/logging.tf @@ -11,7 +11,7 @@ locals { log_group_name = var.log_group_name != null ? var.log_group_name : var.environment }) provided_kms_key = var.kms_key_id != "" ? var.kms_key_id : "" - kms_key = local.provided_kms_key == "" && var.enable_kms ? aws_kms_key.default[0].arn : local.provided_kms_key + kms_key = local.provided_kms_key == "" && var.enable_managed_kms_key ? aws_kms_key.default[0].arn : local.provided_kms_key } resource "aws_cloudwatch_log_group" "environment" { diff --git a/main.tf b/main.tf index 60fa4d257..3321efcbe 100644 --- a/main.tf +++ b/main.tf 
@@ -366,7 +366,7 @@ resource "aws_iam_role" "instance" { name = local.aws_iam_role_instance_name assume_role_policy = length(var.instance_role_json) > 0 ? var.instance_role_json : templatefile("${path.module}/policies/instance-role-trust-policy.json", {}) - permissions_boundary = var.permissions_boundary == "" ? null : "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:policy/${var.permissions_boundary}" + permissions_boundary = var.iam_permissions_boundary == "" ? null : "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:policy/${var.iam_permissions_boundary}" tags = merge(local.tags, var.role_tags) } @@ -455,7 +455,7 @@ resource "aws_iam_role" "docker_machine" { count = var.runners_executor == "docker+machine" ? 1 : 0 name = "${local.name_iam_objects}-docker-machine" assume_role_policy = length(var.docker_machine_role_json) > 0 ? var.docker_machine_role_json : templatefile("${path.module}/policies/instance-role-trust-policy.json", {}) - permissions_boundary = var.permissions_boundary == "" ? null : "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:policy/${var.permissions_boundary}" + permissions_boundary = var.iam_permissions_boundary == "" ? null : "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:policy/${var.iam_permissions_boundary}" tags = local.tags } 
@@ -564,7 +564,7 @@ module "terminate_agent_hook" { cloudwatch_logging_retention_in_days = var.cloudwatch_logging_retention_in_days name_iam_objects = local.name_iam_objects name_docker_machine_runners = local.runner_tags_merged["Name"] - role_permissions_boundary = var.permissions_boundary == "" ? null : "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:policy/${var.permissions_boundary}" + role_permissions_boundary = var.iam_permissions_boundary == "" ? null : "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:policy/${var.iam_permissions_boundary}" kms_key_id = local.kms_key tags = local.tags diff --git a/migrations/migrate-to-7-0-0.sh b/migrations/migrate-to-7-0-0.sh index dd11a6e74..ac788a003 100755 --- a/migrations/migrate-to-7-0-0.sh +++ b/migrations/migrate-to-7-0-0.sh 
@@ -29,4 +29,37 @@ sed -i '/asg_terminate_lifecycle_lambda_timeout/d' "$converted_file" # sed -i '/aws_region/d' "$converted_file" +sed 's/enable_kms/enable_managed_kms_key/g' "$converted_file" | \ +sed 's/kms_alias_name/kms_managed_alias_name/g' | \ +sed 's/kms_deletion_window_in_days/kms_managed_deletion_rotation_window_in_days/g' | \ +sed 's/permission_boundary/iam_permission_boundary/g' | \ +sed 's///g' | \ +sed 's///g' | \ +sed 's///g' | \ +sed 's///g' | \ +sed 's///g' | \ +sed 's///g' | \ +sed 's///g' | \ +sed 's///g' | \ +> "$converted_file.tmp" && mv "$converted_file.tmp" "$converted_file" +# overrides block +extracted_variables=$(grep -E '(name_sg|name_iam_objects|name_runner_agent_instance|name_docker_machine_runners)' "$converted_file") + +extracted_variables=$(echo "$extracted_variables" | \ + sed 's/name_sg/security_group_prefix/g' | \ + sed 's/name_iam_objects/iam_object_prefix/g' | \ + sed 's/name_runner_agent_instance/agent_instance_prefix/g' | \ + sed 's/name_docker_machine_runners/executor_docker_machine_instance_prefix/g' + ) + +sed '/name_sg/d' "$converted_file" | \ +sed '/name_iam_objects/d' | \ +sed '/name_runner_agent_instance/d' | \ +sed '/name_docker_machine_runners/d' | \ +sed '/overrides = {/d' \ +> "$converted_file.tmp" && mv "$converted_file.tmp" "$converted_file" + +echo "$(head -n -1 "$converted_file") + $extracted_variables +}" > "$converted_file.tmp" && mv "$converted_file.tmp" "$converted_file" diff --git a/tags.tf b/tags.tf index aee23bd06..dfb559c26 100644 --- a/tags.tf +++ b/tags.tf 
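Review bot: The rename pipeline as written destroys the user's file: its last stage is `sed 's///g' | \` followed by `> "$converted_file.tmp"` with no command, so an empty temp file is written and `mv` replaces `$converted_file` with it; in addition each `sed 's///g'` placeholder is a separate sed process with no previous regex, so GNU sed aborts on it anyway. The pattern `permission_boundary` never matches the real variable `permissions_boundary` (renamed to `iam_permissions_boundary` in main.tf in this same commit), so that rename is silently skipped. The `overrides` handling deletes the `overrides = {` line but not its closing `}`, which then terminates the module block early, and the final `head -n -1` step assumes the module's closing brace is the last line of the file. I would collapse the renames into one `sed -i -e … -e …` and delete the whole `overrides` block by range (assuming one key per line, as in the examples):

```shell
sed -i \
  -e 's/\benable_kms\b/enable_managed_kms_key/g' \
  -e 's/\bkms_alias_name\b/kms_managed_alias_name/g' \
  -e 's/\bkms_deletion_window_in_days\b/kms_managed_deletion_rotation_window_in_days/g' \
  -e 's/\bpermissions_boundary\b/iam_permissions_boundary/g' \
  "$converted_file"

# overrides block: lift the four keys out as top-level module arguments ...
extracted_variables=$(grep -E '(name_sg|name_iam_objects|name_runner_agent_instance|name_docker_machine_runners)' "$converted_file" | \
  sed -e 's/name_sg/security_group_prefix/g' \
      -e 's/name_iam_objects/iam_object_prefix/g' \
      -e 's/name_runner_agent_instance/agent_instance_prefix/g' \
      -e 's/name_docker_machine_runners/executor_docker_machine_instance_prefix/g')

# ... then drop the block including its closing brace
sed -i '/overrides[[:space:]]*=[[:space:]]*{/,/^[[:space:]]*}/d' "$converted_file"

# … unchanged: append $extracted_variables before the module's closing brace …
```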
@@ -28,7 +28,7 @@ locals { local.tags, var.runner_tags, # overwrites the `Name` key from `local.tags` - var.overrides["name_docker_machine_runners"] == "" ? { Name = substr(format("%s", var.environment), 0, 16) } : { Name = var.overrides["name_docker_machine_runners"] }, + var.executor_docker_machine_instance_prefix == "" ? { Name = substr(format("%s", var.environment), 0, 16) } : { Name = var.executor_docker_machine_instance_prefix }, ) # remove the `Name` tag in addition if docker+machine adds one to avoid a failure due to a duplicate `Name` tag diff --git a/variables.tf b/variables.tf index d3824eae5..b545a0a23 100644 --- a/variables.tf +++ b/variables.tf 
@@ -1,27 +1,108 @@ -# agent -variable "auth_type_cache_sr" { - description = "A string that declares the AuthenticationType for [runners.cache.s3]. Can either be 'iam' or 'credentials'" +/* + * Global variables + */ +variable "vpc_id" { + description = "The target VPC for the agent and executors (e.g. docker-machine) instances." + type = string +} + +variable "subnet_id" { + description = "Subnet id used for the agent and executors. Must belong to the `vpc_id`." + type = string +} + +variable "kms_key_id" { + description = "KMS key id to encrypt the resources. Ensure CloudWatch and Agent/Executors have access to the provided KMS key." + type = string + default = "" +} + +variable "enable_managed_kms_key" { + description = "Let the module manage a KMS key. Be-aware of the costs of an custom key. Do not specify a `kms_key_id` when `enable_kms` is set to `true`." + type = bool + default = false +} + +variable "kms_managed_alias_name" { + description = "Alias added to the created KMS key." + type = string + default = "" +} + +variable "kms_managed_deletion_rotation_window_in_days" { + description = "Key deletion/rotation window for the created KMS key. Set to 0 for no rotation/deletion window." + type = number + default = 7 +} + +variable "iam_permissions_boundary" { + description = "Name of permissions boundary policy to attach to AWS IAM roles" + default = "" type = string - default = "iam" } -# global variable "environment" { description = "A name that identifies the environment, used as prefix and for tagging." type = string } -# global -variable "vpc_id" { - description = "The target VPC for the docker-machine and runner instances." +variable "tags" { + description = "Map of tags that will be added to created resources. By default resources will be tagged with name and environment." 
+ type = map(string) + default = {} +} + +variable "suppressed_tags" { + description = "List of tag keys which are removed from `tags`, `agent_tags` and `executor_tags` and never added as default tag by the module." + type = list(string) + default = [] +} + +variable "security_group_prefix" { + description = "Set the name prefix and overwrite the `Name` tag for all security groups." type = string + default = "" } -# global -variable "subnet_id" { - description = "Subnet id used for the runner and executors. Must belong to the VPC specified above." +variable "iam_object_prefix" { + description = "Set the name prefix of all AWS IAM resources." + type = string + default = "" +} + +/* + * Agent variables. The agent runs the GitLab Runner software and is responsible for starting the executors. + */ +variable "agent_instance_prefix" { + description = "Set the name prefix and override the `Name` tag for the EC2 GitLab Runner Agent instance." type = string - default = "" # TODO remove as soon as subnet_id_runners and subnet_ids_gitlab_runner are gone. Variable is mandatory now. + default = "" +} + +/* + * docker+machine Executor variables. The executor is the actual machine that runs the job. + */ +variable "executor_docker_machine_instance_prefix" { + description = "Set the name prefix and override the `Name` tag for the GitLab Runner Executor instances." + type = string + default = "" + + validation { + condition = length(var.executor_docker_machine_instance_prefix) <= 28 + error_message = "Maximum length for docker+machine executor name is 28 characters!" + } + + validation { + condition = var.executor_docker_machine_instance_prefix == "" || can(regex("^[a-zA-Z0-9\\.-]+$", var.executor_docker_machine_instance_prefix)) + error_message = "Valid characters for the docker+machine executor name are: [a-zA-Z0-9\\.-]." + } +} + +# agent +variable "auth_type_cache_sr" { + description = "A string that declares the AuthenticationType for [runners.cache.s3]. 
Can either be 'iam' or 'credentials'" + type = string + default = "iam" } # agent @@ -544,13 +625,6 @@ variable "cloudwatch_logging_retention_in_days" { default = 0 } -# global -variable "tags" { - description = "Map of tags that will be added to created resources. By default resources will be tagged with name and environment." - type = map(string) - default = {} -} - # agent variable "agent_tags" { description = "Map of tags that will be added to agent EC2 instances." @@ -565,13 +639,6 @@ variable "runner_tags" { default = {} } -# global -variable "suppressed_tags" { - description = "List of tag keys which are removed from tags, agent_tags and runner_tags and never added as default tag by the module." - type = list(string) - default = [] -} - # agent variable "role_tags" { description = "Map of tags that will be added to the role created. Useful for tag based authorization." 
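Review bot: The new description of `enable_managed_kms_key` still says "when `enable_kms` is set to `true`", the name this commit removes; it should read "when `enable_managed_kms_key` is set to `true`". The description of `kms_managed_deletion_rotation_window_in_days`, "Set to 0 for no rotation/deletion window", does not match kms.tf in this commit, where 0 passes `deletion_window_in_days = null` (the AWS default window applies) and only `enable_key_rotation` is switched off, so a user setting 0 to avoid a pending-deletion window gets the opposite; something like `"Deletion window in days for the module-managed KMS key. A value > 0 also turns on automatic key rotation; 0 disables rotation and falls back to the AWS default deletion window."` describes the actual behaviour, and coupling two unrelated key properties to one number is worth a comment of its own. The "do not specify a `kms_key_id`" advice is not enforced; logging.tf in this commit gives a provided `kms_key_id` precedence over the managed key, so the description could state that precedence instead of a prohibition. The `variables.tf` hunk continues outside this view.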
@@ -695,35 +762,6 @@ variable "enable_manage_gitlab_token" { } } -# global -variable "overrides" { - description = <<-EOT - This map provides the possibility to override some defaults. - The following attributes are supported: - * `name_sg` set the name prefix and overwrite the `Name` tag for all security groups created by this module. - * `name_runner_agent_instance` set the name prefix and override the `Name` tag for the EC2 gitlab runner instances defined in the auto launch configuration. - * `name_docker_machine_runners` override the `Name` tag of EC2 instances created by the runner agent (used as name prefix for `docker_machine_version` >= 0.16.2). - * `name_iam_objects` set the name prefix of all AWS IAM resources created by this module. - EOT - type = map(string) - - default = { - name_sg = "" - name_iam_objects = "" - name_runner_agent_instance = "" - name_docker_machine_runners = "" - } - - validation { - condition = length(var.overrides["name_docker_machine_runners"]) <= 28 - error_message = "Maximum length for name_docker_machine_runners is 28 characters!" - } - - validation { - condition = var.overrides["name_docker_machine_runners"] == "" || can(regex("^[a-zA-Z0-9\\.-]+$", var.overrides["name_docker_machine_runners"])) - error_message = "Valid characters for the docker machine name are: [a-zA-Z0-9\\.-]." - } -} # executor variable "cache_bucket" { 
@@ -823,34 +861,6 @@ variable "runners_docker_services" { default = [] } -# global -variable "kms_key_id" { - description = "KMS key id to encrypted the resources. Ensure CloudWatch and Runner/Executor have access to the provided KMS key." - type = string - default = "" -} - -# global -variable "enable_kms" { - description = "Let the module manage a KMS key, logs will be encrypted via KMS. Be-aware of the costs of an custom key." - type = bool - default = false -} - -# global -variable "kms_alias_name" { - description = "Alias added to the kms_key (if created and not provided by kms_key_id)" - type = string - default = "" -} - -# global -variable "kms_deletion_window_in_days" { - description = "Key rotation window, set to 0 for no rotation. Only used when `enable_kms` is set to `true`." - type = number - default = 7 -} - # agent variable "enable_eip" { description = "Enable the assignment of an EIP to the gitlab runner instance" @@ -879,13 +889,6 @@ variable "asg_max_instance_lifetime" { type = number } -# global -variable "permissions_boundary" { - description = "Name of permissions boundary policy to attach to AWS IAM roles" - default = "" - type = string -} - # agent variable "log_group_name" { description = "Option to override the default name (`environment`) of the log group, requires `enable_cloudwatch_logging = true`." From ded5a6331939a4c6d38e0e0c9c17dfcb34def97d Mon Sep 17 00:00:00 2001 From: kayma Date: Wed, 22 Mar 2023 22:03:20 +0100 Subject: [PATCH 06/74] refactor some variables --- examples/runner-certificates/main.tf | 4 +- examples/runner-default/main.tf | 2 +- examples/runner-docker/main.tf | 4 +- examples/runner-multi-region/main.tf | 4 +- examples/runner-pre-registered/main.tf | 2 +- examples/runner-public/main.tf | 4 +- locals.tf | 2 +- main.tf | 68 +++---- migrations/migrate-to-7-0-0.sh | 28 +++ security_groups.tf | 14 +- variables.tf | 265 +++++++++++++------------ 11 files changed, 213 insertions(+), 184 deletions(-) 
diff --git a/examples/runner-certificates/main.tf b/examples/runner-certificates/main.tf index bddaa72f6..249365e35 100644 --- a/examples/runner-certificates/main.tf +++ b/examples/runner-certificates/main.tf @@ -27,9 +27,9 @@ module "runner" { ############################################### runners_name = var.runner_name - runners_gitlab_url = var.gitlab_url + agent_gitlab_url = var.gitlab_url - runners_executor = "docker" + executor_type = "docker" environment = var.environment diff --git a/examples/runner-default/main.tf b/examples/runner-default/main.tf index 25507fd5f..50b3dc73c 100644 --- a/examples/runner-default/main.tf +++ b/examples/runner-default/main.tf @@ -54,7 +54,7 @@ module "runner" { metrics_autoscaling = ["GroupDesiredCapacity", "GroupInServiceCapacity"] runners_name = var.runner_name - runners_gitlab_url = var.gitlab_url + agent_gitlab_url = var.gitlab_url enable_runner_ssm_access = true gitlab_runner_security_group_ids = [data.aws_security_group.default.id] diff --git a/examples/runner-docker/main.tf b/examples/runner-docker/main.tf index 30fc9e32b..1168f2b2d 100644 --- a/examples/runner-docker/main.tf +++ b/examples/runner-docker/main.tf @@ -50,9 +50,9 @@ module "runner" { vpc_id = module.vpc.vpc_id subnet_id = element(module.vpc.public_subnets, 0) - runners_executor = "docker" + executor_type = "docker" runners_name = var.runner_name - runners_gitlab_url = var.gitlab_url + agent_gitlab_url = var.gitlab_url gitlab_runner_registration_config = { registration_token = var.registration_token diff --git a/examples/runner-multi-region/main.tf b/examples/runner-multi-region/main.tf index 6b9476be9..cf46e1374 100644 --- a/examples/runner-multi-region/main.tf +++ b/examples/runner-multi-region/main.tf 
@@ -32,7 +32,7 @@ module "runner_main_region" { docker_machine_spot_price_bid = "on-demand-price" runners_name = var.runner_name - runners_gitlab_url = var.gitlab_url + agent_gitlab_url = var.gitlab_url runners_environment_vars = ["KEY=Value", "FOO=bar"] runners_privileged = "false" @@ -97,7 +97,7 @@ module "runner_alternate_region" { docker_machine_spot_price_bid = "on-demand-price" runners_name = var.runner_name - runners_gitlab_url = var.gitlab_url + agent_gitlab_url = var.gitlab_url runners_environment_vars = ["KEY=Value", "FOO=bar"] runners_privileged = "false" diff --git a/examples/runner-pre-registered/main.tf b/examples/runner-pre-registered/main.tf index c03695579..274e46d0a 100644 --- a/examples/runner-pre-registered/main.tf +++ b/examples/runner-pre-registered/main.tf @@ -32,7 +32,7 @@ module "runner" { subnet_id = element(module.vpc.private_subnets, 0) runners_name = var.runner_name - runners_gitlab_url = var.gitlab_url + agent_gitlab_url = var.gitlab_url runners_token = var.runner_token # working 9 to 5 :) diff --git a/examples/runner-public/main.tf b/examples/runner-public/main.tf index 1dc4878f4..ce1798844 100644 --- a/examples/runner-public/main.tf +++ b/examples/runner-public/main.tf @@ -39,7 +39,7 @@ module "runner" { docker_machine_spot_price_bid = "on-demand-price" runners_name = var.runner_name - runners_gitlab_url = var.gitlab_url + agent_gitlab_url = var.gitlab_url runners_environment_vars = ["KEY=Value", "FOO=bar"] runners_privileged = "false" @@ -81,7 +81,7 @@ module "runner2" { docker_machine_spot_price_bid = "on-demand-price" runners_name = var.runner_name - runners_gitlab_url = var.gitlab_url + agent_gitlab_url = var.gitlab_url gitlab_runner_registration_config = { registration_token = var.registration_token diff --git a/locals.tf b/locals.tf index 64ac391b2..3c12e1657 100644 --- a/locals.tf +++ b/locals.tf 
@@ -53,7 +53,7 @@ locals { runners_docker_registry_mirror_option = var.runners_docker_registry_mirror == "" ? [] : ["engine-registry-mirror=${var.runners_docker_registry_mirror}"] # Ensure max builds is optional - runners_max_builds_string = var.runners_max_builds == 0 ? "" : format("MaxBuilds = %d", var.runners_max_builds) + runners_max_builds_string = var.executor_max_builds == 0 ? "" : format("MaxBuilds = %d", var.executor_max_builds) # Define key for runner token for SSM secure_parameter_store_runner_token_key = "${var.environment}-${var.secure_parameter_store_runner_token_key}" diff --git a/main.tf b/main.tf index 3321efcbe..3ab286f38 100644 --- a/main.tf +++ b/main.tf @@ -58,14 +58,14 @@ locals { docker_machine_version = var.docker_machine_version docker_machine_download_url = var.docker_machine_download_url runners_config = local.template_runner_config - runners_userdata = var.runners_userdata - runners_executor = var.runners_executor - runners_install_amazon_ecr_credential_helper = var.runners_install_amazon_ecr_credential_helper + runners_userdata = var.executor_docker_machine_userdata + runners_executor = var.executor_type + runners_install_amazon_ecr_credential_helper = var.agent_install_amazon_ecr_credential_helper curl_cacert = length(var.runners_gitlab_certificate) > 0 ? "--cacert /etc/gitlab-runner/certs/gitlab.crt" : "" pre_install_certificates = local.pre_install_certificates pre_install = var.userdata_pre_install post_install = var.userdata_post_install - runners_gitlab_url = var.runners_gitlab_url + runners_gitlab_url = var.agent_gitlab_url runners_token = var.runners_token secure_parameter_store_runner_token_key = local.secure_parameter_store_runner_token_key secure_parameter_store_runner_sentry_dsn = local.secure_parameter_store_runner_sentry_dsn 
@@ -77,14 +77,14 @@ locals { gitlab_runner_run_untagged = var.gitlab_runner_registration_config["run_untagged"] gitlab_runner_maximum_timeout = var.gitlab_runner_registration_config["maximum_timeout"] gitlab_runner_access_level = lookup(var.gitlab_runner_registration_config, "access_level", "not_protected") - sentry_dsn = var.sentry_dsn + sentry_dsn = var.agent_sentry_dsn }) template_runner_config = templatefile("${path.module}/template/runner-config.tftpl", { aws_region = data.aws_region.current.name - gitlab_url = var.runners_gitlab_url - gitlab_clone_url = var.runners_clone_url + gitlab_url = var.agent_gitlab_url + gitlab_clone_url = var.agent_gitlab_clone_url tls_ca_file = length(var.runners_gitlab_certificate) > 0 ? "tls-ca-file=\"/etc/gitlab-runner/certs/gitlab.crt\"" : "" runners_extra_hosts = var.runners_extra_hosts runners_vpc_id = var.vpc_id 
@@ -92,21 +92,21 @@ locals { runners_aws_zone = data.aws_availability_zone.runners.name_suffix runners_instance_type = var.docker_machine_instance_type runners_spot_price_bid = var.docker_machine_spot_price_bid == "on-demand-price" || var.docker_machine_spot_price_bid == null ? "" : var.docker_machine_spot_price_bid - runners_ami = var.runners_executor == "docker+machine" ? data.aws_ami.docker-machine[0].id : "" - runners_security_group_name = var.runners_executor == "docker+machine" ? aws_security_group.docker_machine[0].name : "" + runners_ami = var.executor_type == "docker+machine" ? data.aws_ami.docker-machine[0].id : "" + runners_security_group_name = var.executor_type == "docker+machine" ? aws_security_group.docker_machine[0].name : "" runners_monitoring = var.runners_monitoring runners_ebs_optimized = var.runners_ebs_optimized - runners_instance_profile = var.runners_executor == "docker+machine" ? aws_iam_instance_profile.docker_machine[0].name : "" + runners_instance_profile = var.executor_type == "docker+machine" ? aws_iam_instance_profile.docker_machine[0].name : "" runners_additional_volumes = local.runners_additional_volumes docker_machine_options = length(local.docker_machine_options_string) == 1 ? 
"" : local.docker_machine_options_string docker_machine_name = format("%s-%s", local.runner_tags_merged["Name"], "%s") # %s is always needed runners_name = var.runners_name runners_tags = replace(replace(local.runner_tags_string, ",,", ","), "/,$/", "") runners_token = var.runners_token - runners_userdata = var.runners_userdata - runners_executor = var.runners_executor - runners_limit = var.runners_limit - runners_concurrent = var.runners_concurrent + runners_userdata = var.executor_docker_machine_userdata + runners_executor = var.executor_type + runners_limit = var.executor_max_jobs + runners_concurrent = var.agent_maximum_concurrent_jobs runners_image = var.runners_image runners_privileged = var.runners_privileged runners_disable_cache = var.runners_disable_cache @@ -114,8 +114,8 @@ locals { runners_helper_image = var.runners_helper_image runners_shm_size = var.runners_shm_size runners_pull_policies = local.runners_pull_policies - runners_idle_count = var.runners_idle_count - runners_idle_time = var.runners_idle_time + runners_idle_count = var.executor_idle_count + runners_idle_time = var.executor_idle_time runners_max_builds = local.runners_max_builds_string runners_machine_autoscaling = local.runners_machine_autoscaling runners_root_size = var.runners_root_size 
@@ -130,21 +130,21 @@ locals { runners_pre_clone_script = var.runners_pre_clone_script runners_request_concurrency = var.runners_request_concurrency runners_output_limit = var.runners_output_limit - runners_check_interval = var.runners_check_interval + runners_check_interval = var.agent_gitlab_check_interval runners_volumes_tmpfs = join("\n", [for v in var.runners_volumes_tmpfs : format("\"%s\" = \"%s\"", v.volume, v.options)]) runners_services_volumes_tmpfs = join("\n", [for v in var.runners_services_volumes_tmpfs : format("\"%s\" = \"%s\"", v.volume, v.options)]) runners_docker_services = local.runners_docker_services bucket_name = local.bucket_name shared_cache = var.cache_shared - sentry_dsn = var.sentry_dsn - prometheus_listen_address = var.prometheus_listen_address + sentry_dsn = var.agent_sentry_dsn + prometheus_listen_address = var.agent_prometheus_listen_address auth_type = var.auth_type_cache_sr } ) } data "aws_ami" "docker-machine" { - count = var.runners_executor == "docker+machine" ? 1 : 0 + count = var.executor_type == "docker+machine" ? 1 : 0 most_recent = "true" @@ -246,9 +246,9 @@ resource "aws_launch_template" "gitlab_runner_instance" { image_id = data.aws_ami.runner.id user_data = base64gzip(local.template_user_data) - instance_type = var.instance_type + instance_type = var.agent_instance_type update_default_version = true - ebs_optimized = var.runner_instance_ebs_optimized + ebs_optimized = var.agent_ebs_optimized monitoring { enabled = var.runner_instance_enable_monitoring } 
@@ -284,7 +284,7 @@ resource "aws_launch_template" "gitlab_runner_instance" { } } network_interfaces { - security_groups = concat([aws_security_group.runner.id], var.extra_security_group_ids_runner_agent) + security_groups = concat([aws_security_group.runner.id], var.agent_extra_security_group_ids) associate_public_ip_address = false == (var.runner_agent_uses_private_address == false ? var.runner_agent_uses_private_address : var.runners_use_private_address) } tag_specifications { @@ -306,10 +306,10 @@ resource "aws_launch_template" "gitlab_runner_instance" { tags = local.tags metadata_options { - http_endpoint = var.runner_instance_metadata_options.http_endpoint - http_tokens = var.runner_instance_metadata_options.http_tokens - http_put_response_hop_limit = var.runner_instance_metadata_options.http_put_response_hop_limit - instance_metadata_tags = var.runner_instance_metadata_options.instance_metadata_tags + http_endpoint = var.agent_metadata_options.http_endpoint + http_tokens = var.agent_metadata_options.http_tokens + http_put_response_hop_limit = var.agent_metadata_options.http_put_response_hop_limit + instance_metadata_tags = var.agent_metadata_options.instance_metadata_tags } lifecycle { @@ -377,7 +377,7 @@ resource "aws_iam_role" "instance" { ### iam:PassRole To pass the role from the agent to the docker machine runners ################################################################################ resource "aws_iam_policy" "instance_docker_machine_policy" { - count = var.runners_executor == "docker+machine" && var.create_runner_iam_role ? 1 : 0 + count = var.executor_type == "docker+machine" && var.create_runner_iam_role ? 1 : 0 name = "${local.name_iam_objects}-docker-machine" path = "/" 
@@ -391,7 +391,7 @@ resource "aws_iam_policy" "instance_docker_machine_policy" { } resource "aws_iam_role_policy_attachment" "instance_docker_machine_policy" { - count = var.runners_executor == "docker+machine" && var.create_runner_iam_role ? 1 : 0 + count = var.executor_type == "docker+machine" && var.create_runner_iam_role ? 1 : 0 role = aws_iam_role.instance[0].name policy_arn = aws_iam_policy.instance_docker_machine_policy[0].arn @@ -442,7 +442,7 @@ resource "aws_iam_role_policy_attachment" "docker_machine_cache_instance" { /* If the S3 cache adapter is configured to use an IAM instance profile, the adapter uses the profile attached to the GitLab Runner machine. So do not use aws_iam_role.docker_machine.name here! See https://docs.gitlab.com/runner/configuration/advanced-configuration.html */ - count = var.runners_executor == "docker+machine" ? (var.cache_bucket["create"] || lookup(var.cache_bucket, "policy", "") != "" ? 1 : 0) : 0 + count = var.executor_type == "docker+machine" ? (var.cache_bucket["create"] || lookup(var.cache_bucket, "policy", "") != "" ? 1 : 0) : 0 role = var.create_runner_iam_role ? aws_iam_role.instance[0].name : local.aws_iam_role_instance_name policy_arn = local.bucket_policy 
@@ -452,7 +452,7 @@ resource "aws_iam_role_policy_attachment" "docker_machine_cache_instance" { ### docker machine instance policy ################################################################################ resource "aws_iam_role" "docker_machine" { - count = var.runners_executor == "docker+machine" ? 1 : 0 + count = var.executor_type == "docker+machine" ? 1 : 0 name = "${local.name_iam_objects}-docker-machine" assume_role_policy = length(var.docker_machine_role_json) > 0 ? var.docker_machine_role_json : templatefile("${path.module}/policies/instance-role-trust-policy.json", {}) permissions_boundary = var.iam_permissions_boundary == "" ? null : "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:policy/${var.iam_permissions_boundary}" @@ -461,7 +461,7 @@ resource "aws_iam_role" "docker_machine" { } resource "aws_iam_instance_profile" "docker_machine" { - count = var.runners_executor == "docker+machine" ? 1 : 0 + count = var.executor_type == "docker+machine" ? 1 : 0 name = "${local.name_iam_objects}-docker-machine" role = aws_iam_role.docker_machine[0].name tags = local.tags @@ -471,7 +471,7 @@ resource "aws_iam_instance_profile" "docker_machine" { ### Add user defined policies ################################################################################ resource "aws_iam_role_policy_attachment" "docker_machine_user_defined_policies" { - count = var.runners_executor == "docker+machine" ? length(var.docker_machine_iam_policy_arns) : 0 + count = var.executor_type == "docker+machine" ? length(var.docker_machine_iam_policy_arns) : 0 role = aws_iam_role.docker_machine[0].name policy_arn = var.docker_machine_iam_policy_arns[count.index] 
@@ -479,7 +479,7 @@ resource "aws_iam_role_policy_attachment" "docker_machine_user_defined_policies" ################################################################################ resource "aws_iam_role_policy_attachment" "docker_machine_session_manager_aws_managed" { - count = (var.runners_executor == "docker+machine" && var.enable_docker_machine_ssm_access) ? 1 : 0 + count = (var.executor_type == "docker+machine" && var.enable_docker_machine_ssm_access) ? 1 : 0 role = aws_iam_role.docker_machine[0].name policy_arn = "arn:${data.aws_partition.current.partition}:iam::aws:policy/AmazonSSMManagedInstanceCore" diff --git a/migrations/migrate-to-7-0-0.sh b/migrations/migrate-to-7-0-0.sh index ac788a003..91721f492 100755 --- a/migrations/migrate-to-7-0-0.sh +++ b/migrations/migrate-to-7-0-0.sh 
@@ -33,6 +33,34 @@ sed 's/enable_kms/enable_managed_kms_key/g' "$converted_file" | \ sed 's/kms_alias_name/kms_managed_alias_name/g' | \ sed 's/kms_deletion_window_in_days/kms_managed_deletion_rotation_window_in_days/g' | \ sed 's/permission_boundary/iam_permission_boundary/g' | \ +sed 's/extra_security_group_ids_runner_agent/agent_extra_security_group_ids/g' | \ +sed 's/instance_type/agent_instance_type/g' | \ +sed 's/runner_instance_ebs_optimized/agent_ebs_optimized/g' | \ +sed 's/runner_instance_enable_monitoring/agent_enable_monitoring/g' | \ +sed 's/runner_instance_metadata_options/agent_metadata_options/g' | \ +sed 's/runners_userdata/executor_docker_machine_userdata/g' | \ +sed 's/runners_executor/executor_type/g' | \ +sed 's/runners_install_amazon_ecr_credential_helper/agent_install_amazon_ecr_credential_helper/g' | \ +sed 's/runners_clone_url/agent_gitlab_clone_url/g' | \ +sed 's/runners_gitlab_url/agent_gitlab_url/g' | \ +sed 's/runners_max_builds/executor_max_builds/g' | \ +sed 's/runners_idle_count/executor_idle_count/g' | \ +sed 's/runners_idle_time/executor_idle_time/g' | \ +sed 's/runners_concurrent/agent_maximum_concurrent_jobs/g' | \ +sed 's/runners_limit/executor_max_jobs/g' | \ +sed 's/runners_check_interval/agent_gitlab_check_interval/g' | \ +sed 's/sentry_dsn/agent_sentry_dsn/g' | \ +sed 's/prometheus_listen_address/agent_prometheus_listen_address/g' | \ +sed 's///g' | \ +sed 's///g' | \ +sed 's///g' | \ +sed 's///g' | \ +sed 's///g' | \ +sed 's///g' | \ +sed 's///g' | \ +sed 's///g' | \ +sed 's///g' | \ +sed 's///g' | \ sed 's///g' | \ sed 's///g' | \ sed 's///g' | \ diff --git a/security_groups.tf b/security_groups.tf index 210217d2c..b8bd65659 100644 --- a/security_groups.tf +++ b/security_groups.tf 
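Review bot: The added substitutions are plain substring matches, so `sed 's/instance_type/agent_instance_type/g'` also rewrites `docker_machine_instance_type` (it is visible as a context line in the main.tf hunks of this same patch) into `docker_machine_agent_instance_type`, and `sed 's/sentry_dsn/agent_sentry_dsn/g'` hits every longer identifier ending in `sentry_dsn`, such as `secure_parameter_store_runner_sentry_dsn`. Anchoring on word boundaries keeps `_`-joined names intact because `_` is a word character for GNU sed: `sed 's/\binstance_type\b/agent_instance_type/g'` and `sed 's/\bsentry_dsn\b/agent_sentry_dsn/g'`. The ten added `sed 's///g'` placeholder stages are a separate problem: an empty regex means "reuse the previous expression", and since each stage is its own sed process there is none, so GNU sed rejects the script and the pipeline aborts instead of passing the text through; dropping the placeholders is safer than keeping them as templates. The pipeline these lines extend begins before the hunk.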
@@ -66,7 +66,7 @@ resource "aws_security_group_rule" "runner_ping_group" { resource "aws_security_group" "docker_machine" { # checkov:skip=CKV2_AWS_5:Security group is used within an template and assigned to the docker machines - count = var.runners_executor == "docker+machine" ? 1 : 0 + count = var.executor_type == "docker+machine" ? 1 : 0 name_prefix = "${local.name_sg}-docker-machine" vpc_id = var.vpc_id @@ -107,7 +107,7 @@ resource "aws_security_group" "docker_machine" { # Allow docker-machine traffic from gitlab-runner agent instances to docker-machine instances resource "aws_security_group_rule" "docker_machine_docker_runner" { - count = var.runners_executor == "docker+machine" ? 1 : 0 + count = var.executor_type == "docker+machine" ? 1 : 0 type = "ingress" from_port = 2376 @@ -136,7 +136,7 @@ locals { # Allow SSH traffic from gitlab-runner agent instances and security group IDs to docker-machine instances resource "aws_security_group_rule" "docker_machine_ssh_runner" { - count = var.runners_executor == "docker+machine" ? 1 : 0 + count = var.executor_type == "docker+machine" ? 1 : 0 type = "ingress" from_port = 22 @@ -155,7 +155,7 @@ resource "aws_security_group_rule" "docker_machine_ssh_runner" { # Allow ICMP traffic from gitlab-runner agent instances and security group IDs to docker-machine instances resource "aws_security_group_rule" "docker_machine_ping_runner" { - count = var.runners_executor == "docker+machine" ? length(local.security_groups_ping) : 0 + count = var.executor_type == "docker+machine" ? length(local.security_groups_ping) : 0 type = "ingress" from_port = -1 
@@ -178,7 +178,7 @@ resource "aws_security_group_rule" "docker_machine_ping_runner" { # Allow docker-machine traffic from docker-machine instances to docker-machine instances on port 2376 resource "aws_security_group_rule" "docker_machine_docker_self" { - count = var.runners_executor == "docker+machine" ? 1 : 0 + count = var.executor_type == "docker+machine" ? 1 : 0 type = "ingress" from_port = 2376 @@ -196,7 +196,7 @@ resource "aws_security_group_rule" "docker_machine_docker_self" { # Allow SSH traffic from docker-machine instances to docker-machine instances on port 22 resource "aws_security_group_rule" "docker_machine_ssh_self" { - count = var.runners_executor == "docker+machine" ? 1 : 0 + count = var.executor_type == "docker+machine" ? 1 : 0 type = "ingress" from_port = 22 @@ -214,7 +214,7 @@ resource "aws_security_group_rule" "docker_machine_ssh_self" { # Allow ICMP traffic from docker-machine instances to docker-machine instances resource "aws_security_group_rule" "docker_machine_ping_self" { - count = (var.runners_executor == "docker+machine" && var.enable_ping) ? 1 : 0 + count = (var.executor_type == "docker+machine" && var.enable_ping) ? 1 : 0 type = "ingress" from_port = -1 diff --git a/variables.tf b/variables.tf index b545a0a23..776934203 100644 --- a/variables.tf +++ b/variables.tf 
@@ -74,11 +74,131 @@ variable "iam_object_prefix" { * Agent variables. The agent runs the GitLab Runner software and is responsible for starting the executors. */ variable "agent_instance_prefix" { - description = "Set the name prefix and override the `Name` tag for the EC2 GitLab Runner Agent instance." + description = "Set the name prefix and override the `Name` tag for the Agent instance." type = string default = "" } +variable "agent_instance_type" { + description = "Agent instance type used." + type = string + default = "t3.micro" +} + +variable "agent_ebs_optimized" { + description = "Enable the Agent instance to be EBS-optimized." + type = bool + default = true +} + +variable "agent_enable_monitoring" { + description = "Enable the detailed monitoring on the Agent instance." + type = bool + default = true +} + +variable "agent_extra_security_group_ids" { + description = "IDs of security groups to add to the Agent." + type = list(string) + default = [] +} + +variable "agent_metadata_options" { + description = "Enable the Gitlab runner agent instance metadata service. IMDSv2 is enabled by default." + type = object({ + http_endpoint = string + http_tokens = string + http_put_response_hop_limit = number + instance_metadata_tags = string + }) + default = { + http_endpoint = "enabled" + http_tokens = "required" + http_put_response_hop_limit = 2 + instance_metadata_tags = "disabled" + } +} + +variable "agent_install_amazon_ecr_credential_helper" { + description = "Install amazon-ecr-credential-helper inside `userdata_pre_install` script" + type = bool + default = false +} + +# agent +variable "agent_gitlab_check_interval" { + description = "Number of seconds between checking for available jobs." + type = number + default = 3 +} + +variable "agent_gitlab_url" { + description = "URL of the GitLab instance to connect to." + type = string +} + +variable "agent_gitlab_clone_url" { + description = "Overwrites the URL for the GitLab instance. 
Use only if the agent can’t connect to the GitLab URL." + type = string + default = "" +} + +variable "agent_maximum_concurrent_jobs" { + description = "The maximum number of jobs which can be processed by all executors at the same time." + type = number + default = 10 +} + +variable "agent_sentry_dsn" { + description = "Sentry DSN of the project for the Agent to use (uses legacy DSN format)" + type = string + default = "__SENTRY_DSN_REPLACED_BY_USER_DATA__" +} + +variable "agent_prometheus_listen_address" { + description = "Defines an address (:) the Prometheus metrics HTTP server should listen on." + type = string + default = "" +} + +/* + * Executor variables valid for all executors. + */ +variable "executor_type" { + description = "The executor type to use. Currently supports `docker+machine` or `docker`." + type = string + default = "docker+machine" + + validation { + condition = contains(["docker+machine", "docker"], var.executor_type) + error_message = "The executor currently supports `docker+machine` or `docker`." + } +} + +variable "executor_max_builds" { + description = "Destroys the executor after processing this many jobs. Set to `0` to disable this feature." + type = number + default = 0 +} + +variable "executor_max_jobs" { + description = "Number of jobs which can be processed in parallel by the executor." + type = number + default = 0 +} + +variable "executor_idle_time" { + description = "Idle time of the runners before they are destroyed." + type = number + default = 600 +} + +variable "executor_idle_count" { + description = "Number of idle Executor instances." + type = number + default = 0 +} + /* * docker+machine Executor variables. The executor is the actual machine that runs the job. */ 
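Review bot: Some of the new variable descriptions omit the detail a caller needs to choose a value. `executor_max_jobs` is wired to the runner's `limit` setting (`runners_limit = var.executor_max_jobs` in this patch's main.tf hunk) and its default `0` means "no limit", which the text does not say; `executor_idle_time` states no unit although, as far as the runner's `IdleTime` setting goes, it is read as seconds. Suggested wording: `description = "Number of jobs which can be processed in parallel by the executor. Set to \`0\` for no limit."` and `description = "Idle time of the runners in seconds before they are destroyed."`. The `agent_prometheus_listen_address` description reads `(:)`, which looks like a `<host>:<port>` placeholder that was stripped from the string; restoring it as `(<host>:<port>)` is worth doing while the variable is being renamed anyway.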
@@ -98,6 +218,18 @@ variable "executor_docker_machine_instance_prefix" { } } +variable "executor_docker_machine_userdata" { + description = "Cloud-init user data that will be passed to the Executor EC2 instance. Should not be base64 encrypted." + type = string + default = "" +} + + + + + + + # agent variable "auth_type_cache_sr" { description = "A string that declares the AuthenticationType for [runners.cache.s3]. Can either be 'iam' or 'credentials'" @@ -105,12 +237,6 @@ variable "auth_type_cache_sr" { default = "iam" } -# agent -variable "extra_security_group_ids_runner_agent" { - description = "Optional IDs of extra security groups to apply to the runner agent. This will not apply to the runners spun up when using the docker+machine executor, which is the default." - type = list(string) - default = [] -} # agent variable "metrics_autoscaling" { @@ -119,27 +245,6 @@ variable "metrics_autoscaling" { default = null } -# agent -variable "instance_type" { - description = "Instance type used for the GitLab runner." - type = string - default = "t3.micro" -} - -# agent -variable "runner_instance_ebs_optimized" { - description = "Enable the GitLab runner instance to be EBS-optimized." - type = bool - default = true -} - -# agent -variable "runner_instance_enable_monitoring" { - description = "Enable the GitLab runner instance to have detailed monitoring." - type = bool - default = true -} - # agent variable "runner_instance_spot_price" { description = "By setting a spot price bid price the runner agent will be created via a spot request. Be aware that spot instances can be stopped by AWS. Choose \"on-demand-price\" to pay up to the current on demand price for the instance type chosen." 
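Review bot: The `executor_docker_machine_userdata` description says the value "Should not be base64 encrypted", but base64 is an encoding, not encryption, and the input is plain cloud-init text; `description = "Cloud-init user data that will be passed to the Executor EC2 instance. Must be plain text, not base64-encoded."` says what is meant. The six empty lines added between that block and the `# agent` comment read as leftover whitespace and will most likely be collapsed by `terraform fmt` on the next run, so trimming them now keeps the formatting check quiet.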
@@ -147,22 +252,6 @@ variable "runner_instance_spot_price" { default = null } -# agent -variable "runner_instance_metadata_options" { - description = "Enable the Gitlab runner agent instance metadata service." - type = object({ - http_endpoint = string - http_tokens = string - http_put_response_hop_limit = number - instance_metadata_tags = string - }) - default = { - http_endpoint = "enabled" - http_tokens = "required" - http_put_response_hop_limit = 2 - instance_metadata_tags = "disabled" - } -} # executor variable "docker_machine_instance_metadata_options" { @@ -211,44 +300,10 @@ variable "runners_name" { type = string } -# agent -variable "runners_userdata" { - description = "Cloud-init user data that will be passed to the runner ec2 instance. Available only for `docker+machine` driver. Should not be base64 encrypted." - type = string - default = "" -} -# agent -variable "runners_executor" { - description = "The executor to use. Currently supports `docker+machine` or `docker`." - type = string - default = "docker+machine" - validation { - condition = contains(["docker+machine", "docker"], var.runners_executor) - error_message = "The executor currently supports `docker+machine` or `docker`." - } -} -# agent -variable "runners_install_amazon_ecr_credential_helper" { - description = "Install amazon-ecr-credential-helper inside `userdata_pre_install` script" - type = bool - default = false -} -# agent -variable "runners_gitlab_url" { - description = "URL of the GitLab instance to connect to." - type = string -} - -# agent -variable "runners_clone_url" { - description = "Overwrites the URL for the GitLab instance. Use only if the runner can’t connect to the GitLab URL." - type = string - default = "" -} # agent variable "runners_token" { 
@@ -257,40 +312,6 @@ variable "runners_token" { default = "__REPLACED_BY_USER_DATA__" } -# agent -variable "runners_limit" { - description = "Limit for the runners, will be used in the runner config.toml." - type = number - default = 0 -} - -# agent -variable "runners_concurrent" { - description = "Concurrent value for the runners, will be used in the runner config.toml." - type = number - default = 10 -} - -# agent -variable "runners_idle_time" { - description = "Idle time of the runners, will be used in the runner config.toml." - type = number - default = 600 -} - -# agent -variable "runners_idle_count" { - description = "Idle count of the runners, will be used in the runner config.toml." - type = number - default = 0 -} - -# agent -variable "runners_max_builds" { - description = "Max builds for each runner after which it will be removed, will be used in the runner config.toml. By default set to 0, no maxBuilds will be set in the configuration." - type = number - default = 0 -} # executor variable "runners_image" { @@ -493,13 +514,6 @@ variable "runners_request_spot_instance" { default = true } -# agent -variable "runners_check_interval" { - description = "defines the interval length, in seconds, between new jobs check." - type = number - default = 3 -} - # executor variable "cache_logging_bucket" { type = string @@ -924,19 +938,6 @@ variable "docker_machine_iam_policy_arns" { default = [] } -# agent -variable "sentry_dsn" { - default = "__SENTRY_DSN_REPLACED_BY_USER_DATA__" - description = "Sentry DSN of the project for the runner to use (uses legacy DSN format)" - type = string -} - -# agent -variable "prometheus_listen_address" { - default = "" - description = "Defines an address (:) the Prometheus metrics HTTP server should listen on." - type = string -} # executor variable "docker_machine_egress_rules" { From b4db8bfa688047f319e01564de8093dff962ff72 Mon Sep 17 00:00:00 2001 
From: kayma Date: Wed, 22 Mar 2023 22:38:18 +0100 Subject: [PATCH 07/74] refactor some variables --- examples/runner-certificates/README.md | 6 +- examples/runner-certificates/main.tf | 4 +- examples/runner-default/main.tf | 2 +- examples/runner-docker/main.tf | 2 +- locals.tf | 12 +-- logging.tf | 4 +- main.tf | 52 +++++----- migrations/migrate-to-7-0-0.sh | 20 ++-- variables.tf | 129 ++++++++++++------------- 9 files changed, 112 insertions(+), 119 deletions(-) diff --git a/examples/runner-certificates/README.md b/examples/runner-certificates/README.md index 9e8ddd2e0..c8acf9fe8 100644 --- a/examples/runner-certificates/README.md +++ b/examples/runner-certificates/README.md @@ -28,7 +28,7 @@ Create a PEM-encoded `.crt` file containing the public certificate of your Gitla module { ... # Public cert of my companys gitlab instance - runners_gitlab_certificate = file("${path.module}/my_gitlab_instance_cert.crt") + agent_gitlab_certificate = file("${path.module}/my_gitlab_instance_cert.crt") ... } ``` @@ -38,7 +38,7 @@ Add your CA and intermediary certs to a second PEM-encoded `.crt` file. module { ... # Other public certs relating to my company. - runners_ca_certificate = file("${path.module}/my_company_ca_cert_bundle.crt") + agent_gitlab_ca_certificate = file("${path.module}/my_company_ca_cert_bundle.crt") ... } ``` @@ -160,4 +160,4 @@ module { ## Outputs No outputs. - \ No newline at end of file + diff --git a/examples/runner-certificates/main.tf b/examples/runner-certificates/main.tf index 249365e35..cc8116a9f 100644 --- a/examples/runner-certificates/main.tf +++ b/examples/runner-certificates/main.tf 
@@ -38,10 +38,10 @@ module "runner" { ############################################### # Public cert of my companys gitlab instance - runners_gitlab_certificate = file("${path.module}/my_gitlab_instance_cert.crt") + agent_gitlab_certificate = file("${path.module}/my_gitlab_instance_cert.crt") # Other public certs relating to my company. - runners_ca_certificate = file("${path.module}/my_company_ca_cert_bundle.crt") + agent_gitlab_ca_certificate = file("${path.module}/my_company_ca_cert_bundle.crt") # Mount EC2 host certs in docker so all user docker images can reference them. # Each user image will need to do: diff --git a/examples/runner-default/main.tf b/examples/runner-default/main.tf index 50b3dc73c..f65a117d6 100644 --- a/examples/runner-default/main.tf +++ b/examples/runner-default/main.tf @@ -55,7 +55,7 @@ module "runner" { runners_name = var.runner_name agent_gitlab_url = var.gitlab_url - enable_runner_ssm_access = true + agent_enable_ssm_access = true gitlab_runner_security_group_ids = [data.aws_security_group.default.id] diff --git a/examples/runner-docker/main.tf b/examples/runner-docker/main.tf index 1168f2b2d..a663b54b8 100644 --- a/examples/runner-docker/main.tf +++ b/examples/runner-docker/main.tf @@ -42,7 +42,7 @@ module "runner" { environment = var.environment runners_use_private_address = false - enable_eip = true + agent_enable_eip = true docker_machine_security_group_description = "Custom description for docker-machine" gitlab_runner_security_group_description = "Custom description for gitlab-runner" diff --git a/locals.tf b/locals.tf index 3c12e1657..66c0d31b5 100644 --- a/locals.tf +++ b/locals.tf 
@@ -1,21 +1,21 @@ locals { # Manage certificates pre_install_gitlab_certificate = ( - length(var.runners_gitlab_certificate) > 0 + length(var.agent_gitlab_certificate) > 0 ? <<-EOT mkdir -p /etc/gitlab-runner/certs/ cat <<- EOF > /etc/gitlab-runner/certs/gitlab.crt - ${var.runners_gitlab_certificate} + ${var.agent_gitlab_certificate} EOF EOT : "" ) pre_install_ca_certificate = ( - length(var.runners_ca_certificate) > 0 + length(var.agent_gitlab_ca_certificate) > 0 ? <<-EOT mkdir -p /etc/gitlab-runner/certs/ cat <<- EOF > /etc/gitlab-runner/certs/ca.crt - ${var.runners_ca_certificate} + ${var.agent_gitlab_ca_certificate} EOF EOT : "" @@ -28,7 +28,7 @@ locals { EOT pre_install_certificates = ( # If either (or both) _certificate variables are specified - length(var.runners_gitlab_certificate) + length(var.runners_ca_certificate) > 0 + length(var.agent_gitlab_certificate) + length(var.agent_gitlab_ca_certificate) > 0 ? join("\n", [ local.pre_install_gitlab_certificate, local.pre_install_ca_certificate, @@ -39,7 +39,7 @@ locals { # Determine IAM role for runner instance aws_iam_role_instance_name = coalesce( - var.runner_iam_role_name, + var.agent_iam_role_profile_name, "${local.name_iam_objects}-instance" ) aws_iam_role_instance_arn = "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:role/${local.aws_iam_role_instance_name}" diff --git a/logging.tf b/logging.tf index 249e8922b..e46410e16 100644 --- a/logging.tf +++ b/logging.tf 
@@ -1,7 +1,7 @@ resource "aws_iam_role_policy" "instance" { - count = var.enable_cloudwatch_logging && var.create_runner_iam_role ? 1 : 0 + count = var.enable_cloudwatch_logging && var.agent_create_runner_iam_role_profile ? 1 : 0 name = "${local.name_iam_objects}-logging" - role = var.create_runner_iam_role ? aws_iam_role.instance[0].name : local.aws_iam_role_instance_name + role = var.agent_create_runner_iam_role_profile ? aws_iam_role.instance[0].name : local.aws_iam_role_instance_name policy = templatefile("${path.module}/policies/instance-logging-policy.json", { partition = data.aws_partition.current.partition }) } diff --git a/main.tf b/main.tf index 3ab286f38..05cc2f2ac 100644 --- a/main.tf +++ b/main.tf @@ -38,12 +38,12 @@ resource "aws_ssm_parameter" "runner_sentry_dsn" { locals { template_user_data = templatefile("${path.module}/template/user-data.tftpl", { - eip = var.enable_eip ? local.template_eip : "" + eip = var.agent_enable_eip ? local.template_eip : "" logging = var.enable_cloudwatch_logging ? local.logging_user_data : "" gitlab_runner = local.template_gitlab_runner user_data_trace_log = var.enable_runner_user_data_trace_log - yum_update = var.runner_yum_update ? local.file_yum_update : "" - extra_config = var.runner_extra_config + yum_update = var.agent_yum_update ? local.file_yum_update : "" + extra_config = var.agent_user_data_extra }) file_yum_update = file("${path.module}/template/yum_update.tftpl") 
@@ -61,7 +61,7 @@ locals { runners_userdata = var.executor_docker_machine_userdata runners_executor = var.executor_type runners_install_amazon_ecr_credential_helper = var.agent_install_amazon_ecr_credential_helper - curl_cacert = length(var.runners_gitlab_certificate) > 0 ? "--cacert /etc/gitlab-runner/certs/gitlab.crt" : "" + curl_cacert = length(var.agent_gitlab_certificate) > 0 ? "--cacert /etc/gitlab-runner/certs/gitlab.crt" : "" pre_install_certificates = local.pre_install_certificates pre_install = var.userdata_pre_install post_install = var.userdata_post_install @@ -85,7 +85,7 @@ locals { aws_region = data.aws_region.current.name gitlab_url = var.agent_gitlab_url gitlab_clone_url = var.agent_gitlab_clone_url - tls_ca_file = length(var.runners_gitlab_certificate) > 0 ? "tls-ca-file=\"/etc/gitlab-runner/certs/gitlab.crt\"" : "" + tls_ca_file = length(var.agent_gitlab_certificate) > 0 ? "tls-ca-file=\"/etc/gitlab-runner/certs/gitlab.crt\"" : "" runners_extra_hosts = var.runners_extra_hosts runners_vpc_id = var.vpc_id runners_subnet_id = var.subnet_id @@ -250,7 +250,7 @@ resource "aws_launch_template" "gitlab_runner_instance" { update_default_version = true ebs_optimized = var.agent_ebs_optimized monitoring { - enabled = var.runner_instance_enable_monitoring + enabled = var.agent_enable_monitoring } dynamic "instance_market_options" { for_each = var.runner_instance_spot_price == null || var.runner_instance_spot_price == "" ? [] : ["spot"] @@ -353,7 +353,7 @@ module "cache" { ### Trust policy ################################################################################ resource "aws_iam_instance_profile" "instance" { - count = var.create_runner_iam_role ? 1 : 0 + count = var.agent_create_runner_iam_role_profile ? 1 : 0 name = local.aws_iam_role_instance_name role = local.aws_iam_role_instance_name 
@@ -362,7 +362,7 @@ resource "aws_iam_instance_profile" "instance" { } resource "aws_iam_role" "instance" { - count = var.create_runner_iam_role ? 1 : 0 + count = var.agent_create_runner_iam_role_profile ? 1 : 0 name = local.aws_iam_role_instance_name assume_role_policy = length(var.instance_role_json) > 0 ? var.instance_role_json : templatefile("${path.module}/policies/instance-role-trust-policy.json", {}) @@ -377,7 +377,7 @@ resource "aws_iam_role" "instance" { ### iam:PassRole To pass the role from the agent to the docker machine runners ################################################################################ resource "aws_iam_policy" "instance_docker_machine_policy" { - count = var.executor_type == "docker+machine" && var.create_runner_iam_role ? 1 : 0 + count = var.executor_type == "docker+machine" && var.agent_create_runner_iam_role_profile ? 1 : 0 name = "${local.name_iam_objects}-docker-machine" path = "/" @@ -391,7 +391,7 @@ resource "aws_iam_policy" "instance_docker_machine_policy" { } resource "aws_iam_role_policy_attachment" "instance_docker_machine_policy" { - count = var.executor_type == "docker+machine" && var.create_runner_iam_role ? 1 : 0 + count = var.executor_type == "docker+machine" && var.agent_create_runner_iam_role_profile ? 1 : 0 role = aws_iam_role.instance[0].name policy_arn = aws_iam_policy.instance_docker_machine_policy[0].arn @@ -401,7 +401,7 @@ resource "aws_iam_role_policy_attachment" "instance_docker_machine_policy" { ### Policies for runner agent instance to allow connection via Session Manager ################################################################################ resource "aws_iam_policy" "instance_session_manager_policy" { - count = var.enable_runner_ssm_access ? 1 : 0 + count = var.agent_enable_ssm_access ? 1 : 0 name = "${local.name_iam_objects}-session-manager" path = "/" 
@@ -412,16 +412,16 @@ resource "aws_iam_policy" "instance_session_manager_policy" { } resource "aws_iam_role_policy_attachment" "instance_session_manager_policy" { - count = var.enable_runner_ssm_access ? 1 : 0 + count = var.agent_enable_ssm_access ? 1 : 0 - role = var.create_runner_iam_role ? aws_iam_role.instance[0].name : local.aws_iam_role_instance_name + role = var.agent_create_runner_iam_role_profile ? aws_iam_role.instance[0].name : local.aws_iam_role_instance_name policy_arn = aws_iam_policy.instance_session_manager_policy[0].arn } resource "aws_iam_role_policy_attachment" "instance_session_manager_aws_managed" { - count = var.enable_runner_ssm_access ? 1 : 0 + count = var.agent_enable_ssm_access ? 1 : 0 - role = var.create_runner_iam_role ? aws_iam_role.instance[0].name : local.aws_iam_role_instance_name + role = var.agent_create_runner_iam_role_profile ? aws_iam_role.instance[0].name : local.aws_iam_role_instance_name policy_arn = "arn:${data.aws_partition.current.partition}:iam::aws:policy/AmazonSSMManagedInstanceCore" } @@ -429,10 +429,10 @@ resource "aws_iam_role_policy_attachment" "instance_session_manager_aws_managed" ### Add user defined policies ################################################################################ resource "aws_iam_role_policy_attachment" "user_defined_policies" { - count = length(var.runner_iam_policy_arns) + count = length(var.agent_extra_iam_policy_arns) - role = var.create_runner_iam_role ? aws_iam_role.instance[0].name : local.aws_iam_role_instance_name - policy_arn = var.runner_iam_policy_arns[count.index] + role = var.agent_create_runner_iam_role_profile ? aws_iam_role.instance[0].name : local.aws_iam_role_instance_name + policy_arn = var.agent_extra_iam_policy_arns[count.index] } ################################################################################ 
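Review bot: The conditional `role = var.agent_create_runner_iam_role_profile ? aws_iam_role.instance[0].name : local.aws_iam_role_instance_name` is repeated verbatim in each attachment of this hunk and again in the logging.tf hunk and the later main.tf hunks (cache, service-linked role, ssm, eip). Since `aws_iam_role.instance` is declared with `name = local.aws_iam_role_instance_name` in the preceding hunk, both branches appear to yield the same string and the resource reference only adds an implicit dependency on the role being created first. A single local, e.g. `agent_iam_role_name = var.agent_create_runner_iam_role_profile ? aws_iam_role.instance[0].name : local.aws_iam_role_instance_name` in locals.tf, would keep that dependency and remove the duplication. This is outside the scope of a rename commit, but the 7.0.0 refactor is a natural place for it.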
@@ -444,7 +444,7 @@ resource "aws_iam_role_policy_attachment" "docker_machine_cache_instance" { use aws_iam_role.docker_machine.name here! See https://docs.gitlab.com/runner/configuration/advanced-configuration.html */ count = var.executor_type == "docker+machine" ? (var.cache_bucket["create"] || lookup(var.cache_bucket, "policy", "") != "" ? 1 : 0) : 0 - role = var.create_runner_iam_role ? aws_iam_role.instance[0].name : local.aws_iam_role_instance_name + role = var.agent_create_runner_iam_role_profile ? aws_iam_role.instance[0].name : local.aws_iam_role_instance_name policy_arn = local.bucket_policy } @@ -502,13 +502,13 @@ resource "aws_iam_policy" "service_linked_role" { resource "aws_iam_role_policy_attachment" "service_linked_role" { count = var.allow_iam_service_linked_role_creation ? 1 : 0 - role = var.create_runner_iam_role ? aws_iam_role.instance[0].name : local.aws_iam_role_instance_name + role = var.agent_create_runner_iam_role_profile ? aws_iam_role.instance[0].name : local.aws_iam_role_instance_name policy_arn = aws_iam_policy.service_linked_role[0].arn } resource "aws_eip" "gitlab_runner" { # checkov:skip=CKV2_AWS_19:We can't use NAT gateway here as we are contacted from the outside. - count = var.enable_eip ? 1 : 0 + count = var.agent_enable_eip ? 1 : 0 tags = local.tags } @@ -526,7 +526,7 @@ resource "aws_iam_policy" "ssm" { } resource "aws_iam_role_policy_attachment" "ssm" { - role = var.create_runner_iam_role ? aws_iam_role.instance[0].name : local.aws_iam_role_instance_name + role = var.agent_create_runner_iam_role_profile ? aws_iam_role.instance[0].name : local.aws_iam_role_instance_name policy_arn = aws_iam_policy.ssm.arn } @@ -534,7 +534,7 @@ resource "aws_iam_role_policy_attachment" "ssm" { ### AWS assign EIP ################################################################################ resource "aws_iam_policy" "eip" { - count = var.enable_eip ? 1 : 0 + count = var.agent_enable_eip ? 1 : 0 name = "${local.name_iam_objects}-eip" path = "/" 
@@ -545,9 +545,9 @@ resource "aws_iam_policy" "eip" { } resource "aws_iam_role_policy_attachment" "eip" { - count = var.enable_eip ? 1 : 0 + count = var.agent_enable_eip ? 1 : 0 - role = var.create_runner_iam_role ? aws_iam_role.instance[0].name : local.aws_iam_role_instance_name + role = var.agent_create_runner_iam_role_profile ? aws_iam_role.instance[0].name : local.aws_iam_role_instance_name policy_arn = aws_iam_policy.eip[0].arn } @@ -557,7 +557,7 @@ resource "aws_iam_role_policy_attachment" "eip" { module "terminate_agent_hook" { source = "./modules/terminate-agent-hook" - name = var.asg_terminate_lifecycle_hook_name == null ? "terminate-instances" : var.asg_terminate_lifecycle_hook_name + name = var.agent_terminate_ec2_lifecycle_hook_name == null ? "terminate-instances" : var.agent_terminate_ec2_lifecycle_hook_name environment = var.environment asg_arn = aws_autoscaling_group.gitlab_runner_instance.arn asg_name = aws_autoscaling_group.gitlab_runner_instance.name diff --git a/migrations/migrate-to-7-0-0.sh b/migrations/migrate-to-7-0-0.sh index 91721f492..d57c18e2f 100755 --- a/migrations/migrate-to-7-0-0.sh +++ b/migrations/migrate-to-7-0-0.sh 
@@ -51,16 +51,16 @@ sed 's/runners_limit/executor_max_jobs/g' | \
 sed 's/runners_check_interval/agent_gitlab_check_interval/g' | \
 sed 's/sentry_dsn/agent_sentry_dsn/g' | \
 sed 's/prometheus_listen_address/agent_prometheus_listen_address/g' | \
-sed 's///g' | \
-sed 's///g' | \
-sed 's///g' | \
-sed 's///g' | \
-sed 's///g' | \
-sed 's///g' | \
-sed 's///g' | \
-sed 's///g' | \
-sed 's///g' | \
-sed 's///g' | \
+sed 's/runner_extra_config/agent_user_data_extra/g' | \
+sed 's/runners_ca_certificate/agent_gitlab_ca_certificate/g' | \
+sed 's/runners_yum_update/agent_yum_update/g' | \
+sed 's/runners_gitlab_certificate/runners_gitlab_certificate/g' | \
+sed 's/asg_terminate_lifecycle_hook_name/agent_terminate_ec2_lifecycle_hook_name/g' | \
+sed 's/runner_iam_policy_arns/agent_extra_iam_policy_arns/g' | \
+sed 's/create_runner_iam_role/agent_create_runner_iam_role_profile/g' | \
+sed 's/runner_iam_role_name/agent_iam_role_profile_name/g' | \
+sed 's/enable_eip/agent_enable_eip/g' | \
+sed 's/enable_runner_ssm_access/agent_enable_ssm_access/g' | \
 sed 's///g' | \
 sed 's///g' | \
 sed 's///g' | \
diff --git a/variables.tf b/variables.tf
index 776934203..30f3b6b72 100644
--- a/variables.tf
+++ b/variables.tf
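Review bot: Two of the new substitutions do not match the renames the rest of this commit makes: `sed 's/runners_gitlab_certificate/runners_gitlab_certificate/g'` maps the old name to itself although locals.tf, main.tf and variables.tf now use `agent_gitlab_certificate`, and `sed 's/runners_yum_update/agent_yum_update/g'` looks for a name that did not exist — the variable removed from variables.tf is `runner_yum_update` (singular). A user who runs the migration therefore keeps `runners_gitlab_certificate` and `runner_yum_update` inputs that the module no longer declares, and `terraform validate` fails on them. The two lines should read `sed 's/runners_gitlab_certificate/agent_gitlab_certificate/g' | \` and `sed 's/runner_yum_update/agent_yum_update/g' | \`. The patterns are also plain unanchored substrings, so a short one such as `enable_eip` would rewrite any longer identifier containing it if a user has one; nothing on this page shows a concrete collision, but word-boundary anchoring would make the script safer. The enclosing pipeline starts and ends outside the hunk.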
@@ -103,6 +103,36 @@ variable "agent_extra_security_group_ids" {
 default = []
 }
 
+variable "agent_create_runner_iam_role_profile" {
+ description = "Whether to create the IAM role/profile for the Agent. If you provide your own role, make sure that it has the required permissions."
+ type = bool
+ default = true
+}
+
+variable "agent_iam_role_profile_name" {
+ description = "IAM role/profile name for the Agent. If unspecified then `$${var.iam_object_prefix}-instance` is used."
+ type = string
+ default = ""
+}
+
+variable "agent_extra_iam_policy_arns" {
+ description = "List of policy ARNs to be added to the instance profile of the Agent."
+ type = list(string)
+ default = []
+}
+
+variable "agent_enable_eip" {
+ description = "Assigns an EIP to the Agent."
+ type = bool
+ default = false
+}
+
+variable "agent_enable_ssm_access" {
+ description = "Allows to connect to the Agent via SSM."
+ type = bool
+ default = false
+}
+
 variable "agent_metadata_options" {
 description = "Enable the Gitlab runner agent instance metadata service. IMDSv2 is enabled by default."
 type = object({
@@ -125,7 +155,30 @@ variable "agent_install_amazon_ecr_credential_helper" {
 default = false
 }
 
-# agent
+variable "agent_yum_update" {
+ description = "Run a `yum` update as part of starting the Agent"
+ type = bool
+ default = true
+}
+
+variable "agent_user_data_extra" {
+ description = "Extra commands to run as part of starting the Agent"
+ type = string
+ default = ""
+}
+
+variable "agent_gitlab_ca_certificate" {
+ description = "Trusted CA certificate bundle (PEM format). Example: `file(\"$${path.module}/ca.crt\")`"
+ type = string
+ default = ""
+}
+
+variable "agent_gitlab_certificate" {
+ description = "Certificate of the GitLab instance to connect to (PEM format). Example: `file(\"$${path.module}/my-gitlab.crt\")`"
+ type = string
+ default = ""
+}
+
 variable "agent_gitlab_check_interval" {
 description = "Number of seconds between checking for available jobs."
 type = number
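Review bot: The description of `agent_iam_role_profile_name` tells users the fallback is `$${var.iam_object_prefix}-instance`, but the locals.tf hunk earlier on this page computes the fallback as `"${local.name_iam_objects}-instance"` and the description being replaced said `{name_iam_objects}-instance`. No `iam_object_prefix` variable is visible anywhere on this page, so unless that input is what feeds `local.name_iam_objects`, the new text points users at a name that does not exist. Suggest describing the fallback in terms the caller can verify, i.e. that the module derives the name from its IAM-objects name prefix followed by `-instance`, and cross-checking the prefix variable name against variables.tf before release. The same `$${...}` spelling should be checked in the other new descriptions of this hunk, since it renders literally in the README table.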
@@ -161,6 +214,12 @@ variable "agent_prometheus_listen_address" { default = "" } +variable "agent_terminate_ec2_lifecycle_hook_name" { + description = "Specifies a custom name for the ASG terminate lifecycle hook and related resources." + type = string + default = null +} + /* * Executor variables valid for all executors. */ @@ -829,12 +888,7 @@ variable "runner_root_block_device" { default = {} } -# agent -variable "enable_runner_ssm_access" { - description = "Add IAM policies to the runner agent instance to connect via the Session Manager." - type = bool - default = false -} + # executor variable "enable_docker_machine_ssm_access" { @@ -875,13 +929,6 @@ variable "runners_docker_services" { default = [] } -# agent -variable "enable_eip" { - description = "Enable the assignment of an EIP to the gitlab runner instance" - default = false - type = bool -} - # agent variable "enable_asg_recreation" { description = "Enable automatic redeployment of the Runner ASG when the Launch Configs change." @@ -910,26 +957,7 @@ variable "log_group_name" { type = string } -# agent -variable "runner_iam_role_name" { - type = string - description = "IAM role name of the gitlab runner agent EC2 instance. If unspecified then `{name_iam_objects}-instance` is used" - default = "" -} -# agent -variable "create_runner_iam_role" { - type = bool - description = "Whether to create the runner IAM role of the gitlab runner agent EC2 instance." - default = true -} - -# agent -variable "runner_iam_policy_arns" { - type = list(string) - description = "List of policy ARNs to be added to the instance profile of the gitlab runner agent ec2 instance." - default = [] -} # executor variable "docker_machine_iam_policy_arns" { 
@@ -965,38 +993,3 @@ variable "docker_machine_egress_rules" { description = "Allow all egress traffic for docker machine build runners" }] } - -# agent -variable "asg_terminate_lifecycle_hook_name" { - description = "Specifies a custom name for the ASG terminate lifecycle hook and related resources." - type = string - default = null -} - -# agent -variable "runner_yum_update" { - description = "Run a yum update as part of starting the runner" - type = bool - default = true -} - -# agent -variable "runners_gitlab_certificate" { - description = "Certificate of the GitLab instance to connect to. Example: `file(\"$${path.module}/my-gitlab.crt\")`" - type = string - default = "" -} - -# agent -variable "runners_ca_certificate" { - description = "Trusted CA certificate bundle. Example: `file(\"$${path.module}/ca.crt\")`" - type = string - default = "" -} - -# agent -variable "runner_extra_config" { - description = "Extra commands to run as part of starting the runner" - type = string - default = "" -} From b1e90d7a3fc617292abc06e348c00c2ae3a3ea24 Mon Sep 17 00:00:00 2001 From: kayma Date: Wed, 22 Mar 2023 22:59:11 +0100 Subject: [PATCH 08/74] refactor some more --- examples/runner-certificates/main.tf | 2 +- examples/runner-default/main.tf | 2 +- examples/runner-docker/main.tf | 2 +- examples/runner-multi-region/main.tf | 4 +- examples/runner-public/main.tf | 4 +- main.tf | 50 ++++---- migrations/migrate-to-7-0-0.sh | 23 ++++ variables.tf | 165 ++++++++++++++------------- 8 files changed, 138 insertions(+), 114 deletions(-) diff --git a/examples/runner-certificates/main.tf b/examples/runner-certificates/main.tf index cc8116a9f..df3af6ccd 100644 --- a/examples/runner-certificates/main.tf +++ b/examples/runner-certificates/main.tf 
@@ -54,7 +54,7 @@ module "runner" { # Registration ############################################### - gitlab_runner_registration_config = { + agent_gitlab_registration_config = { registration_token = var.registration_token tag_list = "docker_runner" description = "runner docker - auto" diff --git a/examples/runner-default/main.tf b/examples/runner-default/main.tf index f65a117d6..ccafccce5 100644 --- a/examples/runner-default/main.tf +++ b/examples/runner-default/main.tf @@ -61,7 +61,7 @@ module "runner" { docker_machine_spot_price_bid = "on-demand-price" - gitlab_runner_registration_config = { + agent_gitlab_registration_config = { registration_token = var.registration_token tag_list = "docker_spot_runner" description = "runner default - auto" diff --git a/examples/runner-docker/main.tf b/examples/runner-docker/main.tf index a663b54b8..bd50e31c1 100644 --- a/examples/runner-docker/main.tf +++ b/examples/runner-docker/main.tf @@ -54,7 +54,7 @@ module "runner" { runners_name = var.runner_name agent_gitlab_url = var.gitlab_url - gitlab_runner_registration_config = { + agent_gitlab_registration_config = { registration_token = var.registration_token tag_list = "docker_runner" description = "runner docker - auto" diff --git a/examples/runner-multi-region/main.tf b/examples/runner-multi-region/main.tf index cf46e1374..1d468f443 100644 --- a/examples/runner-multi-region/main.tf +++ b/examples/runner-multi-region/main.tf @@ -38,7 +38,7 @@ module "runner_main_region" { runners_privileged = "false" runners_additional_volumes = ["/var/run/docker.sock:/var/run/docker.sock"] - gitlab_runner_registration_config = { + agent_gitlab_registration_config = { registration_token = var.registration_token tag_list = "docker_spot_runner" description = "runner public - auto" 
@@ -103,7 +103,7 @@ module "runner_alternate_region" { runners_privileged = "false" runners_additional_volumes = ["/var/run/docker.sock:/var/run/docker.sock"] - gitlab_runner_registration_config = { + agent_gitlab_registration_config = { registration_token = var.registration_token tag_list = "docker_spot_runner" description = "runner public - auto" diff --git a/examples/runner-public/main.tf b/examples/runner-public/main.tf index ce1798844..b59a1cd9c 100644 --- a/examples/runner-public/main.tf +++ b/examples/runner-public/main.tf @@ -45,7 +45,7 @@ module "runner" { runners_privileged = "false" runners_additional_volumes = ["/var/run/docker.sock:/var/run/docker.sock"] - gitlab_runner_registration_config = { + agent_gitlab_registration_config = { registration_token = var.registration_token tag_list = "docker_spot_runner" description = "runner public - auto" @@ -83,7 +83,7 @@ module "runner2" { runners_name = var.runner_name agent_gitlab_url = var.gitlab_url - gitlab_runner_registration_config = { + agent_gitlab_registration_config = { registration_token = var.registration_token tag_list = "docker_spot_runner_2" description = "runner public - auto" diff --git a/main.tf b/main.tf index 05cc2f2ac..1f3507be2 100644 --- a/main.tf +++ b/main.tf @@ -41,7 +41,7 @@ locals { eip = var.agent_enable_eip ? local.template_eip : "" logging = var.enable_cloudwatch_logging ? local.logging_user_data : "" gitlab_runner = local.template_gitlab_runner - user_data_trace_log = var.enable_runner_user_data_trace_log + user_data_trace_log = var.agent_user_data_enable_trace_log yum_update = var.agent_yum_update ? local.file_yum_update : "" extra_config = var.agent_user_data_extra }) 
@@ -70,13 +70,13 @@ locals { secure_parameter_store_runner_token_key = local.secure_parameter_store_runner_token_key secure_parameter_store_runner_sentry_dsn = local.secure_parameter_store_runner_sentry_dsn secure_parameter_store_region = data.aws_region.current.name - gitlab_runner_registration_token = var.gitlab_runner_registration_config["registration_token"] - gitlab_runner_description = var.gitlab_runner_registration_config["description"] - gitlab_runner_tag_list = var.gitlab_runner_registration_config["tag_list"] - gitlab_runner_locked_to_project = var.gitlab_runner_registration_config["locked_to_project"] - gitlab_runner_run_untagged = var.gitlab_runner_registration_config["run_untagged"] - gitlab_runner_maximum_timeout = var.gitlab_runner_registration_config["maximum_timeout"] - gitlab_runner_access_level = lookup(var.gitlab_runner_registration_config, "access_level", "not_protected") + gitlab_runner_registration_token = var.agent_gitlab_registration_config["registration_token"] + gitlab_runner_description = var.agent_gitlab_registration_config["description"] + gitlab_runner_tag_list = var.agent_gitlab_registration_config["tag_list"] + gitlab_runner_locked_to_project = var.agent_gitlab_registration_config["locked_to_project"] + gitlab_runner_run_untagged = var.agent_gitlab_registration_config["run_untagged"] + gitlab_runner_maximum_timeout = var.agent_gitlab_registration_config["maximum_timeout"] + gitlab_runner_access_level = lookup(var.agent_gitlab_registration_config, "access_level", "not_protected") sentry_dsn = var.agent_sentry_dsn }) @@ -149,14 +149,14 @@ data "aws_ami" "docker-machine" { most_recent = "true" dynamic "filter" { - for_each = var.runner_ami_filter + for_each = var.executor_docker_machine_ami_filter content { name = filter.key values = filter.value } } - owners = var.runner_ami_owners + owners = var.executor_docker_machine_ami_owners } # ignores: Autoscaling Groups Supply Tags --> we use a "dynamic" block to create the tags 
@@ -204,39 +204,39 @@ resource "aws_autoscaling_group" "gitlab_runner_instance" { } resource "aws_autoscaling_schedule" "scale_in" { - count = var.enable_schedule ? 1 : 0 + count = var.agent_schedule_enable ? 1 : 0 autoscaling_group_name = aws_autoscaling_group.gitlab_runner_instance.name scheduled_action_name = "scale_in-${aws_autoscaling_group.gitlab_runner_instance.name}" - recurrence = var.schedule_config["scale_in_recurrence"] - time_zone = try(var.schedule_config["scale_in_time_zone"], "Etc/UTC") - min_size = try(var.schedule_config["scale_in_min_size"], var.schedule_config["scale_in_count"]) - desired_capacity = try(var.schedule_config["scale_in_desired_capacity"], var.schedule_config["scale_in_count"]) - max_size = try(var.schedule_config["scale_in_max_size"], var.schedule_config["scale_in_count"]) + recurrence = var.agent_schedule_config["scale_in_recurrence"] + time_zone = try(var.agent_schedule_config["scale_in_time_zone"], "Etc/UTC") + min_size = try(var.agent_schedule_config["scale_in_min_size"], var.agent_schedule_config["scale_in_count"]) + desired_capacity = try(var.agent_schedule_config["scale_in_desired_capacity"], var.agent_schedule_config["scale_in_count"]) + max_size = try(var.agent_schedule_config["scale_in_max_size"], var.agent_schedule_config["scale_in_count"]) } resource "aws_autoscaling_schedule" "scale_out" { - count = var.enable_schedule ? 1 : 0 + count = var.agent_schedule_enable ? 
1 : 0 autoscaling_group_name = aws_autoscaling_group.gitlab_runner_instance.name scheduled_action_name = "scale_out-${aws_autoscaling_group.gitlab_runner_instance.name}" - recurrence = var.schedule_config["scale_out_recurrence"] - time_zone = try(var.schedule_config["scale_out_time_zone"], "Etc/UTC") - min_size = try(var.schedule_config["scale_out_min_size"], var.schedule_config["scale_out_count"]) - desired_capacity = try(var.schedule_config["scale_out_desired_capacity"], var.schedule_config["scale_out_count"]) - max_size = try(var.schedule_config["scale_out_max_size"], var.schedule_config["scale_out_count"]) + recurrence = var.agent_schedule_config["scale_out_recurrence"] + time_zone = try(var.agent_schedule_config["scale_out_time_zone"], "Etc/UTC") + min_size = try(var.agent_schedule_config["scale_out_min_size"], var.agent_schedule_config["scale_out_count"]) + desired_capacity = try(var.agent_schedule_config["scale_out_desired_capacity"], var.agent_schedule_config["scale_out_count"]) + max_size = try(var.agent_schedule_config["scale_out_max_size"], var.agent_schedule_config["scale_out_count"]) } data "aws_ami" "runner" { most_recent = "true" dynamic "filter" { - for_each = var.ami_filter + for_each = var.agent_ami_filter content { name = filter.key values = filter.value } } - owners = var.ami_owners + owners = var.agent_ami_owners } resource "aws_launch_template" "gitlab_runner_instance" { @@ -268,7 +268,7 @@ resource "aws_launch_template" "gitlab_runner_instance" { name = local.aws_iam_role_instance_name } dynamic "block_device_mappings" { - for_each = [var.runner_root_block_device] + for_each = [var.agent_root_block_device] content { # cSpell:ignore xvda device_name = lookup(block_device_mappings.value, "device_name", "/dev/xvda") diff --git a/migrations/migrate-to-7-0-0.sh b/migrations/migrate-to-7-0-0.sh index d57c18e2f..457997381 100755 --- a/migrations/migrate-to-7-0-0.sh +++ b/migrations/migrate-to-7-0-0.sh 
@@ -61,6 +61,29 @@ sed 's/create_runner_iam_role/agent_create_runner_iam_role_profile/g' | \
 sed 's/runner_iam_role_name/agent_iam_role_profile_name/g' | \
 sed 's/enable_eip/agent_enable_eip/g' | \
 sed 's/enable_runner_ssm_access/agent_enable_ssm_access/g' | \
+sed 's/enable_runner_user_data_trace_log/agent_user_data_enable_trace_log/g' | \
+sed 's/enable_schedule/agent_schedule_enable/g' | \
+sed 's/schedule_config/agent_schedule_config/g' | \
+sed 's/runner_root_block_device/agent_root_block_device/g' | \
+sed 's/gitlab_runner_registration_config/agent_gitlab_registration_config/g' | \
+sed 's/[^_]ami_filter/agent_ami_filter/g' | \
+sed 's/[^_]ami_owners/agent_ami_owners/g' | \
+sed 's/runner_ami_filter/executor_docker_machine_ami_filter/g' | \
+sed 's/runner_ami_owners/executor_docker_machine_ami_owners/g' | \
+sed 's///g' | \
+sed 's///g' | \
+sed 's///g' | \
+sed 's///g' | \
+sed 's///g' | \
+sed 's///g' | \
+sed 's///g' | \
+sed 's///g' | \
+sed 's///g' | \
+sed 's///g' | \
+sed 's///g' | \
+sed 's///g' | \
+sed 's///g' | \
+sed 's///g' | \
 sed 's///g' | \
 sed 's///g' | \
 sed 's///g' | \
diff --git a/variables.tf b/variables.tf
index 30f3b6b72..acc6b7a2f 100644
--- a/variables.tf
+++ b/variables.tf
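Review bot: The `[^_]ami_filter` and `[^_]ami_owners` patterns consume the character they match before the identifier and the replacement does not put it back, so `var.ami_filter` becomes `varagent_ami_filter` and an indented `  ami_filter =` loses one space; the same two lines also miss an occurrence at the very start of a line, where there is no preceding character for `[^_]` to match. Capturing the preceding character and re-emitting it fixes both: `sed 's/\([^_]\)ami_filter/\1agent_ami_filter/g' | \` and `sed 's/\([^_]\)ami_owners/\1agent_ami_owners/g' | \`. The ordering is otherwise sound — `runner_ami_filter` is protected from the first substitution by its leading `_` and is rewritten by the later `runner_ami_filter` line. The enclosing pipeline starts and ends outside the hunk.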
@@ -91,6 +91,27 @@ variable "agent_ebs_optimized" {
 default = true
 }
 
+variable "agent_root_block_device" {
+ description = "The Agent's root block device configuration. Takes the following keys: `device_name`, `delete_on_termination`, `volume_type`, `volume_size`, `encrypted`, `iops`, `throughput`, `kms_key_id`"
+ type = map(string)
+ default = {}
+}
+
+variable "agent_ami_filter" {
+ description = "List of maps used to create the AMI filter for the Agent AMI. Must resolve to an Amazon Linux 1 or 2 image."
+ type = map(list(string))
+
+ default = {
+ name = ["amzn2-ami-hvm-2.*-x86_64-ebs"]
+ }
+}
+
+variable "agent_ami_owners" {
+ description = "The list of owners used to select the AMI of the Agent instance."
+ type = list(string)
+ default = ["amazon"]
+}
+
 variable "agent_enable_monitoring" {
 description = "Enable the detailed monitoring on the Agent instance."
 type = bool
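Review bot: The description of `agent_ami_filter` says "List of maps" while its type is `map(list(string))` — a map from filter name to a list of values, as the default `name = [...]` shows; the same wording is carried into `executor_docker_machine_ami_filter` in the later variables.tf hunk. Suggest `description = "Map of AMI filter names to lists of accepted values, used to select the Agent AMI. Must resolve to an Amazon Linux 1 or 2 image."` here and the matching phrasing for the executor variable, so the README table generated from these descriptions does not contradict the type column.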
@@ -149,6 +170,30 @@ variable "agent_metadata_options" {
 }
 }
 
+variable "agent_schedule_enable" {
+ description = "Set to `true` to enable the auto scaling group schedule for the Agent."
+ type = bool
+ default = false
+}
+
+variable "agent_schedule_config" {
+ description = "Map containing the configuration of the ASG scale-out and scale-in for the Agent. Will only be used if `agent_schedule_enable` is set to `true`. "
+ type = map(any)
+ default = {
+ # Configure optional scale_out scheduled action
+ scale_out_recurrence = "0 8 * * 1-5"
+ scale_out_count = 1 # Default for min_size, desired_capacity and max_size
+ scale_out_time_zone = "Etc/UTC"
+ # Override using: scale_out_min_size, scale_out_desired_capacity, scale_out_max_size
+
+ # Configure optional scale_in scheduled action
+ scale_in_recurrence = "0 18 * * 1-5"
+ scale_in_count = 0 # Default for min_size, desired_capacity and max_size
+ scale_in_time_zone = "Etc/UTC"
+ # Override using: scale_out_min_size, scale_out_desired_capacity, scale_out_max_size
+ }
+}
+
 variable "agent_install_amazon_ecr_credential_helper" {
 description = "Install amazon-ecr-credential-helper inside `userdata_pre_install` script"
 type = bool
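Review bot: The comment under the scale_in section of the `agent_schedule_config` default still reads `# Override using: scale_out_min_size, scale_out_desired_capacity, scale_out_max_size`, a copy of the scale_out comment; the `scale_in` schedule in the main.tf hunk on this page reads `scale_in_min_size`, `scale_in_desired_capacity` and `scale_in_max_size`, so the comment should be `# Override using: scale_in_min_size, scale_in_desired_capacity, scale_in_max_size`. The defect was copied over from the removed `schedule_config` block, and the rename is the moment to fix it. As a style nit, the description string ends with a trailing space (`... set to `true`. "`) that will show up in the generated README table.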
@@ -167,6 +212,27 @@ variable "agent_user_data_extra" {
 default = ""
 }
 
+variable "agent_user_data_enable_trace_log" {
+ description = "Enable bash trace for the user data script on the Agent. Be aware this could log sensitive data such as you GitLab runner token."
+ type = bool
+ default = true
+}
+
+variable "agent_gitlab_registration_config" {
+ description = "Configuration used to register the Agent. See the README for an example, or reference the examples in the examples directory of this repo."
+ type = map(string)
+
+ default = {
+ registration_token = ""
+ tag_list = ""
+ description = ""
+ locked_to_project = ""
+ run_untagged = ""
+ maximum_timeout = ""
+ access_level = ""
+ }
+}
+
 variable "agent_gitlab_ca_certificate" {
 description = "Trusted CA certificate bundle (PEM format). Example: `file(\"$${path.module}/ca.crt\")`"
 type = string
@@ -261,6 +327,23 @@ variable "executor_idle_count" {
 /*
 * docker+machine Executor variables. The executor is the actual machine that runs the job.
 */
+variable "executor_docker_machine_ami_filter" {
+ description = "List of maps used to create the AMI filter for the docker+machine Executor."
+ type = map(list(string))
+
+ default = {
+ name = ["ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-*"]
+ }
+}
+
+variable "executor_docker_machine_ami_owners" {
+ description = "The list of owners used to select the AMI of the docker+machine Executor."
+ type = list(string)
+
+ # Canonical
+ default = ["099720109477"]
+}
+
 variable "executor_docker_machine_instance_prefix" {
 description = "Set the name prefix and override the `Name` tag for the GitLab Runner Executor instances."
 type = string
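Review bot: `agent_user_data_enable_trace_log` is added with `default = true` while its own description warns that bash tracing can log the GitLab runner token, so the registration token is written to the instance's user-data output by default and, where `enable_cloudwatch_logging` ships that output (the main.tf hunks on this page wire `logging_user_data` into the template), presumably to CloudWatch as well, readable by anyone with log access. A major-version migration that already breaks every caller is the natural point to flip this to `default = false` and let users opt in while debugging. The description also has a typo, "such as you GitLab runner token" should read "such as your GitLab runner token". Relatedly, `registration_token` inside `agent_gitlab_registration_config` is a secret carried in a plain `map(string)`; marking that variable `sensitive = true` would keep it out of plan output, if hiding the whole map in plans is acceptable to the maintainers.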
@@ -755,57 +838,11 @@ variable "docker_machine_security_group_description" { default = "A security group containing docker-machine instances" } -# agent -variable "ami_filter" { - description = "List of maps used to create the AMI filter for the Gitlab runner agent AMI. Must resolve to an Amazon Linux 1 or 2 image." - type = map(list(string)) - - default = { - name = ["amzn2-ami-hvm-2.*-x86_64-ebs"] - } -} - -# agent -variable "ami_owners" { - description = "The list of owners used to select the AMI of Gitlab runner agent instances." - type = list(string) - default = ["amazon"] -} -# executor -variable "runner_ami_filter" { - description = "List of maps used to create the AMI filter for the Gitlab runner docker-machine AMI." - type = map(list(string)) - - default = { - name = ["ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-*"] - } -} -# executor -variable "runner_ami_owners" { - description = "The list of owners used to select the AMI of Gitlab runner docker-machine instances." - type = list(string) - # Canonical - default = ["099720109477"] -} -# agent -variable "gitlab_runner_registration_config" { - description = "Configuration used to register the runner. See the README for an example, or reference the examples in the examples directory of this repo." - type = map(string) - default = { - registration_token = "" - tag_list = "" - description = "" - locked_to_project = "" - run_untagged = "" - maximum_timeout = "" - access_level = "" - } -} # agent variable "secure_parameter_store_runner_token_key" { 
@@ -848,45 +885,9 @@ variable "cache_bucket" { } } -# agent -variable "enable_runner_user_data_trace_log" { - description = "Enable bash trace for the user data script that creates the EC2 instance for the runner agent. Be aware this could log sensitive data such as you GitLab runner token." - type = bool - default = true -} - -# agent -variable "enable_schedule" { - description = "Flag used to enable/disable auto scaling group schedule for the runner instance. " - type = bool - default = false -} -# agent -variable "schedule_config" { - description = "Map containing the configuration of the ASG scale-out and scale-in for the runner instance. Will only be used if enable_schedule is set to true. " - type = map(any) - default = { - # Configure optional scale_out scheduled action - scale_out_recurrence = "0 8 * * 1-5" - scale_out_count = 1 # Default for min_size, desired_capacity and max_size - scale_out_time_zone = "Etc/UTC" - # Override using: scale_out_min_size, scale_out_desired_capacity, scale_out_max_size - # Configure optional scale_in scheduled action - scale_in_recurrence = "0 18 * * 1-5" - scale_in_count = 0 # Default for min_size, desired_capacity and max_size - scale_in_time_zone = "Etc/UTC" - # Override using: scale_out_min_size, scale_out_desired_capacity, scale_out_max_size - } -} -# agent -variable "runner_root_block_device" { - description = "The EC2 instance root block device configuration. Takes the following keys: `device_name`, `delete_on_termination`, `volume_type`, `volume_size`, `encrypted`, `iops`, `throughput`, `kms_key_id`" - type = map(string) - default = {} -} From a51a42b06b676a1e41f6638d639fe18513aa4819 Mon Sep 17 00:00:00 2001 
From: kayma Date: Thu, 23 Mar 2023 09:54:06 +0100 Subject: [PATCH 09/74] refactor some more variables --- examples/runner-default/main.tf | 6 +- examples/runner-docker/main.tf | 4 +- examples/runner-multi-region/main.tf | 20 +- examples/runner-public/main.tf | 10 +- locals.tf | 2 +- logging.tf | 10 +- main.tf | 63 +-- migrations/migrate-to-7-0-0.sh | 42 +- security_groups.tf | 16 +- tags.tf | 4 +- variables.tf | 584 ++++++++++++--------------- 11 files changed, 369 insertions(+), 392 deletions(-) diff --git a/examples/runner-default/main.tf b/examples/runner-default/main.tf index ccafccce5..722433a4a 100644 --- a/examples/runner-default/main.tf +++ b/examples/runner-default/main.tf @@ -57,7 +57,7 @@ module "runner" { agent_gitlab_url = var.gitlab_url agent_enable_ssm_access = true - gitlab_runner_security_group_ids = [data.aws_security_group.default.id] + agent_ping_allow_from_security_groups = [data.aws_security_group.default.id] docker_machine_spot_price_bid = "on-demand-price" @@ -102,14 +102,14 @@ module "runner" { } ] - runners_pre_build_script = < 0 ? "--cacert /etc/gitlab-runner/certs/gitlab.crt" : "" pre_install_certificates = local.pre_install_certificates - pre_install = var.userdata_pre_install - post_install = var.userdata_post_install + pre_install = var.agent_userdata_pre_install + post_install = var.agent_userdata_post_install runners_gitlab_url = var.agent_gitlab_url runners_token = var.runners_token secure_parameter_store_runner_token_key = local.secure_parameter_store_runner_token_key 
@@ -121,21 +121,21 @@ locals { runners_root_size = var.runners_root_size runners_volume_type = var.runners_volume_type runners_iam_instance_profile_name = var.runners_iam_instance_profile_name - runners_use_private_address_only = var.runners_use_private_address - runners_use_private_address = !var.runners_use_private_address - runners_request_spot_instance = var.runners_request_spot_instance - runners_environment_vars = jsonencode(var.runners_environment_vars) - runners_pre_build_script = var.runners_pre_build_script - runners_post_build_script = var.runners_post_build_script - runners_pre_clone_script = var.runners_pre_clone_script - runners_request_concurrency = var.runners_request_concurrency - runners_output_limit = var.runners_output_limit + runners_use_private_address_only = var.executor_docker_machine_use_private_address + runners_use_private_address = !var.executor_docker_machine_use_private_address + runners_request_spot_instance = var.executor_docker_machine_request_spot_instances + runners_environment_vars = jsonencode(var.executor_extra_environment_variables) + runners_pre_build_script = var.executor_pre_build_script + runners_post_build_script = var.executor_post_build_script + runners_pre_clone_script = var.executor_pre_clone_script + runners_request_concurrency = var.executor_request_concurrency + runners_output_limit = var.executor_output_limit runners_check_interval = var.agent_gitlab_check_interval runners_volumes_tmpfs = join("\n", [for v in var.runners_volumes_tmpfs : format("\"%s\" = \"%s\"", v.volume, v.options)]) runners_services_volumes_tmpfs = join("\n", [for v in var.runners_services_volumes_tmpfs : format("\"%s\" = \"%s\"", v.volume, v.options)]) runners_docker_services = local.runners_docker_services bucket_name = local.bucket_name - shared_cache = var.cache_shared + shared_cache = var.executor_cache_shared sentry_dsn = var.agent_sentry_dsn prometheus_listen_address = var.agent_prometheus_listen_address auth_type = var.auth_type_cache_sr 
@@ -163,13 +163,14 @@ data "aws_ami" "docker-machine" { # ignores: Auto Scaling Group With No Associated ELB --> that's simply not true, as the EC2 instance contacts GitLab. So no ELB needed here. # kics-scan ignore-line resource "aws_autoscaling_group" "gitlab_runner_instance" { + # TODO Please explain how `enable_asg_recreation` works name = var.enable_asg_recreation ? "${aws_launch_template.gitlab_runner_instance.name}-asg" : "${var.environment}-as-group" vpc_zone_identifier = [var.subnet_id] min_size = "1" max_size = "1" desired_capacity = "1" health_check_grace_period = 0 - max_instance_lifetime = var.asg_max_instance_lifetime + max_instance_lifetime = var.agent_max_instance_lifetime_seconds enabled_metrics = var.metrics_autoscaling dynamic "tag" { @@ -196,7 +197,7 @@ resource "aws_autoscaling_group" "gitlab_runner_instance" { } timeouts { - delete = var.asg_delete_timeout + delete = var.agent_terraform_timeout_delete_asg } lifecycle { ignore_changes = [min_size, max_size, desired_capacity] @@ -285,7 +286,7 @@ resource "aws_launch_template" "gitlab_runner_instance" { } network_interfaces { security_groups = concat([aws_security_group.runner.id], var.agent_extra_security_group_ids) - associate_public_ip_address = false == (var.runner_agent_uses_private_address == false ? var.runner_agent_uses_private_address : var.runners_use_private_address) + associate_public_ip_address = false == (var.agent_use_private_address == false ? var.agent_use_private_address : var.executor_docker_machine_use_private_address) } tag_specifications { resource_type = "instance" 
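Review bot: The TODO added at the top of `aws_autoscaling_group.gitlab_runner_instance` is a reviewer question committed into the resource body rather than documentation; the `name` expression right below it is the behaviour to describe, so the answer belongs in the `enable_asg_recreation` variable description and the TODO should go. If a comment is wanted in the resource, something like `# With enable_asg_recreation the ASG name follows the launch template name, so a new template version replaces the group` states what the expression does. The resource body continues past the hunk.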
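Review bot: The renamed `associate_public_ip_address` expression in the launch template hunk is hard to read and inverts the flag twice; `false == (A == false ? A : B)` reduces to `!(A && B)`, so `associate_public_ip_address = !(var.agent_use_private_address && var.executor_docker_machine_use_private_address)` is equivalent and matches the wording of the `agent_use_private_address` description ("if false it overrides"). The `network_interfaces` block is inside the hunk but the enclosing `aws_launch_template` resource starts and ends outside it.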
@@ -335,14 +336,14 @@ module "cache" { environment = var.environment tags = local.tags - cache_bucket_prefix = var.cache_bucket_prefix - cache_bucket_name_include_account_id = var.cache_bucket_name_include_account_id - cache_bucket_set_random_suffix = var.cache_bucket_set_random_suffix - cache_bucket_versioning = var.cache_bucket_versioning - cache_expiration_days = var.cache_expiration_days - cache_lifecycle_prefix = var.cache_shared ? "project/" : "runner/" - cache_logging_bucket = var.cache_logging_bucket - cache_logging_bucket_prefix = var.cache_logging_bucket_prefix + cache_bucket_prefix = var.executor_cache_bucket_prefix + cache_bucket_name_include_account_id = var.executor_cache_bucket_name_include_account_id + cache_bucket_set_random_suffix = var.executor_cache_bucket_enable_random_suffix + cache_bucket_versioning = var.executor_cache_enable_versioning + cache_expiration_days = var.executor_cache_expiration_days + cache_lifecycle_prefix = var.executor_cache_shared ? "project/" : "runner/" + cache_logging_bucket = var.executor_cache_logging_bucket_id + cache_logging_bucket_prefix = var.executor_cache_logging_bucket_prefix kms_key_id = local.kms_key 
@@ -365,10 +366,10 @@ resource "aws_iam_role" "instance" { count = var.agent_create_runner_iam_role_profile ? 1 : 0 name = local.aws_iam_role_instance_name - assume_role_policy = length(var.instance_role_json) > 0 ? var.instance_role_json : templatefile("${path.module}/policies/instance-role-trust-policy.json", {}) + assume_role_policy = length(var.agent_assume_role_json) > 0 ? var.agent_assume_role_json : templatefile("${path.module}/policies/instance-role-trust-policy.json", {}) permissions_boundary = var.iam_permissions_boundary == "" ? null : "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:policy/${var.iam_permissions_boundary}" - tags = merge(local.tags, var.role_tags) + tags = merge(local.tags, var.agent_extra_role_tags) } ################################################################################ @@ -454,7 +455,7 @@ resource "aws_iam_role_policy_attachment" "docker_machine_cache_instance" { resource "aws_iam_role" "docker_machine" { count = var.executor_type == "docker+machine" ? 1 : 0 name = "${local.name_iam_objects}-docker-machine" - assume_role_policy = length(var.docker_machine_role_json) > 0 ? var.docker_machine_role_json : templatefile("${path.module}/policies/instance-role-trust-policy.json", {}) + assume_role_policy = length(var.executor_docker_machine_assume_role_json) > 0 ? var.executor_docker_machine_assume_role_json : templatefile("${path.module}/policies/instance-role-trust-policy.json", {}) permissions_boundary = var.iam_permissions_boundary == "" ? null : "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:policy/${var.iam_permissions_boundary}" tags = local.tags 
@@ -471,10 +472,10 @@ resource "aws_iam_instance_profile" "docker_machine" { ### Add user defined policies ################################################################################ resource "aws_iam_role_policy_attachment" "docker_machine_user_defined_policies" { - count = var.executor_type == "docker+machine" ? length(var.docker_machine_iam_policy_arns) : 0 + count = var.executor_type == "docker+machine" ? length(var.executor_docker_machine_extra_iam_policy_arns) : 0 role = aws_iam_role.docker_machine[0].name - policy_arn = var.docker_machine_iam_policy_arns[count.index] + policy_arn = var.executor_docker_machine_extra_iam_policy_arns[count.index] } ################################################################################ @@ -561,7 +562,7 @@ module "terminate_agent_hook" { environment = var.environment asg_arn = aws_autoscaling_group.gitlab_runner_instance.arn asg_name = aws_autoscaling_group.gitlab_runner_instance.name - cloudwatch_logging_retention_in_days = var.cloudwatch_logging_retention_in_days + cloudwatch_logging_retention_in_days = var.agent_cloudwatch_retention_days name_iam_objects = local.name_iam_objects name_docker_machine_runners = local.runner_tags_merged["Name"] role_permissions_boundary = var.iam_permissions_boundary == "" ? null : "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:policy/${var.iam_permissions_boundary}" diff --git a/migrations/migrate-to-7-0-0.sh b/migrations/migrate-to-7-0-0.sh index 457997381..4e6b47a22 100755 --- a/migrations/migrate-to-7-0-0.sh +++ b/migrations/migrate-to-7-0-0.sh 
@@ -70,6 +70,43 @@ sed 's/[^_]ami_filter/agent_ami_filter/g' | \ sed 's/[^_]ami_owners/agent_ami_owners/g' | \ sed 's/runner_ami_filter/executor_docker_machine_ami_filter/g' | \ sed 's/runner_ami_owners/executor_docker_machine_ami_owners/g' | \ +sed 's/instance_role_json/agent_assume_role_json/g' | \ +sed 's/docker_machine_role_json/executor_docker_machine_assume_role_json/g' | \ +sed 's/role_tags/agent_extra_role_tags/g' | \ +sed 's/runner_tags/executor_docker_machine_extra_role_tags/g' | \ +sed 's/agent_tags/agent_extra_instance_tags/g' | \ +sed 's/enable_ping/agent_ping_enable/g' | \ +sed 's/gitlab_runner_version/agent_gitlab_runner_version/g' | \ +sed 's/gitlab_runner_egress_rules/agent_extra_egress_rules/g' | \ +sed 's/gitlab_runner_security_group_ids/agent_ping_allow_from_security_groups/g' | \ +sed 's/gitlab_runner_security_group_description/agent_security_group_description/g' | \ +sed 's/cache_shared/executor_cache_shared/g' | \ +sed 's/cache_expiration_days/executor_cache_expiration_days/g' | \ +sed 's/cache_bucket_versioning/executor_cache_enable_versioning/g' | \ +sed 's/cache_logging_bucket_prefix/executor_cache_logging_bucket_prefix/g' | \ +sed 's/cache_logging_bucket/executor_cache_logging_bucket_id/g' | \ +sed 's/cache_bucket_set_random_suffix/executor_cache_bucket_enable_random_suffix/g' | \ +sed 's/cache_bucket_name_include_account_id/executor_cache_bucket_name_include_account_id/g' | \ +sed 's/cache_bucket_prefix/executor_cache_bucket_prefix/g' | \ +sed 's/runner_agent_uses_private_address/agent_use_private_address/g' | \ +sed 's/runners_use_private_address/executor_docker_machine_use_private_address/g' | \ +sed 's/runners_request_spot_instance/executor_docker_machine_request_spot_instances/g' | \ +sed 's/userdata_pre_install/agent_userdata_pre_install/g' | \ +sed 's/userdata_post_install/agent_userdata_post_install/g' | \ +sed 's/runners_pre_build_script/executor_pre_build_script/g' | \ +sed 
's/runners_post_build_script/executor_post_build_script/g' | \ +sed 's/runners_pre_clone_script/executor_pre_clone_script/g' | \ +sed 's/runners_request_concurrency/executor_request_concurrency/g' | \ +sed 's/runners_output_limit/executor_output_limit/g' | \ +sed 's/runners_environment_vars/executor_extra_environment_variables/g' | \ +sed 's/runners_docker_registry_mirror/executor_docker_machine_docker_registry_mirror_url/g' | \ +sed 's/docker_machine_egress_rules/executor_docker_machine_extra_egress_rules/g' | \ +sed 's/docker_machine_iam_policy_arns/executor_docker_machine_extra_iam_policy_arns/g' | \ +sed 's/enable_cloudwatch_logging/agent_cloudwatch_enable/g' | \ +sed 's/cloudwatch_logging_retention_in_days/agent_cloudwatch_retention_days/g' | \ +sed 's/log_group_name/agent_cloudwatch_log_group_name/g' | \ +sed 's/asg_max_instance_lifetime/agent_max_instance_lifetime_seconds/g' | \ +sed 's/asg_delete_timeout/agent_terraform_timeout_delete_asg/g' | \ sed 's///g' | \ sed 's///g' | \ sed 's///g' | \ @@ -88,10 +125,7 @@ sed 's///g' | \ sed 's///g' | \ sed 's///g' | \ sed 's///g' | \ -sed 's///g' | \ -sed 's///g' | \ -sed 's///g' | \ -sed 's///g' | \ + > "$converted_file.tmp" && mv "$converted_file.tmp" "$converted_file" # overrides block diff --git a/security_groups.tf b/security_groups.tf index b8bd65659..68659d032 100644 --- a/security_groups.tf +++ b/security_groups.tf @@ -6,10 +6,10 @@ resource "aws_security_group" "runner" { # checkov:skip=CKV2_AWS_5:False positive. Security group is used in a launch template network interface section. name_prefix = local.name_sg vpc_id = var.vpc_id - description = var.gitlab_runner_security_group_description + description = var.agent_security_group_description dynamic "egress" { - for_each = var.gitlab_runner_egress_rules + for_each = var.agent_extra_egress_rules iterator = each content { 
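Review bot: The substitution order in this pipeline corrupts one rename: `s/cache_logging_bucket_prefix/executor_cache_logging_bucket_prefix/g` runs first, and the following unanchored `s/cache_logging_bucket/executor_cache_logging_bucket_id/g` then matches inside the already-rewritten name, producing `executor_executor_cache_logging_bucket_id_prefix`. Anchoring the shorter pattern avoids it in a portable way, e.g. `sed 's/cache_logging_bucket\([^_]\)/executor_cache_logging_bucket_id\1/g'`. The other short unanchored patterns added here (`role_tags`, `enable_ping`, `log_group_name`) will likewise rewrite any user-defined identifier that merely contains them, so a boundary anchor on every rule would make the migration safer to run on arbitrary configurations.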
@@ -43,19 +43,19 @@ resource "aws_security_group" "runner" { # Allow ICMP traffic from allowed security group IDs to gitlab-runner agent instances resource "aws_security_group_rule" "runner_ping_group" { - count = length(var.gitlab_runner_security_group_ids) > 0 && var.enable_ping ? length(var.gitlab_runner_security_group_ids) : 0 + count = length(var.agent_ping_allow_from_security_groups) > 0 && var.agent_ping_enable ? length(var.agent_ping_allow_from_security_groups) : 0 type = "ingress" from_port = -1 to_port = -1 protocol = "icmp" - source_security_group_id = element(var.gitlab_runner_security_group_ids, count.index) + source_security_group_id = element(var.agent_ping_allow_from_security_groups, count.index) security_group_id = aws_security_group.runner.id description = format( "Allow ICMP traffic from %s to gitlab-runner agent instances in group %s", - element(var.gitlab_runner_security_group_ids, count.index), + element(var.agent_ping_allow_from_security_groups, count.index), aws_security_group.runner.name ) } @@ -73,7 +73,7 @@ resource "aws_security_group" "docker_machine" { description = var.docker_machine_security_group_description dynamic "egress" { - for_each = var.docker_machine_egress_rules + for_each = var.executor_docker_machine_extra_egress_rules iterator = each content { 
@@ -131,7 +131,7 @@ resource "aws_security_group_rule" "docker_machine_docker_runner" { # Combine runner security group id and additional security group IDs locals { # Only include runner security group id and additional if ping is enabled - security_groups_ping = var.enable_ping && length(var.gitlab_runner_security_group_ids) > 0 ? concat(var.gitlab_runner_security_group_ids, [aws_security_group.runner.id]) : [] + security_groups_ping = var.agent_ping_enable && length(var.agent_ping_allow_from_security_groups) > 0 ? concat(var.agent_ping_allow_from_security_groups, [aws_security_group.runner.id]) : [] } # Allow SSH traffic from gitlab-runner agent instances and security group IDs to docker-machine instances @@ -214,7 +214,7 @@ resource "aws_security_group_rule" "docker_machine_ssh_self" { # Allow ICMP traffic from docker-machine instances to docker-machine instances resource "aws_security_group_rule" "docker_machine_ping_self" { - count = (var.executor_type == "docker+machine" && var.enable_ping) ? 1 : 0 + count = (var.executor_type == "docker+machine" && var.agent_ping_enable) ? 1 : 0 type = "ingress" from_port = -1 diff --git a/tags.tf b/tags.tf index dfb559c26..131711d09 100644 --- a/tags.tf +++ b/tags.tf @@ -19,14 +19,14 @@ locals { "Environment" = format("%s", var.environment) }, var.tags, - var.agent_tags + var.agent_extra_instance_tags ) agent_tags = { for k, v in local.agent_tags_merged : k => v if !contains(var.suppressed_tags, k) } runner_tags_merged = merge( local.tags, - var.runner_tags, + var.executor_docker_machine_extra_role_tags, # overwrites the `Name` key from `local.tags` var.executor_docker_machine_instance_prefix == "" ? { Name = substr(format("%s", var.environment), 0, 16) } : { Name = var.executor_docker_machine_instance_prefix }, ) diff --git a/variables.tf b/variables.tf index acc6b7a2f..0433925a7 100644 --- a/variables.tf +++ b/variables.tf 
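Review bot: `executor_docker_machine_extra_role_tags` is merged into `runner_tags_merged`, i.e. the tags applied to the docker-machine EC2 instances (its new description in `variables.tf` also says "added to runner EC2 instances"), while the sibling `agent_extra_role_tags` introduced in the same patch tags the IAM role; the `role_tags` name is therefore misleading. A name such as `executor_docker_machine_extra_instance_tags` would mirror `agent_extra_instance_tags`, and the rename would need to be carried into the variable definition and the `runner_tags` rule in `migrate-to-7-0-0.sh`. The `locals` block continues outside the hunk.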
@@ -85,6 +85,12 @@ variable "agent_instance_type" { default = "t3.micro" } +variable "agent_extra_instance_tags" { + description = "Map of tags that will be added to Agent EC2 instance." + type = map(string) + default = {} +} + variable "agent_ebs_optimized" { description = "Enable the Agent instance to be EBS-optimized." type = bool @@ -118,12 +124,56 @@ variable "agent_enable_monitoring" { default = true } +variable "agent_ping_enable" { + description = "Allow ICMP Ping to the Agent. Specify `agent_ping_allowed_from_security_groups` too!" + type = bool + default = false +} + +variable "agent_ping_allow_from_security_groups" { + description = "A list of security group ids that are allowed to access the gitlab runner agent" + type = list(string) + default = [] +} + +variable "agent_security_group_description" { + description = "A description for the Agents security group" + type = string + default = "A security group containing gitlab-runner agent instances" +} + variable "agent_extra_security_group_ids" { description = "IDs of security groups to add to the Agent." type = list(string) default = [] } +variable "agent_extra_egress_rules" { + description = "List of egress rules for the Agent." + type = list(object({ + cidr_blocks = list(string) + ipv6_cidr_blocks = list(string) + prefix_list_ids = list(string) + from_port = number + protocol = string + security_groups = list(string) + self = bool + to_port = number + description = string + })) + default = [{ + cidr_blocks = ["0.0.0.0/0"] + ipv6_cidr_blocks = ["::/0"] + prefix_list_ids = null + from_port = 0 + protocol = "-1" + security_groups = null + self = null + to_port = 0 + description = null + }] +} + variable "agent_create_runner_iam_role_profile" { description = "Whether to create the IAM role/profile for the Agent. If you provide your own role, make sure that it has the required permissions." type = bool 
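Review bot: The description of `agent_ping_enable` tells users to set `agent_ping_allowed_from_security_groups`, but the variable defined two blocks later is `agent_ping_allow_from_security_groups`; the description should read `Allow ICMP Ping to the Agent. Specify agent_ping_allow_from_security_groups too!`. The default `agent_extra_egress_rules` entry is an allow-all rule (`0.0.0.0/0` and `::/0`) with `description = null`, unlike the docker-machine default added later in this patch which carries one; giving it a description such as `description = "Allow all egress traffic for the gitlab-runner agent"` keeps the security group rules readable in the console and consistent between the two. This hunk ends mid-way through `agent_create_runner_iam_role_profile`.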
@@ -136,6 +186,18 @@ variable "agent_iam_role_profile_name" { default = "" } +variable "agent_extra_role_tags" { + description = "Map of tags that will be added to the role created. Useful for tag based authorization." + type = map(string) + default = {} +} + +variable "agent_assume_role_json" { + description = "The assume role policy for the Agent." + type = string + default = "" +} + variable "agent_extra_iam_policy_arns" { description = "List of policy ARNs to be added to the instance profile of the Agent." type = list(string) @@ -148,6 +210,12 @@ variable "agent_enable_eip" { default = false } +variable "agent_use_private_address" { + description = "Restrict the Agent to the use of a private IP address. If this is set to `false` it will override the `runners_use_private_address` for the agent." + type = bool + default = true +} + variable "agent_enable_ssm_access" { description = "Allows to connect to the Agent via SSM." type = bool @@ -176,6 +244,12 @@ variable "agent_schedule_enable" { default = false } +variable "agent_max_instance_lifetime_seconds" { + description = "The maximum time an Agent should live before it is killed." + default = null + type = number +} + variable "agent_schedule_config" { description = "Map containing the configuration of the ASG scale-out and scale-in for the Agent. Will only be used if `agent_schedule_enable` is set to `true`. " type = map(any) @@ -206,6 +280,18 @@ variable "agent_yum_update" { default = true } +variable "agent_userdata_pre_install" { + description = "User-data script snippet to insert before GitLab Runner install" + type = string + default = "" +} + +variable "agent_userdata_post_install" { + description = "User-data script snippet to insert after GitLab Runner install" + type = string + default = "" +} + variable "agent_user_data_extra" { description = "Extra commands to run as part of starting the Agent" type = string 
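Review bot: The description of `agent_use_private_address` still refers to `runners_use_private_address`, a variable this patch removes; it should name the replacement, `executor_docker_machine_use_private_address`, the way the counterpart description in the `@@ -344,6 +590,12 @@` hunk already names `agent_use_private_address`. As a point of style, `agent_max_instance_lifetime_seconds` lists `default` before `type`, as do `agent_cloudwatch_log_group_name` and `agent_terraform_timeout_delete_asg` in the following hunks, while every other new variable uses the `description`, `type`, `default` order; aligning them would make the file easier to scan. The last hunk here ends inside `agent_user_data_extra`.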
@@ -218,6 +304,30 @@ variable "agent_user_data_enable_trace_log" { default = true } +variable "agent_cloudwatch_enable" { + description = "Boolean used to enable or disable the CloudWatch logging." + type = bool + default = true +} + +variable "agent_cloudwatch_retention_days" { + description = "Retention for cloudwatch logs. Defaults to unlimited. Requires `agent_cloudwatch_enable = true`." + type = number + default = 0 +} + +variable "agent_cloudwatch_log_group_name" { + description = "Option to override the default name (`environment`) of the log group. Requires `agent_cloudwatch_enable = true`." + default = null + type = string +} + +variable "agent_gitlab_runner_version" { + description = "Version of the [GitLab runner](https://gitlab.com/gitlab-org/gitlab-runner/-/releases)." + type = string + default = "15.8.2" +} + variable "agent_gitlab_registration_config" { description = "Configuration used to register the Agent. See the README for an example, or reference the examples in the examples directory of this repo." type = map(string) @@ -286,6 +396,12 @@ variable "agent_terminate_ec2_lifecycle_hook_name" { default = null } +variable "agent_terraform_timeout_delete_asg" { + description = "Timeout when trying to delete the Agent ASG." + default = "10m" + type = string +} + /* * Executor variables valid for all executors. */ 
@@ -324,9 +440,139 @@ variable "executor_idle_count" { default = 0 } +variable "executor_request_concurrency" { + description = "Limit number of concurrent requests for new jobs from GitLab (default 1)." + type = number + default = 1 +} + +variable "executor_output_limit" { + description = "Sets the maximum build log size in kilobytes, by default set to 4096 (4MB)." + type = number + default = 4096 +} + +variable "executor_extra_environment_variables" { + description = "Environment variables during build execution, e.g. KEY=Value, see runner-public example." + type = list(string) + default = [] +} + +variable "executor_cache_shared" { + description = "Enables cache sharing between runners. `false` by default." + type = bool + default = false +} + +variable "executor_cache_expiration_days" { + description = "Number of days before cache objects expire." + type = number + default = 1 +} + +variable "executor_cache_enable_versioning" { + description = "Boolean used to enable versioning on the cache bucket, false by default." + type = bool + default = false +} + +variable "executor_cache_bucket_prefix" { + description = "Prefix for s3 cache bucket name." + type = string + default = "" +} + +variable "executor_cache_bucket_name_include_account_id" { + description = "Boolean to add current account ID to cache bucket name." + type = bool + default = true +} + +variable "executor_cache_bucket_enable_random_suffix" { + description = "Append the cache bucket name with a random string suffix" + type = bool + default = false +} + +variable "executor_cache_logging_bucket_id" { + type = string + description = "S3 Bucket ID where the access logs to the cache bucket are stored." + default = null +} + +variable "executor_cache_logging_bucket_prefix" { + type = string + description = "Prefix within the `executor_cache_logging_bucket_name`." 
+ default = null +} + +variable "executor_pre_clone_script" { + description = "Script to execute in the pipeline before cloning the Git repository. this can be used to adjust the Git client configuration first, for example." + type = string + default = "\"\"" +} + +variable "executor_pre_build_script" { + description = "Script to execute in the pipeline just before the build." + type = string + default = "\"\"" +} + +variable "executor_post_build_script" { + description = "Script to execute in the pipeline just after the build, but before executing after_script." + type = string + default = "\"\"" +} + + /* * docker+machine Executor variables. The executor is the actual machine that runs the job. */ +variable "executor_docker_machine_extra_role_tags" { + description = "Map of tags that will be added to runner EC2 instances." + type = map(string) + default = {} +} + +variable "executor_docker_machine_extra_egress_rules" { + description = "List of egress rules for the docker-machine instance(s)." + type = list(object({ + cidr_blocks = list(string) + ipv6_cidr_blocks = list(string) + prefix_list_ids = list(string) + from_port = number + protocol = string + security_groups = list(string) + self = bool + to_port = number + description = string + })) + default = [{ + cidr_blocks = ["0.0.0.0/0"] + ipv6_cidr_blocks = ["::/0"] + prefix_list_ids = null + from_port = 0 + protocol = "-1" + security_groups = null + self = null + to_port = 0 + description = "Allow all egress traffic for docker machine build runners" + }] +} + +variable "executor_docker_machine_assume_role_json" { + description = "Assume role policy for the docker+machine Executor." + type = string + default = "" +} + +# executor +variable "executor_docker_machine_extra_iam_policy_arns" { + type = list(string) + description = "List of policy ARNs to be added to the instance profile of the docker+machine Executor." 
+ default = [] +} + variable "executor_docker_machine_ami_filter" { description = "List of maps used to create the AMI filter for the docker+machine Executor." type = map(list(string)) @@ -344,6 +590,12 @@ variable "executor_docker_machine_ami_owners" { default = ["099720109477"] } +variable "executor_docker_machine_use_private_address" { + description = "Restrict Executors to the use of a private IP address. If `agent_use_private_address` is set to `true` (default), `executor_docker_machine_use_private_address` will also apply for the agent." + type = bool + default = true +} + variable "executor_docker_machine_instance_prefix" { description = "Set the name prefix and override the `Name` tag for the GitLab Runner Executor instances." type = string @@ -360,12 +612,23 @@ variable "executor_docker_machine_instance_prefix" { } } +variable "executor_docker_machine_request_spot_instances" { + description = "Whether or not to request spot instances via docker-machine" + type = bool + default = true +} + variable "executor_docker_machine_userdata" { description = "Cloud-init user data that will be passed to the Executor EC2 instance. Should not be base64 encrypted." type = string default = "" } +variable "executor_docker_machine_docker_registry_mirror_url" { + description = "The docker registry mirror to use to avoid rate limiting by hub.docker.com" + type = string + default = "" +} 
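Review bot: The description of `executor_cache_logging_bucket_prefix` refers to `executor_cache_logging_bucket_name`, which does not exist; the bucket variable defined directly above it is `executor_cache_logging_bucket_id`, so the text should read `Prefix within the executor_cache_logging_bucket_id bucket.` (the removed original correctly pointed at `cache_logging_bucket`). Two smaller consistency points in the same hunk: `executor_docker_machine_extra_iam_policy_arns` keeps a stray `# executor` category comment that none of the other relocated variables carry, and `executor_docker_machine_extra_role_tags` is described as tagging "runner EC2 instances", which does not match its `role_tags` name.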
@@ -572,236 +835,6 @@ variable "runners_iam_instance_profile_name" { default = "" } -# executor -variable "runners_docker_registry_mirror" { - description = "The docker registry mirror to use to avoid rate limiting by hub.docker.com" - type = string - default = "" -} - -# executor -variable "runners_environment_vars" { - description = "Environment variables during build execution, e.g. KEY=Value, see runner-public example. Will be used in the runner config.toml" - type = list(string) - default = [] -} - -# executor -variable "runners_pre_build_script" { - description = "Script to execute in the pipeline just before the build, will be used in the runner config.toml" - type = string - default = "\"\"" -} - -# executor -variable "runners_post_build_script" { - description = "Commands to be executed on the Runner just after executing the build, but before executing after_script. " - type = string - default = "\"\"" -} - -# executor -variable "runners_pre_clone_script" { - description = "Commands to be executed on the Runner before cloning the Git repository. this can be used to adjust the Git client configuration first, for example. " - type = string - default = "\"\"" -} - -# executor -variable "runners_request_concurrency" { - description = "Limit number of concurrent requests for new jobs from GitLab (default 1)." - type = number - default = 1 -} - -# executor -variable "runners_output_limit" { - description = "Sets the maximum build log size in kilobytes, by default set to 4096 (4MB)." - type = number - default = 4096 -} - -# agent -variable "userdata_pre_install" { - description = "User-data script snippet to insert before GitLab runner install" - type = string - default = "" -} - -# agent -variable "userdata_post_install" { - description = "User-data script snippet to insert after GitLab runner install" - type = string - default = "" -} - -# agent -variable "runners_use_private_address" { - description = "Restrict runners to the use of a private IP address. 
If `runner_agent_uses_private_address` is set to `true`(default), `runners_use_private_address` will also apply for the agent." - type = bool - default = true -} - -# agent -variable "runner_agent_uses_private_address" { - description = "Restrict the runner agent to the use of a private IP address. If `runner_agent_uses_private_address` is set to `false` it will override the `runners_use_private_address` for the agent." - type = bool - default = true -} - -# executor -variable "runners_request_spot_instance" { - description = "Whether or not to request spot instances via docker-machine" - type = bool - default = true -} - -# executor -variable "cache_logging_bucket" { - type = string - description = "S3 Bucket ID where the access logs to the cache bucket are stored." - default = null -} - -# executor -variable "cache_logging_bucket_prefix" { - type = string - description = "Prefix within the `cache_logging_bucket`." - default = null -} - -# executor -variable "cache_bucket_prefix" { - description = "Prefix for s3 cache bucket name." - type = string - default = "" -} - -# executor -variable "cache_bucket_name_include_account_id" { - description = "Boolean to add current account ID to cache bucket name." - type = bool - default = true -} - -# executor -variable "cache_bucket_set_random_suffix" { - description = "Append the cache bucket name with a random string suffix" - type = bool - default = false -} - -# executor -variable "cache_bucket_versioning" { - description = "Boolean used to enable versioning on the cache bucket, false by default." - type = bool - default = false -} - -# executor -variable "cache_expiration_days" { - description = "Number of days before cache objects expires." - type = number - default = 1 -} - -# executor -variable "cache_shared" { - description = "Enables cache sharing between runners, false by default." 
- type = bool - default = false -} - -# agent -variable "gitlab_runner_version" { - description = "Version of the [GitLab runner](https://gitlab.com/gitlab-org/gitlab-runner/-/releases)." - type = string - default = "15.8.2" -} - -# agent -variable "enable_ping" { - description = "Allow ICMP Ping to the ec2 instances." - type = bool - default = false -} - -# agent -variable "gitlab_runner_egress_rules" { - description = "List of egress rules for the gitlab runner instance." - type = list(object({ - cidr_blocks = list(string) - ipv6_cidr_blocks = list(string) - prefix_list_ids = list(string) - from_port = number - protocol = string - security_groups = list(string) - self = bool - to_port = number - description = string - })) - default = [{ - cidr_blocks = ["0.0.0.0/0"] - ipv6_cidr_blocks = ["::/0"] - prefix_list_ids = null - from_port = 0 - protocol = "-1" - security_groups = null - self = null - to_port = 0 - description = null - }] -} - -# agent -variable "gitlab_runner_security_group_ids" { - description = "A list of security group ids that are allowed to access the gitlab runner agent" - type = list(string) - default = [] -} - -# agent -variable "gitlab_runner_security_group_description" { - description = "A description for the gitlab-runner security group" - type = string - default = "A security group containing gitlab-runner agent instances" -} - -# agent -variable "enable_cloudwatch_logging" { - description = "Boolean used to enable or disable the CloudWatch logging." - type = bool - default = true -} - -# agent -variable "cloudwatch_logging_retention_in_days" { - description = "Retention for cloudwatch logs. Defaults to unlimited" - type = number - default = 0 -} - -# agent -variable "agent_tags" { - description = "Map of tags that will be added to agent EC2 instances." - type = map(string) - default = {} -} - -# executor -variable "runner_tags" { - description = "Map of tags that will be added to runner EC2 instances." 
- type = map(string) - default = {} -} - -# agent -variable "role_tags" { - description = "Map of tags that will be added to the role created. Useful for tag based authorization." - type = map(string) - default = {} -} - # agent variable "allow_iam_service_linked_role_creation" { description = "Boolean used to control attaching the policy to a runner instance to create service linked roles." @@ -817,20 +850,6 @@ variable "docker_machine_options" { default = [] } -# agent -variable "instance_role_json" { - description = "Default runner instance override policy, expected to be in JSON format." - type = string - default = "" -} - -# executor -variable "docker_machine_role_json" { - description = "Docker machine runner instance override policy, expected to be in JSON format." - type = string - default = "" -} - # executor variable "docker_machine_security_group_description" { description = "A description for the docker-machine security group" @@ -838,12 +857,6 @@ variable "docker_machine_security_group_description" { default = "A security group containing docker-machine instances" } - - - - - - # agent variable "secure_parameter_store_runner_token_key" { description = "The key name used store the Gitlab runner token in Secure Parameter Store" @@ -885,12 +898,6 @@ variable "cache_bucket" { } } - - - - - - # executor variable "enable_docker_machine_ssm_access" { description = "Add IAM policies to the docker-machine instances to connect via the Session Manager." 
@@ -929,68 +936,3 @@ variable "runners_docker_services" { })) default = [] } - -# agent -variable "enable_asg_recreation" { - description = "Enable automatic redeployment of the Runner ASG when the Launch Configs change." - default = true - type = bool -} - -# agent -variable "asg_delete_timeout" { - description = "Timeout when trying to delete the Runner ASG." - default = "10m" - type = string -} - -# agent -variable "asg_max_instance_lifetime" { - description = "The seconds before an instance is refreshed in the ASG." - default = null - type = number -} - -# agent -variable "log_group_name" { - description = "Option to override the default name (`environment`) of the log group, requires `enable_cloudwatch_logging = true`." - default = null - type = string -} - - - -# executor -variable "docker_machine_iam_policy_arns" { - type = list(string) - description = "List of policy ARNs to be added to the instance profile of the docker machine runners." - default = [] -} - - -# executor -variable "docker_machine_egress_rules" { - description = "List of egress rules for the docker-machine instance(s)." - type = list(object({ - cidr_blocks = list(string) - ipv6_cidr_blocks = list(string) - prefix_list_ids = list(string) - from_port = number - protocol = string - security_groups = list(string) - self = bool - to_port = number - description = string - })) - default = [{ - cidr_blocks = ["0.0.0.0/0"] - ipv6_cidr_blocks = ["::/0"] - prefix_list_ids = null - from_port = 0 - protocol = "-1" - security_groups = null - self = null - to_port = 0 - description = "Allow all egress traffic for docker machine build runners" - }] -} From ba7af60cbf287eda56eed23542c82998dfda0f7a Mon Sep 17 00:00:00 2001 
From: kayma Date: Thu, 23 Mar 2023 14:43:18 +0100 Subject: [PATCH 10/74] more variables --- examples/runner-certificates/README.md | 2 +- examples/runner-certificates/main.tf | 4 +- examples/runner-default/main.tf | 14 +- examples/runner-docker/main.tf | 10 +- examples/runner-multi-region/main.tf | 16 +- examples/runner-pre-registered/main.tf | 6 +- examples/runner-public/main.tf | 14 +- locals.tf | 16 +- main.tf | 38 +-- migrations/migrate-to-7-0-0.sh | 36 ++- modules/terminate-agent-hook/README.md | 2 +- security_groups.tf | 2 +- variables.tf | 379 ++++++++++++------------- 13 files changed, 266 insertions(+), 273 deletions(-) diff --git a/examples/runner-certificates/README.md b/examples/runner-certificates/README.md index c8acf9fe8..6bfe0d5c7 100644 --- a/examples/runner-certificates/README.md +++ b/examples/runner-certificates/README.md @@ -56,7 +56,7 @@ module { # ... # Mount EC2 host certs in docker so all user docker images can reference them. - runners_additional_volumes = ["/etc/gitlab-runner/certs/:/etc/gitlab-runner/certs:ro"] + executor_docker_additional_volumes = ["/etc/gitlab-runner/certs/:/etc/gitlab-runner/certs:ro"] # ... } diff --git a/examples/runner-certificates/main.tf b/examples/runner-certificates/main.tf index df3af6ccd..c3e19e343 100644 --- a/examples/runner-certificates/main.tf +++ b/examples/runner-certificates/main.tf @@ -26,7 +26,7 @@ module "runner" { # General ############################################### - runners_name = var.runner_name + runners_name = var.runner_name agent_gitlab_url = var.gitlab_url executor_type = "docker" 
@@ -48,7 +48,7 @@ module "runner" { # cp /etc/gitlab-runner/certs/* /usr/local/share/ca-certificates/ # update-ca-certificates # Or similar OS-dependent commands. The above are an example for Ubuntu. - runners_additional_volumes = ["/etc/gitlab-runner/certs/:/etc/gitlab-runner/certs:ro"] + executor_docker_additional_volumes = ["/etc/gitlab-runner/certs/:/etc/gitlab-runner/certs:ro"] ############################################### # Registration diff --git a/examples/runner-default/main.tf b/examples/runner-default/main.tf index 722433a4a..b4b6d0fc9 100644 --- a/examples/runner-default/main.tf +++ b/examples/runner-default/main.tf @@ -53,8 +53,8 @@ module "runner" { subnet_id = element(module.vpc.private_subnets, 0) metrics_autoscaling = ["GroupDesiredCapacity", "GroupInServiceCapacity"] - runners_name = var.runner_name - agent_gitlab_url = var.gitlab_url + runners_name = var.runner_name + agent_gitlab_url = var.gitlab_url agent_enable_ssm_access = true agent_ping_allow_from_security_groups = [data.aws_security_group.default.id] @@ -75,17 +75,17 @@ module "runner" { "tf-aws-gitlab-runner:instancelifecycle" = "spot:yes" } - runners_privileged = "true" - runners_additional_volumes = ["/certs/client"] + runners_privileged = "true" + executor_docker_additional_volumes = ["/certs/client"] - runners_volumes_tmpfs = [ + executor_docker_volumes_tmpfs = [ { volume = "/var/opt/cache", options = "rw,noexec" } ] - runners_services_volumes_tmpfs = [ + executor_docker_services_volumes_tmpfs = [ { volume = "/var/lib/mysql", options = "rw,noexec" @@ -93,7 +93,7 @@ module "runner" { ] # working 9 to 5 :) - runners_machine_autoscaling = [ + executor_docker_machine_autoscaling = [ { periods = ["\"* * 0-9,17-23 * * mon-fri *\"", "\"* * * * * sat,sun *\""] idle_count = 0 diff --git a/examples/runner-docker/main.tf b/examples/runner-docker/main.tf index b01ed363f..b66489f8b 100644 --- a/examples/runner-docker/main.tf +++ b/examples/runner-docker/main.tf 
@@ -42,16 +42,16 @@ module "runner" { environment = var.environment executor_docker_machine_use_private_address = false - agent_enable_eip = true + agent_enable_eip = true - docker_machine_security_group_description = "Custom description for docker-machine" - agent_security_group_description = "Custom description for gitlab-runner" + executor_docker_machine_security_group_description = "Custom description for docker-machine" + agent_security_group_description = "Custom description for gitlab-runner" vpc_id = module.vpc.vpc_id subnet_id = element(module.vpc.public_subnets, 0) - executor_type = "docker" - runners_name = var.runner_name + executor_type = "docker" + runners_name = var.runner_name agent_gitlab_url = var.gitlab_url agent_gitlab_registration_config = { diff --git a/examples/runner-multi-region/main.tf b/examples/runner-multi-region/main.tf index b225ed61c..3f3b301c3 100644 --- a/examples/runner-multi-region/main.tf +++ b/examples/runner-multi-region/main.tf @@ -31,12 +31,12 @@ module "runner_main_region" { docker_machine_spot_price_bid = "on-demand-price" - runners_name = var.runner_name - agent_gitlab_url = var.gitlab_url + runners_name = var.runner_name + agent_gitlab_url = var.gitlab_url executor_extra_environment_variables = ["KEY=Value", "FOO=bar"] - runners_privileged = "false" - runners_additional_volumes = ["/var/run/docker.sock:/var/run/docker.sock"] + runners_privileged = "false" + executor_docker_additional_volumes = ["/var/run/docker.sock:/var/run/docker.sock"] agent_gitlab_registration_config = { registration_token = var.registration_token 
@@ -96,12 +96,12 @@ module "runner_alternate_region" { docker_machine_spot_price_bid = "on-demand-price" - runners_name = var.runner_name - agent_gitlab_url = var.gitlab_url + runners_name = var.runner_name + agent_gitlab_url = var.gitlab_url executor_extra_environment_variables = ["KEY=Value", "FOO=bar"] - runners_privileged = "false" - runners_additional_volumes = ["/var/run/docker.sock:/var/run/docker.sock"] + runners_privileged = "false" + executor_docker_additional_volumes = ["/var/run/docker.sock:/var/run/docker.sock"] agent_gitlab_registration_config = { registration_token = var.registration_token diff --git a/examples/runner-pre-registered/main.tf b/examples/runner-pre-registered/main.tf index 274e46d0a..8301cb8fd 100644 --- a/examples/runner-pre-registered/main.tf +++ b/examples/runner-pre-registered/main.tf @@ -31,12 +31,12 @@ module "runner" { vpc_id = module.vpc.vpc_id subnet_id = element(module.vpc.private_subnets, 0) - runners_name = var.runner_name + runners_name = var.runner_name agent_gitlab_url = var.gitlab_url - runners_token = var.runner_token + runners_token = var.runner_token # working 9 to 5 :) - runners_machine_autoscaling = [ + executor_docker_machine_autoscaling = [ { periods = ["\"* * 0-9,17-23 * * mon-fri *\"", "\"* * * * * sat,sun *\""] idle_count = 0 diff --git a/examples/runner-public/main.tf b/examples/runner-public/main.tf index efb3553f1..6c6b0c05c 100644 --- a/examples/runner-public/main.tf +++ b/examples/runner-public/main.tf 
@@ -38,12 +38,12 @@ module "runner" { docker_machine_spot_price_bid = "on-demand-price" - runners_name = var.runner_name - agent_gitlab_url = var.gitlab_url + runners_name = var.runner_name + agent_gitlab_url = var.gitlab_url executor_extra_environment_variables = ["KEY=Value", "FOO=bar"] - runners_privileged = "false" - runners_additional_volumes = ["/var/run/docker.sock:/var/run/docker.sock"] + runners_privileged = "false" + executor_docker_additional_volumes = ["/var/run/docker.sock:/var/run/docker.sock"] agent_gitlab_registration_config = { registration_token = var.registration_token @@ -61,7 +61,7 @@ module "runner" { executor_cache_shared = "true" - cache_bucket = { + executor_cache_bucket = { create = false policy = module.cache.policy_arn bucket = module.cache.bucket @@ -80,7 +80,7 @@ module "runner2" { docker_machine_spot_price_bid = "on-demand-price" - runners_name = var.runner_name + runners_name = var.runner_name agent_gitlab_url = var.gitlab_url agent_gitlab_registration_config = { @@ -94,7 +94,7 @@ module "runner2" { executor_cache_shared = "true" - cache_bucket = { + executor_cache_bucket = { create = false policy = module.cache.policy_arn bucket = module.cache.bucket diff --git a/locals.tf b/locals.tf index c67953630..efda0d6c6 100644 --- a/locals.tf +++ b/locals.tf 
@@ -47,17 +47,17 @@ locals { # Convert list to a string separated and prepend by a comma docker_machine_options_string = format( ",\"amazonec2-metadata-token=${var.docker_machine_instance_metadata_options.http_tokens}\", \"amazonec2-metadata-token-response-hop-limit=${var.docker_machine_instance_metadata_options.http_put_response_hop_limit}\",%s", - join(",", formatlist("%q", concat(var.docker_machine_options, local.runners_docker_registry_mirror_option))), + join(",", formatlist("%q", concat(var.executor_docker_machine_ec2_options, local.runners_docker_registry_mirror_option))), ) runners_docker_registry_mirror_option = var.executor_docker_machine_docker_registry_mirror_url == "" ? [] : ["engine-registry-mirror=${var.executor_docker_machine_docker_registry_mirror_url}"] # Ensure max builds is optional - runners_max_builds_string = var.executor_max_builds == 0 ? "" : format("MaxBuilds = %d", var.executor_max_builds) + runners_max_builds_string = var.executor_docker_machine_max_builds == 0 ? "" : format("MaxBuilds = %d", var.executor_docker_machine_max_builds) # Define key for runner token for SSM - secure_parameter_store_runner_token_key = "${var.environment}-${var.secure_parameter_store_runner_token_key}" - secure_parameter_store_runner_sentry_dsn = "${var.environment}-${var.secure_parameter_store_runner_sentry_dsn}" + secure_parameter_store_runner_token_key = "${var.environment}-${var.agent_gitlab_token_secure_parameter_store}" + secure_parameter_store_runner_sentry_dsn = "${var.environment}-${var.agent_sentry_secure_parameter_store_name}" # Custom names for runner agent instance, security groups, and IAM objects name_runner_agent_instance = var.agent_instance_prefix == "" ? local.tags["Name"] : var.agent_instance_prefix 
@@ -65,20 +65,20 @@ locals { name_iam_objects = var.iam_object_prefix == "" ? local.tags["Name"] : var.iam_object_prefix runners_additional_volumes = <<-EOT - %{~if var.runners_add_dind_volumes~},"/certs/client", "/builds", "/var/run/docker.sock:/var/run/docker.sock"%{endif~}%{~for volume in var.runners_additional_volumes~},"${volume}"%{endfor~} + %{~if var.executor_docker_add_dind_volumes~},"/certs/client", "/builds", "/var/run/docker.sock:/var/run/docker.sock"%{endif~}%{~for volume in var.executor_docker_additional_volumes~},"${volume}"%{endfor~} EOT runners_machine_autoscaling = templatefile("${path.module}/template/runners_machine_autoscaling.tftpl", { - runners_machine_autoscaling = var.runners_machine_autoscaling + runners_machine_autoscaling = var.executor_docker_machine_autoscaling } ) runners_docker_services = templatefile("${path.module}/template/runners_docker_services.tftpl", { - runners_docker_services = var.runners_docker_services + runners_docker_services = var.executor_docker_services } ) - runners_pull_policies = "[\"${join("\",\"", var.runners_pull_policies)}\"]" + runners_pull_policies = "[\"${join("\",\"", var.executor_docker_pull_policies)}\"]" /* determines if the docker machine executable adds the Name tag automatically (versions >= 0.16.2) */ # make sure to skip pre-release stuff in the semver by ignoring everything after "-" diff --git a/main.tf b/main.tf index 72db0c4c0..e39176f72 100644 --- a/main.tf +++ b/main.tf @@ -86,7 +86,7 @@ locals { gitlab_url = var.agent_gitlab_url gitlab_clone_url = var.agent_gitlab_clone_url tls_ca_file = length(var.agent_gitlab_certificate) > 0 ? "tls-ca-file=\"/etc/gitlab-runner/certs/gitlab.crt\"" : "" - runners_extra_hosts = var.runners_extra_hosts + runners_extra_hosts = var.executor_docker_extra_hosts runners_vpc_id = var.vpc_id runners_subnet_id = var.subnet_id runners_aws_zone = data.aws_availability_zone.runners.name_suffix 
@@ -94,8 +94,8 @@ locals { runners_spot_price_bid = var.docker_machine_spot_price_bid == "on-demand-price" || var.docker_machine_spot_price_bid == null ? "" : var.docker_machine_spot_price_bid runners_ami = var.executor_type == "docker+machine" ? data.aws_ami.docker-machine[0].id : "" runners_security_group_name = var.executor_type == "docker+machine" ? aws_security_group.docker_machine[0].name : "" - runners_monitoring = var.runners_monitoring - runners_ebs_optimized = var.runners_ebs_optimized + runners_monitoring = var.executor_docker_machine_enable_monitoring + runners_ebs_optimized = var.executor_docker_machine_ec2_ebs_optimized runners_instance_profile = var.executor_type == "docker+machine" ? aws_iam_instance_profile.docker_machine[0].name : "" runners_additional_volumes = local.runners_additional_volumes docker_machine_options = length(local.docker_machine_options_string) == 1 ? "" : local.docker_machine_options_string 
@@ -110,17 +110,17 @@ locals { runners_image = var.runners_image runners_privileged = var.runners_privileged runners_disable_cache = var.runners_disable_cache - runners_docker_runtime = var.runners_docker_runtime - runners_helper_image = var.runners_helper_image - runners_shm_size = var.runners_shm_size + runners_docker_runtime = var.executor_docker_runtime + runners_helper_image = var.executor_docker_helper_image + runners_shm_size = var.executor_docker_shm_size runners_pull_policies = local.runners_pull_policies runners_idle_count = var.executor_idle_count runners_idle_time = var.executor_idle_time runners_max_builds = local.runners_max_builds_string runners_machine_autoscaling = local.runners_machine_autoscaling - runners_root_size = var.runners_root_size - runners_volume_type = var.runners_volume_type - runners_iam_instance_profile_name = var.runners_iam_instance_profile_name + runners_root_size = var.executor_docker_machine_ec2_root_size + runners_volume_type = var.executor_docker_machine_ec2_volume_type + runners_iam_instance_profile_name = var.executor_docker_machine_iam_instance_profile_name runners_use_private_address_only = var.executor_docker_machine_use_private_address runners_use_private_address = !var.executor_docker_machine_use_private_address runners_request_spot_instance = var.executor_docker_machine_request_spot_instances 
@@ -131,8 +131,8 @@ locals { runners_request_concurrency = var.executor_request_concurrency runners_output_limit = var.executor_output_limit runners_check_interval = var.agent_gitlab_check_interval - runners_volumes_tmpfs = join("\n", [for v in var.runners_volumes_tmpfs : format("\"%s\" = \"%s\"", v.volume, v.options)]) - runners_services_volumes_tmpfs = join("\n", [for v in var.runners_services_volumes_tmpfs : format("\"%s\" = \"%s\"", v.volume, v.options)]) + runners_volumes_tmpfs = join("\n", [for v in var.executor_docker_volumes_tmpfs : format("\"%s\" = \"%s\"", v.volume, v.options)]) + runners_services_volumes_tmpfs = join("\n", [for v in var.executor_docker_services_volumes_tmpfs : format("\"%s\" = \"%s\"", v.volume, v.options)]) runners_docker_services = local.runners_docker_services bucket_name = local.bucket_name shared_cache = var.executor_cache_shared @@ -164,7 +164,7 @@ data "aws_ami" "docker-machine" { # kics-scan ignore-line resource "aws_autoscaling_group" "gitlab_runner_instance" { # TODO Please explain how `enable_asg_recreation` works - name = var.enable_asg_recreation ? "${aws_launch_template.gitlab_runner_instance.name}-asg" : "${var.environment}-as-group" + name = var.agent_enable_asg_recreation ? "${aws_launch_template.gitlab_runner_instance.name}-asg" : "${var.environment}-as-group" vpc_zone_identifier = [var.subnet_id] min_size = "1" max_size = "1" 
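Review bot: In the `aws_autoscaling_group` hunk the TODO comment directly above the changed `name` line still refers to `enable_asg_recreation`, while the expression now reads `var.agent_enable_asg_recreation`; the rename left the comment stale. Change it to `# TODO Please explain how `agent_enable_asg_recreation` works` so the comment and the code name the same variable. The `aws_autoscaling_group` resource continues outside the hunk.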
@@ -325,12 +325,12 @@ resource "aws_launch_template" "gitlab_runner_instance" { ### Create cache bucket ################################################################################ locals { - bucket_name = var.cache_bucket["create"] ? module.cache[0].bucket : var.cache_bucket["bucket"] - bucket_policy = var.cache_bucket["create"] ? module.cache[0].policy_arn : var.cache_bucket["policy"] + bucket_name = var.executor_cache_bucket["create"] ? module.cache[0].bucket : var.executor_cache_bucket["bucket"] + bucket_policy = var.executor_cache_bucket["create"] ? module.cache[0].policy_arn : var.executor_cache_bucket["policy"] } module "cache" { - count = var.cache_bucket["create"] ? 1 : 0 + count = var.executor_cache_bucket["create"] ? 1 : 0 source = "./modules/cache" environment = var.environment @@ -443,7 +443,7 @@ resource "aws_iam_role_policy_attachment" "docker_machine_cache_instance" { /* If the S3 cache adapter is configured to use an IAM instance profile, the adapter uses the profile attached to the GitLab Runner machine. So do not use aws_iam_role.docker_machine.name here! See https://docs.gitlab.com/runner/configuration/advanced-configuration.html */ - count = var.executor_type == "docker+machine" ? (var.cache_bucket["create"] || lookup(var.cache_bucket, "policy", "") != "" ? 1 : 0) : 0 + count = var.executor_type == "docker+machine" ? (var.executor_cache_bucket["create"] || lookup(var.executor_cache_bucket, "policy", "") != "" ? 1 : 0) : 0 role = var.agent_create_runner_iam_role_profile ? aws_iam_role.instance[0].name : local.aws_iam_role_instance_name policy_arn = local.bucket_policy 
@@ -480,7 +480,7 @@ resource "aws_iam_role_policy_attachment" "docker_machine_user_defined_policies" ################################################################################ resource "aws_iam_role_policy_attachment" "docker_machine_session_manager_aws_managed" { - count = (var.executor_type == "docker+machine" && var.enable_docker_machine_ssm_access) ? 1 : 0 + count = (var.executor_type == "docker+machine" && var.executor_enable_ssm_access) ? 1 : 0 role = aws_iam_role.docker_machine[0].name policy_arn = "arn:${data.aws_partition.current.partition}:iam::aws:policy/AmazonSSMManagedInstanceCore" @@ -490,7 +490,7 @@ resource "aws_iam_role_policy_attachment" "docker_machine_session_manager_aws_ma ### Service linked policy, optional ################################################################################ resource "aws_iam_policy" "service_linked_role" { - count = var.allow_iam_service_linked_role_creation ? 1 : 0 + count = var.agent_allow_iam_service_linked_role_creation ? 1 : 0 name = "${local.name_iam_objects}-service_linked_role" path = "/" @@ -501,7 +501,7 @@ resource "aws_iam_policy" "service_linked_role" { } resource "aws_iam_role_policy_attachment" "service_linked_role" { - count = var.allow_iam_service_linked_role_creation ? 1 : 0 + count = var.agent_allow_iam_service_linked_role_creation ? 1 : 0 role = var.agent_create_runner_iam_role_profile ? aws_iam_role.instance[0].name : local.aws_iam_role_instance_name policy_arn = aws_iam_policy.service_linked_role[0].arn diff --git a/migrations/migrate-to-7-0-0.sh b/migrations/migrate-to-7-0-0.sh index 4e6b47a22..3bf2294d3 100755 --- a/migrations/migrate-to-7-0-0.sh +++ b/migrations/migrate-to-7-0-0.sh 
@@ -28,6 +28,7 @@ sed -i '/asg_terminate_lifecycle_lambda_timeout/d' "$converted_file"
 # PT #757 refactor!: rename variables and prefix with agent, executor and global scope
 # sed -i '/aws_region/d' "$converted_file"
+sed -i '/enable_manage_gitlab_token/d' "$converted_file"
 sed 's/enable_kms/enable_managed_kms_key/g' "$converted_file" | \
 sed 's/kms_alias_name/kms_managed_alias_name/g' | \
@@ -43,7 +44,7 @@ sed 's/runners_executor/executor_type/g' | \
 sed 's/runners_install_amazon_ecr_credential_helper/agent_install_amazon_ecr_credential_helper/g' | \
 sed 's/runners_clone_url/agent_gitlab_clone_url/g' | \
 sed 's/runners_gitlab_url/agent_gitlab_url/g' | \
-sed 's/runners_max_builds/executor_max_builds/g' | \
+sed 's/runners_max_builds/executor_docker_machine_max_builds/g' | \
 sed 's/runners_idle_count/executor_idle_count/g' | \
 sed 's/runners_idle_time/executor_idle_time/g' | \
 sed 's/runners_concurrent/agent_maximum_concurrent_jobs/g' | \
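Review bot: `sed -i '/enable_manage_gitlab_token/d' "$converted_file"` removes every line containing that substring without telling the user, so an explicit setting in their configuration vanishes silently, presumably because the variable no longer exists. A one-line notice before the delete, `echo "Dropping enable_manage_gitlab_token: no longer supported, see the 7.0.0 migration notes"`, makes the loss visible in the migration log. The pattern is also a substring match, so anchoring it, `'/^[[:space:]]*enable_manage_gitlab_token[[:space:]]*=/d'`, keeps it from deleting any other line that merely mentions the name.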
@@ -107,15 +108,30 @@ sed 's/cloudwatch_logging_retention_in_days/agent_cloudwatch_retention_days/g' |
 sed 's/log_group_name/agent_cloudwatch_log_group_name/g' | \
 sed 's/asg_max_instance_lifetime/agent_max_instance_lifetime_seconds/g' | \
 sed 's/asg_delete_timeout/agent_terraform_timeout_delete_asg/g' | \
-sed 's///g' | \
-sed 's///g' | \
-sed 's///g' | \
-sed 's///g' | \
-sed 's///g' | \
-sed 's///g' | \
-sed 's///g' | \
-sed 's///g' | \
-sed 's///g' | \
+sed 's/enable_docker_machine_ssm_access/executor_enable_ssm_access/g' | \
+sed 's/cache_bucket/executor_cache_bucket/g' | \
+sed 's/docker_machine_security_group_description//g' | \
+sed 's/docker_machine_options/executor_docker_machine_ec2_options/g' | \
+sed 's/runners_iam_instance_profile_name/executor_docker_machine_iam_instance_profile_name/g' | \
+sed 's/runners_volume_type/executor_docker_machine_ec2_volume_type/g' | \
+sed 's/runners_ebs_optimized/executor_docker_machine_ec2_ebs_optimized/g' | \
+sed 's/runners_monitoring/executor_docker_machine_enable_monitoring/g' | \
+sed 's/runners_machine_autoscaling/executor_docker_machine_autoscaling/g' | \
+sed 's/runners_docker_services/executor_docker_services/g' | \
+sed 's/runners_services_volumes_tmpfs/executor_docker_services_volumes_tmpfs/g' | \
+sed 's/runners_volumes_tmpfs/executor_docker_volumes_tmpfs/g' | \
+sed 's/runners_root_size/executor_docker_machine_ec2_root_size/g' | \
+sed 's/enable_asg_recreation/agent_enable_asg_recreation/g' | \
+sed 's/secure_parameter_store_runner_sentry_dsn/agent_sentry_secure_parameter_store_name/g' | \
+sed 's/secure_parameter_store_runner_token_key/agent_gitlab_token_secure_parameter_store/g' | \
+sed 's/allow_iam_service_linked_role_creation/agent_allow_iam_service_linked_role_creation/g' | \
+sed 's/runners_pull_policies/executor_docker_pull_policies/g' | \
+sed 's/runners_helper_image/executor_docker_helper_image/g' | \
+sed 's/runners_docker_runtime/executor_docker_runtime/g' | \
+sed 
's/runners_shm_size/executor_docker_shm_size/g' | \ +sed 's/runners_extra_hosts/executor_docker_extra_hosts/g' | \ +sed 's/runners_additional_volumes/executor_docker_additional_volumes/g' | \ +sed 's/runners_add_dind_volumes/executor_docker_add_dind_volumes/g' | \ sed 's///g' | \ sed 's///g' | \ sed 's///g' | \ diff --git a/modules/terminate-agent-hook/README.md b/modules/terminate-agent-hook/README.md index 681f6de98..13ba36492 100644 --- a/modules/terminate-agent-hook/README.md +++ b/modules/terminate-agent-hook/README.md @@ -92,7 +92,7 @@ module "runner" { docker_machine_options = var.docker_machine_options # See https://github.com/npalm/terraform-aws-gitlab-runner/issues/160 - runners_additional_volumes = ["/certs/client"] + executor_docker_additional_volumes = ["/certs/client"] tags = local.common_tags diff --git a/security_groups.tf b/security_groups.tf index 68659d032..daa69977a 100644 --- a/security_groups.tf +++ b/security_groups.tf @@ -70,7 +70,7 @@ resource "aws_security_group" "docker_machine" { name_prefix = "${local.name_sg}-docker-machine" vpc_id = var.vpc_id - description = var.docker_machine_security_group_description + description = var.executor_docker_machine_security_group_description dynamic "egress" { for_each = var.executor_docker_machine_extra_egress_rules diff --git a/variables.tf b/variables.tf index 0433925a7..3628c7270 100644 --- a/variables.tf +++ b/variables.tf @@ -174,6 +174,13 @@ variable "agent_extra_egress_rules" { }] } +# agent +variable "agent_allow_iam_service_linked_role_creation" { + description = "Boolean used to control attaching the policy to the Agent to create service linked roles." + type = bool + default = true +} + variable "agent_create_runner_iam_role_profile" { description = "Whether to create the IAM role/profile for the Agent. If you provide your own role, make sure that it has the required permissions." type = bool 
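Review bot: `sed 's/docker_machine_security_group_description//g'` deletes the key name instead of renaming it, leaving a bare `= "..."` assignment in the migrated file, while security_groups.tf and examples/runner-docker/main.tf in this same commit move to `executor_docker_machine_security_group_description`; the line should read `sed 's/docker_machine_security_group_description/executor_docker_machine_security_group_description/g' | \`. The substitutions are plain substring matches, so `s/cache_bucket/executor_cache_bucket/g` also rewrites any longer name containing `cache_bucket` and will double-prefix a value an earlier line in the pipeline has already turned into `executor_cache_bucket…`; anchoring the patterns with `\b` (GNU sed, which `sed -i` here already implies) or ordering the longer names first limits the collateral rewrites. The three `sed 's///g'` placeholder lines that remain as context below the hunk would presumably make the whole pipeline fail with "no previous regular expression", since each `sed` runs in its own process, so they look like they should be removed rather than kept for later.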
@@ -250,6 +257,12 @@ variable "agent_max_instance_lifetime_seconds" { type = number } +variable "agent_enable_asg_recreation" { + description = "Enable automatic redeployment of the Agent ASG when the Launch Configs change." + default = true + type = bool +} + variable "agent_schedule_config" { description = "Map containing the configuration of the ASG scale-out and scale-in for the Agent. Will only be used if `agent_schedule_enable` is set to `true`. " type = map(any) @@ -343,6 +356,12 @@ variable "agent_gitlab_registration_config" { } } +variable "agent_gitlab_token_secure_parameter_store" { + description = "Name of the Secure Parameter Store entry to hold the GitLab Runner token." + type = string + default = "runner-token" +} + variable "agent_gitlab_ca_certificate" { description = "Trusted CA certificate bundle (PEM format). Example: `file(\"$${path.module}/ca.crt\")`" type = string @@ -384,6 +403,12 @@ variable "agent_sentry_dsn" { default = "__SENTRY_DSN_REPLACED_BY_USER_DATA__" } +variable "agent_sentry_secure_parameter_store_name" { + description = "The Sentry DSN name used to store the Sentry DSN in Secure Parameter Store" + type = string + default = "sentry-dsn" +} + variable "agent_prometheus_listen_address" { description = "Defines an address (:) the Prometheus metrics HTTP server should listen on." type = string @@ -416,10 +441,10 @@ variable "executor_type" { } } -variable "executor_max_builds" { - description = "Destroys the executor after processing this many jobs. Set to `0` to disable this feature." - type = number - default = 0 +variable "executor_enable_ssm_access" { + description = "Allows to connect to the Executor via SSM." + type = bool + default = false } variable "executor_max_jobs" { 
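Review bot: The description of `executor_enable_ssm_access` (`Allows to connect to the Executor via SSM.`) drops the permission-granting side effect that the variable it replaces spelled out (attaching IAM policies to the docker-machine instances for Session Manager), which is exactly what an operator reviewing IAM exposure needs to see. Suggest `Attaches the IAM policies needed to reach the docker+machine Executor instances via AWS Systems Manager Session Manager.`; if the docker executor is covered too, say so instead of `docker+machine`. Also `agent_gitlab_token_secure_parameter_store` and `agent_sentry_secure_parameter_store_name` name the same kind of value (an SSM parameter name) with different suffixes; aligning them now avoids another rename after the major release.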
@@ -458,6 +483,20 @@ variable "executor_extra_environment_variables" { default = [] } +variable "executor_cache_bucket" { + description = <<-EOT + Configuration to control the creation of the cache bucket. By default the bucket will be created and used as shared + cache. To use the same cache across multiple runners disable the creation of the cache and provide a policy and + bucket name. See the public runner example for more details." + EOT + type = map({ create = bool, policy = string, bucket = string }) + default = { + create = true + policy = "" + bucket = "" + } +} + variable "executor_cache_shared" { description = "Enables cache sharing between runners. `false` by default." type = bool 
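Review bot: `type = map({ create = bool, policy = string, bucket = string })` does not look like a valid Terraform type constraint — `map()` takes an element type and a bare `{ ... }` is not a type keyword — and even read as a map of objects it would not accept the `default` of one bool and two strings. Since main.tf indexes it as `var.executor_cache_bucket["create"]` and `lookup(var.executor_cache_bucket, "policy", "")`, `type = object({ create = bool, policy = string, bucket = string })` matches both the default and the callers. The heredoc description also carries a stray closing quote after `more details.` that will end up in the rendered documentation.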
@@ -524,9 +563,83 @@ variable "executor_post_build_script" { default = "\"\"" } +/* + * Docker Executor variables. + */ +variable "executor_docker_volumes_tmpfs" { + description = "Mount a tmpfs in Executor container. https://docs.gitlab.com/runner/executors/docker.html#mounting-a-directory-in-ram" + type = list(object({ + volume = string + options = string + })) + default = [] +} + +variable "executor_docker_services" { + description = "Starts additional services with the Docker container. All fields must be set (examine the Dockerfile of the service image for the entrypoint - see ./examples/runner-default/main.tf)" + type = list(object({ + name = string + alias = string + entrypoint = list(string) + command = list(string) + })) + default = [] +} + +variable "executor_docker_services_volumes_tmpfs" { + description = "Mount a tmpfs in gitlab service container. https://docs.gitlab.com/runner/executors/docker.html#mounting-a-directory-in-ram" + type = list(object({ + volume = string + options = string + })) + default = [] +} + +variable "executor_docker_extra_hosts" { + description = "Extra hosts to be passed to the container, e.g other-host:127.0.0.1" + type = list(any) + default = [] +} + +variable "executor_docker_shm_size" { + description = "shm_size for the runners, will be used in the runner config.toml" + type = number + default = 0 +} + +variable "executor_docker_runtime" { + description = "Docker runtime for Executors" + type = string + default = "" +} + +variable "executor_docker_helper_image" { + description = "Overrides the default helper image used to clone repos and upload artifacts" + type = string + default = "" +} + +variable "executor_docker_pull_policies" { + description = "Pull policies for the Executor, for Gitlab Runner >= 13.8, see https://docs.gitlab.com/runner/executors/docker.html#using-multiple-pull-policies " + type = list(string) + default = ["always"] +} + +variable "executor_docker_additional_volumes" { + description = "Additional 
volumes that will be used in the Executor, e.g Docker socket" + type = list(any) + default = [] +} + +variable "executor_docker_add_dind_volumes" { + description = "Add certificates and docker.sock to the volumes to support docker-in-docker (dind)" + type = bool + default = false +} /* - * docker+machine Executor variables. The executor is the actual machine that runs the job. + * docker+machine Executor variables. The executor is the actual machine that runs the job. Please specify the + * `executor_docker_*` variables as well as Docker is used on the docker+machine executor. */ variable "executor_docker_machine_extra_role_tags" { description = "Map of tags that will be added to runner EC2 instances." @@ -560,6 +673,12 @@ variable "executor_docker_machine_extra_egress_rules" { }] } +variable "executor_docker_machine_iam_instance_profile_name" { + description = "IAM instance profile name of the Executors." + type = string + default = "" +} + variable "executor_docker_machine_assume_role_json" { description = "Assume role policy for the docker+machine Executor." type = string @@ -573,6 +692,12 @@ variable "executor_docker_machine_extra_iam_policy_arns" { default = [] } +variable "executor_docker_machine_security_group_description" { + description = "A description for the docker+machine Executor security group" + type = string + default = "A security group containing docker-machine instances" +} + variable "executor_docker_machine_ami_filter" { description = "List of maps used to create the AMI filter for the docker+machine Executor." type = map(list(string)) @@ -612,6 +737,12 @@ variable "executor_docker_machine_instance_prefix" { } } +variable "executor_docker_machine_enable_monitoring" { + description = "Enable detailed cloudwatch monitoring for spot instances." + type = bool + default = false +} + variable "executor_docker_machine_request_spot_instances" { description = "Whether or not to request spot instances via docker-machine" type = bool 
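Review bot: The reworded docker+machine header comment reads ambiguously (`as well as Docker is used on the docker+machine executor`); suggest `Please also set the relevant \`executor_docker_*\` variables, since the docker+machine Executor runs jobs in Docker too.` The description of `executor_docker_additional_volumes` gives the Docker socket as its example without the caveat that mounting it hands jobs control of the Executor's Docker daemon; consider appending `; note that exposing the Docker socket gives jobs full control of the Docker daemon on the Executor`. `executor_docker_shm_size` still says `for the runners, will be used in the runner config.toml` while every sibling in this block now says `Executor`; `shm_size of the Executor container` keeps the terminology consistent.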
@@ -624,6 +755,48 @@ variable "executor_docker_machine_userdata" { default = "" } +variable "executor_docker_machine_ec2_volume_type" { + description = "Executor volume type" + type = string + default = "gp2" +} + +variable "executor_docker_machine_ec2_root_size" { + description = "Executor root size in GB." + type = number + default = 16 +} + +variable "executor_docker_machine_ec2_ebs_optimized" { + description = "Enable Executors to be EBS-optimized." + type = bool + default = true +} + +variable "executor_docker_machine_ec2_options" { + # cspell:ignore amazonec + description = "List of additional options for the docker+machine config. Each element of this list must be a key=value pair. E.g. '[\"amazonec2-zone=a\"]'" + type = list(string) + default = [] +} + +variable "executor_docker_machine_autoscaling" { + description = "Set autoscaling parameters based on periods, see https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-runnersmachine-section" + type = list(object({ + periods = list(string) + idle_count = number + idle_time = number + timezone = string + })) + default = [] +} + +variable "executor_docker_machine_max_builds" { + description = "Destroys the executor after processing this many jobs. Set to `0` to disable this feature." + type = number + default = 0 +} + variable "executor_docker_machine_docker_registry_mirror_url" { description = "The docker registry mirror to use to avoid rate limiting by hub.docker.com" type = string 
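Review bot: `executor_docker_machine_max_builds` is introduced here as the replacement for `executor_max_builds`, which the earlier hunk in this file removes, but none of the migrate-to-7-0-0.sh hunks in this patch series map either the old `runners_*` name or `executor_max_builds` to the new name; if an entry earlier in that script still targets `executor_max_builds`, it now points at a variable that no longer exists. Please add or update the corresponding `sed 's/.../executor_docker_machine_max_builds/g' | \` line. The descriptions `Executor volume type` and `Executor root size in GB.` would also benefit from naming what they apply to, e.g. `EBS volume type of the docker+machine Executor instances`.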
@@ -739,200 +912,4 @@ variable "runners_disable_cache" { default = false } -# executor -variable "runners_add_dind_volumes" { - description = "Add certificates and docker.sock to the volumes to support docker-in-docker (dind)" - type = bool - default = false -} - -# executor -variable "runners_additional_volumes" { - description = "Additional volumes that will be used in the runner config.toml, e.g Docker socket" - type = list(any) - default = [] -} - -# executor -variable "runners_extra_hosts" { - description = "Extra hosts that will be used in the runner config.toml, e.g other-host:127.0.0.1" - type = list(any) - default = [] -} - -# executor -variable "runners_shm_size" { - description = "shm_size for the runners, will be used in the runner config.toml" - type = number - default = 0 -} - -# executor -variable "runners_docker_runtime" { - description = "docker runtime for runners, will be used in the runner config.toml" - type = string - default = "" -} - -# executor -variable "runners_helper_image" { - description = "Overrides the default helper image used to clone repos and upload artifacts, will be used in the runner config.toml" - type = string - default = "" -} - -# executor -variable "runners_pull_policies" { - description = "pull policies for the runners, will be used in the runner config.toml, for Gitlab Runner >= 13.8, see https://docs.gitlab.com/runner/executors/docker.html#using-multiple-pull-policies " - type = list(string) - default = ["always"] -} - -# executor -variable "runners_monitoring" { - description = "Enable detailed cloudwatch monitoring for spot instances." - type = bool - default = false -} - -# executor -variable "runners_ebs_optimized" { - description = "Enable runners to be EBS-optimized." 
- type = bool - default = true -} - -# executor -variable "runners_machine_autoscaling" { - description = "Set autoscaling parameters based on periods, see https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-runnersmachine-section" - type = list(object({ - periods = list(string) - idle_count = number - idle_time = number - timezone = string - })) - default = [] -} - -# executor -variable "runners_root_size" { - description = "Runner instance root size in GB." - type = number - default = 16 -} - -# executor -variable "runners_volume_type" { - description = "Runner instance volume type" - type = string - default = "gp2" -} - -# executor -variable "runners_iam_instance_profile_name" { - description = "IAM instance profile name of the runners, will be used in the runner config.toml" - type = string - default = "" -} - -# agent -variable "allow_iam_service_linked_role_creation" { - description = "Boolean used to control attaching the policy to a runner instance to create service linked roles." - type = bool - default = true -} - -# executor -variable "docker_machine_options" { - # cspell:ignore amazonec - description = "List of additional options for the docker machine config. Each element of this list must be a key=value pair. E.g. 
'[\"amazonec2-zone=a\"]'" - type = list(string) - default = [] -} - -# executor -variable "docker_machine_security_group_description" { - description = "A description for the docker-machine security group" - type = string - default = "A security group containing docker-machine instances" -} - -# agent -variable "secure_parameter_store_runner_token_key" { - description = "The key name used store the Gitlab runner token in Secure Parameter Store" - type = string - default = "runner-token" -} - -# agent -variable "secure_parameter_store_runner_sentry_dsn" { - description = "The Sentry DSN name used to store the Sentry DSN in Secure Parameter Store" - type = string - default = "sentry-dsn" -} - -# agent -variable "enable_manage_gitlab_token" { - description = "(Deprecated) Boolean to enable the management of the GitLab token in SSM. If `true` the token will be stored in SSM, which means the SSM property is a terraform managed resource. If `false` the Gitlab token will be stored in the SSM by the user-data script during creation of the the instance. However the SSM parameter is not managed by terraform and will remain in SSM after a `terraform destroy`." - type = bool - default = null - - validation { - # false positive. There is no secret! - # kics-scan ignore-line - condition = anytrue([var.enable_manage_gitlab_token == null]) - error_message = "Deprecated, this variable is no longer in use and can be removed." - } -} - - -# executor -variable "cache_bucket" { - description = "Configuration to control the creation of the cache bucket. By default the bucket will be created and used as shared cache. To use the same cache across multiple runners disable the creation of the cache and provide a policy and bucket name. See the public runner example for more details." 
- type = map(any) - - default = { - create = true - policy = "" - bucket = "" - } -} - -# executor -variable "enable_docker_machine_ssm_access" { - description = "Add IAM policies to the docker-machine instances to connect via the Session Manager." - type = bool - default = false -} - -# executor -variable "runners_volumes_tmpfs" { - description = "Mount a tmpfs in runner container. https://docs.gitlab.com/runner/executors/docker.html#mounting-a-directory-in-ram" - type = list(object({ - volume = string - options = string - })) - default = [] -} -# executor -variable "runners_services_volumes_tmpfs" { - description = "Mount a tmpfs in gitlab service container. https://docs.gitlab.com/runner/executors/docker.html#mounting-a-directory-in-ram" - type = list(object({ - volume = string - options = string - })) - default = [] -} - -# executor -variable "runners_docker_services" { - description = "adds `runners.docker.services` blocks to config.toml. All fields must be set (examine the Dockerfile of the service image for the entrypoint - see ./examples/runner-default/main.tf)" - type = list(object({ - name = string - alias = string - entrypoint = list(string) - command = list(string) - })) - default = [] -} From d0e27293c46d8f9896b3db12320974c6fe16ee0b Mon Sep 17 00:00:00 2001 From: kayma Date: Thu, 23 Mar 2023 15:22:41 +0100 Subject: [PATCH 11/74] refactor remaining --- examples/runner-certificates/main.tf | 2 +- examples/runner-default/main.tf | 8 +- examples/runner-docker/main.tf | 2 +- examples/runner-multi-region/main.tf | 20 +-- examples/runner-pre-registered/main.tf | 4 +- examples/runner-public/main.tf | 14 +- locals.tf | 4 +- main.tf | 54 +++--- migrations/migrate-to-7-0-0.sh | 39 +++-- variables.tf | 218 +++++++++++-------------- 10 files changed, 170 insertions(+), 195 deletions(-) diff --git a/examples/runner-certificates/main.tf b/examples/runner-certificates/main.tf index c3e19e343..d981251f6 100644 --- a/examples/runner-certificates/main.tf 
+++ b/examples/runner-certificates/main.tf @@ -26,7 +26,7 @@ module "runner" { # General ############################################### - runners_name = var.runner_name + agent_gitlab_runner_name = var.runner_name agent_gitlab_url = var.gitlab_url executor_type = "docker" diff --git a/examples/runner-default/main.tf b/examples/runner-default/main.tf index b4b6d0fc9..381214b27 100644 --- a/examples/runner-default/main.tf +++ b/examples/runner-default/main.tf @@ -51,15 +51,15 @@ module "runner" { vpc_id = module.vpc.vpc_id subnet_id = element(module.vpc.private_subnets, 0) - metrics_autoscaling = ["GroupDesiredCapacity", "GroupInServiceCapacity"] + agent_collect_autoscaling_metrics = ["GroupDesiredCapacity", "GroupInServiceCapacity"] - runners_name = var.runner_name + agent_gitlab_runner_name = var.runner_name agent_gitlab_url = var.gitlab_url agent_enable_ssm_access = true agent_ping_allow_from_security_groups = [data.aws_security_group.default.id] - docker_machine_spot_price_bid = "on-demand-price" + executor_docker_machine_ec2_spot_price_bid = "on-demand-price" agent_gitlab_registration_config = { registration_token = var.registration_token @@ -75,7 +75,7 @@ module "runner" { "tf-aws-gitlab-runner:instancelifecycle" = "spot:yes" } - runners_privileged = "true" + executor_docker_privileged = "true" executor_docker_additional_volumes = ["/certs/client"] executor_docker_volumes_tmpfs = [ diff --git a/examples/runner-docker/main.tf b/examples/runner-docker/main.tf index b66489f8b..74ae51c36 100644 --- a/examples/runner-docker/main.tf +++ b/examples/runner-docker/main.tf @@ -51,7 +51,7 @@ module "runner" { subnet_id = element(module.vpc.public_subnets, 0) executor_type = "docker" - runners_name = var.runner_name + agent_gitlab_runner_name = var.runner_name agent_gitlab_url = var.gitlab_url agent_gitlab_registration_config = { diff --git a/examples/runner-multi-region/main.tf b/examples/runner-multi-region/main.tf index 3f3b301c3..a7df76c5d 100644 
--- a/examples/runner-multi-region/main.tf +++ b/examples/runner-multi-region/main.tf @@ -29,13 +29,13 @@ module "runner_main_region" { vpc_id = module.vpc_main_region.vpc_id subnet_id = element(module.vpc_main_region.public_subnets, 0) - docker_machine_spot_price_bid = "on-demand-price" + executor_docker_machine_ec2_spot_price_bid = "on-demand-price" - runners_name = var.runner_name + agent_gitlab_runner_name = var.runner_name agent_gitlab_url = var.gitlab_url executor_extra_environment_variables = ["KEY=Value", "FOO=bar"] - runners_privileged = "false" + executor_docker_privileged = "false" executor_docker_additional_volumes = ["/var/run/docker.sock:/var/run/docker.sock"] agent_gitlab_registration_config = { @@ -54,8 +54,8 @@ module "runner_main_region" { executor_cache_shared = "true" - executor_cache_bucket_prefix = local.cache_bucket_prefix_main_region - executor_cache_bucket_name_include_account_id = false + executor_cache_s3_bucket_prefix = local.cache_bucket_prefix_main_region + executor_cache_s3_bucket_name_include_account_id = false } module "vpc_alternate_region" { @@ -94,13 +94,13 @@ module "runner_alternate_region" { vpc_id = module.vpc_alternate_region.vpc_id subnet_id = element(module.vpc_alternate_region.public_subnets, 0) - docker_machine_spot_price_bid = "on-demand-price" + executor_docker_machine_ec2_spot_price_bid = "on-demand-price" - runners_name = var.runner_name + agent_gitlab_runner_name = var.runner_name agent_gitlab_url = var.gitlab_url executor_extra_environment_variables = ["KEY=Value", "FOO=bar"] - runners_privileged = "false" + executor_docker_privileged = "false" executor_docker_additional_volumes = ["/var/run/docker.sock:/var/run/docker.sock"] agent_gitlab_registration_config = { 
@@ -120,6 +120,6 @@ module "runner_alternate_region" { executor_cache_shared = "true" - executor_cache_bucket_prefix = local.cache_bucket_prefix_alternate_region - executor_cache_bucket_name_include_account_id = false + executor_cache_s3_bucket_prefix = local.cache_bucket_prefix_alternate_region + executor_cache_s3_bucket_name_include_account_id = false } diff --git a/examples/runner-pre-registered/main.tf b/examples/runner-pre-registered/main.tf index 8301cb8fd..433695ae1 100644 --- a/examples/runner-pre-registered/main.tf +++ b/examples/runner-pre-registered/main.tf @@ -31,9 +31,9 @@ module "runner" { vpc_id = module.vpc.vpc_id subnet_id = element(module.vpc.private_subnets, 0) - runners_name = var.runner_name + agent_gitlab_runner_name = var.runner_name agent_gitlab_url = var.gitlab_url - runners_token = var.runner_token + agent_gitlab_token = var.runner_token # working 9 to 5 :) executor_docker_machine_autoscaling = [ diff --git a/examples/runner-public/main.tf b/examples/runner-public/main.tf index 6c6b0c05c..c63c21b7b 100644 --- a/examples/runner-public/main.tf +++ b/examples/runner-public/main.tf @@ -36,13 +36,13 @@ module "runner" { vpc_id = module.vpc.vpc_id subnet_id = element(module.vpc.public_subnets, 0) - docker_machine_spot_price_bid = "on-demand-price" + executor_docker_machine_ec2_spot_price_bid = "on-demand-price" - runners_name = var.runner_name + agent_gitlab_runner_name = var.runner_name agent_gitlab_url = var.gitlab_url executor_extra_environment_variables = ["KEY=Value", "FOO=bar"] - runners_privileged = "false" + executor_docker_privileged = "false" executor_docker_additional_volumes = ["/var/run/docker.sock:/var/run/docker.sock"] agent_gitlab_registration_config = { @@ -61,7 +61,7 @@ module "runner" { executor_cache_shared = "true" - executor_cache_bucket = { + executor_cache_s3_bucket = { create = false policy = module.cache.policy_arn bucket = module.cache.bucket 
@@ -78,9 +78,9 @@ module "runner2" { vpc_id = module.vpc.vpc_id subnet_id = element(module.vpc.public_subnets, 0) - docker_machine_spot_price_bid = "on-demand-price" + executor_docker_machine_ec2_spot_price_bid = "on-demand-price" - runners_name = var.runner_name + agent_gitlab_runner_name = var.runner_name agent_gitlab_url = var.gitlab_url agent_gitlab_registration_config = { @@ -94,7 +94,7 @@ module "runner2" { executor_cache_shared = "true" - executor_cache_bucket = { + executor_cache_s3_bucket = { create = false policy = module.cache.policy_arn bucket = module.cache.bucket diff --git a/locals.tf b/locals.tf index efda0d6c6..49540f96e 100644 --- a/locals.tf +++ b/locals.tf @@ -46,7 +46,7 @@ locals { # Convert list to a string separated and prepend by a comma docker_machine_options_string = format( - ",\"amazonec2-metadata-token=${var.docker_machine_instance_metadata_options.http_tokens}\", \"amazonec2-metadata-token-response-hop-limit=${var.docker_machine_instance_metadata_options.http_put_response_hop_limit}\",%s", + ",\"amazonec2-metadata-token=${var.executor_docker_machine_ec2_metadata_options.http_tokens}\", \"amazonec2-metadata-token-response-hop-limit=${var.executor_docker_machine_ec2_metadata_options.http_put_response_hop_limit}\",%s", join(",", formatlist("%q", concat(var.executor_docker_machine_ec2_options, local.runners_docker_registry_mirror_option))), ) @@ -82,7 +82,7 @@ locals { /* determines if the docker machine executable adds the Name tag automatically (versions >= 0.16.2) */ # make sure to skip pre-release stuff in the semver by ignoring everything after "-" - docker_machine_version_used = split(".", split("-", var.docker_machine_version)[0]) + docker_machine_version_used = split(".", split("-", var.agent_docker_machine_version)[0]) docker_machine_version_with_name_tag = split(".", "0.16.2") docker_machine_version_test = [ for i, j in reverse(range(length(local.docker_machine_version_used))) 
diff --git a/main.tf b/main.tf index e39176f72..3a0346f21 100644 --- a/main.tf +++ b/main.tf @@ -55,8 +55,8 @@ locals { template_gitlab_runner = templatefile("${path.module}/template/gitlab-runner.tftpl", { gitlab_runner_version = var.agent_gitlab_runner_version - docker_machine_version = var.docker_machine_version - docker_machine_download_url = var.docker_machine_download_url + docker_machine_version = var.agent_docker_machine_version + docker_machine_download_url = var.agent_docker_machine_download_url runners_config = local.template_runner_config runners_userdata = var.executor_docker_machine_userdata runners_executor = var.executor_type @@ -66,7 +66,7 @@ locals { pre_install = var.agent_userdata_pre_install post_install = var.agent_userdata_post_install runners_gitlab_url = var.agent_gitlab_url - runners_token = var.runners_token + runners_token = var.agent_gitlab_token secure_parameter_store_runner_token_key = local.secure_parameter_store_runner_token_key secure_parameter_store_runner_sentry_dsn = local.secure_parameter_store_runner_sentry_dsn secure_parameter_store_region = data.aws_region.current.name 
@@ -90,8 +90,8 @@ locals { runners_vpc_id = var.vpc_id runners_subnet_id = var.subnet_id runners_aws_zone = data.aws_availability_zone.runners.name_suffix - runners_instance_type = var.docker_machine_instance_type - runners_spot_price_bid = var.docker_machine_spot_price_bid == "on-demand-price" || var.docker_machine_spot_price_bid == null ? "" : var.docker_machine_spot_price_bid + runners_instance_type = var.executor_docker_machine_instance_type + runners_spot_price_bid = var.executor_docker_machine_ec2_spot_price_bid == "on-demand-price" || var.executor_docker_machine_ec2_spot_price_bid == null ? "" : var.executor_docker_machine_ec2_spot_price_bid runners_ami = var.executor_type == "docker+machine" ? data.aws_ami.docker-machine[0].id : "" runners_security_group_name = var.executor_type == "docker+machine" ? aws_security_group.docker_machine[0].name : "" runners_monitoring = var.executor_docker_machine_enable_monitoring 
@@ -100,16 +100,16 @@ locals { runners_additional_volumes = local.runners_additional_volumes docker_machine_options = length(local.docker_machine_options_string) == 1 ? "" : local.docker_machine_options_string docker_machine_name = format("%s-%s", local.runner_tags_merged["Name"], "%s") # %s is always needed - runners_name = var.runners_name + runners_name = var.agent_gitlab_runner_name runners_tags = replace(replace(local.runner_tags_string, ",,", ","), "/,$/", "") - runners_token = var.runners_token + runners_token = var.agent_gitlab_token runners_userdata = var.executor_docker_machine_userdata runners_executor = var.executor_type runners_limit = var.executor_max_jobs runners_concurrent = var.agent_maximum_concurrent_jobs - runners_image = var.runners_image - runners_privileged = var.runners_privileged - runners_disable_cache = var.runners_disable_cache + runners_image = var.executor_docker_image + runners_privileged = var.executor_docker_privileged + runners_disable_cache = var.executor_docker_disable_local_cache runners_docker_runtime = var.executor_docker_runtime runners_helper_image = var.executor_docker_helper_image runners_shm_size = var.executor_docker_shm_size @@ -138,7 +138,7 @@ locals { shared_cache = var.executor_cache_shared sentry_dsn = var.agent_sentry_dsn prometheus_listen_address = var.agent_prometheus_listen_address - auth_type = var.auth_type_cache_sr + auth_type = var.executor_cache_s3_authentication_type } ) } @@ -171,7 +171,7 @@ resource "aws_autoscaling_group" "gitlab_runner_instance" { desired_capacity = "1" health_check_grace_period = 0 max_instance_lifetime = var.agent_max_instance_lifetime_seconds - enabled_metrics = var.metrics_autoscaling + enabled_metrics = var.agent_collect_autoscaling_metrics dynamic "tag" { for_each = local.agent_tags 
@@ -254,13 +254,13 @@ resource "aws_launch_template" "gitlab_runner_instance" { enabled = var.agent_enable_monitoring } dynamic "instance_market_options" { - for_each = var.runner_instance_spot_price == null || var.runner_instance_spot_price == "" ? [] : ["spot"] + for_each = var.agent_spot_price == null || var.agent_spot_price == "" ? [] : ["spot"] content { market_type = instance_market_options.value dynamic "spot_options" { - for_each = var.runner_instance_spot_price == "on-demand-price" ? [] : [0] + for_each = var.agent_spot_price == "on-demand-price" ? [] : [0] content { - max_price = var.runner_instance_spot_price + max_price = var.agent_spot_price } } } @@ -297,7 +297,7 @@ resource "aws_launch_template" "gitlab_runner_instance" { tags = local.tags } dynamic "tag_specifications" { - for_each = var.runner_instance_spot_price == null || var.runner_instance_spot_price == "" ? [] : ["spot"] + for_each = var.agent_spot_price == null || var.agent_spot_price == "" ? [] : ["spot"] content { resource_type = "spot-instances-request" tags = local.tags 
@@ -325,25 +325,25 @@ resource "aws_launch_template" "gitlab_runner_instance" { ### Create cache bucket ################################################################################ locals { - bucket_name = var.executor_cache_bucket["create"] ? module.cache[0].bucket : var.executor_cache_bucket["bucket"] - bucket_policy = var.executor_cache_bucket["create"] ? module.cache[0].policy_arn : var.executor_cache_bucket["policy"] + bucket_name = var.executor_cache_s3_bucket["create"] ? module.cache[0].bucket : var.executor_cache_s3_bucket["bucket"] + bucket_policy = var.executor_cache_s3_bucket["create"] ? module.cache[0].policy_arn : var.executor_cache_s3_bucket["policy"] } module "cache" { - count = var.executor_cache_bucket["create"] ? 1 : 0 + count = var.executor_cache_s3_bucket["create"] ? 1 : 0 source = "./modules/cache" environment = var.environment tags = local.tags - cache_bucket_prefix = var.executor_cache_bucket_prefix - cache_bucket_name_include_account_id = var.executor_cache_bucket_name_include_account_id - cache_bucket_set_random_suffix = var.executor_cache_bucket_enable_random_suffix - cache_bucket_versioning = var.executor_cache_enable_versioning - cache_expiration_days = var.executor_cache_expiration_days + cache_bucket_prefix = var.executor_cache_s3_bucket_prefix + cache_bucket_name_include_account_id = var.executor_cache_s3_bucket_name_include_account_id + cache_bucket_set_random_suffix = var.executor_cache_s3_bucket_enable_random_suffix + cache_bucket_versioning = var.executor_cache_s3_enable_versioning + cache_expiration_days = var.executor_cache_s3_expiration_days cache_lifecycle_prefix = var.executor_cache_shared ? "project/" : "runner/" - cache_logging_bucket = var.executor_cache_logging_bucket_id - cache_logging_bucket_prefix = var.executor_cache_logging_bucket_prefix + cache_logging_bucket = var.executor_cache_s3_logging_bucket_id + cache_logging_bucket_prefix = var.executor_cache_s3_logging_bucket_prefix kms_key_id = local.kms_key 
@@ -443,7 +443,7 @@ resource "aws_iam_role_policy_attachment" "docker_machine_cache_instance" { /* If the S3 cache adapter is configured to use an IAM instance profile, the adapter uses the profile attached to the GitLab Runner machine. So do not use aws_iam_role.docker_machine.name here! See https://docs.gitlab.com/runner/configuration/advanced-configuration.html */ - count = var.executor_type == "docker+machine" ? (var.executor_cache_bucket["create"] || lookup(var.executor_cache_bucket, "policy", "") != "" ? 1 : 0) : 0 + count = var.executor_type == "docker+machine" ? (var.executor_cache_s3_bucket["create"] || lookup(var.executor_cache_s3_bucket, "policy", "") != "" ? 1 : 0) : 0 role = var.agent_create_runner_iam_role_profile ? aws_iam_role.instance[0].name : local.aws_iam_role_instance_name policy_arn = local.bucket_policy diff --git a/migrations/migrate-to-7-0-0.sh b/migrations/migrate-to-7-0-0.sh index 3bf2294d3..cca0584fc 100755 --- a/migrations/migrate-to-7-0-0.sh +++ b/migrations/migrate-to-7-0-0.sh 
@@ -82,13 +82,13 @@ sed 's/gitlab_runner_egress_rules/agent_extra_egress_rules/g' | \
 sed 's/gitlab_runner_security_group_ids/agent_ping_allow_from_security_groups/g' | \
 sed 's/gitlab_runner_security_group_description/agent_security_group_description/g' | \
 sed 's/cache_shared/executor_cache_shared/g' | \
-sed 's/cache_expiration_days/executor_cache_expiration_days/g' | \
-sed 's/cache_bucket_versioning/executor_cache_enable_versioning/g' | \
-sed 's/cache_logging_bucket_prefix/executor_cache_logging_bucket_prefix/g' | \
-sed 's/cache_logging_bucket/executor_cache_logging_bucket_id/g' | \
-sed 's/cache_bucket_set_random_suffix/executor_cache_bucket_enable_random_suffix/g' | \
-sed 's/cache_bucket_name_include_account_id/executor_cache_bucket_name_include_account_id/g' | \
-sed 's/cache_bucket_prefix/executor_cache_bucket_prefix/g' | \
+sed 's/cache_expiration_days/executor_cache_s3_expiration_days/g' | \
+sed 's/cache_bucket_versioning/executor_cache_s3_enable_versioning/g' | \
+sed 's/cache_logging_bucket_prefix/executor_cache_s3_logging_bucket_prefix/g' | \
+sed 's/cache_logging_bucket/executor_cache_s3_logging_bucket_id/g' | \
+sed 's/cache_bucket_set_random_suffix/executor_cache_s3_bucket_enable_random_suffix/g' | \
+sed 's/cache_bucket_name_include_account_id/executor_cache_s3_bucket_name_include_account_id/g' | \
+sed 's/cache_bucket_prefix/executor_cache_s3_bucket_prefix/g' | \
 sed 's/runner_agent_uses_private_address/agent_use_private_address/g' | \
 sed 's/runners_use_private_address/executor_docker_machine_use_private_address/g' | \
 sed 's/runners_request_spot_instance/executor_docker_machine_request_spot_instances/g' | \
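Review bot: This group only works because of ordering — the specific `cache_*` names are rewritten here before the bare `cache_bucket` pattern in the `@@ -109,7 +109,7 @@` hunk below, and the new `_s3_` names no longer contain the substring `cache_bucket`, so that later pattern cannot re-match them — but nothing in the script records this. Suggest a comment above the group: `# order matters: rewrite the specific cache_* names first and keep the new names free of the substring "cache_bucket", which is rewritten below`. The pipeline begins and ends outside this hunk.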
@@ -109,7 +109,7 @@ sed 's/log_group_name/agent_cloudwatch_log_group_name/g' | \
 sed 's/asg_max_instance_lifetime/agent_max_instance_lifetime_seconds/g' | \
 sed 's/asg_delete_timeout/agent_terraform_timeout_delete_asg/g' | \
 sed 's/enable_docker_machine_ssm_access/executor_enable_ssm_access/g' | \
-sed 's/cache_bucket/executor_cache_bucket/g' | \
+sed 's/cache_bucket/executor_cache_s3_bucket/g' | \
 sed 's/docker_machine_security_group_description//g' | \
 sed 's/docker_machine_options/executor_docker_machine_ec2_options/g' | \
 sed 's/runners_iam_instance_profile_name/executor_docker_machine_iam_instance_profile_name/g' | \
@@ -132,16 +132,19 @@ sed 's/runners_shm_size/executor_docker_shm_size/g' | \
 sed 's/runners_extra_hosts/executor_docker_extra_hosts/g' | \
 sed 's/runners_additional_volumes/executor_docker_additional_volumes/g' | \
 sed 's/runners_add_dind_volumes/executor_docker_add_dind_volumes/g' | \
-sed 's///g' | \
-sed 's///g' | \
-sed 's///g' | \
-sed 's///g' | \
-sed 's///g' | \
-sed 's///g' | \
-sed 's///g' | \
-sed 's///g' | \
-sed 's///g' | \
-
+sed 's/runners_disable_cache/executor_docker_disable_local_cache/g' | \
+sed 's/runners_privileged/executor_docker_privileged/g' | \
+sed 's/runners_image/executor_docker_image/g' | \
+sed 's/runners_token/agent_gitlab_token/g' | \
+sed 's/runners_name/agent_gitlab_runner_name/g' | \
+sed 's/docker_machine_version/agent_docker_machine_version/g' | \
+sed 's/docker_machine_download_url/agent_docker_machine_download_url/g' | \
+sed 's/docker_machine_spot_price_bid/executor_docker_machine_ec2_spot_price_bid/g' | \
+sed 's/docker_machine_instance_type/executor_docker_machine_instance_type/g' | \
+sed 's/docker_machine_instance_metadata_options/executor_docker_machine_ec2_metadata_options/g' | \
+sed 's/runner_instance_spot_price/agent_spot_price/g' | \
+sed 's/metrics_autoscaling/agent_collect_autoscaling_metrics/g' | \
+sed 's/auth_type_cache_sr/executor_cache_s3_authentication_type/g' \
 > "$converted_file.tmp" && mv "$converted_file.tmp" "$converted_file"
 # overrides block
diff --git a/variables.tf b/variables.tf
index 3628c7270..e5554454f 100644
--- a/variables.tf
+++ b/variables.tf
@@ -91,6 +91,12 @@ variable "agent_extra_instance_tags" {
 default = {}
 }
 
+variable "agent_spot_price" {
+ description = "By setting a spot price bid price the runner agent will be created via a spot request. Be aware that spot instances can be stopped by AWS. Choose \"on-demand-price\" to pay up to the current on demand price for the instance type chosen."
+ type = string
+ default = null
+}
+
 variable "agent_ebs_optimized" {
 description = "Enable the Agent instance to be EBS-optimized."
 type = bool
@@ -124,6 +130,12 @@ variable "agent_enable_monitoring" {
 default = true
 }
 
+variable "agent_collect_autoscaling_metrics" {
+ description = "A list of metrics to collect. The allowed values are GroupDesiredCapacity, GroupInServiceCapacity, GroupPendingCapacity, GroupMinSize, GroupMaxSize, GroupInServiceInstances, GroupPendingInstances, GroupStandbyInstances, GroupStandbyCapacity, GroupTerminatingCapacity, GroupTerminatingInstances, GroupTotalCapacity, GroupTotalInstances."
+ type = list(string)
+ default = null
+}
+
 variable "agent_ping_enable" {
 description = "Allow ICMP Ping to the Agent. Specify `agent_ping_allowed_from_security_groups` too!"
 type = bool
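Review bot: `agent_collect_autoscaling_metrics` in the second hunk enumerates its allowed values only in the description, so a misspelt metric name is not caught until the apply fails; a `validation` block rejects it at plan time while keeping `null` as the default. `agent_spot_price` in the first hunk would benefit from the same if only `"on-demand-price"` or a numeric bid is accepted, though the set of valid values is not visible here.
```hcl
variable "agent_collect_autoscaling_metrics" {
  # … unchanged: description, type, default …

  validation {
    condition = alltrue([
      for m in coalesce(var.agent_collect_autoscaling_metrics, []) :
      contains([
        "GroupDesiredCapacity", "GroupInServiceCapacity", "GroupPendingCapacity", "GroupMinSize",
        "GroupMaxSize", "GroupInServiceInstances", "GroupPendingInstances", "GroupStandbyInstances",
        "GroupStandbyCapacity", "GroupTerminatingCapacity", "GroupTerminatingInstances",
        "GroupTotalCapacity", "GroupTotalInstances"
      ], m)
    ])
    error_message = "agent_collect_autoscaling_metrics contains a metric name that is not an ASG group metric."
  }
}
```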
@@ -287,6 +299,18 @@ variable "agent_install_amazon_ecr_credential_helper" {
 default = false
 }
 
+variable "agent_docker_machine_version" {
+ description = "By default docker_machine_download_url is used to set the docker machine version. This version will be ignored once `docker_machine_download_url` is set. The version number is maintained by the CKI project. Check out at https://gitlab.com/cki-project/docker-machine/-/releases"
+ type = string
+ default = "0.16.2-gitlab.19-cki.2"
+}
+
+variable "agent_docker_machine_download_url" {
+ description = "(Optional) By default the module will use `docker_machine_version` to download the CKI maintained version (https://gitlab.com/cki-project/docker-machine) of Docker Machine. Alternative you can set this property to download location of the distribution of for the OS. See also https://docs.gitlab.com/runner/executors/docker_machine.html#install"
+ type = string
+ default = ""
+}
+
 variable "agent_yum_update" {
 description = "Run a `yum` update as part of starting the Agent"
 type = bool
@@ -335,6 +359,11 @@ variable "agent_cloudwatch_log_group_name" {
 type = string
 }
 
+variable "agent_gitlab_runner_name" {
+ description = "Name of the Gitlab Runner."
+ type = string
+}
+
 variable "agent_gitlab_runner_version" {
 description = "Version of the [GitLab runner](https://gitlab.com/gitlab-org/gitlab-runner/-/releases)."
 type = string
@@ -391,6 +420,12 @@ variable "agent_gitlab_clone_url" {
 default = ""
 }
 
+variable "agent_gitlab_token" {
+ description = "Token for the Agent to connect to GitLab"
+ type = string
+ default = "__REPLACED_BY_USER_DATA__"
+}
+
 variable "agent_maximum_concurrent_jobs" {
 description = "The maximum number of jobs which can be processed by all executors at the same time."
 type = number
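Review bot: The descriptions of the two variables added in the first hunk still use the pre-rename names: `agent_docker_machine_version` says "By default docker_machine_download_url is used …" and refers to `docker_machine_download_url`, and `agent_docker_machine_download_url` refers to `docker_machine_version`, although this same series renames both to the `agent_` prefix (see the migration script's `sed` rules). The first sentence is also backwards, since the version is the default and the URL the override; suggested wording: `description = "Version of Docker Machine to download from the CKI project (https://gitlab.com/cki-project/docker-machine/-/releases). Ignored once \`agent_docker_machine_download_url\` is set."`, and in the URL variable replace `docker_machine_version` with `agent_docker_machine_version`.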
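Review bot: `agent_gitlab_token` in the third hunk is a credential but is not declared `sensitive = true`, so any value a caller passes is printed in clear in plan and apply output. Adding `sensitive = true` after `default = "__REPLACED_BY_USER_DATA__"` redacts it from that output; it is still written to state, which the description should say so that callers protect the state backend accordingly. The placeholder default presumably means the token is injected via user data unless overridden — the description would be clearer if it said when a caller is expected to set this at all.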
@@ -483,7 +518,13 @@ variable "executor_extra_environment_variables" {
 default = []
 }
 
-variable "executor_cache_bucket" {
+variable "executor_cache_shared" {
+ description = "Enables cache sharing between runners. `false` by default."
+ type = bool
+ default = false
+}
+
+variable "executor_cache_s3_bucket" {
 description = <<-EOT
 Configuration to control the creation of the cache bucket. By default the bucket will be created and used as shared
 cache. To use the same cache across multiple runners disable the creation of the cache and provide a policy and
@@ -497,49 +538,49 @@ variable "executor_cache_s3_bucket" {
 }
 }
 
-variable "executor_cache_shared" {
- description = "Enables cache sharing between runners. `false` by default."
- type = bool
- default = false
+variable "executor_cache_s3_authentication_type" {
+ description = "A string that declares the AuthenticationType for [runners.cache.s3]. Can either be 'iam' or 'credentials'"
+ type = string
+ default = "iam"
 }
 
-variable "executor_cache_expiration_days" {
+variable "executor_cache_s3_expiration_days" {
 description = "Number of days before cache objects expire."
 type = number
 default = 1
 }
 
-variable "executor_cache_enable_versioning" {
+variable "executor_cache_s3_enable_versioning" {
 description = "Boolean used to enable versioning on the cache bucket, false by default."
 type = bool
 default = false
 }
 
-variable "executor_cache_bucket_prefix" {
+variable "executor_cache_s3_bucket_prefix" {
 description = "Prefix for s3 cache bucket name."
 type = string
 default = ""
 }
 
-variable "executor_cache_bucket_name_include_account_id" {
+variable "executor_cache_s3_bucket_name_include_account_id" {
 description = "Boolean to add current account ID to cache bucket name."
 type = bool
 default = true
 }
 
-variable "executor_cache_bucket_enable_random_suffix" {
+variable "executor_cache_s3_bucket_enable_random_suffix" {
 description = "Append the cache bucket name with a random string suffix"
 type = bool
 default = false
 }
 
-variable "executor_cache_logging_bucket_id" {
+variable "executor_cache_s3_logging_bucket_id" {
 type = string
 description = "S3 Bucket ID where the access logs to the cache bucket are stored."
 default = null
 }
 
-variable "executor_cache_logging_bucket_prefix" {
+variable "executor_cache_s3_logging_bucket_prefix" {
 type = string
 description = "Prefix within the `executor_cache_logging_bucket_name`."
 default = null
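Review bot: The description of `executor_cache_s3_logging_bucket_prefix`, the last variable in the hunk, still refers to `executor_cache_logging_bucket_name`, a name that exists neither before nor after this rename; it should read `description = "Prefix within the \`executor_cache_s3_logging_bucket_id\`."`. Separately, `executor_cache_s3_authentication_type` at the top of the hunk documents its two accepted values but does not enforce them, so a typo only surfaces in the generated runner config; a validation block catches it at plan time.
```hcl
variable "executor_cache_s3_authentication_type" {
  # … unchanged: description, type, default …

  validation {
    condition     = contains(["iam", "credentials"], var.executor_cache_s3_authentication_type)
    error_message = "executor_cache_s3_authentication_type must be 'iam' or 'credentials'."
  }
}
```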
@@ -613,6 +654,18 @@ variable "executor_docker_runtime" {
 default = ""
 }
 
+variable "executor_docker_privileged" {
+ description = "Executor will run in privileged mode"
+ type = bool
+ default = true
+}
+
+variable "executor_docker_image" {
+ description = "Image to run builds"
+ type = string
+ default = "docker:18.03.1-ce"
+}
+
 variable "executor_docker_helper_image" {
 description = "Overrides the default helper image used to clone repos and upload artifacts"
 type = string
@@ -625,6 +678,12 @@ variable "executor_docker_pull_policies" {
 default = ["always"]
 }
 
+variable "executor_docker_disable_local_cache" {
+ description = "Runners will not use local cache"
+ type = bool
+ default = false
+}
+
 variable "executor_docker_additional_volumes" {
 description = "Additional volumes that will be used in the Executor, e.g Docker socket"
 type = list(any)
@@ -641,6 +700,12 @@ variable "executor_docker_add_dind_volumes" {
 * docker+machine Executor variables. The executor is the actual machine that runs the job. Please specify the
 * `executor_docker_*` variables as well as Docker is used on the docker+machine executor.
 */
+variable "executor_docker_machine_instance_type" {
+ description = "Instance type used for the instances hosting docker-machine."
+ type = string
+ default = "m5.large"
+}
+
 variable "executor_docker_machine_extra_role_tags" {
 description = "Map of tags that will be added to runner EC2 instances."
 type = map(string)
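Review bot: `executor_docker_privileged` in the first hunk defaults to `true` while its description, `"Executor will run in privileged mode"`, says nothing about what that grants; a privileged job container gets the host's devices and kernel capabilities, so a caller who does not need docker-in-docker should be told to switch it off. Suggested wording: `description = "Run job containers in Docker privileged mode (full access to the host's devices and capabilities). Required for docker-in-docker builds; set to false otherwise."`. The `executor_docker_image` default `docker:18.03.1-ce` in the same hunk is a 2018 tag; either pin a current one or say in the description that callers are expected to override it.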
@@ -773,6 +838,12 @@ variable "executor_docker_machine_ec2_ebs_optimized" {
 default = true
 }
 
+variable "executor_docker_machine_ec2_spot_price_bid" {
+ description = "Spot price bid. The maximum price willing to pay. By default the price is limited by the current on demand price for the instance type chosen."
+ type = string
+ default = "on-demand-price"
+}
+
 variable "executor_docker_machine_ec2_options" {
 # cspell:ignore amazonec
 description = "List of additional options for the docker+machine config. Each element of this list must be a key=value pair. E.g. '[\"amazonec2-zone=a\"]'"
@@ -780,6 +851,18 @@ variable "executor_docker_machine_ec2_options" {
 default = []
 }
 
+variable "executor_docker_machine_ec2_metadata_options" {
+ description = "Enable the docker machine instances metadata service. Requires you use GitLab maintained docker machines."
+ type = object({
+ http_tokens = string
+ http_put_response_hop_limit = number
+ })
+ default = {
+ http_tokens = "required"
+ http_put_response_hop_limit = 2
+ }
+}
+
 variable "executor_docker_machine_autoscaling" {
 description = "Set autoscaling parameters based on periods, see https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-runnersmachine-section"
 type = list(object({
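Review bot: `executor_docker_machine_ec2_metadata_options` in the second hunk accepts any string for `http_tokens`, although EC2 only understands `required` and `optional`, and its description does not say that the hop limit of `2` is what lets job containers on the docker-machine instance reach IMDS and therefore the instance role's credentials, whereas `1` typically confines IMDS to the host. Callers tuning these values should see both points; a validation block catches the typo at plan time and the description can carry the hop-limit note.
```hcl
variable "executor_docker_machine_ec2_metadata_options" {
  description = "Instance metadata service (IMDS) options for the docker-machine instances. http_tokens = \"required\" enforces IMDSv2. A hop limit of 2 lets containers on the instance reach IMDS (and the instance role's credentials); 1 restricts it to the host. Requires the GitLab maintained docker-machine."
  # … unchanged: type, default …

  validation {
    condition     = contains(["required", "optional"], var.executor_docker_machine_ec2_metadata_options.http_tokens)
    error_message = "http_tokens must be \"required\" or \"optional\"."
  }
}
```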
@@ -802,114 +885,3 @@ variable "executor_docker_machine_docker_registry_mirror_url" {
 type = string
 default = ""
 }
-
-
-
-
-
-
-# agent
-variable "auth_type_cache_sr" {
- description = "A string that declares the AuthenticationType for [runners.cache.s3]. Can either be 'iam' or 'credentials'"
- type = string
- default = "iam"
-}
-
-
-# agent
-variable "metrics_autoscaling" {
- description = "A list of metrics to collect. The allowed values are GroupDesiredCapacity, GroupInServiceCapacity, GroupPendingCapacity, GroupMinSize, GroupMaxSize, GroupInServiceInstances, GroupPendingInstances, GroupStandbyInstances, GroupStandbyCapacity, GroupTerminatingCapacity, GroupTerminatingInstances, GroupTotalCapacity, GroupTotalInstances."
- type = list(string)
- default = null
-}
-
-# agent
-variable "runner_instance_spot_price" {
- description = "By setting a spot price bid price the runner agent will be created via a spot request. Be aware that spot instances can be stopped by AWS. Choose \"on-demand-price\" to pay up to the current on demand price for the instance type chosen."
- type = string
- default = null
-}
-
-
-# executor
-variable "docker_machine_instance_metadata_options" {
- description = "Enable the docker machine instances metadata service. Requires you use GitLab maintained docker machines."
- type = object({
- http_tokens = string
- http_put_response_hop_limit = number
- })
- default = {
- http_tokens = "required"
- http_put_response_hop_limit = 2
- }
-}
-
-# executor
-variable "docker_machine_instance_type" {
- description = "Instance type used for the instances hosting docker-machine."
- type = string
- default = "m5.large"
-}
-
-# executor
-variable "docker_machine_spot_price_bid" {
- description = "Spot price bid. The maximum price willing to pay. By default the price is limited by the current on demand price for the instance type chosen."
- type = string
- default = "on-demand-price"
-}
-
-# executor
-variable "docker_machine_download_url" {
- description = "(Optional) By default the module will use `docker_machine_version` to download the CKI maintained version (https://gitlab.com/cki-project/docker-machine) of Docker Machine. Alternative you can set this property to download location of the distribution of for the OS. See also https://docs.gitlab.com/runner/executors/docker_machine.html#install"
- type = string
- default = ""
-}
-
-# executor
-variable "docker_machine_version" {
- description = "By default docker_machine_download_url is used to set the docker machine version. This version will be ignored once `docker_machine_download_url` is set. The version number is maintained by the CKI project. Check out at https://gitlab.com/cki-project/docker-machine/-/releases"
- type = string
- default = "0.16.2-gitlab.19-cki.2"
-}
-
-# agent
-variable "runners_name" {
- description = "Name of the runner, will be used in the runner config.toml."
- type = string
-}
-
-
-
-
-
-
-# agent
-variable "runners_token" {
- description = "Token for the runner, will be used in the runner config.toml."
- type = string
- default = "__REPLACED_BY_USER_DATA__"
-}
-
-
-# executor
-variable "runners_image" {
- description = "Image to run builds, will be used in the runner config.toml"
- type = string
- default = "docker:18.03.1-ce"
-}
-
-# executor
-variable "runners_privileged" {
- description = "Runners will run in privileged mode, will be used in the runner config.toml"
- type = bool
- default = true
-}
-
-# executor
-variable "runners_disable_cache" {
- description = "Runners will not use local cache, will be used in the runner config.toml"
- type = bool
- default = false
-}
-
-
From dd58916c0cb2a4c3b5d64507249e4f5e3d39a3d5 Mon Sep 17 00:00:00 2001
From: kayma
Date: Thu, 23 Mar 2023 15:31:35 +0100
Subject: [PATCH 12/74] fix syntax error
---
 variables.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/variables.tf b/variables.tf
index e5554454f..f72836a12 100644
--- a/variables.tf
+++ b/variables.tf
@@ -530,7 +530,7 @@ variable "executor_cache_s3_bucket" {
 cache. To use the same cache across multiple runners disable the creation of the cache and provide a policy and
 bucket name. See the public runner example for more details."
 EOT
- type = map({ create = bool, policy = string, bucket = string })
+ type = map(any)
 default = {
 create = true
 policy = ""
From 05345cfafd73dec56bb1587fedb745ff848b191f Mon Sep 17 00:00:00 2001
From: kayma
Date: Thu, 23 Mar 2023 15:39:39 +0100
Subject: [PATCH 13/74] format code
---
 examples/runner-certificates/main.tf | 4 ++--
 examples/runner-default/main.tf | 12 ++++++------
 examples/runner-docker/main.tf | 6 +++---
 examples/runner-multi-region/main.tf | 8 ++++----
 examples/runner-pre-registered/main.tf | 6 +++---
 examples/runner-public/main.tf | 8 ++++----
 6 files changed, 22 insertions(+), 22 deletions(-)
diff --git a/examples/runner-certificates/main.tf b/examples/runner-certificates/main.tf
index d981251f6..5223d3df4 100644
--- a/examples/runner-certificates/main.tf
+++ b/examples/runner-certificates/main.tf
@@ -26,8 +26,8 @@ module "runner" {
 # General
 ###############################################
- agent_gitlab_runner_name = var.runner_name
- agent_gitlab_url = var.gitlab_url
+ agent_gitlab_runner_name = var.runner_name
+ agent_gitlab_url = var.gitlab_url
 executor_type = "docker"
diff --git a/examples/runner-default/main.tf b/examples/runner-default/main.tf
index 381214b27..2f6240868 100644
--- a/examples/runner-default/main.tf
+++ b/examples/runner-default/main.tf
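Review bot: `type = map(any)` on the `+` line fixes the syntax error but discards the structure the variable actually has: the default a few lines down is an object with a `bool` `create`, a `string` `policy` and a `bucket`, and `map(any)` makes Terraform unify all values to one element type, so `create = true` will presumably be coerced to a string. `type = object({ create = bool, policy = string, bucket = string })` expresses the intended shape, keeps `create` a bool and rejects unknown keys. The variable block starts before this hunk.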
@@ -49,13 +49,13 @@ module "runner" { environment = var.environment - vpc_id = module.vpc.vpc_id - subnet_id = element(module.vpc.private_subnets, 0) + vpc_id = module.vpc.vpc_id + subnet_id = element(module.vpc.private_subnets, 0) agent_collect_autoscaling_metrics = ["GroupDesiredCapacity", "GroupInServiceCapacity"] - agent_gitlab_runner_name = var.runner_name - agent_gitlab_url = var.gitlab_url - agent_enable_ssm_access = true + agent_gitlab_runner_name = var.runner_name + agent_gitlab_url = var.gitlab_url + agent_enable_ssm_access = true agent_ping_allow_from_security_groups = [data.aws_security_group.default.id] @@ -75,7 +75,7 @@ module "runner" { "tf-aws-gitlab-runner:instancelifecycle" = "spot:yes" } - executor_docker_privileged = "true" + executor_docker_privileged = "true" executor_docker_additional_volumes = ["/certs/client"] executor_docker_volumes_tmpfs = [ diff --git a/examples/runner-docker/main.tf b/examples/runner-docker/main.tf index 74ae51c36..7faff67bd 100644 --- a/examples/runner-docker/main.tf +++ b/examples/runner-docker/main.tf @@ -50,9 +50,9 @@ module "runner" { vpc_id = module.vpc.vpc_id subnet_id = element(module.vpc.public_subnets, 0) - executor_type = "docker" - agent_gitlab_runner_name = var.runner_name - agent_gitlab_url = var.gitlab_url + executor_type = "docker" + agent_gitlab_runner_name = var.runner_name + agent_gitlab_url = var.gitlab_url agent_gitlab_registration_config = { registration_token = var.registration_token diff --git a/examples/runner-multi-region/main.tf b/examples/runner-multi-region/main.tf index a7df76c5d..fd1ef74e0 100644 --- a/examples/runner-multi-region/main.tf +++ b/examples/runner-multi-region/main.tf 
@@ -31,11 +31,11 @@ module "runner_main_region" { executor_docker_machine_ec2_spot_price_bid = "on-demand-price" - agent_gitlab_runner_name = var.runner_name + agent_gitlab_runner_name = var.runner_name agent_gitlab_url = var.gitlab_url executor_extra_environment_variables = ["KEY=Value", "FOO=bar"] - executor_docker_privileged = "false" + executor_docker_privileged = "false" executor_docker_additional_volumes = ["/var/run/docker.sock:/var/run/docker.sock"] agent_gitlab_registration_config = { @@ -96,11 +96,11 @@ module "runner_alternate_region" { executor_docker_machine_ec2_spot_price_bid = "on-demand-price" - agent_gitlab_runner_name = var.runner_name + agent_gitlab_runner_name = var.runner_name agent_gitlab_url = var.gitlab_url executor_extra_environment_variables = ["KEY=Value", "FOO=bar"] - executor_docker_privileged = "false" + executor_docker_privileged = "false" executor_docker_additional_volumes = ["/var/run/docker.sock:/var/run/docker.sock"] agent_gitlab_registration_config = { diff --git a/examples/runner-pre-registered/main.tf b/examples/runner-pre-registered/main.tf index 433695ae1..642aaeda8 100644 --- a/examples/runner-pre-registered/main.tf +++ b/examples/runner-pre-registered/main.tf @@ -31,9 +31,9 @@ module "runner" { vpc_id = module.vpc.vpc_id subnet_id = element(module.vpc.private_subnets, 0) - agent_gitlab_runner_name = var.runner_name - agent_gitlab_url = var.gitlab_url - agent_gitlab_token = var.runner_token + agent_gitlab_runner_name = var.runner_name + agent_gitlab_url = var.gitlab_url + agent_gitlab_token = var.runner_token # working 9 to 5 :) executor_docker_machine_autoscaling = [ diff --git a/examples/runner-public/main.tf b/examples/runner-public/main.tf index c63c21b7b..2b6c7ae89 100644 --- a/examples/runner-public/main.tf +++ b/examples/runner-public/main.tf 
@@ -38,11 +38,11 @@ module "runner" { executor_docker_machine_ec2_spot_price_bid = "on-demand-price" - agent_gitlab_runner_name = var.runner_name + agent_gitlab_runner_name = var.runner_name agent_gitlab_url = var.gitlab_url executor_extra_environment_variables = ["KEY=Value", "FOO=bar"] - executor_docker_privileged = "false" + executor_docker_privileged = "false" executor_docker_additional_volumes = ["/var/run/docker.sock:/var/run/docker.sock"] agent_gitlab_registration_config = { @@ -80,8 +80,8 @@ module "runner2" { executor_docker_machine_ec2_spot_price_bid = "on-demand-price" - agent_gitlab_runner_name = var.runner_name - agent_gitlab_url = var.gitlab_url + agent_gitlab_runner_name = var.runner_name + agent_gitlab_url = var.gitlab_url agent_gitlab_registration_config = { registration_token = var.registration_token From 4f73a4433f33f49774df4447c3538fbcad81b160 Mon Sep 17 00:00:00 2001 From: Tyrone Meijn Date: Thu, 2 Mar 2023 09:25:58 +0100 Subject: [PATCH 14/74] fix!: remove deprecated pull policy variable (#710) ## Description Removes the earlier deprecated `runners_pull_policy` variable. Since were making a Major release I thought this one was nice to catch. ## Migrations required YES. Replace the `runners_pull_policy` by `runners_pull_policies`. --- README.md | 1 - locals.tf | 2 +- variables.tf | 6 ------ 3 files changed, 1 insertion(+), 8 deletions(-) diff --git a/README.md b/README.md index a659dcc33..e98843706 100644 --- a/README.md +++ b/README.md 
@@ -614,7 +614,6 @@ Made with [contributors-img](https://contrib.rocks).
 | [runners\_pre\_clone\_script](#input\_runners\_pre\_clone\_script) | Commands to be executed on the Runner before cloning the Git repository. this can be used to adjust the Git client configuration first, for example. | `string` | `"\"\""` | no |
 | [runners\_privileged](#input\_runners\_privileged) | Runners will run in privileged mode, will be used in the runner config.toml | `bool` | `true` | no |
 | [runners\_pull\_policies](#input\_runners\_pull\_policies) | pull policies for the runners, will be used in the runner config.toml, for Gitlab Runner >= 13.8, see https://docs.gitlab.com/runner/executors/docker.html#using-multiple-pull-policies | `list(string)` |
[
"always"
]
| no |
-| [runners\_pull\_policy](#input\_runners\_pull\_policy) | Deprecated! Use runners\_pull\_policies instead. pull\_policy for the runners, will be used in the runner config.toml | `string` | `""` | no |
 | [runners\_request\_concurrency](#input\_runners\_request\_concurrency) | Limit number of concurrent requests for new jobs from GitLab (default 1). | `number` | `1` | no |
 | [runners\_request\_spot\_instance](#input\_runners\_request\_spot\_instance) | Whether or not to request spot instances via docker-machine | `bool` | `true` | no |
 | [runners\_root\_size](#input\_runners\_root\_size) | Runner instance root size in GB. | `number` | `16` | no |
diff --git a/locals.tf b/locals.tf
index d7126f554..58122f219 100644
--- a/locals.tf
+++ b/locals.tf
@@ -78,7 +78,7 @@ locals {
 }
 )
 
- runners_pull_policies = var.runners_pull_policy != "" ? "[\"${var.runners_pull_policy}\"]" : "[\"${join("\",\"", var.runners_pull_policies)}\"]"
+ runners_pull_policies = "[\"${join("\",\"", var.runners_pull_policies)}\"]"
 /* determines if the docker machine executable adds the Name tag automatically (versions >= 0.16.2) */
 # make sure to skip pre-release stuff in the semver by ignoring everything after "-"
diff --git a/variables.tf b/variables.tf
index 3c586597c..cb53182f3 100644
--- a/variables.tf
+++ b/variables.tf
@@ -248,12 +248,6 @@ variable "runners_helper_image" {
 default = ""
 }
 
-variable "runners_pull_policy" {
- description = "Deprecated! Use runners_pull_policies instead. pull_policy for the runners, will be used in the runner config.toml"
- type = string
- default = ""
-}
-
 variable "runners_pull_policies" {
 description = "pull policies for the runners, will be used in the runner config.toml, for Gitlab Runner >= 13.8, see https://docs.gitlab.com/runner/executors/docker.html#using-multiple-pull-policies "
 type = list(string)
From c78907af5b7bedf2fc999f8d50c2ae94c039c6a6 Mon Sep 17 00:00:00 2001
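Review bot: The new `runners_pull_policies` line in the locals.tf hunk still builds the TOML array by string concatenation, so a policy value containing a double quote or a backslash would produce a broken runner config; `runners_pull_policies = jsonencode(var.runners_pull_policies)` yields the same `["always"]` for ordinary values and escapes anything else. The variables.tf hunk below it is a pure deletion.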
From: Matthias Kay
Date: Thu, 16 Mar 2023 22:59:43 +0100
Subject: [PATCH 15/74] chore!: remove deprecated variables (#738) ## Description This PR removes all variables which are marked as deprecated. - `arn_format` - `subnet_id_runners` - `subnet_ids_gitlab_runner` - `asg_terminate_lifecycle_hook_create` - `asg_terminate_lifecycle_hook_heartbeat_timeout` - `asg_terminate_lifecycle_lambda_memory_size` - `asg_terminate_lifecycle_lambda_runtime` - `asg_terminate_lifecycle_lambda_timeout` ## Migrations required Yes. Remove the variables from your configuration. This is done automatically by the migration script. ## Verification None. --------- Co-authored-by: Tyrone Meijn
---
 .cspell.json | 2 +
 README.md | 2 +
 examples/runner-public/main.tf | 7 +-
 main.tf | 7 ++-
 migrations/migrate-to-7-0-0.sh | 25 +++++++++
 modules/terminate-agent-hook/variables.tf | 6 ---
 variables.tf | 64 -----------------------
 7 files changed, 36 insertions(+), 77 deletions(-)
 create mode 100755 migrations/migrate-to-7-0-0.sh
diff --git a/.cspell.json b/.cspell.json
index 8a67886ec..d4f21e267 100644
--- a/.cspell.json
+++ b/.cspell.json
@@ -4,6 +4,7 @@
 "words": [
 "amazonec",
 "amannn",
+ "amazonec",
 "anytrue",
 "aquasecurity",
 "awscli",
@@ -32,6 +33,7 @@
 "tflint",
 "tftpl",
 "tfsec",
+ "tftpl",
 "tfvars",
 "tmpfs",
 "trivy",
diff --git a/README.md b/README.md
index e98843706..c9c7a8d39 100644
--- a/README.md
+++ b/README.md
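Review bot: Both `+` lines in the .cspell.json hunks add a word that is already in the list: `"amazonec"` is inserted two lines below an existing `"amazonec"`, and `"tftpl"` two lines below an existing `"tftpl"`. Drop both additions; the commit message does not mention the spell-check dictionary, so this looks like a leftover from a rebase of the series.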
@@ -1,6 +1,8 @@ + [![Terraform registry](https://img.shields.io/github/v/release/cattle-ops/terraform-aws-gitlab-runner?label=Terraform%20Registry)](https://registry.terraform.io/modules/cattle-ops/gitlab-runner/aws/) [![Gitter](https://badges.gitter.im/terraform-aws-gitlab-runner/Lobby.svg)](https://gitter.im/terraform-aws-gitlab-runner/Lobby?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge) [![Actions](https://github.com/cattle-ops/terraform-aws-gitlab-runner/workflows/CI/badge.svg)](https://github.com/cattle-ops/terraform-aws-gitlab-runner/actions) + # Terraform module for GitLab auto scaling runners on AWS spot instances
diff --git a/examples/runner-public/main.tf b/examples/runner-public/main.tf
index 5f2b6392c..28b9b80c0 100644
--- a/examples/runner-public/main.tf
+++ b/examples/runner-public/main.tf
@@ -2,6 +2,8 @@ data "aws_availability_zones" "available" {
 state = "available"
 }
 
+# Every VPC resource should have an associated Flow Log: This is an example only. No flow logs are created.
+# kics-scan ignore-line
 module "vpc" {
 source = "terraform-aws-modules/vpc/aws"
 version = "3.19.0"
@@ -77,9 +79,8 @@ module "runner2" {
 runners_use_private_address = false
- vpc_id = module.vpc.vpc_id
- subnet_ids_gitlab_runner = module.vpc.public_subnets
- subnet_id_runners = element(module.vpc.public_subnets, 0)
+ vpc_id = module.vpc.vpc_id
+ subnet_id = element(module.vpc.public_subnets, 0)
 docker_machine_spot_price_bid = "on-demand-price"
diff --git a/main.tf b/main.tf
index a15a1ebe1..a130b656e 100644
--- a/main.tf
+++ b/main.tf
@@ -2,7 +2,7 @@ data "aws_caller_identity" "current" {}
 data "aws_partition" "current" {}
 data "aws_subnet" "runners" {
- id = length(var.subnet_id) > 0 ? var.subnet_id : var.subnet_id_runners
+ id = var.subnet_id
 }
 data "aws_availability_zone" "runners" {
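Review bot: `id = var.subnet_id` in the main.tf hunk removes the fallback to `subnet_id_runners`, so whatever `var.subnet_id` holds now goes straight into the `aws_subnet` data source; if that variable still carries a default of `""` (its declaration is not in this diff), a caller who never set it gets a failing lookup instead of a clear message. Either drop the default so Terraform requires the value, or add a `validation` block on `subnet_id` with `condition = length(var.subnet_id) > 0` and a message naming the variable. The same applies to `runners_subnet_id` and `vpc_zone_identifier` in the following main.tf hunks, which now rely on the same value.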
@@ -87,7 +87,7 @@ locals {
 tls_ca_file = length(var.runners_gitlab_certificate) > 0 ? "tls-ca-file=\"/etc/gitlab-runner/certs/gitlab.crt\"" : ""
 runners_extra_hosts = var.runners_extra_hosts
 runners_vpc_id = var.vpc_id
- runners_subnet_id = length(var.subnet_id) > 0 ? var.subnet_id : var.subnet_id_runners
+ runners_subnet_id = var.subnet_id
 runners_aws_zone = data.aws_availability_zone.runners.name_suffix
 runners_instance_type = var.docker_machine_instance_type
 runners_spot_price_bid = var.docker_machine_spot_price_bid == "on-demand-price" || var.docker_machine_spot_price_bid == null ? "" : var.docker_machine_spot_price_bid
@@ -163,7 +163,7 @@ data "aws_ami" "docker-machine" {
 # kics-scan ignore-line
 resource "aws_autoscaling_group" "gitlab_runner_instance" {
 name = var.enable_asg_recreation ? "${aws_launch_template.gitlab_runner_instance.name}-asg" : "${var.environment}-as-group"
- vpc_zone_identifier = length(var.subnet_id) > 0 ? [var.subnet_id] : var.subnet_ids_gitlab_runner
+ vpc_zone_identifier = [var.subnet_id]
 min_size = "1"
 max_size = "1"
 desired_capacity = "1"
@@ -565,7 +565,6 @@ module "terminate_agent_hook" {
 name_docker_machine_runners = local.runner_tags_merged["Name"]
 role_permissions_boundary = var.permissions_boundary == "" ? null : "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:policy/${var.permissions_boundary}"
 kms_key_id = local.kms_key
- arn_format = var.arn_format
 tags = local.tags
 }
 
diff --git a/migrations/migrate-to-7-0-0.sh b/migrations/migrate-to-7-0-0.sh
new file mode 100755
index 000000000..8aaaa9b4e
--- /dev/null
+++ b/migrations/migrate-to-7-0-0.sh
@@ -0,0 +1,25 @@
+#!/bin/sh
+set -eu
+
+#
+# Precondition: The module call has been extracted to a separate file given in "$1". The code is well-formatted.
+# Run `terraform fmt` to do that
+#
+# $1: file name containing the module call to be converted
+#
+
+converted_file="$1.new"
+
+cp "$1" "$converted_file"
+
+#
+# PR #738 chore!: remove deprecated variables
+#
+sed -i '/arn_format/d' "$converted_file"
+sed -i '/subnet_id_runners/d' "$converted_file"
+sed -i '/subnet_ids_gitlab_runner/d' "$converted_file"
+sed -i '/asg_terminate_lifecycle_hook_create/d' "$converted_file"
+sed -i '/asg_terminate_lifecycle_hook_heartbeat_timeout/d' "$converted_file"
+sed -i '/asg_terminate_lifecycle_lambda_memory_size/d' "$converted_file"
+sed -i '/asg_terminate_lifecycle_lambda_runtime/d' "$converted_file"
+sed -i '/asg_terminate_lifecycle_lambda_timeout/d' "$converted_file"
diff --git a/modules/terminate-agent-hook/variables.tf b/modules/terminate-agent-hook/variables.tf
index 3f8a22897..3cfb49970 100644
--- a/modules/terminate-agent-hook/variables.tf
+++ b/modules/terminate-agent-hook/variables.tf
@@ -60,9 +60,3 @@ variable "enable_xray_tracing" {
 type = bool
 default = false
 }
-
-variable "arn_format" {
- type = string
- default = "arn:aws"
- description = "ARN format to be used. May be changed to support deployment in GovCloud/China regions."
-}
diff --git a/variables.tf b/variables.tf
index cb53182f3..f02bc51db 100644
--- a/variables.tf
+++ b/variables.tf
@@ -3,12 +3,6 @@ variable "aws_region" {
 type = string
 }
 
-variable "arn_format" {
- type = string
- default = null
- description = "Deprecated! Calculated automatically by the module. ARN format to be used. May be changed to support deployment in GovCloud/China regions."
-}
-
 variable "auth_type_cache_sr" {
 description = "A string that declares the AuthenticationType for [runners.cache.s3]. Can either be 'iam' or 'credentials'"
 type = string
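Review bot: The `sed -i '/name/d'` lines in the new script delete every line whose text contains the name anywhere, so a comment or a value that merely mentions `arn_format` is removed as well, while a deprecated variable assigned a multi-line value (`subnet_ids_gitlab_runner = [` … `]`) leaves its continuation lines behind and the converted file no longer parses. Anchoring on the assignment, `sed -i '/^ *arn_format *=/d' "$converted_file"`, fixes the first problem; the second needs at least a line in the header comment stating that single-line values are assumed, since `terraform fmt` does not collapse lists. `sed -i` without a suffix argument is a GNU extension that fails under BSD sed, which matters for a script declared as `#!/bin/sh`.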
@@ -855,70 +849,12 @@ variable "docker_machine_egress_rules" { }] } -variable "subnet_id_runners" { - description = "Deprecated! Use subnet_id instead. List of subnets used for hosting the gitlab-runners." - type = string - default = "" -} - -variable "subnet_ids_gitlab_runner" { - description = "Deprecated! Use subnet_id instead. Subnet used for hosting the GitLab runner." - type = list(string) - default = [] -} - variable "asg_terminate_lifecycle_hook_name" { description = "Specifies a custom name for the ASG terminate lifecycle hook and related resources." type = string default = null } -variable "asg_terminate_lifecycle_hook_create" { - description = "(Deprecated and always true now) Boolean toggling the creation of the ASG instance terminate lifecycle hook." - type = bool - default = true - - validation { - condition = var.asg_terminate_lifecycle_hook_create - error_message = "The hook must be created. Please remove the variable declaration." - } -} - -variable "asg_terminate_lifecycle_hook_heartbeat_timeout" { - description = "(Deprecated and no longer in use) The amount of time, in seconds, for the instances to remain in wait state." - type = number - default = null - - validation { - condition = var.asg_terminate_lifecycle_hook_heartbeat_timeout == null - error_message = "The timeout value is managed by the module. Please remove the variable declaration." - } -} - -# to be removed in future release -# tflint-ignore: terraform_unused_declarations -variable "asg_terminate_lifecycle_lambda_memory_size" { - description = "(Deprecated and no longer in use) The memory size in MB to allocate to the terminate-instances Lambda function." - type = number - default = 128 -} - -# to be removed in future release -# tflint-ignore: terraform_unused_declarations -variable "asg_terminate_lifecycle_lambda_runtime" { - description = "(Deprecated and no longer in use) Identifier of the function's runtime. This should be a python3.x runtime. 
See https://docs.aws.amazon.com/lambda/latest/dg/API_CreateFunction.html#SSS-CreateFunction-request-Runtime for more information." - type = string - default = "python3.8" -} - -# to be removed in future release -# tflint-ignore: terraform_unused_declarations -variable "asg_terminate_lifecycle_lambda_timeout" { - description = "(Deprecated and no longer in use) Amount of time the terminate-instances Lambda Function has to run in seconds." - default = 30 - type = number -} - variable "runner_yum_update" { description = "Run a yum update as part of starting the runner" type = bool From 323e198f5b8cd11aeaa20655431b19dff4214212 Mon Sep 17 00:00:00 2001 From: Tyrone Meijn Date: Thu, 2 Mar 2023 09:25:58 +0100 Subject: [PATCH 16/74] fix!: remove deprecated pull policy variable (#710) ## Description Removes the earlier deprecated `runners_pull_policy` variable. Since were making a Major release I thought this one was nice to catch. ## Migrations required YES. Replace the `runners_pull_policy` by `runners_pull_policies`. --- README.md | 1 - locals.tf | 2 +- variables.tf | 6 ------ 3 files changed, 1 insertion(+), 8 deletions(-) diff --git a/README.md b/README.md index baf83eb42..570027d34 100644 --- a/README.md +++ b/README.md @@ -616,7 +616,6 @@ Made with [contributors-img](https://contrib.rocks). | [runners\_pre\_clone\_script](#input\_runners\_pre\_clone\_script) | Commands to be executed on the Runner before cloning the Git repository. this can be used to adjust the Git client configuration first, for example. | `string` | `"\"\""` | no | | [runners\_privileged](#input\_runners\_privileged) | Runners will run in privileged mode, will be used in the runner config.toml | `bool` | `true` | no | | [runners\_pull\_policies](#input\_runners\_pull\_policies) | pull policies for the runners, will be used in the runner config.toml, for Gitlab Runner >= 13.8, see https://docs.gitlab.com/runner/executors/docker.html#using-multiple-pull-policies | `list(string)` |
[
"always"
]
| no | -| [runners\_pull\_policy](#input\_runners\_pull\_policy) | Deprecated! Use runners\_pull\_policies instead. pull\_policy for the runners, will be used in the runner config.toml | `string` | `""` | no | | [runners\_request\_concurrency](#input\_runners\_request\_concurrency) | Limit number of concurrent requests for new jobs from GitLab (default 1). | `number` | `1` | no | | [runners\_request\_spot\_instance](#input\_runners\_request\_spot\_instance) | Whether or not to request spot instances via docker-machine | `bool` | `true` | no | | [runners\_root\_size](#input\_runners\_root\_size) | Runner instance root size in GB. | `number` | `16` | no | diff --git a/locals.tf b/locals.tf index d7126f554..58122f219 100644 --- a/locals.tf +++ b/locals.tf @@ -78,7 +78,7 @@ locals { } ) - runners_pull_policies = var.runners_pull_policy != "" ? "[\"${var.runners_pull_policy}\"]" : "[\"${join("\",\"", var.runners_pull_policies)}\"]" + runners_pull_policies = "[\"${join("\",\"", var.runners_pull_policies)}\"]" /* determines if the docker machine executable adds the Name tag automatically (versions >= 0.16.2) */ # make sure to skip pre-release stuff in the semver by ignoring everything after "-" diff --git a/variables.tf b/variables.tf index 3c586597c..cb53182f3 100644 --- a/variables.tf +++ b/variables.tf @@ -248,12 +248,6 @@ variable "runners_helper_image" { default = "" } -variable "runners_pull_policy" { - description = "Deprecated! Use runners_pull_policies instead. pull_policy for the runners, will be used in the runner config.toml" - type = string - default = "" -} - variable "runners_pull_policies" { description = "pull policies for the runners, will be used in the runner config.toml, for Gitlab Runner >= 13.8, see https://docs.gitlab.com/runner/executors/docker.html#using-multiple-pull-policies " type = list(string) From 93657e65c067e803c7f4548e0a7d6a07b8022975 Mon Sep 17 00:00:00 2001 
From: Matthias Kay Date: Thu, 16 Mar 2023 22:59:43 +0100 Subject: [PATCH 17/74] chore!: remove deprecated variables (#738) This PR removes all variables which are marked as deprecated. - `arn_format` - `subnet_id_runners` - `subnet_ids_gitlab_runner` - `asg_terminate_lifecycle_hook_create` - `asg_terminate_lifecycle_hook_heartbeat_timeout` - `asg_terminate_lifecycle_lambda_memory_size` - `asg_terminate_lifecycle_lambda_runtime` - `asg_terminate_lifecycle_lambda_timeout` Yes. Remove the variables from your configuration. This is done automatically by the migration script. None. --------- Co-authored-by: Tyrone Meijn --- .cspell.json | 2 + README.md | 3 +- examples/runner-public/main.tf | 7 ++- main.tf | 7 ++- migrations/migrate-to-7-0-0.sh | 25 +++++++++ modules/terminate-agent-hook/variables.tf | 6 --- variables.tf | 64 ----------------------- 7 files changed, 35 insertions(+), 79 deletions(-) create mode 100755 migrations/migrate-to-7-0-0.sh diff --git a/.cspell.json b/.cspell.json index 15180d9ab..b8a95ecdd 100644 --- a/.cspell.json +++ b/.cspell.json @@ -4,6 +4,7 @@ "words": [ "amazonec", "amannn", + "amazonec", "anytrue", "aquasecurity", "awscli", @@ -50,6 +51,7 @@ "tflint", "tftpl", "tfsec", + "tftpl", "tfvars", "tmpfs", "trivy", diff --git a/README.md b/README.md index 570027d34..0ec2a580e 100644 --- a/README.md +++ b/README.md @@ -1,8 +1,9 @@ - + [![Terraform registry](https://img.shields.io/github/v/release/cattle-ops/terraform-aws-gitlab-runner?label=Terraform%20Registry)](https://registry.terraform.io/modules/cattle-ops/gitlab-runner/aws/) [![Gitter](https://badges.gitter.im/terraform-aws-gitlab-runner/Lobby.svg)](https://gitter.im/terraform-aws-gitlab-runner/Lobby?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge) [![Actions](https://github.com/cattle-ops/terraform-aws-gitlab-runner/workflows/CI/badge.svg)](https://github.com/cattle-ops/terraform-aws-gitlab-runner/actions) + # Terraform module for GitLab auto scaling runners on AWS spot instances 
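Review bot: Both words added to `.cspell.json` already exist in the list: `"amazonec"` sits in the context lines directly above the insertion in the first hunk, and `"tftpl"` two lines above the insertion in the second, so the two additions are duplicates (they look like a merge artefact) and can be dropped. The same pair of duplicates appears in the later copy of this commit on this page (PATCH 19/74), and the `.cspell.json` context of the following commit (PATCH 20/74) shows `"amazonec"` listed twice.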
diff --git a/examples/runner-public/main.tf b/examples/runner-public/main.tf index ffd2ae3ea..0d5d2c82e 100644 --- a/examples/runner-public/main.tf +++ b/examples/runner-public/main.tf @@ -2,7 +2,7 @@ data "aws_availability_zones" "available" { state = "available" } -# VPC Flow logs are not needed here +# Every VPC resource should have an associated Flow Log: This is an example only. No flow logs are created. # kics-scan ignore-line module "vpc" { source = "terraform-aws-modules/vpc/aws" @@ -79,9 +79,8 @@ module "runner2" { runners_use_private_address = false - vpc_id = module.vpc.vpc_id - subnet_ids_gitlab_runner = module.vpc.public_subnets - subnet_id_runners = element(module.vpc.public_subnets, 0) + vpc_id = module.vpc.vpc_id + subnet_id = element(module.vpc.public_subnets, 0) docker_machine_spot_price_bid = "on-demand-price" diff --git a/main.tf b/main.tf index a15a1ebe1..a130b656e 100644 --- a/main.tf +++ b/main.tf @@ -2,7 +2,7 @@ data "aws_caller_identity" "current" {} data "aws_partition" "current" {} data "aws_subnet" "runners" { - id = length(var.subnet_id) > 0 ? var.subnet_id : var.subnet_id_runners + id = var.subnet_id } data "aws_availability_zone" "runners" { @@ -87,7 +87,7 @@ locals { tls_ca_file = length(var.runners_gitlab_certificate) > 0 ? "tls-ca-file=\"/etc/gitlab-runner/certs/gitlab.crt\"" : "" runners_extra_hosts = var.runners_extra_hosts runners_vpc_id = var.vpc_id - runners_subnet_id = length(var.subnet_id) > 0 ? var.subnet_id : var.subnet_id_runners + runners_subnet_id = var.subnet_id runners_aws_zone = data.aws_availability_zone.runners.name_suffix runners_instance_type = var.docker_machine_instance_type runners_spot_price_bid = var.docker_machine_spot_price_bid == "on-demand-price" || var.docker_machine_spot_price_bid == null ? "" : var.docker_machine_spot_price_bid 
@@ -163,7 +163,7 @@ data "aws_ami" "docker-machine" { # kics-scan ignore-line resource "aws_autoscaling_group" "gitlab_runner_instance" { name = var.enable_asg_recreation ? "${aws_launch_template.gitlab_runner_instance.name}-asg" : "${var.environment}-as-group" - vpc_zone_identifier = length(var.subnet_id) > 0 ? [var.subnet_id] : var.subnet_ids_gitlab_runner + vpc_zone_identifier = [var.subnet_id] min_size = "1" max_size = "1" desired_capacity = "1" @@ -565,7 +565,6 @@ module "terminate_agent_hook" { name_docker_machine_runners = local.runner_tags_merged["Name"] role_permissions_boundary = var.permissions_boundary == "" ? null : "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:policy/${var.permissions_boundary}" kms_key_id = local.kms_key - arn_format = var.arn_format tags = local.tags } diff --git a/migrations/migrate-to-7-0-0.sh b/migrations/migrate-to-7-0-0.sh new file mode 100755 index 000000000..8aaaa9b4e --- /dev/null +++ b/migrations/migrate-to-7-0-0.sh @@ -0,0 +1,25 @@ +#!/bin/sh +set -eu + +# +# Precondition: The module call has been extracted to a separate file given in "$1". The code is well-formatted. +# Run `terraform fmt` to do that +# +# $1: file name containing the module call to be converted +# + +converted_file="$1.new" + +cp "$1" "$converted_file" + +# +# PR #738 chore!: remove deprecated variables +# +sed -i '/arn_format/d' "$converted_file" +sed -i '/subnet_id_runners/d' "$converted_file" +sed -i '/subnet_ids_gitlab_runner/d' "$converted_file" +sed -i '/asg_terminate_lifecycle_hook_create/d' "$converted_file" +sed -i '/asg_terminate_lifecycle_hook_heartbeat_timeout/d' "$converted_file" +sed -i '/asg_terminate_lifecycle_lambda_memory_size/d' "$converted_file" +sed -i '/asg_terminate_lifecycle_lambda_runtime/d' "$converted_file" +sed -i '/asg_terminate_lifecycle_lambda_timeout/d' "$converted_file" 
diff --git a/modules/terminate-agent-hook/variables.tf b/modules/terminate-agent-hook/variables.tf index 3f8a22897..3cfb49970 100644 --- a/modules/terminate-agent-hook/variables.tf +++ b/modules/terminate-agent-hook/variables.tf @@ -60,9 +60,3 @@ variable "enable_xray_tracing" { type = bool default = false } - -variable "arn_format" { - type = string - default = "arn:aws" - description = "ARN format to be used. May be changed to support deployment in GovCloud/China regions." -} diff --git a/variables.tf b/variables.tf index cb53182f3..f02bc51db 100644 --- a/variables.tf +++ b/variables.tf @@ -3,12 +3,6 @@ variable "aws_region" { type = string } -variable "arn_format" { - type = string - default = null - description = "Deprecated! Calculated automatically by the module. ARN format to be used. May be changed to support deployment in GovCloud/China regions." -} - variable "auth_type_cache_sr" { description = "A string that declares the AuthenticationType for [runners.cache.s3]. Can either be 'iam' or 'credentials'" type = string 
@@ -855,70 +849,12 @@ variable "docker_machine_egress_rules" { }] } -variable "subnet_id_runners" { - description = "Deprecated! Use subnet_id instead. List of subnets used for hosting the gitlab-runners." - type = string - default = "" -} - -variable "subnet_ids_gitlab_runner" { - description = "Deprecated! Use subnet_id instead. Subnet used for hosting the GitLab runner." - type = list(string) - default = [] -} - variable "asg_terminate_lifecycle_hook_name" { description = "Specifies a custom name for the ASG terminate lifecycle hook and related resources." type = string default = null } -variable "asg_terminate_lifecycle_hook_create" { - description = "(Deprecated and always true now) Boolean toggling the creation of the ASG instance terminate lifecycle hook." - type = bool - default = true - - validation { - condition = var.asg_terminate_lifecycle_hook_create - error_message = "The hook must be created. Please remove the variable declaration." - } -} - -variable "asg_terminate_lifecycle_hook_heartbeat_timeout" { - description = "(Deprecated and no longer in use) The amount of time, in seconds, for the instances to remain in wait state." - type = number - default = null - - validation { - condition = var.asg_terminate_lifecycle_hook_heartbeat_timeout == null - error_message = "The timeout value is managed by the module. Please remove the variable declaration." - } -} - -# to be removed in future release -# tflint-ignore: terraform_unused_declarations -variable "asg_terminate_lifecycle_lambda_memory_size" { - description = "(Deprecated and no longer in use) The memory size in MB to allocate to the terminate-instances Lambda function." - type = number - default = 128 -} - -# to be removed in future release -# tflint-ignore: terraform_unused_declarations -variable "asg_terminate_lifecycle_lambda_runtime" { - description = "(Deprecated and no longer in use) Identifier of the function's runtime. This should be a python3.x runtime. 
See https://docs.aws.amazon.com/lambda/latest/dg/API_CreateFunction.html#SSS-CreateFunction-request-Runtime for more information." - type = string - default = "python3.8" -} - -# to be removed in future release -# tflint-ignore: terraform_unused_declarations -variable "asg_terminate_lifecycle_lambda_timeout" { - description = "(Deprecated and no longer in use) Amount of time the terminate-instances Lambda Function has to run in seconds." - default = 30 - type = number -} - variable "runner_yum_update" { description = "Run a yum update as part of starting the runner" type = bool From 3b340a4021f9174aebb5548965757da56c857dff Mon Sep 17 00:00:00 2001 From: Tyrone Meijn Date: Thu, 2 Mar 2023 09:25:58 +0100 Subject: [PATCH 18/74] fix!: remove deprecated pull policy variable (#710) ## Description Removes the earlier deprecated `runners_pull_policy` variable. Since were making a Major release I thought this one was nice to catch. ## Migrations required YES. Replace the `runners_pull_policy` by `runners_pull_policies`. --- README.md | 1 - locals.tf | 2 +- variables.tf | 6 ------ 3 files changed, 1 insertion(+), 8 deletions(-) diff --git a/README.md b/README.md index baf83eb42..570027d34 100644 --- a/README.md +++ b/README.md @@ -616,7 +616,6 @@ Made with [contributors-img](https://contrib.rocks). | [runners\_pre\_clone\_script](#input\_runners\_pre\_clone\_script) | Commands to be executed on the Runner before cloning the Git repository. this can be used to adjust the Git client configuration first, for example. | `string` | `"\"\""` | no | | [runners\_privileged](#input\_runners\_privileged) | Runners will run in privileged mode, will be used in the runner config.toml | `bool` | `true` | no | | [runners\_pull\_policies](#input\_runners\_pull\_policies) | pull policies for the runners, will be used in the runner config.toml, for Gitlab Runner >= 13.8, see https://docs.gitlab.com/runner/executors/docker.html#using-multiple-pull-policies | `list(string)` |
[
"always"
]
| no | -| [runners\_pull\_policy](#input\_runners\_pull\_policy) | Deprecated! Use runners\_pull\_policies instead. pull\_policy for the runners, will be used in the runner config.toml | `string` | `""` | no | | [runners\_request\_concurrency](#input\_runners\_request\_concurrency) | Limit number of concurrent requests for new jobs from GitLab (default 1). | `number` | `1` | no | | [runners\_request\_spot\_instance](#input\_runners\_request\_spot\_instance) | Whether or not to request spot instances via docker-machine | `bool` | `true` | no | | [runners\_root\_size](#input\_runners\_root\_size) | Runner instance root size in GB. | `number` | `16` | no | diff --git a/locals.tf b/locals.tf index d7126f554..58122f219 100644 --- a/locals.tf +++ b/locals.tf @@ -78,7 +78,7 @@ locals { } ) - runners_pull_policies = var.runners_pull_policy != "" ? "[\"${var.runners_pull_policy}\"]" : "[\"${join("\",\"", var.runners_pull_policies)}\"]" + runners_pull_policies = "[\"${join("\",\"", var.runners_pull_policies)}\"]" /* determines if the docker machine executable adds the Name tag automatically (versions >= 0.16.2) */ # make sure to skip pre-release stuff in the semver by ignoring everything after "-" diff --git a/variables.tf b/variables.tf index 437af1a01..724a52bec 100644 --- a/variables.tf +++ b/variables.tf @@ -248,12 +248,6 @@ variable "runners_helper_image" { default = "" } -variable "runners_pull_policy" { - description = "Deprecated! Use runners_pull_policies instead. pull_policy for the runners, will be used in the runner config.toml" - type = string - default = "" -} - variable "runners_pull_policies" { description = "pull policies for the runners, will be used in the runner config.toml, for Gitlab Runner >= 13.8, see https://docs.gitlab.com/runner/executors/docker.html#using-multiple-pull-policies " type = list(string) From 3e17556124d8b309740c54c958c1162d6205c0a5 Mon Sep 17 00:00:00 2001 
From: Matthias Kay Date: Thu, 16 Mar 2023 22:59:43 +0100 Subject: [PATCH 19/74] chore!: remove deprecated variables (#738) This PR removes all variables which are marked as deprecated. - `arn_format` - `subnet_id_runners` - `subnet_ids_gitlab_runner` - `asg_terminate_lifecycle_hook_create` - `asg_terminate_lifecycle_hook_heartbeat_timeout` - `asg_terminate_lifecycle_lambda_memory_size` - `asg_terminate_lifecycle_lambda_runtime` - `asg_terminate_lifecycle_lambda_timeout` Yes. Remove the variables from your configuration. This is done automatically by the migration script. None. --------- Co-authored-by: Tyrone Meijn --- .cspell.json | 2 + README.md | 3 +- examples/runner-public/main.tf | 7 ++- main.tf | 7 ++- migrations/migrate-to-7-0-0.sh | 25 +++++++++ modules/terminate-agent-hook/variables.tf | 6 --- variables.tf | 64 ----------------------- 7 files changed, 35 insertions(+), 79 deletions(-) create mode 100755 migrations/migrate-to-7-0-0.sh diff --git a/.cspell.json b/.cspell.json index 15180d9ab..b8a95ecdd 100644 --- a/.cspell.json +++ b/.cspell.json @@ -4,6 +4,7 @@ "words": [ "amazonec", "amannn", + "amazonec", "anytrue", "aquasecurity", "awscli", @@ -50,6 +51,7 @@ "tflint", "tftpl", "tfsec", + "tftpl", "tfvars", "tmpfs", "trivy", diff --git a/README.md b/README.md index 570027d34..0ec2a580e 100644 --- a/README.md +++ b/README.md @@ -1,8 +1,9 @@ - + [![Terraform registry](https://img.shields.io/github/v/release/cattle-ops/terraform-aws-gitlab-runner?label=Terraform%20Registry)](https://registry.terraform.io/modules/cattle-ops/gitlab-runner/aws/) [![Gitter](https://badges.gitter.im/terraform-aws-gitlab-runner/Lobby.svg)](https://gitter.im/terraform-aws-gitlab-runner/Lobby?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge) [![Actions](https://github.com/cattle-ops/terraform-aws-gitlab-runner/workflows/CI/badge.svg)](https://github.com/cattle-ops/terraform-aws-gitlab-runner/actions) + # Terraform module for GitLab auto scaling runners on AWS spot instances 
diff --git a/examples/runner-public/main.tf b/examples/runner-public/main.tf index ffd2ae3ea..0d5d2c82e 100644 --- a/examples/runner-public/main.tf +++ b/examples/runner-public/main.tf @@ -2,7 +2,7 @@ data "aws_availability_zones" "available" { state = "available" } -# VPC Flow logs are not needed here +# Every VPC resource should have an associated Flow Log: This is an example only. No flow logs are created. # kics-scan ignore-line module "vpc" { source = "terraform-aws-modules/vpc/aws" @@ -79,9 +79,8 @@ module "runner2" { runners_use_private_address = false - vpc_id = module.vpc.vpc_id - subnet_ids_gitlab_runner = module.vpc.public_subnets - subnet_id_runners = element(module.vpc.public_subnets, 0) + vpc_id = module.vpc.vpc_id + subnet_id = element(module.vpc.public_subnets, 0) docker_machine_spot_price_bid = "on-demand-price" diff --git a/main.tf b/main.tf index 00e76ae6e..91e020d14 100644 --- a/main.tf +++ b/main.tf @@ -2,7 +2,7 @@ data "aws_caller_identity" "current" {} data "aws_partition" "current" {} data "aws_subnet" "runners" { - id = length(var.subnet_id) > 0 ? var.subnet_id : var.subnet_id_runners + id = var.subnet_id } data "aws_availability_zone" "runners" { @@ -87,7 +87,7 @@ locals { tls_ca_file = length(var.runners_gitlab_certificate) > 0 ? "tls-ca-file=\"/etc/gitlab-runner/certs/gitlab.crt\"" : "" runners_extra_hosts = var.runners_extra_hosts runners_vpc_id = var.vpc_id - runners_subnet_id = length(var.subnet_id) > 0 ? var.subnet_id : var.subnet_id_runners + runners_subnet_id = var.subnet_id runners_aws_zone = data.aws_availability_zone.runners.name_suffix runners_instance_type = var.docker_machine_instance_type runners_spot_price_bid = var.docker_machine_spot_price_bid == "on-demand-price" || var.docker_machine_spot_price_bid == null ? "" : var.docker_machine_spot_price_bid 
@@ -163,7 +163,7 @@ data "aws_ami" "docker-machine" { # kics-scan ignore-line resource "aws_autoscaling_group" "gitlab_runner_instance" { name = var.enable_asg_recreation ? "${aws_launch_template.gitlab_runner_instance.name}-asg" : "${var.environment}-as-group" - vpc_zone_identifier = length(var.subnet_id) > 0 ? [var.subnet_id] : var.subnet_ids_gitlab_runner + vpc_zone_identifier = [var.subnet_id] min_size = "1" max_size = "1" desired_capacity = "1" @@ -595,7 +595,6 @@ module "terminate_agent_hook" { name_docker_machine_runners = local.runner_tags_merged["Name"] role_permissions_boundary = var.permissions_boundary == "" ? null : "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:policy/${var.permissions_boundary}" kms_key_id = local.kms_key - arn_format = var.arn_format tags = local.tags } diff --git a/migrations/migrate-to-7-0-0.sh b/migrations/migrate-to-7-0-0.sh new file mode 100755 index 000000000..8aaaa9b4e --- /dev/null +++ b/migrations/migrate-to-7-0-0.sh @@ -0,0 +1,25 @@ +#!/bin/sh +set -eu + +# +# Precondition: The module call has been extracted to a separate file given in "$1". The code is well-formatted. +# Run `terraform fmt` to do that +# +# $1: file name containing the module call to be converted +# + +converted_file="$1.new" + +cp "$1" "$converted_file" + +# +# PR #738 chore!: remove deprecated variables +# +sed -i '/arn_format/d' "$converted_file" +sed -i '/subnet_id_runners/d' "$converted_file" +sed -i '/subnet_ids_gitlab_runner/d' "$converted_file" +sed -i '/asg_terminate_lifecycle_hook_create/d' "$converted_file" +sed -i '/asg_terminate_lifecycle_hook_heartbeat_timeout/d' "$converted_file" +sed -i '/asg_terminate_lifecycle_lambda_memory_size/d' "$converted_file" +sed -i '/asg_terminate_lifecycle_lambda_runtime/d' "$converted_file" +sed -i '/asg_terminate_lifecycle_lambda_timeout/d' "$converted_file" 
diff --git a/modules/terminate-agent-hook/variables.tf b/modules/terminate-agent-hook/variables.tf index 3f8a22897..3cfb49970 100644 --- a/modules/terminate-agent-hook/variables.tf +++ b/modules/terminate-agent-hook/variables.tf @@ -60,9 +60,3 @@ variable "enable_xray_tracing" { type = bool default = false } - -variable "arn_format" { - type = string - default = "arn:aws" - description = "ARN format to be used. May be changed to support deployment in GovCloud/China regions." -} diff --git a/variables.tf b/variables.tf index 724a52bec..fd6ead62b 100644 --- a/variables.tf +++ b/variables.tf @@ -3,12 +3,6 @@ variable "aws_region" { type = string } -variable "arn_format" { - type = string - default = null - description = "Deprecated! Calculated automatically by the module. ARN format to be used. May be changed to support deployment in GovCloud/China regions." -} - variable "auth_type_cache_sr" { description = "A string that declares the AuthenticationType for [runners.cache.s3]. Can either be 'iam' or 'credentials'" type = string 
@@ -855,70 +849,12 @@ variable "docker_machine_egress_rules" { }] } -variable "subnet_id_runners" { - description = "Deprecated! Use subnet_id instead. List of subnets used for hosting the gitlab-runners." - type = string - default = "" -} - -variable "subnet_ids_gitlab_runner" { - description = "Deprecated! Use subnet_id instead. Subnet used for hosting the GitLab runner." - type = list(string) - default = [] -} - variable "asg_terminate_lifecycle_hook_name" { description = "Specifies a custom name for the ASG terminate lifecycle hook and related resources." type = string default = null } -variable "asg_terminate_lifecycle_hook_create" { - description = "(Deprecated and always true now) Boolean toggling the creation of the ASG instance terminate lifecycle hook." - type = bool - default = true - - validation { - condition = var.asg_terminate_lifecycle_hook_create - error_message = "The hook must be created. Please remove the variable declaration." - } -} - -variable "asg_terminate_lifecycle_hook_heartbeat_timeout" { - description = "(Deprecated and no longer in use) The amount of time, in seconds, for the instances to remain in wait state." - type = number - default = null - - validation { - condition = var.asg_terminate_lifecycle_hook_heartbeat_timeout == null - error_message = "The timeout value is managed by the module. Please remove the variable declaration." - } -} - -# to be removed in future release -# tflint-ignore: terraform_unused_declarations -variable "asg_terminate_lifecycle_lambda_memory_size" { - description = "(Deprecated and no longer in use) The memory size in MB to allocate to the terminate-instances Lambda function." - type = number - default = 128 -} - -# to be removed in future release -# tflint-ignore: terraform_unused_declarations -variable "asg_terminate_lifecycle_lambda_runtime" { - description = "(Deprecated and no longer in use) Identifier of the function's runtime. This should be a python3.x runtime. 
See https://docs.aws.amazon.com/lambda/latest/dg/API_CreateFunction.html#SSS-CreateFunction-request-Runtime for more information." - type = string - default = "python3.8" -} - -# to be removed in future release -# tflint-ignore: terraform_unused_declarations -variable "asg_terminate_lifecycle_lambda_timeout" { - description = "(Deprecated and no longer in use) Amount of time the terminate-instances Lambda Function has to run in seconds." - default = 30 - type = number -} - variable "runner_yum_update" { description = "Run a yum update as part of starting the runner" type = bool From 3662eebc9bd3b27236879a11a39f0b8a7cdb2ed1 Mon Sep 17 00:00:00 2001 
From: Tyrone Meijn Date: Thu, 20 Apr 2023 08:50:14 +0200 Subject: [PATCH 20/74] feat!: add idle_count_min` and `idle_scale_factor` to Docker Machine autoscaling options (#711) ## Description Switches from hardcoded options to free-form scaling configuration. This reduces the module complexity by allowing us to get rid of a number of variables while giving more control to the user to define their options without us having to build support for each of them. Adds `idle_scale_factor` and `idle_count_min` Docker Machine options. See [documentation](https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-runnersmachine-section). ## Migrations required YES - users will have to change the input name from `runners_machine_autoscaling` to `runners_machine_autoscaling_options`. No other changes should be needed, we just support _more_ options. A migration script is available. ## Verification No input given: (end of rendered `config.toml`) ![image](https://user-images.githubusercontent.com/17970041/225890782-02fe4adc-4c6a-4237-9752-a64349464113.png) Input: ```hcl runners_machine_autoscaling_options = [ { periods = ["* * 9-17 * * mon-fri *", "* * 9-17 * * mon-fri *"] idle_count = 50 idle_count_min = 10 idle_time = 3600 timezone = "UTC" idle_scale_factor = 1.5 }, { periods = ["* * 9-17 * * mon-fri *", "* * 9-17 * * mon-fri *"] idle_count = 50 idle_time = 3600 timezone = "Europe/Amsterdam" } ] ``` Rendered `config.toml`: ![image](https://user-images.githubusercontent.com/17970041/225891085-add03ee8-3943-4c56-96a4-d1a8c252deb0.png) Apply results: ![image](https://user-images.githubusercontent.com/17970041/225893020-a9850486-4aa6-4eb0-b996-558ec7bccfea.png) Closes #556 --------- Co-authored-by: Matthias Kay --- .cspell.json | 7 ++++--- .github/workflows/ci.yml | 2 +- .terraform-version | 2 +- examples/runner-default/main.tf | 4 ++-- examples/runner-pre-registered/main.tf | 4 ++-- locals.tf | 5 ----- main.tf | 7 ++++++- migrations/migrate-to-7-0-0.sh | 5 +++++ 
outputs.tf | 5 +++++ template/runner-config.tftpl | 8 +++++++- template/runners_machine_autoscaling.tftpl | 7 ------- variables.tf | 23 +++++++++++++++++----- 12 files changed, 51 insertions(+), 28 deletions(-) delete mode 100644 template/runners_machine_autoscaling.tftpl diff --git a/.cspell.json b/.cspell.json index b8a95ecdd..877c3e397 100644 --- a/.cspell.json +++ b/.cspell.json @@ -2,6 +2,7 @@ "version": "0.2", "language": "en", "words": [ + "alltrue", "amazonec", "amannn", "amazonec", @@ -22,9 +23,7 @@ "endfor", "formatlist", "gitter", - "godotenv", - "golangci", - "gruntwork", + "glrunners", "instancelifecycle", "kics", "joho", @@ -39,10 +38,12 @@ "pylint", "pylintrc", "pyright", + "setsubtract", "shuf", "signoff", "signum", "stretchr", + "subkey", "substr", "templatefile", "terrascan", diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 324db2a70..a96f7f751 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -31,7 +31,7 @@ jobs: strategy: fail-fast: false matrix: - terraform: [ 1.0.11, 1.3.9, latest ] + terraform: [1.3.9, latest] example: [ "runner-default", diff --git a/.terraform-version b/.terraform-version index 337a6a8f1..589268e6f 100644 --- a/.terraform-version +++ b/.terraform-version @@ -1 +1 @@ -1.0.8 \ No newline at end of file +1.3.0 \ No newline at end of file diff --git a/examples/runner-default/main.tf b/examples/runner-default/main.tf index 84e089824..39a49fbe1 100644 --- a/examples/runner-default/main.tf +++ b/examples/runner-default/main.tf @@ -97,9 +97,9 @@ module "runner" { ] # working 9 to 5 :) - runners_machine_autoscaling = [ + runners_machine_autoscaling_options = [ { - periods = ["\"* * 0-9,17-23 * * mon-fri *\"", "\"* * * * * sat,sun *\""] + periods = ["* * 0-9,17-23 * * mon-fri *", "* * * * * sat,sun *"] idle_count = 0 idle_time = 60 timezone = var.timezone diff --git a/examples/runner-pre-registered/main.tf b/examples/runner-pre-registered/main.tf index e6d204c15..75d50d7b6 100644 
--- a/examples/runner-pre-registered/main.tf +++ b/examples/runner-pre-registered/main.tf @@ -40,9 +40,9 @@ module "runner" { runners_token = var.runner_token # working 9 to 5 :) - runners_machine_autoscaling = [ + runners_machine_autoscaling_options = [ { - periods = ["\"* * 0-9,17-23 * * mon-fri *\"", "\"* * * * * sat,sun *\""] + periods = ["* * 0-9,17-23 * * mon-fri *", "* * * * * sat,sun *"] idle_count = 0 idle_time = 60 timezone = var.timezone diff --git a/locals.tf b/locals.tf index 58122f219..6d9342440 100644 --- a/locals.tf +++ b/locals.tf @@ -68,11 +68,6 @@ locals { %{~if var.runners_add_dind_volumes~},"/certs/client", "/builds", "/var/run/docker.sock:/var/run/docker.sock"%{endif~}%{~for volume in var.runners_additional_volumes~},"${volume}"%{endfor~} EOT - runners_machine_autoscaling = templatefile("${path.module}/template/runners_machine_autoscaling.tftpl", { - runners_machine_autoscaling = var.runners_machine_autoscaling - } - ) - runners_docker_services = templatefile("${path.module}/template/runners_docker_services.tftpl", { runners_docker_services = var.runners_docker_services } diff --git a/main.tf b/main.tf index 91e020d14..9248df253 100644 --- a/main.tf +++ b/main.tf @@ -81,6 +81,12 @@ locals { template_runner_config = templatefile("${path.module}/template/runner-config.tftpl", { + runners_machine_autoscaling = [for config in var.runners_machine_autoscaling_options : { + for key, value in config : + # Convert key from snake_case to PascalCase which is the casing for this section. + join("", [for subkey in split("_", key) : title(subkey)]) => jsonencode(value) if value != null + }] + aws_region = var.aws_region gitlab_url = var.runners_gitlab_url gitlab_clone_url = var.runners_clone_url 
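Review bot: The comment on the key conversion in the new `runners_machine_autoscaling` expression explains the PascalCase, but not why every value goes through `jsonencode` when the template renders TOML (`${key} = ${value}`); a reader may take that for a mistake. A comment such as `# jsonencode yields literals that TOML also accepts for the types used here (number, string, list of string) and escapes the quotes in period strings.` next to the existing one would record the intent. The `locals` block holding this expression starts and ends outside the hunk.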
@@ -116,7 +122,6 @@ locals { runners_idle_count = var.runners_idle_count runners_idle_time = var.runners_idle_time runners_max_builds = local.runners_max_builds_string - runners_machine_autoscaling = local.runners_machine_autoscaling runners_root_size = var.runners_root_size runners_volume_type = var.runners_volume_type runners_iam_instance_profile_name = var.runners_iam_instance_profile_name diff --git a/migrations/migrate-to-7-0-0.sh b/migrations/migrate-to-7-0-0.sh index 8aaaa9b4e..de69a715d 100755 --- a/migrations/migrate-to-7-0-0.sh +++ b/migrations/migrate-to-7-0-0.sh @@ -23,3 +23,8 @@ sed -i '/asg_terminate_lifecycle_hook_heartbeat_timeout/d' "$converted_file" sed -i '/asg_terminate_lifecycle_lambda_memory_size/d' "$converted_file" sed -i '/asg_terminate_lifecycle_lambda_runtime/d' "$converted_file" sed -i '/asg_terminate_lifecycle_lambda_timeout/d' "$converted_file" + +# +# PR #711 feat!: refactor Docker Machine autoscaling options +# +sed -i 's/runners_machine_autoscaling/runners_machine_autoscaling_options/g' "$converted_file" diff --git a/outputs.tf b/outputs.tf index 66a6ba3bd..6956b3c90 100644 --- a/outputs.tf +++ b/outputs.tf @@ -57,3 +57,8 @@ output "runner_user_data" { description = "The user data of the Gitlab Runner Agent's launch template." value = local.template_user_data } + +output "runner_config_toml_rendered" { + description = "The rendered config.toml given to the Runner Manager." + value = local.template_runner_config +} diff --git a/template/runner-config.tftpl b/template/runner-config.tftpl index dda5e801a..eca80c910 100644 --- a/template/runner-config.tftpl +++ b/template/runner-config.tftpl @@ -71,4 +71,10 @@ listen_address = "${prometheus_listen_address}" ${docker_machine_options} ] -${runners_machine_autoscaling} +%{~ for config in runners_machine_autoscaling ~} + [[runners.machine.autoscaling]] + %{~ for key, value in config ~} + ${key} = ${value} + %{~ endfor ~} +%{~ endfor ~} + 
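Review bot: The migration line `sed -i 's/runners_machine_autoscaling/runners_machine_autoscaling_options/g'` renames the variable but leaves its value untouched, and the value format changed in the same commit: the examples drop the embedded escaped quotes from each `periods` entry (`"\"* * …\""` becomes `"* * …"`) because the new template now passes every value through `jsonencode`. A renamed-but-otherwise-unchanged config would therefore render `Periods` strings that still contain literal quote characters. The script should also strip the inner `\"` from the `periods` line, or the migration notes should state that this is a manual step.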
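Review bot: `output "runner_config_toml_rendered"` exposes the fully rendered config.toml without `sensitive = true`. A gitlab-runner config.toml presumably carries the runner token, and the template hunk below shows it also renders the `[runners.cache]` S3 settings, so the token — and, depending on configuration, cache credentials — would be printed on every apply and readable by anything that consumes the module's outputs or state. Add `sensitive = true` to the output block; callers who need to inspect the rendering can still use `terraform output -raw` or wrap it in `nonsensitive()` on their side.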
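Review bot: The new `[[runners.machine.autoscaling]]` loop writes `${key} = ${value}` verbatim, which is only valid TOML because main.tf has already PascalCased the keys and passed each value through `jsonencode`; that coupling is not stated anywhere in the template. Add a comment above the loop, e.g. `%{# keys are already PascalCase and values already jsonencode()d by the caller (main.tf) #}`, so a later edit to either side does not silently break the rendered config.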
diff --git a/template/runners_machine_autoscaling.tftpl b/template/runners_machine_autoscaling.tftpl deleted file mode 100644 index 71b40fda1..000000000 --- a/template/runners_machine_autoscaling.tftpl +++ /dev/null @@ -1,7 +0,0 @@ -%{ for config in runners_machine_autoscaling ~} - [[runners.machine.autoscaling]] - Periods = [${replace(format("\"%s\"", join("\",\"", config.periods)), "/\"{2,}/", "\"")}] - IdleCount = ${config.idle_count} - IdleTime = ${config.idle_time} - Timezone = "${config.timezone}" -%{ endfor ~} diff --git a/variables.tf b/variables.tf index fd6ead62b..5d551bf97 100644 --- a/variables.tf +++ b/variables.tf @@ -260,14 +260,27 @@ variable "runners_ebs_optimized" { default = true } -variable "runners_machine_autoscaling" { +variable "runners_machine_autoscaling_options" { description = "Set autoscaling parameters based on periods, see https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-runnersmachine-section" type = list(object({ - periods = list(string) - idle_count = number - idle_time = number - timezone = string + periods = list(string) + idle_count = optional(number) + idle_scale_factor = optional(number) + idle_count_min = optional(number) + idle_time = optional(number) + timezone = optional(string, "UTC") })) + + validation { + condition = alltrue([ + for options in var.runners_machine_autoscaling_options : + length( + setsubtract([for key, value in options : key if value != null], ["periods", "timezone"]) + ) > 0 + ]) + + error_message = "Please specify an attribute that affects Autoscaling." + } default = [] } From 13874f118266971d8932f3bac4591f24c1eb75ae Mon Sep 17 00:00:00 2001 From: kayma Date: Thu, 20 Apr 2023 09:54:44 +0200 Subject: [PATCH 21/74] fix syntax error --- variables.tf | 11 +---------- 1 file changed, 1 insertion(+), 10 deletions(-) diff --git a/variables.tf b/variables.tf index a338fe4a6..98ef4dba8 100644 --- a/variables.tf +++ b/variables.tf 
@@ -877,17 +877,8 @@ variable "executor_docker_machine_autoscaling_options" { idle_time = optional(number) timezone = optional(string, "UTC") })) + default = [] - validation { - condition = alltrue([ - for options in var.executor_docker_machine_autoscaling_options : - length( - setsubtract([for key, value in options : key if value != null], ["periods", "timezone"]) - ) > 0 - ]) - - error_message = "Please specify an attribute that affects Autoscaling." - } default = [] } variable "executor_docker_machine_max_builds" { From 26a6d19bc66325234b950db2895f5be4d7d65328 Mon Sep 17 00:00:00 2001 
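Review bot: The new side of this hunk appears to end up with `default = []` twice — the added line directly after `}))` and the pre-existing `default = []` kept as context below the removed validation — which Terraform rejects as a duplicate argument. If the trailing line's marker was lost in rendering and it is in fact removed, disregard; otherwise drop one of the two. Removing the validation also means an entry with only `periods` set is accepted and renders an `[[runners.machine.autoscaling]]` table that changes nothing, so the variable description should state that at least one of the idle attributes is expected.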
From: Matthias Kay Date: Thu, 20 Apr 2023 10:14:17 +0200 Subject: [PATCH 22/74] feat!: allow to set all docker options for the Executor (#511) ## Description Adds a new variable `runners_docker_options` which holds all values for the `[runners.docker]` section and makes the single variables - `runners_image` - `runners_privileged` - `runners_disable_cache` - `runners_additional_volumes` - `runners_shm_size` - `runners_docker_runtime` - `runners_helper_image` - `runners_pull_policy` obsolete. ## Migrations required Yes, as the minimum Terraform version is 1.3.0 to support optional block variables with defaults. A migration script is provided to restructure the variables. See `/migrations/migrate-to-7-0-0.sh`. Attention Mac users: The script will not work out of the box as the `sed` implementation is different. Use a Docker container with Alpine or Ubuntu to run the script. ```hcl module "gitlab_ci_runner" { ... runners_docker_options { # set whatever is necessary } ``` ## Verification - [x] Use current configuration and ensure that the `config.toml` remains unchanged - [x] Set all new block variables and ensure that the `config.toml` is valid (use `gitlab-runner verify`) - [x] Check that the default settings with Terraform 1.3 work as expected - [x] Verify all docker settings against the documentation to ensure correct names The runner starts in both cases and is available in Gitlab. No example tested but used our active configuration at Hapag-Lloyd. 
--------- Co-authored-by: Tyrone Meijn --- .github/workflows/ci.yml | 2 +- examples/runner-certificates/main.tf | 7 +- examples/runner-default/main.tf | 8 +- examples/runner-multi-region/main.tf | 12 ++- examples/runner-public/main.tf | 6 +- locals.tf | 16 ++-- main.tf | 10 +-- migrations/migrate-to-7-0-0.sh | 51 ++++++++++++ template/runner-config.tftpl | 20 ++--- template/runners_docker_options.tftpl | 4 + variables.tf | 111 ++++++++++++++------------ versions.tf | 2 +- 12 files changed, 162 insertions(+), 87 deletions(-) create mode 100644 template/runners_docker_options.tftpl diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index a96f7f751..d40a29f15 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -31,7 +31,7 @@ jobs: strategy: fail-fast: false matrix: - terraform: [1.3.9, latest] + terraform: [ 1.3.9, latest ] example: [ "runner-default", diff --git a/examples/runner-certificates/main.tf b/examples/runner-certificates/main.tf index e7c9c5875..c0bef14ae 100644 --- a/examples/runner-certificates/main.tf +++ b/examples/runner-certificates/main.tf @@ -51,7 +51,12 @@ module "runner" { # cp /etc/gitlab-runner/certs/* /usr/local/share/ca-certificates/ # update-ca-certificates # Or similar OS-dependent commands. The above are an example for Ubuntu. - runners_additional_volumes = ["/etc/gitlab-runner/certs/:/etc/gitlab-runner/certs:ro"] + runners_docker_options = { + volumes = [ + "/cache", + "/etc/gitlab-runner/certs/:/etc/gitlab-runner/certs:ro" + ] + } ############################################### # Registration diff --git a/examples/runner-default/main.tf b/examples/runner-default/main.tf index 39a49fbe1..5038a9e9e 100644 --- a/examples/runner-default/main.tf +++ b/examples/runner-default/main.tf @@ -79,9 +79,6 @@ module "runner" { "tf-aws-gitlab-runner:instancelifecycle" = "spot:yes" } - runners_privileged = "true" - runners_additional_volumes = ["/certs/client"] - runners_volumes_tmpfs = [ { volume = "/var/opt/cache", 
@@ -106,6 +103,11 @@ module "runner" { } ] + runners_docker_options = { + privileged = "true" + volumes = ["/cache", "/certs/client"] + } + runners_pre_build_script = < value if value != null && key != "volumes" + }, { + volumes = local.runners_volumes + }) + } + ) + + # Ensure max builds is optional runners_max_builds_string = var.runners_max_builds == 0 ? "" : format("MaxBuilds = %d", var.runners_max_builds) @@ -64,17 +74,13 @@ locals { name_sg = var.overrides["name_sg"] == "" ? local.tags["Name"] : var.overrides["name_sg"] name_iam_objects = lookup(var.overrides, "name_iam_objects", "") == "" ? local.tags["Name"] : var.overrides["name_iam_objects"] - runners_additional_volumes = <<-EOT - %{~if var.runners_add_dind_volumes~},"/certs/client", "/builds", "/var/run/docker.sock:/var/run/docker.sock"%{endif~}%{~for volume in var.runners_additional_volumes~},"${volume}"%{endfor~} - EOT + runners_volumes = concat(var.runners_docker_options.volumes, var.runners_add_dind_volumes ? ["/certs/client", "/builds", "/var/run/docker.sock:/var/run/docker.sock"] : []) runners_docker_services = templatefile("${path.module}/template/runners_docker_services.tftpl", { runners_docker_services = var.runners_docker_services } ) - runners_pull_policies = "[\"${join("\",\"", var.runners_pull_policies)}\"]" - /* determines if the docker machine executable adds the Name tag automatically (versions >= 0.16.2) */ # make sure to skip pre-release stuff in the semver by ignoring everything after "-" docker_machine_version_used = split(".", split("-", var.docker_machine_version)[0]) diff --git a/main.tf b/main.tf index 9248df253..910441d39 100644 --- a/main.tf +++ b/main.tf 
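Review bot: `runners_volumes = concat(var.runners_docker_options.volumes, …)` dereferences the new object variable unconditionally, and the `merge({ for key, value in var.runners_docker_options … })` local above it does the same; if `runners_docker_options` is declared with `default = null` (a later commit in this series changes a `default = null` on the renamed variable, which suggests it was), any caller that does not set the variable fails with an attribute lookup on a null value. Either give the variable a non-null object default or guard the reads, e.g. `try(var.runners_docker_options.volumes, [])`. Note also that `/cache` is no longer mounted implicitly — the caller's list is taken as-is, and both examples in this commit add it by hand — so the variable description should say that `/cache` must be listed explicitly. The same unguarded dereference reappears as `var.executor_docker_options.volumes` in the locals.tf hunk of the later `fix syntax error` commit.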
@@ -91,7 +91,6 @@ locals { gitlab_url = var.runners_gitlab_url gitlab_clone_url = var.runners_clone_url tls_ca_file = length(var.runners_gitlab_certificate) > 0 ? "tls-ca-file=\"/etc/gitlab-runner/certs/gitlab.crt\"" : "" - runners_extra_hosts = var.runners_extra_hosts runners_vpc_id = var.vpc_id runners_subnet_id = var.subnet_id runners_aws_zone = data.aws_availability_zone.runners.name_suffix @@ -102,7 +101,6 @@ locals { runners_monitoring = var.runners_monitoring runners_ebs_optimized = var.runners_ebs_optimized runners_instance_profile = var.runners_executor == "docker+machine" ? aws_iam_instance_profile.docker_machine[0].name : "" - runners_additional_volumes = local.runners_additional_volumes docker_machine_options = length(local.docker_machine_options_string) == 1 ? "" : local.docker_machine_options_string docker_machine_name = format("%s-%s", local.runner_tags_merged["Name"], "%s") # %s is always needed runners_name = var.runners_name @@ -112,13 +110,6 @@ locals { runners_executor = var.runners_executor runners_limit = var.runners_limit runners_concurrent = var.runners_concurrent - runners_image = var.runners_image - runners_privileged = var.runners_privileged - runners_disable_cache = var.runners_disable_cache - runners_docker_runtime = var.runners_docker_runtime - runners_helper_image = var.runners_helper_image - runners_shm_size = var.runners_shm_size - runners_pull_policies = local.runners_pull_policies runners_idle_count = var.runners_idle_count runners_idle_time = var.runners_idle_time runners_max_builds = local.runners_max_builds_string 
@@ -135,6 +126,7 @@ locals { runners_request_concurrency = var.runners_request_concurrency runners_output_limit = var.runners_output_limit runners_check_interval = var.runners_check_interval + runners_docker_options = local.runners_docker_options_toml runners_volumes_tmpfs = join("\n", [for v in var.runners_volumes_tmpfs : format("\"%s\" = \"%s\"", v.volume, v.options)]) runners_services_volumes_tmpfs = join("\n", [for v in var.runners_services_volumes_tmpfs : format("\"%s\" = \"%s\"", v.volume, v.options)]) runners_docker_services = local.runners_docker_services diff --git a/migrations/migrate-to-7-0-0.sh b/migrations/migrate-to-7-0-0.sh index de69a715d..540743aa4 100755 --- a/migrations/migrate-to-7-0-0.sh +++ b/migrations/migrate-to-7-0-0.sh 
@@ -28,3 +28,54 @@ sed -i '/asg_terminate_lifecycle_lambda_timeout/d' "$converted_file" # PR #711 feat!: refactor Docker Machine autoscaling options # sed -i 's/runners_machine_autoscaling/runners_machine_autoscaling_options/g' "$converted_file" + +# +# PR #710 chore!: remove old variable `runners_pull_policy` +# +sed -i '/runners_pull_policy/d' "$converted_file" + +# +# PR #511 feat!: allow to set all docker options for the Executor +# +extracted_variables=$(grep -E '(runners_docker_runtime|runners_helper_image|runners_shm_size|runners_shm_size|runners_extra_hosts|runners_disable_cache|runners_image|runners_privileged)' "$converted_file") + +sed -i '/runners_image/d' "$converted_file" +sed -i '/runners_privileged/d' "$converted_file" +sed -i '/runners_disable_cache/d' "$converted_file" +sed -i '/runners_extra_hosts/d' "$converted_file" +sed -i '/runners_shm_size/d' "$converted_file" +sed -i '/runners_docker_runtime/d' "$converted_file" +sed -i '/runners_helper_image/d' "$converted_file" + +# content to be added to `volumes` +volumes=$(grep "runners_additional_volumes" "$converted_file" | cut -d '=' -f 2 | tr -d '[]') + +if [ -n "$volumes" ]; then + extracted_variables="$extracted_variables + volumes = [\"/cache\", $volumes]" +fi + +sed -i '/runners_additional_volumes/d' "$converted_file" + + +# rename the variables +extracted_variables=$(echo "$extracted_variables" | \ + sed 's/runners_image/image/g' | \ + sed 's/runners_privileged/privileged/g' | \ + sed 's/runners_disable_cache/disable_cache/g' | \ + sed 's/runners_extra_hosts/extra_hosts/g' | \ + sed 's/runners_shm_size/shm_size/g' | \ + sed 's/runners_docker_runtime/runtime/g' | \ + sed 's/runners_helper_image/helper_image/g' + ) + +# add new block runners_docker_options at the end +echo "$(head -n -1 "$converted_file") +runners_docker_options { + $extracted_variables +} +}" > x + +mv x "$converted_file" + +echo "Module call converted. Output: $converted_file" \ No newline at end of file 
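Review bot: The block appended to the converted file is written as `runners_docker_options {`, but a module argument must be an assignment — the examples in this commit use `runners_docker_options = {` — so the converted module call would be rejected with an unsupported-block error; change the echo to emit `runners_docker_options = {`. Two robustness points in the same hunk: the output is staged in a fixed file named `x` in the working directory, overwriting any existing file of that name (`tmp=$(mktemp)` avoids that), and `head -n -1` assumes the module block's closing brace is the very last line of the file. The `sed -i '/runners_image/d'` pattern also matches `runners_helper_image` lines, which is harmless here only because those are deleted as well.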
diff --git a/template/runner-config.tftpl b/template/runner-config.tftpl index eca80c910..9439a3c62 100644 --- a/template/runner-config.tftpl +++ b/template/runner-config.tftpl @@ -18,22 +18,17 @@ listen_address = "${prometheus_listen_address}" request_concurrency = ${runners_request_concurrency} output_limit = ${runners_output_limit} limit = ${runners_limit} - [runners.docker] - tls_verify = false - image = "${runners_image}" - privileged = ${runners_privileged} - disable_cache = ${runners_disable_cache} - volumes = ["/cache"${runners_additional_volumes}] - extra_hosts = ${jsonencode(runners_extra_hosts)} - shm_size = ${runners_shm_size} - pull_policy = ${runners_pull_policies} - runtime = "${runners_docker_runtime}" - helper_image = "${runners_helper_image}" - ${runners_docker_services} + + ${runners_docker_options} + + ${runners_docker_services} + [runners.docker.tmpfs] ${runners_volumes_tmpfs} + [runners.docker.services_tmpfs] ${runners_services_volumes_tmpfs} + [runners.cache] Type = "s3" Shared = ${shared_cache} @@ -43,6 +38,7 @@ listen_address = "${prometheus_listen_address}" BucketName = "${bucket_name}" BucketLocation = "${aws_region}" Insecure = false + [runners.machine] IdleCount = ${runners_idle_count} IdleTime = ${runners_idle_time} diff --git a/template/runners_docker_options.tftpl b/template/runners_docker_options.tftpl new file mode 100644 index 000000000..2a4dcac4a --- /dev/null +++ b/template/runners_docker_options.tftpl @@ -0,0 +1,4 @@ + [runners.docker] +%{ for key, value in options ~} + ${key} = ${jsonencode(value)} +%{ endfor ~} diff --git a/variables.tf b/variables.tf index 5d551bf97..a718bdf17 100644 --- a/variables.tf +++ b/variables.tf 
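Review bot: `runners_docker_options.tftpl` emits every attribute as `${key} = ${jsonencode(value)}` under `[runners.docker]`, so the variable's attribute names must match config.toml keys exactly, and only scalar or list values render as valid TOML — a nested object or map attribute would come out as a JSON object, which TOML does not accept. A bool attribute supplied as the string `"true"` (as the updated runner-default example does) renders correctly only if the variable type declares it as `bool`; if it were typed as a string, `jsonencode` would yield a quoted value for a boolean key. Add a header comment to the template, e.g. `# keys are written verbatim as [runners.docker] keys; values must be scalars or lists`.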
@@ -188,64 +188,77 @@ variable "runners_max_builds" { default = 0 } -variable "runners_image" { - description = "Image to run builds, will be used in the runner config.toml" - type = string - default = "docker:18.03.1-ce" -} - -variable "runners_privileged" { - description = "Runners will run in privileged mode, will be used in the runner config.toml" - type = bool - default = true -} - -variable "runners_disable_cache" { - description = "Runners will not use local cache, will be used in the runner config.toml" - type = bool - default = false -} - variable "runners_add_dind_volumes" { description = "Add certificates and docker.sock to the volumes to support docker-in-docker (dind)" type = bool default = false } -variable "runners_additional_volumes" { - description = "Additional volumes that will be used in the runner config.toml, e.g Docker socket" - type = list(any) - default = [] -} - -variable "runners_extra_hosts" { - description = "Extra hosts that will be used in the runner config.toml, e.g other-host:127.0.0.1" - type = list(any) - default = [] -} - -variable "runners_shm_size" { - description = "shm_size for the runners, will be used in the runner config.toml" - type = number - default = 0 -} +variable "runners_docker_options" { + description = < Date: Thu, 20 Apr 2023 10:36:07 +0200 Subject: [PATCH 23/74] fix wrong variable name --- examples/runner-default/main.tf | 2 +- examples/runner-pre-registered/main.tf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/examples/runner-default/main.tf b/examples/runner-default/main.tf index acb549bf6..65831ed89 100644 --- a/examples/runner-default/main.tf +++ b/examples/runner-default/main.tf @@ -96,7 +96,7 @@ module "runner" { ] # working 9 to 5 :) - executor_docker_machine_autoscaling = [ + executor_docker_machine_autoscaling_options = [ { periods = ["* * 0-9,17-23 * * mon-fri *", "* * * * * sat,sun *"] idle_count = 0 
diff --git a/examples/runner-pre-registered/main.tf b/examples/runner-pre-registered/main.tf index b3ecfeba0..d9182f85e 100644 --- a/examples/runner-pre-registered/main.tf +++ b/examples/runner-pre-registered/main.tf @@ -39,7 +39,7 @@ module "runner" { agent_gitlab_token = var.runner_token # working 9 to 5 :) - executor_docker_machine_autoscaling = [ + executor_docker_machine_autoscaling_options = [ { periods = ["* * 0-9,17-23 * * mon-fri *", "* * * * * sat,sun *"] idle_count = 0 From 30f03a4f618312c478700cf09b9203813593b288 Mon Sep 17 00:00:00 2001 From: kayma Date: Thu, 20 Apr 2023 10:51:30 +0200 Subject: [PATCH 24/74] fix syntax error --- examples/runner-multi-region/.terraform.lock.hcl | 2 ++ locals.tf | 7 ++----- main.tf | 2 +- 3 files changed, 5 insertions(+), 6 deletions(-) diff --git a/examples/runner-multi-region/.terraform.lock.hcl b/examples/runner-multi-region/.terraform.lock.hcl index 68b3bbd7e..7da931f00 100644 --- a/examples/runner-multi-region/.terraform.lock.hcl +++ b/examples/runner-multi-region/.terraform.lock.hcl @@ -5,6 +5,7 @@ provider "registry.terraform.io/hashicorp/archive" { version = "2.3.0" hashes = [ "h1:OmE1tPjiST8iQp6fC0N3Xzur+q2RvgvD7Lz0TpKSRBw=", + "h1:anS1fAU2IWUABjdscCF3nexOIeJXmC3bGOKyifatSDU=", "zh:0869128d13abe12b297b0cd13b8767f10d6bf047f5afc4215615aabc39c2eb4f", "zh:481ed837d63ba3aa45dd8736da83e911e3509dee0e7961bf5c00ed2644f807b3", "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", @@ -49,6 +50,7 @@ provider "registry.terraform.io/hashicorp/local" { version = "2.4.0" constraints = ">= 2.4.0, 2.4.0" hashes = [ + "h1:7RnIbO3CFakblTJs7o0mUiY44dc9xGYsLhSNFSNS1Ds=", "h1:R97FTYETo88sT2VHfMgkPU3lzCsZLunPftjSI5vfKe8=", "zh:53604cd29cb92538668fe09565c739358dc53ca56f9f11312b9d7de81e48fab9", "zh:66a46e9c508716a1c98efbf793092f03d50049fa4a83cd6b2251e9a06aca2acf", diff --git a/locals.tf b/locals.tf index 1e3d857db..1a59e3421 100644 --- a/locals.tf +++ b/locals.tf 
@@ -54,14 +54,13 @@ locals { runners_docker_options_toml = templatefile("${path.module}/template/runners_docker_options.tftpl", { options = merge({ - for key, value in var.runners_docker_options : key => value if value != null && key != "volumes" + for key, value in var.executor_docker_options : key => value if value != null && key != "volumes" }, { volumes = local.runners_volumes }) } ) - # Ensure max builds is optional runners_max_builds_string = var.executor_docker_machine_max_builds == 0 ? "" : format("MaxBuilds = %d", var.executor_docker_machine_max_builds) @@ -74,9 +73,7 @@ locals { name_sg = var.security_group_prefix == "" ? local.tags["Name"] : var.security_group_prefix name_iam_objects = var.iam_object_prefix == "" ? local.tags["Name"] : var.iam_object_prefix - runners_additional_volumes = <<-EOT - %{~if var.executor_docker_add_dind_volumes~},"/certs/client", "/builds", "/var/run/docker.sock:/var/run/docker.sock"%{endif~}%{~for volume in var.executor_docker_additional_volumes~},"${volume}"%{endfor~} - EOT + runners_volumes = concat(var.executor_docker_options.volumes, var.executor_docker_add_dind_volumes ? ["/certs/client", "/builds", "/var/run/docker.sock:/var/run/docker.sock"] : []) runners_docker_services = templatefile("${path.module}/template/runners_docker_services.tftpl", { runners_docker_services = var.executor_docker_services diff --git a/main.tf b/main.tf index 3ba51c511..dd234dcf8 100644 --- a/main.tf +++ b/main.tf 
@@ -103,7 +103,6 @@ locals { runners_monitoring = var.executor_docker_machine_enable_monitoring runners_ebs_optimized = var.executor_docker_machine_ec2_ebs_optimized runners_instance_profile = var.executor_type == "docker+machine" ? aws_iam_instance_profile.docker_machine[0].name : "" - runners_additional_volumes = local.runners_additional_volumes docker_machine_options = length(local.docker_machine_options_string) == 1 ? "" : local.docker_machine_options_string docker_machine_name = format("%s-%s", local.runner_tags_merged["Name"], "%s") # %s is always needed runners_name = var.agent_gitlab_runner_name @@ -139,6 +138,7 @@ locals { runners_volumes_tmpfs = join("\n", [for v in var.executor_docker_volumes_tmpfs : format("\"%s\" = \"%s\"", v.volume, v.options)]) runners_services_volumes_tmpfs = join("\n", [for v in var.executor_docker_services_volumes_tmpfs : format("\"%s\" = \"%s\"", v.volume, v.options)]) runners_docker_services = local.runners_docker_services + runners_docker_options = local.runners_docker_options_toml bucket_name = local.bucket_name shared_cache = var.executor_cache_shared sentry_dsn = var.agent_sentry_dsn From 90a9c483179a7298a13b85f6594b62ba50b72a4e Mon Sep 17 00:00:00 2001 From: kayma Date: Thu, 20 Apr 2023 10:58:34 +0200 Subject: [PATCH 25/74] fix lint issues --- .cspell.json | 4 ++ main.tf | 12 ++-- migrations/migrate-to-7-0-0.sh | 1 - variables.tf | 128 ++++++++++++++++----------------- 4 files changed, 71 insertions(+), 74 deletions(-) diff --git a/.cspell.json b/.cspell.json index 877c3e397..6d0ad9557 100644 --- a/.cspell.json +++ b/.cspell.json @@ -18,6 +18,8 @@ "codeowners", "companys", "concat", + "cpu", + "cpuset", "devskim", "dind", "endfor", @@ -45,6 +47,7 @@ "stretchr", "subkey", "substr", + "sysctl", "templatefile", "terrascan", "terratest", @@ -58,6 +61,7 @@ "trivy", "typecheck", "userdata", + "userns", "xanzy" ], "flagWords": [] diff --git a/main.tf b/main.tf index dd234dcf8..45c47de2a 100644 --- a/main.tf +++ b/main.tf 
@@ -82,11 +82,11 @@ locals { template_runner_config = templatefile("${path.module}/template/runner-config.tftpl", { - aws_region = data.aws_region.current.name - gitlab_url = var.agent_gitlab_url - gitlab_clone_url = var.agent_gitlab_clone_url - tls_ca_file = length(var.agent_gitlab_certificate) > 0 ? "tls-ca-file=\"/etc/gitlab-runner/certs/gitlab.crt\"" : "" - runners_extra_hosts = var.executor_docker_extra_hosts + aws_region = data.aws_region.current.name + gitlab_url = var.agent_gitlab_url + gitlab_clone_url = var.agent_gitlab_clone_url + tls_ca_file = length(var.agent_gitlab_certificate) > 0 ? "tls-ca-file=\"/etc/gitlab-runner/certs/gitlab.crt\"" : "" + runners_extra_hosts = var.executor_docker_extra_hosts runners_machine_autoscaling = [for config in var.executor_docker_machine_autoscaling_options : { for key, value in config : # Convert key from snake_case to PascalCase which is the casing for this section. @@ -169,7 +169,7 @@ data "aws_ami" "docker-machine" { # kics-scan ignore-line resource "aws_autoscaling_group" "gitlab_runner_instance" { # TODO Please explain how `agent_enable_asg_recreation` works - name = var.agent_enable_asg_recreation ? "${aws_launch_template.gitlab_runner_instance.name}-asg" : "${var.environment}-as-group" + name = var.agent_enable_asg_recreation ? "${aws_launch_template.gitlab_runner_instance.name}-asg" : "${var.environment}-as-group" vpc_zone_identifier = [var.subnet_id] min_size = "1" diff --git a/migrations/migrate-to-7-0-0.sh b/migrations/migrate-to-7-0-0.sh index b542d959f..9077f5b25 100755 --- a/migrations/migrate-to-7-0-0.sh +++ b/migrations/migrate-to-7-0-0.sh 
@@ -184,7 +184,6 @@ sed 's/runners_helper_image/executor_docker_helper_image/g' | \ sed 's/runners_docker_runtime/executor_docker_runtime/g' | \ sed 's/runners_shm_size/executor_docker_shm_size/g' | \ sed 's/runners_extra_hosts/executor_docker_extra_hosts/g' | \ -sed 's/runners_additional_volumes/executor_docker_additional_volumes/g' | \ sed 's/runners_add_dind_volumes/executor_docker_add_dind_volumes/g' | \ sed 's/runners_disable_cache/executor_docker_disable_local_cache/g' | \ sed 's/runners_privileged/executor_docker_privileged/g' | \ diff --git a/variables.tf b/variables.tf index 811a4e0db..a022c664d 100644 --- a/variables.tf +++ b/variables.tf @@ -162,7 +162,7 @@ variable "agent_extra_security_group_ids" { variable "agent_extra_egress_rules" { description = "List of egress rules for the Agent." - type = list(object({ + type = list(object({ cidr_blocks = list(string) ipv6_cidr_blocks = list(string) prefix_list_ids = list(string) @@ -244,7 +244,7 @@ variable "agent_enable_ssm_access" { variable "agent_metadata_options" { description = "Enable the Gitlab runner agent instance metadata service. IMDSv2 is enabled by default." - type = object({ + type = object({ http_endpoint = string http_tokens = string http_put_response_hop_limit = number @@ -279,7 +279,7 @@ variable "agent_enable_asg_recreation" { variable "agent_schedule_config" { description = "Map containing the configuration of the ASG scale-out and scale-in for the Agent. Will only be used if `agent_schedule_enable` is set to `true`. " type = map(any) - default = { + default = { # Configure optional scale_out scheduled action scale_out_recurrence = "0 8 * * 1-5" scale_out_count = 1 # Default for min_size, desired_capacity and max_size @@ -532,7 +532,7 @@ variable "executor_cache_s3_bucket" { bucket name. See the public runner example for more details." EOT type = map(any) - default = { + default = { create = true policy = "" bucket = "" 
@@ -610,7 +610,7 @@ variable "executor_post_build_script" { */ variable "executor_docker_volumes_tmpfs" { description = "Mount a tmpfs in Executor container. https://docs.gitlab.com/runner/executors/docker.html#mounting-a-directory-in-ram" - type = list(object({ + type = list(object({ volume = string options = string })) @@ -619,7 +619,7 @@ variable "executor_docker_volumes_tmpfs" { variable "executor_docker_services" { description = "Starts additional services with the Docker container. All fields must be set (examine the Dockerfile of the service image for the entrypoint - see ./examples/runner-default/main.tf)" - type = list(object({ + type = list(object({ name = string alias = string entrypoint = list(string) @@ -630,7 +630,7 @@ variable "executor_docker_services" { variable "executor_docker_services_volumes_tmpfs" { description = "Mount a tmpfs in gitlab service container. https://docs.gitlab.com/runner/executors/docker.html#mounting-a-directory-in-ram" - type = list(object({ + type = list(object({ volume = string options = string })) @@ -685,12 +685,6 @@ variable "executor_docker_disable_local_cache" { default = false } -variable "executor_docker_additional_volumes" { - description = "Additional volumes that will be used in the Executor, e.g Docker socket" - type = list(any) - default = [] -} - variable "executor_docker_add_dind_volumes" { description = "Add certificates and docker.sock to the volumes to support docker-in-docker (dind)" type = bool @@ -698,7 +692,7 @@ variable "executor_docker_add_dind_volumes" { } variable "executor_docker_options" { -description = < Date: Thu, 20 Apr 2023 11:04:43 +0200 Subject: [PATCH 26/74] fix syntax error --- examples/runner-default/main.tf | 1 - 1 file changed, 1 deletion(-) diff --git a/examples/runner-default/main.tf b/examples/runner-default/main.tf index 65831ed89..5767dc2cf 100644 --- a/examples/runner-default/main.tf +++ b/examples/runner-default/main.tf 
@@ -79,7 +79,6 @@ module "runner" { } executor_docker_privileged = "true" - executor_docker_additional_volumes = ["/certs/client"] executor_docker_volumes_tmpfs = [ { From b5f9e17a61a2fd23ab6e53370a3fb009b06e42ef Mon Sep 17 00:00:00 2001 From: kayma Date: Thu, 20 Apr 2023 11:21:24 +0200 Subject: [PATCH 27/74] removed obsolete variables present in executor_docker_options now --- examples/runner-default/main.tf | 2 -- locals.tf | 2 +- main.tf | 7 ---- migrations/migrate-to-7-0-0.sh | 14 +++----- variables.tf | 58 +++++---------------------------- 5 files changed, 14 insertions(+), 69 deletions(-) diff --git a/examples/runner-default/main.tf b/examples/runner-default/main.tf index 5767dc2cf..0b83a18cd 100644 --- a/examples/runner-default/main.tf +++ b/examples/runner-default/main.tf @@ -78,8 +78,6 @@ module "runner" { "tf-aws-gitlab-runner:instancelifecycle" = "spot:yes" } - executor_docker_privileged = "true" - executor_docker_volumes_tmpfs = [ { volume = "/var/opt/cache", diff --git a/locals.tf b/locals.tf index 1a59e3421..57e530b55 100644 --- a/locals.tf +++ b/locals.tf @@ -80,7 +80,7 @@ locals { } ) - runners_pull_policies = "[\"${join("\",\"", var.executor_docker_pull_policies)}\"]" + runners_pull_policies = "[\"${join("\",\"", var.executor_docker_options.pull_policies)}\"]" /* determines if the docker machine executable adds the Name tag automatically (versions >= 0.16.2) */ # make sure to skip pre-release stuff in the semver by ignoring everything after "-" diff --git a/main.tf b/main.tf index 45c47de2a..98409c82b 100644 --- a/main.tf +++ b/main.tf 
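Review bot: `runners_pull_policies = "[\"${join("\",\"", var.executor_docker_options.pull_policies)}\"]"` still hand-builds a TOML array by string joining, which fails if `pull_policies` is null and would mis-render an entry containing a quote; `jsonencode(var.executor_docker_options.pull_policies)` is the safer form. More importantly, the `pull_policy = ${runners_pull_policies}` line was removed from runner-config.tftpl in the earlier `feat!: allow to set all docker options` commit, so unless a hunk outside this view re-adds it, this local and the `runners_pull_policies` template argument that main.tf still passes are dead and can be deleted; the docker-options template already renders whatever pull-policy attribute the object carries.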
@@ -86,7 +86,6 @@ locals { gitlab_url = var.agent_gitlab_url gitlab_clone_url = var.agent_gitlab_clone_url tls_ca_file = length(var.agent_gitlab_certificate) > 0 ? "tls-ca-file=\"/etc/gitlab-runner/certs/gitlab.crt\"" : "" - runners_extra_hosts = var.executor_docker_extra_hosts runners_machine_autoscaling = [for config in var.executor_docker_machine_autoscaling_options : { for key, value in config : # Convert key from snake_case to PascalCase which is the casing for this section. @@ -112,12 +111,6 @@ locals { runners_executor = var.executor_type runners_limit = var.executor_max_jobs runners_concurrent = var.agent_maximum_concurrent_jobs - runners_image = var.executor_docker_image - runners_privileged = var.executor_docker_privileged - runners_disable_cache = var.executor_docker_disable_local_cache - runners_docker_runtime = var.executor_docker_runtime - runners_helper_image = var.executor_docker_helper_image - runners_shm_size = var.executor_docker_shm_size runners_pull_policies = local.runners_pull_policies runners_idle_count = var.executor_idle_count runners_idle_time = var.executor_idle_time diff --git a/migrations/migrate-to-7-0-0.sh b/migrations/migrate-to-7-0-0.sh index 9077f5b25..5a7b22a38 100755 --- a/migrations/migrate-to-7-0-0.sh +++ b/migrations/migrate-to-7-0-0.sh @@ -37,7 +37,7 @@ sed -i '/runners_pull_policy/d' "$converted_file" # # PR #511 feat!: allow to set all docker options for the Executor # -extracted_variables=$(grep -E '(runners_docker_runtime|runners_helper_image|runners_shm_size|runners_shm_size|runners_extra_hosts|runners_disable_cache|runners_image|runners_privileged)' "$converted_file") +extracted_variables=$(grep -E '(runners_pull_policies|runners_docker_runtime|runners_helper_image|runners_shm_size|runners_shm_size|runners_extra_hosts|runners_disable_cache|runners_image|runners_privileged)' "$converted_file") sed -i '/runners_image/d' "$converted_file" sed -i '/runners_privileged/d' "$converted_file" 
@@ -46,6 +46,7 @@ sed -i '/runners_extra_hosts/d' "$converted_file" sed -i '/runners_shm_size/d' "$converted_file" sed -i '/runners_docker_runtime/d' "$converted_file" sed -i '/runners_helper_image/d' "$converted_file" +sed -i '/runners_pull_policies/d' "$converted_file" # content to be added to `volumes` volumes=$(grep "runners_additional_volumes" "$converted_file" | cut -d '=' -f 2 | tr -d '[]') @@ -66,7 +67,8 @@ extracted_variables=$(echo "$extracted_variables" | \ sed 's/runners_extra_hosts/extra_hosts/g' | \ sed 's/runners_shm_size/shm_size/g' | \ sed 's/runners_docker_runtime/runtime/g' | \ - sed 's/runners_helper_image/helper_image/g' + sed 's/runners_helper_image/helper_image/g' | \ + sed 's/runners_pull_policies/pull_policies/g' ) # add new block runners_docker_options at the end @@ -179,15 +181,7 @@ sed 's/enable_asg_recreation/agent_enable_asg_recreation/g' | \ sed 's/secure_parameter_store_runner_sentry_dsn/agent_sentry_secure_parameter_store_name/g' | \ sed 's/secure_parameter_store_runner_token_key/agent_gitlab_token_secure_parameter_store/g' | \ sed 's/allow_iam_service_linked_role_creation/agent_allow_iam_service_linked_role_creation/g' | \ -sed 's/runners_pull_policies/executor_docker_pull_policies/g' | \ -sed 's/runners_helper_image/executor_docker_helper_image/g' | \ -sed 's/runners_docker_runtime/executor_docker_runtime/g' | \ -sed 's/runners_shm_size/executor_docker_shm_size/g' | \ -sed 's/runners_extra_hosts/executor_docker_extra_hosts/g' | \ sed 's/runners_add_dind_volumes/executor_docker_add_dind_volumes/g' | \ -sed 's/runners_disable_cache/executor_docker_disable_local_cache/g' | \ -sed 's/runners_privileged/executor_docker_privileged/g' | \ -sed 's/runners_image/executor_docker_image/g' | \ sed 's/runners_token/agent_gitlab_token/g' | \ sed 's/runners_name/agent_gitlab_runner_name/g' | \ sed 's/docker_machine_version/agent_docker_machine_version/g' | \ diff --git a/variables.tf b/variables.tf index a022c664d..3b6c2b867 100644 
--- a/variables.tf +++ b/variables.tf @@ -637,54 +637,6 @@ variable "executor_docker_services_volumes_tmpfs" { default = [] } -variable "executor_docker_extra_hosts" { - description = "Extra hosts to be passed to the container, e.g other-host:127.0.0.1" - type = list(any) - default = [] -} - -variable "executor_docker_shm_size" { - description = "shm_size for the runners, will be used in the runner config.toml" - type = number - default = 0 -} - -variable "executor_docker_runtime" { - description = "Docker runtime for Executors" - type = string - default = "" -} - -variable "executor_docker_privileged" { - description = "Executor will run in privileged mode" - type = bool - default = true -} - -variable "executor_docker_image" { - description = "Image to run builds" - type = string - default = "docker:18.03.1-ce" -} - -variable "executor_docker_helper_image" { - description = "Overrides the default helper image used to clone repos and upload artifacts" - type = string - default = "" -} - -variable "executor_docker_pull_policies" { - description = "Pull policies for the Executor, for Gitlab Runner >= 13.8, see https://docs.gitlab.com/runner/executors/docker.html#using-multiple-pull-policies " - type = list(string) - default = ["always"] -} - -variable "executor_docker_disable_local_cache" { - description = "Runners will not use local cache" - type = bool - default = false -} - variable "executor_docker_add_dind_volumes" { description = "Add certificates and docker.sock to the volumes to support docker-in-docker (dind)" type = bool @@ -755,7 +707,15 @@ variable "executor_docker_options" { wait_for_services_timeout = optional(number) }) - default = null + default = { + disable_cache = "false" + image = "docker:18.03.1-ce" + privileged = "true" + pull_policy = "always" + shm_size = 0 + tls_verify = "false" + volumes = "/cache" + } } /* From 2d79ffcdf9e5b2e6f03380b40b6089afc6ec741e Mon Sep 17 00:00:00 2001 
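Review bot: The new default for `executor_docker_options` gives `volumes` a plain string, `volumes = "/cache"`, while the examples in this series pass `volumes` as a list (`volumes = ["/var/run/docker.sock:/var/run/docker.sock"]` in runner-multi-region and runner-public); if the type block above, which is outside the hunk, declares `volumes` as `list(string)`, Terraform cannot convert the string and rejects the default. Use the list form, `volumes = ["/cache"]`, and write the boolean attributes as bare `true`/`false` rather than the quoted `"true"`/`"false"` strings, which only work through implicit conversion. Separately, `privileged = "true"` carries over the `executor_docker_privileged = true` default removed in the first hunk; since privileged mode gives build containers broad access to the executor host, the variable's description should state that it is on by default and how to disable it.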
From: kayma Date: Thu, 20 Apr 2023 11:34:31 +0200 Subject: [PATCH 28/74] rename variables agent_* to runner_manager_* --- .terraform.lock.hcl | 20 +++ examples/runner-certificates/main.tf | 6 +- examples/runner-default/main.tf | 12 +- examples/runner-docker/main.tf | 10 +- examples/runner-multi-region/main.tf | 16 +-- examples/runner-pre-registered/main.tf | 6 +- examples/runner-public/main.tf | 14 +- locals.tf | 20 +-- logging.tf | 12 +- main.tf | 178 ++++++++++++------------- security_groups.tf | 14 +- tags.tf | 2 +- variables.tf | 116 ++++++++-------- 13 files changed, 223 insertions(+), 203 deletions(-) diff --git a/.terraform.lock.hcl b/.terraform.lock.hcl index b05883a71..f90068d25 100644 --- a/.terraform.lock.hcl +++ b/.terraform.lock.hcl @@ -42,6 +42,26 @@ provider "registry.terraform.io/hashicorp/aws" { ] } +provider "registry.terraform.io/hashicorp/local" { + version = "2.4.0" + constraints = ">= 2.4.0" + hashes = [ + "h1:7RnIbO3CFakblTJs7o0mUiY44dc9xGYsLhSNFSNS1Ds=", + "zh:53604cd29cb92538668fe09565c739358dc53ca56f9f11312b9d7de81e48fab9", + "zh:66a46e9c508716a1c98efbf793092f03d50049fa4a83cd6b2251e9a06aca2acf", + "zh:70a6f6a852dd83768d0778ce9817d81d4b3f073fab8fa570bff92dcb0824f732", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:82a803f2f484c8b766e2e9c32343e9c89b91997b9f8d2697f9f3837f62926b35", + "zh:9708a4e40d6cc4b8afd1352e5186e6e1502f6ae599867c120967aebe9d90ed04", + "zh:973f65ce0d67c585f4ec250c1e634c9b22d9c4288b484ee2a871d7fa1e317406", + "zh:c8fa0f98f9316e4cfef082aa9b785ba16e36ff754d6aba8b456dab9500e671c6", + "zh:cfa5342a5f5188b20db246c73ac823918c189468e1382cb3c48a9c0c08fc5bf7", + "zh:e0e2b477c7e899c63b06b38cd8684a893d834d6d0b5e9b033cedc06dd7ffe9e2", + "zh:f62d7d05ea1ee566f732505200ab38d94315a4add27947a60afa29860822d3fc", + "zh:fa7ce69dde358e172bd719014ad637634bbdabc49363104f4fca759b4b73f2ce", + ] +} + provider "registry.terraform.io/hashicorp/random" { version = "3.4.3" hashes = [ 
diff --git a/examples/runner-certificates/main.tf b/examples/runner-certificates/main.tf index e881bc376..9a328152a 100644 --- a/examples/runner-certificates/main.tf +++ b/examples/runner-certificates/main.tf @@ -28,8 +28,8 @@ module "runner" { # General ############################################### - agent_gitlab_runner_name = var.runner_name - agent_gitlab_url = var.gitlab_url + runner_manager_gitlab_runner_name = var.runner_name + runner_manager_gitlab_url = var.gitlab_url executor_type = "docker" @@ -62,7 +62,7 @@ module "runner" { # Registration ############################################### - agent_gitlab_registration_config = { + runner_manager_gitlab_registration_config = { registration_token = var.registration_token tag_list = "docker_runner" description = "runner docker - auto" diff --git a/examples/runner-default/main.tf b/examples/runner-default/main.tf index 0b83a18cd..4b71373ec 100644 --- a/examples/runner-default/main.tf +++ b/examples/runner-default/main.tf @@ -54,17 +54,17 @@ module "runner" { vpc_id = module.vpc.vpc_id subnet_id = element(module.vpc.private_subnets, 0) - agent_collect_autoscaling_metrics = ["GroupDesiredCapacity", "GroupInServiceCapacity"] + runner_manager_collect_autoscaling_metrics = ["GroupDesiredCapacity", "GroupInServiceCapacity"] - agent_gitlab_runner_name = var.runner_name - agent_gitlab_url = var.gitlab_url - agent_enable_ssm_access = true + runner_manager_gitlab_runner_name = var.runner_name + runner_manager_gitlab_url = var.gitlab_url + runner_manager_enable_ssm_access = true - agent_ping_allow_from_security_groups = [data.aws_security_group.default.id] + runner_manager_ping_allow_from_security_groups = [data.aws_security_group.default.id] executor_docker_machine_ec2_spot_price_bid = "on-demand-price" - agent_gitlab_registration_config = { + runner_manager_gitlab_registration_config = { registration_token = var.registration_token tag_list = "docker_spot_runner" description = "runner default - auto" 
diff --git a/examples/runner-docker/main.tf b/examples/runner-docker/main.tf index 1378a4dbf..cd0147ae9 100644 --- a/examples/runner-docker/main.tf +++ b/examples/runner-docker/main.tf @@ -44,19 +44,19 @@ module "runner" { environment = var.environment executor_docker_machine_use_private_address = false - agent_enable_eip = true + runner_manager_enable_eip = true executor_docker_machine_security_group_description = "Custom description for docker-machine" - agent_security_group_description = "Custom description for gitlab-runner" + runner_manager_security_group_description = "Custom description for gitlab-runner" vpc_id = module.vpc.vpc_id subnet_id = element(module.vpc.public_subnets, 0) executor_type = "docker" - agent_gitlab_runner_name = var.runner_name - agent_gitlab_url = var.gitlab_url + runner_manager_gitlab_runner_name = var.runner_name + runner_manager_gitlab_url = var.gitlab_url - agent_gitlab_registration_config = { + runner_manager_gitlab_registration_config = { registration_token = var.registration_token tag_list = "docker_runner" description = "runner docker - auto" diff --git a/examples/runner-multi-region/main.tf b/examples/runner-multi-region/main.tf index b25b53bfe..9e921addd 100644 --- a/examples/runner-multi-region/main.tf +++ b/examples/runner-multi-region/main.tf @@ -33,8 +33,8 @@ module "runner_main_region" { executor_docker_machine_ec2_spot_price_bid = "on-demand-price" - agent_gitlab_runner_name = var.runner_name - agent_gitlab_url = var.gitlab_url + runner_manager_gitlab_runner_name = var.runner_name + runner_manager_gitlab_url = var.gitlab_url executor_extra_environment_variables = ["KEY=Value", "FOO=bar"] executor_docker_options = { @@ -42,7 +42,7 @@ module "runner_main_region" { volumes = ["/var/run/docker.sock:/var/run/docker.sock"] } - agent_gitlab_registration_config = { + runner_manager_gitlab_registration_config = { registration_token = var.registration_token tag_list = "docker_spot_runner" description = "runner public - auto" 
@@ -52,7 +52,7 @@ module "runner_main_region" { } security_group_prefix = "my-security-group" - agent_instance_prefix = "my-runner-agent" + runner_manager_instance_prefix = "my-runner-agent" executor_docker_machine_instance_prefix = "my-runners-dm" iam_object_prefix = local.name_iam_objects_main_region @@ -102,8 +102,8 @@ module "runner_alternate_region" { executor_docker_machine_ec2_spot_price_bid = "on-demand-price" - agent_gitlab_runner_name = var.runner_name - agent_gitlab_url = var.gitlab_url + runner_manager_gitlab_runner_name = var.runner_name + runner_manager_gitlab_url = var.gitlab_url executor_extra_environment_variables = ["KEY=Value", "FOO=bar"] executor_docker_options = { @@ -111,7 +111,7 @@ module "runner_alternate_region" { volumes = ["/var/run/docker.sock:/var/run/docker.sock"] } - agent_gitlab_registration_config = { + runner_manager_gitlab_registration_config = { registration_token = var.registration_token tag_list = "docker_spot_runner" description = "runner public - auto" @@ -122,7 +122,7 @@ module "runner_alternate_region" { } security_group_prefix = "my-security-group" - agent_instance_prefix = "my-runner-agent" + runner_manager_instance_prefix = "my-runner-agent" executor_docker_machine_instance_prefix = "my-runners-dm" iam_object_prefix = local.name_iam_objects_main_region # <-- diff --git a/examples/runner-pre-registered/main.tf b/examples/runner-pre-registered/main.tf index d9182f85e..1b6ebdbe1 100644 --- a/examples/runner-pre-registered/main.tf +++ b/examples/runner-pre-registered/main.tf @@ -34,9 +34,9 @@ module "runner" { vpc_id = module.vpc.vpc_id subnet_id = element(module.vpc.private_subnets, 0) - agent_gitlab_runner_name = var.runner_name - agent_gitlab_url = var.gitlab_url - agent_gitlab_token = var.runner_token + runner_manager_gitlab_runner_name = var.runner_name + runner_manager_gitlab_url = var.gitlab_url + runner_manager_gitlab_token = var.runner_token # working 9 to 5 :) executor_docker_machine_autoscaling_options = [ 
diff --git a/examples/runner-public/main.tf b/examples/runner-public/main.tf index ef9730020..b365110d8 100644 --- a/examples/runner-public/main.tf +++ b/examples/runner-public/main.tf @@ -38,8 +38,8 @@ module "runner" { executor_docker_machine_ec2_spot_price_bid = "on-demand-price" - agent_gitlab_runner_name = var.runner_name - agent_gitlab_url = var.gitlab_url + runner_manager_gitlab_runner_name = var.runner_name + runner_manager_gitlab_url = var.gitlab_url executor_extra_environment_variables = ["KEY=Value", "FOO=bar"] executor_docker_options = { @@ -47,7 +47,7 @@ module "runner" { volumes = ["/var/run/docker.sock:/var/run/docker.sock"] } - agent_gitlab_registration_config = { + runner_manager_gitlab_registration_config = { registration_token = var.registration_token tag_list = "docker_spot_runner" description = "runner public - auto" @@ -58,7 +58,7 @@ module "runner" { } security_group_prefix = "my-security-group" - agent_instance_prefix = "my-runner-agent" + runner_manager_instance_prefix = "my-runner-agent" executor_docker_machine_instance_prefix = "my-runners-dm" executor_cache_shared = "true" @@ -82,10 +82,10 @@ module "runner2" { executor_docker_machine_ec2_spot_price_bid = "on-demand-price" - agent_gitlab_runner_name = var.runner_name - agent_gitlab_url = var.gitlab_url + runner_manager_gitlab_runner_name = var.runner_name + runner_manager_gitlab_url = var.gitlab_url - agent_gitlab_registration_config = { + runner_manager_gitlab_registration_config = { registration_token = var.registration_token tag_list = "docker_spot_runner_2" description = "runner public - auto" diff --git a/locals.tf b/locals.tf index 57e530b55..bbb283354 100644 --- a/locals.tf +++ b/locals.tf 
@@ -1,21 +1,21 @@ locals { # Manage certificates pre_install_gitlab_certificate = ( - length(var.agent_gitlab_certificate) > 0 + length(var.runner_manager_gitlab_certificate) > 0 ? <<-EOT mkdir -p /etc/gitlab-runner/certs/ cat <<- EOF > /etc/gitlab-runner/certs/gitlab.crt - ${var.agent_gitlab_certificate} + ${var.runner_manager_gitlab_certificate} EOF EOT : "" ) pre_install_ca_certificate = ( - length(var.agent_gitlab_ca_certificate) > 0 + length(var.runner_manager_gitlab_ca_certificate) > 0 ? <<-EOT mkdir -p /etc/gitlab-runner/certs/ cat <<- EOF > /etc/gitlab-runner/certs/ca.crt - ${var.agent_gitlab_ca_certificate} + ${var.runner_manager_gitlab_ca_certificate} EOF EOT : "" @@ -28,7 +28,7 @@ locals { EOT pre_install_certificates = ( # If either (or both) _certificate variables are specified - length(var.agent_gitlab_certificate) + length(var.agent_gitlab_ca_certificate) > 0 + length(var.runner_manager_gitlab_certificate) + length(var.runner_manager_gitlab_ca_certificate) > 0 ? join("\n", [ local.pre_install_gitlab_certificate, local.pre_install_ca_certificate, @@ -39,7 +39,7 @@ locals { # Determine IAM role for runner instance aws_iam_role_instance_name = coalesce( - var.agent_iam_role_profile_name, + var.runner_manager_iam_role_profile_name, "${local.name_iam_objects}-instance" ) aws_iam_role_instance_arn = "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:role/${local.aws_iam_role_instance_name}" 
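Review bot: The `agent_*` to `runner_manager_*` rename does not reach migrations/migrate-to-7-0-0.sh, which is absent from this commit's diffstat; the version of that script rewritten in the previous commit still emits `agent_gitlab_url`, `agent_gitlab_token`, `agent_enable_asg_recreation` and the other `agent_*` names in its final `sed 's/.../agent_.../g'` pipeline. Unless a later commit in this series updates it, a 6.x configuration run through the helper references variables the module no longer declares, so `terraform validate` fails immediately after migrating. That pipeline should map to the new prefix in the same commit as the rename, e.g. `sed 's/runners_token/runner_manager_gitlab_token/g'` and likewise for the other entries. The `locals` block continues outside the hunk.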
@@ -65,11 +65,11 @@ locals { runners_max_builds_string = var.executor_docker_machine_max_builds == 0 ? "" : format("MaxBuilds = %d", var.executor_docker_machine_max_builds) # Define key for runner token for SSM - secure_parameter_store_runner_token_key = "${var.environment}-${var.agent_gitlab_token_secure_parameter_store}" - secure_parameter_store_runner_sentry_dsn = "${var.environment}-${var.agent_sentry_secure_parameter_store_name}" + secure_parameter_store_runner_token_key = "${var.environment}-${var.runner_manager_gitlab_token_secure_parameter_store}" + secure_parameter_store_runner_sentry_dsn = "${var.environment}-${var.runner_manager_sentry_secure_parameter_store_name}" # Custom names for runner agent instance, security groups, and IAM objects - name_runner_agent_instance = var.agent_instance_prefix == "" ? local.tags["Name"] : var.agent_instance_prefix + name_runner_agent_instance = var.runner_manager_instance_prefix == "" ? local.tags["Name"] : var.runner_manager_instance_prefix name_sg = var.security_group_prefix == "" ? local.tags["Name"] : var.security_group_prefix name_iam_objects = var.iam_object_prefix == "" ? local.tags["Name"] : var.iam_object_prefix @@ -84,7 +84,7 @@ locals { /* determines if the docker machine executable adds the Name tag automatically (versions >= 0.16.2) */ # make sure to skip pre-release stuff in the semver by ignoring everything after "-" - docker_machine_version_used = split(".", split("-", var.agent_docker_machine_version)[0]) + docker_machine_version_used = split(".", split("-", var.runner_manager_docker_machine_version)[0]) docker_machine_version_with_name_tag = split(".", "0.16.2") docker_machine_version_test = [ for i, j in reverse(range(length(local.docker_machine_version_used))) diff --git a/logging.tf b/logging.tf index 8a43d618f..86c78820b 100644 --- a/logging.tf +++ b/logging.tf 
@@ -1,25 +1,25 @@ resource "aws_iam_role_policy" "instance" { - count = var.agent_cloudwatch_enable && var.agent_create_runner_iam_role_profile ? 1 : 0 + count = var.runner_manager_cloudwatch_enable && var.runner_manager_create_runner_iam_role_profile ? 1 : 0 name = "${local.name_iam_objects}-logging" - role = var.agent_create_runner_iam_role_profile ? aws_iam_role.instance[0].name : local.aws_iam_role_instance_name + role = var.runner_manager_create_runner_iam_role_profile ? aws_iam_role.instance[0].name : local.aws_iam_role_instance_name policy = templatefile("${path.module}/policies/instance-logging-policy.json", { partition = data.aws_partition.current.partition }) } locals { logging_user_data = templatefile("${path.module}/template/logging.tftpl", { - log_group_name = var.agent_cloudwatch_log_group_name != null ? var.agent_cloudwatch_log_group_name : var.environment + log_group_name = var.runner_manager_cloudwatch_log_group_name != null ? var.runner_manager_cloudwatch_log_group_name : var.environment }) provided_kms_key = var.kms_key_id != "" ? var.kms_key_id : "" kms_key = local.provided_kms_key == "" && var.enable_managed_kms_key ? aws_kms_key.default[0].arn : local.provided_kms_key } resource "aws_cloudwatch_log_group" "environment" { - count = var.agent_cloudwatch_enable ? 1 : 0 - name = var.agent_cloudwatch_log_group_name != null ? var.agent_cloudwatch_log_group_name : var.environment + count = var.runner_manager_cloudwatch_enable ? 1 : 0 + name = var.runner_manager_cloudwatch_log_group_name != null ? var.runner_manager_cloudwatch_log_group_name : var.environment # ignores a false positive: retention_in_days not set # kics-scan ignore-line - retention_in_days = var.agent_cloudwatch_retention_days + retention_in_days = var.runner_manager_cloudwatch_retention_days tags = local.tags # ignored as decided by the user diff --git a/main.tf b/main.tf index 98409c82b..ba178ccde 100644 --- a/main.tf +++ b/main.tf 
@@ -38,12 +38,12 @@ resource "aws_ssm_parameter" "runner_sentry_dsn" { locals { template_user_data = templatefile("${path.module}/template/user-data.tftpl", { - eip = var.agent_enable_eip ? local.template_eip : "" - logging = var.agent_cloudwatch_enable ? local.logging_user_data : "" + eip = var.runner_manager_enable_eip ? local.template_eip : "" + logging = var.runner_manager_cloudwatch_enable ? local.logging_user_data : "" gitlab_runner = local.template_gitlab_runner - user_data_trace_log = var.agent_user_data_enable_trace_log - yum_update = var.agent_yum_update ? local.file_yum_update : "" - extra_config = var.agent_user_data_extra + user_data_trace_log = var.runner_manager_user_data_enable_trace_log + yum_update = var.runner_manager_yum_update ? local.file_yum_update : "" + extra_config = var.runner_manager_user_data_extra }) file_yum_update = file("${path.module}/template/yum_update.tftpl") 
@@ -54,38 +54,38 @@ locals { template_gitlab_runner = templatefile("${path.module}/template/gitlab-runner.tftpl", { - gitlab_runner_version = var.agent_gitlab_runner_version - docker_machine_version = var.agent_docker_machine_version - docker_machine_download_url = var.agent_docker_machine_download_url + gitlab_runner_version = var.runner_manager_gitlab_runner_version + docker_machine_version = var.runner_manager_docker_machine_version + docker_machine_download_url = var.runner_manager_docker_machine_download_url runners_config = local.template_runner_config runners_userdata = var.executor_docker_machine_userdata runners_executor = var.executor_type - runners_install_amazon_ecr_credential_helper = var.agent_install_amazon_ecr_credential_helper - curl_cacert = length(var.agent_gitlab_certificate) > 0 ? "--cacert /etc/gitlab-runner/certs/gitlab.crt" : "" + runners_install_amazon_ecr_credential_helper = var.runner_manager_install_amazon_ecr_credential_helper + curl_cacert = length(var.runner_manager_gitlab_certificate) > 0 ? 
"--cacert /etc/gitlab-runner/certs/gitlab.crt" : "" pre_install_certificates = local.pre_install_certificates - pre_install = var.agent_userdata_pre_install - post_install = var.agent_userdata_post_install - runners_gitlab_url = var.agent_gitlab_url - runners_token = var.agent_gitlab_token + pre_install = var.runner_manager_userdata_pre_install + post_install = var.runner_manager_userdata_post_install + runners_gitlab_url = var.runner_manager_gitlab_url + runners_token = var.runner_manager_gitlab_token secure_parameter_store_runner_token_key = local.secure_parameter_store_runner_token_key secure_parameter_store_runner_sentry_dsn = local.secure_parameter_store_runner_sentry_dsn secure_parameter_store_region = data.aws_region.current.name - gitlab_runner_registration_token = var.agent_gitlab_registration_config["registration_token"] - gitlab_runner_description = var.agent_gitlab_registration_config["description"] - gitlab_runner_tag_list = var.agent_gitlab_registration_config["tag_list"] - gitlab_runner_locked_to_project = var.agent_gitlab_registration_config["locked_to_project"] - gitlab_runner_run_untagged = var.agent_gitlab_registration_config["run_untagged"] - gitlab_runner_maximum_timeout = var.agent_gitlab_registration_config["maximum_timeout"] - gitlab_runner_access_level = lookup(var.agent_gitlab_registration_config, "access_level", "not_protected") - sentry_dsn = var.agent_sentry_dsn + gitlab_runner_registration_token = var.runner_manager_gitlab_registration_config["registration_token"] + gitlab_runner_description = var.runner_manager_gitlab_registration_config["description"] + gitlab_runner_tag_list = var.runner_manager_gitlab_registration_config["tag_list"] + gitlab_runner_locked_to_project = var.runner_manager_gitlab_registration_config["locked_to_project"] + gitlab_runner_run_untagged = var.runner_manager_gitlab_registration_config["run_untagged"] + gitlab_runner_maximum_timeout = var.runner_manager_gitlab_registration_config["maximum_timeout"] + 
gitlab_runner_access_level = lookup(var.runner_manager_gitlab_registration_config, "access_level", "not_protected") + sentry_dsn = var.runner_manager_sentry_dsn }) template_runner_config = templatefile("${path.module}/template/runner-config.tftpl", { aws_region = data.aws_region.current.name - gitlab_url = var.agent_gitlab_url - gitlab_clone_url = var.agent_gitlab_clone_url - tls_ca_file = length(var.agent_gitlab_certificate) > 0 ? "tls-ca-file=\"/etc/gitlab-runner/certs/gitlab.crt\"" : "" + gitlab_url = var.runner_manager_gitlab_url + gitlab_clone_url = var.runner_manager_gitlab_clone_url + tls_ca_file = length(var.runner_manager_gitlab_certificate) > 0 ? "tls-ca-file=\"/etc/gitlab-runner/certs/gitlab.crt\"" : "" runners_machine_autoscaling = [for config in var.executor_docker_machine_autoscaling_options : { for key, value in config : # Convert key from snake_case to PascalCase which is the casing for this section. @@ -104,13 +104,13 @@ locals { runners_instance_profile = var.executor_type == "docker+machine" ? aws_iam_instance_profile.docker_machine[0].name : "" docker_machine_options = length(local.docker_machine_options_string) == 1 ? "" : local.docker_machine_options_string docker_machine_name = format("%s-%s", local.runner_tags_merged["Name"], "%s") # %s is always needed - runners_name = var.agent_gitlab_runner_name + runners_name = var.runner_manager_gitlab_runner_name runners_tags = replace(replace(local.runner_tags_string, ",,", ","), "/,$/", "") - runners_token = var.agent_gitlab_token + runners_token = var.runner_manager_gitlab_token runners_userdata = var.executor_docker_machine_userdata runners_executor = var.executor_type runners_limit = var.executor_max_jobs - runners_concurrent = var.agent_maximum_concurrent_jobs + runners_concurrent = var.runner_manager_maximum_concurrent_jobs runners_pull_policies = local.runners_pull_policies runners_idle_count = var.executor_idle_count runners_idle_time = var.executor_idle_time 
@@ -127,15 +127,15 @@ locals { runners_pre_clone_script = var.executor_pre_clone_script runners_request_concurrency = var.executor_request_concurrency runners_output_limit = var.executor_output_limit - runners_check_interval = var.agent_gitlab_check_interval + runners_check_interval = var.runner_manager_gitlab_check_interval runners_volumes_tmpfs = join("\n", [for v in var.executor_docker_volumes_tmpfs : format("\"%s\" = \"%s\"", v.volume, v.options)]) runners_services_volumes_tmpfs = join("\n", [for v in var.executor_docker_services_volumes_tmpfs : format("\"%s\" = \"%s\"", v.volume, v.options)]) runners_docker_services = local.runners_docker_services runners_docker_options = local.runners_docker_options_toml bucket_name = local.bucket_name shared_cache = var.executor_cache_shared - sentry_dsn = var.agent_sentry_dsn - prometheus_listen_address = var.agent_prometheus_listen_address + sentry_dsn = var.runner_manager_sentry_dsn + prometheus_listen_address = var.runner_manager_prometheus_listen_address auth_type = var.executor_cache_s3_authentication_type } ) @@ -162,15 +162,15 @@ data "aws_ami" "docker-machine" { # kics-scan ignore-line resource "aws_autoscaling_group" "gitlab_runner_instance" { # TODO Please explain how `agent_enable_asg_recreation` works - name = var.agent_enable_asg_recreation ? "${aws_launch_template.gitlab_runner_instance.name}-asg" : "${var.environment}-as-group" + name = var.runner_manager_enable_asg_recreation ? "${aws_launch_template.gitlab_runner_instance.name}-asg" : "${var.environment}-as-group" vpc_zone_identifier = [var.subnet_id] min_size = "1" max_size = "1" desired_capacity = "1" health_check_grace_period = 0 - max_instance_lifetime = var.agent_max_instance_lifetime_seconds - enabled_metrics = var.agent_collect_autoscaling_metrics + max_instance_lifetime = var.runner_manager_max_instance_lifetime_seconds + enabled_metrics = var.runner_manager_collect_autoscaling_metrics dynamic "tag" { for_each = local.agent_tags 
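Review bot: The context comment directly above the renamed `name = var.runner_manager_enable_asg_recreation ? ...` line, `# TODO Please explain how \`agent_enable_asg_recreation\` works`, still names the old variable and goes stale with this hunk; update the name inside that comment to `runner_manager_enable_asg_recreation`, or better, replace the TODO with the explanation — the line below shows the flag switches the ASG name to one derived from the launch template name, which presumably is what forces recreation on template changes, so confirm and write that down. Module-internal names in the same hunk (`local.agent_tags`) keep the `agent` wording, which is fine but worth a one-line comment so readers do not take it for a missed rename. The `aws_autoscaling_group` resource continues outside the hunk.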
@@ -196,7 +196,7 @@ resource "aws_autoscaling_group" "gitlab_runner_instance" { } timeouts { - delete = var.agent_terraform_timeout_delete_asg + delete = var.runner_manager_terraform_timeout_delete_asg } lifecycle { ignore_changes = [min_size, max_size, desired_capacity] 
@@ -204,39 +204,39 @@ resource "aws_autoscaling_group" "gitlab_runner_instance" { } resource "aws_autoscaling_schedule" "scale_in" { - count = var.agent_schedule_enable ? 1 : 0 + count = var.runner_manager_schedule_enable ? 1 : 0 autoscaling_group_name = aws_autoscaling_group.gitlab_runner_instance.name scheduled_action_name = "scale_in-${aws_autoscaling_group.gitlab_runner_instance.name}" - recurrence = var.agent_schedule_config["scale_in_recurrence"] - time_zone = try(var.agent_schedule_config["scale_in_time_zone"], "Etc/UTC") - min_size = try(var.agent_schedule_config["scale_in_min_size"], var.agent_schedule_config["scale_in_count"]) - desired_capacity = try(var.agent_schedule_config["scale_in_desired_capacity"], var.agent_schedule_config["scale_in_count"]) - max_size = try(var.agent_schedule_config["scale_in_max_size"], var.agent_schedule_config["scale_in_count"]) + recurrence = var.runner_manager_schedule_config["scale_in_recurrence"] + time_zone = try(var.runner_manager_schedule_config["scale_in_time_zone"], "Etc/UTC") + min_size = try(var.runner_manager_schedule_config["scale_in_min_size"], var.runner_manager_schedule_config["scale_in_count"]) + desired_capacity = try(var.runner_manager_schedule_config["scale_in_desired_capacity"], var.runner_manager_schedule_config["scale_in_count"]) + max_size = try(var.runner_manager_schedule_config["scale_in_max_size"], var.runner_manager_schedule_config["scale_in_count"]) } resource "aws_autoscaling_schedule" "scale_out" { - count = var.agent_schedule_enable ? 1 : 0 + count = var.runner_manager_schedule_enable ? 
1 : 0 autoscaling_group_name = aws_autoscaling_group.gitlab_runner_instance.name scheduled_action_name = "scale_out-${aws_autoscaling_group.gitlab_runner_instance.name}" - recurrence = var.agent_schedule_config["scale_out_recurrence"] - time_zone = try(var.agent_schedule_config["scale_out_time_zone"], "Etc/UTC") - min_size = try(var.agent_schedule_config["scale_out_min_size"], var.agent_schedule_config["scale_out_count"]) - desired_capacity = try(var.agent_schedule_config["scale_out_desired_capacity"], var.agent_schedule_config["scale_out_count"]) - max_size = try(var.agent_schedule_config["scale_out_max_size"], var.agent_schedule_config["scale_out_count"]) + recurrence = var.runner_manager_schedule_config["scale_out_recurrence"] + time_zone = try(var.runner_manager_schedule_config["scale_out_time_zone"], "Etc/UTC") + min_size = try(var.runner_manager_schedule_config["scale_out_min_size"], var.runner_manager_schedule_config["scale_out_count"]) + desired_capacity = try(var.runner_manager_schedule_config["scale_out_desired_capacity"], var.runner_manager_schedule_config["scale_out_count"]) + max_size = try(var.runner_manager_schedule_config["scale_out_max_size"], var.runner_manager_schedule_config["scale_out_count"]) } data "aws_ami" "runner" { most_recent = "true" dynamic "filter" { - for_each = var.agent_ami_filter + for_each = var.runner_manager_ami_filter content { name = filter.key values = filter.value } } - owners = var.agent_ami_owners + owners = var.runner_manager_ami_owners } resource "aws_launch_template" "gitlab_runner_instance" { 
@@ -246,20 +246,20 @@ resource "aws_launch_template" "gitlab_runner_instance" { image_id = data.aws_ami.runner.id user_data = base64gzip(local.template_user_data) - instance_type = var.agent_instance_type + instance_type = var.runner_manager_instance_type update_default_version = true - ebs_optimized = var.agent_ebs_optimized + ebs_optimized = var.runner_manager_ebs_optimized monitoring { - enabled = var.agent_enable_monitoring + enabled = var.runner_manager_enable_monitoring } dynamic "instance_market_options" { - for_each = var.agent_spot_price == null || var.agent_spot_price == "" ? [] : ["spot"] + for_each = var.runner_manager_spot_price == null || var.runner_manager_spot_price == "" ? [] : ["spot"] content { market_type = instance_market_options.value dynamic "spot_options" { - for_each = var.agent_spot_price == "on-demand-price" ? [] : [0] + for_each = var.runner_manager_spot_price == "on-demand-price" ? [] : [0] content { - max_price = var.agent_spot_price + max_price = var.runner_manager_spot_price } } } @@ -268,7 +268,7 @@ resource "aws_launch_template" "gitlab_runner_instance" { name = local.aws_iam_role_instance_name } dynamic "block_device_mappings" { - for_each = [var.agent_root_block_device] + for_each = [var.runner_manager_root_block_device] content { # cSpell:ignore xvda device_name = lookup(block_device_mappings.value, "device_name", "/dev/xvda") 
@@ -284,8 +284,8 @@ resource "aws_launch_template" "gitlab_runner_instance" { } } network_interfaces { - security_groups = concat([aws_security_group.runner.id], var.agent_extra_security_group_ids) - associate_public_ip_address = false == (var.agent_use_private_address == false ? var.agent_use_private_address : var.executor_docker_machine_use_private_address) + security_groups = concat([aws_security_group.runner.id], var.runner_manager_extra_security_group_ids) + associate_public_ip_address = false == (var.runner_manager_use_private_address == false ? var.runner_manager_use_private_address : var.executor_docker_machine_use_private_address) } tag_specifications { resource_type = "instance" @@ -296,7 +296,7 @@ resource "aws_launch_template" "gitlab_runner_instance" { tags = local.tags } dynamic "tag_specifications" { - for_each = var.agent_spot_price == null || var.agent_spot_price == "" ? [] : ["spot"] + for_each = var.runner_manager_spot_price == null || var.runner_manager_spot_price == "" ? [] : ["spot"] content { resource_type = "spot-instances-request" tags = local.tags @@ -306,10 +306,10 @@ resource "aws_launch_template" "gitlab_runner_instance" { tags = local.tags metadata_options { - http_endpoint = var.agent_metadata_options.http_endpoint - http_tokens = var.agent_metadata_options.http_tokens - http_put_response_hop_limit = var.agent_metadata_options.http_put_response_hop_limit - instance_metadata_tags = var.agent_metadata_options.instance_metadata_tags + http_endpoint = var.runner_manager_metadata_options.http_endpoint + http_tokens = var.runner_manager_metadata_options.http_tokens + http_put_response_hop_limit = var.runner_manager_metadata_options.http_put_response_hop_limit + instance_metadata_tags = var.runner_manager_metadata_options.instance_metadata_tags } lifecycle { 
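Review bot: The renamed `associate_public_ip_address = false == (var.runner_manager_use_private_address == false ? var.runner_manager_use_private_address : var.executor_docker_machine_use_private_address)` is hard to audit for a setting that decides whether the runner manager gets a public IP. If both variables are booleans, the conditional's true branch always yields `false`, so the expression reduces to `associate_public_ip_address = !(var.runner_manager_use_private_address && var.executor_docker_machine_use_private_address)`, which also makes the coupling visible: a manager with `runner_manager_use_private_address = true` still receives a public IP whenever the docker-machine setting is public. Since this hunk already rewrites the line, it is the moment to simplify it and add a comment stating that coupling, or to decide that it should depend only on the manager's own setting. The `aws_launch_template` resource continues outside the hunk.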
@@ -353,7 +353,7 @@ module "cache" { ### Trust policy ################################################################################ resource "aws_iam_instance_profile" "instance" { - count = var.agent_create_runner_iam_role_profile ? 1 : 0 + count = var.runner_manager_create_runner_iam_role_profile ? 1 : 0 name = local.aws_iam_role_instance_name role = local.aws_iam_role_instance_name @@ -362,13 +362,13 @@ resource "aws_iam_instance_profile" "instance" { } resource "aws_iam_role" "instance" { - count = var.agent_create_runner_iam_role_profile ? 1 : 0 + count = var.runner_manager_create_runner_iam_role_profile ? 1 : 0 name = local.aws_iam_role_instance_name - assume_role_policy = length(var.agent_assume_role_json) > 0 ? var.agent_assume_role_json : templatefile("${path.module}/policies/instance-role-trust-policy.json", {}) + assume_role_policy = length(var.runner_manager_assume_role_json) > 0 ? var.runner_manager_assume_role_json : templatefile("${path.module}/policies/instance-role-trust-policy.json", {}) permissions_boundary = var.iam_permissions_boundary == "" ? null : "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:policy/${var.iam_permissions_boundary}" - tags = merge(local.tags, var.agent_extra_role_tags) + tags = merge(local.tags, var.runner_manager_extra_role_tags) } ################################################################################ @@ -392,7 +392,7 @@ resource "aws_iam_policy" "instance_kms_policy" { resource "aws_iam_role_policy_attachment" "instance_kms_policy" { count = var.enable_managed_kms_key ? 1 : 0 - role = var.agent_create_runner_iam_role_profile ? aws_iam_role.instance[0].name : local.aws_iam_role_instance_name + role = var.runner_manager_create_runner_iam_role_profile ? aws_iam_role.instance[0].name : local.aws_iam_role_instance_name policy_arn = aws_iam_policy.instance_kms_policy[0].arn } 
@@ -403,7 +403,7 @@ resource "aws_iam_role_policy_attachment" "instance_kms_policy" { ### iam:PassRole To pass the role from the agent to the docker machine runners ################################################################################ resource "aws_iam_policy" "instance_docker_machine_policy" { - count = var.executor_type == "docker+machine" && var.agent_create_runner_iam_role_profile ? 1 : 0 + count = var.executor_type == "docker+machine" && var.runner_manager_create_runner_iam_role_profile ? 1 : 0 name = "${local.name_iam_objects}-docker-machine" path = "/" @@ -417,7 +417,7 @@ resource "aws_iam_policy" "instance_docker_machine_policy" { } resource "aws_iam_role_policy_attachment" "instance_docker_machine_policy" { - count = var.executor_type == "docker+machine" && var.agent_create_runner_iam_role_profile ? 1 : 0 + count = var.executor_type == "docker+machine" && var.runner_manager_create_runner_iam_role_profile ? 1 : 0 role = aws_iam_role.instance[0].name policy_arn = aws_iam_policy.instance_docker_machine_policy[0].arn @@ -427,7 +427,7 @@ resource "aws_iam_role_policy_attachment" "instance_docker_machine_policy" { ### Policies for runner agent instance to allow connection via Session Manager ################################################################################ resource "aws_iam_policy" "instance_session_manager_policy" { - count = var.agent_enable_ssm_access ? 1 : 0 + count = var.runner_manager_enable_ssm_access ? 1 : 0 name = "${local.name_iam_objects}-session-manager" path = "/" 
@@ -438,16 +438,16 @@ resource "aws_iam_policy" "instance_session_manager_policy" { } resource "aws_iam_role_policy_attachment" "instance_session_manager_policy" { - count = var.agent_enable_ssm_access ? 1 : 0 + count = var.runner_manager_enable_ssm_access ? 1 : 0 - role = var.agent_create_runner_iam_role_profile ? aws_iam_role.instance[0].name : local.aws_iam_role_instance_name + role = var.runner_manager_create_runner_iam_role_profile ? aws_iam_role.instance[0].name : local.aws_iam_role_instance_name policy_arn = aws_iam_policy.instance_session_manager_policy[0].arn } resource "aws_iam_role_policy_attachment" "instance_session_manager_aws_managed" { - count = var.agent_enable_ssm_access ? 1 : 0 + count = var.runner_manager_enable_ssm_access ? 1 : 0 - role = var.agent_create_runner_iam_role_profile ? aws_iam_role.instance[0].name : local.aws_iam_role_instance_name + role = var.runner_manager_create_runner_iam_role_profile ? aws_iam_role.instance[0].name : local.aws_iam_role_instance_name policy_arn = "arn:${data.aws_partition.current.partition}:iam::aws:policy/AmazonSSMManagedInstanceCore" } @@ -455,10 +455,10 @@ resource "aws_iam_role_policy_attachment" "instance_session_manager_aws_managed" ### Add user defined policies ################################################################################ resource "aws_iam_role_policy_attachment" "user_defined_policies" { - count = length(var.agent_extra_iam_policy_arns) + count = length(var.runner_manager_extra_iam_policy_arns) - role = var.agent_create_runner_iam_role_profile ? aws_iam_role.instance[0].name : local.aws_iam_role_instance_name - policy_arn = var.agent_extra_iam_policy_arns[count.index] + role = var.runner_manager_create_runner_iam_role_profile ? aws_iam_role.instance[0].name : local.aws_iam_role_instance_name + policy_arn = var.runner_manager_extra_iam_policy_arns[count.index] } ################################################################################ 
@@ -470,7 +470,7 @@ resource "aws_iam_role_policy_attachment" "docker_machine_cache_instance" { use aws_iam_role.docker_machine.name here! See https://docs.gitlab.com/runner/configuration/advanced-configuration.html */ count = var.executor_type == "docker+machine" ? (var.executor_cache_s3_bucket["create"] || lookup(var.executor_cache_s3_bucket, "policy", "") != "" ? 1 : 0) : 0 - role = var.agent_create_runner_iam_role_profile ? aws_iam_role.instance[0].name : local.aws_iam_role_instance_name + role = var.runner_manager_create_runner_iam_role_profile ? aws_iam_role.instance[0].name : local.aws_iam_role_instance_name policy_arn = local.bucket_policy } @@ -519,7 +519,7 @@ resource "aws_iam_role_policy_attachment" "docker_machine_session_manager_aws_ma ### Service linked policy, optional ################################################################################ resource "aws_iam_policy" "service_linked_role" { - count = var.agent_allow_iam_service_linked_role_creation ? 1 : 0 + count = var.runner_manager_allow_iam_service_linked_role_creation ? 1 : 0 name = "${local.name_iam_objects}-service_linked_role" path = "/" @@ -530,15 +530,15 @@ resource "aws_iam_policy" "service_linked_role" { } resource "aws_iam_role_policy_attachment" "service_linked_role" { - count = var.agent_allow_iam_service_linked_role_creation ? 1 : 0 + count = var.runner_manager_allow_iam_service_linked_role_creation ? 1 : 0 - role = var.agent_create_runner_iam_role_profile ? aws_iam_role.instance[0].name : local.aws_iam_role_instance_name + role = var.runner_manager_create_runner_iam_role_profile ? aws_iam_role.instance[0].name : local.aws_iam_role_instance_name policy_arn = aws_iam_policy.service_linked_role[0].arn } resource "aws_eip" "gitlab_runner" { # checkov:skip=CKV2_AWS_19:We can't use NAT gateway here as we are contacted from the outside. - count = var.agent_enable_eip ? 1 : 0 + count = var.runner_manager_enable_eip ? 1 : 0 tags = local.tags } 
@@ -556,7 +556,7 @@ resource "aws_iam_policy" "ssm" { } resource "aws_iam_role_policy_attachment" "ssm" { - role = var.agent_create_runner_iam_role_profile ? aws_iam_role.instance[0].name : local.aws_iam_role_instance_name + role = var.runner_manager_create_runner_iam_role_profile ? aws_iam_role.instance[0].name : local.aws_iam_role_instance_name policy_arn = aws_iam_policy.ssm.arn } @@ -564,7 +564,7 @@ resource "aws_iam_role_policy_attachment" "ssm" { ### AWS assign EIP ################################################################################ resource "aws_iam_policy" "eip" { - count = var.agent_enable_eip ? 1 : 0 + count = var.runner_manager_enable_eip ? 1 : 0 name = "${local.name_iam_objects}-eip" path = "/" @@ -575,9 +575,9 @@ resource "aws_iam_policy" "eip" { } resource "aws_iam_role_policy_attachment" "eip" { - count = var.agent_enable_eip ? 1 : 0 + count = var.runner_manager_enable_eip ? 1 : 0 - role = var.agent_create_runner_iam_role_profile ? aws_iam_role.instance[0].name : local.aws_iam_role_instance_name + role = var.runner_manager_create_runner_iam_role_profile ? aws_iam_role.instance[0].name : local.aws_iam_role_instance_name policy_arn = aws_iam_policy.eip[0].arn } 
@@ -587,11 +587,11 @@ resource "aws_iam_role_policy_attachment" "eip" { module "terminate_agent_hook" { source = "./modules/terminate-agent-hook" - name = var.agent_terminate_ec2_lifecycle_hook_name == null ? "terminate-instances" : var.agent_terminate_ec2_lifecycle_hook_name + name = var.runner_manager_terminate_ec2_lifecycle_hook_name == null ? "terminate-instances" : var.runner_manager_terminate_ec2_lifecycle_hook_name environment = var.environment asg_arn = aws_autoscaling_group.gitlab_runner_instance.arn asg_name = aws_autoscaling_group.gitlab_runner_instance.name - cloudwatch_logging_retention_in_days = var.agent_cloudwatch_retention_days + cloudwatch_logging_retention_in_days = var.runner_manager_cloudwatch_retention_days name_iam_objects = local.name_iam_objects name_docker_machine_runners = local.runner_tags_merged["Name"] role_permissions_boundary = var.iam_permissions_boundary == "" ? null : "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:policy/${var.iam_permissions_boundary}" diff --git a/security_groups.tf b/security_groups.tf index daa69977a..e4464bea8 100644 --- a/security_groups.tf +++ b/security_groups.tf @@ -6,10 +6,10 @@ resource "aws_security_group" "runner" { # checkov:skip=CKV2_AWS_5:False positive. Security group is used in a launch template network interface section. name_prefix = local.name_sg vpc_id = var.vpc_id - description = var.agent_security_group_description + description = var.runner_manager_security_group_description dynamic "egress" { - for_each = var.agent_extra_egress_rules + for_each = var.runner_manager_extra_egress_rules iterator = each content { 
@@ -43,19 +43,19 @@ resource "aws_security_group" "runner" { # Allow ICMP traffic from allowed security group IDs to gitlab-runner agent instances resource "aws_security_group_rule" "runner_ping_group" { - count = length(var.agent_ping_allow_from_security_groups) > 0 && var.agent_ping_enable ? length(var.agent_ping_allow_from_security_groups) : 0 + count = length(var.runner_manager_ping_allow_from_security_groups) > 0 && var.runner_manager_ping_enable ? length(var.runner_manager_ping_allow_from_security_groups) : 0 type = "ingress" from_port = -1 to_port = -1 protocol = "icmp" - source_security_group_id = element(var.agent_ping_allow_from_security_groups, count.index) + source_security_group_id = element(var.runner_manager_ping_allow_from_security_groups, count.index) security_group_id = aws_security_group.runner.id description = format( "Allow ICMP traffic from %s to gitlab-runner agent instances in group %s", - element(var.agent_ping_allow_from_security_groups, count.index), + element(var.runner_manager_ping_allow_from_security_groups, count.index), aws_security_group.runner.name ) } @@ -131,7 +131,7 @@ resource "aws_security_group_rule" "docker_machine_docker_runner" { # Combine runner security group id and additional security group IDs locals { # Only include runner security group id and additional if ping is enabled - security_groups_ping = var.agent_ping_enable && length(var.agent_ping_allow_from_security_groups) > 0 ? concat(var.agent_ping_allow_from_security_groups, [aws_security_group.runner.id]) : [] + security_groups_ping = var.runner_manager_ping_enable && length(var.runner_manager_ping_allow_from_security_groups) > 0 ? concat(var.runner_manager_ping_allow_from_security_groups, [aws_security_group.runner.id]) : [] } # Allow SSH traffic from gitlab-runner agent instances and security group IDs to docker-machine instances 
@@ -214,7 +214,7 @@ resource "aws_security_group_rule" "docker_machine_ssh_self" { # Allow ICMP traffic from docker-machine instances to docker-machine instances resource "aws_security_group_rule" "docker_machine_ping_self" { - count = (var.executor_type == "docker+machine" && var.agent_ping_enable) ? 1 : 0 + count = (var.executor_type == "docker+machine" && var.runner_manager_ping_enable) ? 1 : 0 type = "ingress" from_port = -1 diff --git a/tags.tf b/tags.tf index 131711d09..7109c262a 100644 --- a/tags.tf +++ b/tags.tf @@ -19,7 +19,7 @@ locals { "Environment" = format("%s", var.environment) }, var.tags, - var.agent_extra_instance_tags + var.runner_manager_extra_instance_tags ) agent_tags = { for k, v in local.agent_tags_merged : k => v if !contains(var.suppressed_tags, k) } diff --git a/variables.tf b/variables.tf index 3b6c2b867..8b690f26b 100644 --- a/variables.tf +++ b/variables.tf 
@@ -71,45 +71,45 @@ variable "iam_object_prefix" { } /* - * Agent variables. The agent runs the GitLab Runner software and is responsible for starting the executors. + * Runner Manager: A type of runner that can create multiple runners for autoscaling. Specific to the type of executor used. */ -variable "agent_instance_prefix" { +variable "runner_manager_instance_prefix" { description = "Set the name prefix and override the `Name` tag for the Agent instance." type = string default = "" } -variable "agent_instance_type" { +variable "runner_manager_instance_type" { description = "Agent instance type used." type = string default = "t3.micro" } -variable "agent_extra_instance_tags" { +variable "runner_manager_extra_instance_tags" { description = "Map of tags that will be added to Agent EC2 instance." type = map(string) default = {} } -variable "agent_spot_price" { +variable "runner_manager_spot_price" { description = "By setting a spot price bid price the runner agent will be created via a spot request. Be aware that spot instances can be stopped by AWS. Choose \"on-demand-price\" to pay up to the current on demand price for the instance type chosen." type = string default = null } -variable "agent_ebs_optimized" { +variable "runner_manager_ebs_optimized" { description = "Enable the Agent instance to be EBS-optimized." type = bool default = true } -variable "agent_root_block_device" { +variable "runner_manager_root_block_device" { description = "The Agent's root block device configuration. Takes the following keys: `device_name`, `delete_on_termination`, `volume_type`, `volume_size`, `encrypted`, `iops`, `throughput`, `kms_key_id`" type = map(string) default = {} } -variable "agent_ami_filter" { +variable "runner_manager_ami_filter" { description = "List of maps used to create the AMI filter for the Agent AMI. Must resolve to an Amazon Linux 1 or 2 image." type = map(list(string)) 
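Review bot: The new block comment introduces the term "Runner Manager", but every description in this hunk still calls the resource "the Agent" (`runner_manager_instance_type` is "Agent instance type used.", `runner_manager_extra_instance_tags` is "added to Agent EC2 instance", and so on), so the generated input docs will mix both names after the rename. The same stale wording runs through the following variables.tf hunks (-118, -188, -258, -294, -386). Suggest sweeping the descriptions in the same commit, e.g. `description = "Runner Manager instance type used."`, so readers of README.md do not have to know that "Agent" and "runner_manager_*" are the same thing.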
@@ -118,49 +118,49 @@ variable "agent_ami_filter" { } } -variable "agent_ami_owners" { +variable "runner_manager_ami_owners" { description = "The list of owners used to select the AMI of the Agent instance." type = list(string) default = ["amazon"] } -variable "agent_enable_monitoring" { +variable "runner_manager_enable_monitoring" { description = "Enable the detailed monitoring on the Agent instance." type = bool default = true } -variable "agent_collect_autoscaling_metrics" { +variable "runner_manager_collect_autoscaling_metrics" { description = "A list of metrics to collect. The allowed values are GroupDesiredCapacity, GroupInServiceCapacity, GroupPendingCapacity, GroupMinSize, GroupMaxSize, GroupInServiceInstances, GroupPendingInstances, GroupStandbyInstances, GroupStandbyCapacity, GroupTerminatingCapacity, GroupTerminatingInstances, GroupTotalCapacity, GroupTotalInstances." type = list(string) default = null } -variable "agent_ping_enable" { +variable "runner_manager_ping_enable" { description = "Allow ICMP Ping to the Agent. Specify `agent_ping_allowed_from_security_groups` too!" type = bool default = false } -variable "agent_ping_allow_from_security_groups" { +variable "runner_manager_ping_allow_from_security_groups" { description = "A list of security group ids that are allowed to access the gitlab runner agent" type = list(string) default = [] } -variable "agent_security_group_description" { +variable "runner_manager_security_group_description" { description = "A description for the Agents security group" type = string default = "A security group containing gitlab-runner agent instances" } -variable "agent_extra_security_group_ids" { +variable "runner_manager_extra_security_group_ids" { description = "IDs of security groups to add to the Agent." type = list(string) default = [] } -variable "agent_extra_egress_rules" { +variable "runner_manager_extra_egress_rules" { description = "List of egress rules for the Agent." 
type = list(object({ cidr_blocks = list(string) 
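Review bot: The description of `runner_manager_ping_enable` tells users to also set `agent_ping_allowed_from_security_groups`, which is neither the old name (`agent_ping_allow_from_security_groups`, the very next variable) nor the new one. Since the ICMP rule in security_groups.tf only gets a non-zero `count` when both `runner_manager_ping_enable` and a non-empty `runner_manager_ping_allow_from_security_groups` are set, a reader following this description ends up with no ping rule and no error. Suggest `description = "Allow ICMP Ping to the Runner Manager. Specify runner_manager_ping_allow_from_security_groups too!"`.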
@@ -188,61 +188,61 @@ variable "agent_extra_egress_rules" { ] } -variable "agent_allow_iam_service_linked_role_creation" { +variable "runner_manager_allow_iam_service_linked_role_creation" { description = "Boolean used to control attaching the policy to the Agent to create service linked roles." type = bool default = true } -variable "agent_create_runner_iam_role_profile" { +variable "runner_manager_create_runner_iam_role_profile" { description = "Whether to create the IAM role/profile for the Agent. If you provide your own role, make sure that it has the required permissions." type = bool default = true } -variable "agent_iam_role_profile_name" { +variable "runner_manager_iam_role_profile_name" { description = "IAM role/profile name for the Agent. If unspecified then `$${var.iam_object_prefix}-instance` is used." type = string default = "" } -variable "agent_extra_role_tags" { +variable "runner_manager_extra_role_tags" { description = "Map of tags that will be added to the role created. Useful for tag based authorization." type = map(string) default = {} } -variable "agent_assume_role_json" { +variable "runner_manager_assume_role_json" { description = "The assume role policy for the Agent." type = string default = "" } -variable "agent_extra_iam_policy_arns" { +variable "runner_manager_extra_iam_policy_arns" { description = "List of policy ARNs to be added to the instance profile of the Agent." type = list(string) default = [] } -variable "agent_enable_eip" { +variable "runner_manager_enable_eip" { description = "Assigns an EIP to the Agent." type = bool default = false } -variable "agent_use_private_address" { +variable "runner_manager_use_private_address" { description = "Restrict the Agent to the use of a private IP address. If this is set to `false` it will override the `runners_use_private_address` for the agent." 
type = bool default = true } -variable "agent_enable_ssm_access" { +variable "runner_manager_enable_ssm_access" { description = "Allows to connect to the Agent via SSM." type = bool default = false } -variable "agent_metadata_options" { +variable "runner_manager_metadata_options" { description = "Enable the Gitlab runner agent instance metadata service. IMDSv2 is enabled by default." type = object({ http_endpoint = string @@ -258,25 +258,25 @@ variable "agent_metadata_options" { } } -variable "agent_schedule_enable" { +variable "runner_manager_schedule_enable" { description = "Set to `true` to enable the auto scaling group schedule for the Agent." type = bool default = false } -variable "agent_max_instance_lifetime_seconds" { +variable "runner_manager_max_instance_lifetime_seconds" { description = "The maximum time an Agent should live before it is killed." default = null type = number } -variable "agent_enable_asg_recreation" { +variable "runner_manager_enable_asg_recreation" { description = "Enable automatic redeployment of the Agent ASG when the Launch Configs change." default = true type = bool } -variable "agent_schedule_config" { +variable "runner_manager_schedule_config" { description = "Map containing the configuration of the ASG scale-out and scale-in for the Agent. Will only be used if `agent_schedule_enable` is set to `true`. " type = map(any) default = { 
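Review bot: The description of `runner_manager_use_private_address` still says it overrides `runners_use_private_address`, but the launch template in main.tf falls back to `var.executor_docker_machine_use_private_address` and the migration script maps `runners_use_private_address` to that same name, so the text points at an input that no longer exists. Suggest `description = "Restrict the Runner Manager to the use of a private IP address. If this is set to false it will override executor_docker_machine_use_private_address for the Runner Manager."`. The rest of this variable block (type/default) is at the start of the next physical line, outside the hunk boundary as rendered here.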
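Review bot: `runner_manager_schedule_config`'s description still says it is only used if `agent_schedule_enable` is `true`, while that variable is renamed to `runner_manager_schedule_enable` in the same hunk. Suggest `description = "Map containing the configuration of the ASG scale-out and scale-in for the Runner Manager. Will only be used if runner_manager_schedule_enable is set to true."`; the default map that follows is outside the hunk.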
@@ -294,84 +294,84 @@ variable "agent_schedule_config" { } } -variable "agent_install_amazon_ecr_credential_helper" { +variable "runner_manager_install_amazon_ecr_credential_helper" { description = "Install amazon-ecr-credential-helper inside `userdata_pre_install` script" type = bool default = false } -variable "agent_docker_machine_version" { +variable "runner_manager_docker_machine_version" { description = "By default docker_machine_download_url is used to set the docker machine version. This version will be ignored once `docker_machine_download_url` is set. The version number is maintained by the CKI project. Check out at https://gitlab.com/cki-project/docker-machine/-/releases" type = string default = "0.16.2-gitlab.19-cki.2" } -variable "agent_docker_machine_download_url" { +variable "runner_manager_docker_machine_download_url" { description = "(Optional) By default the module will use `docker_machine_version` to download the CKI maintained version (https://gitlab.com/cki-project/docker-machine) of Docker Machine. Alternative you can set this property to download location of the distribution of for the OS. 
See also https://docs.gitlab.com/runner/executors/docker_machine.html#install" type = string default = "" } -variable "agent_yum_update" { +variable "runner_manager_yum_update" { description = "Run a `yum` update as part of starting the Agent" type = bool default = true } -variable "agent_userdata_pre_install" { +variable "runner_manager_userdata_pre_install" { description = "User-data script snippet to insert before GitLab Runner install" type = string default = "" } -variable "agent_userdata_post_install" { +variable "runner_manager_userdata_post_install" { description = "User-data script snippet to insert after GitLab Runner install" type = string default = "" } -variable "agent_user_data_extra" { +variable "runner_manager_user_data_extra" { description = "Extra commands to run as part of starting the Agent" type = string default = "" } -variable "agent_user_data_enable_trace_log" { +variable "runner_manager_user_data_enable_trace_log" { description = "Enable bash trace for the user data script on the Agent. Be aware this could log sensitive data such as you GitLab runner token." type = bool default = true } -variable "agent_cloudwatch_enable" { +variable "runner_manager_cloudwatch_enable" { description = "Boolean used to enable or disable the CloudWatch logging." type = bool default = true } -variable "agent_cloudwatch_retention_days" { +variable "runner_manager_cloudwatch_retention_days" { description = "Retention for cloudwatch logs. Defaults to unlimited. Requires `agent_cloudwatch_enable = true`." type = number default = 0 } -variable "agent_cloudwatch_log_group_name" { +variable "runner_manager_cloudwatch_log_group_name" { description = "Option to override the default name (`environment`) of the log group. Requires `agent_cloudwatch_enable = true`." default = null type = string } -variable "agent_gitlab_runner_name" { +variable "runner_manager_gitlab_runner_name" { description = "Name of the Gitlab Runner." 
type = string } -variable "agent_gitlab_runner_version" { +variable "runner_manager_gitlab_runner_version" { description = "Version of the [GitLab runner](https://gitlab.com/gitlab-org/gitlab-runner/-/releases)." type = string default = "15.8.2" } -variable "agent_gitlab_registration_config" { +variable "runner_manager_gitlab_registration_config" { description = "Configuration used to register the Agent. See the README for an example, or reference the examples in the examples directory of this repo." type = map(string) 
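Review bot: `runner_manager_user_data_enable_trace_log` keeps `default = true` even though its own description warns that bash tracing can log sensitive data such as the GitLab runner token, and `runner_manager_cloudwatch_enable` also defaults to `true`, so presumably that trace output ends up in CloudWatch for a default deployment. As this is already a breaking release that renames every input, it would be the natural moment to switch to `default = false` and list it in the migration notes, or at minimum to say in the description that it should be off outside of debugging. Separately, the descriptions of `runner_manager_cloudwatch_retention_days` and `runner_manager_cloudwatch_log_group_name` still say "Requires `agent_cloudwatch_enable = true`", which should now read `runner_manager_cloudwatch_enable = true`.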
@@ -386,78 +386,78 @@ variable "agent_gitlab_registration_config" { } } -variable "agent_gitlab_token_secure_parameter_store" { +variable "runner_manager_gitlab_token_secure_parameter_store" { description = "Name of the Secure Parameter Store entry to hold the GitLab Runner token." type = string default = "runner-token" } -variable "agent_gitlab_ca_certificate" { +variable "runner_manager_gitlab_ca_certificate" { description = "Trusted CA certificate bundle (PEM format). Example: `file(\"$${path.module}/ca.crt\")`" type = string default = "" } -variable "agent_gitlab_certificate" { +variable "runner_manager_gitlab_certificate" { description = "Certificate of the GitLab instance to connect to (PEM format). Example: `file(\"$${path.module}/my-gitlab.crt\")`" type = string default = "" } -variable "agent_gitlab_check_interval" { +variable "runner_manager_gitlab_check_interval" { description = "Number of seconds between checking for available jobs." type = number default = 3 } -variable "agent_gitlab_url" { +variable "runner_manager_gitlab_url" { description = "URL of the GitLab instance to connect to." type = string } -variable "agent_gitlab_clone_url" { +variable "runner_manager_gitlab_clone_url" { description = "Overwrites the URL for the GitLab instance. Use only if the agent can’t connect to the GitLab URL." type = string default = "" } -variable "agent_gitlab_token" { +variable "runner_manager_gitlab_token" { description = "Token for the Agent to connect to GitLab" type = string default = "__REPLACED_BY_USER_DATA__" } -variable "agent_maximum_concurrent_jobs" { +variable "runner_manager_maximum_concurrent_jobs" { description = "The maximum number of jobs which can be processed by all executors at the same time." 
type = number default = 10 } -variable "agent_sentry_dsn" { +variable "runner_manager_sentry_dsn" { description = "Sentry DSN of the project for the Agent to use (uses legacy DSN format)" type = string default = "__SENTRY_DSN_REPLACED_BY_USER_DATA__" } -variable "agent_sentry_secure_parameter_store_name" { +variable "runner_manager_sentry_secure_parameter_store_name" { description = "The Sentry DSN name used to store the Sentry DSN in Secure Parameter Store" type = string default = "sentry-dsn" } -variable "agent_prometheus_listen_address" { +variable "runner_manager_prometheus_listen_address" { description = "Defines an address (:) the Prometheus metrics HTTP server should listen on." type = string default = "" } -variable "agent_terminate_ec2_lifecycle_hook_name" { +variable "runner_manager_terminate_ec2_lifecycle_hook_name" { description = "Specifies a custom name for the ASG terminate lifecycle hook and related resources." type = string default = null } -variable "agent_terraform_timeout_delete_asg" { +variable "runner_manager_terraform_timeout_delete_asg" { description = "Timeout when trying to delete the Agent ASG." default = "10m" type = string @@ -714,7 +714,7 @@ variable "executor_docker_options" { pull_policy = "always" shm_size = 0 tls_verify = "false" - volumes = "/cache" + volumes = ["/cache"] } } From e014dc6dd0af32ffcc38d20523c1953ff452b2a5 Mon Sep 17 00:00:00 2001 From: kayma Date: Thu, 20 Apr 2023 11:37:47 +0200 Subject: [PATCH 29/74] rename variables in script too --- migrations/migrate-to-7-0-0.sh | 110 ++++++++++++++++----------------- 1 file changed, 55 insertions(+), 55 deletions(-) diff --git a/migrations/migrate-to-7-0-0.sh b/migrations/migrate-to-7-0-0.sh index 5a7b22a38..276d2a4a7 100755 --- a/migrations/migrate-to-7-0-0.sh +++ b/migrations/migrate-to-7-0-0.sh 
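Review bot: `runner_manager_gitlab_token` and `runner_manager_sentry_dsn` carry secrets but neither block declares `sensitive = true`, so a value a user passes directly can appear in plan/apply output and in anything that renders the variable (the launch template's `user_data` is built from locals in main.tf). The rename already rewrites both blocks, so adding `sensitive = true` to each is a one-line change here; the `__REPLACED_BY_USER_DATA__` placeholder defaults suggest the real value is normally fetched at boot, which makes the change low-risk for existing users. Minor: the description of `runner_manager_gitlab_clone_url` uses a typographic apostrophe in "can’t".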
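Review bot: The `volumes = ["/cache"]` change in the `executor_docker_options` default is a type fix unrelated to the variable rename and is not mentioned in the commit message; it only validates if the object type (outside the hunk, so I cannot confirm) declares `volumes` as `list(string)`, and anyone who passed the previous string form will now get a type error at plan time. It deserves its own commit or at least a line in the migration notes. In the same default, `tls_verify = "false"` stays a string while `shm_size = 0` is a number; if the attribute is typed `bool` Terraform will convert it, but a literal `false` would be clearer.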
@@ -90,53 +90,53 @@ sed 's/enable_kms/enable_managed_kms_key/g' "$converted_file" | \
 sed 's/kms_alias_name/kms_managed_alias_name/g' | \
 sed 's/kms_deletion_window_in_days/kms_managed_deletion_rotation_window_in_days/g' | \
 sed 's/permission_boundary/iam_permission_boundary/g' | \
-sed 's/extra_security_group_ids_runner_agent/agent_extra_security_group_ids/g' | \
-sed 's/instance_type/agent_instance_type/g' | \
-sed 's/runner_instance_ebs_optimized/agent_ebs_optimized/g' | \
-sed 's/runner_instance_enable_monitoring/agent_enable_monitoring/g' | \
-sed 's/runner_instance_metadata_options/agent_metadata_options/g' | \
+sed 's/extra_security_group_ids_runner_agent/runner_manager_extra_security_group_ids/g' | \
+sed 's/instance_type/runner_manager_instance_type/g' | \
+sed 's/runner_instance_ebs_optimized/runner_manager_ebs_optimized/g' | \
+sed 's/runner_instance_enable_monitoring/runner_manager_enable_monitoring/g' | \
+sed 's/runner_instance_metadata_options/runner_manager_metadata_options/g' | \
 sed 's/runners_userdata/executor_docker_machine_userdata/g' | \
 sed 's/runners_executor/executor_type/g' | \
-sed 's/runners_install_amazon_ecr_credential_helper/agent_install_amazon_ecr_credential_helper/g' | \
-sed 's/runners_clone_url/agent_gitlab_clone_url/g' | \
-sed 's/runners_gitlab_url/agent_gitlab_url/g' | \
+sed 's/runners_install_amazon_ecr_credential_helper/runner_manager_install_amazon_ecr_credential_helper/g' | \
+sed 's/runners_clone_url/runner_manager_gitlab_clone_url/g' | \
+sed 's/runners_gitlab_url/runner_manager_gitlab_url/g' | \
 sed 's/runners_max_builds/executor_docker_machine_max_builds/g' | \
 sed 's/runners_idle_count/executor_idle_count/g' | \
 sed 's/runners_idle_time/executor_idle_time/g' | \
-sed 's/runners_concurrent/agent_maximum_concurrent_jobs/g' | \
+sed 's/runners_concurrent/runner_manager_maximum_concurrent_jobs/g' | \
 sed 's/runners_limit/executor_max_jobs/g' | \
-sed 's/runners_check_interval/agent_gitlab_check_interval/g' | \
-sed 's/sentry_dsn/agent_sentry_dsn/g' | \
-sed 's/prometheus_listen_address/agent_prometheus_listen_address/g' | \
-sed 's/runner_extra_config/agent_user_data_extra/g' | \
-sed 's/runners_ca_certificate/agent_gitlab_ca_certificate/g' | \
-sed 's/runners_yum_update/agent_yum_update/g' | \
+sed 's/runners_check_interval/runner_manager_gitlab_check_interval/g' | \
+sed 's/sentry_dsn/runner_manager_sentry_dsn/g' | \
+sed 's/prometheus_listen_address/runner_manager_prometheus_listen_address/g' | \
+sed 's/runner_extra_config/runner_manager_user_data_extra/g' | \
+sed 's/runners_ca_certificate/runner_manager_gitlab_ca_certificate/g' | \
+sed 's/runners_yum_update/runner_manager_yum_update/g' | \
 sed 's/runners_gitlab_certificate/runners_gitlab_certificate/g' | \
-sed 's/asg_terminate_lifecycle_hook_name/agent_terminate_ec2_lifecycle_hook_name/g' | \
-sed 's/runner_iam_policy_arns/agent_extra_iam_policy_arns/g' | \
-sed 's/create_runner_iam_role/agent_create_runner_iam_role_profile/g' | \
-sed 's/runner_iam_role_name/agent_iam_role_profile_name/g' | \
-sed 's/enable_eip/agent_enable_eip/g' | \
-sed 's/enable_runner_ssm_access/agent_enable_ssm_access/g' | \
-sed 's/enable_runner_user_data_trace_log/agent_user_data_enable_trace_log/g' | \
-sed 's/enable_schedule/agent_schedule_enable/g' | \
-sed 's/schedule_config/agent_schedule_config/g' | \
-sed 's/runner_root_block_device/agent_root_block_device/g' | \
-sed 's/gitlab_runner_registration_config/agent_gitlab_registration_config/g' | \
-sed 's/[^_]ami_filter/agent_ami_filter/g' | \
-sed 's/[^_]ami_owners/agent_ami_owners/g' | \
+sed 's/asg_terminate_lifecycle_hook_name/runner_manager_terminate_ec2_lifecycle_hook_name/g' | \
+sed 's/runner_iam_policy_arns/runner_manager_extra_iam_policy_arns/g' | \
+sed 's/create_runner_iam_role/runner_manager_create_runner_iam_role_profile/g' | \
+sed 's/runner_iam_role_name/runner_manager_iam_role_profile_name/g' | \
+sed 's/enable_eip/runner_manager_enable_eip/g' | \
+sed 's/enable_runner_ssm_access/runner_manager_enable_ssm_access/g' | \
+sed 's/enable_runner_user_data_trace_log/runner_manager_user_data_enable_trace_log/g' | \
+sed 's/enable_schedule/runner_manager_schedule_enable/g' | \
+sed 's/schedule_config/runner_manager_schedule_config/g' | \
+sed 's/runner_root_block_device/runner_manager_root_block_device/g' | \
+sed 's/gitlab_runner_registration_config/runner_manager_gitlab_registration_config/g' | \
+sed 's/[^_]ami_filter/runner_manager_ami_filter/g' | \
+sed 's/[^_]ami_owners/runner_manager_ami_owners/g' | \
 sed 's/runner_ami_filter/executor_docker_machine_ami_filter/g' | \
 sed 's/runner_ami_owners/executor_docker_machine_ami_owners/g' | \
-sed 's/instance_role_json/agent_assume_role_json/g' | \
+sed 's/instance_role_json/runner_manager_assume_role_json/g' | \
 sed 's/docker_machine_role_json/executor_docker_machine_assume_role_json/g' | \
-sed 's/role_tags/agent_extra_role_tags/g' | \
+sed 's/role_tags/runner_manager_extra_role_tags/g' | \
 sed 's/runner_tags/executor_docker_machine_extra_role_tags/g' | \
-sed 's/agent_tags/agent_extra_instance_tags/g' | \
-sed 's/enable_ping/agent_ping_enable/g' | \
-sed 's/gitlab_runner_version/agent_gitlab_runner_version/g' | \
-sed 's/gitlab_runner_egress_rules/agent_extra_egress_rules/g' | \
-sed 's/gitlab_runner_security_group_ids/agent_ping_allow_from_security_groups/g' | \
-sed 's/gitlab_runner_security_group_description/agent_security_group_description/g' | \
+sed 's/agent_tags/runner_manager_extra_instance_tags/g' | \
+sed 's/enable_ping/runner_manager_ping_enable/g' | \
+sed 's/gitlab_runner_version/runner_manager_gitlab_runner_version/g' | \
+sed 's/gitlab_runner_egress_rules/runner_manager_extra_egress_rules/g' | \
+sed 's/gitlab_runner_security_group_ids/runner_manager_ping_allow_from_security_groups/g' | \
+sed 's/gitlab_runner_security_group_description/runner_manager_security_group_description/g' | \
 sed 's/cache_shared/executor_cache_shared/g' | \
 sed 's/cache_expiration_days/executor_cache_s3_expiration_days/g' | \
 sed 's/cache_bucket_versioning/executor_cache_s3_enable_versioning/g' | \
@@ -145,11 +145,11 @@ sed 's/cache_logging_bucket/executor_cache_s3_logging_bucket_id/g' | \
 sed 's/cache_bucket_set_random_suffix/executor_cache_s3_bucket_enable_random_suffix/g' | \
 sed 's/cache_bucket_name_include_account_id/executor_cache_s3_bucket_name_include_account_id/g' | \
 sed 's/cache_bucket_prefix/executor_cache_s3_bucket_prefix/g' | \
-sed 's/runner_agent_uses_private_address/agent_use_private_address/g' | \
+sed 's/runner_agent_uses_private_address/runner_manager_use_private_address/g' | \
 sed 's/runners_use_private_address/executor_docker_machine_use_private_address/g' | \
 sed 's/runners_request_spot_instance/executor_docker_machine_request_spot_instances/g' | \
-sed 's/userdata_pre_install/agent_userdata_pre_install/g' | \
-sed 's/userdata_post_install/agent_userdata_post_install/g' | \
+sed 's/userdata_pre_install/runner_manager_userdata_pre_install/g' | \
+sed 's/userdata_post_install/runner_manager_userdata_post_install/g' | \
 sed 's/runners_pre_build_script/executor_pre_build_script/g' | \
 sed 's/runners_post_build_script/executor_post_build_script/g' | \
 sed 's/runners_pre_clone_script/executor_pre_clone_script/g' | \
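Review bot: The rewritten patterns are unanchored substrings and their order makes some of them wrong: `sed 's/instance_type/runner_manager_instance_type/g'` near the top of this hunk rewrites `docker_machine_instance_type` into `docker_machine_runner_manager_instance_type`, so the later `sed 's/docker_machine_instance_type/executor_docker_machine_instance_type/g'` in the -177 hunk never matches. The new `[^_]ami_filter` and `[^_]ami_owners` expressions also swallow the character before the match (an indent space or quote disappears) and, since sed works one line at a time, never match when the name starts the line. Capturing the preceding character fixes both and also makes the script idempotent, since a second run would otherwise turn `runner_manager_instance_type` into `runner_manager_runner_manager_instance_type`; e.g. `sed 's/\([^_a-z]\)instance_type/\1runner_manager_instance_type/g'` and `sed 's/\([^_]\)ami_filter/\1runner_manager_ami_filter/g'`. The pipeline this hunk belongs to starts before the hunk and continues after it.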
@@ -159,11 +159,11 @@ sed 's/runners_environment_vars/executor_extra_environment_variables/g' | \
 sed 's/runners_docker_registry_mirror/executor_docker_machine_docker_registry_mirror_url/g' | \
 sed 's/docker_machine_egress_rules/executor_docker_machine_extra_egress_rules/g' | \
 sed 's/docker_machine_iam_policy_arns/executor_docker_machine_extra_iam_policy_arns/g' | \
-sed 's/enable_cloudwatch_logging/agent_cloudwatch_enable/g' | \
-sed 's/cloudwatch_logging_retention_in_days/agent_cloudwatch_retention_days/g' | \
-sed 's/log_group_name/agent_cloudwatch_log_group_name/g' | \
-sed 's/asg_max_instance_lifetime/agent_max_instance_lifetime_seconds/g' | \
-sed 's/asg_delete_timeout/agent_terraform_timeout_delete_asg/g' | \
+sed 's/enable_cloudwatch_logging/runner_manager_cloudwatch_enable/g' | \
+sed 's/cloudwatch_logging_retention_in_days/runner_manager_cloudwatch_retention_days/g' | \
+sed 's/log_group_name/runner_manager_cloudwatch_log_group_name/g' | \
+sed 's/asg_max_instance_lifetime/runner_manager_max_instance_lifetime_seconds/g' | \
+sed 's/asg_delete_timeout/runner_manager_terraform_timeout_delete_asg/g' | \
 sed 's/enable_docker_machine_ssm_access/executor_enable_ssm_access/g' | \
 sed 's/cache_bucket/executor_cache_s3_bucket/g' | \
 sed 's/docker_machine_security_group_description//g' | \
@@ -177,20 +177,20 @@ sed 's/runners_docker_services/executor_docker_services/g' | \
 sed 's/runners_services_volumes_tmpfs/executor_docker_services_volumes_tmpfs/g' | \
 sed 's/runners_volumes_tmpfs/executor_docker_volumes_tmpfs/g' | \
 sed 's/runners_root_size/executor_docker_machine_ec2_root_size/g' | \
-sed 's/enable_asg_recreation/agent_enable_asg_recreation/g' | \
-sed 's/secure_parameter_store_runner_sentry_dsn/agent_sentry_secure_parameter_store_name/g' | \
-sed 's/secure_parameter_store_runner_token_key/agent_gitlab_token_secure_parameter_store/g' | \
-sed 's/allow_iam_service_linked_role_creation/agent_allow_iam_service_linked_role_creation/g' | \
+sed 's/enable_asg_recreation/runner_manager_enable_asg_recreation/g' | \
+sed 's/secure_parameter_store_runner_sentry_dsn/runner_manager_sentry_secure_parameter_store_name/g' | \
+sed 's/secure_parameter_store_runner_token_key/runner_manager_gitlab_token_secure_parameter_store/g' | \
+sed 's/allow_iam_service_linked_role_creation/runner_manager_allow_iam_service_linked_role_creation/g' | \
 sed 's/runners_add_dind_volumes/executor_docker_add_dind_volumes/g' | \
-sed 's/runners_token/agent_gitlab_token/g' | \
-sed 's/runners_name/agent_gitlab_runner_name/g' | \
-sed 's/docker_machine_version/agent_docker_machine_version/g' | \
-sed 's/docker_machine_download_url/agent_docker_machine_download_url/g' | \
+sed 's/runners_token/runner_manager_gitlab_token/g' | \
+sed 's/runners_name/runner_manager_gitlab_runner_name/g' | \
+sed 's/docker_machine_version/runner_manager_docker_machine_version/g' | \
+sed 's/docker_machine_download_url/runner_manager_docker_machine_download_url/g' | \
 sed 's/docker_machine_spot_price_bid/executor_docker_machine_ec2_spot_price_bid/g' | \
 sed 's/docker_machine_instance_type/executor_docker_machine_instance_type/g' | \
 sed 's/docker_machine_instance_metadata_options/executor_docker_machine_ec2_metadata_options/g' | \
-sed 's/runner_instance_spot_price/agent_spot_price/g' | \
-sed 
's/metrics_autoscaling/agent_collect_autoscaling_metrics/g' | \
+sed 's/runner_instance_spot_price/runner_manager_spot_price/g' | \
+sed 's/metrics_autoscaling/runner_manager_collect_autoscaling_metrics/g' | \
 sed 's/auth_type_cache_sr/executor_cache_s3_authentication_type/g' \
 > "$converted_file.tmp" && mv "$converted_file.tmp" "$converted_file"
@@ -200,7 +200,7 @@ extracted_variables=$(grep -E '(name_sg|name_iam_objects|name_runner_agent_insta
 extracted_variables=$(echo "$extracted_variables" | \
 sed 's/name_sg/security_group_prefix/g' | \
 sed 's/name_iam_objects/iam_object_prefix/g' | \
- sed 's/name_runner_agent_instance/agent_instance_prefix/g' | \
+ sed 's/name_runner_agent_instance/runner_manager_instance_prefix/g' | \
 sed 's/name_docker_machine_runners/executor_docker_machine_instance_prefix/g'
 )
From a94a9e6e18d51b07eac6400169f636f7c64ef4c4 Mon Sep 17 00:00:00 2001
From: kayma
Date: Thu, 20 Apr 2023 11:46:14 +0200
Subject: [PATCH 30/74] rename variables executor_* to runner_worker_*
---
 examples/runner-certificates/main.tf | 4 +-
 examples/runner-default/main.tf | 14 ++--
 examples/runner-docker/main.tf | 6 +-
 examples/runner-multi-region/main.tf | 32 +++----
 examples/runner-pre-registered/main.tf | 2 +-
 examples/runner-public/main.tf | 22 ++---
 locals.tf | 16 ++--
 main.tf | 110 ++++++++++++-------
 migrations/migrate-to-7-0-0.sh | 94 ++++++++++-----------
 security_groups.tf | 18 ++--
 tags.tf | 4 +-
 variables.tf | 106 ++++++++++++------
 12 files changed, 214 insertions(+), 214 deletions(-)
diff --git a/examples/runner-certificates/main.tf b/examples/runner-certificates/main.tf
index 9a328152a..4a9a25969 100644
--- a/examples/runner-certificates/main.tf
+++ b/examples/runner-certificates/main.tf
@@ -31,7 +31,7 @@ module "runner" {
 runner_manager_gitlab_runner_name = var.runner_name
 runner_manager_gitlab_url = var.gitlab_url
- executor_type = "docker"
+ runner_worker_type = "docker"
 environment = var.environment
@@ -51,7 +51,7 @@ module "runner" {
 # update-ca-certificates
 # Or similar OS-dependent commands. The above are an example for Ubuntu.
- executor_docker_options = {
+ runner_worker_docker_options = {
 volumes = [
 "/cache",
 "/etc/gitlab-runner/certs/:/etc/gitlab-runner/certs:ro"
diff --git a/examples/runner-default/main.tf b/examples/runner-default/main.tf
index 4b71373ec..ac0871b00 100644
--- a/examples/runner-default/main.tf
+++ b/examples/runner-default/main.tf
@@ -62,7 +62,7 @@ module "runner" {
 runner_manager_ping_allow_from_security_groups = [data.aws_security_group.default.id]
- executor_docker_machine_ec2_spot_price_bid = "on-demand-price"
+ runner_worker_docker_machine_ec2_spot_price_bid = "on-demand-price"
 runner_manager_gitlab_registration_config = {
 registration_token = var.registration_token
@@ -78,14 +78,14 @@ module "runner" {
 "tf-aws-gitlab-runner:instancelifecycle" = "spot:yes"
 }
- executor_docker_volumes_tmpfs = [
+ runner_worker_docker_volumes_tmpfs = [
 {
 volume = "/var/opt/cache",
 options = "rw,noexec"
 }
 ]
- executor_docker_services_volumes_tmpfs = [
+ runner_worker_docker_services_volumes_tmpfs = [
 {
 volume = "/var/lib/mysql",
 options = "rw,noexec"
@@ -93,7 +93,7 @@ module "runner" {
 ]
 # working 9 to 5 :)
- executor_docker_machine_autoscaling_options = [
+ runner_worker_docker_machine_autoscaling_options = [
 {
 periods = ["* * 0-9,17-23 * * mon-fri *", "* * * * * sat,sun *"]
 idle_count = 0
@@ -102,19 +102,19 @@ module "runner" {
 }
 ]
- executor_docker_options = {
+ runner_worker_docker_options = {
 privileged = "true"
 volumes = ["/cache", "/certs/client"]
 }
- executor_pre_build_script = < value if value != null && key != "volumes"
+ for key, value in var.runner_worker_docker_options : key => value if value != null && key != "volumes"
 }, { volumes = local.runners_volumes })
@@ -62,7 +62,7 @@ locals {
 )
 # Ensure max builds is optional
- runners_max_builds_string = var.executor_docker_machine_max_builds == 0 ? "" : format("MaxBuilds = %d", var.executor_docker_machine_max_builds)
+ runners_max_builds_string = var.runner_worker_docker_machine_max_builds == 0 ? "" : format("MaxBuilds = %d", var.runner_worker_docker_machine_max_builds)
 # Define key for runner token for SSM
 secure_parameter_store_runner_token_key = "${var.environment}-${var.runner_manager_gitlab_token_secure_parameter_store}"
@@ -73,14 +73,14 @@ locals {
 name_sg = var.security_group_prefix == "" ? local.tags["Name"] : var.security_group_prefix
 name_iam_objects = var.iam_object_prefix == "" ? local.tags["Name"] : var.iam_object_prefix
- runners_volumes = concat(var.executor_docker_options.volumes, var.executor_docker_add_dind_volumes ? ["/certs/client", "/builds", "/var/run/docker.sock:/var/run/docker.sock"] : [])
+ runners_volumes = concat(var.runner_worker_docker_options.volumes, var.runner_worker_docker_add_dind_volumes ? ["/certs/client", "/builds", "/var/run/docker.sock:/var/run/docker.sock"] : [])
 runners_docker_services = templatefile("${path.module}/template/runners_docker_services.tftpl", {
- runners_docker_services = var.executor_docker_services
+ runners_docker_services = var.runner_worker_docker_services
 }
 )
- runners_pull_policies = "[\"${join("\",\"", var.executor_docker_options.pull_policies)}\"]"
+ runners_pull_policies = "[\"${join("\",\"", var.runner_worker_docker_options.pull_policies)}\"]"
 /* determines if the docker machine executable adds the Name tag automatically (versions >= 0.16.2) */
 # make sure to skip pre-release stuff in the semver by ignoring everything after "-"
diff --git a/main.tf b/main.tf
index ba178ccde..15c1d1c72 100644
--- a/main.tf
+++ b/main.tf
@@ -58,8 +58,8 @@ locals {
 docker_machine_version = var.runner_manager_docker_machine_version
 docker_machine_download_url = var.runner_manager_docker_machine_download_url
 runners_config = local.template_runner_config
- runners_userdata = var.executor_docker_machine_userdata
- runners_executor = var.executor_type
+ runners_userdata = var.runner_worker_docker_machine_userdata
+ runners_executor = var.runner_worker_type
 runners_install_amazon_ecr_credential_helper = var.runner_manager_install_amazon_ecr_credential_helper
 curl_cacert = length(var.runner_manager_gitlab_certificate) > 0 ? "--cacert /etc/gitlab-runner/certs/gitlab.crt" : ""
 pre_install_certificates = local.pre_install_certificates
@@ -86,7 +86,7 @@ locals {
 gitlab_url = var.runner_manager_gitlab_url
 gitlab_clone_url = var.runner_manager_gitlab_clone_url
 tls_ca_file = length(var.runner_manager_gitlab_certificate) > 0 ? "tls-ca-file=\"/etc/gitlab-runner/certs/gitlab.crt\"" : ""
- runners_machine_autoscaling = [for config in var.executor_docker_machine_autoscaling_options : {
+ runners_machine_autoscaling = [for config in var.runner_worker_docker_machine_autoscaling_options : {
 for key, value in config :
 # Convert key from snake_case to PascalCase which is the casing for this section.
 join("", [for subkey in split("_", key) : title(subkey)]) => jsonencode(value) if value != null
@@ -95,66 +95,66 @@ locals {
 runners_vpc_id = var.vpc_id
 runners_subnet_id = var.subnet_id
 runners_aws_zone = data.aws_availability_zone.runners.name_suffix
- runners_instance_type = var.executor_docker_machine_instance_type
- runners_spot_price_bid = var.executor_docker_machine_ec2_spot_price_bid == "on-demand-price" || var.executor_docker_machine_ec2_spot_price_bid == null ? "" : var.executor_docker_machine_ec2_spot_price_bid
- runners_ami = var.executor_type == "docker+machine" ? data.aws_ami.docker-machine[0].id : ""
- runners_security_group_name = var.executor_type == "docker+machine" ? aws_security_group.docker_machine[0].name : ""
- runners_monitoring = var.executor_docker_machine_enable_monitoring
- runners_ebs_optimized = var.executor_docker_machine_ec2_ebs_optimized
- runners_instance_profile = var.executor_type == "docker+machine" ? aws_iam_instance_profile.docker_machine[0].name : ""
+ runners_instance_type = var.runner_worker_docker_machine_instance_type
+ runners_spot_price_bid = var.runner_worker_docker_machine_ec2_spot_price_bid == "on-demand-price" || var.runner_worker_docker_machine_ec2_spot_price_bid == null ? "" : var.runner_worker_docker_machine_ec2_spot_price_bid
+ runners_ami = var.runner_worker_type == "docker+machine" ? data.aws_ami.docker-machine[0].id : ""
+ runners_security_group_name = var.runner_worker_type == "docker+machine" ? aws_security_group.docker_machine[0].name : ""
+ runners_monitoring = var.runner_worker_docker_machine_enable_monitoring
+ runners_ebs_optimized = var.runner_worker_docker_machine_ec2_ebs_optimized
+ runners_instance_profile = var.runner_worker_type == "docker+machine" ? aws_iam_instance_profile.docker_machine[0].name : ""
 docker_machine_options = length(local.docker_machine_options_string) == 1 ? 
"" : local.docker_machine_options_string docker_machine_name = format("%s-%s", local.runner_tags_merged["Name"], "%s") # %s is always needed runners_name = var.runner_manager_gitlab_runner_name runners_tags = replace(replace(local.runner_tags_string, ",,", ","), "/,$/", "") runners_token = var.runner_manager_gitlab_token - runners_userdata = var.executor_docker_machine_userdata - runners_executor = var.executor_type - runners_limit = var.executor_max_jobs + runners_userdata = var.runner_worker_docker_machine_userdata + runners_executor = var.runner_worker_type + runners_limit = var.runner_worker_max_jobs runners_concurrent = var.runner_manager_maximum_concurrent_jobs runners_pull_policies = local.runners_pull_policies - runners_idle_count = var.executor_idle_count - runners_idle_time = var.executor_idle_time + runners_idle_count = var.runner_worker_idle_count + runners_idle_time = var.runner_worker_idle_time runners_max_builds = local.runners_max_builds_string - runners_root_size = var.executor_docker_machine_ec2_root_size - runners_volume_type = var.executor_docker_machine_ec2_volume_type - runners_iam_instance_profile_name = var.executor_docker_machine_iam_instance_profile_name - runners_use_private_address_only = var.executor_docker_machine_use_private_address - runners_use_private_address = !var.executor_docker_machine_use_private_address - runners_request_spot_instance = var.executor_docker_machine_request_spot_instances - runners_environment_vars = jsonencode(var.executor_extra_environment_variables) - runners_pre_build_script = var.executor_pre_build_script - runners_post_build_script = var.executor_post_build_script - runners_pre_clone_script = var.executor_pre_clone_script - runners_request_concurrency = var.executor_request_concurrency - runners_output_limit = var.executor_output_limit + runners_root_size = var.runner_worker_docker_machine_ec2_root_size + runners_volume_type = var.runner_worker_docker_machine_ec2_volume_type + 
runners_iam_instance_profile_name = var.runner_worker_docker_machine_iam_instance_profile_name
+ runners_use_private_address_only = var.runner_worker_docker_machine_use_private_address
+ runners_use_private_address = !var.runner_worker_docker_machine_use_private_address
+ runners_request_spot_instance = var.runner_worker_docker_machine_request_spot_instances
+ runners_environment_vars = jsonencode(var.runner_worker_extra_environment_variables)
+ runners_pre_build_script = var.runner_worker_pre_build_script
+ runners_post_build_script = var.runner_worker_post_build_script
+ runners_pre_clone_script = var.runner_worker_pre_clone_script
+ runners_request_concurrency = var.runner_worker_request_concurrency
+ runners_output_limit = var.runner_worker_output_limit
 runners_check_interval = var.runner_manager_gitlab_check_interval
- runners_volumes_tmpfs = join("\n", [for v in var.executor_docker_volumes_tmpfs : format("\"%s\" = \"%s\"", v.volume, v.options)])
- runners_services_volumes_tmpfs = join("\n", [for v in var.executor_docker_services_volumes_tmpfs : format("\"%s\" = \"%s\"", v.volume, v.options)])
+ runners_volumes_tmpfs = join("\n", [for v in var.runner_worker_docker_volumes_tmpfs : format("\"%s\" = \"%s\"", v.volume, v.options)])
+ runners_services_volumes_tmpfs = join("\n", [for v in var.runner_worker_docker_services_volumes_tmpfs : format("\"%s\" = \"%s\"", v.volume, v.options)])
 runners_docker_services = local.runners_docker_services
 runners_docker_options = local.runners_docker_options_toml
 bucket_name = local.bucket_name
- shared_cache = var.executor_cache_shared
+ shared_cache = var.runner_worker_cache_shared
 sentry_dsn = var.runner_manager_sentry_dsn
 prometheus_listen_address = var.runner_manager_prometheus_listen_address
- auth_type = var.executor_cache_s3_authentication_type
+ auth_type = var.runner_worker_cache_s3_authentication_type
 }
 )
 }
 data "aws_ami" "docker-machine" {
- count = var.executor_type == "docker+machine" ? 
1 : 0
+ count = var.runner_worker_type == "docker+machine" ? 1 : 0
 most_recent = "true"
 dynamic "filter" {
- for_each = var.executor_docker_machine_ami_filter
+ for_each = var.runner_worker_docker_machine_ami_filter
 content {
 name = filter.key
 values = filter.value
 }
 }
- owners = var.executor_docker_machine_ami_owners
+ owners = var.runner_worker_docker_machine_ami_owners
 }
 # ignores: Autoscaling Groups Supply Tags --> we use a "dynamic" block to create the tags
@@ -285,7 +285,7 @@ resource "aws_launch_template" "gitlab_runner_instance" {
 }
 network_interfaces {
 security_groups = concat([aws_security_group.runner.id], var.runner_manager_extra_security_group_ids)
- associate_public_ip_address = false == (var.runner_manager_use_private_address == false ? var.runner_manager_use_private_address : var.executor_docker_machine_use_private_address)
+ associate_public_ip_address = false == (var.runner_manager_use_private_address == false ? var.runner_manager_use_private_address : var.runner_worker_docker_machine_use_private_address)
 }
 tag_specifications {
 resource_type = "instance"
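Review bot: The renamed `associate_public_ip_address` line still has the shape `false == (…)`, which is simply `!(…)`, and its fallback branch means the runner manager is given a public IP whenever `runner_manager_use_private_address` is true but `runner_worker_docker_machine_use_private_address` is false — the manager's network exposure is decided by a worker-side setting. If that coupling is intended, a comment on the line such as `# the manager only gets a private address when both it and the docker-machine workers opt for private addresses` would make the behaviour visible to anyone auditing exposure; if it is not, `associate_public_ip_address = !var.runner_manager_use_private_address` looks like the intent. The enclosing `aws_launch_template` resource starts and ends outside the hunk.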
@@ -324,25 +324,25 @@ resource "aws_launch_template" "gitlab_runner_instance" {
 ### Create cache bucket
 ################################################################################
 locals {
- bucket_name = var.executor_cache_s3_bucket["create"] ? module.cache[0].bucket : var.executor_cache_s3_bucket["bucket"]
- bucket_policy = var.executor_cache_s3_bucket["create"] ? module.cache[0].policy_arn : var.executor_cache_s3_bucket["policy"]
+ bucket_name = var.runner_worker_cache_s3_bucket["create"] ? module.cache[0].bucket : var.runner_worker_cache_s3_bucket["bucket"]
+ bucket_policy = var.runner_worker_cache_s3_bucket["create"] ? module.cache[0].policy_arn : var.runner_worker_cache_s3_bucket["policy"]
 }
 module "cache" {
- count = var.executor_cache_s3_bucket["create"] ? 1 : 0
+ count = var.runner_worker_cache_s3_bucket["create"] ? 1 : 0
 source = "./modules/cache"
 environment = var.environment
 tags = local.tags
- cache_bucket_prefix = var.executor_cache_s3_bucket_prefix
- cache_bucket_name_include_account_id = var.executor_cache_s3_bucket_name_include_account_id
- cache_bucket_set_random_suffix = var.executor_cache_s3_bucket_enable_random_suffix
- cache_bucket_versioning = var.executor_cache_s3_enable_versioning
- cache_expiration_days = var.executor_cache_s3_expiration_days
- cache_lifecycle_prefix = var.executor_cache_shared ? "project/" : "runner/"
- cache_logging_bucket = var.executor_cache_s3_logging_bucket_id
- cache_logging_bucket_prefix = var.executor_cache_s3_logging_bucket_prefix
+ cache_bucket_prefix = var.runner_worker_cache_s3_bucket_prefix
+ cache_bucket_name_include_account_id = var.runner_worker_cache_s3_bucket_name_include_account_id
+ cache_bucket_set_random_suffix = var.runner_worker_cache_s3_bucket_enable_random_suffix
+ cache_bucket_versioning = var.runner_worker_cache_s3_enable_versioning
+ cache_expiration_days = var.runner_worker_cache_s3_expiration_days
+ cache_lifecycle_prefix = var.runner_worker_cache_shared ? 
"project/" : "runner/" + cache_logging_bucket = var.runner_worker_cache_s3_logging_bucket_id + cache_logging_bucket_prefix = var.runner_worker_cache_s3_logging_bucket_prefix kms_key_id = local.kms_key @@ -403,7 +403,7 @@ resource "aws_iam_role_policy_attachment" "instance_kms_policy" { ### iam:PassRole To pass the role from the agent to the docker machine runners ################################################################################ resource "aws_iam_policy" "instance_docker_machine_policy" { - count = var.executor_type == "docker+machine" && var.runner_manager_create_runner_iam_role_profile ? 1 : 0 + count = var.runner_worker_type == "docker+machine" && var.runner_manager_create_runner_iam_role_profile ? 1 : 0 name = "${local.name_iam_objects}-docker-machine" path = "/" @@ -417,7 +417,7 @@ resource "aws_iam_policy" "instance_docker_machine_policy" { } resource "aws_iam_role_policy_attachment" "instance_docker_machine_policy" { - count = var.executor_type == "docker+machine" && var.runner_manager_create_runner_iam_role_profile ? 1 : 0 + count = var.runner_worker_type == "docker+machine" && var.runner_manager_create_runner_iam_role_profile ? 1 : 0 role = aws_iam_role.instance[0].name policy_arn = aws_iam_policy.instance_docker_machine_policy[0].arn 
@@ -468,7 +468,7 @@ resource "aws_iam_role_policy_attachment" "docker_machine_cache_instance" {
 /* If the S3 cache adapter is configured to use an IAM instance profile, the adapter uses the profile attached to the GitLab Runner machine.
 So do not use aws_iam_role.docker_machine.name here! See https://docs.gitlab.com/runner/configuration/advanced-configuration.html */
- count = var.executor_type == "docker+machine" ? (var.executor_cache_s3_bucket["create"] || lookup(var.executor_cache_s3_bucket, "policy", "") != "" ? 1 : 0) : 0
+ count = var.runner_worker_type == "docker+machine" ? (var.runner_worker_cache_s3_bucket["create"] || lookup(var.runner_worker_cache_s3_bucket, "policy", "") != "" ? 1 : 0) : 0
 role = var.runner_manager_create_runner_iam_role_profile ? aws_iam_role.instance[0].name : local.aws_iam_role_instance_name
 policy_arn = local.bucket_policy
@@ -478,9 +478,9 @@ resource "aws_iam_role_policy_attachment" "docker_machine_cache_instance" {
 ### docker machine instance policy
 ################################################################################
 resource "aws_iam_role" "docker_machine" {
- count = var.executor_type == "docker+machine" ? 1 : 0
+ count = var.runner_worker_type == "docker+machine" ? 1 : 0
 name = "${local.name_iam_objects}-docker-machine"
- assume_role_policy = length(var.executor_docker_machine_assume_role_json) > 0 ? var.executor_docker_machine_assume_role_json : templatefile("${path.module}/policies/instance-role-trust-policy.json", {})
+ assume_role_policy = length(var.runner_worker_docker_machine_assume_role_json) > 0 ? var.runner_worker_docker_machine_assume_role_json : templatefile("${path.module}/policies/instance-role-trust-policy.json", {})
 permissions_boundary = var.iam_permissions_boundary == "" ? null : "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:policy/${var.iam_permissions_boundary}"
 tags = local.tags
@@ -489,7 +489,7 @@ resource "aws_iam_role" "docker_machine" {
 resource "aws_iam_instance_profile" "docker_machine" {
- count = var.executor_type == "docker+machine" ? 1 : 0
+ count = var.runner_worker_type == "docker+machine" ? 1 : 0
 name = "${local.name_iam_objects}-docker-machine"
 role = aws_iam_role.docker_machine[0].name
 tags = local.tags
@@ -499,15 +499,15 @@ resource "aws_iam_instance_profile" "docker_machine" {
 ### Add user defined policies
 ################################################################################
 resource "aws_iam_role_policy_attachment" "docker_machine_user_defined_policies" {
- count = var.executor_type == "docker+machine" ? length(var.executor_docker_machine_extra_iam_policy_arns) : 0
+ count = var.runner_worker_type == "docker+machine" ? length(var.runner_worker_docker_machine_extra_iam_policy_arns) : 0
 role = aws_iam_role.docker_machine[0].name
- policy_arn = var.executor_docker_machine_extra_iam_policy_arns[count.index]
+ policy_arn = var.runner_worker_docker_machine_extra_iam_policy_arns[count.index]
 }
 ################################################################################
 resource "aws_iam_role_policy_attachment" "docker_machine_session_manager_aws_managed" {
- count = (var.executor_type == "docker+machine" && var.executor_enable_ssm_access) ? 1 : 0
+ count = (var.runner_worker_type == "docker+machine" && var.runner_worker_enable_ssm_access) ? 1 : 0
 role = aws_iam_role.docker_machine[0].name
 policy_arn = "arn:${data.aws_partition.current.partition}:iam::aws:policy/AmazonSSMManagedInstanceCore"
diff --git a/migrations/migrate-to-7-0-0.sh b/migrations/migrate-to-7-0-0.sh
index 276d2a4a7..714693de1 100755
--- a/migrations/migrate-to-7-0-0.sh
+++ b/migrations/migrate-to-7-0-0.sh
@@ -95,16 +95,16 @@ sed 's/instance_type/runner_manager_instance_type/g' | \
 sed 's/runner_instance_ebs_optimized/runner_manager_ebs_optimized/g' | \
 sed 's/runner_instance_enable_monitoring/runner_manager_enable_monitoring/g' | \
 sed 's/runner_instance_metadata_options/runner_manager_metadata_options/g' | \
-sed 's/runners_userdata/executor_docker_machine_userdata/g' | \
-sed 's/runners_executor/executor_type/g' | \
+sed 's/runners_userdata/runner_worker_docker_machine_userdata/g' | \
+sed 's/runners_executor/runner_worker_type/g' | \
 sed 's/runners_install_amazon_ecr_credential_helper/runner_manager_install_amazon_ecr_credential_helper/g' | \
 sed 's/runners_clone_url/runner_manager_gitlab_clone_url/g' | \
 sed 's/runners_gitlab_url/runner_manager_gitlab_url/g' | \
-sed 's/runners_max_builds/executor_docker_machine_max_builds/g' | \
-sed 's/runners_idle_count/executor_idle_count/g' | \
-sed 's/runners_idle_time/executor_idle_time/g' | \
+sed 's/runners_max_builds/runner_worker_docker_machine_max_builds/g' | \
+sed 's/runners_idle_count/runner_worker_idle_count/g' | \
+sed 's/runners_idle_time/runner_worker_idle_time/g' | \
 sed 's/runners_concurrent/runner_manager_maximum_concurrent_jobs/g' | \
-sed 's/runners_limit/executor_max_jobs/g' | \
+sed 's/runners_limit/runner_worker_max_jobs/g' | \
 sed 's/runners_check_interval/runner_manager_gitlab_check_interval/g' | \
 sed 's/sentry_dsn/runner_manager_sentry_dsn/g' | \
 sed 's/prometheus_listen_address/runner_manager_prometheus_listen_address/g' | \
@@ -125,73 +125,73 @@ sed 's/runner_root_block_device/runner_manager_root_block_device/g' | \
 sed 's/gitlab_runner_registration_config/runner_manager_gitlab_registration_config/g' | \
 sed 's/[^_]ami_filter/runner_manager_ami_filter/g' | \
 sed 's/[^_]ami_owners/runner_manager_ami_owners/g' | \
-sed 's/runner_ami_filter/executor_docker_machine_ami_filter/g' | \
-sed 's/runner_ami_owners/executor_docker_machine_ami_owners/g' | \
+sed 's/runner_ami_filter/runner_worker_docker_machine_ami_filter/g' | \
+sed 's/runner_ami_owners/runner_worker_docker_machine_ami_owners/g' | \
 sed 's/instance_role_json/runner_manager_assume_role_json/g' | \
-sed 's/docker_machine_role_json/executor_docker_machine_assume_role_json/g' | \
+sed 's/docker_machine_role_json/runner_worker_docker_machine_assume_role_json/g' | \
 sed 's/role_tags/runner_manager_extra_role_tags/g' | \
-sed 's/runner_tags/executor_docker_machine_extra_role_tags/g' | \
+sed 's/runner_tags/runner_worker_docker_machine_extra_role_tags/g' | \
 sed 's/agent_tags/runner_manager_extra_instance_tags/g' | \
 sed 's/enable_ping/runner_manager_ping_enable/g' | \
 sed 's/gitlab_runner_version/runner_manager_gitlab_runner_version/g' | \
 sed 's/gitlab_runner_egress_rules/runner_manager_extra_egress_rules/g' | \
 sed 's/gitlab_runner_security_group_ids/runner_manager_ping_allow_from_security_groups/g' | \
 sed 's/gitlab_runner_security_group_description/runner_manager_security_group_description/g' | \
-sed 's/cache_shared/executor_cache_shared/g' | \
-sed 's/cache_expiration_days/executor_cache_s3_expiration_days/g' | \
-sed 's/cache_bucket_versioning/executor_cache_s3_enable_versioning/g' | \
-sed 's/cache_logging_bucket_prefix/executor_cache_s3_logging_bucket_prefix/g' | \
-sed 's/cache_logging_bucket/executor_cache_s3_logging_bucket_id/g' | \
-sed 's/cache_bucket_set_random_suffix/executor_cache_s3_bucket_enable_random_suffix/g' | \
-sed 's/cache_bucket_name_include_account_id/executor_cache_s3_bucket_name_include_account_id/g' | \
-sed 's/cache_bucket_prefix/executor_cache_s3_bucket_prefix/g' | \
+sed 's/cache_shared/runner_worker_cache_shared/g' | \
+sed 's/cache_expiration_days/runner_worker_cache_s3_expiration_days/g' | \
+sed 's/cache_bucket_versioning/runner_worker_cache_s3_enable_versioning/g' | \
+sed 's/cache_logging_bucket_prefix/runner_worker_cache_s3_logging_bucket_prefix/g' | \
+sed 's/cache_logging_bucket/runner_worker_cache_s3_logging_bucket_id/g' | \
+sed 's/cache_bucket_set_random_suffix/runner_worker_cache_s3_bucket_enable_random_suffix/g' | \
+sed 's/cache_bucket_name_include_account_id/runner_worker_cache_s3_bucket_name_include_account_id/g' | \
+sed 's/cache_bucket_prefix/runner_worker_cache_s3_bucket_prefix/g' | \
 sed 's/runner_agent_uses_private_address/runner_manager_use_private_address/g' | \
-sed 's/runners_use_private_address/executor_docker_machine_use_private_address/g' | \
-sed 's/runners_request_spot_instance/executor_docker_machine_request_spot_instances/g' | \
+sed 's/runners_use_private_address/runner_worker_docker_machine_use_private_address/g' | \
+sed 's/runners_request_spot_instance/runner_worker_docker_machine_request_spot_instances/g' | \
 sed 's/userdata_pre_install/runner_manager_userdata_pre_install/g' | \
 sed 's/userdata_post_install/runner_manager_userdata_post_install/g' | \
-sed 's/runners_pre_build_script/executor_pre_build_script/g' | \
-sed 's/runners_post_build_script/executor_post_build_script/g' | \
-sed 's/runners_pre_clone_script/executor_pre_clone_script/g' | \
-sed 's/runners_request_concurrency/executor_request_concurrency/g' | \
-sed 's/runners_output_limit/executor_output_limit/g' | \
-sed 's/runners_environment_vars/executor_extra_environment_variables/g' | \
-sed 's/runners_docker_registry_mirror/executor_docker_machine_docker_registry_mirror_url/g' | \
-sed 's/docker_machine_egress_rules/executor_docker_machine_extra_egress_rules/g' | \
-sed 's/docker_machine_iam_policy_arns/executor_docker_machine_extra_iam_policy_arns/g' | \
+sed 
's/runners_pre_build_script/runner_worker_pre_build_script/g' | \
+sed 's/runners_post_build_script/runner_worker_post_build_script/g' | \
+sed 's/runners_pre_clone_script/runner_worker_pre_clone_script/g' | \
+sed 's/runners_request_concurrency/runner_worker_request_concurrency/g' | \
+sed 's/runners_output_limit/runner_worker_output_limit/g' | \
+sed 's/runners_environment_vars/runner_worker_extra_environment_variables/g' | \
+sed 's/runners_docker_registry_mirror/runner_worker_docker_machine_docker_registry_mirror_url/g' | \
+sed 's/docker_machine_egress_rules/runner_worker_docker_machine_extra_egress_rules/g' | \
+sed 's/docker_machine_iam_policy_arns/runner_worker_docker_machine_extra_iam_policy_arns/g' | \
 sed 's/enable_cloudwatch_logging/runner_manager_cloudwatch_enable/g' | \
 sed 's/cloudwatch_logging_retention_in_days/runner_manager_cloudwatch_retention_days/g' | \
 sed 's/log_group_name/runner_manager_cloudwatch_log_group_name/g' | \
 sed 's/asg_max_instance_lifetime/runner_manager_max_instance_lifetime_seconds/g' | \
 sed 's/asg_delete_timeout/runner_manager_terraform_timeout_delete_asg/g' | \
-sed 's/enable_docker_machine_ssm_access/executor_enable_ssm_access/g' | \
-sed 's/cache_bucket/executor_cache_s3_bucket/g' | \
+sed 's/enable_docker_machine_ssm_access/runner_worker_enable_ssm_access/g' | \
+sed 's/cache_bucket/runner_worker_cache_s3_bucket/g' | \
 sed 's/docker_machine_security_group_description//g' | \
-sed 's/docker_machine_options/executor_docker_machine_ec2_options/g' | \
-sed 's/runners_iam_instance_profile_name/executor_docker_machine_iam_instance_profile_name/g' | \
-sed 's/runners_volume_type/executor_docker_machine_ec2_volume_type/g' | \
-sed 's/runners_ebs_optimized/executor_docker_machine_ec2_ebs_optimized/g' | \
-sed 's/runners_monitoring/executor_docker_machine_enable_monitoring/g' | \
-sed 's/runners_machine_autoscaling_options/executor_docker_machine_autoscaling_options/g' | \
-sed 's/runners_docker_services/executor_docker_services/g' 
| \
-sed 's/runners_services_volumes_tmpfs/executor_docker_services_volumes_tmpfs/g' | \
-sed 's/runners_volumes_tmpfs/executor_docker_volumes_tmpfs/g' | \
-sed 's/runners_root_size/executor_docker_machine_ec2_root_size/g' | \
+sed 's/docker_machine_options/runner_worker_docker_machine_ec2_options/g' | \
+sed 's/runners_iam_instance_profile_name/runner_worker_docker_machine_iam_instance_profile_name/g' | \
+sed 's/runners_volume_type/runner_worker_docker_machine_ec2_volume_type/g' | \
+sed 's/runners_ebs_optimized/runner_worker_docker_machine_ec2_ebs_optimized/g' | \
+sed 's/runners_monitoring/runner_worker_docker_machine_enable_monitoring/g' | \
+sed 's/runners_machine_autoscaling_options/runner_worker_docker_machine_autoscaling_options/g' | \
+sed 's/runners_docker_services/runner_worker_docker_services/g' | \
+sed 's/runners_services_volumes_tmpfs/runner_worker_docker_services_volumes_tmpfs/g' | \
+sed 's/runners_volumes_tmpfs/runner_worker_docker_volumes_tmpfs/g' | \
+sed 's/runners_root_size/runner_worker_docker_machine_ec2_root_size/g' | \
 sed 's/enable_asg_recreation/runner_manager_enable_asg_recreation/g' | \
 sed 's/secure_parameter_store_runner_sentry_dsn/runner_manager_sentry_secure_parameter_store_name/g' | \
 sed 's/secure_parameter_store_runner_token_key/runner_manager_gitlab_token_secure_parameter_store/g' | \
 sed 's/allow_iam_service_linked_role_creation/runner_manager_allow_iam_service_linked_role_creation/g' | \
-sed 's/runners_add_dind_volumes/executor_docker_add_dind_volumes/g' | \
+sed 's/runners_add_dind_volumes/runner_worker_docker_add_dind_volumes/g' | \
 sed 's/runners_token/runner_manager_gitlab_token/g' | \
 sed 's/runners_name/runner_manager_gitlab_runner_name/g' | \
 sed 's/docker_machine_version/runner_manager_docker_machine_version/g' | \
 sed 's/docker_machine_download_url/runner_manager_docker_machine_download_url/g' | \
-sed 's/docker_machine_spot_price_bid/executor_docker_machine_ec2_spot_price_bid/g' | \
-sed 
's/docker_machine_instance_type/executor_docker_machine_instance_type/g' | \
-sed 's/docker_machine_instance_metadata_options/executor_docker_machine_ec2_metadata_options/g' | \
+sed 's/docker_machine_spot_price_bid/runner_worker_docker_machine_ec2_spot_price_bid/g' | \
+sed 's/docker_machine_instance_type/runner_worker_docker_machine_instance_type/g' | \
+sed 's/docker_machine_instance_metadata_options/runner_worker_docker_machine_ec2_metadata_options/g' | \
 sed 's/runner_instance_spot_price/runner_manager_spot_price/g' | \
 sed 's/metrics_autoscaling/runner_manager_collect_autoscaling_metrics/g' | \
-sed 's/auth_type_cache_sr/executor_cache_s3_authentication_type/g' \
+sed 's/auth_type_cache_sr/runner_worker_cache_s3_authentication_type/g' \
 > "$converted_file.tmp" && mv "$converted_file.tmp" "$converted_file"
 # overrides block
@@ -201,7 +201,7 @@ extracted_variables=$(echo "$extracted_variables" | \
 sed 's/name_sg/security_group_prefix/g' | \
 sed 's/name_iam_objects/iam_object_prefix/g' | \
 sed 's/name_runner_agent_instance/runner_manager_instance_prefix/g' | \
- sed 's/name_docker_machine_runners/executor_docker_machine_instance_prefix/g'
+ sed 's/name_docker_machine_runners/runner_worker_docker_machine_instance_prefix/g'
 )
 sed '/name_sg/d' "$converted_file" | \
diff --git a/security_groups.tf b/security_groups.tf
index e4464bea8..9327d3e64 100644
--- a/security_groups.tf
+++ b/security_groups.tf
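Review bot: The added `sed 's/docker_machine_instance_type/runner_worker_docker_machine_instance_type/g'` can never match if the unanchored `sed 's/instance_type/runner_manager_instance_type/g'` shown in the header of the earlier `@@ -95,16` hunk runs before it in the same pipeline, as its position suggests: that pass already rewrites `docker_machine_instance_type` into `docker_machine_runner_manager_instance_type`, a variable the module does not declare, so the migrated configuration fails validation instead of being renamed. The same substring-ordering problem appears to exist between the context lines `sed 's/sentry_dsn/runner_manager_sentry_dsn/g'` (earlier hunk) and `sed 's/secure_parameter_store_runner_sentry_dsn/…/g'` (this hunk). Placing each longer substitution ahead of the shorter name it contains, or anchoring the short patterns on a non-identifier character, removes the dependence on ordering. Separately, the context lines `sed 's/[^_]ami_filter/…/g'` and `sed 's/[^_]ami_owners/…/g'` delete the character matched by `[^_]`; `sed 's/\([^_]\)ami_filter/\1runner_manager_ami_filter/g'` preserves it. The pipeline this hunk edits begins before the hunk.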
@@ -66,14 +66,14 @@ resource "aws_security_group_rule" "runner_ping_group" {
 resource "aws_security_group" "docker_machine" {
 # checkov:skip=CKV2_AWS_5:Security group is used within an template and assigned to the docker machines
- count = var.executor_type == "docker+machine" ? 1 : 0
+ count = var.runner_worker_type == "docker+machine" ? 1 : 0
 name_prefix = "${local.name_sg}-docker-machine"
 vpc_id = var.vpc_id
- description = var.executor_docker_machine_security_group_description
+ description = var.runner_worker_docker_machine_security_group_description
 dynamic "egress" {
- for_each = var.executor_docker_machine_extra_egress_rules
+ for_each = var.runner_worker_docker_machine_extra_egress_rules
 iterator = each
 content {
@@ -107,7 +107,7 @@ resource "aws_security_group" "docker_machine" {
 # Allow docker-machine traffic from gitlab-runner agent instances to docker-machine instances
 resource "aws_security_group_rule" "docker_machine_docker_runner" {
- count = var.executor_type == "docker+machine" ? 1 : 0
+ count = var.runner_worker_type == "docker+machine" ? 1 : 0
 type = "ingress"
 from_port = 2376
@@ -136,7 +136,7 @@ locals {
 # Allow SSH traffic from gitlab-runner agent instances and security group IDs to docker-machine instances
 resource "aws_security_group_rule" "docker_machine_ssh_runner" {
- count = var.executor_type == "docker+machine" ? 1 : 0
+ count = var.runner_worker_type == "docker+machine" ? 1 : 0
 type = "ingress"
 from_port = 22
@@ -155,7 +155,7 @@ resource "aws_security_group_rule" "docker_machine_ssh_runner" {
 # Allow ICMP traffic from gitlab-runner agent instances and security group IDs to docker-machine instances
 resource "aws_security_group_rule" "docker_machine_ping_runner" {
- count = var.executor_type == "docker+machine" ? length(local.security_groups_ping) : 0
+ count = var.runner_worker_type == "docker+machine" ? length(local.security_groups_ping) : 0
 type = "ingress"
 from_port = -1
@@ -178,7 +178,7 @@ resource "aws_security_group_rule" "docker_machine_ping_runner" { # Allow docker-machine traffic from docker-machine instances to docker-machine instances on port 2376 resource "aws_security_group_rule" "docker_machine_docker_self" { - count = var.executor_type == "docker+machine" ? 1 : 0 + count = var.runner_worker_type == "docker+machine" ? 1 : 0 type = "ingress" from_port = 2376 @@ -196,7 +196,7 @@ resource "aws_security_group_rule" "docker_machine_docker_self" { # Allow SSH traffic from docker-machine instances to docker-machine instances on port 22 resource "aws_security_group_rule" "docker_machine_ssh_self" { - count = var.executor_type == "docker+machine" ? 1 : 0 + count = var.runner_worker_type == "docker+machine" ? 1 : 0 type = "ingress" from_port = 22 @@ -214,7 +214,7 @@ resource "aws_security_group_rule" "docker_machine_ssh_self" { # Allow ICMP traffic from docker-machine instances to docker-machine instances resource "aws_security_group_rule" "docker_machine_ping_self" { - count = (var.executor_type == "docker+machine" && var.runner_manager_ping_enable) ? 1 : 0 + count = (var.runner_worker_type == "docker+machine" && var.runner_manager_ping_enable) ? 1 : 0 type = "ingress" from_port = -1 diff --git a/tags.tf b/tags.tf index 7109c262a..e00900559 100644 --- a/tags.tf +++ b/tags.tf 
@@ -26,9 +26,9 @@ locals { runner_tags_merged = merge( local.tags, - var.executor_docker_machine_extra_role_tags, + var.runner_worker_docker_machine_extra_role_tags, # overwrites the `Name` key from `local.tags` - var.executor_docker_machine_instance_prefix == "" ? { Name = substr(format("%s", var.environment), 0, 16) } : { Name = var.executor_docker_machine_instance_prefix }, + var.runner_worker_docker_machine_instance_prefix == "" ? { Name = substr(format("%s", var.environment), 0, 16) } : { Name = var.runner_worker_docker_machine_instance_prefix }, ) # remove the `Name` tag in addition if docker+machine adds one to avoid a failure due to a duplicate `Name` tag diff --git a/variables.tf b/variables.tf index 8b690f26b..6c6cd4766 100644 --- a/variables.tf +++ b/variables.tf 
@@ -464,68 +464,68 @@ variable "runner_manager_terraform_timeout_delete_asg" { } /* - * Executor variables valid for all executors. + * Runner Worker: The process created by the runner on the host computing platform to run jobs. */ -variable "executor_type" { +variable "runner_worker_type" { description = "The executor type to use. Currently supports `docker+machine` or `docker`." type = string default = "docker+machine" validation { - condition = contains(["docker+machine", "docker"], var.executor_type) + condition = contains(["docker+machine", "docker"], var.runner_worker_type) error_message = "The executor currently supports `docker+machine` or `docker`." } } -variable "executor_enable_ssm_access" { +variable "runner_worker_enable_ssm_access" { description = "Allows to connect to the Executor via SSM." type = bool default = false } -variable "executor_max_jobs" { +variable "runner_worker_max_jobs" { description = "Number of jobs which can be processed in parallel by the executor." type = number default = 0 } -variable "executor_idle_time" { +variable "runner_worker_idle_time" { description = "Idle time of the runners before they are destroyed." type = number default = 600 } -variable "executor_idle_count" { +variable "runner_worker_idle_count" { description = "Number of idle Executor instances." type = number default = 0 } -variable "executor_request_concurrency" { +variable "runner_worker_request_concurrency" { description = "Limit number of concurrent requests for new jobs from GitLab (default 1)." type = number default = 1 } -variable "executor_output_limit" { +variable "runner_worker_output_limit" { description = "Sets the maximum build log size in kilobytes, by default set to 4096 (4MB)." type = number default = 4096 } -variable "executor_extra_environment_variables" { +variable "runner_worker_extra_environment_variables" { description = "Environment variables during build execution, e.g. KEY=Value, see runner-public example." 
type = list(string) default = [] } -variable "executor_cache_shared" { +variable "runner_worker_cache_shared" { description = "Enables cache sharing between runners. `false` by default." type = bool default = false } -variable "executor_cache_s3_bucket" { +variable "runner_worker_cache_s3_bucket" { description = <<-EOT Configuration to control the creation of the cache bucket. By default the bucket will be created and used as shared cache. To use the same cache across multiple runners disable the creation of the cache and provide a policy and 
@@ -539,67 +539,67 @@ variable "executor_cache_s3_bucket" { } } -variable "executor_cache_s3_authentication_type" { +variable "runner_worker_cache_s3_authentication_type" { description = "A string that declares the AuthenticationType for [runners.cache.s3]. Can either be 'iam' or 'credentials'" type = string default = "iam" } -variable "executor_cache_s3_expiration_days" { +variable "runner_worker_cache_s3_expiration_days" { description = "Number of days before cache objects expire." type = number default = 1 } -variable "executor_cache_s3_enable_versioning" { +variable "runner_worker_cache_s3_enable_versioning" { description = "Boolean used to enable versioning on the cache bucket, false by default." type = bool default = false } -variable "executor_cache_s3_bucket_prefix" { +variable "runner_worker_cache_s3_bucket_prefix" { description = "Prefix for s3 cache bucket name." type = string default = "" } -variable "executor_cache_s3_bucket_name_include_account_id" { +variable "runner_worker_cache_s3_bucket_name_include_account_id" { description = "Boolean to add current account ID to cache bucket name." type = bool default = true } -variable "executor_cache_s3_bucket_enable_random_suffix" { +variable "runner_worker_cache_s3_bucket_enable_random_suffix" { description = "Append the cache bucket name with a random string suffix" type = bool default = false } -variable "executor_cache_s3_logging_bucket_id" { +variable "runner_worker_cache_s3_logging_bucket_id" { type = string description = "S3 Bucket ID where the access logs to the cache bucket are stored." default = null } -variable "executor_cache_s3_logging_bucket_prefix" { +variable "runner_worker_cache_s3_logging_bucket_prefix" { type = string description = "Prefix within the `executor_cache_logging_bucket_name`." default = null } -variable "executor_pre_clone_script" { +variable "runner_worker_pre_clone_script" { description = "Script to execute in the pipeline before cloning the Git repository. 
this can be used to adjust the Git client configuration first, for example." type = string default = "\"\"" } -variable "executor_pre_build_script" { +variable "runner_worker_pre_build_script" { description = "Script to execute in the pipeline just before the build." type = string default = "\"\"" } -variable "executor_post_build_script" { +variable "runner_worker_post_build_script" { description = "Script to execute in the pipeline just after the build, but before executing after_script." type = string default = "\"\"" @@ -608,7 +608,7 @@ variable "executor_post_build_script" { /* * Docker Executor variables. */ -variable "executor_docker_volumes_tmpfs" { +variable "runner_worker_docker_volumes_tmpfs" { description = "Mount a tmpfs in Executor container. https://docs.gitlab.com/runner/executors/docker.html#mounting-a-directory-in-ram" type = list(object({ volume = string @@ -617,7 +617,7 @@ variable "executor_docker_volumes_tmpfs" { default = [] } -variable "executor_docker_services" { +variable "runner_worker_docker_services" { description = "Starts additional services with the Docker container. All fields must be set (examine the Dockerfile of the service image for the entrypoint - see ./examples/runner-default/main.tf)" type = list(object({ name = string @@ -628,7 +628,7 @@ variable "executor_docker_services" { default = [] } -variable "executor_docker_services_volumes_tmpfs" { +variable "runner_worker_docker_services_volumes_tmpfs" { description = "Mount a tmpfs in gitlab service container. https://docs.gitlab.com/runner/executors/docker.html#mounting-a-directory-in-ram" type = list(object({ volume = string 
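Review bot: The description of `runner_worker_cache_s3_logging_bucket_prefix` in this hunk still points at `executor_cache_logging_bucket_name`, an input that exists under neither the old nor the new naming, and after this commit no `executor_*` input is left at all, so the reference in the generated docs is dead. It presumably means the sibling input declared just above it; `description = "Prefix within the \`runner_worker_cache_s3_logging_bucket_id\` bucket."` would keep the two in step. The same hunk and the following `@@ -608` hunk also keep "Executor" in the section comment `Docker Executor variables.` and in the `runner_worker_docker_volumes_tmpfs` description while every input is now `runner_worker_*`; the `runner_worker_type` description and validation message in the preceding hunk (cut off in this view) carry the same wording. Changing the terminology in the same commit avoids a second wording-only migration later.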
@@ -637,13 +637,13 @@ variable "executor_docker_services_volumes_tmpfs" { default = [] } -variable "executor_docker_add_dind_volumes" { +variable "runner_worker_docker_add_dind_volumes" { description = "Add certificates and docker.sock to the volumes to support docker-in-docker (dind)" type = bool default = false } -variable "executor_docker_options" { +variable "runner_worker_docker_options" { description = < Date: Thu, 20 Apr 2023 11:50:15 +0200 Subject: [PATCH 31/74] identify runner_manager variables --- variables.tf | 51 +++++++++++++++++++++++++++------------------------ 1 file changed, 27 insertions(+), 24 deletions(-) diff --git a/variables.tf b/variables.tf index 6c6cd4766..afff7f0e1 100644 --- a/variables.tf +++ b/variables.tf @@ -73,6 +73,33 @@ variable "iam_object_prefix" { /* * Runner Manager: A type of runner that can create multiple runners for autoscaling. Specific to the type of executor used. */ +variable "runner_manager_maximum_concurrent_jobs" { + description = "The maximum number of jobs which can be processed by all executors at the same time." + type = number + default = 10 +} + +variable "runner_manager_sentry_dsn" { + description = "Sentry DSN of the project for the Agent to use (uses legacy DSN format)" + type = string + default = "__SENTRY_DSN_REPLACED_BY_USER_DATA__" +} + +variable "runner_manager_gitlab_check_interval" { + description = "Number of seconds between checking for available jobs." + type = number + default = 3 +} + +variable "runner_manager_prometheus_listen_address" { + description = "Defines an address (:) the Prometheus metrics HTTP server should listen on." + type = string + default = "" +} + +/* + * Runner: The agent that runs the code on the host platform and displays in the UI. + */ variable "runner_manager_instance_prefix" { description = "Set the name prefix and override the `Name` tag for the Agent instance." type = string 
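Review bot: The new section comment `Runner: The agent that runs the code on the host platform and displays in the UI.` is inserted directly above `variable "runner_manager_instance_prefix"`, which keeps the `runner_manager_` prefix, so within this commit the section header and the names of the inputs below it contradict each other. If the prefix change is meant for a follow-up, say so in the comment (for example `/* Runner: ... Inputs below are renamed to runner_* in the next commit. */`) or do the rename here, so a reader of this revision does not take `runner_manager_instance_prefix` for a Runner Manager setting. The four declarations added above the header look byte-identical to the ones removed in the next hunk, so this is the only place where the two hunks leave a question.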
@@ -404,12 +431,6 @@ variable "runner_manager_gitlab_certificate" {
 default = ""
 }
-variable "runner_manager_gitlab_check_interval" {
- description = "Number of seconds between checking for available jobs."
- type = number
- default = 3
-}
-
 variable "runner_manager_gitlab_url" {
 description = "URL of the GitLab instance to connect to."
 type = string
@@ -427,30 +448,12 @@ variable "runner_manager_gitlab_token" {
 default = "__REPLACED_BY_USER_DATA__"
 }
-variable "runner_manager_maximum_concurrent_jobs" {
- description = "The maximum number of jobs which can be processed by all executors at the same time."
- type = number
- default = 10
-}
-
-variable "runner_manager_sentry_dsn" {
- description = "Sentry DSN of the project for the Agent to use (uses legacy DSN format)"
- type = string
- default = "__SENTRY_DSN_REPLACED_BY_USER_DATA__"
-}
-
 variable "runner_manager_sentry_secure_parameter_store_name" {
 description = "The Sentry DSN name used to store the Sentry DSN in Secure Parameter Store"
 type = string
 default = "sentry-dsn"
 }
-variable "runner_manager_prometheus_listen_address" {
- description = "Defines an address (:) the Prometheus metrics HTTP server should listen on."
- type = string
- default = ""
-}
-
 variable "runner_manager_terminate_ec2_lifecycle_hook_name" {
 description = "Specifies a custom name for the ASG terminate lifecycle hook and related resources."
 type = string
From 3a76dc7e5b2a4850a83a8c4c7ef75cd23e31e92a Mon Sep 17 00:00:00 2001
From: kayma Date: Thu, 20 Apr 2023 11:57:14 +0200 Subject: [PATCH 32/74] split variables in runner_manager and runner --- examples/runner-certificates/main.tf | 6 +- examples/runner-default/main.tf | 12 +- examples/runner-docker/main.tf | 10 +- examples/runner-multi-region/main.tf | 16 +-- examples/runner-pre-registered/main.tf | 6 +- examples/runner-public/main.tf | 14 +-- locals.tf | 14 +-- logging.tf | 12 +- main.tf | 168 ++++++++++++------------- migrations/migrate-to-7-0-0.sh | 102 +++++++-------- security_groups.tf | 14 +-- tags.tf | 2 +- variables.tf | 100 +++++++-------- 13 files changed, 238 insertions(+), 238 deletions(-) diff --git a/examples/runner-certificates/main.tf b/examples/runner-certificates/main.tf index 4a9a25969..df096c041 100644 --- a/examples/runner-certificates/main.tf +++ b/examples/runner-certificates/main.tf @@ -28,8 +28,8 @@ module "runner" { # General ############################################### - runner_manager_gitlab_runner_name = var.runner_name - runner_manager_gitlab_url = var.gitlab_url + runner_gitlab_runner_name = var.runner_name + runner_gitlab_url = var.gitlab_url runner_worker_type = "docker" @@ -62,7 +62,7 @@ module "runner" { # Registration ############################################### - runner_manager_gitlab_registration_config = { + runner_gitlab_registration_config = { registration_token = var.registration_token tag_list = "docker_runner" description = "runner docker - auto" diff --git a/examples/runner-default/main.tf b/examples/runner-default/main.tf index ac0871b00..18c7f0963 100644 --- a/examples/runner-default/main.tf +++ b/examples/runner-default/main.tf 
@@ -54,17 +54,17 @@ module "runner" { vpc_id = module.vpc.vpc_id subnet_id = element(module.vpc.private_subnets, 0) - runner_manager_collect_autoscaling_metrics = ["GroupDesiredCapacity", "GroupInServiceCapacity"] + runner_collect_autoscaling_metrics = ["GroupDesiredCapacity", "GroupInServiceCapacity"] - runner_manager_gitlab_runner_name = var.runner_name - runner_manager_gitlab_url = var.gitlab_url - runner_manager_enable_ssm_access = true + runner_gitlab_runner_name = var.runner_name + runner_gitlab_url = var.gitlab_url + runner_enable_ssm_access = true - runner_manager_ping_allow_from_security_groups = [data.aws_security_group.default.id] + runner_ping_allow_from_security_groups = [data.aws_security_group.default.id] runner_worker_docker_machine_ec2_spot_price_bid = "on-demand-price" - runner_manager_gitlab_registration_config = { + runner_gitlab_registration_config = { registration_token = var.registration_token tag_list = "docker_spot_runner" description = "runner default - auto" diff --git a/examples/runner-docker/main.tf b/examples/runner-docker/main.tf index fc18b0cad..2f34ea0a9 100644 --- a/examples/runner-docker/main.tf +++ b/examples/runner-docker/main.tf 
@@ -44,19 +44,19 @@ module "runner" { environment = var.environment runner_worker_docker_machine_use_private_address = false - runner_manager_enable_eip = true + runner_enable_eip = true runner_worker_docker_machine_security_group_description = "Custom description for docker-machine" - runner_manager_security_group_description = "Custom description for gitlab-runner" + runner_security_group_description = "Custom description for gitlab-runner" vpc_id = module.vpc.vpc_id subnet_id = element(module.vpc.public_subnets, 0) runner_worker_type = "docker" - runner_manager_gitlab_runner_name = var.runner_name - runner_manager_gitlab_url = var.gitlab_url + runner_gitlab_runner_name = var.runner_name + runner_gitlab_url = var.gitlab_url - runner_manager_gitlab_registration_config = { + runner_gitlab_registration_config = { registration_token = var.registration_token tag_list = "docker_runner" description = "runner docker - auto" diff --git a/examples/runner-multi-region/main.tf b/examples/runner-multi-region/main.tf index 3067df63c..245a76815 100644 --- a/examples/runner-multi-region/main.tf +++ b/examples/runner-multi-region/main.tf @@ -33,8 +33,8 @@ module "runner_main_region" { runner_worker_docker_machine_ec2_spot_price_bid = "on-demand-price" - runner_manager_gitlab_runner_name = var.runner_name - runner_manager_gitlab_url = var.gitlab_url + runner_gitlab_runner_name = var.runner_name + runner_gitlab_url = var.gitlab_url runner_worker_extra_environment_variables = ["KEY=Value", "FOO=bar"] runner_worker_docker_options = { @@ -42,7 +42,7 @@ module "runner_main_region" { volumes = ["/var/run/docker.sock:/var/run/docker.sock"] } - runner_manager_gitlab_registration_config = { + runner_gitlab_registration_config = { registration_token = var.registration_token tag_list = "docker_spot_runner" description = "runner public - auto" 
@@ -52,7 +52,7 @@ module "runner_main_region" { } security_group_prefix = "my-security-group" - runner_manager_instance_prefix = "my-runner-agent" + runner_instance_prefix = "my-runner-agent" runner_worker_docker_machine_instance_prefix = "my-runners-dm" iam_object_prefix = local.name_iam_objects_main_region @@ -102,8 +102,8 @@ module "runner_alternate_region" { runner_worker_docker_machine_ec2_spot_price_bid = "on-demand-price" - runner_manager_gitlab_runner_name = var.runner_name - runner_manager_gitlab_url = var.gitlab_url + runner_gitlab_runner_name = var.runner_name + runner_gitlab_url = var.gitlab_url runner_worker_extra_environment_variables = ["KEY=Value", "FOO=bar"] runner_worker_docker_options = { @@ -111,7 +111,7 @@ module "runner_alternate_region" { volumes = ["/var/run/docker.sock:/var/run/docker.sock"] } - runner_manager_gitlab_registration_config = { + runner_gitlab_registration_config = { registration_token = var.registration_token tag_list = "docker_spot_runner" description = "runner public - auto" @@ -122,7 +122,7 @@ module "runner_alternate_region" { } security_group_prefix = "my-security-group" - runner_manager_instance_prefix = "my-runner-agent" + runner_instance_prefix = "my-runner-agent" runner_worker_docker_machine_instance_prefix = "my-runners-dm" iam_object_prefix = local.name_iam_objects_main_region # <-- diff --git a/examples/runner-pre-registered/main.tf b/examples/runner-pre-registered/main.tf index 27f351a7d..29703ec0d 100644 --- a/examples/runner-pre-registered/main.tf +++ b/examples/runner-pre-registered/main.tf 
@@ -34,9 +34,9 @@ module "runner" { vpc_id = module.vpc.vpc_id subnet_id = element(module.vpc.private_subnets, 0) - runner_manager_gitlab_runner_name = var.runner_name - runner_manager_gitlab_url = var.gitlab_url - runner_manager_gitlab_token = var.runner_token + runner_gitlab_runner_name = var.runner_name + runner_gitlab_url = var.gitlab_url + runner_gitlab_token = var.runner_token # working 9 to 5 :) runner_worker_docker_machine_autoscaling_options = [ diff --git a/examples/runner-public/main.tf b/examples/runner-public/main.tf index 31f0d8176..38722f37a 100644 --- a/examples/runner-public/main.tf +++ b/examples/runner-public/main.tf @@ -38,8 +38,8 @@ module "runner" { runner_worker_docker_machine_ec2_spot_price_bid = "on-demand-price" - runner_manager_gitlab_runner_name = var.runner_name - runner_manager_gitlab_url = var.gitlab_url + runner_gitlab_runner_name = var.runner_name + runner_gitlab_url = var.gitlab_url runner_worker_extra_environment_variables = ["KEY=Value", "FOO=bar"] runner_worker_docker_options = { @@ -47,7 +47,7 @@ module "runner" { volumes = ["/var/run/docker.sock:/var/run/docker.sock"] } - runner_manager_gitlab_registration_config = { + runner_gitlab_registration_config = { registration_token = var.registration_token tag_list = "docker_spot_runner" description = "runner public - auto" @@ -58,7 +58,7 @@ module "runner" { } security_group_prefix = "my-security-group" - runner_manager_instance_prefix = "my-runner-agent" + runner_instance_prefix = "my-runner-agent" runner_worker_docker_machine_instance_prefix = "my-runners-dm" runner_worker_cache_shared = "true" 
@@ -82,10 +82,10 @@ module "runner2" { runner_worker_docker_machine_ec2_spot_price_bid = "on-demand-price" - runner_manager_gitlab_runner_name = var.runner_name - runner_manager_gitlab_url = var.gitlab_url + runner_gitlab_runner_name = var.runner_name + runner_gitlab_url = var.gitlab_url - runner_manager_gitlab_registration_config = { + runner_gitlab_registration_config = { registration_token = var.registration_token tag_list = "docker_spot_runner_2" description = "runner public - auto" diff --git a/locals.tf b/locals.tf index ecca13a55..7d27b66d8 100644 --- a/locals.tf +++ b/locals.tf @@ -1,7 +1,7 @@ locals { # Manage certificates pre_install_gitlab_certificate = ( - length(var.runner_manager_gitlab_certificate) > 0 + length(var.runner_gitlab_certificate) > 0 ? <<-EOT mkdir -p /etc/gitlab-runner/certs/ cat <<- EOF > /etc/gitlab-runner/certs/gitlab.crt @@ -11,7 +11,7 @@ locals { : "" ) pre_install_ca_certificate = ( - length(var.runner_manager_gitlab_ca_certificate) > 0 + length(var.runner_gitlab_ca_certificate) > 0 ? <<-EOT mkdir -p /etc/gitlab-runner/certs/ cat <<- EOF > /etc/gitlab-runner/certs/ca.crt @@ -39,7 +39,7 @@ locals { # Determine IAM role for runner instance aws_iam_role_instance_name = coalesce( - var.runner_manager_iam_role_profile_name, + var.runner_iam_role_profile_name, "${local.name_iam_objects}-instance" ) aws_iam_role_instance_arn = "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:role/${local.aws_iam_role_instance_name}" 
@@ -65,11 +65,11 @@ locals { runners_max_builds_string = var.runner_worker_docker_machine_max_builds == 0 ? "" : format("MaxBuilds = %d", var.runner_worker_docker_machine_max_builds) # Define key for runner token for SSM - secure_parameter_store_runner_token_key = "${var.environment}-${var.runner_manager_gitlab_token_secure_parameter_store}" - secure_parameter_store_runner_sentry_dsn = "${var.environment}-${var.runner_manager_sentry_secure_parameter_store_name}" + secure_parameter_store_runner_token_key = "${var.environment}-${var.runner_gitlab_token_secure_parameter_store}" + secure_parameter_store_runner_sentry_dsn = "${var.environment}-${var.runner_sentry_secure_parameter_store_name}" # Custom names for runner agent instance, security groups, and IAM objects - name_runner_agent_instance = var.runner_manager_instance_prefix == "" ? local.tags["Name"] : var.runner_manager_instance_prefix + name_runner_agent_instance = var.runner_instance_prefix == "" ? local.tags["Name"] : var.runner_instance_prefix name_sg = var.security_group_prefix == "" ? local.tags["Name"] : var.security_group_prefix name_iam_objects = var.iam_object_prefix == "" ? local.tags["Name"] : var.iam_object_prefix @@ -84,7 +84,7 @@ locals { /* determines if the docker machine executable adds the Name tag automatically (versions >= 0.16.2) */ # make sure to skip pre-release stuff in the semver by ignoring everything after "-" - docker_machine_version_used = split(".", split("-", var.runner_manager_docker_machine_version)[0]) + docker_machine_version_used = split(".", split("-", var.runner_docker_machine_version)[0]) docker_machine_version_with_name_tag = split(".", "0.16.2") docker_machine_version_test = [ for i, j in reverse(range(length(local.docker_machine_version_used))) diff --git a/logging.tf b/logging.tf index 86c78820b..4ec5a4f0f 100644 --- a/logging.tf +++ b/logging.tf 
@@ -1,25 +1,25 @@
 resource "aws_iam_role_policy" "instance" {
- count = var.runner_manager_cloudwatch_enable && var.runner_manager_create_runner_iam_role_profile ? 1 : 0
+ count = var.runner_cloudwatch_enable && var.runner_create_runner_iam_role_profile ? 1 : 0
 name = "${local.name_iam_objects}-logging"
- role = var.runner_manager_create_runner_iam_role_profile ? aws_iam_role.instance[0].name : local.aws_iam_role_instance_name
+ role = var.runner_create_runner_iam_role_profile ? aws_iam_role.instance[0].name : local.aws_iam_role_instance_name
 policy = templatefile("${path.module}/policies/instance-logging-policy.json", {
 partition = data.aws_partition.current.partition
 })
 }
 locals {
 logging_user_data = templatefile("${path.module}/template/logging.tftpl", {
- log_group_name = var.runner_manager_cloudwatch_log_group_name != null ? var.runner_manager_cloudwatch_log_group_name : var.environment
+ log_group_name = var.runner_cloudwatch_log_group_name != null ? var.runner_cloudwatch_log_group_name : var.environment
 })
 provided_kms_key = var.kms_key_id != "" ? var.kms_key_id : ""
 kms_key = local.provided_kms_key == "" && var.enable_managed_kms_key ? aws_kms_key.default[0].arn : local.provided_kms_key
 }
 resource "aws_cloudwatch_log_group" "environment" {
- count = var.runner_manager_cloudwatch_enable ? 1 : 0
- name = var.runner_manager_cloudwatch_log_group_name != null ? var.runner_manager_cloudwatch_log_group_name : var.environment
+ count = var.runner_cloudwatch_enable ? 1 : 0
+ name = var.runner_cloudwatch_log_group_name != null ? var.runner_cloudwatch_log_group_name : var.environment
 # ignores a false positive: retention_in_days not set
 # kics-scan ignore-line
- retention_in_days = var.runner_manager_cloudwatch_retention_days
+ retention_in_days = var.runner_cloudwatch_retention_days
 tags = local.tags
 # ignored as decided by the user
diff --git a/main.tf b/main.tf
index 15c1d1c72..c39dec54e 100644
--- a/main.tf
+++ b/main.tf
@@ -38,12 +38,12 @@ resource "aws_ssm_parameter" "runner_sentry_dsn" {
 locals {
 template_user_data = templatefile("${path.module}/template/user-data.tftpl", {
- eip = var.runner_manager_enable_eip ? local.template_eip : ""
- logging = var.runner_manager_cloudwatch_enable ? local.logging_user_data : ""
+ eip = var.runner_enable_eip ? local.template_eip : ""
+ logging = var.runner_cloudwatch_enable ? local.logging_user_data : ""
 gitlab_runner = local.template_gitlab_runner
- user_data_trace_log = var.runner_manager_user_data_enable_trace_log
- yum_update = var.runner_manager_yum_update ? local.file_yum_update : ""
- extra_config = var.runner_manager_user_data_extra
+ user_data_trace_log = var.runner_user_data_enable_trace_log
+ yum_update = var.runner_yum_update ? local.file_yum_update : ""
+ extra_config = var.runner_user_data_extra
 })
 file_yum_update = file("${path.module}/template/yum_update.tftpl")
@@ -54,38 +54,38 @@ locals { template_gitlab_runner = templatefile("${path.module}/template/gitlab-runner.tftpl", { - gitlab_runner_version = var.runner_manager_gitlab_runner_version - docker_machine_version = var.runner_manager_docker_machine_version - docker_machine_download_url = var.runner_manager_docker_machine_download_url + gitlab_runner_version = var.runner_gitlab_runner_version + docker_machine_version = var.runner_docker_machine_version + docker_machine_download_url = var.runner_docker_machine_download_url runners_config = local.template_runner_config runners_userdata = var.runner_worker_docker_machine_userdata runners_executor = var.runner_worker_type - runners_install_amazon_ecr_credential_helper = var.runner_manager_install_amazon_ecr_credential_helper - curl_cacert = length(var.runner_manager_gitlab_certificate) > 0 ? "--cacert /etc/gitlab-runner/certs/gitlab.crt" : "" + runners_install_amazon_ecr_credential_helper = var.runner_install_amazon_ecr_credential_helper + curl_cacert = length(var.runner_gitlab_certificate) > 0 ? 
"--cacert /etc/gitlab-runner/certs/gitlab.crt" : "" pre_install_certificates = local.pre_install_certificates - pre_install = var.runner_manager_userdata_pre_install - post_install = var.runner_manager_userdata_post_install - runners_gitlab_url = var.runner_manager_gitlab_url - runners_token = var.runner_manager_gitlab_token + pre_install = var.runner_userdata_pre_install + post_install = var.runner_userdata_post_install + runners_gitlab_url = var.runner_gitlab_url + runners_token = var.runner_gitlab_token secure_parameter_store_runner_token_key = local.secure_parameter_store_runner_token_key secure_parameter_store_runner_sentry_dsn = local.secure_parameter_store_runner_sentry_dsn secure_parameter_store_region = data.aws_region.current.name - gitlab_runner_registration_token = var.runner_manager_gitlab_registration_config["registration_token"] - gitlab_runner_description = var.runner_manager_gitlab_registration_config["description"] - gitlab_runner_tag_list = var.runner_manager_gitlab_registration_config["tag_list"] - gitlab_runner_locked_to_project = var.runner_manager_gitlab_registration_config["locked_to_project"] - gitlab_runner_run_untagged = var.runner_manager_gitlab_registration_config["run_untagged"] - gitlab_runner_maximum_timeout = var.runner_manager_gitlab_registration_config["maximum_timeout"] - gitlab_runner_access_level = lookup(var.runner_manager_gitlab_registration_config, "access_level", "not_protected") + gitlab_runner_registration_token = var.runner_gitlab_registration_config["registration_token"] + gitlab_runner_description = var.runner_gitlab_registration_config["description"] + gitlab_runner_tag_list = var.runner_gitlab_registration_config["tag_list"] + gitlab_runner_locked_to_project = var.runner_gitlab_registration_config["locked_to_project"] + gitlab_runner_run_untagged = var.runner_gitlab_registration_config["run_untagged"] + gitlab_runner_maximum_timeout = var.runner_gitlab_registration_config["maximum_timeout"] + 
gitlab_runner_access_level = lookup(var.runner_gitlab_registration_config, "access_level", "not_protected") sentry_dsn = var.runner_manager_sentry_dsn }) template_runner_config = templatefile("${path.module}/template/runner-config.tftpl", { aws_region = data.aws_region.current.name - gitlab_url = var.runner_manager_gitlab_url - gitlab_clone_url = var.runner_manager_gitlab_clone_url - tls_ca_file = length(var.runner_manager_gitlab_certificate) > 0 ? "tls-ca-file=\"/etc/gitlab-runner/certs/gitlab.crt\"" : "" + gitlab_url = var.runner_gitlab_url + gitlab_clone_url = var.runner_gitlab_clone_url + tls_ca_file = length(var.runner_gitlab_certificate) > 0 ? "tls-ca-file=\"/etc/gitlab-runner/certs/gitlab.crt\"" : "" runners_machine_autoscaling = [for config in var.runner_worker_docker_machine_autoscaling_options : { for key, value in config : # Convert key from snake_case to PascalCase which is the casing for this section. @@ -104,9 +104,9 @@ locals { runners_instance_profile = var.runner_worker_type == "docker+machine" ? aws_iam_instance_profile.docker_machine[0].name : "" docker_machine_options = length(local.docker_machine_options_string) == 1 ? "" : local.docker_machine_options_string docker_machine_name = format("%s-%s", local.runner_tags_merged["Name"], "%s") # %s is always needed - runners_name = var.runner_manager_gitlab_runner_name + runners_name = var.runner_gitlab_runner_name runners_tags = replace(replace(local.runner_tags_string, ",,", ","), "/,$/", "") - runners_token = var.runner_manager_gitlab_token + runners_token = var.runner_gitlab_token runners_userdata = var.runner_worker_docker_machine_userdata runners_executor = var.runner_worker_type runners_limit = var.runner_worker_max_jobs 
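Review bot: `sentry_dsn = var.runner_manager_sentry_dsn` near the end of the `template_gitlab_runner` block keeps the manager prefix, while `secure_parameter_store_runner_sentry_dsn`, the SSM parameter name for the same DSN, is now built from `var.runner_sentry_secure_parameter_store_name` in the locals.tf hunk of this commit. Unless the split is deliberate, the two Sentry inputs belong under one prefix; a user migrating by prefix will otherwise rename one and miss the other, and the DSN (a credential-like value) ends up configured through two differently-classified inputs. If it is deliberate, a sentence in the description of `runner_manager_sentry_dsn` saying which process reports to Sentry and why the parameter-store name is a runner-level input would make the boundary clear. The `template_gitlab_runner` block starts in the hunk above, so the remaining Sentry-related lines are not visible here.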
@@ -162,15 +162,15 @@ data "aws_ami" "docker-machine" { # kics-scan ignore-line resource "aws_autoscaling_group" "gitlab_runner_instance" { # TODO Please explain how `agent_enable_asg_recreation` works - name = var.runner_manager_enable_asg_recreation ? "${aws_launch_template.gitlab_runner_instance.name}-asg" : "${var.environment}-as-group" + name = var.runner_enable_asg_recreation ? "${aws_launch_template.gitlab_runner_instance.name}-asg" : "${var.environment}-as-group" vpc_zone_identifier = [var.subnet_id] min_size = "1" max_size = "1" desired_capacity = "1" health_check_grace_period = 0 - max_instance_lifetime = var.runner_manager_max_instance_lifetime_seconds - enabled_metrics = var.runner_manager_collect_autoscaling_metrics + max_instance_lifetime = var.runner_max_instance_lifetime_seconds + enabled_metrics = var.runner_collect_autoscaling_metrics dynamic "tag" { for_each = local.agent_tags @@ -196,7 +196,7 @@ resource "aws_autoscaling_group" "gitlab_runner_instance" { } timeouts { - delete = var.runner_manager_terraform_timeout_delete_asg + delete = var.runner_terraform_timeout_delete_asg } lifecycle { ignore_changes = [min_size, max_size, desired_capacity] 
@@ -204,39 +204,39 @@ resource "aws_autoscaling_group" "gitlab_runner_instance" { } resource "aws_autoscaling_schedule" "scale_in" { - count = var.runner_manager_schedule_enable ? 1 : 0 + count = var.runner_schedule_enable ? 1 : 0 autoscaling_group_name = aws_autoscaling_group.gitlab_runner_instance.name scheduled_action_name = "scale_in-${aws_autoscaling_group.gitlab_runner_instance.name}" - recurrence = var.runner_manager_schedule_config["scale_in_recurrence"] - time_zone = try(var.runner_manager_schedule_config["scale_in_time_zone"], "Etc/UTC") - min_size = try(var.runner_manager_schedule_config["scale_in_min_size"], var.runner_manager_schedule_config["scale_in_count"]) - desired_capacity = try(var.runner_manager_schedule_config["scale_in_desired_capacity"], var.runner_manager_schedule_config["scale_in_count"]) - max_size = try(var.runner_manager_schedule_config["scale_in_max_size"], var.runner_manager_schedule_config["scale_in_count"]) + recurrence = var.runner_schedule_config["scale_in_recurrence"] + time_zone = try(var.runner_schedule_config["scale_in_time_zone"], "Etc/UTC") + min_size = try(var.runner_schedule_config["scale_in_min_size"], var.runner_schedule_config["scale_in_count"]) + desired_capacity = try(var.runner_schedule_config["scale_in_desired_capacity"], var.runner_schedule_config["scale_in_count"]) + max_size = try(var.runner_schedule_config["scale_in_max_size"], var.runner_schedule_config["scale_in_count"]) } resource "aws_autoscaling_schedule" "scale_out" { - count = var.runner_manager_schedule_enable ? 1 : 0 + count = var.runner_schedule_enable ? 
1 : 0 autoscaling_group_name = aws_autoscaling_group.gitlab_runner_instance.name scheduled_action_name = "scale_out-${aws_autoscaling_group.gitlab_runner_instance.name}" - recurrence = var.runner_manager_schedule_config["scale_out_recurrence"] - time_zone = try(var.runner_manager_schedule_config["scale_out_time_zone"], "Etc/UTC") - min_size = try(var.runner_manager_schedule_config["scale_out_min_size"], var.runner_manager_schedule_config["scale_out_count"]) - desired_capacity = try(var.runner_manager_schedule_config["scale_out_desired_capacity"], var.runner_manager_schedule_config["scale_out_count"]) - max_size = try(var.runner_manager_schedule_config["scale_out_max_size"], var.runner_manager_schedule_config["scale_out_count"]) + recurrence = var.runner_schedule_config["scale_out_recurrence"] + time_zone = try(var.runner_schedule_config["scale_out_time_zone"], "Etc/UTC") + min_size = try(var.runner_schedule_config["scale_out_min_size"], var.runner_schedule_config["scale_out_count"]) + desired_capacity = try(var.runner_schedule_config["scale_out_desired_capacity"], var.runner_schedule_config["scale_out_count"]) + max_size = try(var.runner_schedule_config["scale_out_max_size"], var.runner_schedule_config["scale_out_count"]) } data "aws_ami" "runner" { most_recent = "true" dynamic "filter" { - for_each = var.runner_manager_ami_filter + for_each = var.runner_ami_filter content { name = filter.key values = filter.value } } - owners = var.runner_manager_ami_owners + owners = var.runner_ami_owners } resource "aws_launch_template" "gitlab_runner_instance" { 
@@ -246,20 +246,20 @@ resource "aws_launch_template" "gitlab_runner_instance" { image_id = data.aws_ami.runner.id user_data = base64gzip(local.template_user_data) - instance_type = var.runner_manager_instance_type + instance_type = var.runner_instance_type update_default_version = true - ebs_optimized = var.runner_manager_ebs_optimized + ebs_optimized = var.runner_ebs_optimized monitoring { - enabled = var.runner_manager_enable_monitoring + enabled = var.runner_enable_monitoring } dynamic "instance_market_options" { - for_each = var.runner_manager_spot_price == null || var.runner_manager_spot_price == "" ? [] : ["spot"] + for_each = var.runner_spot_price == null || var.runner_spot_price == "" ? [] : ["spot"] content { market_type = instance_market_options.value dynamic "spot_options" { - for_each = var.runner_manager_spot_price == "on-demand-price" ? [] : [0] + for_each = var.runner_spot_price == "on-demand-price" ? [] : [0] content { - max_price = var.runner_manager_spot_price + max_price = var.runner_spot_price } } } @@ -268,7 +268,7 @@ resource "aws_launch_template" "gitlab_runner_instance" { name = local.aws_iam_role_instance_name } dynamic "block_device_mappings" { - for_each = [var.runner_manager_root_block_device] + for_each = [var.runner_root_block_device] content { # cSpell:ignore xvda device_name = lookup(block_device_mappings.value, "device_name", "/dev/xvda") 
@@ -284,8 +284,8 @@ resource "aws_launch_template" "gitlab_runner_instance" { } } network_interfaces { - security_groups = concat([aws_security_group.runner.id], var.runner_manager_extra_security_group_ids) - associate_public_ip_address = false == (var.runner_manager_use_private_address == false ? var.runner_manager_use_private_address : var.runner_worker_docker_machine_use_private_address) + security_groups = concat([aws_security_group.runner.id], var.runner_extra_security_group_ids) + associate_public_ip_address = false == (var.runner_use_private_address == false ? var.runner_use_private_address : var.runner_worker_docker_machine_use_private_address) } tag_specifications { resource_type = "instance" @@ -296,7 +296,7 @@ resource "aws_launch_template" "gitlab_runner_instance" { tags = local.tags } dynamic "tag_specifications" { - for_each = var.runner_manager_spot_price == null || var.runner_manager_spot_price == "" ? [] : ["spot"] + for_each = var.runner_spot_price == null || var.runner_spot_price == "" ? [] : ["spot"] content { resource_type = "spot-instances-request" tags = local.tags @@ -306,10 +306,10 @@ resource "aws_launch_template" "gitlab_runner_instance" { tags = local.tags metadata_options { - http_endpoint = var.runner_manager_metadata_options.http_endpoint - http_tokens = var.runner_manager_metadata_options.http_tokens - http_put_response_hop_limit = var.runner_manager_metadata_options.http_put_response_hop_limit - instance_metadata_tags = var.runner_manager_metadata_options.instance_metadata_tags + http_endpoint = var.runner_metadata_options.http_endpoint + http_tokens = var.runner_metadata_options.http_tokens + http_put_response_hop_limit = var.runner_metadata_options.http_put_response_hop_limit + instance_metadata_tags = var.runner_metadata_options.instance_metadata_tags } lifecycle { 
@@ -353,7 +353,7 @@ module "cache" { ### Trust policy ################################################################################ resource "aws_iam_instance_profile" "instance" { - count = var.runner_manager_create_runner_iam_role_profile ? 1 : 0 + count = var.runner_create_runner_iam_role_profile ? 1 : 0 name = local.aws_iam_role_instance_name role = local.aws_iam_role_instance_name @@ -362,13 +362,13 @@ resource "aws_iam_instance_profile" "instance" { } resource "aws_iam_role" "instance" { - count = var.runner_manager_create_runner_iam_role_profile ? 1 : 0 + count = var.runner_create_runner_iam_role_profile ? 1 : 0 name = local.aws_iam_role_instance_name - assume_role_policy = length(var.runner_manager_assume_role_json) > 0 ? var.runner_manager_assume_role_json : templatefile("${path.module}/policies/instance-role-trust-policy.json", {}) + assume_role_policy = length(var.runner_assume_role_json) > 0 ? var.runner_assume_role_json : templatefile("${path.module}/policies/instance-role-trust-policy.json", {}) permissions_boundary = var.iam_permissions_boundary == "" ? null : "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:policy/${var.iam_permissions_boundary}" - tags = merge(local.tags, var.runner_manager_extra_role_tags) + tags = merge(local.tags, var.runner_extra_role_tags) } ################################################################################ @@ -392,7 +392,7 @@ resource "aws_iam_policy" "instance_kms_policy" { resource "aws_iam_role_policy_attachment" "instance_kms_policy" { count = var.enable_managed_kms_key ? 1 : 0 - role = var.runner_manager_create_runner_iam_role_profile ? aws_iam_role.instance[0].name : local.aws_iam_role_instance_name + role = var.runner_create_runner_iam_role_profile ? aws_iam_role.instance[0].name : local.aws_iam_role_instance_name policy_arn = aws_iam_policy.instance_kms_policy[0].arn } 
@@ -403,7 +403,7 @@ resource "aws_iam_role_policy_attachment" "instance_kms_policy" { ### iam:PassRole To pass the role from the agent to the docker machine runners ################################################################################ resource "aws_iam_policy" "instance_docker_machine_policy" { - count = var.runner_worker_type == "docker+machine" && var.runner_manager_create_runner_iam_role_profile ? 1 : 0 + count = var.runner_worker_type == "docker+machine" && var.runner_create_runner_iam_role_profile ? 1 : 0 name = "${local.name_iam_objects}-docker-machine" path = "/" @@ -417,7 +417,7 @@ resource "aws_iam_policy" "instance_docker_machine_policy" { } resource "aws_iam_role_policy_attachment" "instance_docker_machine_policy" { - count = var.runner_worker_type == "docker+machine" && var.runner_manager_create_runner_iam_role_profile ? 1 : 0 + count = var.runner_worker_type == "docker+machine" && var.runner_create_runner_iam_role_profile ? 1 : 0 role = aws_iam_role.instance[0].name policy_arn = aws_iam_policy.instance_docker_machine_policy[0].arn @@ -427,7 +427,7 @@ resource "aws_iam_role_policy_attachment" "instance_docker_machine_policy" { ### Policies for runner agent instance to allow connection via Session Manager ################################################################################ resource "aws_iam_policy" "instance_session_manager_policy" { - count = var.runner_manager_enable_ssm_access ? 1 : 0 + count = var.runner_enable_ssm_access ? 1 : 0 name = "${local.name_iam_objects}-session-manager" path = "/" 
@@ -438,16 +438,16 @@ resource "aws_iam_policy" "instance_session_manager_policy" { } resource "aws_iam_role_policy_attachment" "instance_session_manager_policy" { - count = var.runner_manager_enable_ssm_access ? 1 : 0 + count = var.runner_enable_ssm_access ? 1 : 0 - role = var.runner_manager_create_runner_iam_role_profile ? aws_iam_role.instance[0].name : local.aws_iam_role_instance_name + role = var.runner_create_runner_iam_role_profile ? aws_iam_role.instance[0].name : local.aws_iam_role_instance_name policy_arn = aws_iam_policy.instance_session_manager_policy[0].arn } resource "aws_iam_role_policy_attachment" "instance_session_manager_aws_managed" { - count = var.runner_manager_enable_ssm_access ? 1 : 0 + count = var.runner_enable_ssm_access ? 1 : 0 - role = var.runner_manager_create_runner_iam_role_profile ? aws_iam_role.instance[0].name : local.aws_iam_role_instance_name + role = var.runner_create_runner_iam_role_profile ? aws_iam_role.instance[0].name : local.aws_iam_role_instance_name policy_arn = "arn:${data.aws_partition.current.partition}:iam::aws:policy/AmazonSSMManagedInstanceCore" } @@ -455,10 +455,10 @@ resource "aws_iam_role_policy_attachment" "instance_session_manager_aws_managed" ### Add user defined policies ################################################################################ resource "aws_iam_role_policy_attachment" "user_defined_policies" { - count = length(var.runner_manager_extra_iam_policy_arns) + count = length(var.runner_extra_iam_policy_arns) - role = var.runner_manager_create_runner_iam_role_profile ? aws_iam_role.instance[0].name : local.aws_iam_role_instance_name - policy_arn = var.runner_manager_extra_iam_policy_arns[count.index] + role = var.runner_create_runner_iam_role_profile ? aws_iam_role.instance[0].name : local.aws_iam_role_instance_name + policy_arn = var.runner_extra_iam_policy_arns[count.index] } ################################################################################ 
@@ -470,7 +470,7 @@ resource "aws_iam_role_policy_attachment" "docker_machine_cache_instance" { use aws_iam_role.docker_machine.name here! See https://docs.gitlab.com/runner/configuration/advanced-configuration.html */ count = var.runner_worker_type == "docker+machine" ? (var.runner_worker_cache_s3_bucket["create"] || lookup(var.runner_worker_cache_s3_bucket, "policy", "") != "" ? 1 : 0) : 0 - role = var.runner_manager_create_runner_iam_role_profile ? aws_iam_role.instance[0].name : local.aws_iam_role_instance_name + role = var.runner_create_runner_iam_role_profile ? aws_iam_role.instance[0].name : local.aws_iam_role_instance_name policy_arn = local.bucket_policy } @@ -519,7 +519,7 @@ resource "aws_iam_role_policy_attachment" "docker_machine_session_manager_aws_ma ### Service linked policy, optional ################################################################################ resource "aws_iam_policy" "service_linked_role" { - count = var.runner_manager_allow_iam_service_linked_role_creation ? 1 : 0 + count = var.runner_allow_iam_service_linked_role_creation ? 1 : 0 name = "${local.name_iam_objects}-service_linked_role" path = "/" @@ -530,15 +530,15 @@ resource "aws_iam_policy" "service_linked_role" { } resource "aws_iam_role_policy_attachment" "service_linked_role" { - count = var.runner_manager_allow_iam_service_linked_role_creation ? 1 : 0 + count = var.runner_allow_iam_service_linked_role_creation ? 1 : 0 - role = var.runner_manager_create_runner_iam_role_profile ? aws_iam_role.instance[0].name : local.aws_iam_role_instance_name + role = var.runner_create_runner_iam_role_profile ? aws_iam_role.instance[0].name : local.aws_iam_role_instance_name policy_arn = aws_iam_policy.service_linked_role[0].arn } resource "aws_eip" "gitlab_runner" { # checkov:skip=CKV2_AWS_19:We can't use NAT gateway here as we are contacted from the outside. - count = var.runner_manager_enable_eip ? 1 : 0 + count = var.runner_enable_eip ? 1 : 0 tags = local.tags } 
@@ -556,7 +556,7 @@ resource "aws_iam_policy" "ssm" { } resource "aws_iam_role_policy_attachment" "ssm" { - role = var.runner_manager_create_runner_iam_role_profile ? aws_iam_role.instance[0].name : local.aws_iam_role_instance_name + role = var.runner_create_runner_iam_role_profile ? aws_iam_role.instance[0].name : local.aws_iam_role_instance_name policy_arn = aws_iam_policy.ssm.arn } @@ -564,7 +564,7 @@ resource "aws_iam_role_policy_attachment" "ssm" { ### AWS assign EIP ################################################################################ resource "aws_iam_policy" "eip" { - count = var.runner_manager_enable_eip ? 1 : 0 + count = var.runner_enable_eip ? 1 : 0 name = "${local.name_iam_objects}-eip" path = "/" @@ -575,9 +575,9 @@ resource "aws_iam_policy" "eip" { } resource "aws_iam_role_policy_attachment" "eip" { - count = var.runner_manager_enable_eip ? 1 : 0 + count = var.runner_enable_eip ? 1 : 0 - role = var.runner_manager_create_runner_iam_role_profile ? aws_iam_role.instance[0].name : local.aws_iam_role_instance_name + role = var.runner_create_runner_iam_role_profile ? aws_iam_role.instance[0].name : local.aws_iam_role_instance_name policy_arn = aws_iam_policy.eip[0].arn } 
@@ -587,11 +587,11 @@ resource "aws_iam_role_policy_attachment" "eip" { module "terminate_agent_hook" { source = "./modules/terminate-agent-hook" - name = var.runner_manager_terminate_ec2_lifecycle_hook_name == null ? "terminate-instances" : var.runner_manager_terminate_ec2_lifecycle_hook_name + name = var.runner_terminate_ec2_lifecycle_hook_name == null ? "terminate-instances" : var.runner_terminate_ec2_lifecycle_hook_name environment = var.environment asg_arn = aws_autoscaling_group.gitlab_runner_instance.arn asg_name = aws_autoscaling_group.gitlab_runner_instance.name - cloudwatch_logging_retention_in_days = var.runner_manager_cloudwatch_retention_days + cloudwatch_logging_retention_in_days = var.runner_cloudwatch_retention_days name_iam_objects = local.name_iam_objects name_docker_machine_runners = local.runner_tags_merged["Name"] role_permissions_boundary = var.iam_permissions_boundary == "" ? null : "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:policy/${var.iam_permissions_boundary}" diff --git a/migrations/migrate-to-7-0-0.sh b/migrations/migrate-to-7-0-0.sh index 714693de1..7b1180991 100755 --- a/migrations/migrate-to-7-0-0.sh +++ b/migrations/migrate-to-7-0-0.sh 
@@ -90,16 +90,16 @@ sed 's/enable_kms/enable_managed_kms_key/g' "$converted_file" | \
 sed 's/kms_alias_name/kms_managed_alias_name/g' | \
 sed 's/kms_deletion_window_in_days/kms_managed_deletion_rotation_window_in_days/g' | \
 sed 's/permission_boundary/iam_permission_boundary/g' | \
-sed 's/extra_security_group_ids_runner_agent/runner_manager_extra_security_group_ids/g' | \
-sed 's/instance_type/runner_manager_instance_type/g' | \
-sed 's/runner_instance_ebs_optimized/runner_manager_ebs_optimized/g' | \
-sed 's/runner_instance_enable_monitoring/runner_manager_enable_monitoring/g' | \
-sed 's/runner_instance_metadata_options/runner_manager_metadata_options/g' | \
+sed 's/extra_security_group_ids_runner_agent/runner_extra_security_group_ids/g' | \
+sed 's/instance_type/runner_instance_type/g' | \
+sed 's/runner_instance_ebs_optimized/runner_ebs_optimized/g' | \
+sed 's/runner_instance_enable_monitoring/runner_enable_monitoring/g' | \
+sed 's/runner_instance_metadata_options/runner_metadata_options/g' | \
 sed 's/runners_userdata/runner_worker_docker_machine_userdata/g' | \
 sed 's/runners_executor/runner_worker_type/g' | \
-sed 's/runners_install_amazon_ecr_credential_helper/runner_manager_install_amazon_ecr_credential_helper/g' | \
-sed 's/runners_clone_url/runner_manager_gitlab_clone_url/g' | \
-sed 's/runners_gitlab_url/runner_manager_gitlab_url/g' | \
+sed 's/runners_install_amazon_ecr_credential_helper/runner_install_amazon_ecr_credential_helper/g' | \
+sed 's/runners_clone_url/runner_gitlab_clone_url/g' | \
+sed 's/runners_gitlab_url/runner_gitlab_url/g' | \
 sed 's/runners_max_builds/runner_worker_docker_machine_max_builds/g' | \
 sed 's/runners_idle_count/runner_worker_idle_count/g' | \
 sed 's/runners_idle_time/runner_worker_idle_time/g' | \
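Review bot: `+sed 's/instance_type/runner_instance_type/g'` is unanchored, so it also rewrites `docker_machine_instance_type` into `docker_machine_runner_instance_type` before the later, unchanged stage `sed 's/docker_machine_instance_type/runner_worker_docker_machine_instance_type/g'` runs, and that stage then no longer matches. The same mangling existed with the `runner_manager_` prefix, but the rename was the moment to fix it, since this script is what users run to migrate to 7.0.0. Anchoring the match on a non-`_` start keeps the worker variable intact and preserves the character in front of it: `sed -E 's/(^|[^_])instance_type/\1runner_instance_type/g' | \`.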
@@ -108,35 +108,35 @@ sed 's/runners_limit/runner_worker_max_jobs/g' | \
 sed 's/runners_check_interval/runner_manager_gitlab_check_interval/g' | \
 sed 's/sentry_dsn/runner_manager_sentry_dsn/g' | \
 sed 's/prometheus_listen_address/runner_manager_prometheus_listen_address/g' | \
-sed 's/runner_extra_config/runner_manager_user_data_extra/g' | \
-sed 's/runners_ca_certificate/runner_manager_gitlab_ca_certificate/g' | \
-sed 's/runners_yum_update/runner_manager_yum_update/g' | \
+sed 's/runner_extra_config/runner_user_data_extra/g' | \
+sed 's/runners_ca_certificate/runner_gitlab_ca_certificate/g' | \
+sed 's/runners_yum_update/runner_yum_update/g' | \
 sed 's/runners_gitlab_certificate/runners_gitlab_certificate/g' | \
-sed 's/asg_terminate_lifecycle_hook_name/runner_manager_terminate_ec2_lifecycle_hook_name/g' | \
-sed 's/runner_iam_policy_arns/runner_manager_extra_iam_policy_arns/g' | \
-sed 's/create_runner_iam_role/runner_manager_create_runner_iam_role_profile/g' | \
-sed 's/runner_iam_role_name/runner_manager_iam_role_profile_name/g' | \
-sed 's/enable_eip/runner_manager_enable_eip/g' | \
-sed 's/enable_runner_ssm_access/runner_manager_enable_ssm_access/g' | \
-sed 's/enable_runner_user_data_trace_log/runner_manager_user_data_enable_trace_log/g' | \
-sed 's/enable_schedule/runner_manager_schedule_enable/g' | \
-sed 's/schedule_config/runner_manager_schedule_config/g' | \
-sed 's/runner_root_block_device/runner_manager_root_block_device/g' | \
-sed 's/gitlab_runner_registration_config/runner_manager_gitlab_registration_config/g' | \
-sed 's/[^_]ami_filter/runner_manager_ami_filter/g' | \
-sed 's/[^_]ami_owners/runner_manager_ami_owners/g' | \
+sed 's/asg_terminate_lifecycle_hook_name/runner_terminate_ec2_lifecycle_hook_name/g' | \
+sed 's/runner_iam_policy_arns/runner_extra_iam_policy_arns/g' | \
+sed 's/create_runner_iam_role/runner_create_runner_iam_role_profile/g' | \
+sed 's/runner_iam_role_name/runner_iam_role_profile_name/g' | \
+sed 's/enable_eip/runner_enable_eip/g' | \
+sed 's/enable_runner_ssm_access/runner_enable_ssm_access/g' | \
+sed 's/enable_runner_user_data_trace_log/runner_user_data_enable_trace_log/g' | \
+sed 's/enable_schedule/runner_schedule_enable/g' | \
+sed 's/schedule_config/runner_schedule_config/g' | \
+sed 's/runner_root_block_device/runner_root_block_device/g' | \
+sed 's/gitlab_runner_registration_config/runner_gitlab_registration_config/g' | \
+sed 's/[^_]ami_filter/runner_ami_filter/g' | \
+sed 's/[^_]ami_owners/runner_ami_owners/g' | \
 sed 's/runner_ami_filter/runner_worker_docker_machine_ami_filter/g' | \
 sed 's/runner_ami_owners/runner_worker_docker_machine_ami_owners/g' | \
-sed 's/instance_role_json/runner_manager_assume_role_json/g' | \
+sed 's/instance_role_json/runner_assume_role_json/g' | \
 sed 's/docker_machine_role_json/runner_worker_docker_machine_assume_role_json/g' | \
-sed 's/role_tags/runner_manager_extra_role_tags/g' | \
+sed 's/role_tags/runner_extra_role_tags/g' | \
 sed 's/runner_tags/runner_worker_docker_machine_extra_role_tags/g' | \
-sed 's/agent_tags/runner_manager_extra_instance_tags/g' | \
-sed 's/enable_ping/runner_manager_ping_enable/g' | \
-sed 's/gitlab_runner_version/runner_manager_gitlab_runner_version/g' | \
-sed 's/gitlab_runner_egress_rules/runner_manager_extra_egress_rules/g' | \
-sed 's/gitlab_runner_security_group_ids/runner_manager_ping_allow_from_security_groups/g' | \
-sed 's/gitlab_runner_security_group_description/runner_manager_security_group_description/g' | \
+sed 's/agent_tags/runner_extra_instance_tags/g' | \
+sed 's/enable_ping/runner_ping_enable/g' | \
+sed 's/gitlab_runner_version/runner_gitlab_runner_version/g' | \
+sed 's/gitlab_runner_egress_rules/runner_extra_egress_rules/g' | \
+sed 's/gitlab_runner_security_group_ids/runner_ping_allow_from_security_groups/g' | \
+sed 's/gitlab_runner_security_group_description/runner_security_group_description/g' | \
 sed 's/cache_shared/runner_worker_cache_shared/g' | \
 sed 's/cache_expiration_days/runner_worker_cache_s3_expiration_days/g' | \
 sed 's/cache_bucket_versioning/runner_worker_cache_s3_enable_versioning/g' | \
@@ -145,11 +145,11 @@ sed 's/cache_logging_bucket/runner_worker_cache_s3_logging_bucket_id/g' | \
 sed 's/cache_bucket_set_random_suffix/runner_worker_cache_s3_bucket_enable_random_suffix/g' | \
 sed 's/cache_bucket_name_include_account_id/runner_worker_cache_s3_bucket_name_include_account_id/g' | \
 sed 's/cache_bucket_prefix/runner_worker_cache_s3_bucket_prefix/g' | \
-sed 's/runner_agent_uses_private_address/runner_manager_use_private_address/g' | \
+sed 's/runner_agent_uses_private_address/runner_use_private_address/g' | \
 sed 's/runners_use_private_address/runner_worker_docker_machine_use_private_address/g' | \
 sed 's/runners_request_spot_instance/runner_worker_docker_machine_request_spot_instances/g' | \
-sed 's/userdata_pre_install/runner_manager_userdata_pre_install/g' | \
-sed 's/userdata_post_install/runner_manager_userdata_post_install/g' | \
+sed 's/userdata_pre_install/runner_userdata_pre_install/g' | \
+sed 's/userdata_post_install/runner_userdata_post_install/g' | \
 sed 's/runners_pre_build_script/runner_worker_pre_build_script/g' | \
 sed 's/runners_post_build_script/runner_worker_post_build_script/g' | \
 sed 's/runners_pre_clone_script/runner_worker_pre_clone_script/g' | \
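Review bot: The new stages `+sed 's/[^_]ami_filter/runner_ami_filter/g'` and `+sed 's/[^_]ami_owners/runner_ami_owners/g'` now produce exactly the names that the two unchanged stages immediately after them (`s/runner_ami_filter/runner_worker_docker_machine_ami_filter/g` and the `ami_owners` counterpart) rewrite again, so a user's agent `ami_filter`/`ami_owners` is silently migrated to the docker-machine worker variables instead of `runner_ami_filter`/`runner_ami_owners`. With the old `runner_manager_` prefix the later patterns did not match, so this collision is introduced by the rename. Swapping the order fixes it, because the worker names then have a `_` in front of `ami_filter` and no longer match the anchored pattern; using an `-E` capture with `\1` also stops `[^_]` from eating the character (indentation or `=`) before the name. The `+sed 's/runner_root_block_device/runner_root_block_device/g'` stage is now a no-op and can be dropped.
```shell
# … unchanged: earlier sed stages up to gitlab_runner_registration_config …
sed 's/runner_ami_filter/runner_worker_docker_machine_ami_filter/g' | \
sed 's/runner_ami_owners/runner_worker_docker_machine_ami_owners/g' | \
sed -E 's/(^|[^_])ami_filter/\1runner_ami_filter/g' | \
sed -E 's/(^|[^_])ami_owners/\1runner_ami_owners/g' | \
# … unchanged: instance_role_json and remaining sed stages …
```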
@@ -159,11 +159,11 @@ sed 's/runners_environment_vars/runner_worker_extra_environment_variables/g' | \
 sed 's/runners_docker_registry_mirror/runner_worker_docker_machine_docker_registry_mirror_url/g' | \
 sed 's/docker_machine_egress_rules/runner_worker_docker_machine_extra_egress_rules/g' | \
 sed 's/docker_machine_iam_policy_arns/runner_worker_docker_machine_extra_iam_policy_arns/g' | \
-sed 's/enable_cloudwatch_logging/runner_manager_cloudwatch_enable/g' | \
-sed 's/cloudwatch_logging_retention_in_days/runner_manager_cloudwatch_retention_days/g' | \
-sed 's/log_group_name/runner_manager_cloudwatch_log_group_name/g' | \
-sed 's/asg_max_instance_lifetime/runner_manager_max_instance_lifetime_seconds/g' | \
-sed 's/asg_delete_timeout/runner_manager_terraform_timeout_delete_asg/g' | \
+sed 's/enable_cloudwatch_logging/runner_cloudwatch_enable/g' | \
+sed 's/cloudwatch_logging_retention_in_days/runner_cloudwatch_retention_days/g' | \
+sed 's/log_group_name/runner_cloudwatch_log_group_name/g' | \
+sed 's/asg_max_instance_lifetime/runner_max_instance_lifetime_seconds/g' | \
+sed 's/asg_delete_timeout/runner_terraform_timeout_delete_asg/g' | \
 sed 's/enable_docker_machine_ssm_access/runner_worker_enable_ssm_access/g' | \
 sed 's/cache_bucket/runner_worker_cache_s3_bucket/g' | \
 sed 's/docker_machine_security_group_description//g' | \
@@ -177,20 +177,20 @@ sed 's/runners_docker_services/runner_worker_docker_services/g' | \ sed 's/runners_services_volumes_tmpfs/runner_worker_docker_services_volumes_tmpfs/g' | \ sed 's/runners_volumes_tmpfs/runner_worker_docker_volumes_tmpfs/g' | \ sed 's/runners_root_size/runner_worker_docker_machine_ec2_root_size/g' | \ -sed 's/enable_asg_recreation/runner_manager_enable_asg_recreation/g' | \ -sed 's/secure_parameter_store_runner_sentry_dsn/runner_manager_sentry_secure_parameter_store_name/g' | \ -sed 's/secure_parameter_store_runner_token_key/runner_manager_gitlab_token_secure_parameter_store/g' | \ -sed 's/allow_iam_service_linked_role_creation/runner_manager_allow_iam_service_linked_role_creation/g' | \ +sed 's/enable_asg_recreation/runner_enable_asg_recreation/g' | \ +sed 's/secure_parameter_store_runner_sentry_dsn/runner_sentry_secure_parameter_store_name/g' | \ +sed 's/secure_parameter_store_runner_token_key/runner_gitlab_token_secure_parameter_store/g' | \ +sed 's/allow_iam_service_linked_role_creation/runner_allow_iam_service_linked_role_creation/g' | \ sed 's/runners_add_dind_volumes/runner_worker_docker_add_dind_volumes/g' | \ -sed 's/runners_token/runner_manager_gitlab_token/g' | \ -sed 's/runners_name/runner_manager_gitlab_runner_name/g' | \ -sed 's/docker_machine_version/runner_manager_docker_machine_version/g' | \ -sed 's/docker_machine_download_url/runner_manager_docker_machine_download_url/g' | \ +sed 's/runners_token/runner_gitlab_token/g' | \ +sed 's/runners_name/runner_gitlab_runner_name/g' | \ +sed 's/docker_machine_version/runner_docker_machine_version/g' | \ +sed 's/docker_machine_download_url/runner_docker_machine_download_url/g' | \ sed 's/docker_machine_spot_price_bid/runner_worker_docker_machine_ec2_spot_price_bid/g' | \ sed 's/docker_machine_instance_type/runner_worker_docker_machine_instance_type/g' | \ sed 's/docker_machine_instance_metadata_options/runner_worker_docker_machine_ec2_metadata_options/g' | \ -sed 
's/runner_instance_spot_price/runner_manager_spot_price/g' | \ -sed 's/metrics_autoscaling/runner_manager_collect_autoscaling_metrics/g' | \ +sed 's/runner_instance_spot_price/runner_spot_price/g' | \ +sed 's/metrics_autoscaling/runner_collect_autoscaling_metrics/g' | \ sed 's/auth_type_cache_sr/runner_worker_cache_s3_authentication_type/g' \ > "$converted_file.tmp" && mv "$converted_file.tmp" "$converted_file" @@ -200,7 +200,7 @@ extracted_variables=$(grep -E '(name_sg|name_iam_objects|name_runner_agent_insta extracted_variables=$(echo "$extracted_variables" | \ sed 's/name_sg/security_group_prefix/g' | \ sed 's/name_iam_objects/iam_object_prefix/g' | \ - sed 's/name_runner_agent_instance/runner_manager_instance_prefix/g' | \ + sed 's/name_runner_agent_instance/runner_instance_prefix/g' | \ sed 's/name_docker_machine_runners/runner_worker_docker_machine_instance_prefix/g' ) diff --git a/security_groups.tf b/security_groups.tf index 9327d3e64..290025dec 100644 --- a/security_groups.tf +++ b/security_groups.tf @@ -6,10 +6,10 @@ resource "aws_security_group" "runner" { # checkov:skip=CKV2_AWS_5:False positive. Security group is used in a launch template network interface section. name_prefix = local.name_sg vpc_id = var.vpc_id - description = var.runner_manager_security_group_description + description = var.runner_security_group_description dynamic "egress" { - for_each = var.runner_manager_extra_egress_rules + for_each = var.runner_extra_egress_rules iterator = each content { 
@@ -43,19 +43,19 @@ resource "aws_security_group" "runner" { # Allow ICMP traffic from allowed security group IDs to gitlab-runner agent instances resource "aws_security_group_rule" "runner_ping_group" { - count = length(var.runner_manager_ping_allow_from_security_groups) > 0 && var.runner_manager_ping_enable ? length(var.runner_manager_ping_allow_from_security_groups) : 0 + count = length(var.runner_ping_allow_from_security_groups) > 0 && var.runner_ping_enable ? length(var.runner_ping_allow_from_security_groups) : 0 type = "ingress" from_port = -1 to_port = -1 protocol = "icmp" - source_security_group_id = element(var.runner_manager_ping_allow_from_security_groups, count.index) + source_security_group_id = element(var.runner_ping_allow_from_security_groups, count.index) security_group_id = aws_security_group.runner.id description = format( "Allow ICMP traffic from %s to gitlab-runner agent instances in group %s", - element(var.runner_manager_ping_allow_from_security_groups, count.index), + element(var.runner_ping_allow_from_security_groups, count.index), aws_security_group.runner.name ) } @@ -131,7 +131,7 @@ resource "aws_security_group_rule" "docker_machine_docker_runner" { # Combine runner security group id and additional security group IDs locals { # Only include runner security group id and additional if ping is enabled - security_groups_ping = var.runner_manager_ping_enable && length(var.runner_manager_ping_allow_from_security_groups) > 0 ? concat(var.runner_manager_ping_allow_from_security_groups, [aws_security_group.runner.id]) : [] + security_groups_ping = var.runner_ping_enable && length(var.runner_ping_allow_from_security_groups) > 0 ? concat(var.runner_ping_allow_from_security_groups, [aws_security_group.runner.id]) : [] } # Allow SSH traffic from gitlab-runner agent instances and security group IDs to docker-machine instances 
@@ -214,7 +214,7 @@ resource "aws_security_group_rule" "docker_machine_ssh_self" { # Allow ICMP traffic from docker-machine instances to docker-machine instances resource "aws_security_group_rule" "docker_machine_ping_self" { - count = (var.runner_worker_type == "docker+machine" && var.runner_manager_ping_enable) ? 1 : 0 + count = (var.runner_worker_type == "docker+machine" && var.runner_ping_enable) ? 1 : 0 type = "ingress" from_port = -1 diff --git a/tags.tf b/tags.tf index e00900559..08f535c7f 100644 --- a/tags.tf +++ b/tags.tf @@ -19,7 +19,7 @@ locals { "Environment" = format("%s", var.environment) }, var.tags, - var.runner_manager_extra_instance_tags + var.runner_extra_instance_tags ) agent_tags = { for k, v in local.agent_tags_merged : k => v if !contains(var.suppressed_tags, k) } diff --git a/variables.tf b/variables.tf index afff7f0e1..235b8804e 100644 --- a/variables.tf +++ b/variables.tf 
@@ -100,43 +100,43 @@ variable "runner_manager_prometheus_listen_address" { /* * Runner: The agent that runs the code on the host platform and displays in the UI. */ -variable "runner_manager_instance_prefix" { +variable "runner_instance_prefix" { description = "Set the name prefix and override the `Name` tag for the Agent instance." type = string default = "" } -variable "runner_manager_instance_type" { +variable "runner_instance_type" { description = "Agent instance type used." type = string default = "t3.micro" } -variable "runner_manager_extra_instance_tags" { +variable "runner_extra_instance_tags" { description = "Map of tags that will be added to Agent EC2 instance." type = map(string) default = {} } -variable "runner_manager_spot_price" { +variable "runner_spot_price" { description = "By setting a spot price bid price the runner agent will be created via a spot request. Be aware that spot instances can be stopped by AWS. Choose \"on-demand-price\" to pay up to the current on demand price for the instance type chosen." type = string default = null } -variable "runner_manager_ebs_optimized" { +variable "runner_ebs_optimized" { description = "Enable the Agent instance to be EBS-optimized." type = bool default = true } -variable "runner_manager_root_block_device" { +variable "runner_root_block_device" { description = "The Agent's root block device configuration. Takes the following keys: `device_name`, `delete_on_termination`, `volume_type`, `volume_size`, `encrypted`, `iops`, `throughput`, `kms_key_id`" type = map(string) default = {} } -variable "runner_manager_ami_filter" { +variable "runner_ami_filter" { description = "List of maps used to create the AMI filter for the Agent AMI. Must resolve to an Amazon Linux 1 or 2 image." type = map(list(string)) 
@@ -145,49 +145,49 @@ variable "runner_manager_ami_filter" { } } -variable "runner_manager_ami_owners" { +variable "runner_ami_owners" { description = "The list of owners used to select the AMI of the Agent instance." type = list(string) default = ["amazon"] } -variable "runner_manager_enable_monitoring" { +variable "runner_enable_monitoring" { description = "Enable the detailed monitoring on the Agent instance." type = bool default = true } -variable "runner_manager_collect_autoscaling_metrics" { +variable "runner_collect_autoscaling_metrics" { description = "A list of metrics to collect. The allowed values are GroupDesiredCapacity, GroupInServiceCapacity, GroupPendingCapacity, GroupMinSize, GroupMaxSize, GroupInServiceInstances, GroupPendingInstances, GroupStandbyInstances, GroupStandbyCapacity, GroupTerminatingCapacity, GroupTerminatingInstances, GroupTotalCapacity, GroupTotalInstances." type = list(string) default = null } -variable "runner_manager_ping_enable" { +variable "runner_ping_enable" { description = "Allow ICMP Ping to the Agent. Specify `agent_ping_allowed_from_security_groups` too!" type = bool default = false } -variable "runner_manager_ping_allow_from_security_groups" { +variable "runner_ping_allow_from_security_groups" { description = "A list of security group ids that are allowed to access the gitlab runner agent" type = list(string) default = [] } -variable "runner_manager_security_group_description" { +variable "runner_security_group_description" { description = "A description for the Agents security group" type = string default = "A security group containing gitlab-runner agent instances" } -variable "runner_manager_extra_security_group_ids" { +variable "runner_extra_security_group_ids" { description = "IDs of security groups to add to the Agent." type = list(string) default = [] } -variable "runner_manager_extra_egress_rules" { +variable "runner_extra_egress_rules" { description = "List of egress rules for the Agent." 
type = list(object({ cidr_blocks = list(string) 
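Review bot: The description of `runner_ping_enable` on the new side still tells users to "Specify `agent_ping_allowed_from_security_groups` too!", a name that does not exist in this file; the companion variable renamed in the same hunk is `runner_ping_allow_from_security_groups`, so the hint should read `Specify \`runner_ping_allow_from_security_groups\` too!`. The same stale `agent_` prefix survives in the `runner_schedule_config` description (`agent_schedule_enable`, hunk @@ -285) and in both `runner_cloudwatch_retention_days` and `runner_cloudwatch_log_group_name` (`agent_cloudwatch_enable`, hunk @@ -321); the `runners_use_private_address` reference in `runner_use_private_address` (hunk @@ -215) looks equally stale, but the worker-side variable it means is not visible in these hunks, so I cannot confirm the correct name. A rename commit is the natural place to fix these, since the generated README inherits the descriptions and will otherwise point operators at inputs that cannot be set.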
@@ -215,61 +215,61 @@ variable "runner_manager_extra_egress_rules" { ] } -variable "runner_manager_allow_iam_service_linked_role_creation" { +variable "runner_allow_iam_service_linked_role_creation" { description = "Boolean used to control attaching the policy to the Agent to create service linked roles." type = bool default = true } -variable "runner_manager_create_runner_iam_role_profile" { +variable "runner_create_runner_iam_role_profile" { description = "Whether to create the IAM role/profile for the Agent. If you provide your own role, make sure that it has the required permissions." type = bool default = true } -variable "runner_manager_iam_role_profile_name" { +variable "runner_iam_role_profile_name" { description = "IAM role/profile name for the Agent. If unspecified then `$${var.iam_object_prefix}-instance` is used." type = string default = "" } -variable "runner_manager_extra_role_tags" { +variable "runner_extra_role_tags" { description = "Map of tags that will be added to the role created. Useful for tag based authorization." type = map(string) default = {} } -variable "runner_manager_assume_role_json" { +variable "runner_assume_role_json" { description = "The assume role policy for the Agent." type = string default = "" } -variable "runner_manager_extra_iam_policy_arns" { +variable "runner_extra_iam_policy_arns" { description = "List of policy ARNs to be added to the instance profile of the Agent." type = list(string) default = [] } -variable "runner_manager_enable_eip" { +variable "runner_enable_eip" { description = "Assigns an EIP to the Agent." type = bool default = false } -variable "runner_manager_use_private_address" { +variable "runner_use_private_address" { description = "Restrict the Agent to the use of a private IP address. If this is set to `false` it will override the `runners_use_private_address` for the agent." 
type = bool default = true } -variable "runner_manager_enable_ssm_access" { +variable "runner_enable_ssm_access" { description = "Allows to connect to the Agent via SSM." type = bool default = false } -variable "runner_manager_metadata_options" { +variable "runner_metadata_options" { description = "Enable the Gitlab runner agent instance metadata service. IMDSv2 is enabled by default." type = object({ http_endpoint = string @@ -285,25 +285,25 @@ variable "runner_manager_metadata_options" { } } -variable "runner_manager_schedule_enable" { +variable "runner_schedule_enable" { description = "Set to `true` to enable the auto scaling group schedule for the Agent." type = bool default = false } -variable "runner_manager_max_instance_lifetime_seconds" { +variable "runner_max_instance_lifetime_seconds" { description = "The maximum time an Agent should live before it is killed." default = null type = number } -variable "runner_manager_enable_asg_recreation" { +variable "runner_enable_asg_recreation" { description = "Enable automatic redeployment of the Agent ASG when the Launch Configs change." default = true type = bool } -variable "runner_manager_schedule_config" { +variable "runner_schedule_config" { description = "Map containing the configuration of the ASG scale-out and scale-in for the Agent. Will only be used if `agent_schedule_enable` is set to `true`. " type = map(any) default = { 
@@ -321,84 +321,84 @@ variable "runner_manager_schedule_config" { } } -variable "runner_manager_install_amazon_ecr_credential_helper" { +variable "runner_install_amazon_ecr_credential_helper" { description = "Install amazon-ecr-credential-helper inside `userdata_pre_install` script" type = bool default = false } -variable "runner_manager_docker_machine_version" { +variable "runner_docker_machine_version" { description = "By default docker_machine_download_url is used to set the docker machine version. This version will be ignored once `docker_machine_download_url` is set. The version number is maintained by the CKI project. Check out at https://gitlab.com/cki-project/docker-machine/-/releases" type = string default = "0.16.2-gitlab.19-cki.2" } -variable "runner_manager_docker_machine_download_url" { +variable "runner_docker_machine_download_url" { description = "(Optional) By default the module will use `docker_machine_version` to download the CKI maintained version (https://gitlab.com/cki-project/docker-machine) of Docker Machine. Alternative you can set this property to download location of the distribution of for the OS. 
See also https://docs.gitlab.com/runner/executors/docker_machine.html#install" type = string default = "" } -variable "runner_manager_yum_update" { +variable "runner_yum_update" { description = "Run a `yum` update as part of starting the Agent" type = bool default = true } -variable "runner_manager_userdata_pre_install" { +variable "runner_userdata_pre_install" { description = "User-data script snippet to insert before GitLab Runner install" type = string default = "" } -variable "runner_manager_userdata_post_install" { +variable "runner_userdata_post_install" { description = "User-data script snippet to insert after GitLab Runner install" type = string default = "" } -variable "runner_manager_user_data_extra" { +variable "runner_user_data_extra" { description = "Extra commands to run as part of starting the Agent" type = string default = "" } -variable "runner_manager_user_data_enable_trace_log" { +variable "runner_user_data_enable_trace_log" { description = "Enable bash trace for the user data script on the Agent. Be aware this could log sensitive data such as you GitLab runner token." type = bool default = true } -variable "runner_manager_cloudwatch_enable" { +variable "runner_cloudwatch_enable" { description = "Boolean used to enable or disable the CloudWatch logging." type = bool default = true } -variable "runner_manager_cloudwatch_retention_days" { +variable "runner_cloudwatch_retention_days" { description = "Retention for cloudwatch logs. Defaults to unlimited. Requires `agent_cloudwatch_enable = true`." type = number default = 0 } -variable "runner_manager_cloudwatch_log_group_name" { +variable "runner_cloudwatch_log_group_name" { description = "Option to override the default name (`environment`) of the log group. Requires `agent_cloudwatch_enable = true`." default = null type = string } -variable "runner_manager_gitlab_runner_name" { +variable "runner_gitlab_runner_name" { description = "Name of the Gitlab Runner." 
type = string } -variable "runner_manager_gitlab_runner_version" { +variable "runner_gitlab_runner_version" { description = "Version of the [GitLab runner](https://gitlab.com/gitlab-org/gitlab-runner/-/releases)." type = string default = "15.8.2" } -variable "runner_manager_gitlab_registration_config" { +variable "runner_gitlab_registration_config" { description = "Configuration used to register the Agent. See the README for an example, or reference the examples in the examples directory of this repo." type = map(string) @@ -413,7 +413,7 @@ variable "runner_manager_gitlab_registration_config" { } } -variable "runner_manager_gitlab_token_secure_parameter_store" { +variable "runner_gitlab_token_secure_parameter_store" { description = "Name of the Secure Parameter Store entry to hold the GitLab Runner token." type = string default = "runner-token" 
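Review bot: `runner_user_data_enable_trace_log` keeps `default = true` in its new definition even though its own description warns that the bash trace could log sensitive data such as the GitLab runner token; with the default on, every deployment that leaves it unset presumably emits that trace into whatever captures user-data output (cloud-init and console logs). Since this major release already breaks the interface and ships a migration script, changing it to `default = false` and letting operators opt in while debugging would be cheap here and removes a secret-in-logs exposure that is on by default. The rename itself in this hunk is fine.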
@@ -431,36 +431,36 @@ variable "runner_manager_gitlab_certificate" { default = "" } -variable "runner_manager_gitlab_url" { +variable "runner_gitlab_url" { description = "URL of the GitLab instance to connect to." type = string } -variable "runner_manager_gitlab_clone_url" { +variable "runner_gitlab_clone_url" { description = "Overwrites the URL for the GitLab instance. Use only if the agent can’t connect to the GitLab URL." type = string default = "" } -variable "runner_manager_gitlab_token" { +variable "runner_gitlab_token" { description = "Token for the Agent to connect to GitLab" type = string default = "__REPLACED_BY_USER_DATA__" } -variable "runner_manager_sentry_secure_parameter_store_name" { +variable "runner_sentry_secure_parameter_store_name" { description = "The Sentry DSN name used to store the Sentry DSN in Secure Parameter Store" type = string default = "sentry-dsn" } -variable "runner_manager_terminate_ec2_lifecycle_hook_name" { +variable "runner_terminate_ec2_lifecycle_hook_name" { description = "Specifies a custom name for the ASG terminate lifecycle hook and related resources." type = string default = null } -variable "runner_manager_terraform_timeout_delete_asg" { +variable "runner_terraform_timeout_delete_asg" { description = "Timeout when trying to delete the Agent ASG." default = "10m" type = string From ea2401dc65829b51a05b0aa6d0858368e1e5e6d0 Mon Sep 17 00:00:00 2001 From: kayma Date: Thu, 20 Apr 2023 12:00:24 +0200 Subject: [PATCH 33/74] format code --- examples/runner-default/main.tf | 4 ++-- examples/runner-docker/main.tf | 6 +++--- examples/runner-multi-region/main.tf | 20 ++++++++++---------- examples/runner-public/main.tf | 8 ++++---- main.tf | 8 ++++---- 5 files changed, 23 insertions(+), 23 deletions(-) diff --git a/examples/runner-default/main.tf b/examples/runner-default/main.tf index 18c7f0963..f241eba54 100644 --- a/examples/runner-default/main.tf +++ b/examples/runner-default/main.tf 
@@ -52,8 +52,8 @@ module "runner" { environment = var.environment - vpc_id = module.vpc.vpc_id - subnet_id = element(module.vpc.private_subnets, 0) + vpc_id = module.vpc.vpc_id + subnet_id = element(module.vpc.private_subnets, 0) runner_collect_autoscaling_metrics = ["GroupDesiredCapacity", "GroupInServiceCapacity"] runner_gitlab_runner_name = var.runner_name diff --git a/examples/runner-docker/main.tf b/examples/runner-docker/main.tf index 2f34ea0a9..604499cd8 100644 --- a/examples/runner-docker/main.tf +++ b/examples/runner-docker/main.tf @@ -44,15 +44,15 @@ module "runner" { environment = var.environment runner_worker_docker_machine_use_private_address = false - runner_enable_eip = true + runner_enable_eip = true runner_worker_docker_machine_security_group_description = "Custom description for docker-machine" - runner_security_group_description = "Custom description for gitlab-runner" + runner_security_group_description = "Custom description for gitlab-runner" vpc_id = module.vpc.vpc_id subnet_id = element(module.vpc.public_subnets, 0) - runner_worker_type = "docker" + runner_worker_type = "docker" runner_gitlab_runner_name = var.runner_name runner_gitlab_url = var.gitlab_url diff --git a/examples/runner-multi-region/main.tf b/examples/runner-multi-region/main.tf index 245a76815..414330519 100644 --- a/examples/runner-multi-region/main.tf +++ b/examples/runner-multi-region/main.tf @@ -33,8 +33,8 @@ module "runner_main_region" { runner_worker_docker_machine_ec2_spot_price_bid = "on-demand-price" - runner_gitlab_runner_name = var.runner_name - runner_gitlab_url = var.gitlab_url + runner_gitlab_runner_name = var.runner_name + runner_gitlab_url = var.gitlab_url runner_worker_extra_environment_variables = ["KEY=Value", "FOO=bar"] runner_worker_docker_options = { 
@@ -51,10 +51,10 @@ module "runner_main_region" { maximum_timeout = "3600" } - security_group_prefix = "my-security-group" - runner_instance_prefix = "my-runner-agent" + security_group_prefix = "my-security-group" + runner_instance_prefix = "my-runner-agent" runner_worker_docker_machine_instance_prefix = "my-runners-dm" - iam_object_prefix = local.name_iam_objects_main_region + iam_object_prefix = local.name_iam_objects_main_region runner_worker_cache_shared = "true" @@ -102,8 +102,8 @@ module "runner_alternate_region" { runner_worker_docker_machine_ec2_spot_price_bid = "on-demand-price" - runner_gitlab_runner_name = var.runner_name - runner_gitlab_url = var.gitlab_url + runner_gitlab_runner_name = var.runner_name + runner_gitlab_url = var.gitlab_url runner_worker_extra_environment_variables = ["KEY=Value", "FOO=bar"] runner_worker_docker_options = { @@ -121,10 +121,10 @@ module "runner_alternate_region" { access_level = "ref_protected" } - security_group_prefix = "my-security-group" - runner_instance_prefix = "my-runner-agent" + security_group_prefix = "my-security-group" + runner_instance_prefix = "my-runner-agent" runner_worker_docker_machine_instance_prefix = "my-runners-dm" - iam_object_prefix = local.name_iam_objects_main_region # <-- + iam_object_prefix = local.name_iam_objects_main_region # <-- runner_worker_cache_shared = "true" diff --git a/examples/runner-public/main.tf b/examples/runner-public/main.tf index 38722f37a..495ba541d 100644 --- a/examples/runner-public/main.tf +++ b/examples/runner-public/main.tf @@ -38,8 +38,8 @@ module "runner" { runner_worker_docker_machine_ec2_spot_price_bid = "on-demand-price" - runner_gitlab_runner_name = var.runner_name - runner_gitlab_url = var.gitlab_url + runner_gitlab_runner_name = var.runner_name + runner_gitlab_url = var.gitlab_url runner_worker_extra_environment_variables = ["KEY=Value", "FOO=bar"] runner_worker_docker_options = { 
@@ -57,8 +57,8 @@ module "runner" { access_level = "ref_protected" } - security_group_prefix = "my-security-group" - runner_instance_prefix = "my-runner-agent" + security_group_prefix = "my-security-group" + runner_instance_prefix = "my-runner-agent" runner_worker_docker_machine_instance_prefix = "my-runners-dm" runner_worker_cache_shared = "true" diff --git a/main.tf b/main.tf index c39dec54e..7e7694c63 100644 --- a/main.tf +++ b/main.tf @@ -82,10 +82,10 @@ locals { template_runner_config = templatefile("${path.module}/template/runner-config.tftpl", { - aws_region = data.aws_region.current.name - gitlab_url = var.runner_gitlab_url - gitlab_clone_url = var.runner_gitlab_clone_url - tls_ca_file = length(var.runner_gitlab_certificate) > 0 ? "tls-ca-file=\"/etc/gitlab-runner/certs/gitlab.crt\"" : "" + aws_region = data.aws_region.current.name + gitlab_url = var.runner_gitlab_url + gitlab_clone_url = var.runner_gitlab_clone_url + tls_ca_file = length(var.runner_gitlab_certificate) > 0 ? "tls-ca-file=\"/etc/gitlab-runner/certs/gitlab.crt\"" : "" runners_machine_autoscaling = [for config in var.runner_worker_docker_machine_autoscaling_options : { for key, value in config : # Convert key from snake_case to PascalCase which is the casing for this section. From 71b4f9f5954e41778ef6dd45fa7025ae82cc787d Mon Sep 17 00:00:00 2001 From: kayma Date: Thu, 20 Apr 2023 12:03:04 +0200 Subject: [PATCH 34/74] fix syntax error --- examples/runner-certificates/main.tf | 4 ++-- variables.tf | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/examples/runner-certificates/main.tf b/examples/runner-certificates/main.tf index df096c041..ffc72a952 100644 --- a/examples/runner-certificates/main.tf +++ b/examples/runner-certificates/main.tf 
@@ -40,10 +40,10 @@ module "runner" { ############################################### # Public cert of my companys gitlab instance - agent_gitlab_certificate = file("${path.module}/my_gitlab_instance_cert.crt") + runner_gitlab_certificate = file("${path.module}/my_gitlab_instance_cert.crt") # Other public certs relating to my company. - agent_gitlab_ca_certificate = file("${path.module}/my_company_ca_cert_bundle.crt") + runner_gitlab_ca_certificate = file("${path.module}/my_company_ca_cert_bundle.crt") # Mount EC2 host certs in docker so all user docker images can reference them. # Each user image will need to do: diff --git a/variables.tf b/variables.tf index 235b8804e..f9b38687b 100644 --- a/variables.tf +++ b/variables.tf @@ -419,13 +419,13 @@ variable "runner_gitlab_token_secure_parameter_store" { default = "runner-token" } -variable "runner_manager_gitlab_ca_certificate" { +variable "runner_gitlab_ca_certificate" { description = "Trusted CA certificate bundle (PEM format). Example: `file(\"$${path.module}/ca.crt\")`" type = string default = "" } -variable "runner_manager_gitlab_certificate" { +variable "runner_gitlab_certificate" { description = "Certificate of the GitLab instance to connect to (PEM format). Example: `file(\"$${path.module}/my-gitlab.crt\")`" type = string default = "" From 8887fb0d90d52cc9b6011c5f5469c8faac64e8af Mon Sep 17 00:00:00 2001 From: kayma Date: Thu, 20 Apr 2023 12:05:12 +0200 Subject: [PATCH 35/74] fix syntax error --- locals.tf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/locals.tf b/locals.tf index 7d27b66d8..a1b6a77c4 100644 --- a/locals.tf +++ b/locals.tf @@ -5,7 +5,7 @@ locals { ? <<-EOT mkdir -p /etc/gitlab-runner/certs/ cat <<- EOF > /etc/gitlab-runner/certs/gitlab.crt - ${var.runner_manager_gitlab_certificate} + ${var.runner_gitlab_certificate} EOF EOT : "" 
@@ -15,7 +15,7 @@ locals { ? <<-EOT mkdir -p /etc/gitlab-runner/certs/ cat <<- EOF > /etc/gitlab-runner/certs/ca.crt - ${var.runner_manager_gitlab_ca_certificate} + ${var.runner_gitlab_ca_certificate} EOF EOT : "" @@ -28,7 +28,7 @@ locals { EOT pre_install_certificates = ( # If either (or both) _certificate variables are specified - length(var.runner_manager_gitlab_certificate) + length(var.runner_manager_gitlab_ca_certificate) > 0 + length(var.runner_gitlab_certificate) + length(var.runner_gitlab_ca_certificate) > 0 ? join("\n", [ local.pre_install_gitlab_certificate, local.pre_install_ca_certificate, From 5f507a174e668f86c5f9fe1917f113c57d7dc010 Mon Sep 17 00:00:00 2001 From: kayma Date: Thu, 20 Apr 2023 12:12:28 +0200 Subject: [PATCH 36/74] fix wrong variable name in conversion --- migrations/migrate-to-7-0-0.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/migrations/migrate-to-7-0-0.sh b/migrations/migrate-to-7-0-0.sh index 7b1180991..f8703f6c1 100755 --- a/migrations/migrate-to-7-0-0.sh +++ b/migrations/migrate-to-7-0-0.sh @@ -73,10 +73,10 @@ extracted_variables=$(echo "$extracted_variables" | \ # add new block runners_docker_options at the end echo "$(head -n -1 "$converted_file") -runners_docker_options { +runner_worker_docker_options = { $extracted_variables } -}" > x +" > x mv x "$converted_file" From b2e3f4cb0179a48e2a31c41a34878e335cff3d21 Mon Sep 17 00:00:00 2001 From: kayma Date: Thu, 20 Apr 2023 16:16:36 +0200 Subject: [PATCH 37/74] runner_role and runner_instance --- locals.tf | 4 +- logging.tf | 4 +- main.tf | 48 +++++++-------- migrations/migrate-to-7-0-0.sh | 56 +++++++++++++++++ tags.tf | 2 +- variables.tf | 106 ++++++++++++--------------------- 6 files changed, 123 insertions(+), 97 deletions(-) diff --git a/locals.tf b/locals.tf index a1b6a77c4..eb9cc1913 100644 --- a/locals.tf +++ b/locals.tf 
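Review bot: In the migration script hunk (@@ -73) the `}` that previously followed the appended `runner_worker_docker_options` block is dropped from the new `echo`, while `head -n -1` still strips the last line of `$converted_file`; if that stripped line is the module's closing brace, the output now opens a map and closes only one brace, leaving the module block unterminated and the converted file unparsable. If the removed brace was genuinely surplus before, a comment beside `head -n -1` saying what the stripped line is expected to be, e.g. `# the last line of the converted file must be the module's closing brace; it is re-added below`, would make this verifiable. The hunk shows only this echo, so I cannot confirm which case applies.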
@@ -39,7 +39,7 @@ locals { # Determine IAM role for runner instance aws_iam_role_instance_name = coalesce( - var.runner_iam_role_profile_name, + var.runner_role.role_profile_name, "${local.name_iam_objects}-instance" ) aws_iam_role_instance_arn = "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:role/${local.aws_iam_role_instance_name}" @@ -69,7 +69,7 @@ locals { secure_parameter_store_runner_sentry_dsn = "${var.environment}-${var.runner_sentry_secure_parameter_store_name}" # Custom names for runner agent instance, security groups, and IAM objects - name_runner_agent_instance = var.runner_instance_prefix == "" ? local.tags["Name"] : var.runner_instance_prefix + name_runner_agent_instance = var.runner_instance.name_prefix == "" ? local.tags["Name"] : var.runner_instance.name_prefix name_sg = var.security_group_prefix == "" ? local.tags["Name"] : var.security_group_prefix name_iam_objects = var.iam_object_prefix == "" ? local.tags["Name"] : var.iam_object_prefix diff --git a/logging.tf b/logging.tf index 4ec5a4f0f..a6edaf082 100644 --- a/logging.tf +++ b/logging.tf @@ -1,7 +1,7 @@ resource "aws_iam_role_policy" "instance" { - count = var.runner_cloudwatch_enable && var.runner_create_runner_iam_role_profile ? 1 : 0 + count = var.runner_cloudwatch_enable && var.runner_role.create_role_profile ? 1 : 0 name = "${local.name_iam_objects}-logging" - role = var.runner_create_runner_iam_role_profile ? aws_iam_role.instance[0].name : local.aws_iam_role_instance_name + role = var.runner_role.create_role_profile ? aws_iam_role.instance[0].name : local.aws_iam_role_instance_name policy = templatefile("${path.module}/policies/instance-logging-policy.json", { partition = data.aws_partition.current.partition }) } diff --git a/main.tf b/main.tf index 7e7694c63..ac5ce7dab 100644 --- a/main.tf +++ b/main.tf 
@@ -246,20 +246,20 @@ resource "aws_launch_template" "gitlab_runner_instance" { image_id = data.aws_ami.runner.id user_data = base64gzip(local.template_user_data) - instance_type = var.runner_instance_type + instance_type = var.runner_instance.type update_default_version = true ebs_optimized = var.runner_ebs_optimized monitoring { enabled = var.runner_enable_monitoring } dynamic "instance_market_options" { - for_each = var.runner_spot_price == null || var.runner_spot_price == "" ? [] : ["spot"] + for_each = var.runner_instance.spot_price == null || var.runner_instance.spot_price == "" ? [] : ["spot"] content { market_type = instance_market_options.value dynamic "spot_options" { - for_each = var.runner_spot_price == "on-demand-price" ? [] : [0] + for_each = var.runner_instance.spot_price == "on-demand-price" ? [] : [0] content { - max_price = var.runner_spot_price + max_price = var.runner_instance.spot_price } } } @@ -268,7 +268,7 @@ resource "aws_launch_template" "gitlab_runner_instance" { name = local.aws_iam_role_instance_name } dynamic "block_device_mappings" { - for_each = [var.runner_root_block_device] + for_each = [var.runner_instance.root_device_config] content { # cSpell:ignore xvda device_name = lookup(block_device_mappings.value, "device_name", "/dev/xvda") @@ -296,7 +296,7 @@ resource "aws_launch_template" "gitlab_runner_instance" { tags = local.tags } dynamic "tag_specifications" { - for_each = var.runner_spot_price == null || var.runner_spot_price == "" ? [] : ["spot"] + for_each = var.runner_instance.spot_price == null || var.runner_instance.spot_price == "" ? [] : ["spot"] content { resource_type = "spot-instances-request" tags = local.tags 
@@ -353,7 +353,7 @@ module "cache" { ### Trust policy ################################################################################ resource "aws_iam_instance_profile" "instance" { - count = var.runner_create_runner_iam_role_profile ? 1 : 0 + count = var.runner_role.create_role_profile ? 1 : 0 name = local.aws_iam_role_instance_name role = local.aws_iam_role_instance_name @@ -362,13 +362,13 @@ resource "aws_iam_instance_profile" "instance" { } resource "aws_iam_role" "instance" { - count = var.runner_create_runner_iam_role_profile ? 1 : 0 + count = var.runner_role.create_role_profile ? 1 : 0 name = local.aws_iam_role_instance_name - assume_role_policy = length(var.runner_assume_role_json) > 0 ? var.runner_assume_role_json : templatefile("${path.module}/policies/instance-role-trust-policy.json", {}) + assume_role_policy = length(var.runner_role.assume_role_policy_json) > 0 ? var.var.runner_role.assume_role_policy_json : templatefile("${path.module}/policies/instance-role-trust-policy.json", {}) permissions_boundary = var.iam_permissions_boundary == "" ? null : "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:policy/${var.iam_permissions_boundary}" - tags = merge(local.tags, var.runner_extra_role_tags) + tags = merge(local.tags, var.runner_role.additional_tags) } ################################################################################ @@ -392,7 +392,7 @@ resource "aws_iam_policy" "instance_kms_policy" { resource "aws_iam_role_policy_attachment" "instance_kms_policy" { count = var.enable_managed_kms_key ? 1 : 0 - role = var.runner_create_runner_iam_role_profile ? aws_iam_role.instance[0].name : local.aws_iam_role_instance_name + role = var.runner_role.create_role_profile ? aws_iam_role.instance[0].name : local.aws_iam_role_instance_name policy_arn = aws_iam_policy.instance_kms_policy[0].arn } 
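Review bot: `var.var.runner_role.assume_role_policy_json` in the new `assume_role_policy` line of `aws_iam_role.instance` (hunk @@ -362) is a typo — there is no `var.var` namespace, so Terraform should reject the configuration at validate time, not only when a custom trust policy is supplied. The line should read `assume_role_policy = length(var.runner_role.assume_role_policy_json) > 0 ? var.runner_role.assume_role_policy_json : templatefile("${path.module}/policies/instance-role-trust-policy.json", {})`. Because this attribute is the instance role's trust policy, a `validation` block on `runner_role` that checks the supplied JSON parses (for example with `can(jsondecode(...))`) would also catch a malformed document before it reaches IAM.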
@@ -403,7 +403,7 @@ resource "aws_iam_role_policy_attachment" "instance_kms_policy" { ### iam:PassRole To pass the role from the agent to the docker machine runners ################################################################################ resource "aws_iam_policy" "instance_docker_machine_policy" { - count = var.runner_worker_type == "docker+machine" && var.runner_create_runner_iam_role_profile ? 1 : 0 + count = var.runner_worker_type == "docker+machine" && var.runner_role.create_role_profile ? 1 : 0 name = "${local.name_iam_objects}-docker-machine" path = "/" @@ -417,7 +417,7 @@ resource "aws_iam_policy" "instance_docker_machine_policy" { } resource "aws_iam_role_policy_attachment" "instance_docker_machine_policy" { - count = var.runner_worker_type == "docker+machine" && var.runner_create_runner_iam_role_profile ? 1 : 0 + count = var.runner_worker_type == "docker+machine" && var.runner_role.create_role_profile ? 1 : 0 role = aws_iam_role.instance[0].name policy_arn = aws_iam_policy.instance_docker_machine_policy[0].arn 
@@ -440,14 +440,14 @@ resource "aws_iam_policy" "instance_session_manager_policy" { resource "aws_iam_role_policy_attachment" "instance_session_manager_policy" { count = var.runner_enable_ssm_access ? 1 : 0 - role = var.runner_create_runner_iam_role_profile ? aws_iam_role.instance[0].name : local.aws_iam_role_instance_name + role = var.runner_role.create_role_profile ? aws_iam_role.instance[0].name : local.aws_iam_role_instance_name policy_arn = aws_iam_policy.instance_session_manager_policy[0].arn } resource "aws_iam_role_policy_attachment" "instance_session_manager_aws_managed" { count = var.runner_enable_ssm_access ? 1 : 0 - role = var.runner_create_runner_iam_role_profile ? aws_iam_role.instance[0].name : local.aws_iam_role_instance_name + role = var.runner_role.create_role_profile ? aws_iam_role.instance[0].name : local.aws_iam_role_instance_name policy_arn = "arn:${data.aws_partition.current.partition}:iam::aws:policy/AmazonSSMManagedInstanceCore" } @@ -455,10 +455,10 @@ resource "aws_iam_role_policy_attachment" "instance_session_manager_aws_managed" ### Add user defined policies ################################################################################ resource "aws_iam_role_policy_attachment" "user_defined_policies" { - count = length(var.runner_extra_iam_policy_arns) + count = length(var.runner_role.policy_arns) - role = var.runner_create_runner_iam_role_profile ? aws_iam_role.instance[0].name : local.aws_iam_role_instance_name - policy_arn = var.runner_extra_iam_policy_arns[count.index] + role = var.runner_role.create_role_profile ? aws_iam_role.instance[0].name : local.aws_iam_role_instance_name + policy_arn = var.runner_role.policy_arns[count.index] } ################################################################################ 
@@ -470,7 +470,7 @@ resource "aws_iam_role_policy_attachment" "docker_machine_cache_instance" { use aws_iam_role.docker_machine.name here! See https://docs.gitlab.com/runner/configuration/advanced-configuration.html */ count = var.runner_worker_type == "docker+machine" ? (var.runner_worker_cache_s3_bucket["create"] || lookup(var.runner_worker_cache_s3_bucket, "policy", "") != "" ? 1 : 0) : 0 - role = var.runner_create_runner_iam_role_profile ? aws_iam_role.instance[0].name : local.aws_iam_role_instance_name + role = var.runner_role.create_role_profile ? aws_iam_role.instance[0].name : local.aws_iam_role_instance_name policy_arn = local.bucket_policy } @@ -519,7 +519,7 @@ resource "aws_iam_role_policy_attachment" "docker_machine_session_manager_aws_ma ### Service linked policy, optional ################################################################################ resource "aws_iam_policy" "service_linked_role" { - count = var.runner_allow_iam_service_linked_role_creation ? 1 : 0 + count = var.runner_role.allow_iam_service_linked_role_creation ? 1 : 0 name = "${local.name_iam_objects}-service_linked_role" path = "/" @@ -530,9 +530,9 @@ resource "aws_iam_policy" "service_linked_role" { } resource "aws_iam_role_policy_attachment" "service_linked_role" { - count = var.runner_allow_iam_service_linked_role_creation ? 1 : 0 + count = var.runner_role.allow_iam_service_linked_role_creation ? 1 : 0 - role = var.runner_create_runner_iam_role_profile ? aws_iam_role.instance[0].name : local.aws_iam_role_instance_name + role = var.runner_role.create_role_profile ? aws_iam_role.instance[0].name : local.aws_iam_role_instance_name policy_arn = aws_iam_policy.service_linked_role[0].arn } 
@@ -556,7 +556,7 @@ resource "aws_iam_policy" "ssm" { } resource "aws_iam_role_policy_attachment" "ssm" { - role = var.runner_create_runner_iam_role_profile ? aws_iam_role.instance[0].name : local.aws_iam_role_instance_name + role = var.runner_role.create_role_profile ? aws_iam_role.instance[0].name : local.aws_iam_role_instance_name policy_arn = aws_iam_policy.ssm.arn } @@ -577,7 +577,7 @@ resource "aws_iam_policy" "eip" { resource "aws_iam_role_policy_attachment" "eip" { count = var.runner_enable_eip ? 1 : 0 - role = var.runner_create_runner_iam_role_profile ? aws_iam_role.instance[0].name : local.aws_iam_role_instance_name + role = var.runner_role.create_role_profile ? aws_iam_role.instance[0].name : local.aws_iam_role_instance_name policy_arn = aws_iam_policy.eip[0].arn } diff --git a/migrations/migrate-to-7-0-0.sh b/migrations/migrate-to-7-0-0.sh index f8703f6c1..693e444cc 100755 --- a/migrations/migrate-to-7-0-0.sh +++ b/migrations/migrate-to-7-0-0.sh 
@@ -215,4 +215,60 @@ echo "$(head -n -1 "$converted_file") $extracted_variables }" > "$converted_file.tmp" && mv "$converted_file.tmp" "$converted_file" + +# +# PR #810 refactor!: group variables for better overview +# +extracted_variables=$(grep -E '(runner_root_block_device|runner_ebs_optimized|runner_spot_price|runner_instance_prefix|runner_instance_type|runner_extra_instance_tags)' "$converted_file") + +sed -i '/runner_root_block_device/d' "$converted_file" +sed -i '/runner_ebs_optimized/d' "$converted_file" +sed -i '/runner_spot_price/d' "$converted_file" +sed -i '/runner_instance_prefix/d' "$converted_file" +sed -i '/runner_instance_type/d' "$converted_file" +sed -i '/runner_extra_instance_tags/d' "$converted_file" + +# rename the variables +extracted_variables=$(echo "$extracted_variables" | \ + sed 's/runner_root_block_device/root_device_config/g' | \ + sed 's/runner_ebs_optimized/ebs_optimized/g' | \ + sed 's/runner_spot_price/spot_price/g' | \ + sed 's/runner_instance_prefix/name_prefix/g' | \ + sed 's/runner_instance_type/type/g' | \ + sed 's/runner_extra_instance_tags/additional_tags/g' + ) + +# add new block runners_docker_options at the end +echo "$(head -n -1 "$converted_file") +runner_instance = { + $extracted_variables +} +" > x && mv x "$converted_file" + +extracted_variables=$(grep -E '(runner_allow_iam_service_linked_role_creation|runner_create_runner_iam_role_profile|runner_iam_role_profile_name|runner_extra_role_tags|runner_assume_role_json)|runner_extra_iam_policy_arns' "$converted_file") + +sed -i '/runner_allow_iam_service_linked_role_creation/d' "$converted_file" +sed -i '/runner_create_runner_iam_role_profile/d' "$converted_file" +sed -i '/runner_iam_role_profile_name/d' "$converted_file" +sed -i '/runner_extra_role_tags/d' "$converted_file" +sed -i '/runner_assume_role_json/d' "$converted_file" +sed -i '/runner_extra_iam_policy_arns/d' "$converted_file" + +# rename the variables +extracted_variables=$(echo "$extracted_variables" | \ + 
sed 's/runner_allow_iam_service_linked_role_creation/allow_iam_service_linked_role_creation/g' | \ + sed 's/runner_create_runner_iam_role_profile/create_role_profile/g' | \ + sed 's/runner_iam_role_profile_name/role_profile_name/g' | \ + sed 's/runner_extra_role_tags/additional_tags/g' | \ + sed 's/runner_assume_role_json/assume_role_policy_json/g' | \ + sed 's/runner_extra_iam_policy_arns/policy_arns/g' + ) + +# add new block runners_docker_options at the end +echo "$(head -n -1 "$converted_file") +runner_role = { + $extracted_variables +} +" > x && mv x "$converted_file" + echo "Module call converted. Output: $converted_file" diff --git a/tags.tf b/tags.tf index 08f535c7f..9a0827a61 100644 --- a/tags.tf +++ b/tags.tf @@ -19,7 +19,7 @@ locals { "Environment" = format("%s", var.environment) }, var.tags, - var.runner_extra_instance_tags + var.runner_instance.additional_tags ) agent_tags = { for k, v in local.agent_tags_merged : k => v if !contains(var.suppressed_tags, k) } diff --git a/variables.tf b/variables.tf index f9b38687b..f8ed0d205 100644 --- a/variables.tf +++ b/variables.tf 
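Review bot: Both new blocks are written through a fixed temp file named `x` in the caller's working directory (`" > x && mv x "$converted_file"`), while the preceding block of this script uses `"$converted_file.tmp"`; an existing file called `x` is silently overwritten, so use `> "$converted_file.tmp" && mv "$converted_file.tmp" "$converted_file"` here as well. The comment `# add new block runners_docker_options at the end` above each of the two `echo` calls is copied from the earlier block and names the wrong block; it should read `# add new block runner_instance at the end` and `# add new block runner_role at the end`. The same temp file and stale comment recur in the runner_manager and runner_install additions of the later commits. Note also that `grep` and `sed -i '/name/d'` handle exactly one line per variable, so a value written across several lines (a `runner_root_block_device = {` map or a `runner_extra_iam_policy_arns = [` list) loses everything after its first line while the remaining lines stay orphaned in the file; a comment at the top of the script stating that only single-line assignments are migrated would save users a surprise.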
@@ -100,40 +100,26 @@ variable "runner_manager_prometheus_listen_address" { /* * Runner: The agent that runs the code on the host platform and displays in the UI. */ -variable "runner_instance_prefix" { - description = "Set the name prefix and override the `Name` tag for the Agent instance." - type = string - default = "" -} - -variable "runner_instance_type" { - description = "Agent instance type used." - type = string - default = "t3.micro" -} - -variable "runner_extra_instance_tags" { - description = "Map of tags that will be added to Agent EC2 instance." - type = map(string) - default = {} -} - -variable "runner_spot_price" { - description = "By setting a spot price bid price the runner agent will be created via a spot request. Be aware that spot instances can be stopped by AWS. Choose \"on-demand-price\" to pay up to the current on demand price for the instance type chosen." - type = string - default = null -} - -variable "runner_ebs_optimized" { - description = "Enable the Agent instance to be EBS-optimized." - type = bool - default = true -} - -variable "runner_root_block_device" { - description = "The Agent's root block device configuration. Takes the following keys: `device_name`, `delete_on_termination`, `volume_type`, `volume_size`, `encrypted`, `iops`, `throughput`, `kms_key_id`" - type = map(string) - default = {} +variable "runner_instance" { + description = <<-EOT + additional_tags = Map of tags that will be added to the Agent instance. + ebs_optimized = Enable EBS optimization for the Agent instance. + name_prefix = Set the name prefix and override the `Name` tag for the Agent instance. + root_device_config = The Agent's root block device configuration. Takes the following keys: `device_name`, `delete_on_termination`, `volume_type`, `volume_size`, `encrypted`, `iops`, `throughput`, `kms_key_id` + spot_price = By setting a spot price bid price the runner agent will be created via a spot request. Be aware that spot instances can be stopped by AWS. 
Choose \"on-demand-price\" to pay up to the current on demand price for the instance type chosen. + type = EC2 instance type used. + EOT + type = object({ + additional_tags = optional(map(string)) + ebs_optimized = optional(bool, true) + name_prefix = optional(string) + root_device_config = optional(map(string)) + spot_price = optional(string, null) + type = string + }) + default = { + type = "t3.micro" + } } variable "runner_ami_filter" { 
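Review bot: Several attributes of the new `runner_instance` object are declared `optional(...)` without a default (`additional_tags`, `name_prefix`, `root_device_config`), so an omitted attribute is `null` where the replaced variables defaulted to `{}` or `""`; any consumer that applies `length()`, `lookup()` or a `for` expression to these values will now error when the caller leaves them out, and a `null` `name_prefix` no longer satisfies a `!= ""` test. Unless every consumer has been updated for `null` (main.tf is not part of this view), keeping the old contract with `additional_tags = optional(map(string), {})`, `name_prefix = optional(string, "")` and `root_device_config = optional(map(string), {})` is the safer choice. The same applies to `additional_tags` and `role_profile_name` in the `runner_role` hunk that follows, where the description still promises a fallback name "if unspecified" but the consumer now receives `null` rather than `""`. Minor: inside a `<<-EOT` heredoc the quoted-string escapes are not interpreted, so `\"on-demand-price\"` now appears literally in the description; plain `"on-demand-price"` is what is wanted there.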
@@ -215,40 +201,24 @@ variable "runner_extra_egress_rules" { ] } -variable "runner_allow_iam_service_linked_role_creation" { - description = "Boolean used to control attaching the policy to the Agent to create service linked roles." - type = bool - default = true -} - -variable "runner_create_runner_iam_role_profile" { - description = "Whether to create the IAM role/profile for the Agent. If you provide your own role, make sure that it has the required permissions." - type = bool - default = true -} - -variable "runner_iam_role_profile_name" { - description = "IAM role/profile name for the Agent. If unspecified then `$${var.iam_object_prefix}-instance` is used." - type = string - default = "" -} - -variable "runner_extra_role_tags" { - description = "Map of tags that will be added to the role created. Useful for tag based authorization." - type = map(string) - default = {} -} - -variable "runner_assume_role_json" { - description = "The assume role policy for the Agent." - type = string - default = "" -} - -variable "runner_extra_iam_policy_arns" { - description = "List of policy ARNs to be added to the instance profile of the Agent." - type = list(string) - default = [] +variable "runner_role" { + description = <<-EOT + additional_tags = Map of tags that will be added to the role created. Useful for tag based authorization. + allow_iam_service_linked_role_creation = Boolean used to control attaching the policy to the Agent to create service linked roles. + assume_role_policy_json = The assume role policy for the Agent. + create_role_profile = Whether to create the IAM role/profile for the Agent. If you provide your own role, make sure that it has the required permissions. + policy_arns = List of policy ARNs to be added to the instance profile of the Agent. + role_profile_name = IAM role/profile name for the Agent. If unspecified then `$${var.iam_object_prefix}-instance` is used. 
+ EOT + type = object({ + additional_tags = optional(map(string)) + allow_iam_service_linked_role_creation = optional(bool, true) + assume_role_policy_json = optional(string, "") + create_role_profile = optional(bool, true) + policy_arns = optional(list(string), []) + role_profile_name = optional(string) + }) + default = {} } variable "runner_enable_eip" { From 8f62a0fcdfc242eabf86789fc38e630c6bc922a6 Mon Sep 17 00:00:00 2001 From: kayma Date: Fri, 21 Apr 2023 20:15:06 +0200 Subject: [PATCH 38/74] introduce runner_manager --- main.tf | 10 +++++----- migrations/migrate-to-7-0-0.sh | 22 +++++++++++++++++++++ variables.tf | 36 +++++++++++++--------------------- 3 files changed, 41 insertions(+), 27 deletions(-) diff --git a/main.tf b/main.tf index ac5ce7dab..035cb9f50 100644 --- a/main.tf +++ b/main.tf @@ -77,7 +77,7 @@ locals { gitlab_runner_run_untagged = var.runner_gitlab_registration_config["run_untagged"] gitlab_runner_maximum_timeout = var.runner_gitlab_registration_config["maximum_timeout"] gitlab_runner_access_level = lookup(var.runner_gitlab_registration_config, "access_level", "not_protected") - sentry_dsn = var.runner_manager_sentry_dsn + sentry_dsn = var.runner_manager.sentry_dsn }) template_runner_config = templatefile("${path.module}/template/runner-config.tftpl", @@ -110,7 +110,7 @@ locals { runners_userdata = var.runner_worker_docker_machine_userdata runners_executor = var.runner_worker_type runners_limit = var.runner_worker_max_jobs - runners_concurrent = var.runner_manager_maximum_concurrent_jobs + runners_concurrent = var.runner_manager.maximum_concurrent_jobs runners_pull_policies = local.runners_pull_policies runners_idle_count = var.runner_worker_idle_count runners_idle_time = var.runner_worker_idle_time 
@@ -127,15 +127,15 @@ locals { runners_pre_clone_script = var.runner_worker_pre_clone_script runners_request_concurrency = var.runner_worker_request_concurrency runners_output_limit = var.runner_worker_output_limit - runners_check_interval = var.runner_manager_gitlab_check_interval + runners_check_interval = var.runner_manager.gitlab_check_interval runners_volumes_tmpfs = join("\n", [for v in var.runner_worker_docker_volumes_tmpfs : format("\"%s\" = \"%s\"", v.volume, v.options)]) runners_services_volumes_tmpfs = join("\n", [for v in var.runner_worker_docker_services_volumes_tmpfs : format("\"%s\" = \"%s\"", v.volume, v.options)]) runners_docker_services = local.runners_docker_services runners_docker_options = local.runners_docker_options_toml bucket_name = local.bucket_name shared_cache = var.runner_worker_cache_shared - sentry_dsn = var.runner_manager_sentry_dsn - prometheus_listen_address = var.runner_manager_prometheus_listen_address + sentry_dsn = var.runner_manager.sentry_dsn + prometheus_listen_address = var.runner_manager.prometheus_listen_address auth_type = var.runner_worker_cache_s3_authentication_type } ) diff --git a/migrations/migrate-to-7-0-0.sh b/migrations/migrate-to-7-0-0.sh index 693e444cc..c74854213 100755 --- a/migrations/migrate-to-7-0-0.sh +++ b/migrations/migrate-to-7-0-0.sh 
@@ -271,4 +271,26 @@ runner_role = { } " > x && mv x "$converted_file" +extracted_variables=$(grep -E '(runner_manager_maximum_concurrent_jobs|runner_manager_sentry_dsn|runner_manager_gitlab_check_interval|runner_manager_prometheus_listen_address' "$converted_file") + +sed -i '/runner_manager_maximum_concurrent_jobs/d' "$converted_file" +sed -i '/runner_manager_sentry_dsn/d' "$converted_file" +sed -i '/runner_manager_gitlab_check_interval/d' "$converted_file" +sed -i '/runner_manager_prometheus_listen_address/d' "$converted_file" + +# rename the variables +extracted_variables=$(echo "$extracted_variables" | \ + sed 's/runner_manager_maximum_concurrent_jobs/maximum_concurrent_jobs/g' | \ + sed 's/runner_manager_sentry_dsn/sentry_dsn/g' | \ + sed 's/runner_manager_gitlab_check_interval/gitlab_check_interval/g' | \ + sed 's/runner_manager_prometheus_listen_address/prometheus_listen_address/g' + ) + +# add new block runners_docker_options at the end +echo "$(head -n -1 "$converted_file") +runner_manager = { + $extracted_variables +} +" > x && mv x "$converted_file" + echo "Module call converted. Output: $converted_file" diff --git a/variables.tf b/variables.tf index f8ed0d205..cc1eb52ab 100644 --- a/variables.tf +++ b/variables.tf 
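Review bot: The `grep -E` pattern that extracts the runner_manager settings has an unmatched opening parenthesis (`'(runner_manager_maximum_concurrent_jobs|...|runner_manager_prometheus_listen_address'`), which GNU grep rejects as an invalid regular expression; `extracted_variables` is then empty, the following `sed -i '/.../d'` lines still delete the user's four settings, and an empty `runner_manager = {}` block is written, so a custom `sentry_dsn` or `maximum_concurrent_jobs` is dropped without any error reaching the user. Close the group: `extracted_variables=$(grep -E '(runner_manager_maximum_concurrent_jobs|runner_manager_sentry_dsn|runner_manager_gitlab_check_interval|runner_manager_prometheus_listen_address)' "$converted_file")`. An explicit check of grep's exit status after each extraction (2 means an invalid pattern, 1 merely no match) would turn this class of typo into a visible failure instead of silent configuration loss.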
@@ -73,28 +73,20 @@ variable "iam_object_prefix" { /* * Runner Manager: A type of runner that can create multiple runners for autoscaling. Specific to the type of executor used. */ -variable "runner_manager_maximum_concurrent_jobs" { - description = "The maximum number of jobs which can be processed by all executors at the same time." - type = number - default = 10 -} - -variable "runner_manager_sentry_dsn" { - description = "Sentry DSN of the project for the Agent to use (uses legacy DSN format)" - type = string - default = "__SENTRY_DSN_REPLACED_BY_USER_DATA__" -} - -variable "runner_manager_gitlab_check_interval" { - description = "Number of seconds between checking for available jobs." - type = number - default = 3 -} - -variable "runner_manager_prometheus_listen_address" { - description = "Defines an address (:) the Prometheus metrics HTTP server should listen on." - type = string - default = "" +variable "runner_manager" { + description = <<-EOT + gitlab_check_interval = Number of seconds between checking for available jobs. + maximum_concurrent_jobs = The maximum number of jobs which can be processed by all executors at the same time. + prometheus_listen_address = Defines an address (:) the Prometheus metrics HTTP server should listen on. + sentry_dsn = Sentry DSN of the project for the Agent to use (uses legacy DSN format) + EOT + type = object({ + gitlab_check_interval = optional(number, 3) + maximum_concurrent_jobs = optional(number, 10) + prometheus_listen_address = optional(string, "") + sentry_dsn = optional(string, "__SENTRY_DSN_REPLACED_BY_USER_DATA__") + }) + default = {} } /* From 103a2b698578994652025ced31f4ae072ce02e92 Mon Sep 17 00:00:00 2001 From: kayma Date: Fri, 21 Apr 2023 20:36:11 +0200 Subject: [PATCH 39/74] runner_install --- locals.tf | 2 +- main.tf | 22 +++++----- migrations/migrate-to-7-0-0.sh | 37 ++++++++++++++++- variables.tf | 76 +++++++++++----------------------- 4 files changed, 71 insertions(+), 66 deletions(-) 
diff --git a/locals.tf b/locals.tf index eb9cc1913..efeddbdd2 100644 --- a/locals.tf +++ b/locals.tf @@ -84,7 +84,7 @@ locals { /* determines if the docker machine executable adds the Name tag automatically (versions >= 0.16.2) */ # make sure to skip pre-release stuff in the semver by ignoring everything after "-" - docker_machine_version_used = split(".", split("-", var.runner_docker_machine_version)[0]) + docker_machine_version_used = split(".", split("-", var.runner_install.docker_machine_version)[0]) docker_machine_version_with_name_tag = split(".", "0.16.2") docker_machine_version_test = [ for i, j in reverse(range(length(local.docker_machine_version_used))) diff --git a/main.tf b/main.tf index 035cb9f50..9d3dc0d16 100644 --- a/main.tf +++ b/main.tf @@ -42,8 +42,8 @@ locals { logging = var.runner_cloudwatch_enable ? local.logging_user_data : "" gitlab_runner = local.template_gitlab_runner user_data_trace_log = var.runner_user_data_enable_trace_log - yum_update = var.runner_yum_update ? local.file_yum_update : "" - extra_config = var.runner_user_data_extra + yum_update = var.runner_install.yum_update ? local.file_yum_update : "" + extra_config = var.runner_install.start_script }) file_yum_update = file("${path.module}/template/yum_update.tftpl") 
@@ -55,16 +55,16 @@ locals { template_gitlab_runner = templatefile("${path.module}/template/gitlab-runner.tftpl", { gitlab_runner_version = var.runner_gitlab_runner_version - docker_machine_version = var.runner_docker_machine_version - docker_machine_download_url = var.runner_docker_machine_download_url + docker_machine_version = var.runner_install.docker_machine_version + docker_machine_download_url = var.runner_install.docker_machine_download_url runners_config = local.template_runner_config runners_userdata = var.runner_worker_docker_machine_userdata runners_executor = var.runner_worker_type - runners_install_amazon_ecr_credential_helper = var.runner_install_amazon_ecr_credential_helper + runners_install_amazon_ecr_credential_helper = var.runner_install.ecr_credential_helper curl_cacert = length(var.runner_gitlab_certificate) > 0 ? "--cacert /etc/gitlab-runner/certs/gitlab.crt" : "" pre_install_certificates = local.pre_install_certificates - pre_install = var.runner_userdata_pre_install - post_install = var.runner_userdata_post_install + pre_install = var.runner_install.pre_install_script + post_install = var.runner_install.post_install_script runners_gitlab_url = var.runner_gitlab_url runners_token = var.runner_gitlab_token secure_parameter_store_runner_token_key = local.secure_parameter_store_runner_token_key @@ -285,7 +285,7 @@ resource "aws_launch_template" "gitlab_runner_instance" { } network_interfaces { security_groups = concat([aws_security_group.runner.id], var.runner_extra_security_group_ids) - associate_public_ip_address = false == (var.runner_use_private_address == false ? var.runner_use_private_address : var.runner_worker_docker_machine_use_private_address) + associate_public_ip_address = false == (var.runner_instance.private_address_only == false ? var.runner_instance.private_address_only : var.runner_worker_docker_machine_use_private_address) } tag_specifications { resource_type = "instance" 
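Review bot: `runners_install_amazon_ecr_credential_helper = var.runner_install.ecr_credential_helper` reads an attribute that the `runner_install` object does not define; the type in variables.tf declares `amazon_ecr_credential_helper`, and the migration script renames to that same name, so Terraform will fail with an unsupported-attribute error on this line. Change it to `runners_install_amazon_ecr_credential_helper = var.runner_install.amazon_ecr_credential_helper`. The same line is carried unchanged as context in the later main.tf hunk of PATCH 40 (`@@ -54,19 +54,19 @@`), so the mismatch survives that commit too. The enclosing `locals` block continues outside the hunk.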
@@ -427,7 +427,7 @@ resource "aws_iam_role_policy_attachment" "instance_docker_machine_policy" { ### Policies for runner agent instance to allow connection via Session Manager ################################################################################ resource "aws_iam_policy" "instance_session_manager_policy" { - count = var.runner_enable_ssm_access ? 1 : 0 + count = var.runner_instance.ssm_access ? 1 : 0 name = "${local.name_iam_objects}-session-manager" path = "/" @@ -438,14 +438,14 @@ resource "aws_iam_policy" "instance_session_manager_policy" { } resource "aws_iam_role_policy_attachment" "instance_session_manager_policy" { - count = var.runner_enable_ssm_access ? 1 : 0 + count = var.runner_instance.ssm_access ? 1 : 0 role = var.runner_role.create_role_profile ? aws_iam_role.instance[0].name : local.aws_iam_role_instance_name policy_arn = aws_iam_policy.instance_session_manager_policy[0].arn } resource "aws_iam_role_policy_attachment" "instance_session_manager_aws_managed" { - count = var.runner_enable_ssm_access ? 1 : 0 + count = var.runner_instance.ssm_access ? 1 : 0 role = var.runner_role.create_role_profile ? aws_iam_role.instance[0].name : local.aws_iam_role_instance_name policy_arn = "arn:${data.aws_partition.current.partition}:iam::aws:policy/AmazonSSMManagedInstanceCore" diff --git a/migrations/migrate-to-7-0-0.sh b/migrations/migrate-to-7-0-0.sh index c74854213..a231f2613 100755 --- a/migrations/migrate-to-7-0-0.sh +++ b/migrations/migrate-to-7-0-0.sh 
@@ -219,7 +219,7 @@ echo "$(head -n -1 "$converted_file") # # PR #810 refactor!: group variables for better overview # -extracted_variables=$(grep -E '(runner_root_block_device|runner_ebs_optimized|runner_spot_price|runner_instance_prefix|runner_instance_type|runner_extra_instance_tags)' "$converted_file") +extracted_variables=$(grep -E '(runner_enable_ssm_access|runner_use_private_address|runner_root_block_device|runner_ebs_optimized|runner_spot_price|runner_instance_prefix|runner_instance_type|runner_extra_instance_tags)' "$converted_file") sed -i '/runner_root_block_device/d' "$converted_file" sed -i '/runner_ebs_optimized/d' "$converted_file" @@ -227,6 +227,8 @@ sed -i '/runner_spot_price/d' "$converted_file" sed -i '/runner_instance_prefix/d' "$converted_file" sed -i '/runner_instance_type/d' "$converted_file" sed -i '/runner_extra_instance_tags/d' "$converted_file" +sed -i '/runner_use_private_address/d' "$converted_file" +sed -i '/runner_enable_ssm_access/d' "$converted_file" # rename the variables extracted_variables=$(echo "$extracted_variables" | \ @@ -235,7 +237,9 @@ extracted_variables=$(echo "$extracted_variables" | \ sed 's/runner_spot_price/spot_price/g' | \ sed 's/runner_instance_prefix/name_prefix/g' | \ sed 's/runner_instance_type/type/g' | \ - sed 's/runner_extra_instance_tags/additional_tags/g' + sed 's/runner_extra_instance_tags/additional_tags/g' | \ + sed 's/runner_use_private_address/private_address_only/g' | \ + sed 's/runner_enable_ssm_access/ssm_access/g' ) # add new block runners_docker_options at the end 
@@ -293,4 +297,33 @@ runner_manager = { } " > x && mv x "$converted_file" +extracted_variables=$(grep -E '(runner_yum_update|runner_user_data_extra|runner_userdata_post_install|runner_userdata_pre_install|runner_install_amazon_ecr_credential_helper|runner_docker_machine_version|runner_docker_machine_download_url)' "$converted_file") + +sed -i '/runner_docker_machine_download_url/d' "$converted_file" +sed -i '/runner_docker_machine_version/d' "$converted_file" +sed -i '/runner_install_amazon_ecr_credential_helper/d' "$converted_file" +sed -i '/runner_userdata_pre_install/d' "$converted_file" +sed -i '/runner_userdata_post_install/d' "$converted_file" +sed -i '/runner_user_data_extra/d' "$converted_file" +sed -i '/runner_yum_update/d' "$converted_file" + + +# rename the variables +extracted_variables=$(echo "$extracted_variables" | \ + sed 's/runner_docker_machine_download_url/docker_machine_download_url/g' | \ + sed 's/runner_docker_machine_version/docker_machine_version/g' | \ + sed 's/runner_install_amazon_ecr_credential_helper/amazon_ecr_credential_helper/g' | \ + sed 's/runner_userdata_pre_install/pre_install_script/g' | \ + sed 's/runner_userdata_post_install/post_install_script/g' | \ + sed 's/runner_user_data_extra/start_script/g' | \ + sed 's/runner_yum_update/yum_update/g' + ) + +# add new block runners_docker_options at the end +echo "$(head -n -1 "$converted_file") +runner_install = { + $extracted_variables +} +" > x && mv x "$converted_file" + echo "Module call converted. Output: $converted_file" diff --git a/variables.tf b/variables.tf index cc1eb52ab..81db016bf 100644 --- a/variables.tf +++ b/variables.tf 
@@ -97,16 +97,20 @@ variable "runner_instance" { additional_tags = Map of tags that will be added to the Agent instance. ebs_optimized = Enable EBS optimization for the Agent instance. name_prefix = Set the name prefix and override the `Name` tag for the Agent instance. + private_address_only = Restrict the Agent to the use of a private IP address. If this is set to `false` it will override the `runners_use_private_address` for the agent. root_device_config = The Agent's root block device configuration. Takes the following keys: `device_name`, `delete_on_termination`, `volume_type`, `volume_size`, `encrypted`, `iops`, `throughput`, `kms_key_id` spot_price = By setting a spot price bid price the runner agent will be created via a spot request. Be aware that spot instances can be stopped by AWS. Choose \"on-demand-price\" to pay up to the current on demand price for the instance type chosen. + ssm_access = Allows to connect to the Agent via SSM. type = EC2 instance type used. EOT type = object({ additional_tags = optional(map(string)) ebs_optimized = optional(bool, true) name_prefix = optional(string) + private_address_only = optional(bool, true) root_device_config = optional(map(string)) spot_price = optional(string, null) + ssm_access = optional(bool, false) type = string }) default = { @@ -219,18 +223,6 @@ variable "runner_enable_eip" { default = false } -variable "runner_use_private_address" { - description = "Restrict the Agent to the use of a private IP address. If this is set to `false` it will override the `runners_use_private_address` for the agent." - type = bool - default = true -} - -variable "runner_enable_ssm_access" { - description = "Allows to connect to the Agent via SSM." - type = bool - default = false -} - variable "runner_metadata_options" { description = "Enable the Gitlab runner agent instance metadata service. IMDSv2 is enabled by default." type = object({ 
@@ -283,46 +275,26 @@ variable "runner_schedule_config" { } } -variable "runner_install_amazon_ecr_credential_helper" { - description = "Install amazon-ecr-credential-helper inside `userdata_pre_install` script" - type = bool - default = false -} - -variable "runner_docker_machine_version" { - description = "By default docker_machine_download_url is used to set the docker machine version. This version will be ignored once `docker_machine_download_url` is set. The version number is maintained by the CKI project. Check out at https://gitlab.com/cki-project/docker-machine/-/releases" - type = string - default = "0.16.2-gitlab.19-cki.2" -} - -variable "runner_docker_machine_download_url" { - description = "(Optional) By default the module will use `docker_machine_version` to download the CKI maintained version (https://gitlab.com/cki-project/docker-machine) of Docker Machine. Alternative you can set this property to download location of the distribution of for the OS. See also https://docs.gitlab.com/runner/executors/docker_machine.html#install" - type = string - default = "" -} - -variable "runner_yum_update" { - description = "Run a `yum` update as part of starting the Agent" - type = bool - default = true -} - -variable "runner_userdata_pre_install" { - description = "User-data script snippet to insert before GitLab Runner install" - type = string - default = "" -} - -variable "runner_userdata_post_install" { - description = "User-data script snippet to insert after GitLab Runner install" - type = string - default = "" -} - -variable "runner_user_data_extra" { - description = "Extra commands to run as part of starting the Agent" - type = string - default = "" +variable "runner_install" { + description = <<-EOT + amazon_ecr_credentials_helper = Install amazon-ecr-credential-helper inside `userdata_pre_install` script + docker_machine_download_url = URL to download docker machine binary. If not set, the docker machine version will be used to download the binary. 
+ docker_machine_version = By default docker_machine_download_url is used to set the docker machine version. This version will be ignored once `docker_machine_download_url` is set. The version number is maintained by the CKI project. Check out at https://gitlab.com/cki-project/docker-machine/-/releases + pre_install_script = Script to run before installing the runner + post_install_script = Script to run after installing the runner + start_script = Script to run after starting the runner + yum_update = Update the yum packages before installing the runner + EOT + type = object({ + amazon_ecr_credential_helper = optional(bool, false) + docker_machine_download_url = optional(string, "") + docker_machine_version = optional(string, "0.16.2-gitlab.19-cki.2") + pre_install_script = optional(string, "") + post_install_script = optional(string, "") + start_script = optional(string, "") + yum_update = optional(bool, true) + }) + default = {} } variable "runner_user_data_enable_trace_log" { From 5c987f3fe3f34f809e4b5d21603229761b5aa07d Mon Sep 17 00:00:00 2001 From: kayma Date: Fri, 21 Apr 2023 21:19:12 +0200 Subject: [PATCH 40/74] some more variable groupings --- locals.tf | 15 ++-- logging.tf | 10 +-- main.tf | 28 +++---- migrations/migrate-to-7-0-0.sh | 70 +++++++++++++++- variables.tf | 141 +++++++++++++-------------------- 5 files changed, 154 insertions(+), 110 deletions(-) diff --git a/locals.tf b/locals.tf index efeddbdd2..3fd1e51e3 100644 --- a/locals.tf +++ b/locals.tf 
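Review bot: The description of the new `runner_install` object documents `amazon_ecr_credentials_helper`, but the type declares `amazon_ecr_credential_helper` (and the migration script renames to the latter), so the docs advertise a key Terraform will reject; the same line also still refers to the removed `userdata_pre_install` variable, which is now `pre_install_script`. Suggested line: `amazon_ecr_credential_helper = Install amazon-ecr-credential-helper inside the pre_install_script`. The `start_script` entry, `Script to run after starting the runner`, describes a different moment from the replaced `runner_user_data_extra` ("Extra commands to run as part of starting the Agent"), which main.tf still feeds into `extra_config`; unless the user-data template changed, the earlier wording is the accurate one.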
@@ -1,21 +1,21 @@ locals { # Manage certificates pre_install_gitlab_certificate = ( - length(var.runner_gitlab_certificate) > 0 + length(var.runner_gitlab.certificate) > 0 ? <<-EOT mkdir -p /etc/gitlab-runner/certs/ cat <<- EOF > /etc/gitlab-runner/certs/gitlab.crt - ${var.runner_gitlab_certificate} + ${var.runner_gitlab.certificate} EOF EOT : "" ) pre_install_ca_certificate = ( - length(var.runner_gitlab_ca_certificate) > 0 + length(var.runner_gitlab.ca_certificate) > 0 ? <<-EOT mkdir -p /etc/gitlab-runner/certs/ cat <<- EOF > /etc/gitlab-runner/certs/ca.crt - ${var.runner_gitlab_ca_certificate} + ${var.runner_gitlab.ca_certificate} EOF EOT : "" @@ -28,7 +28,7 @@ locals { EOT pre_install_certificates = ( # If either (or both) _certificate variables are specified - length(var.runner_gitlab_certificate) + length(var.runner_gitlab_ca_certificate) > 0 + length(var.runner_gitlab.certificate) + length(var.runner_gitlab.ca_certificate) > 0 ? join("\n", [ local.pre_install_gitlab_certificate, local.pre_install_ca_certificate, @@ -95,12 +95,15 @@ locals { } resource "local_file" "config_toml" { + count = var.debug.write_runner_config_to_file ? 1 : 0 + content = local.template_runner_config filename = "${path.module}/debug/runner_config.toml" } resource "local_file" "user_data" { - count = var.show_user_data_in_plan ? 1 : 0 + count = var.debug.write_runner_config_to_file ? 1 : 0 + content = nonsensitive(local.template_user_data) filename = "${path.module}/debug/user_data.sh" } diff --git a/logging.tf b/logging.tf index a6edaf082..62ccfde1f 100644 --- a/logging.tf +++ b/logging.tf 
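Review bot: Both debug files are now gated by the single flag `var.debug.write_runner_config_to_file`, and the user-data one wraps the template in `nonsensitive()` before writing it to `${path.module}/debug/user_data.sh`; user-data and the runner config both embed the GitLab registration token (`runners_token = var.runner_gitlab.registration_token` in main.tf), so enabling the flag writes that secret in plaintext into the module directory. The flag name only mentions the runner config; either give user-data its own flag (the removed `show_user_data_in_plan` suggests a separate switch was intended) or state in the `debug` variable's description that both files, token included, are written to disk. A comment above the two resources would help as well, e.g. `# Debug only: both files contain the runner registration token in plaintext; do not enable in shared or CI workspaces.`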
@@ -1,5 +1,5 @@ resource "aws_iam_role_policy" "instance" { - count = var.runner_cloudwatch_enable && var.runner_role.create_role_profile ? 1 : 0 + count = var.runner_cloudwatch.enable && var.runner_role.create_role_profile ? 1 : 0 name = "${local.name_iam_objects}-logging" role = var.runner_role.create_role_profile ? aws_iam_role.instance[0].name : local.aws_iam_role_instance_name policy = templatefile("${path.module}/policies/instance-logging-policy.json", { partition = data.aws_partition.current.partition }) @@ -8,18 +8,18 @@ resource "aws_iam_role_policy" "instance" { locals { logging_user_data = templatefile("${path.module}/template/logging.tftpl", { - log_group_name = var.runner_cloudwatch_log_group_name != null ? var.runner_cloudwatch_log_group_name : var.environment + log_group_name = var.runner_cloudwatch.log_group_name != null ? var.runner_cloudwatch.log_group_name : var.environment }) provided_kms_key = var.kms_key_id != "" ? var.kms_key_id : "" kms_key = local.provided_kms_key == "" && var.enable_managed_kms_key ? aws_kms_key.default[0].arn : local.provided_kms_key } resource "aws_cloudwatch_log_group" "environment" { - count = var.runner_cloudwatch_enable ? 1 : 0 - name = var.runner_cloudwatch_log_group_name != null ? var.runner_cloudwatch_log_group_name : var.environment + count = var.runner_cloudwatch.enable ? 1 : 0 + name = var.runner_cloudwatch.log_group_name != null ? var.runner_cloudwatch.log_group_name : var.environment # ignores a false positive: retention_in_days not set # kics-scan ignore-line - retention_in_days = var.runner_cloudwatch_retention_days + retention_in_days = var.runner_cloudwatch.retention_days tags = local.tags # ignored as decided by the user diff --git a/main.tf b/main.tf index 9d3dc0d16..10977a8e6 100644 --- a/main.tf +++ b/main.tf 
@@ -39,9 +39,9 @@ locals { template_user_data = templatefile("${path.module}/template/user-data.tftpl", { eip = var.runner_enable_eip ? local.template_eip : "" - logging = var.runner_cloudwatch_enable ? local.logging_user_data : "" + logging = var.runner_cloudwatch.enable ? local.logging_user_data : "" gitlab_runner = local.template_gitlab_runner - user_data_trace_log = var.runner_user_data_enable_trace_log + user_data_trace_log = var.debug.trace_runner_user_data yum_update = var.runner_install.yum_update ? local.file_yum_update : "" extra_config = var.runner_install.start_script }) 
@@ -54,19 +54,19 @@ locals { template_gitlab_runner = templatefile("${path.module}/template/gitlab-runner.tftpl", { - gitlab_runner_version = var.runner_gitlab_runner_version + gitlab_runner_version = var.runner_gitlab.runner_version docker_machine_version = var.runner_install.docker_machine_version docker_machine_download_url = var.runner_install.docker_machine_download_url runners_config = local.template_runner_config runners_userdata = var.runner_worker_docker_machine_userdata runners_executor = var.runner_worker_type runners_install_amazon_ecr_credential_helper = var.runner_install.ecr_credential_helper - curl_cacert = length(var.runner_gitlab_certificate) > 0 ? "--cacert /etc/gitlab-runner/certs/gitlab.crt" : "" + curl_cacert = length(var.runner_gitlab.certificate) > 0 ? "--cacert /etc/gitlab-runner/certs/gitlab.crt" : "" pre_install_certificates = local.pre_install_certificates pre_install = var.runner_install.pre_install_script post_install = var.runner_install.post_install_script - runners_gitlab_url = var.runner_gitlab_url - runners_token = var.runner_gitlab_token + runners_gitlab_url = var.runner_gitlab.url + runners_token = var.runner_gitlab.registration_token secure_parameter_store_runner_token_key = local.secure_parameter_store_runner_token_key secure_parameter_store_runner_sentry_dsn = local.secure_parameter_store_runner_sentry_dsn secure_parameter_store_region = data.aws_region.current.name 
@@ -83,9 +83,9 @@ locals { template_runner_config = templatefile("${path.module}/template/runner-config.tftpl", { aws_region = data.aws_region.current.name - gitlab_url = var.runner_gitlab_url - gitlab_clone_url = var.runner_gitlab_clone_url - tls_ca_file = length(var.runner_gitlab_certificate) > 0 ? "tls-ca-file=\"/etc/gitlab-runner/certs/gitlab.crt\"" : "" + gitlab_url = var.runner_gitlab.url + gitlab_clone_url = var.runner_gitlab.clone_url + tls_ca_file = length(var.runner_gitlab.certificate) > 0 ? "tls-ca-file=\"/etc/gitlab-runner/certs/gitlab.crt\"" : "" runners_machine_autoscaling = [for config in var.runner_worker_docker_machine_autoscaling_options : { for key, value in config : # Convert key from snake_case to PascalCase which is the casing for this section. @@ -104,9 +104,9 @@ locals { runners_instance_profile = var.runner_worker_type == "docker+machine" ? aws_iam_instance_profile.docker_machine[0].name : "" docker_machine_options = length(local.docker_machine_options_string) == 1 ? "" : local.docker_machine_options_string docker_machine_name = format("%s-%s", local.runner_tags_merged["Name"], "%s") # %s is always needed - runners_name = var.runner_gitlab_runner_name + runners_name = var.runner_instance.name runners_tags = replace(replace(local.runner_tags_string, ",,", ","), "/,$/", "") - runners_token = var.runner_gitlab_token + runners_token = var.runner_gitlab.registration_token runners_userdata = var.runner_worker_docker_machine_userdata runners_executor = var.runner_worker_type runners_limit = var.runner_worker_max_jobs 
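Review bot: `gitlab_clone_url = var.runner_gitlab.clone_url` reads an attribute the new `runner_gitlab` object does not declare: the variables.tf hunk `@@ -297,54 +295,52 @@` names it `url_clone`, and the migration script maps `runner_gitlab_clone_url` to `url_clone` as well, so `terraform validate` will fail here with an unsupported-attribute error. Either change this line to `gitlab_clone_url = var.runner_gitlab.url_clone`, or rename the attribute to `clone_url` in both the variable declaration and the migration script's `sed 's/runner_gitlab_clone_url/url_clone/g'`. The enclosing `locals` block starts and ends outside the hunk.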
@@ -248,9 +248,9 @@ resource "aws_launch_template" "gitlab_runner_instance" { user_data = base64gzip(local.template_user_data) instance_type = var.runner_instance.type update_default_version = true - ebs_optimized = var.runner_ebs_optimized + ebs_optimized = var.runner_instance.ebs_optimized monitoring { - enabled = var.runner_enable_monitoring + enabled = var.runner_instance.enable_monitoring } dynamic "instance_market_options" { for_each = var.runner_instance.spot_price == null || var.runner_instance.spot_price == "" ? [] : ["spot"] @@ -591,7 +591,7 @@ module "terminate_agent_hook" { environment = var.environment asg_arn = aws_autoscaling_group.gitlab_runner_instance.arn asg_name = aws_autoscaling_group.gitlab_runner_instance.name - cloudwatch_logging_retention_in_days = var.runner_cloudwatch_retention_days + cloudwatch_logging_retention_in_days = var.runner_cloudwatch.retention_days name_iam_objects = local.name_iam_objects name_docker_machine_runners = local.runner_tags_merged["Name"] role_permissions_boundary = var.iam_permissions_boundary == "" ? null : "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:policy/${var.iam_permissions_boundary}" diff --git a/migrations/migrate-to-7-0-0.sh b/migrations/migrate-to-7-0-0.sh index a231f2613..1b05d38ea 100755 --- a/migrations/migrate-to-7-0-0.sh +++ b/migrations/migrate-to-7-0-0.sh 
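Review bot: `enabled = var.runner_instance.enable_monitoring` references an attribute that does not exist on `runner_instance`; the variables.tf hunk `@@ -106,15 +108,17 @@` adds it as `monitoring = optional(bool, true)` and the migration script renames `runner_enable_monitoring` to `monitoring`, so this will be rejected at validation time. The line should read `enabled = var.runner_instance.monitoring`. The `aws_launch_template` resource starts and ends outside the hunk.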
@@ -219,7 +219,7 @@ echo "$(head -n -1 "$converted_file") # # PR #810 refactor!: group variables for better overview # -extracted_variables=$(grep -E '(runner_enable_ssm_access|runner_use_private_address|runner_root_block_device|runner_ebs_optimized|runner_spot_price|runner_instance_prefix|runner_instance_type|runner_extra_instance_tags)' "$converted_file") +extracted_variables=$(grep -E '(runner_enable_monitoring|runner_gitlab_runner_name|runner_enable_ssm_access|runner_use_private_address|runner_root_block_device|runner_ebs_optimized|runner_spot_price|runner_instance_prefix|runner_instance_type|runner_extra_instance_tags)' "$converted_file") sed -i '/runner_root_block_device/d' "$converted_file" sed -i '/runner_ebs_optimized/d' "$converted_file" @@ -229,6 +229,8 @@ sed -i '/runner_instance_type/d' "$converted_file" sed -i '/runner_extra_instance_tags/d' "$converted_file" sed -i '/runner_use_private_address/d' "$converted_file" sed -i '/runner_enable_ssm_access/d' "$converted_file" +sed -i '/runner_gitlab_runner_name/d' "$converted_file" +sed -i '/runner_enable_monitoring/d' "$converted_file" # rename the variables extracted_variables=$(echo "$extracted_variables" | \ @@ -239,6 +241,8 @@ extracted_variables=$(echo "$extracted_variables" | \ sed 's/runner_instance_type/type/g' | \ sed 's/runner_extra_instance_tags/additional_tags/g' | \ sed 's/runner_use_private_address/private_address_only/g' | \ + sed 's/runner_gitlab_runner_name/name/g' | \ + sed 's/runner_enable_monitoring/monitoring/g' | \ sed 's/runner_enable_ssm_access/ssm_access/g' ) 
@@ -326,4 +330,68 @@ runner_install = { } " > x && mv x "$converted_file" +extracted_variables=$(grep -E '(runner_gitlab_clone_url|runner_gitlab_url|runner_gitlab_runner_version|runner_gitlab_token|runner_gitlab_certificate|runner_gitlab_ca_certificate)' "$converted_file") + +sed -i '/runner_gitlab_ca_certificate/d' "$converted_file" +sed -i '/runner_gitlab_certificate/d' "$converted_file" +sed -i '/runner_gitlab_token/d' "$converted_file" +sed -i '/runner_gitlab_runner_version/d' "$converted_file" +sed -i '/runner_gitlab_url/d' "$converted_file" +sed -i '/runner_gitlab_clone_url/d' "$converted_file" + + +# rename the variables +extracted_variables=$(echo "$extracted_variables" | \ + sed 's/runner_gitlab_ca_certificate/ca_certificate/g' | \ + sed 's/runner_gitlab_certificate/certificate/g' | \ + sed 's/runner_gitlab_token/registration_token/g' | \ + sed 's/runner_gitlab_runner_version/runner_version/g' | \ + sed 's/runner_gitlab_url/url/g' | \ + sed 's/runner_gitlab_clone_url/url_clone/g' + ) + +# add new block runners_docker_options at the end +echo "$(head -n -1 "$converted_file") +runner_gitlab = { + $extracted_variables +} +" > x && mv x "$converted_file" + +extracted_variables=$(grep -E '(show_user_data_in_plan|runner_user_data_enable_trace_log)' "$converted_file") + +sed -i '/runner_user_data_enable_trace_log/d' "$converted_file" +sed -i '/show_user_data_in_plan/d' "$converted_file" + +# rename the variables +extracted_variables=$(echo "$extracted_variables" | \ + sed 's/runner_user_data_enable_trace_log/trace_runner_user_data/g' | \ + sed 's/show_user_data_in_plan/write_runner_config_to_file/g' + ) + +# add new block runners_docker_options at the end +echo "$(head -n -1 "$converted_file") +debug = { + $extracted_variables +} +" > x && mv x "$converted_file" + +extracted_variables=$(grep -E '(runner_cloudwatch_log_group_name|runner_cloudwatch_retention_days|runner_cloudwatch_enable)' "$converted_file") + +sed -i '/runner_cloudwatch_enable/d' "$converted_file" 
+sed -i '/runner_cloudwatch_retention_days/d' "$converted_file" +sed -i '/runner_cloudwatch_log_group_name/d' "$converted_file" + +# rename the variables +extracted_variables=$(echo "$extracted_variables" | \ + sed 's/runner_cloudwatch_enable/enable/g' | \ + sed 's/runner_cloudwatch_retention_days/retention_days/g' | \ + sed 's/runner_cloudwatch_log_group_name/log_group_name/g' + ) + +# add new block runners_docker_options at the end +echo "$(head -n -1 "$converted_file") +runner_cloudwatch = { + $extracted_variables +} +" > x && mv x "$converted_file" echo "Module call converted. Output: $converted_file" diff --git a/variables.tf b/variables.tf index 81db016bf..48540047f 100644 --- a/variables.tf +++ b/variables.tf @@ -96,6 +96,8 @@ variable "runner_instance" { description = <<-EOT additional_tags = Map of tags that will be added to the Agent instance. ebs_optimized = Enable EBS optimization for the Agent instance. + monitoring = Enable the detailed monitoring on the Agent instance. + name = Name of the Runner instance. name_prefix = Set the name prefix and override the `Name` tag for the Agent instance. private_address_only = Restrict the Agent to the use of a private IP address. If this is set to `false` it will override the `runners_use_private_address` for the agent. root_device_config = The Agent's root block device configuration. Takes the following keys: `device_name`, `delete_on_termination`, `volume_type`, `volume_size`, `encrypted`, `iops`, `throughput`, `kms_key_id` 
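Review bot: The pattern `runner_gitlab_token` in the `grep -E` and in `sed -i '/runner_gitlab_token/d'` is a prefix of `runner_gitlab_token_secure_parameter_store` (still declared in variables.tf, visible as context in the `@@ -297` hunk), so a user who set that variable has the line deleted from the module call and re-emitted inside `runner_gitlab = { ... }` as `registration_token_secure_parameter_store` by the rename chain. Anchor both patterns on the assignment, e.g. `runner_gitlab_token[[:space:]]*=` in the grep alternation and `sed -i '/runner_gitlab_token[[:space:]]*=/d' "$converted_file"`. The comment `# add new block runners_docker_options at the end` is copied verbatim over the `runner_gitlab`, `debug` and `runner_cloudwatch` blocks and should name the block each `echo` actually writes.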
@@ -106,15 +108,17 @@ variable "runner_instance" { type = object({ additional_tags = optional(map(string)) ebs_optimized = optional(bool, true) + monitoring = optional(bool, true) + name = string name_prefix = optional(string) private_address_only = optional(bool, true) root_device_config = optional(map(string)) spot_price = optional(string, null) ssm_access = optional(bool, false) - type = string + type = optional(string, "t3.micro") }) default = { - type = "t3.micro" + name = "gitlab-runner" } } @@ -133,12 +137,6 @@ variable "runner_ami_owners" { default = ["amazon"] } -variable "runner_enable_monitoring" { - description = "Enable the detailed monitoring on the Agent instance." - type = bool - default = true -} - variable "runner_collect_autoscaling_metrics" { description = "A list of metrics to collect. The allowed values are GroupDesiredCapacity, GroupInServiceCapacity, GroupPendingCapacity, GroupMinSize, GroupMaxSize, GroupInServiceInstances, GroupPendingInstances, GroupStandbyInstances, GroupStandbyCapacity, GroupTerminatingCapacity, GroupTerminatingInstances, GroupTotalCapacity, GroupTotalInstances." type = list(string) 
@@ -297,54 +295,52 @@ variable "runner_install" { default = {} } -variable "runner_user_data_enable_trace_log" { - description = "Enable bash trace for the user data script on the Agent. Be aware this could log sensitive data such as you GitLab runner token." - type = bool - default = true -} - -variable "runner_cloudwatch_enable" { - description = "Boolean used to enable or disable the CloudWatch logging." - type = bool - default = true -} - -variable "runner_cloudwatch_retention_days" { - description = "Retention for cloudwatch logs. Defaults to unlimited. Requires `agent_cloudwatch_enable = true`." - type = number - default = 0 -} - -variable "runner_cloudwatch_log_group_name" { - description = "Option to override the default name (`environment`) of the log group. Requires `agent_cloudwatch_enable = true`." - default = null - type = string -} - -variable "runner_gitlab_runner_name" { - description = "Name of the Gitlab Runner." - type = string -} - -variable "runner_gitlab_runner_version" { - description = "Version of the [GitLab runner](https://gitlab.com/gitlab-org/gitlab-runner/-/releases)." - type = string - default = "15.8.2" +variable "runner_cloudwatch" { + description = <<-EOT + enable = Boolean used to enable or disable the CloudWatch logging. + log_group_name = Option to override the default name (`environment`) of the log group. Requires `enable = true`. + retention_days = Retention for cloudwatch logs. Defaults to unlimited. Requires `enable = true`. + EOT + type = object({ + enable = optional(bool, true) + log_group_name = optional(string, null) + retention_days = optional(number, 0) + }) + default = {} } variable "runner_gitlab_registration_config" { description = "Configuration used to register the Agent. See the README for an example, or reference the examples in the examples directory of this repo." 
- type = map(string) + type = object({ + registration_token = optional(string, "") + tag_list = optional(string, "") + description = optional(string, "") + locked_to_project = optional(string, "") + run_untagged = optional(string, "") + maximum_timeout = optional(string, "") + access_level = optional(string, "") + }) - default = { - registration_token = "" - tag_list = "" - description = "" - locked_to_project = "" - run_untagged = "" - maximum_timeout = "" - access_level = "" - } + default = {} +} + +variable "runner_gitlab" { + description = <<-EOT + ca_certificate = Trusted CA certificate bundle (PEM format). + certificate = Certificate of the GitLab instance to connect to (PEM format). + registration_token = Registration token to use to register the runner. Do not use. This is replaced by the `registration_token` in `runner_gitlab_registration_config`. + runner_version = Version of the [GitLab runner](https://gitlab.com/gitlab-org/gitlab-runner/-/releases). + url = URL of the GitLab instance to connect to. + url_clone = URL of the GitLab instance to clone from. Use only if the agent can’t connect to the GitLab URL. + EOT + type = object({ + ca_certificate = optional(string, "") + certificate = optional(string, "") + registration_token = optional(string, "__REPLACED_BY_USER_DATA__") + runner_version = optional(string, "15.8.2") + url = optional(string) + url_clone = optional(string) + }) } variable "runner_gitlab_token_secure_parameter_store" { 
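Review bot: `url = optional(string)` makes the GitLab URL nullable, whereas the removed `runner_gitlab_url` had no default and was therefore required; a caller that omits it now hands `null` to `templatefile` via `runners_gitlab_url`/`gitlab_url` in main.tf and fails at render time rather than at variable validation. Declaring it as `url = string` keeps the old contract. The description of `registration_token` says "Do not use", yet the main.tf hunks `@@ -54` and `@@ -104` still pass `var.runner_gitlab.registration_token` into both templates as `runners_token`; if the intent is that the `__REPLACED_BY_USER_DATA__` placeholder is substituted at boot, the description should say so rather than telling users not to set an attribute that is still read.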
@@ -353,35 +349,6 @@ variable "runner_gitlab_token_secure_parameter_store" { default = "runner-token" } -variable "runner_gitlab_ca_certificate" { - description = "Trusted CA certificate bundle (PEM format). Example: `file(\"$${path.module}/ca.crt\")`" - type = string - default = "" -} - -variable "runner_gitlab_certificate" { - description = "Certificate of the GitLab instance to connect to (PEM format). Example: `file(\"$${path.module}/my-gitlab.crt\")`" - type = string - default = "" -} - -variable "runner_gitlab_url" { - description = "URL of the GitLab instance to connect to." - type = string -} - -variable "runner_gitlab_clone_url" { - description = "Overwrites the URL for the GitLab instance. Use only if the agent can’t connect to the GitLab URL." - type = string - default = "" -} - -variable "runner_gitlab_token" { - description = "Token for the Agent to connect to GitLab" - type = string - default = "__REPLACED_BY_USER_DATA__" -} - variable "runner_sentry_secure_parameter_store_name" { description = "The Sentry DSN name used to store the Sentry DSN in Secure Parameter Store" type = string @@ -850,8 +817,14 @@ variable "runner_worker_docker_machine_docker_registry_mirror_url" { default = "" } -variable "show_user_data_in_plan" { - description = "When enabled, shows the diff for agent configuration files in Terraform plan: `config.toml` and user data script" - type = bool - default = false +variable "debug" { + description = <<-EOT + trace_runner_user_data: Enable bash trace for the user data script on the Agent. Be aware this could log sensitive data such as you GitLab runner token. + write_runner_config_to_file: Outputs the user data script and `config.toml` to the local file system. + EOT + type = object({ + trace_runner_user_data = optional(bool, false) + write_runner_config_to_file = optional(bool, false) + }) + default = {} } From b61ad3f919db7c29b2e2483349cd3d578499ce1b Mon Sep 17 00:00:00 2001 
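Review bot: The default for the trace flag flips from `true` (`runner_user_data_enable_trace_log`, removed in the `@@ -297` hunk) to `false` (`trace_runner_user_data = optional(bool, false)`); that is the right default given the description's own warning about logging the runner token, but it is a silent behaviour change for anyone who relied on the old default, and the migration script only carries over explicitly set values, so it deserves a line in the migration notes. `write_runner_config_to_file` should carry the same caveat as the trace flag, since the user data script and `config.toml` are rendered from templates that receive `runners_token`; suggested wording: `write_runner_config_to_file: Outputs the user data script and config.toml to the local file system. Both files contain the GitLab runner token.` The carried-over typo "such as you GitLab runner token" should read "your".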
From: kayma Date: Fri, 21 Apr 2023 22:12:45 +0200 Subject: [PATCH 41/74] rework cache variables --- examples/runner-public/main.tf | 4 +- main.tf | 64 ++++++------- migrations/migrate-to-7-0-0.sh | 61 +++++++++++++ security_groups.tf | 14 +-- variables.tf | 158 +++++++++++---------------------- 5 files changed, 154 insertions(+), 147 deletions(-) diff --git a/examples/runner-public/main.tf b/examples/runner-public/main.tf index 495ba541d..aa1140cdb 100644 --- a/examples/runner-public/main.tf +++ b/examples/runner-public/main.tf @@ -63,7 +63,7 @@ module "runner" { runner_worker_cache_shared = "true" - runner_worker_cache_s3_bucket = { + runner_worker_cache = { create = false policy = module.cache.policy_arn bucket = module.cache.bucket @@ -96,7 +96,7 @@ module "runner2" { runner_worker_cache_shared = "true" - runner_worker_cache_s3_bucket = { + runner_worker_cache = { create = false policy = module.cache.policy_arn bucket = module.cache.bucket diff --git a/main.tf b/main.tf index 10977a8e6..40619c242 100644 --- a/main.tf +++ b/main.tf @@ -59,7 +59,7 @@ locals { docker_machine_download_url = var.runner_install.docker_machine_download_url runners_config = local.template_runner_config runners_userdata = var.runner_worker_docker_machine_userdata - runners_executor = var.runner_worker_type + runners_executor = var.runner_worker.type runners_install_amazon_ecr_credential_helper = var.runner_install.ecr_credential_helper curl_cacert = length(var.runner_gitlab.certificate) > 0 ? "--cacert /etc/gitlab-runner/certs/gitlab.crt" : "" pre_install_certificates = local.pre_install_certificates 
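Review bot: Both module calls in the example keep `runner_worker_cache_shared = "true"` as a standalone argument (context line), while main.tf now reads `var.runner_worker_cache.shared` (hunk `@@ -121,28`) and the migration script deletes `runner_worker_cache_shared` and folds it into the `runner_worker_cache` block as `shared`. If the standalone `runner_worker_cache_shared` variable was dropped from variables.tf (the diffstat shows a large rework there, but that part is not in view), the example stops validating with an unsupported-argument error. Move the setting into the new block, i.e. `shared = true` next to `create = false`, in both `module "runner"` and `module "runner2"`.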
@@ -97,23 +97,23 @@ locals { runners_aws_zone = data.aws_availability_zone.runners.name_suffix runners_instance_type = var.runner_worker_docker_machine_instance_type runners_spot_price_bid = var.runner_worker_docker_machine_ec2_spot_price_bid == "on-demand-price" || var.runner_worker_docker_machine_ec2_spot_price_bid == null ? "" : var.runner_worker_docker_machine_ec2_spot_price_bid - runners_ami = var.runner_worker_type == "docker+machine" ? data.aws_ami.docker-machine[0].id : "" - runners_security_group_name = var.runner_worker_type == "docker+machine" ? aws_security_group.docker_machine[0].name : "" + runners_ami = var.runner_worker.type == "docker+machine" ? data.aws_ami.docker-machine[0].id : "" + runners_security_group_name = var.runner_worker.type == "docker+machine" ? aws_security_group.docker_machine[0].name : "" runners_monitoring = var.runner_worker_docker_machine_enable_monitoring runners_ebs_optimized = var.runner_worker_docker_machine_ec2_ebs_optimized - runners_instance_profile = var.runner_worker_type == "docker+machine" ? aws_iam_instance_profile.docker_machine[0].name : "" + runners_instance_profile = var.runner_worker.type == "docker+machine" ? aws_iam_instance_profile.docker_machine[0].name : "" docker_machine_options = length(local.docker_machine_options_string) == 1 ? 
"" : local.docker_machine_options_string docker_machine_name = format("%s-%s", local.runner_tags_merged["Name"], "%s") # %s is always needed runners_name = var.runner_instance.name runners_tags = replace(replace(local.runner_tags_string, ",,", ","), "/,$/", "") runners_token = var.runner_gitlab.registration_token runners_userdata = var.runner_worker_docker_machine_userdata - runners_executor = var.runner_worker_type - runners_limit = var.runner_worker_max_jobs + runners_executor = var.runner_worker.type + runners_limit = var.runner_worker.max_jobs runners_concurrent = var.runner_manager.maximum_concurrent_jobs runners_pull_policies = local.runners_pull_policies - runners_idle_count = var.runner_worker_idle_count - runners_idle_time = var.runner_worker_idle_time + runners_idle_count = var.runner_worker.idle_count + runners_idle_time = var.runner_worker.idle_time runners_max_builds = local.runners_max_builds_string runners_root_size = var.runner_worker_docker_machine_ec2_root_size runners_volume_type = var.runner_worker_docker_machine_ec2_volume_type 
@@ -121,28 +121,28 @@ locals { runners_use_private_address_only = var.runner_worker_docker_machine_use_private_address runners_use_private_address = !var.runner_worker_docker_machine_use_private_address runners_request_spot_instance = var.runner_worker_docker_machine_request_spot_instances - runners_environment_vars = jsonencode(var.runner_worker_extra_environment_variables) + runners_environment_vars = jsonencode(var.runner_worker.environment_variables) runners_pre_build_script = var.runner_worker_pre_build_script runners_post_build_script = var.runner_worker_post_build_script runners_pre_clone_script = var.runner_worker_pre_clone_script - runners_request_concurrency = var.runner_worker_request_concurrency - runners_output_limit = var.runner_worker_output_limit + runners_request_concurrency = var.runner_worker.request_concurrency + runners_output_limit = var.runner_worker.output_limit runners_check_interval = var.runner_manager.gitlab_check_interval runners_volumes_tmpfs = join("\n", [for v in var.runner_worker_docker_volumes_tmpfs : format("\"%s\" = \"%s\"", v.volume, v.options)]) runners_services_volumes_tmpfs = join("\n", [for v in var.runner_worker_docker_services_volumes_tmpfs : format("\"%s\" = \"%s\"", v.volume, v.options)]) runners_docker_services = local.runners_docker_services runners_docker_options = local.runners_docker_options_toml bucket_name = local.bucket_name - shared_cache = var.runner_worker_cache_shared + shared_cache = var.runner_worker_cache.shared sentry_dsn = var.runner_manager.sentry_dsn prometheus_listen_address = var.runner_manager.prometheus_listen_address - auth_type = var.runner_worker_cache_s3_authentication_type + auth_type = var.runner_worker_cache.authentication_type } ) } data "aws_ami" "docker-machine" { - count = var.runner_worker_type == "docker+machine" ? 1 : 0 + count = var.runner_worker.type == "docker+machine" ? 1 : 0 most_recent = "true" 
@@ -324,25 +324,25 @@ resource "aws_launch_template" "gitlab_runner_instance" { ### Create cache bucket ################################################################################ locals { - bucket_name = var.runner_worker_cache_s3_bucket["create"] ? module.cache[0].bucket : var.runner_worker_cache_s3_bucket["bucket"] - bucket_policy = var.runner_worker_cache_s3_bucket["create"] ? module.cache[0].policy_arn : var.runner_worker_cache_s3_bucket["policy"] + bucket_name = var.runner_worker_cache["create"] ? module.cache[0].bucket : var.runner_worker_cache["bucket"] + bucket_policy = var.runner_worker_cache["create"] ? module.cache[0].policy_arn : var.runner_worker_cache["policy"] } module "cache" { - count = var.runner_worker_cache_s3_bucket["create"] ? 1 : 0 + count = var.runner_worker_cache["create"] ? 1 : 0 source = "./modules/cache" environment = var.environment tags = local.tags - cache_bucket_prefix = var.runner_worker_cache_s3_bucket_prefix - cache_bucket_name_include_account_id = var.runner_worker_cache_s3_bucket_name_include_account_id - cache_bucket_set_random_suffix = var.runner_worker_cache_s3_bucket_enable_random_suffix - cache_bucket_versioning = var.runner_worker_cache_s3_enable_versioning - cache_expiration_days = var.runner_worker_cache_s3_expiration_days - cache_lifecycle_prefix = var.runner_worker_cache_shared ? "project/" : "runner/" - cache_logging_bucket = var.runner_worker_cache_s3_logging_bucket_id - cache_logging_bucket_prefix = var.runner_worker_cache_s3_logging_bucket_prefix + cache_bucket_prefix = var.runner_worker_cache.bucket_prefix + cache_bucket_name_include_account_id = var.runner_worker_cache.bucket_include_account_id + cache_bucket_set_random_suffix = var.runner_worker_cache.random_suffix + cache_bucket_versioning = var.runner_worker_cache.versioning + cache_expiration_days = var.runner_worker_cache.expiration_days + cache_lifecycle_prefix = var.runner_worker_cache.shared ? 
"project/" : "runner/" + cache_logging_bucket = var.runner_worker_cache.access_log_bucket_id + cache_logging_bucket_prefix = var.runner_worker_cache.access_log_bucket_prefix kms_key_id = local.kms_key @@ -403,7 +403,7 @@ resource "aws_iam_role_policy_attachment" "instance_kms_policy" { ### iam:PassRole To pass the role from the agent to the docker machine runners ################################################################################ resource "aws_iam_policy" "instance_docker_machine_policy" { - count = var.runner_worker_type == "docker+machine" && var.runner_role.create_role_profile ? 1 : 0 + count = var.runner_worker.type == "docker+machine" && var.runner_role.create_role_profile ? 1 : 0 name = "${local.name_iam_objects}-docker-machine" path = "/" @@ -417,7 +417,7 @@ resource "aws_iam_policy" "instance_docker_machine_policy" { } resource "aws_iam_role_policy_attachment" "instance_docker_machine_policy" { - count = var.runner_worker_type == "docker+machine" && var.runner_role.create_role_profile ? 1 : 0 + count = var.runner_worker.type == "docker+machine" && var.runner_role.create_role_profile ? 1 : 0 role = aws_iam_role.instance[0].name policy_arn = aws_iam_policy.instance_docker_machine_policy[0].arn 
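Review bot: The new lines mix index syntax (`var.runner_worker_cache["create"]`, `["bucket"]`, `["policy"]`) with attribute syntax (`var.runner_worker_cache.bucket_prefix`, `.shared`, `.versioning`) on the same value within a few lines of each other, and the `@@ -468` hunk adds a `lookup(var.runner_worker_cache, "policy", "")` on top. Assuming `runner_worker_cache` is now a typed object like the other regrouped variables (its declaration is not in view), `var.runner_worker_cache.create` / `.bucket` / `.policy` throughout would read consistently and let Terraform report unknown attribute names at validation time.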
@@ -468,7 +468,7 @@ resource "aws_iam_role_policy_attachment" "docker_machine_cache_instance" { /* If the S3 cache adapter is configured to use an IAM instance profile, the adapter uses the profile attached to the GitLab Runner machine. So do not use aws_iam_role.docker_machine.name here! See https://docs.gitlab.com/runner/configuration/advanced-configuration.html */ - count = var.runner_worker_type == "docker+machine" ? (var.runner_worker_cache_s3_bucket["create"] || lookup(var.runner_worker_cache_s3_bucket, "policy", "") != "" ? 1 : 0) : 0 + count = var.runner_worker.type == "docker+machine" ? (var.runner_worker_cache["create"] || lookup(var.runner_worker_cache, "policy", "") != "" ? 1 : 0) : 0 role = var.runner_role.create_role_profile ? aws_iam_role.instance[0].name : local.aws_iam_role_instance_name policy_arn = local.bucket_policy @@ -478,7 +478,7 @@ resource "aws_iam_role_policy_attachment" "docker_machine_cache_instance" { ### docker machine instance policy ################################################################################ resource "aws_iam_role" "docker_machine" { - count = var.runner_worker_type == "docker+machine" ? 1 : 0 + count = var.runner_worker.type == "docker+machine" ? 1 : 0 name = "${local.name_iam_objects}-docker-machine" assume_role_policy = length(var.runner_worker_docker_machine_assume_role_json) > 0 ? var.runner_worker_docker_machine_assume_role_json : templatefile("${path.module}/policies/instance-role-trust-policy.json", {}) permissions_boundary = var.iam_permissions_boundary == "" ? null : "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:policy/${var.iam_permissions_boundary}" 
@@ -489,7 +489,7 @@ resource "aws_iam_role" "docker_machine" { resource "aws_iam_instance_profile" "docker_machine" { - count = var.runner_worker_type == "docker+machine" ? 1 : 0 + count = var.runner_worker.type == "docker+machine" ? 1 : 0 name = "${local.name_iam_objects}-docker-machine" role = aws_iam_role.docker_machine[0].name tags = local.tags @@ -499,7 +499,7 @@ resource "aws_iam_instance_profile" "docker_machine" { ### Add user defined policies ################################################################################ resource "aws_iam_role_policy_attachment" "docker_machine_user_defined_policies" { - count = var.runner_worker_type == "docker+machine" ? length(var.runner_worker_docker_machine_extra_iam_policy_arns) : 0 + count = var.runner_worker.type == "docker+machine" ? length(var.runner_worker_docker_machine_extra_iam_policy_arns) : 0 role = aws_iam_role.docker_machine[0].name policy_arn = var.runner_worker_docker_machine_extra_iam_policy_arns[count.index] @@ -507,7 +507,7 @@ resource "aws_iam_role_policy_attachment" "docker_machine_user_defined_policies" ################################################################################ resource "aws_iam_role_policy_attachment" "docker_machine_session_manager_aws_managed" { - count = (var.runner_worker_type == "docker+machine" && var.runner_worker_enable_ssm_access) ? 1 : 0 + count = (var.runner_worker.type == "docker+machine" && var.runner_worker.ssm_access) ? 1 : 0 role = aws_iam_role.docker_machine[0].name policy_arn = "arn:${data.aws_partition.current.partition}:iam::aws:policy/AmazonSSMManagedInstanceCore" diff --git a/migrations/migrate-to-7-0-0.sh b/migrations/migrate-to-7-0-0.sh index 1b05d38ea..e2c2200b3 100755 --- a/migrations/migrate-to-7-0-0.sh +++ b/migrations/migrate-to-7-0-0.sh 
@@ -394,4 +394,65 @@ runner_cloudwatch = {
 $extracted_variables
 }
 " > x && mv x "$converted_file"
+
+extracted_variables=$(grep -E '(runner_worker_extra_environment_variables|runner_worker_output_limit|runner_worker_request_concurrency|runner_worker_idle_count|runner_worker_idle_time|runner_worker_max_jobs|runner_worker_type|runner_worker_enable_ssm_access)' "$converted_file")
+
+sed -i '/runner_worker_enable_ssm_access/d' "$converted_file"
+sed -i '/runner_worker_type/d' "$converted_file"
+sed -i '/runner_worker_max_jobs/d' "$converted_file"
+sed -i '/runner_worker_idle_time/d' "$converted_file"
+sed -i '/runner_worker_idle_count/d' "$converted_file"
+sed -i '/runner_worker_request_concurrency/d' "$converted_file"
+sed -i '/runner_worker_output_limit/d' "$converted_file"
+sed -i '/runner_worker_extra_environment_variables/d' "$converted_file"
+
+# rename the variables
+extracted_variables=$(echo "$extracted_variables" | \
+ sed 's/runner_worker_enable_ssm_access/ssm_access/g' | \
+ sed 's/runner_worker_max_jobs/max_jobs/g' | \
+ sed 's/runner_worker_idle_time/idle_time/g' | \
+ sed 's/runner_worker_idle_count/idle_count/g' | \
+ sed 's/runner_worker_request_concurrency/request_concurrency/g' | \
+ sed 's/runner_worker_output_limit/output_limit/g' | \
+ sed 's/runner_worker_extra_environment_variables/environment_variables/g' | \
+ sed 's/runner_worker_type/type/g'
+ )
+
+# add new block runners_docker_options at the end
+echo "$(head -n -1 "$converted_file")
+runner_worker = {
+ $extracted_variables
+}
+" > x && mv x "$converted_file"
+
+sed -i 's/runner_worker_cache_s3_bucket/runner_worker_cache/g' "$converted_file"
+
+# integrate the new variables into existing block
+extracted_variables=$(grep -E 
'(runner_worker_cache_s3_logging_bucket_prefix|runner_worker_cache_s3_logging_bucket_id|runner_worker_cache_s3_bucket_enable_random_suffix|runner_worker_cache_s3_bucket_name_include_account_id|runner_worker_cache_s3_bucket_prefix|runner_worker_cache_s3_enable_versioning|runner_worker_cache_s3_expiration_days|runner_worker_cache_s3_authentication_type|runner_worker_cache_shared)' "$converted_file") + +sed -i '/runner_worker_cache_shared/d' "$converted_file" +sed -i '/runner_worker_cache_s3_authentication_type/d' "$converted_file" +sed -i '/runner_worker_cache_s3_expiration_days/d' "$converted_file" +sed -i '/runner_worker_cache_s3_enable_versioning/d' "$converted_file" +sed -i '/runner_worker_cache_s3_bucket_prefix/d' "$converted_file" +sed -i '/runner_worker_cache_s3_bucket_name_include_account_id/d' "$converted_file" +sed -i '/runner_worker_cache_s3_bucket_enable_random_suffix/d' "$converted_file" +sed -i '/runner_worker_cache_s3_logging_bucket_id/d' "$converted_file" +sed -i '/runner_worker_cache_s3_logging_bucket_prefix/d' "$converted_file" + +# rename the variables +extracted_variables=$(echo "$extracted_variables" | \ + sed 's/runner_worker_cache_shared/shared/g' | \ + sed 's/runner_worker_cache_s3_authentication_type/authentication_type/g' | \ + sed 's/runner_worker_cache_s3_expiration_days/expiration_days/g' | \ + sed 's/runner_worker_cache_s3_enable_versioning/versioning/g' | \ + sed 's/runner_worker_cache_s3_bucket_prefix/bucket_prefix/g' | \ + sed 's/runner_worker_cache_s3_bucket_name_include_account_id/include_account_id/g' | \ + sed 's/runner_worker_cache_s3_bucket_enable_random_suffix/random_suffix/g' | \ + sed 's/runner_worker_cache_s3_logging_bucket_id/access_log_bucket_id/g' | \ + sed 's/runner_worker_cache_s3_logging_bucket_prefix/access_log_bucket_prefix/g' + ) +# insert the new variables into the existing block +sed -i "/runner_worker_cache/runner_worker_cache { $extracted_variables/g" "$converted_file" + echo "Module call converted. 
Output: $converted_file" diff --git a/security_groups.tf b/security_groups.tf index 290025dec..9091574a4 100644 --- a/security_groups.tf +++ b/security_groups.tf @@ -66,7 +66,7 @@ resource "aws_security_group_rule" "runner_ping_group" { resource "aws_security_group" "docker_machine" { # checkov:skip=CKV2_AWS_5:Security group is used within an template and assigned to the docker machines - count = var.runner_worker_type == "docker+machine" ? 1 : 0 + count = var.runner_worker.type == "docker+machine" ? 1 : 0 name_prefix = "${local.name_sg}-docker-machine" vpc_id = var.vpc_id @@ -107,7 +107,7 @@ resource "aws_security_group" "docker_machine" { # Allow docker-machine traffic from gitlab-runner agent instances to docker-machine instances resource "aws_security_group_rule" "docker_machine_docker_runner" { - count = var.runner_worker_type == "docker+machine" ? 1 : 0 + count = var.runner_worker.type == "docker+machine" ? 1 : 0 type = "ingress" from_port = 2376 @@ -136,7 +136,7 @@ locals { # Allow SSH traffic from gitlab-runner agent instances and security group IDs to docker-machine instances resource "aws_security_group_rule" "docker_machine_ssh_runner" { - count = var.runner_worker_type == "docker+machine" ? 1 : 0 + count = var.runner_worker.type == "docker+machine" ? 1 : 0 type = "ingress" from_port = 22 @@ -155,7 +155,7 @@ resource "aws_security_group_rule" "docker_machine_ssh_runner" { # Allow ICMP traffic from gitlab-runner agent instances and security group IDs to docker-machine instances resource "aws_security_group_rule" "docker_machine_ping_runner" { - count = var.runner_worker_type == "docker+machine" ? length(local.security_groups_ping) : 0 + count = var.runner_worker.type == "docker+machine" ? length(local.security_groups_ping) : 0 type = "ingress" from_port = -1 
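Review bot: `sed -i 's/runner_worker_cache_s3_bucket/runner_worker_cache/g'` runs before the cache keys are extracted, and `runner_worker_cache_s3_bucket_prefix`, `runner_worker_cache_s3_bucket_name_include_account_id` and `runner_worker_cache_s3_bucket_enable_random_suffix` all begin with that string, so by the time the `grep -E` and the matching `sed -i '/.../d'` lines run those keys read `runner_worker_cache_prefix` etc. and are neither extracted, renamed nor deleted. The final `sed -i "/runner_worker_cache/runner_worker_cache { $extracted_variables/g"` is not a valid sed script (an address followed by text is not a command, and `/g` plus a multi-line `$extracted_variables` cannot follow it), so sed aborts; unless the script runs under `set -e` (not visible here) it then prints "Module call converted" with the user's `shared`, `authentication_type` and logging settings already deleted. Narrow the global rename to the assignment, e.g. `sed -i 's/runner_worker_cache_s3_bucket *= *{/runner_worker_cache = {/' "$converted_file"`, and insert the extracted lines with an append command anchored on the block's opening `runner_worker_cache = {` line (escaping the embedded newlines), or rebuild the file with the `head -n -1`/`echo` approach the other blocks use.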
@@ -178,7 +178,7 @@ resource "aws_security_group_rule" "docker_machine_ping_runner" { # Allow docker-machine traffic from docker-machine instances to docker-machine instances on port 2376 resource "aws_security_group_rule" "docker_machine_docker_self" { - count = var.runner_worker_type == "docker+machine" ? 1 : 0 + count = var.runner_worker.type == "docker+machine" ? 1 : 0 type = "ingress" from_port = 2376 @@ -196,7 +196,7 @@ resource "aws_security_group_rule" "docker_machine_docker_self" { # Allow SSH traffic from docker-machine instances to docker-machine instances on port 22 resource "aws_security_group_rule" "docker_machine_ssh_self" { - count = var.runner_worker_type == "docker+machine" ? 1 : 0 + count = var.runner_worker.type == "docker+machine" ? 1 : 0 type = "ingress" from_port = 22 @@ -214,7 +214,7 @@ resource "aws_security_group_rule" "docker_machine_ssh_self" { # Allow ICMP traffic from docker-machine instances to docker-machine instances resource "aws_security_group_rule" "docker_machine_ping_self" { - count = (var.runner_worker_type == "docker+machine" && var.runner_ping_enable) ? 1 : 0 + count = (var.runner_worker.type == "docker+machine" && var.runner_ping_enable) ? 1 : 0 type = "ingress" from_port = -1 diff --git a/variables.tf b/variables.tf index 48540047f..c86430475 100644 --- a/variables.tf +++ b/variables.tf 
@@ -370,127 +370,73 @@ variable "runner_terraform_timeout_delete_asg" { /* * Runner Worker: The process created by the runner on the host computing platform to run jobs. */ -variable "runner_worker_type" { - description = "The executor type to use. Currently supports `docker+machine` or `docker`." - type = string - default = "docker+machine" +variable "runner_worker" { + description = <<-EOT + environment_variables = List of environment variables to add to the runner. + idle_count = Number of idle Executor instances. + idle_time = Idle time of the runners before they are destroyed. + max_jobs = Number of jobs which can be processed in parallel by the executor. + output_limit = Sets the maximum build log size in kilobytes. Default is 4MB + request_concurrency = Limit number of concurrent requests for new jobs from GitLab (default 1). + ssm_access = Allows to connect to the Executor via SSM. + type = The executor type to use. Currently supports `docker+machine` or `docker`. + EOT + type = object({ + environment_variables = optional(list(string), []) + idle_count = optional(number, 0) + idle_time = optional(number, 600) + max_jobs = optional(number, 0) + output_limit = optional(number, 4096) + request_concurrency = optional(number, 1) + ssm_access = optional(bool, false) + type = optional(string, "docker+machine") + }) + default = {} validation { - condition = contains(["docker+machine", "docker"], var.runner_worker_type) - error_message = "The executor currently supports `docker+machine` or `docker`." + condition = contains(["docker+machine", "docker"], var.runner_worker.executor_type) + error_message = "The executor currently supports `docker+machine` and `docker`." } } -variable "runner_worker_enable_ssm_access" { - description = "Allows to connect to the Executor via SSM." - type = bool - default = false -} - -variable "runner_worker_max_jobs" { - description = "Number of jobs which can be processed in parallel by the executor." 
- type = number - default = 0 -} - -variable "runner_worker_idle_time" { - description = "Idle time of the runners before they are destroyed." - type = number - default = 600 -} - -variable "runner_worker_idle_count" { - description = "Number of idle Executor instances." - type = number - default = 0 -} - -variable "runner_worker_request_concurrency" { - description = "Limit number of concurrent requests for new jobs from GitLab (default 1)." - type = number - default = 1 -} - -variable "runner_worker_output_limit" { - description = "Sets the maximum build log size in kilobytes, by default set to 4096 (4MB)." - type = number - default = 4096 -} - -variable "runner_worker_extra_environment_variables" { - description = "Environment variables during build execution, e.g. KEY=Value, see runner-public example." - type = list(string) - default = [] -} - -variable "runner_worker_cache_shared" { - description = "Enables cache sharing between runners. `false` by default." - type = bool - default = false -} - -variable "runner_worker_cache_s3_bucket" { +variable "runner_worker_cache" { description = <<-EOT Configuration to control the creation of the cache bucket. By default the bucket will be created and used as shared cache. To use the same cache across multiple runners disable the creation of the cache and provide a policy and bucket name. See the public runner example for more details." + + access_log_bucker_id = The ID of the bucket where the access logs are stored. + access_log_bucket_prefix = The bucket prefix for the access logs. + authentication_type = A string that declares the AuthenticationType for [runners.cache.s3]. Can either be 'iam' or 'credentials' + bucket = Name of the cache bucket. Requires `create = false`. + bucket_prefix = Prefix for s3 cache bucket name. Requires `create = true`. + create = Boolean used to enable or disable the creation of the cache bucket. + expiration_days = Number of days before cache objects expire. Requires `create = true`. 
+ include_account_id = Boolean used to include the account id in the cache bucket name. Requires `create = true`. + policy = Policy to use for the cache bucket. Requires `create = false`. + random_suffix = Boolean used to enable or disable the use of a random string suffix on the cache bucket name. Requires `create = true`. + shared = Boolean used to enable or disable the use of the cache bucket as shared cache. + versioning = Boolean used to enable versioning on the cache bucket. Requires `create = true`. EOT - type = map(any) + type = object({ + access_log_bucket_id = optional(string, null) + access_log_bucket_prefix = optional(string, null) + authentication_type = optional(string, "iam") + bucket = optional(string, "") + bucket_prefix = optional(string, "") + create = bool + expiration_days = optional(number, 1) + include_account_id = optional(bool, true) + policy = optional(string, "") + random_suffix = optional(bool, false) + shared = optional(bool, false) + versioning = optional(bool, false) + }) default = { create = true - policy = "" - bucket = "" } } -variable "runner_worker_cache_s3_authentication_type" { - description = "A string that declares the AuthenticationType for [runners.cache.s3]. Can either be 'iam' or 'credentials'" - type = string - default = "iam" -} - -variable "runner_worker_cache_s3_expiration_days" { - description = "Number of days before cache objects expire." - type = number - default = 1 -} - -variable "runner_worker_cache_s3_enable_versioning" { - description = "Boolean used to enable versioning on the cache bucket, false by default." - type = bool - default = false -} - -variable "runner_worker_cache_s3_bucket_prefix" { - description = "Prefix for s3 cache bucket name." - type = string - default = "" -} - -variable "runner_worker_cache_s3_bucket_name_include_account_id" { - description = "Boolean to add current account ID to cache bucket name." 
- type = bool - default = true -} - -variable "runner_worker_cache_s3_bucket_enable_random_suffix" { - description = "Append the cache bucket name with a random string suffix" - type = bool - default = false -} - -variable "runner_worker_cache_s3_logging_bucket_id" { - type = string - description = "S3 Bucket ID where the access logs to the cache bucket are stored." - default = null -} - -variable "runner_worker_cache_s3_logging_bucket_prefix" { - type = string - description = "Prefix within the `executor_cache_logging_bucket_name`." - default = null -} - variable "runner_worker_pre_clone_script" { description = "Script to execute in the pipeline before cloning the Git repository. this can be used to adjust the Git client configuration first, for example." type = string From 60e1c96b206e587fce9a0299660e5078d477e6be Mon Sep 17 00:00:00 2001 From: kayma Date: Sat, 22 Apr 2023 11:43:37 +0200 Subject: [PATCH 42/74] runner_worker_docker_machine_instance --- main.tf | 18 ++++----- migrations/migrate-to-7-0-0.sh | 28 +++++++++++++ tags.tf | 2 +- variables.tf | 73 +++++++++++++--------------------- 4 files changed, 65 insertions(+), 56 deletions(-) diff --git a/main.tf b/main.tf index 40619c242..6d3747c59 100644 --- a/main.tf +++ b/main.tf @@ -58,7 +58,7 @@ locals { docker_machine_version = var.runner_install.docker_machine_version docker_machine_download_url = var.runner_install.docker_machine_download_url runners_config = local.template_runner_config - runners_userdata = var.runner_worker_docker_machine_userdata + runners_userdata = var.runner_worker_docker_machine_instance.start_script runners_executor = var.runner_worker.type runners_install_amazon_ecr_credential_helper = var.runner_install.ecr_credential_helper curl_cacert = length(var.runner_gitlab.certificate) > 0 ? "--cacert /etc/gitlab-runner/certs/gitlab.crt" : "" 
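Review bot: The validation block of the new `runner_worker` variable reads `var.runner_worker.executor_type`, but the object type declared a few lines above only has a `type` attribute, so Terraform will reject the module with an unsupported-attribute error as soon as the variable is evaluated; the condition should be `condition = contains(["docker+machine", "docker"], var.runner_worker.type)`. In the `runner_worker_cache` description the first key is spelled `access_log_bucker_id` while the object attribute is `access_log_bucket_id`, so the documentation does not match the accepted input; change it to `access_log_bucket_id = The ID of the bucket where the access logs are stored.`. The description also documents `authentication_type` as either `iam` or `credentials` without a validation block enforcing it, which the previous flat variable did not have either, so this is only a suggestion.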
@@ -99,15 +99,15 @@ locals { runners_spot_price_bid = var.runner_worker_docker_machine_ec2_spot_price_bid == "on-demand-price" || var.runner_worker_docker_machine_ec2_spot_price_bid == null ? "" : var.runner_worker_docker_machine_ec2_spot_price_bid runners_ami = var.runner_worker.type == "docker+machine" ? data.aws_ami.docker-machine[0].id : "" runners_security_group_name = var.runner_worker.type == "docker+machine" ? aws_security_group.docker_machine[0].name : "" - runners_monitoring = var.runner_worker_docker_machine_enable_monitoring - runners_ebs_optimized = var.runner_worker_docker_machine_ec2_ebs_optimized + runners_monitoring = var.runner_worker_docker_machine_instance.monitoring + runners_ebs_optimized = var.runner_worker_docker_machine_instance.ebs_optimized runners_instance_profile = var.runner_worker.type == "docker+machine" ? aws_iam_instance_profile.docker_machine[0].name : "" docker_machine_options = length(local.docker_machine_options_string) == 1 ? "" : local.docker_machine_options_string docker_machine_name = format("%s-%s", local.runner_tags_merged["Name"], "%s") # %s is always needed runners_name = var.runner_instance.name runners_tags = replace(replace(local.runner_tags_string, ",,", ","), "/,$/", "") runners_token = var.runner_gitlab.registration_token - runners_userdata = var.runner_worker_docker_machine_userdata + runners_userdata = var.runner_worker_docker_machine_instance.start_script runners_executor = var.runner_worker.type runners_limit = var.runner_worker.max_jobs runners_concurrent = var.runner_manager.maximum_concurrent_jobs 
@@ -115,11 +115,11 @@ locals { runners_idle_count = var.runner_worker.idle_count runners_idle_time = var.runner_worker.idle_time runners_max_builds = local.runners_max_builds_string - runners_root_size = var.runner_worker_docker_machine_ec2_root_size - runners_volume_type = var.runner_worker_docker_machine_ec2_volume_type + runners_root_size = var.runner_worker_docker_machine_instance.root_size + runners_volume_type = var.runner_worker_docker_machine_instance.volume_type runners_iam_instance_profile_name = var.runner_worker_docker_machine_iam_instance_profile_name - runners_use_private_address_only = var.runner_worker_docker_machine_use_private_address - runners_use_private_address = !var.runner_worker_docker_machine_use_private_address + runners_use_private_address_only = var.runner_worker_docker_machine_instance.private_address_only + runners_use_private_address = !var.runner_worker_docker_machine_instance.private_address_only runners_request_spot_instance = var.runner_worker_docker_machine_request_spot_instances runners_environment_vars = jsonencode(var.runner_worker.environment_variables) runners_pre_build_script = var.runner_worker_pre_build_script @@ -285,7 +285,7 @@ resource "aws_launch_template" "gitlab_runner_instance" { } network_interfaces { security_groups = concat([aws_security_group.runner.id], var.runner_extra_security_group_ids) - associate_public_ip_address = false == (var.runner_instance.private_address_only == false ? var.runner_instance.private_address_only : var.runner_worker_docker_machine_use_private_address) + associate_public_ip_address = false == (var.runner_instance.private_address_only == false ? var.runner_instance.private_address_only : var.runner_worker_docker_machine_instance.private_address_only) } tag_specifications { resource_type = "instance" diff --git a/migrations/migrate-to-7-0-0.sh b/migrations/migrate-to-7-0-0.sh index e2c2200b3..9fe02c067 100755 --- a/migrations/migrate-to-7-0-0.sh +++ b/migrations/migrate-to-7-0-0.sh 
@@ -455,4 +455,32 @@ extracted_variables=$(echo "$extracted_variables" | \ # insert the new variables into the existing block sed -i "/runner_worker_cache/runner_worker_cache { $extracted_variables/g" "$converted_file" +extracted_variables=$(grep -E '(runner_worker_docker_machine_ec2_ebs_optimized|runner_worker_docker_machine_ec2_root_size|runner_worker_docker_machine_ec2_volume_type|runner_worker_docker_machine_userdata|runner_worker_docker_machine_enable_monitoring|runner_worker_enable_ssm_access|runner_worker_docker_machine_instance_prefix)' "$converted_file") + +sed -i '/runner_worker_enable_ssm_access/d' "$converted_file" +sed -i '/runner_worker_docker_machine_instance_prefix/d' "$converted_file" +sed -i '/runner_worker_docker_machine_enable_monitoring/d' "$converted_file" +sed -i '/runner_worker_docker_machine_userdata/d' "$converted_file" +sed -i '/runner_worker_docker_machine_ec2_volume_type/d' "$converted_file" +sed -i '/runner_worker_docker_machine_ec2_root_size/d' "$converted_file" +sed -i '/runner_worker_docker_machine_ec2_ebs_optimized/d' "$converted_file" + +# rename the variables +extracted_variables=$(echo "$extracted_variables" | \ + sed 's/runner_worker_docker_machine_use_private_address/private_address_only/g' | \ + sed 's/runner_worker_docker_machine_enable_monitoring/monitoring/g' | \ + sed 's/runner_worker_docker_machine_userdata/start_script/g' | \ + sed 's/runner_worker_docker_machine_ec2_volume_type/volume_type/g' | \ + sed 's/runner_worker_docker_machine_ec2_root_size/root_size/g' | \ + sed 's/runner_worker_docker_machine_ec2_ebs_optimized/ebs_optimized/g' | \ + sed 's/runner_worker_docker_machine_instance_prefix/name_prefix/g' + ) + +# add new block runners_docker_options at the end +echo "$(head -n -1 "$converted_file") +runner_worker_docker_machine_instance = { + $extracted_variables +} +" > x && mv x "$converted_file" + echo "Module call converted. Output: $converted_file" 
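Review bot: The rename step contains `sed 's/runner_worker_docker_machine_use_private_address/private_address_only/g'`, but that name is in neither the `grep -E` alternation nor the list of `sed -i '/…/d'` deletions, so no `private_address_only` entry is ever generated and the old `runner_worker_docker_machine_use_private_address` assignment stays in the converted file even though this commit removes that variable from variables.tf; conversely `runner_worker_enable_ssm_access` is extracted and deleted but never renamed, so it is written verbatim into the new `runner_worker_docker_machine_instance` block, which declares no such attribute (the earlier commit placed it under `runner_worker.ssm_access`). Adding `runner_worker_docker_machine_use_private_address` to the grep pattern and the delete list and dropping `runner_worker_enable_ssm_access` from this block would make the migration produce the shape the new variable accepts; the `@@ -455,7 +455,7 @@` hunk of this file in the following commit widens the grep but keeps the same gap. The rewrite at the end also writes to a fixed file `x` in the caller's working directory and its comment `# add new block runners_docker_options at the end` names a different block; `tmp=$(mktemp)` plus `# add new block runner_worker_docker_machine_instance at the end` would fix both here and in the later `@@ -483,4 +487,22 @@` hunk that repeats the pattern for the spot block. Whether `head -n -1` correctly strips and the echo correctly restores the module's closing brace depends on the converted file's layout, which is established earlier in the script outside this hunk.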
diff --git a/tags.tf b/tags.tf index 9a0827a61..7841ddfcc 100644 --- a/tags.tf +++ b/tags.tf @@ -28,7 +28,7 @@ locals { local.tags, var.runner_worker_docker_machine_extra_role_tags, # overwrites the `Name` key from `local.tags` - var.runner_worker_docker_machine_instance_prefix == "" ? { Name = substr(format("%s", var.environment), 0, 16) } : { Name = var.runner_worker_docker_machine_instance_prefix }, + var.runner_worker_docker_machine_instance.name_prefix == "" ? { Name = substr(format("%s", var.environment), 0, 16) } : { Name = var.runner_worker_docker_machine_instance.name_prefix }, ) # remove the `Name` tag in addition if docker+machine adds one to avoid a failure due to a duplicate `Name` tag diff --git a/variables.tf b/variables.tf index c86430475..e3a4576f3 100644 --- a/variables.tf +++ b/variables.tf 
@@ -654,32 +654,43 @@ variable "runner_worker_docker_machine_ami_owners" { default = ["099720109477"] } -variable "runner_worker_docker_machine_use_private_address" { - description = "Restrict Executors to the use of a private IP address. If `agent_use_private_address` is set to `true` (default), `executor_docker_machine_use_private_address` will also apply for the agent." - type = bool - default = true -} - -variable "runner_worker_docker_machine_instance_prefix" { - description = "Set the name prefix and override the `Name` tag for the GitLab Runner Executor instances." - type = string - default = "" +variable "runner_worker_docker_machine_instance" { + description = <<-EOT + ebs_optimized = Enable EBS optimization for the GitLab Runner Executor instances. + monitoring = Enable detailed monitoring for the GitLab Runner Executor instances. + name_prefix = Set the name prefix and override the `Name` tag for the GitLab Runner Executor instances. + private_address_only = Restrict Executors to the use of a private IP address. If `agent_use_private_address` is set to `true` (default), `executor_docker_machine_use_private_address` will also apply for the agent. + root_size = The size of the root volume for the GitLab Runner Executor instances. + start_script = Cloud-init user data that will be passed to the Executor EC2 instance. Should not be base64 encrypted. + volume_type = The type of volume to use for the GitLab Runner Executor instances. 
+ EOT + type = object({ + ebs_optimized = optional(bool, true) + monitoring = optional(bool, false) + name_prefix = optional(string, "") + private_address_only = optional(bool, true) + root_size = optional(number, 8) + start_script = optional(string, "") + volume_type = optional(string, "gp2") + }) + default = { + } validation { - condition = length(var.runner_worker_docker_machine_instance_prefix) <= 28 + condition = length(var.runner_worker_docker_machine_instance.name_prefix) <= 28 error_message = "Maximum length for docker+machine executor name is 28 characters!" } validation { - condition = var.runner_worker_docker_machine_instance_prefix == "" || can(regex("^[a-zA-Z0-9\\.-]+$", var.runner_worker_docker_machine_instance_prefix)) + condition = var.runner_worker_docker_machine_instance.name_prefix == "" || can(regex("^[a-zA-Z0-9\\.-]+$", var.runner_worker_docker_machine_instance_prefix)) error_message = "Valid characters for the docker+machine executor name are: [a-zA-Z0-9\\.-]." } } -variable "runner_worker_docker_machine_enable_monitoring" { - description = "Enable detailed cloudwatch monitoring for spot instances." - type = bool - default = false +variable "runner_worker_docker_machine_ec2_spot_price_bid" { + description = "Spot price bid. The maximum price willing to pay. By default the price is limited by the current on demand price for the instance type chosen." + type = string + default = "on-demand-price" } variable "runner_worker_docker_machine_request_spot_instances" { 
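Review bot: The second validation block still passes `var.runner_worker_docker_machine_instance_prefix` to `regex(...)`, a variable this very hunk deletes, so the module fails with an undeclared-variable error; the condition should read `condition = var.runner_worker_docker_machine_instance.name_prefix == "" || can(regex("^[a-zA-Z0-9\\.-]+$", var.runner_worker_docker_machine_instance.name_prefix))`. The new object sets `root_size = optional(number, 8)` while the removed `runner_worker_docker_machine_ec2_root_size` (deleted in the `@@ -688,36 +699,6 @@` hunk below) defaulted to 16, so existing users who never set the variable silently get half the root volume after migrating; unless the change is intended and documented, keep `root_size = optional(number, 16)`. The `private_address_only` description still refers to `agent_use_private_address` and `executor_docker_machine_use_private_address`, names that no longer exist in this module; it should point at `runner_instance.private_address_only`, which is the attribute main.tf combines it with.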
@@ -688,36 +699,6 @@ variable "runner_worker_docker_machine_request_spot_instances" { default = true } -variable "runner_worker_docker_machine_userdata" { - description = "Cloud-init user data that will be passed to the Executor EC2 instance. Should not be base64 encrypted." - type = string - default = "" -} - -variable "runner_worker_docker_machine_ec2_volume_type" { - description = "Executor volume type" - type = string - default = "gp2" -} - -variable "runner_worker_docker_machine_ec2_root_size" { - description = "Executor root size in GB." - type = number - default = 16 -} - -variable "runner_worker_docker_machine_ec2_ebs_optimized" { - description = "Enable Executors to be EBS-optimized." - type = bool - default = true -} - -variable "runner_worker_docker_machine_ec2_spot_price_bid" { - description = "Spot price bid. The maximum price willing to pay. By default the price is limited by the current on demand price for the instance type chosen." - type = string - default = "on-demand-price" -} - variable "runner_worker_docker_machine_ec2_options" { # cspell:ignore amazonec description = "List of additional options for the docker+machine config. Each element of this list must be a key=value pair. E.g. '[\"amazonec2-zone=a\"]'" From 139f02d9c5e5692dccc33e0f67f1a20769f46577 Mon Sep 17 00:00:00 2001 From: kayma Date: Sat, 22 Apr 2023 15:08:48 +0200 Subject: [PATCH 43/74] runner_worker_docker_machine_instance_spot --- locals.tf | 4 ++-- main.tf | 4 ++-- migrations/migrate-to-7-0-0.sh | 24 ++++++++++++++++++++++- variables.tf | 36 +++++++++++++--------------------- 4 files changed, 41 insertions(+), 27 deletions(-) diff --git a/locals.tf b/locals.tf index 3fd1e51e3..de8f29784 100644 --- a/locals.tf +++ b/locals.tf 
@@ -50,7 +50,7 @@ locals { join(",", formatlist("%q", concat(var.runner_worker_docker_machine_ec2_options, local.runners_docker_registry_mirror_option))), ) - runners_docker_registry_mirror_option = var.runner_worker_docker_machine_docker_registry_mirror_url == "" ? [] : ["engine-registry-mirror=${var.runner_worker_docker_machine_docker_registry_mirror_url}"] + runners_docker_registry_mirror_option = var.runner_worker_docker_machine_instance.docker_registry_mirror_url == "" ? [] : ["engine-registry-mirror=${var.runner_worker_docker_machine_instance.docker_registry_mirror_url}"] runners_docker_options_toml = templatefile("${path.module}/template/runners_docker_options.tftpl", { options = merge({ @@ -62,7 +62,7 @@ locals { ) # Ensure max builds is optional - runners_max_builds_string = var.runner_worker_docker_machine_max_builds == 0 ? "" : format("MaxBuilds = %d", var.runner_worker_docker_machine_max_builds) + runners_max_builds_string = var.runner_worker_docker_machine_instance.destroy_after_max_builds == 0 ? "" : format("MaxBuilds = %d", var.runner_worker_docker_machine_instance.destroy_after_max_builds) # Define key for runner token for SSM secure_parameter_store_runner_token_key = "${var.environment}-${var.runner_gitlab_token_secure_parameter_store}" diff --git a/main.tf b/main.tf index 6d3747c59..02a0d44c5 100644 --- a/main.tf +++ b/main.tf 
@@ -96,7 +96,7 @@ locals { runners_subnet_id = var.subnet_id runners_aws_zone = data.aws_availability_zone.runners.name_suffix runners_instance_type = var.runner_worker_docker_machine_instance_type - runners_spot_price_bid = var.runner_worker_docker_machine_ec2_spot_price_bid == "on-demand-price" || var.runner_worker_docker_machine_ec2_spot_price_bid == null ? "" : var.runner_worker_docker_machine_ec2_spot_price_bid + runners_spot_price_bid = var.runner_worker_docker_machine_instance_spot.max_price == "on-demand-price" || var.runner_worker_docker_machine_instance_spot.max_price == null ? "" : var.runner_worker_docker_machine_instance_spot.max_price runners_ami = var.runner_worker.type == "docker+machine" ? data.aws_ami.docker-machine[0].id : "" runners_security_group_name = var.runner_worker.type == "docker+machine" ? aws_security_group.docker_machine[0].name : "" runners_monitoring = var.runner_worker_docker_machine_instance.monitoring @@ -120,7 +120,7 @@ locals { runners_iam_instance_profile_name = var.runner_worker_docker_machine_iam_instance_profile_name runners_use_private_address_only = var.runner_worker_docker_machine_instance.private_address_only runners_use_private_address = !var.runner_worker_docker_machine_instance.private_address_only - runners_request_spot_instance = var.runner_worker_docker_machine_request_spot_instances + runners_request_spot_instance = var.runner_worker_docker_machine_instance_spot.enable runners_environment_vars = jsonencode(var.runner_worker.environment_variables) runners_pre_build_script = var.runner_worker_pre_build_script runners_post_build_script = var.runner_worker_post_build_script diff --git a/migrations/migrate-to-7-0-0.sh b/migrations/migrate-to-7-0-0.sh index 9fe02c067..096ac096f 100755 --- a/migrations/migrate-to-7-0-0.sh +++ b/migrations/migrate-to-7-0-0.sh 
@@ -455,7 +455,7 @@ extracted_variables=$(echo "$extracted_variables" | \ # insert the new variables into the existing block sed -i "/runner_worker_cache/runner_worker_cache { $extracted_variables/g" "$converted_file" -extracted_variables=$(grep -E '(runner_worker_docker_machine_ec2_ebs_optimized|runner_worker_docker_machine_ec2_root_size|runner_worker_docker_machine_ec2_volume_type|runner_worker_docker_machine_userdata|runner_worker_docker_machine_enable_monitoring|runner_worker_enable_ssm_access|runner_worker_docker_machine_instance_prefix)' "$converted_file") +extracted_variables=$(grep -E '(runner_worker_docker_machine_docker_registry_mirror_url|runner_worker_docker_machine_max_builds|runner_worker_docker_machine_ec2_ebs_optimized|runner_worker_docker_machine_ec2_root_size|runner_worker_docker_machine_ec2_volume_type|runner_worker_docker_machine_userdata|runner_worker_docker_machine_enable_monitoring|runner_worker_enable_ssm_access|runner_worker_docker_machine_instance_prefix)' "$converted_file") sed -i '/runner_worker_enable_ssm_access/d' "$converted_file" sed -i '/runner_worker_docker_machine_instance_prefix/d' "$converted_file" @@ -464,6 +464,8 @@ sed -i '/runner_worker_docker_machine_userdata/d' "$converted_file" sed -i '/runner_worker_docker_machine_ec2_volume_type/d' "$converted_file" sed -i '/runner_worker_docker_machine_ec2_root_size/d' "$converted_file" sed -i '/runner_worker_docker_machine_ec2_ebs_optimized/d' "$converted_file" +sed -i '/runner_worker_docker_machine_max_builds/d' "$converted_file" +sed -i '/runner_worker_docker_machine_docker_registry_mirror_url/d' "$converted_file" # rename the variables extracted_variables=$(echo "$extracted_variables" | \ 
@@ -473,6 +475,8 @@ extracted_variables=$(echo "$extracted_variables" | \ sed 's/runner_worker_docker_machine_ec2_volume_type/volume_type/g' | \ sed 's/runner_worker_docker_machine_ec2_root_size/root_size/g' | \ sed 's/runner_worker_docker_machine_ec2_ebs_optimized/ebs_optimized/g' | \ + sed 's/runner_worker_docker_machine_max_builds/destroy_after_max_builds/g' | \ + sed 's/runner_worker_docker_machine_docker_registry_mirror_url/docker_registry_mirror_url/g' | \ sed 's/runner_worker_docker_machine_instance_prefix/name_prefix/g' ) @@ -483,4 +487,22 @@ runner_worker_docker_machine_instance = { } " > x && mv x "$converted_file" +extracted_variables=$(grep -E '(runner_worker_docker_machine_request_spot_instances|runner_worker_docker_machine_ec2_spot_price_bid)' "$converted_file") + +sed -i '/runner_worker_docker_machine_ec2_spot_price_bid/d' "$converted_file" +sed -i '/runner_worker_docker_machine_request_spot_instances/d' "$converted_file" + +# rename the variables +extracted_variables=$(echo "$extracted_variables" | \ + sed 's/runner_worker_docker_machine_ec2_spot_price_bid/max_price/g' | \ + sed 's/runner_worker_docker_machine_request_spot_instances/enable/g' + ) + +# add new block runners_docker_options at the end +echo "$(head -n -1 "$converted_file") +runner_worker_docker_machine_instance_spot = { + $extracted_variables +} +" > x && mv x "$converted_file" + echo "Module call converted. Output: $converted_file" diff --git a/variables.tf b/variables.tf index e3a4576f3..18c4deb45 100644 --- a/variables.tf +++ b/variables.tf 
@@ -656,6 +656,8 @@ variable "runner_worker_docker_machine_ami_owners" { variable "runner_worker_docker_machine_instance" { description = <<-EOT + docker_registry_mirror_url = The URL of the Docker registry mirror to use for the GitLab Runner Executor instances. + destroy_after_max_builds = Destroy the instance after the maximum number of builds has been reached. ebs_optimized = Enable EBS optimization for the GitLab Runner Executor instances. monitoring = Enable detailed monitoring for the GitLab Runner Executor instances. name_prefix = Set the name prefix and override the `Name` tag for the GitLab Runner Executor instances. @@ -665,6 +667,8 @@ variable "runner_worker_docker_machine_instance" { volume_type = The type of volume to use for the GitLab Runner Executor instances. EOT type = object({ + destroy_after_max_builds = optional(number, 0) + docker_registry_mirror_url = optional(string, "") ebs_optimized = optional(bool, true) monitoring = optional(bool, false) name_prefix = optional(string, "") 
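Review bot: The new description line for `destroy_after_max_builds` drops the information that `0` disables the feature, which the removed `runner_worker_docker_machine_max_builds` description stated and which locals.tf still implements with the `== 0 ? ""` check; suggest `destroy_after_max_builds = Destroy the instance after processing this many jobs. Set to 0 to disable.`. As a matter of style, the description lists `docker_registry_mirror_url` before `destroy_after_max_builds` while the object type in the following `@@ -665,6 +667,8 @@` hunk lists them the other way round; keeping both alphabetical, as the rest of the block is, makes the two easier to cross-check.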
@@ -687,16 +691,16 @@ variable "runner_worker_docker_machine_instance" { } } -variable "runner_worker_docker_machine_ec2_spot_price_bid" { - description = "Spot price bid. The maximum price willing to pay. By default the price is limited by the current on demand price for the instance type chosen." - type = string - default = "on-demand-price" -} - -variable "runner_worker_docker_machine_request_spot_instances" { - description = "Whether or not to request spot instances via docker-machine" - type = bool - default = true +variable "runner_worker_docker_machine_instance_spot" { + description = <<-EOT + enable = Enable spot instances for the docker+machine Executor. + max_price = The maximum price willing to pay. By default the price is limited by the current on demand price for the instance type chosen. + EOT + type = object({ + enable = optional(bool, true) + max_price = optional(string, "on-demand-price") + }) + default = {} } variable "runner_worker_docker_machine_ec2_options" { @@ -732,18 +736,6 @@ variable "runner_worker_docker_machine_autoscaling_options" { } -variable "runner_worker_docker_machine_max_builds" { - description = "Destroys the executor after processing this many jobs. Set to `0` to disable this feature." - type = number - default = 0 -} - -variable "runner_worker_docker_machine_docker_registry_mirror_url" { - description = "The docker registry mirror to use to avoid rate limiting by hub.docker.com" - type = string - default = "" -} - variable "debug" { description = <<-EOT trace_runner_user_data: Enable bash trace for the user data script on the Agent. Be aware this could log sensitive data such as you GitLab runner token. From 2e267e05a543adcdec5f9729df49e82b64af2626 Mon Sep 17 00:00:00 2001 
From: kayma Date: Sat, 22 Apr 2023 16:05:07 +0200 Subject: [PATCH 44/74] runner_worker_docker_machine_role --- locals.tf | 4 +- main.tf | 30 ++-- migrations/migrate-to-7-0-0.sh | 78 +++++++++- security_groups.tf | 12 +- tags.tf | 2 +- variables.tf | 265 ++++++++++++++------------------- 6 files changed, 214 insertions(+), 177 deletions(-) diff --git a/locals.tf b/locals.tf index de8f29784..cf291438a 100644 --- a/locals.tf +++ b/locals.tf @@ -95,14 +95,14 @@ locals { } resource "local_file" "config_toml" { - count = var.debug.write_runner_config_to_file ? 1 : 0 + count = var.debug.write_runner_config_to_file ? 1 : 0 content = local.template_runner_config filename = "${path.module}/debug/runner_config.toml" } resource "local_file" "user_data" { - count = var.debug.write_runner_config_to_file ? 1 : 0 + count = var.debug.write_runner_config_to_file ? 1 : 0 content = nonsensitive(local.template_user_data) filename = "${path.module}/debug/user_data.sh" diff --git a/main.tf b/main.tf index 02a0d44c5..e55895d46 100644 --- a/main.tf +++ b/main.tf @@ -38,7 +38,7 @@ resource "aws_ssm_parameter" "runner_sentry_dsn" { locals { template_user_data = templatefile("${path.module}/template/user-data.tftpl", { - eip = var.runner_enable_eip ? local.template_eip : "" + eip = var.runner_instance.use_eip ? local.template_eip : "" logging = var.runner_cloudwatch.enable ? local.logging_user_data : "" gitlab_runner = local.template_gitlab_runner user_data_trace_log = var.debug.trace_runner_user_data 
@@ -95,7 +95,7 @@ locals { runners_vpc_id = var.vpc_id runners_subnet_id = var.subnet_id runners_aws_zone = data.aws_availability_zone.runners.name_suffix - runners_instance_type = var.runner_worker_docker_machine_instance_type + runners_instance_type = var.runner_worker_docker_machine_instance.type runners_spot_price_bid = var.runner_worker_docker_machine_instance_spot.max_price == "on-demand-price" || var.runner_worker_docker_machine_instance_spot.max_price == null ? "" : var.runner_worker_docker_machine_instance_spot.max_price runners_ami = var.runner_worker.type == "docker+machine" ? data.aws_ami.docker-machine[0].id : "" runners_security_group_name = var.runner_worker.type == "docker+machine" ? aws_security_group.docker_machine[0].name : "" 
@@ -117,14 +117,14 @@ locals { runners_max_builds = local.runners_max_builds_string runners_root_size = var.runner_worker_docker_machine_instance.root_size runners_volume_type = var.runner_worker_docker_machine_instance.volume_type - runners_iam_instance_profile_name = var.runner_worker_docker_machine_iam_instance_profile_name + runners_iam_instance_profile_name = var.runner_worker_docker_machine_role.profile_name runners_use_private_address_only = var.runner_worker_docker_machine_instance.private_address_only runners_use_private_address = !var.runner_worker_docker_machine_instance.private_address_only runners_request_spot_instance = var.runner_worker_docker_machine_instance_spot.enable runners_environment_vars = jsonencode(var.runner_worker.environment_variables) - runners_pre_build_script = var.runner_worker_pre_build_script - runners_post_build_script = var.runner_worker_post_build_script - runners_pre_clone_script = var.runner_worker_pre_clone_script + runners_pre_build_script = var.runner_worker_gitlab_pipeline.pre_build_script + runners_post_build_script = var.runner_worker_gitlab_pipeline.post_build_script + runners_pre_clone_script = var.runner_worker_gitlab_pipeline.pre_clone_script runners_request_concurrency = var.runner_worker.request_concurrency runners_output_limit = var.runner_worker.output_limit runners_check_interval = var.runner_manager.gitlab_check_interval @@ -169,8 +169,8 @@ resource "aws_autoscaling_group" "gitlab_runner_instance" { max_size = "1" desired_capacity = "1" health_check_grace_period = 0 - max_instance_lifetime = var.runner_max_instance_lifetime_seconds - enabled_metrics = var.runner_collect_autoscaling_metrics + max_instance_lifetime = var.runner_instance.max_lifetime_seconds + enabled_metrics = var.runner_instance.collect_autoscaling_metrics dynamic "tag" { for_each = local.agent_tags 
@@ -284,7 +284,7 @@ resource "aws_launch_template" "gitlab_runner_instance" { } } network_interfaces { - security_groups = concat([aws_security_group.runner.id], var.runner_extra_security_group_ids) + security_groups = concat([aws_security_group.runner.id], var.runner_networking.security_group_ids) associate_public_ip_address = false == (var.runner_instance.private_address_only == false ? var.runner_instance.private_address_only : var.runner_worker_docker_machine_instance.private_address_only) } tag_specifications { @@ -480,7 +480,7 @@ resource "aws_iam_role_policy_attachment" "docker_machine_cache_instance" { resource "aws_iam_role" "docker_machine" { count = var.runner_worker.type == "docker+machine" ? 1 : 0 name = "${local.name_iam_objects}-docker-machine" - assume_role_policy = length(var.runner_worker_docker_machine_assume_role_json) > 0 ? var.runner_worker_docker_machine_assume_role_json : templatefile("${path.module}/policies/instance-role-trust-policy.json", {}) + assume_role_policy = length(var.runner_worker_docker_machine_role.assume_role_policy_json) > 0 ? var.runner_worker_docker_machine_role.assume_role_policy_json : templatefile("${path.module}/policies/instance-role-trust-policy.json", {}) permissions_boundary = var.iam_permissions_boundary == "" ? null : "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:policy/${var.iam_permissions_boundary}" tags = local.tags 
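Review bot: In the `@@ -480` hunk `assume_role_policy_json` is handed to `assume_role_policy` verbatim as soon as `length(...) > 0`, so a whitespace-only or malformed trust policy passes the guard and only fails at apply time, and the new `runner_worker_docker_machine_role` declaration (hunk `@@ -572` in variables.tf) has no `validation` block. I would add one there with `condition = var.runner_worker_docker_machine_role.assume_role_policy_json == "" || can(jsondecode(var.runner_worker_docker_machine_role.assume_role_policy_json))` and an error message naming the attribute, so a bad policy is rejected at plan time. The guard itself reads more directly as `var.runner_worker_docker_machine_role.assume_role_policy_json != ""`. The `aws_iam_role.docker_machine` block continues past the hunk.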
@@ -499,10 +499,10 @@ resource "aws_iam_instance_profile" "docker_machine" { ### Add user defined policies ################################################################################ resource "aws_iam_role_policy_attachment" "docker_machine_user_defined_policies" { - count = var.runner_worker.type == "docker+machine" ? length(var.runner_worker_docker_machine_extra_iam_policy_arns) : 0 + count = var.runner_worker.type == "docker+machine" ? length(var.runner_worker_docker_machine_role.policy_arns) : 0 role = aws_iam_role.docker_machine[0].name - policy_arn = var.runner_worker_docker_machine_extra_iam_policy_arns[count.index] + policy_arn = var.runner_worker_docker_machine_role.policy_arns[count.index] } ################################################################################ @@ -538,7 +538,7 @@ resource "aws_iam_role_policy_attachment" "service_linked_role" { resource "aws_eip" "gitlab_runner" { # checkov:skip=CKV2_AWS_19:We can't use NAT gateway here as we are contacted from the outside. - count = var.runner_enable_eip ? 1 : 0 + count = var.runner_instance.use_eip ? 1 : 0 tags = local.tags } @@ -564,7 +564,7 @@ resource "aws_iam_role_policy_attachment" "ssm" { ### AWS assign EIP ################################################################################ resource "aws_iam_policy" "eip" { - count = var.runner_enable_eip ? 1 : 0 + count = var.runner_instance.use_eip ? 1 : 0 name = "${local.name_iam_objects}-eip" path = "/" @@ -575,7 +575,7 @@ resource "aws_iam_policy" "eip" { } resource "aws_iam_role_policy_attachment" "eip" { - count = var.runner_enable_eip ? 1 : 0 + count = var.runner_instance.use_eip ? 1 : 0 role = var.runner_role.create_role_profile ? aws_iam_role.instance[0].name : local.aws_iam_role_instance_name policy_arn = aws_iam_policy.eip[0].arn diff --git a/migrations/migrate-to-7-0-0.sh b/migrations/migrate-to-7-0-0.sh index 096ac096f..b58ca6e49 100755 --- a/migrations/migrate-to-7-0-0.sh +++ b/migrations/migrate-to-7-0-0.sh 
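Review bot: `docker_machine_user_defined_policies` still keys the attachments by `count.index`, so inserting or reordering an ARN in `policy_arns` shifts every later index and Terraform detaches and re-attaches those policies on the next apply. Keying by value avoids that churn: `for_each = var.runner_worker.type == "docker+machine" ? toset(var.runner_worker_docker_machine_role.policy_arns) : toset([])` with `policy_arn = each.value`. Since that changes the resource addresses it needs a `moved` block or a state migration, so it may be better placed in a follow-up than in this rename.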
@@ -219,7 +219,7 @@ echo "$(head -n -1 "$converted_file") # # PR #810 refactor!: group variables for better overview # -extracted_variables=$(grep -E '(runner_enable_monitoring|runner_gitlab_runner_name|runner_enable_ssm_access|runner_use_private_address|runner_root_block_device|runner_ebs_optimized|runner_spot_price|runner_instance_prefix|runner_instance_type|runner_extra_instance_tags)' "$converted_file") +extracted_variables=$(grep -E '(runner_max_instance_lifetime_seconds|runner_enable_eip|runner_collect_autoscaling_metrics|runner_enable_monitoring|runner_gitlab_runner_name|runner_enable_ssm_access|runner_use_private_address|runner_root_block_device|runner_ebs_optimized|runner_spot_price|runner_instance_prefix|runner_instance_type|runner_extra_instance_tags)' "$converted_file") sed -i '/runner_root_block_device/d' "$converted_file" sed -i '/runner_ebs_optimized/d' "$converted_file" @@ -231,6 +231,9 @@ sed -i '/runner_use_private_address/d' "$converted_file" sed -i '/runner_enable_ssm_access/d' "$converted_file" sed -i '/runner_gitlab_runner_name/d' "$converted_file" sed -i '/runner_enable_monitoring/d' "$converted_file" +sed -i '/runner_collect_autoscaling_metrics/d' "$converted_file" +sed -i '/runner_enable_eip/d' "$converted_file" +sed -i '/runner_max_instance_lifetime_seconds/d' "$converted_file" # rename the variables extracted_variables=$(echo "$extracted_variables" | \ @@ -243,6 +246,9 @@ extracted_variables=$(echo "$extracted_variables" | \ sed 's/runner_use_private_address/private_address_only/g' | \ sed 's/runner_gitlab_runner_name/name/g' | \ sed 's/runner_enable_monitoring/monitoring/g' | \ + sed 's/runner_collect_autoscaling_metrics/collect_autoscaling_metrics/g' | \ + sed 's/runner_enable_eip/use_eip/g' | \ + sed 's/runner_max_instance_lifetime_seconds/max_lifetime_seconds/g' | \ sed 's/runner_enable_ssm_access/ssm_access/g' ) 
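Review bot: The extraction in the `@@ -219` hunk is line-oriented (`grep` pulls one line, `sed '/name/d'` deletes one line), but `runner_collect_autoscaling_metrics` is a list that users commonly spread over several lines, so only the first line is moved into `runner_instance` and the remaining `"Group…",` and `]` lines are left orphaned in the module block, producing invalid HCL. The same applies to the list and map variables extracted in the `@@ -505` hunk (`runner_extra_security_group_ids`, `runner_ping_allow_from_security_groups`, `runner_worker_docker_machine_extra_iam_policy_arns`, `runner_worker_docker_machine_extra_role_tags`) and especially to the three `*_script` variables, which are usually heredocs. At minimum the script should detect a value that does not close on the same line and abort with a message asking the user to move it by hand, rather than silently writing a broken file. The unanchored patterns are also worth tightening to the form `'/^[[:space:]]*runner_enable_eip[[:space:]]*=/d'` so a comment that merely mentions the name is not deleted.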
@@ -455,7 +461,7 @@ extracted_variables=$(echo "$extracted_variables" | \ # insert the new variables into the existing block sed -i "/runner_worker_cache/runner_worker_cache { $extracted_variables/g" "$converted_file" -extracted_variables=$(grep -E '(runner_worker_docker_machine_docker_registry_mirror_url|runner_worker_docker_machine_max_builds|runner_worker_docker_machine_ec2_ebs_optimized|runner_worker_docker_machine_ec2_root_size|runner_worker_docker_machine_ec2_volume_type|runner_worker_docker_machine_userdata|runner_worker_docker_machine_enable_monitoring|runner_worker_enable_ssm_access|runner_worker_docker_machine_instance_prefix)' "$converted_file") +extracted_variables=$(grep -E '(runner_worker_docker_machine_instance_type|runner_worker_docker_machine_docker_registry_mirror_url|runner_worker_docker_machine_max_builds|runner_worker_docker_machine_ec2_ebs_optimized|runner_worker_docker_machine_ec2_root_size|runner_worker_docker_machine_ec2_volume_type|runner_worker_docker_machine_userdata|runner_worker_docker_machine_enable_monitoring|runner_worker_enable_ssm_access|runner_worker_docker_machine_instance_prefix)' "$converted_file") sed -i '/runner_worker_enable_ssm_access/d' "$converted_file" sed -i '/runner_worker_docker_machine_instance_prefix/d' "$converted_file" @@ -466,6 +472,7 @@ sed -i '/runner_worker_docker_machine_ec2_root_size/d' "$converted_file" sed -i '/runner_worker_docker_machine_ec2_ebs_optimized/d' "$converted_file" sed -i '/runner_worker_docker_machine_max_builds/d' "$converted_file" sed -i '/runner_worker_docker_machine_docker_registry_mirror_url/d' "$converted_file" +sed -i '/runner_worker_docker_machine_instance_type/d' "$converted_file" # rename the variables extracted_variables=$(echo "$extracted_variables" | \ 
@@ -477,6 +484,7 @@ extracted_variables=$(echo "$extracted_variables" | \ sed 's/runner_worker_docker_machine_ec2_ebs_optimized/ebs_optimized/g' | \ sed 's/runner_worker_docker_machine_max_builds/destroy_after_max_builds/g' | \ sed 's/runner_worker_docker_machine_docker_registry_mirror_url/docker_registry_mirror_url/g' | \ + sed 's/runner_worker_docker_machine_instance_type/type/g' | \ sed 's/runner_worker_docker_machine_instance_prefix/name_prefix/g' ) 
@@ -505,4 +513,70 @@ runner_worker_docker_machine_instance_spot = { } " > x && mv x "$converted_file" +extracted_variables=$(grep -E '(runner_extra_security_group_ids|runner_security_group_description|runner_ping_allow_from_security_groups|runner_ping_enable)' "$converted_file") + +sed -i '/runner_ping_enable/d' "$converted_file" +sed -i '/runner_ping_allow_from_security_groups/d' "$converted_file" +sed -i '/runner_security_group_description/d' "$converted_file" +sed -i '/runner_extra_security_group_ids/d' "$converted_file" + +# rename the variables +extracted_variables=$(echo "$extracted_variables" | \ + sed 's/runner_ping_enable/allow_incoming_ping/g' | \ + sed 's/runner_security_group_description/security_group_description/g' | \ + sed 's/runner_extra_security_group_ids/security_group_ids/g' | \ + sed 's/runner_ping_allow_from_security_groups/allow_incoming_ping_security_group_ids/g' + ) + +# add new block runners_docker_options at the end +echo "$(head -n -1 "$converted_file") +runner_networking = { + $extracted_variables +} +" > x && mv x "$converted_file" + +sed -i 's/runner_extra_egress_rules/runner_networking_egress_rules/g' "$converted_file" + +extracted_variables=$(grep -E '(runner_worker_post_build_script|runner_worker_pre_build_script|runner_worker_pre_clone_script)' "$converted_file") + +sed -i '/runner_worker_pre_clone_script/d' "$converted_file" +sed -i '/runner_worker_pre_build_script/d' "$converted_file" +sed -i '/runner_worker_post_build_script/d' "$converted_file" + +# rename the variables +extracted_variables=$(echo "$extracted_variables" | \ + sed 's/runner_worker_pre_clone_script/pre_clone_script/g' | \ + sed 's/runner_worker_pre_build_script/pre_build_script/g' | \ + sed 's/runner_worker_post_build_script/post_build_script/g' + ) + +# add new block runners_docker_options at the end +echo "$(head -n -1 "$converted_file") +runner_worker_gitlab_pipeline = { + $extracted_variables +} +" > x && mv x "$converted_file" + +extracted_variables=$(grep 
-E '(runner_worker_docker_machine_extra_iam_policy_arns|runner_worker_docker_machine_assume_role_json|runner_worker_docker_machine_iam_instance_profile_name|runner_worker_docker_machine_extra_role_tags)' "$converted_file") + +sed -i '/runner_worker_docker_machine_extra_role_tags/d' "$converted_file" +sed -i '/runner_worker_docker_machine_iam_instance_profile_name/d' "$converted_file" +sed -i '/runner_worker_docker_machine_assume_role_json/d' "$converted_file" +sed -i '/runner_worker_docker_machine_extra_iam_policy_arns/d' "$converted_file" + +# rename the variables +extracted_variables=$(echo "$extracted_variables" | \ + sed 's/runner_worker_docker_machine_iam_instance_profile_name/profile_name/g' | \ + sed 's/runner_worker_docker_machine_assume_role_json/assume_role_policy_json/g' | \ + sed 's/runner_worker_docker_machine_extra_iam_policy_arns/policy_arns/g' | \ + sed 's/runner_worker_docker_machine_extra_role_tags/additional_tags/g' + ) + +# add new block runners_docker_options at the end +echo "$(head -n -1 "$converted_file") +runner_worker_docker_machine_role = { + $extracted_variables +} +" > x && mv x "$converted_file" + echo "Module call converted. Output: $converted_file" diff --git a/security_groups.tf b/security_groups.tf index 9091574a4..eac0a33cd 100644 --- a/security_groups.tf +++ b/security_groups.tf @@ -6,7 +6,7 @@ resource "aws_security_group" "runner" { # checkov:skip=CKV2_AWS_5:False positive. Security group is used in a launch template network interface section. name_prefix = local.name_sg vpc_id = var.vpc_id - description = var.runner_security_group_description + description = var.runner_networking.security_group_description dynamic "egress" { for_each = var.runner_extra_egress_rules 
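Review bot: The comment above each of the three new `echo "$(head -n -1 …)` blocks still reads `# add new block runners_docker_options at the end`, copied from the earlier block, while the blocks actually append `runner_networking`, `runner_worker_gitlab_pipeline` and `runner_worker_docker_machine_role`; each should name its own block, e.g. `# add new block runner_networking at the end`. The rewrite also goes through a fixed file `x` in the current directory (`> x && mv x "$converted_file"`), which clobbers any existing `x` and leaves it behind if the `echo` fails; `tmp=$(mktemp)` followed by `mv "$tmp" "$converted_file"` is the usual form. Both points also apply to the pre-existing blocks above this hunk.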
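Review bot: `for_each = var.runner_extra_egress_rules` on the context line at the end of the `@@ -6` hunk still references the old variable name, while variables.tf in this same patch renames the declaration to `runner_networking_egress_rules` (hunk `@@ -137`) and the migration script rewrites user code to the new name. Unless a hunk outside this view updates security_groups.tf as well, the module now references an undeclared variable and `terraform validate` fails; the line should read `for_each = var.runner_networking_egress_rules`. The `aws_security_group.runner` block continues past the hunk.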
@@ -43,19 +43,19 @@ resource "aws_security_group" "runner" { # Allow ICMP traffic from allowed security group IDs to gitlab-runner agent instances resource "aws_security_group_rule" "runner_ping_group" { - count = length(var.runner_ping_allow_from_security_groups) > 0 && var.runner_ping_enable ? length(var.runner_ping_allow_from_security_groups) : 0 + count = length(var.runner_networking.allow_incoming_ping_security_group_ids) > 0 && var.runner_networking.allow_incoming_ping ? length(var.runner_networking.allow_incoming_ping_security_group_ids) : 0 type = "ingress" from_port = -1 to_port = -1 protocol = "icmp" - source_security_group_id = element(var.runner_ping_allow_from_security_groups, count.index) + source_security_group_id = element(var.runner_networking.allow_incoming_ping_security_group_ids, count.index) security_group_id = aws_security_group.runner.id description = format( "Allow ICMP traffic from %s to gitlab-runner agent instances in group %s", - element(var.runner_ping_allow_from_security_groups, count.index), + element(var.runner_networking.allow_incoming_ping_security_group_ids, count.index), aws_security_group.runner.name ) } @@ -131,7 +131,7 @@ resource "aws_security_group_rule" "docker_machine_docker_runner" { # Combine runner security group id and additional security group IDs locals { # Only include runner security group id and additional if ping is enabled - security_groups_ping = var.runner_ping_enable && length(var.runner_ping_allow_from_security_groups) > 0 ? concat(var.runner_ping_allow_from_security_groups, [aws_security_group.runner.id]) : [] + security_groups_ping = var.runner_networking.allow_incoming_ping && length(var.runner_networking.allow_incoming_ping_security_group_ids) > 0 ? concat(var.runner_networking.allow_incoming_ping_security_group_ids, [aws_security_group.runner.id]) : [] } # Allow SSH traffic from gitlab-runner agent instances and security group IDs to docker-machine instances 
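Review bot: In `runner_ping_group` the new `count` expression tests `length(ids) > 0` and then evaluates to `length(ids)` anyway, so the guard is redundant: `count = var.runner_networking.allow_incoming_ping ? length(var.runner_networking.allow_incoming_ping_security_group_ids) : 0` gives the same result, since an empty list yields 0. The same simplification applies to `security_groups_ping` in the `@@ -131` hunk below. Keying these rules by `count.index` also means reordering the list recreates rules; `for_each = toset(...)` would be stable, but that changes state addresses and can be a follow-up.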
@@ -214,7 +214,7 @@ resource "aws_security_group_rule" "docker_machine_ssh_self" { # Allow ICMP traffic from docker-machine instances to docker-machine instances resource "aws_security_group_rule" "docker_machine_ping_self" { - count = (var.runner_worker.type == "docker+machine" && var.runner_ping_enable) ? 1 : 0 + count = (var.runner_worker.type == "docker+machine" && var.runner_networking.allow_incoming_ping) ? 1 : 0 type = "ingress" from_port = -1 diff --git a/tags.tf b/tags.tf index 7841ddfcc..05150f7d0 100644 --- a/tags.tf +++ b/tags.tf @@ -26,7 +26,7 @@ locals { runner_tags_merged = merge( local.tags, - var.runner_worker_docker_machine_extra_role_tags, + var.runner_worker_docker_machine_role.additional_tags, # overwrites the `Name` key from `local.tags` var.runner_worker_docker_machine_instance.name_prefix == "" ? { Name = substr(format("%s", var.environment), 0, 16) } : { Name = var.runner_worker_docker_machine_instance.name_prefix }, ) diff --git a/variables.tf b/variables.tf index 18c4deb45..1dd9c63fb 100644 --- a/variables.tf +++ b/variables.tf @@ -81,10 +81,10 @@ variable "runner_manager" { sentry_dsn = Sentry DSN of the project for the Agent to use (uses legacy DSN format) EOT type = object({ - gitlab_check_interval = optional(number, 3) - maximum_concurrent_jobs = optional(number, 10) + gitlab_check_interval = optional(number, 3) + maximum_concurrent_jobs = optional(number, 10) prometheus_listen_address = optional(string, "") - sentry_dsn = optional(string, "__SENTRY_DSN_REPLACED_BY_USER_DATA__") + sentry_dsn = optional(string, "__SENTRY_DSN_REPLACED_BY_USER_DATA__") }) default = {} } 
@@ -95,7 +95,9 @@ variable "runner_manager" { variable "runner_instance" { description = <<-EOT additional_tags = Map of tags that will be added to the Agent instance. + collect_autoscaling_metrics = A list of metrics to collect. The allowed values are GroupDesiredCapacity, GroupInServiceCapacity, GroupPendingCapacity, GroupMinSize, GroupMaxSize, GroupInServiceInstances, GroupPendingInstances, GroupStandbyInstances, GroupStandbyCapacity, GroupTerminatingCapacity, GroupTerminatingInstances, GroupTotalCapacity, GroupTotalInstances. ebs_optimized = Enable EBS optimization for the Agent instance. + max_lifetime_seconds = The maximum time an Agent should live before it is killed. monitoring = Enable the detailed monitoring on the Agent instance. name = Name of the Runner instance. name_prefix = Set the name prefix and override the `Name` tag for the Agent instance. 
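Review bot: The new `max_lifetime_seconds` description does not say what values are accepted, and since the value is passed straight to `max_instance_lifetime` on the autoscaling group (hunk `@@ -169`), a user who sets, say, 3600 only learns at apply time that the API rejects it. As far as I know the ASG API accepts 0 or a value between 86400 and 31536000 seconds; I would extend the line to `max_lifetime_seconds = The maximum time (in seconds) an Agent should live before it is killed. Must be 0 or between 86400 and 31536000; null leaves the ASG default.` The `collect_autoscaling_metrics` line could likewise state what `null` means, if a null `enabled_metrics` indeed disables collection.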
@@ -104,18 +106,22 @@ variable "runner_instance" { spot_price = By setting a spot price bid price the runner agent will be created via a spot request. Be aware that spot instances can be stopped by AWS. Choose \"on-demand-price\" to pay up to the current on demand price for the instance type chosen. ssm_access = Allows to connect to the Agent via SSM. type = EC2 instance type used. + use_eip = Assigns an EIP to the Agent. EOT type = object({ - additional_tags = optional(map(string)) - ebs_optimized = optional(bool, true) - monitoring = optional(bool, true) - name = string - name_prefix = optional(string) - private_address_only = optional(bool, true) - root_device_config = optional(map(string)) - spot_price = optional(string, null) - ssm_access = optional(bool, false) - type = optional(string, "t3.micro") + additional_tags = optional(map(string)) + collect_autoscaling_metrics = optional(list(string), null) + ebs_optimized = optional(bool, true) + max_lifetime_seconds = optional(number, null) + monitoring = optional(bool, true) + name = string + name_prefix = optional(string) + private_address_only = optional(bool, true) + root_device_config = optional(map(string)) + spot_price = optional(string, null) + ssm_access = optional(bool, false) + type = optional(string, "t3.micro") + use_eip = optional(bool, false) }) default = { name = "gitlab-runner" 
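Review bot: Neither of the two new attributes is validated, although the description enumerates the allowed metric names and the lifetime has a fixed AWS range. A `validation` block on `runner_instance` with `condition = var.runner_instance.max_lifetime_seconds == null || var.runner_instance.max_lifetime_seconds == 0 || (var.runner_instance.max_lifetime_seconds >= 86400 && var.runner_instance.max_lifetime_seconds <= 31536000)` turns an apply-time API error into a plan-time message; a second one with `alltrue([for m in coalesce(var.runner_instance.collect_autoscaling_metrics, []) : contains([...the names listed in the description...], m)])` does the same for the metric list. The `default` block continues past the hunk.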
@@ -137,37 +143,23 @@ variable "runner_ami_owners" { default = ["amazon"] } -variable "runner_collect_autoscaling_metrics" { - description = "A list of metrics to collect. The allowed values are GroupDesiredCapacity, GroupInServiceCapacity, GroupPendingCapacity, GroupMinSize, GroupMaxSize, GroupInServiceInstances, GroupPendingInstances, GroupStandbyInstances, GroupStandbyCapacity, GroupTerminatingCapacity, GroupTerminatingInstances, GroupTotalCapacity, GroupTotalInstances." - type = list(string) - default = null -} - -variable "runner_ping_enable" { - description = "Allow ICMP Ping to the Agent. Specify `agent_ping_allowed_from_security_groups` too!" - type = bool - default = false -} - -variable "runner_ping_allow_from_security_groups" { - description = "A list of security group ids that are allowed to access the gitlab runner agent" - type = list(string) - default = [] -} - -variable "runner_security_group_description" { - description = "A description for the Agents security group" - type = string - default = "A security group containing gitlab-runner agent instances" -} - -variable "runner_extra_security_group_ids" { - description = "IDs of security groups to add to the Agent." - type = list(string) - default = [] +variable "runner_networking" { + description = <<-EOT + allow_incoming_ping = Allow ICMP Ping to the Agent. Specify `allow_incoming_ping_security_group_ids` too! + allow_incoming_ping_security_group_ids = A list of security group ids that are allowed to ping the gitlab runner agent + security_group_description = A description for the Agent's security group + security_group_ids = IDs of security groups to add to the Agent. 
+ EOT + type = object({ + allow_incoming_ping = optional(bool, false) + allow_incoming_ping_security_group_ids = optional(list(string), []) + security_group_description = optional(string, "A security group containing gitlab-runner agent instances") + security_group_ids = optional(list(string), []) + }) + default = {} } -variable "runner_extra_egress_rules" { +variable "runner_networking_egress_rules" { description = "List of egress rules for the Agent." type = list(object({ cidr_blocks = list(string) @@ -196,7 +188,7 @@ variable "runner_extra_egress_rules" { } variable "runner_role" { - description = <<-EOT + description = <<-EOT additional_tags = Map of tags that will be added to the role created. Useful for tag based authorization. allow_iam_service_linked_role_creation = Boolean used to control attaching the policy to the Agent to create service linked roles. assume_role_policy_json = The assume role policy for the Agent. @@ -204,21 +196,15 @@ variable "runner_role" { policy_arns = List of policy ARNs to be added to the instance profile of the Agent. role_profile_name = IAM role/profile name for the Agent. If unspecified then `$${var.iam_object_prefix}-instance` is used. EOT - type = object({ - additional_tags = optional(map(string)) - allow_iam_service_linked_role_creation = optional(bool, true) - assume_role_policy_json = optional(string, "") - create_role_profile = optional(bool, true) - policy_arns = optional(list(string), []) - role_profile_name = optional(string) - }) - default = {} -} - -variable "runner_enable_eip" { - description = "Assigns an EIP to the Agent." - type = bool - default = false + type = object({ + additional_tags = optional(map(string)) + allow_iam_service_linked_role_creation = optional(bool, true) + assume_role_policy_json = optional(string, "") + create_role_profile = optional(bool, true) + policy_arns = optional(list(string), []) + role_profile_name = optional(string) + }) + default = {} } variable "runner_metadata_options" { 
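Review bot: The description for `allow_incoming_ping` says to "Specify `allow_incoming_ping_security_group_ids` too!", but nothing enforces it; with `allow_incoming_ping = true` and the default empty list, `runner_ping_group` in security_groups.tf creates zero rules and the user silently gets no ping access. A `validation` block on `runner_networking` with `condition = !var.runner_networking.allow_incoming_ping || length(var.runner_networking.allow_incoming_ping_security_group_ids) > 0` and `error_message = "allow_incoming_ping requires at least one entry in allow_incoming_ping_security_group_ids."` makes the contract explicit. The removed `runner_ping_enable` description referenced a stale name (`agent_ping_allowed_from_security_groups`), so the new text is already an improvement.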
@@ -243,11 +229,6 @@ variable "runner_schedule_enable" { default = false } -variable "runner_max_instance_lifetime_seconds" { - description = "The maximum time an Agent should live before it is killed." - default = null - type = number -} variable "runner_enable_asg_recreation" { description = "Enable automatic redeployment of the Agent ASG when the Launch Configs change." @@ -285,12 +266,12 @@ variable "runner_install" { EOT type = object({ amazon_ecr_credential_helper = optional(bool, false) - docker_machine_download_url = optional(string, "") - docker_machine_version = optional(string, "0.16.2-gitlab.19-cki.2") - pre_install_script = optional(string, "") - post_install_script = optional(string, "") - start_script = optional(string, "") - yum_update = optional(bool, true) + docker_machine_download_url = optional(string, "") + docker_machine_version = optional(string, "0.16.2-gitlab.19-cki.2") + pre_install_script = optional(string, "") + post_install_script = optional(string, "") + start_script = optional(string, "") + yum_update = optional(bool, true) }) default = {} } @@ -302,7 +283,7 @@ variable "runner_cloudwatch" { retention_days = Retention for cloudwatch logs. Defaults to unlimited. Requires `enable = true`. EOT type = object({ - enable = optional(bool, true) + enable = optional(bool, true) log_group_name = optional(string, null) retention_days = optional(number, 0) }) @@ -311,7 +292,7 @@ variable "runner_cloudwatch" { variable "runner_gitlab_registration_config" { description = "Configuration used to register the Agent. See the README for an example, or reference the examples in the examples directory of this repo." - type = object({ + type = object({ registration_token = optional(string, "") tag_list = optional(string, "") description = optional(string, "") 
@@ -334,12 +315,12 @@ variable "runner_gitlab" { url_clone = URL of the GitLab instance to clone from. Use only if the agent can’t connect to the GitLab URL. EOT type = object({ - ca_certificate = optional(string, "") - certificate = optional(string, "") + ca_certificate = optional(string, "") + certificate = optional(string, "") registration_token = optional(string, "__REPLACED_BY_USER_DATA__") - runner_version = optional(string, "15.8.2") - url = optional(string) - url_clone = optional(string) + runner_version = optional(string, "15.8.2") + url = optional(string) + url_clone = optional(string) }) } @@ -383,13 +364,13 @@ variable "runner_worker" { EOT type = object({ environment_variables = optional(list(string), []) - idle_count = optional(number, 0) - idle_time = optional(number, 600) - max_jobs = optional(number, 0) - output_limit = optional(number, 4096) - request_concurrency = optional(number, 1) - ssm_access = optional(bool, false) - type = optional(string, "docker+machine") + idle_count = optional(number, 0) + idle_time = optional(number, 600) + max_jobs = optional(number, 0) + output_limit = optional(number, 4096) + request_concurrency = optional(number, 1) + ssm_access = optional(bool, false) + type = optional(string, "docker+machine") }) default = {} 
@@ -418,41 +399,37 @@ variable "runner_worker_cache" { shared = Boolean used to enable or disable the use of the cache bucket as shared cache. versioning = Boolean used to enable versioning on the cache bucket. Requires `create = true`. EOT - type = object({ - access_log_bucket_id = optional(string, null) + type = object({ + access_log_bucket_id = optional(string, null) access_log_bucket_prefix = optional(string, null) - authentication_type = optional(string, "iam") - bucket = optional(string, "") - bucket_prefix = optional(string, "") - create = bool - expiration_days = optional(number, 1) - include_account_id = optional(bool, true) - policy = optional(string, "") - random_suffix = optional(bool, false) - shared = optional(bool, false) - versioning = optional(bool, false) + authentication_type = optional(string, "iam") + bucket = optional(string, "") + bucket_prefix = optional(string, "") + create = bool + expiration_days = optional(number, 1) + include_account_id = optional(bool, true) + policy = optional(string, "") + random_suffix = optional(bool, false) + shared = optional(bool, false) + versioning = optional(bool, false) }) default = { create = true } } -variable "runner_worker_pre_clone_script" { - description = "Script to execute in the pipeline before cloning the Git repository. this can be used to adjust the Git client configuration first, for example." - type = string - default = "\"\"" -} - -variable "runner_worker_pre_build_script" { - description = "Script to execute in the pipeline just before the build." - type = string - default = "\"\"" -} - -variable "runner_worker_post_build_script" { - description = "Script to execute in the pipeline just after the build, but before executing after_script." - type = string - default = "\"\"" +variable "runner_worker_gitlab_pipeline" { + description = <<-EOT + post_build_script = Script to execute in the pipeline just after the build, but before executing after_script. 
+ pre_build_script = Script to execute in the pipeline just before the build. + pre_clone_script = Script to execute in the pipeline before cloning the Git repository. this can be used to adjust the Git client configuration first, for example. + EOT + type = object({ + post_build_script = optional(string, "\"\"") + pre_build_script = optional(string, "\"\"") + pre_clone_script = optional(string, "\"\"") + }) + default = {} } /* @@ -572,16 +549,20 @@ variable "runner_worker_docker_options" { * docker+machine Executor variables. The executor is the actual machine that runs the job. Please specify the * `executor_docker_*` variables as well as Docker is used on the docker+machine executor. */ -variable "runner_worker_docker_machine_instance_type" { - description = "Instance type used for the instances hosting docker-machine." - type = string - default = "m5.large" -} - -variable "runner_worker_docker_machine_extra_role_tags" { - description = "Map of tags that will be added to runner EC2 instances." - type = map(string) - default = {} +variable "runner_worker_docker_machine_role" { + description = <<-EOT + additional_tags = Map of tags that will be added to runner EC2 instances. + assume_role_policy_json = Assume role policy for the docker+machine Executor. + policy_arns = List of ARNs of IAM policies to attach to the runner EC2 instances. + profile_name = Name of the IAM profile to attach to the runner EC2 instances. + EOT + type = object({ + additional_tags = optional(map(string), {}) + assume_role_policy_json = optional(string, "") + policy_arns = optional(list(string), []) + profile_name = optional(string, "") + }) + default = {} } variable "runner_worker_docker_machine_extra_egress_rules" { 
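Review bot: The three `*_script` attributes in `runner_worker_gitlab_pipeline` default to the two-character string `"\"\""` (a literal pair of double quotes) and the description does not explain why, so a reader is likely to "fix" it to `""`. The defaults were inherited from the removed variables, and presumably the value is interpolated verbatim into `config.toml` so it must already be a TOML string literal — worth confirming and then stating in the heredoc, e.g. `Values are inserted into config.toml as-is, so they must be valid TOML strings; the default is an empty TOML string.` Also `this can be used` in the `pre_clone_script` line should start its sentence with a capital letter.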
@@ -612,25 +593,6 @@ variable "runner_worker_docker_machine_extra_egress_rules" { ] } -variable "runner_worker_docker_machine_iam_instance_profile_name" { - description = "IAM instance profile name of the Executors." - type = string - default = "" -} - -variable "runner_worker_docker_machine_assume_role_json" { - description = "Assume role policy for the docker+machine Executor." - type = string - default = "" -} - -# executor -variable "runner_worker_docker_machine_extra_iam_policy_arns" { - type = list(string) - description = "List of policy ARNs to be added to the instance profile of the docker+machine Executor." - default = [] -} - variable "runner_worker_docker_machine_security_group_description" { description = "A description for the docker+machine Executor security group" type = string 
@@ -664,18 +626,20 @@ variable "runner_worker_docker_machine_instance" { private_address_only = Restrict Executors to the use of a private IP address. If `agent_use_private_address` is set to `true` (default), `executor_docker_machine_use_private_address` will also apply for the agent. root_size = The size of the root volume for the GitLab Runner Executor instances. start_script = Cloud-init user data that will be passed to the Executor EC2 instance. Should not be base64 encrypted. + type = The type of instance to use for the GitLab Runner Executor instances. volume_type = The type of volume to use for the GitLab Runner Executor instances. EOT type = object({ - destroy_after_max_builds = optional(number, 0) + destroy_after_max_builds = optional(number, 0) docker_registry_mirror_url = optional(string, "") - ebs_optimized = optional(bool, true) - monitoring = optional(bool, false) - name_prefix = optional(string, "") - private_address_only = optional(bool, true) - root_size = optional(number, 8) - start_script = optional(string, "") - volume_type = optional(string, "gp2") + ebs_optimized = optional(bool, true) + monitoring = optional(bool, false) + name_prefix = optional(string, "") + private_address_only = optional(bool, true) + root_size = optional(number, 8) + start_script = optional(string, "") + type = optional(string, "m5.large") + volume_type = optional(string, "gp2") }) default = { } 
@@ -697,14 +661,13 @@ variable "runner_worker_docker_machine_instance_spot" { max_price = The maximum price willing to pay. By default the price is limited by the current on demand price for the instance type chosen. EOT type = object({ - enable = optional(bool, true) + enable = optional(bool, true) max_price = optional(string, "on-demand-price") }) default = {} } variable "runner_worker_docker_machine_ec2_options" { - # cspell:ignore amazonec description = "List of additional options for the docker+machine config. Each element of this list must be a key=value pair. E.g. '[\"amazonec2-zone=a\"]'" type = list(string) default = [] @@ -742,7 +705,7 @@ variable "debug" { write_runner_config_to_file: Outputs the user data script and `config.toml` to the local file system. EOT type = object({ - trace_runner_user_data = optional(bool, false) + trace_runner_user_data = optional(bool, false) write_runner_config_to_file = optional(bool, false) }) default = {} From b43ee5b6626c0e53cb855017a4aeb2565783f40b Mon Sep 17 00:00:00 2001 From: kayma Date: Sat, 22 Apr 2023 16:28:56 +0200 Subject: [PATCH 45/74] GROUP-VARIABLES --- migrations/a.sh | 19 ++++ migrations/main.tf | 121 +++++++++++++++++++++ migrations/main.tf.old | 107 ++++++++++++++++++ migrations/migrate-to-7-0-0.sh | 191 +++++++++++++++++++-------------- 4 files changed, 359 insertions(+), 79 deletions(-) create mode 100644 migrations/a.sh create mode 100644 migrations/main.tf create mode 100644 migrations/main.tf.old diff --git a/migrations/a.sh b/migrations/a.sh new file mode 100644 index 000000000..0d8d29f28 --- /dev/null +++ b/migrations/a.sh 
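Review bot: The `@@ -697` hunk deletes the `# cspell:ignore amazonec` directive from `runner_worker_docker_machine_ec2_options`, but the description on the following context line still contains `amazonec2-zone`, the word that directive was suppressing. If the repository runs cspell in CI (its configuration is not visible from here), the spell-check warning returns; keep the line `# cspell:ignore amazonec` unless the word is now in a project dictionary. The remaining hunks in this file are whitespace realignment only.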
@@ -0,0 +1,19 @@
+extracted_variables=$(grep -E '(runner_max_instance_lifetime_seconds|runner_enable_eip|runner_collect_autoscaling_metrics|runner_enable_monitoring|runner_gitlab_runner_name|runner_enable_ssm_access|runner_use_private_address|runner_root_block_device|runner_ebs_optimized|runner_spot_price|runner_instance_prefix|runner_instance_type|runner_extra_instance_tags)' "$1")
+
+extracted_variables=$(echo "$extracted_variables" | \
+ sed 's/runner_root_block_device/root_device_config/g' | \
+ sed 's/runner_ebs_optimized/ebs_optimized/g' | \
+ sed 's/runner_spot_price/spot_price/g' | \
+ sed 's/runner_instance_prefix/name_prefix/g' | \
+ sed 's/runner_instance_type/type/g' | \
+ sed 's/runner_extra_instance_tags/additional_tags/g' | \
+ sed 's/runner_use_private_address/private_address_only/g' | \
+ sed 's/runner_gitlab_runner_name/name/g' | \
+ sed 's/runner_enable_monitoring/monitoring/g' | \
+ sed 's/runner_collect_autoscaling_metrics/collect_autoscaling_metrics/g' | \
+ sed 's/runner_enable_eip/use_eip/g' | \
+ sed 's/runner_max_instance_lifetime_seconds/max_lifetime_seconds/g' | \
+ sed 's/runner_enable_ssm_access/ssm_access/g'
+ )
+
+echo $extracted_variables
diff --git a/migrations/main.tf b/migrations/main.tf
new file mode 100644
index 000000000..14c2b91bc
--- /dev/null
+++ b/migrations/main.tf
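Review bot: `migrations/a.sh` looks like a local debugging helper rather than part of the migration (no shebang, no check on `$1`, and it is committed together with `migrations/main.tf` and `migrations/main.tf.old`, which read like test fixtures); if so, none of the three should ship in the module. If it is kept, `echo $extracted_variables` on the last line must be quoted as `echo "$extracted_variables"`, otherwise the shell word-splits the output onto a single line and expands any `*` in the extracted values as a glob. A `set -euo pipefail` at the top and a guard such as `[ -n "${1:-}" ] || { echo "usage: $0 <file>" >&2; exit 1; }` would also be expected of a script under `migrations/`.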
@@ -0,0 +1,121 @@ +module "runner" { + source = "../../" + + environment = var.environment + + vpc_id = module.vpc.vpc_id + subnet_id = element(module.vpc.private_subnets, 0) + + + + + runner_gitlab_registration_config = { + registration_token = var.registration_token + tag_list = "docker_spot_runner" + description = "runner default - auto" + locked_to_project = "true" + run_untagged = "false" + maximum_timeout = "3600" + } + + tags = { + "tf-aws-gitlab-runner:example" = "runner-default" + "tf-aws-gitlab-runner:instancelifecycle" = "spot:yes" + } + + runner_worker_docker_volumes_tmpfs = [ + { + volume = "/var/opt/cache", + options = "rw,noexec" + } + ] + + runner_worker_docker_services_volumes_tmpfs = [ + { + volume = "/var/lib/mysql", + options = "rw,noexec" + } + ] + + # working 9 to 5 :) + runner_worker_docker_machine_autoscaling_options = [ + { + periods = ["* * 0-9,17-23 * * mon-fri *", "* * * * * sat,sun *"] + idle_count = 0 + idle_time = 60 + timezone = var.timezone + } + ] + + runner_worker_docker_options = { + privileged = "true" + volumes = ["/cache", "/certs/client"] + } + + + + + # Uncomment the HCL code below to configure a docker service so that registry mirror is used in auto-devops jobs + # See https://gitlab.com/gitlab-org/gitlab-runner/-/issues/27171 and https://docs.gitlab.com/ee/ci/docker/using_docker_build.html#the-service-in-the-gitlab-runner-configuration-file + # You can check this works with a CI job like: + #
+  # default:
+  #    tags:
+  #        - "docker_spot_runner"
+  # docker-mirror-check:
+  #    image: docker:20.10.16
+  #    stage: build
+  #    variables:
+  #        DOCKER_TLS_CERTDIR: ''
+  #    script:
+  #        - |
+  #        - docker info
+  #          if ! docker info | grep -i mirror
+  #            then
+  #              exit 1
+  #              echo "No mirror config found"
+  #          fi
+  # 
+ # + # If not using an official docker image for your job, you may need to specify `DOCKER_HOST: tcp://docker:2375` + ## UNCOMMENT 6 LINES BELOW + # runner_worker_docker_services = [{ + # name = "docker:20.10.16-dind" + # alias = "docker" + # command = ["--registry-mirror", "https://mirror.gcr.io"] + # entrypoint = ["dockerd-entrypoint.sh"] + # }] + + + # Example how to configure runners, to utilize EC2 user-data feature + # example template, creates (configurable) swap file for the runner + # swap_size = "512" + # }) + runner_instance = { + collect_autoscaling_metrics = ["GroupDesiredCapacity", "GroupInServiceCapacity"] + name = var.runner_name + ssm_access = true + } + runner_gitlab = { + url = var.gitlab_url + } + runner_worker_docker_machine_instance = { + # start_script = templatefile("${path.module}/../../templates/swap.tpl", { + } + runner_worker_docker_machine_instance_spot = { + max_price = "on-demand-price" + } + runner_networking = { + allow_incoming_ping_security_group_ids = [data.aws_security_group.default.id] + } + runner_worker_gitlab_pipeline = { + pre_build_script = < + # default: + # tags: + # - "docker_spot_runner" + # docker-mirror-check: + # image: docker:20.10.16 + # stage: build + # variables: + # DOCKER_TLS_CERTDIR: '' + # script: + # - | + # - docker info + # if ! 
docker info | grep -i mirror + # then + # exit 1 + # echo "No mirror config found" + # fi + # + # + # If not using an official docker image for your job, you may need to specify `DOCKER_HOST: tcp://docker:2375` + ## UNCOMMENT 6 LINES BELOW + # runners_docker_services = [{ + # name = "docker:20.10.16-dind" + # alias = "docker" + # command = ["--registry-mirror", "https://mirror.gcr.io"] + # entrypoint = ["dockerd-entrypoint.sh"] + # }] + + + # Example how to configure runners, to utilize EC2 user-data feature + # example template, creates (configurable) swap file for the runner + # runners_userdata = templatefile("${path.module}/../../templates/swap.tpl", { + # swap_size = "512" + # }) +} diff --git a/migrations/migrate-to-7-0-0.sh b/migrations/migrate-to-7-0-0.sh index b58ca6e49..8a49a4d0b 100755 --- a/migrations/migrate-to-7-0-0.sh +++ b/migrations/migrate-to-7-0-0.sh @@ -1,5 +1,5 @@ #!/bin/sh -set -eu +set -u # # Precondition: The module call has been extracted to a separate file given in "$1". The code is well-formatted. @@ -72,13 +72,13 @@ extracted_variables=$(echo "$extracted_variables" | \ ) # add new block runners_docker_options at the end -echo "$(head -n -1 "$converted_file") -runner_worker_docker_options = { - $extracted_variables -} -" > x - -mv x "$converted_file" +if [ -n "$extracted_variables" ]; then + echo "$(head -n -1 "$converted_file") + runner_worker_docker_options = { + $extracted_variables + } + " > x && mv x "$converted_file" +fi # # PR #757 refactor!: rename variables and prefix with agent, executor and global scope 
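Review bot: Dropping `-e` from `set -eu` at the top of migrate-to-7-0-0.sh makes every later failure of `sed -i`, `head`, `mv` or a mistyped grep pattern a silent no-op, after which the unconditional `sed -i '/…/d'` lines still delete the original assignments, so a user's module call can lose settings with no error at all. If `-e` was removed because `grep -E` exits 1 when nothing matches, keep `set -eu` and tolerate only that case per extraction, e.g. `extracted_variables=$(grep -E '…' "$converted_file" || true)`; the `if [ -n "$extracted_variables" ]` guards added in the `@@ -72` hunk here and in the `@@ -211`, `@@ -253`, `@@ -279`, `@@ -301`, `@@ -330`, `@@ -357`, `@@ -375`, `@@ -395`, `@@ -425`, `@@ -489`, `@@ -507`, `@@ -529`, `@@ -551` and `@@ -573` hunks then keep their purpose. Those guards all write through a fixed relative file `x` in the caller's working directory; a `mktemp` name would avoid clobbering an existing file of that name.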
@@ -211,10 +211,11 @@ sed '/name_docker_machine_runners/d' | \ sed '/overrides = {/d' \ > "$converted_file.tmp" && mv "$converted_file.tmp" "$converted_file" -echo "$(head -n -1 "$converted_file") - $extracted_variables -}" > "$converted_file.tmp" && mv "$converted_file.tmp" "$converted_file" - +if [ -n "$extracted_variables" ]; then + echo "$(head -n -1 "$converted_file") + $extracted_variables + }" > "$converted_file.tmp" && mv "$converted_file.tmp" "$converted_file" +fi # # PR #810 refactor!: group variables for better overview @@ -253,13 +254,15 @@ extracted_variables=$(echo "$extracted_variables" | \ ) # add new block runners_docker_options at the end -echo "$(head -n -1 "$converted_file") -runner_instance = { - $extracted_variables -} -" > x && mv x "$converted_file" +if [ -n "$extracted_variables" ]; then + echo "$(head -n -1 "$converted_file") + runner_instance = { + $extracted_variables + } + " > x && cp x "$converted_file" +fi -extracted_variables=$(grep -E '(runner_allow_iam_service_linked_role_creation|runner_create_runner_iam_role_profile|runner_iam_role_profile_name|runner_extra_role_tags|runner_assume_role_json)|runner_extra_iam_policy_arns' "$converted_file") +extracted_variables=$(grep -E '(runner_allow_iam_service_linked_role_creation|runner_create_runner_iam_role_profile|runner_iam_role_profile_name|runner_extra_role_tags|runner_assume_role_json)|runner_extra_iam_policy_arns)' "$converted_file") sed -i '/runner_allow_iam_service_linked_role_creation/d' "$converted_file" sed -i '/runner_create_runner_iam_role_profile/d' "$converted_file" 
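Review bot: The corrected grep pattern in the `@@ -253,13 +254,15 @@` hunk, `'(runner_allow_iam_service_linked_role_creation|…|runner_assume_role_json)|runner_extra_iam_policy_arns)'`, now has one `(` and two `)`; GNU grep -E reports an unmatched `)` as an error, so `extracted_variables` comes back empty, the new `if [ -n … ]` guard skips writing the `runner_role` block, and the `sed -i '/runner_…/d'` lines that follow (two visible, the rest outside the hunk) delete the user's IAM role settings such as `runner_assume_role_json` and `runner_extra_iam_policy_arns` from the converted file without any message. The closing paren belongs at the end of the alternation: `'(runner_allow_iam_service_linked_role_creation|runner_create_runner_iam_role_profile|runner_iam_role_profile_name|runner_extra_role_tags|runner_assume_role_json|runner_extra_iam_policy_arns)'`. In the same hunk `" > x && cp x "$converted_file"` differs from the `mv x` used by every other block and leaves a stray `x` file behind.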
@@ -279,13 +282,15 @@ extracted_variables=$(echo "$extracted_variables" | \ ) # add new block runners_docker_options at the end -echo "$(head -n -1 "$converted_file") -runner_role = { - $extracted_variables -} -" > x && mv x "$converted_file" +if [ -n "$extracted_variables" ]; then + echo "$(head -n -1 "$converted_file") + runner_role = { + $extracted_variables + } + " > x && mv x "$converted_file" +fi -extracted_variables=$(grep -E '(runner_manager_maximum_concurrent_jobs|runner_manager_sentry_dsn|runner_manager_gitlab_check_interval|runner_manager_prometheus_listen_address' "$converted_file") +extracted_variables=$(grep -E '(runner_manager_maximum_concurrent_jobs|runner_manager_sentry_dsn|runner_manager_gitlab_check_interval|runner_manager_prometheus_listen_address)' "$converted_file") sed -i '/runner_manager_maximum_concurrent_jobs/d' "$converted_file" sed -i '/runner_manager_sentry_dsn/d' "$converted_file" @@ -301,11 +306,13 @@ extracted_variables=$(echo "$extracted_variables" | \ ) # add new block runners_docker_options at the end -echo "$(head -n -1 "$converted_file") -runner_manager = { - $extracted_variables -} -" > x && mv x "$converted_file" +if [ -n "$extracted_variables" ]; then + echo "$(head -n -1 "$converted_file") + runner_manager = { + $extracted_variables + } + " > x && mv x "$converted_file" +fi extracted_variables=$(grep -E '(runner_yum_update|runner_user_data_extra|runner_userdata_post_install|runner_userdata_pre_install|runner_install_amazon_ecr_credential_helper|runner_docker_machine_version|runner_docker_machine_download_url)' "$converted_file") 
@@ -330,11 +337,13 @@ extracted_variables=$(echo "$extracted_variables" | \ ) # add new block runners_docker_options at the end -echo "$(head -n -1 "$converted_file") -runner_install = { - $extracted_variables -} -" > x && mv x "$converted_file" +if [ -n "$extracted_variables" ]; then + echo "$(head -n -1 "$converted_file") + runner_install = { + $extracted_variables + } + " > x && mv x "$converted_file" +fi extracted_variables=$(grep -E '(runner_gitlab_clone_url|runner_gitlab_url|runner_gitlab_runner_version|runner_gitlab_token|runner_gitlab_certificate|runner_gitlab_ca_certificate)' "$converted_file") @@ -357,11 +366,13 @@ extracted_variables=$(echo "$extracted_variables" | \ ) # add new block runners_docker_options at the end -echo "$(head -n -1 "$converted_file") -runner_gitlab = { - $extracted_variables -} -" > x && mv x "$converted_file" +if [ -n "$extracted_variables" ]; then + echo "$(head -n -1 "$converted_file") + runner_gitlab = { + $extracted_variables + } + " > x && mv x "$converted_file" +fi extracted_variables=$(grep -E '(show_user_data_in_plan|runner_user_data_enable_trace_log)' "$converted_file") @@ -375,11 +386,13 @@ extracted_variables=$(echo "$extracted_variables" | \ ) # add new block runners_docker_options at the end -echo "$(head -n -1 "$converted_file") -debug = { - $extracted_variables -} -" > x && mv x "$converted_file" +if [ -n "$extracted_variables" ]; then + echo "$(head -n -1 "$converted_file") + debug = { + $extracted_variables + } + " > x && mv x "$converted_file" +fi extracted_variables=$(grep -E '(runner_cloudwatch_log_group_name|runner_cloudwatch_retention_days|runner_cloudwatch_enable)' "$converted_file") 
@@ -395,11 +408,13 @@ extracted_variables=$(echo "$extracted_variables" | \ ) # add new block runners_docker_options at the end -echo "$(head -n -1 "$converted_file") -runner_cloudwatch = { - $extracted_variables -} -" > x && mv x "$converted_file" +if [ -n "$extracted_variables" ]; then + echo "$(head -n -1 "$converted_file") + runner_cloudwatch = { + $extracted_variables + } + " > x && mv x "$converted_file" +fi extracted_variables=$(grep -E '(runner_worker_extra_environment_variables|runner_worker_output_limit|runner_worker_request_concurrency|runner_worker_idle_count|runner_worker_idle_time|runner_worker_max_jobs|runner_worker_type|runner_worker_enable_ssm_access)' "$converted_file") @@ -425,11 +440,13 @@ extracted_variables=$(echo "$extracted_variables" | \ ) # add new block runners_docker_options at the end -echo "$(head -n -1 "$converted_file") -runner_worker = { - $extracted_variables -} -" > x && mv x "$converted_file" +if [ -n "$extracted_variables" ]; then + echo "$(head -n -1 "$converted_file") + runner_worker = { + $extracted_variables + } + " > x && mv x "$converted_file" +fi sed -i 's/runner_worker_cache_s3_bucket/runner_worker_cache/g' "$converted_file" @@ -489,11 +506,13 @@ extracted_variables=$(echo "$extracted_variables" | \ ) # add new block runners_docker_options at the end -echo "$(head -n -1 "$converted_file") -runner_worker_docker_machine_instance = { - $extracted_variables -} -" > x && mv x "$converted_file" +if [ -n "$extracted_variables" ]; then + echo "$(head -n -1 "$converted_file") + runner_worker_docker_machine_instance = { + $extracted_variables + } + " > x && mv x "$converted_file" +fi extracted_variables=$(grep -E '(runner_worker_docker_machine_request_spot_instances|runner_worker_docker_machine_ec2_spot_price_bid)' "$converted_file") 
@@ -507,11 +526,13 @@ extracted_variables=$(echo "$extracted_variables" | \ ) # add new block runners_docker_options at the end -echo "$(head -n -1 "$converted_file") -runner_worker_docker_machine_instance_spot = { - $extracted_variables -} -" > x && mv x "$converted_file" +if [ -n "$extracted_variables" ]; then + echo "$(head -n -1 "$converted_file") + runner_worker_docker_machine_instance_spot = { + $extracted_variables + } + " > x && mv x "$converted_file" +fi extracted_variables=$(grep -E '(runner_extra_security_group_ids|runner_security_group_description|runner_ping_allow_from_security_groups|runner_ping_enable)' "$converted_file") @@ -529,11 +550,13 @@ extracted_variables=$(echo "$extracted_variables" | \ ) # add new block runners_docker_options at the end -echo "$(head -n -1 "$converted_file") -runner_networking = { - $extracted_variables -} -" > x && mv x "$converted_file" +if [ -n "$extracted_variables" ]; then + echo "$(head -n -1 "$converted_file") + runner_networking = { + $extracted_variables + } + " > x && mv x "$converted_file" +fi sed -i 's/runner_extra_egress_rules/runner_networking_egress_rules/g' "$converted_file" @@ -551,11 +574,13 @@ extracted_variables=$(echo "$extracted_variables" | \ ) # add new block runners_docker_options at the end -echo "$(head -n -1 "$converted_file") -runner_worker_gitlab_pipeline = { - $extracted_variables -} -" > x && mv x "$converted_file" +if [ -n "$extracted_variables" ]; then + echo "$(head -n -1 "$converted_file") + runner_worker_gitlab_pipeline = { + $extracted_variables + } + " > x && mv x "$converted_file" +fi extracted_variables=$(grep -E '(runner_worker_docker_machine_extra_iam_policy_arns|runner_worker_docker_machine_assume_role_json|runner_worker_docker_machine_iam_instance_profile_name|runner_worker_docker_machine_extra_role_tags)' "$converted_file") 
@@ -573,10 +598,18 @@ extracted_variables=$(echo "$extracted_variables" | \ ) # add new block runners_docker_options at the end -echo "$(head -n -1 "$converted_file") -runner_worker_docker_machine_role = { - $extracted_variables -} -" > x && mv x "$converted_file" +if [ -n "$extracted_variables" ]; then + echo "$(head -n -1 "$converted_file") + runner_worker_docker_machine_role = { + $extracted_variables + } + " > x && mv x "$converted_file" +fi + +cat < Date: Sun, 23 Apr 2023 10:00:55 +0200 Subject: [PATCH 46/74] converted the examples with migration script --- examples/runner-certificates/main.tf | 25 ++--- examples/runner-default/main.tf | 59 ++++++------ examples/runner-docker/main.tf | 32 +++++-- examples/runner-multi-region/main.tf | 101 ++++++++++++--------- examples/runner-pre-registered/main.tf | 14 ++- examples/runner-public/main.tf | 67 ++++++++------ migrations/a.sh | 19 ---- migrations/main.tf | 121 ------------------------- migrations/main.tf.old | 107 ---------------------- migrations/migrate-to-7-0-0.sh | 26 ++++-- 10 files changed, 193 insertions(+), 378 deletions(-) delete mode 100644 migrations/a.sh delete mode 100644 migrations/main.tf delete mode 100644 migrations/main.tf.old diff --git a/examples/runner-certificates/main.tf b/examples/runner-certificates/main.tf index ffc72a952..c61b3f1b4 100644 --- a/examples/runner-certificates/main.tf +++ b/examples/runner-certificates/main.tf @@ -27,12 +27,6 @@ module "runner" { ############################################### # General ############################################### - - runner_gitlab_runner_name = var.runner_name - runner_gitlab_url = var.gitlab_url - - runner_worker_type = "docker" - environment = var.environment ############################################### 
@@ -40,10 +34,12 @@ module "runner" { ############################################### # Public cert of my companys gitlab instance - runner_gitlab_certificate = file("${path.module}/my_gitlab_instance_cert.crt") - # Other public certs relating to my company. - runner_gitlab_ca_certificate = file("${path.module}/my_company_ca_cert_bundle.crt") + runner_gitlab = { + url = var.gitlab_url + certificate = file("${path.module}/my_gitlab_instance_cert.crt") + ca_certificate = file("${path.module}/my_company_ca_cert_bundle.crt") + } # Mount EC2 host certs in docker so all user docker images can reference them. # Each user image will need to do: @@ -61,7 +57,6 @@ module "runner" { ############################################### # Registration ############################################### - runner_gitlab_registration_config = { registration_token = var.registration_token tag_list = "docker_runner" @@ -74,7 +69,13 @@ module "runner" { ############################################### # Network ############################################### - vpc_id = module.vpc.vpc_id - subnet_id = element(module.vpc.public_subnets, 0) + vpc_id = module.vpc.vpc_id + subnet_id = element(module.vpc.public_subnets, 0) + runner_instance = { + name = var.runner_name + } + runner_worker = { + type = "docker" + } } diff --git a/examples/runner-default/main.tf b/examples/runner-default/main.tf index f241eba54..06d777e08 100644 --- a/examples/runner-default/main.tf +++ b/examples/runner-default/main.tf 
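Review bot: The new `runner_instance` and `runner_worker` blocks in the `@@ -74,7 +69,13 @@` hunk are appended under the `# Network` banner, where a reader will not look for the runner name or the executor type; they belong under the `# General` banner whose `runner_gitlab_runner_name` and `runner_worker_type` lines the `@@ -27,12 +27,6 @@` hunk removed. Since the migration script appends new blocks at the end of the module call, the other converted examples in this commit probably have the same layout and are worth a pass. The `# Other public certs relating to my company.` comment dropped in `@@ -40,10 +34,12 @@` could be kept above `ca_certificate` inside the new `runner_gitlab` block.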
@@ -54,15 +54,20 @@ module "runner" { vpc_id = module.vpc.vpc_id subnet_id = element(module.vpc.private_subnets, 0) - runner_collect_autoscaling_metrics = ["GroupDesiredCapacity", "GroupInServiceCapacity"] - runner_gitlab_runner_name = var.runner_name - runner_gitlab_url = var.gitlab_url - runner_enable_ssm_access = true + runner_instance = { + collect_autoscaling_metrics = ["GroupDesiredCapacity", "GroupInServiceCapacity"] + name = var.runner_name + ssm_access = true + } - runner_ping_allow_from_security_groups = [data.aws_security_group.default.id] + runner_networking = { + allow_incoming_ping_security_group_ids = [data.aws_security_group.default.id] + } - runner_worker_docker_machine_ec2_spot_price_bid = "on-demand-price" + runner_gitlab = { + url = var.gitlab_url + } runner_gitlab_registration_config = { registration_token = var.registration_token 
@@ -73,9 +78,19 @@ module "runner" { maximum_timeout = "3600" } - tags = { - "tf-aws-gitlab-runner:example" = "runner-default" - "tf-aws-gitlab-runner:instancelifecycle" = "spot:yes" + runner_worker_gitlab_pipeline = { + pre_build_script = < - # default: - # tags: - # - "docker_spot_runner" - # docker-mirror-check: - # image: docker:20.10.16 - # stage: build - # variables: - # DOCKER_TLS_CERTDIR: '' - # script: - # - | - # - docker info - # if ! docker info | grep -i mirror - # then - # exit 1 - # echo "No mirror config found" - # fi - # - # - # If not using an official docker image for your job, you may need to specify `DOCKER_HOST: tcp://docker:2375` - ## UNCOMMENT 6 LINES BELOW - # runner_worker_docker_services = [{ - # name = "docker:20.10.16-dind" - # alias = "docker" - # command = ["--registry-mirror", "https://mirror.gcr.io"] - # entrypoint = ["dockerd-entrypoint.sh"] - # }] - - - # Example how to configure runners, to utilize EC2 user-data feature - # example template, creates (configurable) swap file for the runner - # swap_size = "512" - # }) - runner_instance = { - collect_autoscaling_metrics = ["GroupDesiredCapacity", "GroupInServiceCapacity"] - name = var.runner_name - ssm_access = true - } - runner_gitlab = { - url = var.gitlab_url - } - runner_worker_docker_machine_instance = { - # start_script = templatefile("${path.module}/../../templates/swap.tpl", { - } - runner_worker_docker_machine_instance_spot = { - max_price = "on-demand-price" - } - runner_networking = { - allow_incoming_ping_security_group_ids = [data.aws_security_group.default.id] - } - runner_worker_gitlab_pipeline = { - pre_build_script = < - # default: - # tags: - # - "docker_spot_runner" - # docker-mirror-check: - # image: docker:20.10.16 - # stage: build - # variables: - # DOCKER_TLS_CERTDIR: '' - # script: - # - | - # - docker info - # if ! 
docker info | grep -i mirror - # then - # exit 1 - # echo "No mirror config found" - # fi - # - # - # If not using an official docker image for your job, you may need to specify `DOCKER_HOST: tcp://docker:2375` - ## UNCOMMENT 6 LINES BELOW - # runners_docker_services = [{ - # name = "docker:20.10.16-dind" - # alias = "docker" - # command = ["--registry-mirror", "https://mirror.gcr.io"] - # entrypoint = ["dockerd-entrypoint.sh"] - # }] - - - # Example how to configure runners, to utilize EC2 user-data feature - # example template, creates (configurable) swap file for the runner - # runners_userdata = templatefile("${path.module}/../../templates/swap.tpl", { - # swap_size = "512" - # }) -} diff --git a/migrations/migrate-to-7-0-0.sh b/migrations/migrate-to-7-0-0.sh index 8a49a4d0b..858c98bfb 100755 --- a/migrations/migrate-to-7-0-0.sh +++ b/migrations/migrate-to-7-0-0.sh @@ -165,8 +165,8 @@ sed 's/log_group_name/runner_cloudwatch_log_group_name/g' | \ sed 's/asg_max_instance_lifetime/runner_max_instance_lifetime_seconds/g' | \ sed 's/asg_delete_timeout/runner_terraform_timeout_delete_asg/g' | \ sed 's/enable_docker_machine_ssm_access/runner_worker_enable_ssm_access/g' | \ -sed 's/cache_bucket/runner_worker_cache_s3_bucket/g' | \ -sed 's/docker_machine_security_group_description//g' | \ +sed 's/ cache_bucket/ runner_worker_cache_s3_bucket/g' | \ +sed 's/docker_machine_security_group_description/runner_worker_docker_machine_security_group_description/g' | \ sed 's/docker_machine_options/runner_worker_docker_machine_ec2_options/g' | \ sed 's/runners_iam_instance_profile_name/runner_worker_docker_machine_iam_instance_profile_name/g' | \ sed 's/runners_volume_type/runner_worker_docker_machine_ec2_volume_type/g' | \ 
@@ -448,7 +448,8 @@ if [ -n "$extracted_variables" ]; then " > x && mv x "$converted_file" fi -sed -i 's/runner_worker_cache_s3_bucket/runner_worker_cache/g' "$converted_file" +# renames the block +sed -i 's/runner_worker_cache_s3_bucket /runner_worker_cache /g' "$converted_file" # integrate the new variables into existing block extracted_variables=$(grep -E '(runner_worker_cache_s3_logging_bucket_prefix|runner_worker_cache_s3_logging_bucket_id|runner_worker_cache_s3_bucket_enable_random_suffix|runner_worker_cache_s3_bucket_name_include_account_id|runner_worker_cache_s3_bucket_prefix|runner_worker_cache_s3_enable_versioning|runner_worker_cache_s3_expiration_days|runner_worker_cache_s3_authentication_type|runner_worker_cache_shared)' "$converted_file") 
@@ -475,10 +476,22 @@ extracted_variables=$(echo "$extracted_variables" | \ sed 's/runner_worker_cache_s3_logging_bucket_id/access_log_bucket_id/g' | \ sed 's/runner_worker_cache_s3_logging_bucket_prefix/access_log_bucket_prefix/g' ) -# insert the new variables into the existing block -sed -i "/runner_worker_cache/runner_worker_cache { $extracted_variables/g" "$converted_file" -extracted_variables=$(grep -E '(runner_worker_docker_machine_instance_type|runner_worker_docker_machine_docker_registry_mirror_url|runner_worker_docker_machine_max_builds|runner_worker_docker_machine_ec2_ebs_optimized|runner_worker_docker_machine_ec2_root_size|runner_worker_docker_machine_ec2_volume_type|runner_worker_docker_machine_userdata|runner_worker_docker_machine_enable_monitoring|runner_worker_enable_ssm_access|runner_worker_docker_machine_instance_prefix)' "$converted_file") +# insert the new variables into the existing block or append new block +if [ -n "$extracted_variables" ]; then + if grep -q "runner_worker_cache = {" "$converted_file"; then + cp "$converted_file" "$converted_file.bak" + sed -i "s/runner_worker_cache = {/runner_worker_cache = { $extracted_variables/g" "$converted_file" + else + echo "$(head -n -1 "$converted_file") + runner_worker_cache = { + $extracted_variables + } + " > x && mv x "$converted_file" + fi +fi + +extracted_variables=$(grep -E '(runner_worker_docker_machine_use_private_address|runner_worker_docker_machine_instance_type|runner_worker_docker_machine_docker_registry_mirror_url|runner_worker_docker_machine_max_builds|runner_worker_docker_machine_ec2_ebs_optimized|runner_worker_docker_machine_ec2_root_size|runner_worker_docker_machine_ec2_volume_type|runner_worker_docker_machine_userdata|runner_worker_docker_machine_enable_monitoring|runner_worker_enable_ssm_access|runner_worker_docker_machine_instance_prefix)' "$converted_file") sed -i '/runner_worker_enable_ssm_access/d' "$converted_file" sed -i '/runner_worker_docker_machine_instance_prefix/d' 
"$converted_file" @@ -489,6 +502,7 @@ sed -i '/runner_worker_docker_machine_ec2_root_size/d' "$converted_file" sed -i '/runner_worker_docker_machine_ec2_ebs_optimized/d' "$converted_file" sed -i '/runner_worker_docker_machine_max_builds/d' "$converted_file" sed -i '/runner_worker_docker_machine_docker_registry_mirror_url/d' "$converted_file" +sed -i '/runner_worker_docker_machine_use_private_address/d' "$converted_file" sed -i '/runner_worker_docker_machine_instance_type/d' "$converted_file" # rename the variables From d845abf61b52feb3802f74ed497149c7dab2a119 Mon Sep 17 00:00:00 2001 From: kayma Date: Sun, 23 Apr 2023 10:02:54 +0200 Subject: [PATCH 47/74] fix syntax error and format code --- examples/runner-certificates/main.tf | 4 ++-- examples/runner-default/main.tf | 12 ++++++------ examples/runner-multi-region/main.tf | 4 ++-- examples/runner-pre-registered/main.tf | 4 ++-- examples/runner-public/main.tf | 4 ++-- variables.tf | 2 +- 6 files changed, 15 insertions(+), 15 deletions(-) diff --git a/examples/runner-certificates/main.tf b/examples/runner-certificates/main.tf index c61b3f1b4..38e9c7b77 100644 --- a/examples/runner-certificates/main.tf +++ b/examples/runner-certificates/main.tf @@ -69,8 +69,8 @@ module "runner" { ############################################### # Network ############################################### - vpc_id = module.vpc.vpc_id - subnet_id = element(module.vpc.public_subnets, 0) + vpc_id = module.vpc.vpc_id + subnet_id = element(module.vpc.public_subnets, 0) runner_instance = { name = var.runner_name } diff --git a/examples/runner-default/main.tf b/examples/runner-default/main.tf index 06d777e08..96d42d86c 100644 --- a/examples/runner-default/main.tf +++ b/examples/runner-default/main.tf 
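Review bot: `sed -i "s/runner_worker_cache = {/runner_worker_cache = { $extracted_variables/g"` in the `@@ -475,10 +476,22 @@` hunk splices the grep output straight into the `s` replacement, where it is neither escaped nor single-line: any `/`, `&` or `\` in a user value (an S3 prefix such as `"logs/"` is enough) and any second matching line (an embedded newline) make sed abort with an unterminated-command error, and with `-e` gone the migration continues as if the merge had succeeded, presumably after the deletion lines above the hunk have already removed those variables. Reading the insertion from a file avoids all escaping: `printf '%s\n' "$extracted_variables" > "$tmp"` followed by `sed -i "/runner_worker_cache = {/r $tmp" "$converted_file"`. The `cp "$converted_file" "$converted_file.bak"` is only taken in this branch, so a backup exists for some runs and not others; make it unconditional near the top of the script or drop it.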
@@ -52,13 +52,13 @@ module "runner" { environment = var.environment - vpc_id = module.vpc.vpc_id - subnet_id = element(module.vpc.private_subnets, 0) + vpc_id = module.vpc.vpc_id + subnet_id = element(module.vpc.private_subnets, 0) runner_instance = { collect_autoscaling_metrics = ["GroupDesiredCapacity", "GroupInServiceCapacity"] - name = var.runner_name - ssm_access = true + name = var.runner_name + ssm_access = true } runner_networking = { @@ -66,7 +66,7 @@ module "runner" { } runner_gitlab = { - url = var.gitlab_url + url = var.gitlab_url } runner_gitlab_registration_config = { @@ -79,7 +79,7 @@ module "runner" { } runner_worker_gitlab_pipeline = { - pre_build_script = < Date: Sun, 23 Apr 2023 10:09:51 +0200 Subject: [PATCH 48/74] fix syntax errors --- main.tf | 10 +++++----- security_groups.tf | 2 +- variables.tf | 2 +- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/main.tf b/main.tf index e55895d46..e78ea80d6 100644 --- a/main.tf +++ b/main.tf @@ -60,7 +60,7 @@ locals { runners_config = local.template_runner_config runners_userdata = var.runner_worker_docker_machine_instance.start_script runners_executor = var.runner_worker.type - runners_install_amazon_ecr_credential_helper = var.runner_install.ecr_credential_helper + runners_install_amazon_ecr_credential_helper = var.runner_install.amazon_ecr_credential_helper curl_cacert = length(var.runner_gitlab.certificate) > 0 ? "--cacert /etc/gitlab-runner/certs/gitlab.crt" : "" pre_install_certificates = local.pre_install_certificates pre_install = var.runner_install.pre_install_script 
@@ -84,7 +84,7 @@ locals { { aws_region = data.aws_region.current.name gitlab_url = var.runner_gitlab.url - gitlab_clone_url = var.runner_gitlab.clone_url + gitlab_clone_url = var.runner_gitlab.url_clone tls_ca_file = length(var.runner_gitlab.certificate) > 0 ? "tls-ca-file=\"/etc/gitlab-runner/certs/gitlab.crt\"" : "" runners_machine_autoscaling = [for config in var.runner_worker_docker_machine_autoscaling_options : { for key, value in config : @@ -250,7 +250,7 @@ resource "aws_launch_template" "gitlab_runner_instance" { update_default_version = true ebs_optimized = var.runner_instance.ebs_optimized monitoring { - enabled = var.runner_instance.enable_monitoring + enabled = var.runner_instance.monitoring } dynamic "instance_market_options" { for_each = var.runner_instance.spot_price == null || var.runner_instance.spot_price == "" ? [] : ["spot"] @@ -336,7 +336,7 @@ module "cache" { tags = local.tags cache_bucket_prefix = var.runner_worker_cache.bucket_prefix - cache_bucket_name_include_account_id = var.runner_worker_cache.bucket_include_account_id + cache_bucket_name_include_account_id = var.runner_worker_cache.include_account_id cache_bucket_set_random_suffix = var.runner_worker_cache.random_suffix cache_bucket_versioning = var.runner_worker_cache.versioning cache_expiration_days = var.runner_worker_cache.expiration_days 
@@ -365,7 +365,7 @@ resource "aws_iam_role" "instance" { count = var.runner_role.create_role_profile ? 1 : 0 name = local.aws_iam_role_instance_name - assume_role_policy = length(var.runner_role.assume_role_policy_json) > 0 ? var.var.runner_role.assume_role_policy_json : templatefile("${path.module}/policies/instance-role-trust-policy.json", {}) + assume_role_policy = length(var.runner_role.assume_role_policy_json) > 0 ? var.runner_role.assume_role_policy_json : templatefile("${path.module}/policies/instance-role-trust-policy.json", {}) permissions_boundary = var.iam_permissions_boundary == "" ? null : "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:policy/${var.iam_permissions_boundary}" tags = merge(local.tags, var.runner_role.additional_tags) diff --git a/security_groups.tf b/security_groups.tf index eac0a33cd..868123f5f 100644 --- a/security_groups.tf +++ b/security_groups.tf @@ -9,7 +9,7 @@ resource "aws_security_group" "runner" { description = var.runner_networking.security_group_description dynamic "egress" { - for_each = var.runner_extra_egress_rules + for_each = var.runner_networking_egress_rules iterator = each content { diff --git a/variables.tf b/variables.tf index 0e83fb945..dc6f78623 100644 --- a/variables.tf +++ b/variables.tf @@ -375,7 +375,7 @@ variable "runner_worker" { default = {} validation { - condition = contains(["docker+machine", "docker"], var.runner_worker.executor_type) + condition = contains(["docker+machine", "docker"], var.runner_worker.type) error_message = "The executor currently supports `docker+machine` and `docker`." } } From 56a14a9ed4f68b97d35f20296f8dd55d6a4f1aa0 Mon Sep 17 00:00:00 2001 
From: Tyrone Meijn Date: Thu, 2 Mar 2023 09:25:58 +0100 Subject: [PATCH 49/74] fix!: remove deprecated pull policy variable (#710) ## Description Removes the earlier deprecated `runners_pull_policy` variable. Since were making a Major release I thought this one was nice to catch. ## Migrations required YES. Replace the `runners_pull_policy` by `runners_pull_policies`. --- README.md | 1 - locals.tf | 2 +- variables.tf | 6 ------ 3 files changed, 1 insertion(+), 8 deletions(-) diff --git a/README.md b/README.md index 5bb01c1cb..d9fd3e6a4 100644 --- a/README.md +++ b/README.md @@ -668,7 +668,6 @@ Made with [contributors-img](https://contrib.rocks). | [runners\_pre\_clone\_script](#input\_runners\_pre\_clone\_script) | Commands to be executed on the Runner before cloning the Git repository. this can be used to adjust the Git client configuration first, for example. | `string` | `"\"\""` | no | | [runners\_privileged](#input\_runners\_privileged) | Runners will run in privileged mode, will be used in the runner config.toml | `bool` | `true` | no | | [runners\_pull\_policies](#input\_runners\_pull\_policies) | pull policies for the runners, will be used in the runner config.toml, for Gitlab Runner >= 13.8, see https://docs.gitlab.com/runner/executors/docker.html#using-multiple-pull-policies | `list(string)` |
[
"always"
]
| no | -| [runners\_pull\_policy](#input\_runners\_pull\_policy) | Deprecated! Use runners\_pull\_policies instead. pull\_policy for the runners, will be used in the runner config.toml | `string` | `""` | no | | [runners\_request\_concurrency](#input\_runners\_request\_concurrency) | Limit number of concurrent requests for new jobs from GitLab (default 1). | `number` | `1` | no | | [runners\_request\_spot\_instance](#input\_runners\_request\_spot\_instance) | Whether or not to request spot instances via docker-machine | `bool` | `true` | no | | [runners\_root\_size](#input\_runners\_root\_size) | Runner instance root size in GB. | `number` | `16` | no | diff --git a/locals.tf b/locals.tf index d7126f554..58122f219 100644 --- a/locals.tf +++ b/locals.tf @@ -78,7 +78,7 @@ locals { } ) - runners_pull_policies = var.runners_pull_policy != "" ? "[\"${var.runners_pull_policy}\"]" : "[\"${join("\",\"", var.runners_pull_policies)}\"]" + runners_pull_policies = "[\"${join("\",\"", var.runners_pull_policies)}\"]" /* determines if the docker machine executable adds the Name tag automatically (versions >= 0.16.2) */ # make sure to skip pre-release stuff in the semver by ignoring everything after "-" diff --git a/variables.tf b/variables.tf index 42176f76c..8716845a7 100644 --- a/variables.tf +++ b/variables.tf @@ -266,12 +266,6 @@ variable "runners_helper_image" { default = "" } -variable "runners_pull_policy" { - description = "Deprecated! Use runners_pull_policies instead. pull_policy for the runners, will be used in the runner config.toml" - type = string - default = "" -} - variable "runners_pull_policies" { description = "pull policies for the runners, will be used in the runner config.toml, for Gitlab Runner >= 13.8, see https://docs.gitlab.com/runner/executors/docker.html#using-multiple-pull-policies " type = list(string) From 2cb01ad81e3e2cfadc0792c25b8ff7cf19ede3ea Mon Sep 17 00:00:00 2001 
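Review bot: The surviving expression `runners_pull_policies = "[\"${join("\",\"", var.runners_pull_policies)}\"]"` in locals.tf renders an empty list as `[""]`, i.e. one empty-string pull policy in config.toml, and a `"` inside an element breaks the quoting; `jsonencode(var.runners_pull_policies)` produces the same `["always"]` form for non-empty lists, `[]` for an empty one, and escapes quotes. A `validation` block on `runners_pull_policies` restricting elements to the policy names the runner accepts would catch typos at plan time now that the single-value fallback is gone.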
From: kayma Date: Thu, 27 Apr 2023 08:53:40 +0200 Subject: [PATCH 50/74] chore!: remove deprecated variables (#738) This PR removes all variables which are marked as deprecated. - `arn_format` - `subnet_id_runners` - `subnet_ids_gitlab_runner` - `asg_terminate_lifecycle_hook_create` - `asg_terminate_lifecycle_hook_heartbeat_timeout` - `asg_terminate_lifecycle_lambda_memory_size` - `asg_terminate_lifecycle_lambda_runtime` - `asg_terminate_lifecycle_lambda_timeout` Yes. Remove the variables from your configuration. This is done automatically by the migration script. None. --------- Co-authored-by: Tyrone Meijn # Conflicts: # main.tf --- .cspell.json | 2 + README.md | 3 +- examples/runner-public/main.tf | 7 ++- main.tf | 9 ++-- migrations/migrate-to-7-0-0.sh | 25 +++++++++ modules/terminate-agent-hook/variables.tf | 6 --- variables.tf | 64 ----------------------- 7 files changed, 36 insertions(+), 80 deletions(-) create mode 100755 migrations/migrate-to-7-0-0.sh diff --git a/.cspell.json b/.cspell.json index 15180d9ab..b8a95ecdd 100644 --- a/.cspell.json +++ b/.cspell.json @@ -4,6 +4,7 @@ "words": [ "amazonec", "amannn", + "amazonec", "anytrue", "aquasecurity", "awscli", @@ -50,6 +51,7 @@ "tflint", "tftpl", "tfsec", + "tftpl", "tfvars", "tmpfs", "trivy", diff --git a/README.md b/README.md index d9fd3e6a4..c7c028e7b 100644 --- a/README.md +++ b/README.md 
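Review bot: Both words added to `.cspell.json` are already in the list: `+ "amazonec",` sits directly below the existing `"amazonec",` in the `@@ -4,6 +4,7 @@` hunk and `+ "tftpl",` directly below the existing `"tftpl",` in `@@ -50,6 +51,7 @@`. This looks like a merge leftover; drop both added lines, since duplicate dictionary entries add nothing and invite a later conflict of their own.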
@@ -1,8 +1,9 @@ - + [![Terraform registry](https://img.shields.io/github/v/release/cattle-ops/terraform-aws-gitlab-runner?label=Terraform%20Registry)](https://registry.terraform.io/modules/cattle-ops/gitlab-runner/aws/) [![Gitter](https://badges.gitter.im/terraform-aws-gitlab-runner/Lobby.svg)](https://gitter.im/terraform-aws-gitlab-runner/Lobby?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge) [![Actions](https://github.com/cattle-ops/terraform-aws-gitlab-runner/workflows/CI/badge.svg)](https://github.com/cattle-ops/terraform-aws-gitlab-runner/actions) + # Terraform module for GitLab auto scaling runners on AWS spot instances diff --git a/examples/runner-public/main.tf b/examples/runner-public/main.tf index ffd2ae3ea..0d5d2c82e 100644 --- a/examples/runner-public/main.tf +++ b/examples/runner-public/main.tf @@ -2,7 +2,7 @@ data "aws_availability_zones" "available" { state = "available" } -# VPC Flow logs are not needed here +# Every VPC resource should have an associated Flow Log: This is an example only. No flow logs are created. # kics-scan ignore-line module "vpc" { source = "terraform-aws-modules/vpc/aws" @@ -79,9 +79,8 @@ module "runner2" { runners_use_private_address = false - vpc_id = module.vpc.vpc_id - subnet_ids_gitlab_runner = module.vpc.public_subnets - subnet_id_runners = element(module.vpc.public_subnets, 0) + vpc_id = module.vpc.vpc_id + subnet_id = element(module.vpc.public_subnets, 0) docker_machine_spot_price_bid = "on-demand-price" diff --git a/main.tf b/main.tf index 609352f46..cc8ee68ef 100644 --- a/main.tf +++ b/main.tf @@ -2,7 +2,7 @@ data "aws_caller_identity" "current" {} data "aws_partition" "current" {} data "aws_subnet" "runners" { - id = length(var.subnet_id) > 0 ? var.subnet_id : var.subnet_id_runners + id = var.subnet_id } data "aws_availability_zone" "runners" { 
@@ -90,8 +90,8 @@ locals { tls_ca_file = length(var.runners_gitlab_certificate) > 0 ? "tls-ca-file=\"/etc/gitlab-runner/certs/gitlab.crt\"" : "" runners_extra_hosts = var.runners_extra_hosts runners_vpc_id = var.vpc_id - runners_subnet_id = length(var.subnet_id) > 0 ? var.subnet_id : var.subnet_id_runners - runners_subnet_ids = length(var.fleet_executor_subnet_ids) > 0 ? var.fleet_executor_subnet_ids : length(var.subnet_id) > 0 ? [var.subnet_id] : [var.subnet_id_runners] + runners_subnet_id = var.subnet_id + runners_subnet_ids = length(var.fleet_executor_subnet_ids) > 0 ? var.fleet_executor_subnet_ids : [var.subnet_id] runners_aws_zone = data.aws_availability_zone.runners.name_suffix runners_instance_type = var.docker_machine_instance_type runners_instance_types = length(var.docker_machine_instance_types_fleet) > 0 ? var.docker_machine_instance_types_fleet : [var.docker_machine_instance_type] @@ -170,7 +170,7 @@ data "aws_ami" "docker-machine" { # kics-scan ignore-line resource "aws_autoscaling_group" "gitlab_runner_instance" { name = var.enable_asg_recreation ? "${aws_launch_template.gitlab_runner_instance.name}-asg" : "${var.environment}-as-group" - vpc_zone_identifier = length(var.fleet_executor_subnet_ids) > 0 ? var.fleet_executor_subnet_ids : length(var.subnet_id) > 0 ? [var.subnet_id] : var.subnet_ids_gitlab_runner + vpc_zone_identifier = length(var.fleet_executor_subnet_ids) > 0 ? var.fleet_executor_subnet_ids : [var.subnet_id] min_size = "1" max_size = "1" desired_capacity = "1" @@ -673,7 +673,6 @@ module "terminate_agent_hook" { name_docker_machine_runners = local.runner_tags_merged["Name"] role_permissions_boundary = var.permissions_boundary == "" ? null : "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:policy/${var.permissions_boundary}" kms_key_id = local.kms_key - arn_format = var.arn_format tags = local.tags } 
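Review bot: In the `aws_autoscaling_group` hunk, `vpc_zone_identifier = ... : [var.subnet_id]` pins the agent ASG (min = max = 1) to one subnet and therefore one AZ, whereas a caller who set `subnet_ids_gitlab_runner` to several subnets previously got cross-AZ replacement when the instance was lost. The migration script for this PR simply deletes that line, so the loss of redundancy is silent. If single-subnet is the intended design, the commit message's "Remove the variables from your configuration" should say so explicitly, e.g. `# the agent now always runs in subnet_id; multi-AZ placement of the agent is no longer supported`.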
diff --git a/migrations/migrate-to-7-0-0.sh b/migrations/migrate-to-7-0-0.sh new file mode 100755 index 000000000..8aaaa9b4e --- /dev/null +++ b/migrations/migrate-to-7-0-0.sh @@ -0,0 +1,25 @@ +#!/bin/sh +set -eu + +# +# Precondition: The module call has been extracted to a separate file given in "$1". The code is well-formatted. +# Run `terraform fmt` to do that +# +# $1: file name containing the module call to be converted +# + +converted_file="$1.new" + +cp "$1" "$converted_file" + +# +# PR #738 chore!: remove deprecated variables +# +sed -i '/arn_format/d' "$converted_file" +sed -i '/subnet_id_runners/d' "$converted_file" +sed -i '/subnet_ids_gitlab_runner/d' "$converted_file" +sed -i '/asg_terminate_lifecycle_hook_create/d' "$converted_file" +sed -i '/asg_terminate_lifecycle_hook_heartbeat_timeout/d' "$converted_file" +sed -i '/asg_terminate_lifecycle_lambda_memory_size/d' "$converted_file" +sed -i '/asg_terminate_lifecycle_lambda_runtime/d' "$converted_file" +sed -i '/asg_terminate_lifecycle_lambda_timeout/d' "$converted_file" diff --git a/modules/terminate-agent-hook/variables.tf b/modules/terminate-agent-hook/variables.tf index 3f8a22897..3cfb49970 100644 --- a/modules/terminate-agent-hook/variables.tf +++ b/modules/terminate-agent-hook/variables.tf @@ -60,9 +60,3 @@ variable "enable_xray_tracing" { type = bool default = false } - -variable "arn_format" { - type = string - default = "arn:aws" - description = "ARN format to be used. May be changed to support deployment in GovCloud/China regions." -} diff --git a/variables.tf b/variables.tf index 8716845a7..7d6d95f10 100644 --- a/variables.tf +++ b/variables.tf 
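Review bot: Every deletion in the new script is an unanchored substring match, so `sed -i '/arn_format/d'` removes any line that merely mentions the text (a comment, or a value such as a prefix containing `subnet_id_runners`), not just the attribute assignment; anchor each pattern on an attribute at the start of the line, e.g. `sed -i -E '/^[[:space:]]*arn_format[[:space:]]*=/d'`. A value spread over several lines (`subnet_ids_gitlab_runner = [` followed by entries) is only partly removed and leaves an unbalanced bracket, so the precondition comment should require single-line attributes or the script should end with `terraform validate` on the output. `sed -i` without a backup suffix is GNU-specific, which the `#!/bin/sh` header hides; a `# requires GNU sed` comment next to `set -eu` would save users a confusing failure.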
@@ -3,12 +3,6 @@ variable "aws_region" { type = string } -variable "arn_format" { - type = string - default = null - description = "Deprecated! Calculated automatically by the module. ARN format to be used. May be changed to support deployment in GovCloud/China regions." -} - variable "auth_type_cache_sr" { description = "A string that declares the AuthenticationType for [runners.cache.s3]. Can either be 'iam' or 'credentials'" type = string 
@@ -879,70 +873,12 @@ variable "docker_machine_egress_rules" { }] } -variable "subnet_id_runners" { - description = "Deprecated! Use subnet_id instead. List of subnets used for hosting the gitlab-runners." - type = string - default = "" -} - -variable "subnet_ids_gitlab_runner" { - description = "Deprecated! Use subnet_id instead. Subnet used for hosting the GitLab runner." - type = list(string) - default = [] -} - variable "asg_terminate_lifecycle_hook_name" { description = "Specifies a custom name for the ASG terminate lifecycle hook and related resources." type = string default = null } -variable "asg_terminate_lifecycle_hook_create" { - description = "(Deprecated and always true now) Boolean toggling the creation of the ASG instance terminate lifecycle hook." - type = bool - default = true - - validation { - condition = var.asg_terminate_lifecycle_hook_create - error_message = "The hook must be created. Please remove the variable declaration." - } -} - -variable "asg_terminate_lifecycle_hook_heartbeat_timeout" { - description = "(Deprecated and no longer in use) The amount of time, in seconds, for the instances to remain in wait state." - type = number - default = null - - validation { - condition = var.asg_terminate_lifecycle_hook_heartbeat_timeout == null - error_message = "The timeout value is managed by the module. Please remove the variable declaration." - } -} - -# to be removed in future release -# tflint-ignore: terraform_unused_declarations -variable "asg_terminate_lifecycle_lambda_memory_size" { - description = "(Deprecated and no longer in use) The memory size in MB to allocate to the terminate-instances Lambda function." - type = number - default = 128 -} - -# to be removed in future release -# tflint-ignore: terraform_unused_declarations -variable "asg_terminate_lifecycle_lambda_runtime" { - description = "(Deprecated and no longer in use) Identifier of the function's runtime. This should be a python3.x runtime. 
See https://docs.aws.amazon.com/lambda/latest/dg/API_CreateFunction.html#SSS-CreateFunction-request-Runtime for more information." - type = string - default = "python3.8" -} - -# to be removed in future release -# tflint-ignore: terraform_unused_declarations -variable "asg_terminate_lifecycle_lambda_timeout" { - description = "(Deprecated and no longer in use) Amount of time the terminate-instances Lambda Function has to run in seconds." - default = 30 - type = number -} - variable "runner_yum_update" { description = "Run a yum update as part of starting the runner" type = bool From 05b052ff54bc4be5435e8c2cca60410684fc4bad Mon Sep 17 00:00:00 2001 
From: Tyrone Meijn Date: Thu, 20 Apr 2023 08:50:14 +0200 Subject: [PATCH 51/74] feat!: add idle_count_min` and `idle_scale_factor` to Docker Machine autoscaling options (#711) ## Description Switches from hardcoded options to free-from scaling configuration. This reduces the module complexity by allowing to get rid of a number of variables while giving more control to the user to define their options without us having to build support into it for. Adds `idle_scale_factor` and `idle_count_min` Docker Machine options. See [documentation](https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-runnersmachine-section"). ## Migrations required YES - users will have to change the input name from `runners_machine_autoscaling` to `runners_machine_autoscaling_options`. No other changes should be needed, we just support _more_ options. A migration script is available. ## Verification No input given: (end of rendered `config.toml`) ![image](https://user-images.githubusercontent.com/17970041/225890782-02fe4adc-4c6a-4237-9752-a64349464113.png) Input: ```hcl runners_machine_autoscaling_options = [ { periods = ["* * 9-17 * * mon-fri *", "* * 9-17 * * mon-fri *"] idle_count = 50 idle_count_min = 10 idle_time = 3600 timezone = "UTC" idle_scale_factor = 1.5 }, { periods = ["* * 9-17 * * mon-fri *", "* * 9-17 * * mon-fri *"] idle_count = 50 idle_time = 3600 timezone = "Europe/Amsterdam" } ] ``` Rendered `config.toml`: ![image](https://user-images.githubusercontent.com/17970041/225891085-add03ee8-3943-4c56-96a4-d1a8c252deb0.png) Apply results: ![image](https://user-images.githubusercontent.com/17970041/225893020-a9850486-4aa6-4eb0-b996-558ec7bccfea.png) Closes #556 --------- Co-authored-by: Matthias Kay --- .cspell.json | 7 ++++--- .github/workflows/ci.yml | 2 +- .terraform-version | 2 +- examples/runner-default/main.tf | 4 ++-- examples/runner-pre-registered/main.tf | 4 ++-- locals.tf | 5 ----- main.tf | 7 ++++++- migrations/migrate-to-7-0-0.sh | 5 +++++ 
outputs.tf | 5 +++++ template/runner-config.tftpl | 8 +++++++- template/runners_machine_autoscaling.tftpl | 7 ------- variables.tf | 23 +++++++++++++++++----- 12 files changed, 51 insertions(+), 28 deletions(-) delete mode 100644 template/runners_machine_autoscaling.tftpl diff --git a/.cspell.json b/.cspell.json index b8a95ecdd..877c3e397 100644 --- a/.cspell.json +++ b/.cspell.json @@ -2,6 +2,7 @@ "version": "0.2", "language": "en", "words": [ + "alltrue", "amazonec", "amannn", "amazonec", @@ -22,9 +23,7 @@ "endfor", "formatlist", "gitter", - "godotenv", - "golangci", - "gruntwork", + "glrunners", "instancelifecycle", "kics", "joho", @@ -39,10 +38,12 @@ "pylint", "pylintrc", "pyright", + "setsubtract", "shuf", "signoff", "signum", "stretchr", + "subkey", "substr", "templatefile", "terrascan", diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 324db2a70..a96f7f751 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -31,7 +31,7 @@ jobs: strategy: fail-fast: false matrix: - terraform: [ 1.0.11, 1.3.9, latest ] + terraform: [1.3.9, latest] example: [ "runner-default", diff --git a/.terraform-version b/.terraform-version index 337a6a8f1..589268e6f 100644 --- a/.terraform-version +++ b/.terraform-version @@ -1 +1 @@ -1.0.8 \ No newline at end of file +1.3.0 \ No newline at end of file diff --git a/examples/runner-default/main.tf b/examples/runner-default/main.tf index 84e089824..39a49fbe1 100644 --- a/examples/runner-default/main.tf +++ b/examples/runner-default/main.tf @@ -97,9 +97,9 @@ module "runner" { ] # working 9 to 5 :) - runners_machine_autoscaling = [ + runners_machine_autoscaling_options = [ { - periods = ["\"* * 0-9,17-23 * * mon-fri *\"", "\"* * * * * sat,sun *\""] + periods = ["* * 0-9,17-23 * * mon-fri *", "* * * * * sat,sun *"] idle_count = 0 idle_time = 60 timezone = var.timezone diff --git a/examples/runner-pre-registered/main.tf b/examples/runner-pre-registered/main.tf index e6d204c15..75d50d7b6 100644 
--- a/examples/runner-pre-registered/main.tf +++ b/examples/runner-pre-registered/main.tf @@ -40,9 +40,9 @@ module "runner" { runners_token = var.runner_token # working 9 to 5 :) - runners_machine_autoscaling = [ + runners_machine_autoscaling_options = [ { - periods = ["\"* * 0-9,17-23 * * mon-fri *\"", "\"* * * * * sat,sun *\""] + periods = ["* * 0-9,17-23 * * mon-fri *", "* * * * * sat,sun *"] idle_count = 0 idle_time = 60 timezone = var.timezone diff --git a/locals.tf b/locals.tf index 58122f219..6d9342440 100644 --- a/locals.tf +++ b/locals.tf @@ -68,11 +68,6 @@ locals { %{~if var.runners_add_dind_volumes~},"/certs/client", "/builds", "/var/run/docker.sock:/var/run/docker.sock"%{endif~}%{~for volume in var.runners_additional_volumes~},"${volume}"%{endfor~} EOT - runners_machine_autoscaling = templatefile("${path.module}/template/runners_machine_autoscaling.tftpl", { - runners_machine_autoscaling = var.runners_machine_autoscaling - } - ) - runners_docker_services = templatefile("${path.module}/template/runners_docker_services.tftpl", { runners_docker_services = var.runners_docker_services } diff --git a/main.tf b/main.tf index cc8ee68ef..d4094708b 100644 --- a/main.tf +++ b/main.tf @@ -84,6 +84,12 @@ locals { template_runner_config = templatefile("${path.module}/template/runner-config.tftpl", { + runners_machine_autoscaling = [for config in var.runners_machine_autoscaling_options : { + for key, value in config : + # Convert key from snake_case to PascalCase which is the casing for this section. + join("", [for subkey in split("_", key) : title(subkey)]) => jsonencode(value) if value != null + }] + aws_region = var.aws_region gitlab_url = var.runners_gitlab_url gitlab_clone_url = var.runners_clone_url 
@@ -121,7 +127,6 @@ locals { runners_idle_count = var.runners_idle_count runners_idle_time = var.runners_idle_time runners_max_builds = local.runners_max_builds_string - runners_machine_autoscaling = local.runners_machine_autoscaling runners_root_size = var.runners_root_size runners_volume_type = var.runners_volume_type runners_iam_instance_profile_name = var.runners_iam_instance_profile_name diff --git a/migrations/migrate-to-7-0-0.sh b/migrations/migrate-to-7-0-0.sh index 8aaaa9b4e..de69a715d 100755 --- a/migrations/migrate-to-7-0-0.sh +++ b/migrations/migrate-to-7-0-0.sh @@ -23,3 +23,8 @@ sed -i '/asg_terminate_lifecycle_hook_heartbeat_timeout/d' "$converted_file" sed -i '/asg_terminate_lifecycle_lambda_memory_size/d' "$converted_file" sed -i '/asg_terminate_lifecycle_lambda_runtime/d' "$converted_file" sed -i '/asg_terminate_lifecycle_lambda_timeout/d' "$converted_file" + +# +# PR #711 feat!: refactor Docker Machine autoscaling options +# +sed -i 's/runners_machine_autoscaling/runners_machine_autoscaling_options/g' "$converted_file" diff --git a/outputs.tf b/outputs.tf index 66a6ba3bd..6956b3c90 100644 --- a/outputs.tf +++ b/outputs.tf @@ -57,3 +57,8 @@ output "runner_user_data" { description = "The user data of the Gitlab Runner Agent's launch template." value = local.template_user_data } + +output "runner_config_toml_rendered" { + description = "The rendered config.toml given to the Runner Manager." + value = local.template_runner_config +} diff --git a/template/runner-config.tftpl b/template/runner-config.tftpl index 64c80975c..021e0645a 100644 --- a/template/runner-config.tftpl +++ b/template/runner-config.tftpl @@ -80,4 +80,10 @@ listen_address = "${prometheus_listen_address}" ${docker_machine_options} ] -${runners_machine_autoscaling} +%{~ for config in runners_machine_autoscaling ~} + [[runners.machine.autoscaling]] + %{~ for key, value in config ~} + ${key} = ${value} + %{~ endfor ~} +%{~ endfor ~} + 
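Review bot: The new `runner_config_toml_rendered` output exposes the whole rendered `config.toml` without `sensitive = true`, so it is printed by `terraform apply`/`terraform output` and kept readable in state and CI logs. The same template renders the `[runners.cache]` section and possibly other material that should not be printed (the runner token if it is substituted at render time, or static S3 keys when `auth_type_cache_sr = "credentials"`); whether any of that is rendered is not visible in this hunk, so please confirm. If any credential can land in it, add `sensitive = true` to the output, or state in the description that it is for debugging only and should not be used in shared pipelines.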
diff --git a/template/runners_machine_autoscaling.tftpl b/template/runners_machine_autoscaling.tftpl deleted file mode 100644 index 71b40fda1..000000000 --- a/template/runners_machine_autoscaling.tftpl +++ /dev/null @@ -1,7 +0,0 @@ -%{ for config in runners_machine_autoscaling ~} - [[runners.machine.autoscaling]] - Periods = [${replace(format("\"%s\"", join("\",\"", config.periods)), "/\"{2,}/", "\"")}] - IdleCount = ${config.idle_count} - IdleTime = ${config.idle_time} - Timezone = "${config.timezone}" -%{ endfor ~} diff --git a/variables.tf b/variables.tf index 7d6d95f10..647ab9ceb 100644 --- a/variables.tf +++ b/variables.tf @@ -278,14 +278,27 @@ variable "runners_ebs_optimized" { default = true } -variable "runners_machine_autoscaling" { +variable "runners_machine_autoscaling_options" { description = "Set autoscaling parameters based on periods, see https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-runnersmachine-section" type = list(object({ - periods = list(string) - idle_count = number - idle_time = number - timezone = string + periods = list(string) + idle_count = optional(number) + idle_scale_factor = optional(number) + idle_count_min = optional(number) + idle_time = optional(number) + timezone = optional(string, "UTC") })) + + validation { + condition = alltrue([ + for options in var.runners_machine_autoscaling_options : + length( + setsubtract([for key, value in options : key if value != null], ["periods", "timezone"]) + ) > 0 + ]) + + error_message = "Please specify an attribute that affects Autoscaling." + } default = [] } From dc5a758573382780cd2ee0c50eddb3be71cea2f7 Mon Sep 17 00:00:00 2001 
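Review bot: `timezone = optional(string, "UTC")` uses `optional()` with a default, which needs Terraform ≥ 1.3, yet this commit bumps `.terraform-version` and the CI matrix without touching `versions.tf` (it is absent from the diffstat), so callers on 1.0–1.2 that the previous `required_version` still admits, as far as visible, get a parser error instead of a clear constraint violation; bump `required_version` in the same change. The validation's message could name the accepted keys so the user knows what to add: `error_message = "Specify at least one of idle_count, idle_count_min, idle_scale_factor or idle_time."`. The enclosing `variable` block ends at the `default = []` / `}` lines at the end of the hunk.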
From: Matthias Kay Date: Thu, 20 Apr 2023 10:14:17 +0200 Subject: [PATCH 52/74] feat!: allow to set all docker options for the Executor (#511) ## Description Adds a new variable `runners_docker_options` which holds all values for the `[runners.docker]` section and makes the single variables - `runners_image` - `runners_privileged` - `runners_disable_cache` - `runners_additional_volumes` - `runners_shm_size` - `runners_docker_runtime` - `runners_helper_image` - `runners_pull_policy` obsolete. ## Migrations required Yes, as the minimum Terraform version is 1.3.0 to support optional block variables with defaults. A migration script is provided to restructure the variables. See `/migrations/migrate-to-7-0-0.sh`. Attention Mac users: The script will not work out of the box as the `sed` implementation is different. Use a Docker container with Alpine or Ubuntu to run the script. ```hcl module "gitlab_ci_runner" { ... runners_docker_options { # set whatever is necessary } ``` ## Verification - [x] Use current configuration and ensure that the `config.toml` remains unchanged - [x] Set all new block variables and ensure that the `config.toml` is valid (use `gitlab-runner verify`) - [x] Check that the default settings with Terraform 1.3 work as expected - [x] Verify all docker settings against the documentation to ensure correct names The runner starts in both cases and is available in Gitlab. No example tested but used our active configuration at Hapag-Lloyd.
--------- Co-authored-by: Tyrone Meijn --- .github/workflows/ci.yml | 2 +- examples/runner-certificates/main.tf | 7 +- examples/runner-default/main.tf | 8 +- examples/runner-multi-region/main.tf | 12 ++- examples/runner-public/main.tf | 6 +- locals.tf | 16 ++-- main.tf | 10 +-- migrations/migrate-to-7-0-0.sh | 51 ++++++++++++ template/runner-config.tftpl | 20 ++--- template/runners_docker_options.tftpl | 4 + variables.tf | 111 ++++++++++++++------------ versions.tf | 2 +- 12 files changed, 162 insertions(+), 87 deletions(-) create mode 100644 template/runners_docker_options.tftpl diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index a96f7f751..d40a29f15 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -31,7 +31,7 @@ jobs: strategy: fail-fast: false matrix: - terraform: [1.3.9, latest] + terraform: [ 1.3.9, latest ] example: [ "runner-default", diff --git a/examples/runner-certificates/main.tf b/examples/runner-certificates/main.tf index e7c9c5875..c0bef14ae 100644 --- a/examples/runner-certificates/main.tf +++ b/examples/runner-certificates/main.tf @@ -51,7 +51,12 @@ module "runner" { # cp /etc/gitlab-runner/certs/* /usr/local/share/ca-certificates/ # update-ca-certificates # Or similar OS-dependent commands. The above are an example for Ubuntu. - runners_additional_volumes = ["/etc/gitlab-runner/certs/:/etc/gitlab-runner/certs:ro"] + runners_docker_options = { + volumes = [ + "/cache", + "/etc/gitlab-runner/certs/:/etc/gitlab-runner/certs:ro" + ] + } ############################################### # Registration diff --git a/examples/runner-default/main.tf b/examples/runner-default/main.tf index 39a49fbe1..5038a9e9e 100644 --- a/examples/runner-default/main.tf +++ b/examples/runner-default/main.tf @@ -79,9 +79,6 @@ module "runner" { "tf-aws-gitlab-runner:instancelifecycle" = "spot:yes" } - runners_privileged = "true" - runners_additional_volumes = ["/certs/client"] - runners_volumes_tmpfs = [ { volume = "/var/opt/cache", 
@@ -106,6 +103,11 @@ module "runner" { } ] + runners_docker_options = { + privileged = "true" + volumes = ["/cache", "/certs/client"] + } + runners_pre_build_script = < value if value != null && key != "volumes" + }, { + volumes = local.runners_volumes + }) + } + ) + + # Ensure max builds is optional runners_max_builds_string = var.runners_max_builds == 0 ? "" : format("MaxBuilds = %d", var.runners_max_builds) @@ -64,17 +74,13 @@ locals { name_sg = var.overrides["name_sg"] == "" ? local.tags["Name"] : var.overrides["name_sg"] name_iam_objects = lookup(var.overrides, "name_iam_objects", "") == "" ? local.tags["Name"] : var.overrides["name_iam_objects"] - runners_additional_volumes = <<-EOT - %{~if var.runners_add_dind_volumes~},"/certs/client", "/builds", "/var/run/docker.sock:/var/run/docker.sock"%{endif~}%{~for volume in var.runners_additional_volumes~},"${volume}"%{endfor~} - EOT + runners_volumes = concat(var.runners_docker_options.volumes, var.runners_add_dind_volumes ? ["/certs/client", "/builds", "/var/run/docker.sock:/var/run/docker.sock"] : []) runners_docker_services = templatefile("${path.module}/template/runners_docker_services.tftpl", { runners_docker_services = var.runners_docker_services } ) - runners_pull_policies = "[\"${join("\",\"", var.runners_pull_policies)}\"]" - /* determines if the docker machine executable adds the Name tag automatically (versions >= 0.16.2) */ # make sure to skip pre-release stuff in the semver by ignoring everything after "-" docker_machine_version_used = split(".", split("-", var.docker_machine_version)[0]) diff --git a/main.tf b/main.tf index d4094708b..4ae6be50f 100644 --- a/main.tf +++ b/main.tf 
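Review bot: In the `locals.tf` hunk at `-64`, `runners_volumes = concat(var.runners_docker_options.volumes, ...)` no longer prepends the `"/cache"` entry that the removed heredoc template always emitted, so the cache volume is present only when the caller or the variable default lists it; the variable default is cut off in this chunk, but every updated example adds `"/cache"` by hand, which suggests it is not implied. If `/cache` is meant to stay mandatory, render `distinct(concat(["/cache"], var.runners_docker_options.volumes, ...))` and document it in the variable description; otherwise the migration notes should warn that omitting `volumes` drops the cache mount. The dind branch still publishes `/var/run/docker.sock` into every job container when `runners_add_dind_volumes` is set; that is pre-existing behaviour, but the new combined list is a good place for a comment `# docker.sock gives jobs root-equivalent access to the worker host` so the trade-off is visible next to the code.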
@@ -94,7 +94,6 @@ locals { gitlab_url = var.runners_gitlab_url gitlab_clone_url = var.runners_clone_url tls_ca_file = length(var.runners_gitlab_certificate) > 0 ? "tls-ca-file=\"/etc/gitlab-runner/certs/gitlab.crt\"" : "" - runners_extra_hosts = var.runners_extra_hosts runners_vpc_id = var.vpc_id runners_subnet_id = var.subnet_id runners_subnet_ids = length(var.fleet_executor_subnet_ids) > 0 ? var.fleet_executor_subnet_ids : [var.subnet_id] @@ -107,7 +106,6 @@ locals { runners_monitoring = var.runners_monitoring runners_ebs_optimized = var.runners_ebs_optimized runners_instance_profile = var.runners_executor == "docker+machine" ? aws_iam_instance_profile.docker_machine[0].name : "" - runners_additional_volumes = local.runners_additional_volumes docker_machine_options = length(local.docker_machine_options_string) == 1 ? "" : local.docker_machine_options_string docker_machine_name = format("%s-%s", local.runner_tags_merged["Name"], "%s") # %s is always needed runners_name = var.runners_name @@ -117,13 +115,6 @@ locals { runners_executor = var.runners_executor runners_limit = var.runners_limit runners_concurrent = var.runners_concurrent - runners_image = var.runners_image - runners_privileged = var.runners_privileged - runners_disable_cache = var.runners_disable_cache - runners_docker_runtime = var.runners_docker_runtime - runners_helper_image = var.runners_helper_image - runners_shm_size = var.runners_shm_size - runners_pull_policies = local.runners_pull_policies runners_idle_count = var.runners_idle_count runners_idle_time = var.runners_idle_time runners_max_builds = local.runners_max_builds_string 
@@ -140,6 +131,7 @@ locals { runners_request_concurrency = var.runners_request_concurrency runners_output_limit = var.runners_output_limit runners_check_interval = var.runners_check_interval + runners_docker_options = local.runners_docker_options_toml runners_volumes_tmpfs = join("\n", [for v in var.runners_volumes_tmpfs : format("\"%s\" = \"%s\"", v.volume, v.options)]) runners_services_volumes_tmpfs = join("\n", [for v in var.runners_services_volumes_tmpfs : format("\"%s\" = \"%s\"", v.volume, v.options)]) runners_docker_services = local.runners_docker_services diff --git a/migrations/migrate-to-7-0-0.sh b/migrations/migrate-to-7-0-0.sh index de69a715d..540743aa4 100755 --- a/migrations/migrate-to-7-0-0.sh +++ b/migrations/migrate-to-7-0-0.sh 
@@ -28,3 +28,54 @@ sed -i '/asg_terminate_lifecycle_lambda_timeout/d' "$converted_file"
 # PR #711 feat!: refactor Docker Machine autoscaling options
 #
 sed -i 's/runners_machine_autoscaling/runners_machine_autoscaling_options/g' "$converted_file"
+
+#
+# PR #710 chore!: remove old variable `runners_pull_policy`
+#
+sed -i '/runners_pull_policy/d' "$converted_file"
+
+#
+# PR #511 feat!: allow to set all docker options for the Executor
+#
+extracted_variables=$(grep -E '(runners_docker_runtime|runners_helper_image|runners_shm_size|runners_shm_size|runners_extra_hosts|runners_disable_cache|runners_image|runners_privileged)' "$converted_file")
+
+sed -i '/runners_image/d' "$converted_file"
+sed -i '/runners_privileged/d' "$converted_file"
+sed -i '/runners_disable_cache/d' "$converted_file"
+sed -i '/runners_extra_hosts/d' "$converted_file"
+sed -i '/runners_shm_size/d' "$converted_file"
+sed -i '/runners_docker_runtime/d' "$converted_file"
+sed -i '/runners_helper_image/d' "$converted_file"
+
+# content to be added to `volumes`
+volumes=$(grep "runners_additional_volumes" "$converted_file" | cut -d '=' -f 2 | tr -d '[]')
+
+if [ -n "$volumes" ]; then
+ extracted_variables="$extracted_variables
+ volumes = [\"/cache\", $volumes]"
+fi
+
+sed -i '/runners_additional_volumes/d' "$converted_file"
+
+
+# rename the variables
+extracted_variables=$(echo "$extracted_variables" | \
+ sed 's/runners_image/image/g' | \
+ sed 's/runners_privileged/privileged/g' | \
+ sed 's/runners_disable_cache/disable_cache/g' | \
+ sed 's/runners_extra_hosts/extra_hosts/g' | \
+ sed 's/runners_shm_size/shm_size/g' | \
+ sed 's/runners_docker_runtime/runtime/g' | \
+ sed 's/runners_helper_image/helper_image/g'
+ )
+
+# add new block runners_docker_options at the end
+echo "$(head -n -1 "$converted_file")
+runners_docker_options {
+ $extracted_variables
+}
+}" > x
+
+mv x "$converted_file"
+
+echo "Module call converted. Output: $converted_file"
\ No newline at end of file
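Review bot: The block appended by the final `echo` is written as `runners_docker_options {`, but inside a `module` call an input must be assigned, so the converted file fails `terraform validate` with an unsupported-block error; emit `runners_docker_options = {` instead. Under `set -eu`, `extracted_variables=$(grep -E ...)` aborts the whole script when the module call sets none of those inputs, because `grep` exits 1 on no match — append `|| true` to that command substitution. The deletion patterns are unanchored substrings, so `sed -i '/runners_pull_policy/d'` also removes a `runners_pull_policies` line without carrying its value into the new block; anchor them, e.g. `sed -i -E '/^[[:space:]]*runners_pull_policy[[:space:]]*=/d'`. The intermediate file `x` is created in the caller's working directory and overwrites any existing file of that name; `tmp=$(mktemp)` avoids that, and `head -n -1` is GNU-only, which should be stated next to the existing `sed -i` caveat.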
diff --git a/template/runner-config.tftpl b/template/runner-config.tftpl index 021e0645a..7381062b8 100644 --- a/template/runner-config.tftpl +++ b/template/runner-config.tftpl @@ -18,22 +18,17 @@ listen_address = "${prometheus_listen_address}" request_concurrency = ${runners_request_concurrency} output_limit = ${runners_output_limit} limit = ${runners_limit} - [runners.docker] - tls_verify = false - image = "${runners_image}" - privileged = ${runners_privileged} - disable_cache = ${runners_disable_cache} - volumes = ["/cache"${runners_additional_volumes}] - extra_hosts = ${jsonencode(runners_extra_hosts)} - shm_size = ${runners_shm_size} - pull_policy = ${runners_pull_policies} - runtime = "${runners_docker_runtime}" - helper_image = "${runners_helper_image}" - ${runners_docker_services} + + ${runners_docker_options} + + ${runners_docker_services} + [runners.docker.tmpfs] ${runners_volumes_tmpfs} + [runners.docker.services_tmpfs] ${runners_services_volumes_tmpfs} + [runners.cache] Type = "s3" Shared = ${shared_cache} @@ -43,6 +38,7 @@ listen_address = "${prometheus_listen_address}" BucketName = "${bucket_name}" BucketLocation = "${aws_region}" Insecure = false + [runners.machine] IdleCount = ${runners_idle_count} IdleTime = ${runners_idle_time} diff --git a/template/runners_docker_options.tftpl b/template/runners_docker_options.tftpl new file mode 100644 index 000000000..2a4dcac4a --- /dev/null +++ b/template/runners_docker_options.tftpl @@ -0,0 +1,4 @@ + [runners.docker] +%{ for key, value in options ~} + ${key} = ${jsonencode(value)} +%{ endfor ~} diff --git a/variables.tf b/variables.tf index 647ab9ceb..66284e254 100644 --- a/variables.tf +++ b/variables.tf 
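Review bot: The new `runners_docker_options.tftpl` renders `${key} = ${jsonencode(value)}`, which relies on JSON being valid TOML for the value; that holds for strings, numbers, booleans and lists, but `jsonencode({a = "b"})` yields `{"a":"b"}` while TOML needs `{ "a" = "b" }`, so any object-typed option (the `variables.tf` part of this patch is cut off here, but `sysctls` is added to the spell-check list later in the series and is a map in GitLab's docs) would produce an unparsable `config.toml`. Either reject map values in a `validation` block on `runners_docker_options` or render them as a `[runners.docker.<key>]` sub-table. The previously hard-coded `tls_verify = false` is gone from `runner-config.tftpl`; whether it is still emitted now depends on the variable default, which this chunk does not show, so please confirm the rendered output is unchanged for a caller who sets nothing, as the PR description claims.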
@@ -206,64 +206,77 @@ variable "runners_max_builds" { default = 0 } -variable "runners_image" { - description = "Image to run builds, will be used in the runner config.toml" - type = string - default = "docker:18.03.1-ce" -} - -variable "runners_privileged" { - description = "Runners will run in privileged mode, will be used in the runner config.toml" - type = bool - default = true -} - -variable "runners_disable_cache" { - description = "Runners will not use local cache, will be used in the runner config.toml" - type = bool - default = false -} - variable "runners_add_dind_volumes" { description = "Add certificates and docker.sock to the volumes to support docker-in-docker (dind)" type = bool default = false } -variable "runners_additional_volumes" { - description = "Additional volumes that will be used in the runner config.toml, e.g Docker socket" - type = list(any) - default = [] -} - -variable "runners_extra_hosts" { - description = "Extra hosts that will be used in the runner config.toml, e.g other-host:127.0.0.1" - type = list(any) - default = [] -} - -variable "runners_shm_size" { - description = "shm_size for the runners, will be used in the runner config.toml" - type = number - default = 0 -} +variable "runners_docker_options" { + description = < Date: Thu, 27 Apr 2023 10:34:20 +0200 Subject: [PATCH 53/74] format code --- main.tf | 4 ++-- variables.tf | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/main.tf b/main.tf index 09175bdc7..f9ffda923 100644 --- a/main.tf +++ b/main.tf @@ -81,7 +81,7 @@ locals { public_key = var.runner_worker_docker_machine_fleet.enable == true ? tls_private_key.fleet[0].public_key_openssh : "" use_fleet = var.runner_worker_docker_machine_fleet.enable private_key = var.runner_worker_docker_machine_fleet.enable == true ? tls_private_key.fleet[0].private_key_pem : "" - }) + }) template_runner_config = templatefile("${path.module}/template/runner-config.tftpl", { 
@@ -168,7 +168,7 @@ data "aws_ami" "docker-machine" { # kics-scan ignore-line resource "aws_autoscaling_group" "gitlab_runner_instance" { # TODO Please explain how `agent_enable_asg_recreation` works - name = var.runner_enable_asg_recreation ? "${aws_launch_template.gitlab_runner_instance.name}-asg" : "${var.environment}-as-group" + name = var.runner_enable_asg_recreation ? "${aws_launch_template.gitlab_runner_instance.name}-asg" : "${var.environment}-as-group" vpc_zone_identifier = length(var.runner_worker_docker_machine_instance.subnet_ids) > 0 ? var.runner_worker_docker_machine_instance.subnet_ids : [var.subnet_id] min_size = "1" max_size = "1" diff --git a/variables.tf b/variables.tf index d1a0ba493..591be2faa 100644 --- a/variables.tf +++ b/variables.tf @@ -548,7 +548,7 @@ variable "runner_worker_docker_machine_fleet" { key_pair_name = The name of the key pair used by the runner to connect to the docker-machine executors. This variable is only supported when use_fleet is set to true. EOT type = object({ - enable = bool + enable = bool key_pair_name = optional(string, "fleet-key") }) default = { @@ -713,7 +713,7 @@ variable "debug" { trace_runner_user_data: Enable bash trace for the user data script on the Agent. Be aware this could log sensitive data such as you GitLab runner token. write_runner_config_to_file: Outputs the user data script and `config.toml` to the local file system. EOT - type = object({ + type = object({ trace_runner_user_data = optional(bool, false) write_runner_config_to_file = optional(bool, false) }) From ba9201651018fef4213ad74dbef2c2d6dc8dd706 Mon Sep 17 00:00:00 2001 From: kayma Date: Thu, 27 Apr 2023 10:36:50 +0200 Subject: [PATCH 54/74] add suppressed_tags again --- variables.tf | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/variables.tf b/variables.tf index 591be2faa..26aa0ac8b 100644 --- a/variables.tf +++ b/variables.tf 
@@ -52,6 +52,12 @@ variable "tags" { default = {} } +variable "suppressed_tags" { + description = "List of tag keys which are removed from tags, agent_tags and runner_tags and never added as default tag by the module." + type = list(string) + default = [] +} + variable "security_group_prefix" { description = "Set the name prefix and overwrite the `Name` tag for all security groups." type = string From d82d8e7b06e9c0eaef1ce7da90e78003e759a61c Mon Sep 17 00:00:00 2001 From: kayma Date: Thu, 27 Apr 2023 10:42:15 +0200 Subject: [PATCH 55/74] fix instance_types --- main.tf | 1 - 1 file changed, 1 deletion(-) diff --git a/main.tf b/main.tf index f9ffda923..af6c6e5dd 100644 --- a/main.tf +++ b/main.tf @@ -98,7 +98,6 @@ locals { runners_subnet_id = var.subnet_id runners_subnet_ids = length(var.runner_worker_docker_machine_instance.subnet_ids) > 0 ? var.runner_worker_docker_machine_instance.subnet_ids : [var.subnet_id] runners_aws_zone = data.aws_availability_zone.runners.name_suffix - runners_instance_type = var.runner_worker_docker_machine_instance.type runners_instance_types = var.runner_worker_docker_machine_instance.types runners_spot_price_bid = var.runner_worker_docker_machine_instance_spot.max_price == "on-demand-price" || var.runner_worker_docker_machine_instance_spot.max_price == null ? "" : var.runner_worker_docker_machine_instance_spot.max_price runners_ami = var.runner_worker.type == "docker+machine" ? data.aws_ami.docker-machine[0].id : "" From 9a10733f52f846ee63c0c026da9d9fb9a825a691 Mon Sep 17 00:00:00 2001 From: kayma Date: Thu, 27 Apr 2023 10:45:44 +0200 Subject: [PATCH 56/74] fix example --- examples/runner-multi-region/main.tf | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/examples/runner-multi-region/main.tf b/examples/runner-multi-region/main.tf index 24a7b920f..4416c5ed8 100644 --- a/examples/runner-multi-region/main.tf +++ b/examples/runner-multi-region/main.tf 
@@ -29,7 +29,7 @@ module "runner_main_region" { environment = var.environment security_group_prefix = "my-security-group" - iam_object_prefix = local.iam_object_prefix_main_region + iam_object_prefix = local.name_iam_objects_main_region runner_instance = { name = var.runner_name @@ -55,7 +55,7 @@ module "runner_main_region" { runner_worker_cache = { shared = "true" - bucket_prefix = local.bucket_prefix_main_region + bucket_prefix = local.cache_bucket_prefix_main_region include_account_id = false } @@ -102,7 +102,7 @@ module "runner_alternate_region" { environment = var.environment security_group_prefix = "my-security-group" - iam_object_prefix = local.iam_object_prefix_main_region # <-- + iam_object_prefix = local.name_iam_objects_alternate_region # <-- runner_gitlab = { url = var.gitlab_url @@ -129,7 +129,7 @@ module "runner_alternate_region" { runner_worker_cache = { shared = "true" - bucket_prefix = local.bucket_prefix_alternate_region + bucket_prefix = local.cache_bucket_prefix_alternate_region } runner_worker_docker_options = { From 0ef219d28388734c83031c871c4e411363ab846a Mon Sep 17 00:00:00 2001 From: kayma Date: Thu, 27 Apr 2023 11:23:12 +0200 Subject: [PATCH 57/74] rework variable descriptions --- .cspell.json | 2 + .mega-linter.yml | 2 + variables.tf | 162 ++++++++++++++++++++++++----------------------- 3 files changed, 86 insertions(+), 80 deletions(-) diff --git a/.cspell.json b/.cspell.json index 6d0ad9557..79f3d4a5a 100644 --- a/.cspell.json +++ b/.cspell.json @@ -19,6 +19,7 @@ "companys", "concat", "cpu", + "cpus", "cpuset", "devskim", "dind", @@ -48,6 +49,7 @@ "subkey", "substr", "sysctl", + "sysctls", "templatefile", "terrascan", "terratest", diff --git a/.mega-linter.yml b/.mega-linter.yml index a529a0722..be1a8a09f 100644 --- a/.mega-linter.yml +++ b/.mega-linter.yml 
@@ -4,6 +4,8 @@ DISABLE_LINTERS: - TERRAFORM_TFLINT # Super slow linter, but useful. We disable it here and run it in parallel to Megalinter saves some minutes. - TERRAFORM_KICS + # has issues with the Terraform code `optional` variable definitions: https://github.com/tenable/terrascan/issues/1532 + - TERRAFORM_TERRASCAN # Nice linter to report CVEs and other cool stuff. But it reports problems with the Terraform code which can't be disabled by # configuration. - REPOSITORY_TRIVY diff --git a/variables.tf b/variables.tf index 26aa0ac8b..362ac4756 100644 --- a/variables.tf +++ b/variables.tf @@ -2,17 +2,20 @@ * Global variables */ variable "vpc_id" { - description = "The target VPC for the agent and executors (e.g. docker-machine) instances." + description = "The VPC used for the runner and runner workers." type = string } variable "subnet_id" { - description = "Subnet id used for the agent and executors. Must belong to the `vpc_id`." + description = <<-EOT + Subnet id used for the Runner and Runner Workers. Must belong to the `vpc_id`. In case the fleet mode is used, multiple subnets for + the Runner Workers can be provided with runner_worker_docker_machine_instance.subnet_ids. + EOT type = string } variable "kms_key_id" { - description = "KMS key id to encrypt the resources. Ensure CloudWatch and Agent/Executors have access to the provided KMS key." + description = "KMS key id to encrypt the resources. Ensure that CloudWatch and Runner/Runner Workers have access to the provided KMS key." type = string default = "" } @@ -53,7 +56,7 @@ variable "tags" { } variable "suppressed_tags" { - description = "List of tag keys which are removed from tags, agent_tags and runner_tags and never added as default tag by the module." + description = "List of tag keys which are automatically removed and never added as default tag by the module." type = list(string) default = [] } 
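Review bot: Adding TERRAFORM_TERRASCAN to DISABLE_LINTERS drops a security scanner from the Megalinter pass, and the new comment only cites the upstream `optional()` issue without saying what still covers the Terraform code. The `tfsec PR commenter` job visible later in this series and the separately run TFLint/KICS mentioned in the neighbouring comments presumably keep coverage, but that is inferred, not stated here. I would extend the comment to `# TODO: re-enable once tenable/terrascan#1532 is fixed; tfsec/KICS still scan the Terraform code in ci.yml` so the exclusion is visibly temporary and the compensating control is named.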
@@ -71,14 +74,15 @@ variable "iam_object_prefix" { } /* - * Runner Manager: A type of runner that can create multiple runners for autoscaling. Specific to the type of executor used. + * Runner Manager: A manager which creates multiple Runners (only one Runner supported by this module) which in turn creates + * multiple Runner Workers (e.g. docker-machine). */ variable "runner_manager" { description = <<-EOT gitlab_check_interval = Number of seconds between checking for available jobs. - maximum_concurrent_jobs = The maximum number of jobs which can be processed by all executors at the same time. + maximum_concurrent_jobs = The maximum number of jobs which can be processed by all Runners at the same time. prometheus_listen_address = Defines an address (:) the Prometheus metrics HTTP server should listen on. - sentry_dsn = Sentry DSN of the project for the Agent to use (uses legacy DSN format) + sentry_dsn = Sentry DSN of the project for the Runner Manager to use (uses legacy DSN format) EOT type = object({ gitlab_check_interval = optional(number, 3) 
@@ -94,19 +98,19 @@ variable "runner_manager" { */ variable "runner_instance" { description = <<-EOT - additional_tags = Map of tags that will be added to the Agent instance. + additional_tags = Map of tags that will be added to the Runner instance. collect_autoscaling_metrics = A list of metrics to collect. The allowed values are GroupDesiredCapacity, GroupInServiceCapacity, GroupPendingCapacity, GroupMinSize, GroupMaxSize, GroupInServiceInstances, GroupPendingInstances, GroupStandbyInstances, GroupStandbyCapacity, GroupTerminatingCapacity, GroupTerminatingInstances, GroupTotalCapacity, GroupTotalInstances. - ebs_optimized = Enable EBS optimization for the Agent instance. - max_lifetime_seconds = The maximum time an Agent should live before it is killed. - monitoring = Enable the detailed monitoring on the Agent instance. + ebs_optimized = Enable EBS optimization for the Runner instance. + max_lifetime_seconds = The maximum time a Runner should live before it is killed. + monitoring = Enable the detailed monitoring on the Runner instance. name = Name of the Runner instance. - name_prefix = Set the name prefix and override the `Name` tag for the Agent instance. - private_address_only = Restrict the Agent to the use of a private IP address. If this is set to `false` it will override the `runners_use_private_address` for the agent. - root_device_config = The Agent's root block device configuration. Takes the following keys: `device_name`, `delete_on_termination`, `volume_type`, `volume_size`, `encrypted`, `iops`, `throughput`, `kms_key_id` - spot_price = By setting a spot price bid price the runner agent will be created via a spot request. Be aware that spot instances can be stopped by AWS. Choose \"on-demand-price\" to pay up to the current on demand price for the instance type chosen. - ssm_access = Allows to connect to the Agent via SSM. + name_prefix = Set the name prefix and override the `Name` tag for the Runner instance. 
+ private_address_only = Restrict the Runner to use private IP addresses only. If this is set to `true` the Runner will use a private IP address only in case the Runner Workers use private addresses only. + root_device_config = The Runner's root block device configuration. Takes the following keys: `device_name`, `delete_on_termination`, `volume_type`, `volume_size`, `encrypted`, `iops`, `throughput`, `kms_key_id` + spot_price = By setting a spot price bid price the Runner is created via a spot request. Be aware that spot instances can be stopped by AWS. Choose \"on-demand-price\" to pay up to the current on demand price for the instance type chosen. + ssm_access = Allows to connect to the Runner via SSM. type = EC2 instance type used. - use_eip = Assigns an EIP to the Agent. + use_eip = Assigns an EIP to the Runner. EOT type = object({ additional_tags = optional(map(string)) @@ -129,7 +133,7 @@ variable "runner_instance" { } variable "runner_ami_filter" { - description = "List of maps used to create the AMI filter for the Agent AMI. Must resolve to an Amazon Linux 1 or 2 image." + description = "List of maps used to create the AMI filter for the Runner AMI. Must resolve to an Amazon Linux 1 or 2 image." type = map(list(string)) default = { 
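Review bot: The rewritten `private_address_only` description on the new side is hard to act on: "the Runner will use a private IP address only in case the Runner Workers use private addresses only" makes the Runner's own public-IP exposure depend on a worker setting, which is not what a reader of `runner_instance` expects and is not restated anywhere in the hunk. If the behaviour really is coupled (the old text said `false` overrides `runners_use_private_address`), state the rule in one unambiguous sentence, e.g. `private_address_only = Give the Runner instance no public IP. Only effective when the Runner Workers also use private addresses only (see runner_worker_docker_machine_instance.private_address_only); otherwise the Runner gets a public IP.`, and say what the default is, since a public IP on the manager is the security-relevant outcome. The object's `default` block is outside this hunk, so the default cannot be checked here.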
@@ -138,17 +142,17 @@ variable "runner_ami_filter" { } variable "runner_ami_owners" { - description = "The list of owners used to select the AMI of the Agent instance." + description = "The list of owners used to select the AMI of the Runner instance." type = list(string) default = ["amazon"] } variable "runner_networking" { description = <<-EOT - allow_incoming_ping = Allow ICMP Ping to the Agent. Specify `allow_incoming_ping_security_group_ids` too! - allow_incoming_ping_security_group_ids = A list of security group ids that are allowed to ping the gitlab runner agent - security_group_description = A description for the Agent's security group - security_group_ids = IDs of security groups to add to the Agent. + allow_incoming_ping = Allow ICMP Ping to the Runner. Specify `allow_incoming_ping_security_group_ids` too! + allow_incoming_ping_security_group_ids = A list of security group ids that are allowed to ping the Runner. + security_group_description = A description for the Runner's security group + security_group_ids = IDs of security groups to add to the Runner. EOT type = object({ allow_incoming_ping = optional(bool, false) @@ -160,7 +164,7 @@ variable "runner_networking" { } variable "runner_networking_egress_rules" { - description = "List of egress rules for the Agent." + description = "List of egress rules for the Runner." type = list(object({ cidr_blocks = list(string) ipv6_cidr_blocks = list(string) 
@@ -190,11 +194,11 @@ variable "runner_networking_egress_rules" { variable "runner_role" { description = <<-EOT additional_tags = Map of tags that will be added to the role created. Useful for tag based authorization. - allow_iam_service_linked_role_creation = Boolean used to control attaching the policy to the Agent to create service linked roles. - assume_role_policy_json = The assume role policy for the Agent. - create_role_profile = Whether to create the IAM role/profile for the Agent. If you provide your own role, make sure that it has the required permissions. - policy_arns = List of policy ARNs to be added to the instance profile of the Agent. - role_profile_name = IAM role/profile name for the Agent. If unspecified then `$${var.iam_object_prefix}-instance` is used. + allow_iam_service_linked_role_creation = Boolean used to control attaching the policy to the Runner to create service linked roles. + assume_role_policy_json = The assume role policy for the Runner. + create_role_profile = Whether to create the IAM role/profile for the Runner. If you provide your own role, make sure that it has the required permissions. + policy_arns = List of policy ARNs to be added to the instance profile of the Runner. + role_profile_name = IAM role/profile name for the Runner. If unspecified then `$${var.iam_object_prefix}-instance` is used. EOT type = object({ additional_tags = optional(map(string)) @@ -208,7 +212,7 @@ variable "runner_role" { } variable "runner_metadata_options" { - description = "Enable the Gitlab runner agent instance metadata service. IMDSv2 is enabled by default." + description = "Enable the Runner instance metadata service. IMDSv2 is enabled by default." type = object({ http_endpoint = string http_tokens = string 
@@ -224,19 +228,19 @@ variable "runner_metadata_options" { } variable "runner_schedule_enable" { - description = "Set to `true` to enable the auto scaling group schedule for the Agent." + description = "Set to `true` to enable the auto scaling group schedule for the Runner." type = bool default = false } variable "runner_enable_asg_recreation" { - description = "Enable automatic redeployment of the Agent ASG when the Launch Configs change." + description = "Enable automatic redeployment of the Runner's ASG when the Launch Configs change." default = true type = bool } variable "runner_schedule_config" { - description = "Map containing the configuration of the ASG scale-out and scale-in for the Agent. Will only be used if `agent_schedule_enable` is set to `true`. " + description = "Map containing the configuration of the ASG scale-out and scale-in for the Runner. Will only be used if `agent_schedule_enable` is set to `true`. " type = map(any) default = { # Configure optional scale_out scheduled action 
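Review bot: `runner_schedule_config`'s description on the new side still says it is only used if `agent_schedule_enable` is set to `true`, but the variable it refers to is named `runner_schedule_enable` in the same hunk, so the cross-reference points at a name that does not exist. Change it to `Will only be used if `runner_schedule_enable` is set to `true`.` and drop the trailing space before the closing quote. Everything else in this commit uses `runner_` prefixes, so this looks like a leftover from the Agent→Runner rename.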
@@ -258,10 +262,10 @@ variable "runner_install" { amazon_ecr_credentials_helper = Install amazon-ecr-credential-helper inside `userdata_pre_install` script docker_machine_download_url = URL to download docker machine binary. If not set, the docker machine version will be used to download the binary. docker_machine_version = By default docker_machine_download_url is used to set the docker machine version. This version will be ignored once `docker_machine_download_url` is set. The version number is maintained by the CKI project. Check out at https://gitlab.com/cki-project/docker-machine/-/releases - pre_install_script = Script to run before installing the runner - post_install_script = Script to run after installing the runner - start_script = Script to run after starting the runner - yum_update = Update the yum packages before installing the runner + pre_install_script = Script to run before installing the Runner + post_install_script = Script to run after installing the Runner + start_script = Script to run after starting the Runner + yum_update = Update the yum packages before installing the Runner EOT type = object({ amazon_ecr_credential_helper = optional(bool, false) @@ -290,7 +294,7 @@ variable "runner_cloudwatch" { } variable "runner_gitlab_registration_config" { - description = "Configuration used to register the Agent. See the README for an example, or reference the examples in the examples directory of this repo." + description = "Configuration used to register the Runner. See the README for an example, or reference the examples in the examples directory of this repo." type = object({ registration_token = optional(string, "") tag_list = optional(string, "") 
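Review bot: The `runner_install` description still documents the key as `amazon_ecr_credentials_helper`, while the object type two lines below declares `amazon_ecr_credential_helper` (singular); a user who copies the documented name gets an object-type error from Terraform instead of the helper. Since this commit reworks the descriptions, align the description line with the type: `amazon_ecr_credential_helper = Install amazon-ecr-credential-helper inside the `userdata_pre_install` script`. The rest of the object type is outside the hunk, so I could not check the other keys.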
@@ -308,8 +312,8 @@ variable "runner_gitlab" { description = <<-EOT ca_certificate = Trusted CA certificate bundle (PEM format). certificate = Certificate of the GitLab instance to connect to (PEM format). - registration_token = Registration token to use to register the runner. Do not use. This is replaced by the `registration_token` in `runner_gitlab_registration_config`. - runner_version = Version of the [GitLab runner](https://gitlab.com/gitlab-org/gitlab-runner/-/releases). + registration_token = Registration token to use to register the Runner. Do not use. This is replaced by the `registration_token` in `runner_gitlab_registration_config`. + runner_version = Version of the [GitLab Runner](https://gitlab.com/gitlab-org/gitlab-runner/-/releases). url = URL of the GitLab instance to connect to. url_clone = URL of the GitLab instance to clone from. Use only if the agent can’t connect to the GitLab URL. EOT 
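Review bot: `runner_gitlab.registration_token` is documented as "Do not use" yet still accepted; keeping a deprecated secret-carrying input through a major release (the series removed `runners_pull_policy` for less) means the token still lands in plan output and state diffs if the object is not marked sensitive. Either remove the key in 7.0.0 or make the deprecation actionable, e.g. `registration_token = DEPRECATED, will be removed. Use runner_gitlab_registration_config.registration_token instead; the value is a secret and must come from a sensitive variable.`, and confirm the object carries `sensitive = true` (the `type`/`sensitive` attributes are outside this hunk). The `url_clone` line also still speaks of "the agent", which the rest of the commit renamed to Runner.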
@@ -342,24 +346,24 @@ variable "runner_terminate_ec2_lifecycle_hook_name" { } variable "runner_terraform_timeout_delete_asg" { - description = "Timeout when trying to delete the Agent ASG." + description = "Timeout when trying to delete the Runner ASG." default = "10m" type = string } /* - * Runner Worker: The process created by the runner on the host computing platform to run jobs. + * Runner Worker: The process created by the Runner on the host computing platform to run jobs. */ variable "runner_worker" { description = <<-EOT - environment_variables = List of environment variables to add to the runner. - idle_count = Number of idle Executor instances. - idle_time = Idle time of the runners before they are destroyed. - max_jobs = Number of jobs which can be processed in parallel by the executor. + environment_variables = List of environment variables to add to the Runner Worker. + idle_count = Number of idle Runner Worker instances. + idle_time = Idle time of the Runner Worker before they are destroyed. + max_jobs = Number of jobs which can be processed in parallel by the Runner Worker. output_limit = Sets the maximum build log size in kilobytes. Default is 4MB request_concurrency = Limit number of concurrent requests for new jobs from GitLab (default 1). - ssm_access = Allows to connect to the Executor via SSM. - type = The executor type to use. Currently supports `docker+machine` or `docker`. + ssm_access = Allows to connect to the Runner Worker via SSM. + type = The Runner Worker type to use. Currently supports `docker+machine` or `docker`. EOT type = object({ environment_variables = optional(list(string), []) 
@@ -382,7 +386,7 @@ variable "runner_worker" { variable "runner_worker_cache" { description = <<-EOT Configuration to control the creation of the cache bucket. By default the bucket will be created and used as shared - cache. To use the same cache across multiple runners disable the creation of the cache and provide a policy and + cache. To use the same cache across multiple Runner Worker disable the creation of the cache and provide a policy and bucket name. See the public runner example for more details." access_log_bucker_id = The ID of the bucket where the access logs are stored. @@ -404,7 +408,7 @@ variable "runner_worker_cache" { authentication_type = optional(string, "iam") bucket = optional(string, "") bucket_prefix = optional(string, "") - create = bool + create = optional(bool, true) expiration_days = optional(number, 1) include_account_id = optional(bool, true) policy = optional(string, "") @@ -412,9 +416,7 @@ variable "runner_worker_cache" { shared = optional(bool, false) versioning = optional(bool, false) }) - default = { - create = true - } + default = {} } variable "runner_worker_gitlab_pipeline" { @@ -471,7 +473,7 @@ variable "runner_worker_docker_add_dind_volumes" { variable "runner_worker_docker_options" { description = < Date: Thu, 27 Apr 2023 11:29:29 +0200 Subject: [PATCH 58/74] GROUP-VARIABLES --- tags.tf | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tags.tf b/tags.tf index 05150f7d0..13fc0bd98 100644 --- a/tags.tf +++ b/tags.tf @@ -13,6 +13,8 @@ locals { agent_tags_merged = merge( { + # false positive: TfLint fails with: Call to function "format" failed: unsupported value for "%s" at 0: null value cannot be formatted. + # tflint-ignore: aws_iam_policy_sid_invalid_characters "Name" = format("%s", local.name_runner_agent_instance) }, { From 53fb67d1eb3da38105ec8d8eba5ad3dfcd4a4c51 Mon Sep 17 00:00:00 2001 
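Review bot: The reworded sentence in `runner_worker_cache` now says the cache is shared "across multiple Runner Worker", but the workers of one Runner already share the bucket this module creates; the scenario the sentence describes (`create = false` plus an existing bucket and policy) is sharing one bucket between several Runners, i.e. module instances. I would write `To use the same cache across multiple Runners (module instances), disable the creation of the cache and provide a policy and bucket name.` and drop the stray closing quote after `more details.`, which is not part of any string in a heredoc. The `shared`/`policy` keys are further down the object and outside this hunk.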
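Review bot: The `tflint-ignore: aws_iam_policy_sid_invalid_characters` annotation added in tags.tf names an IAM-policy rule, whereas the comment above it describes a `format()` evaluation failure on a null value; a rule-scoped ignore is unlikely to suppress an evaluation error, which would explain why the following commits also have to pass `runner_instance` values to tflint in ci.yml. Either name the rule that actually fires, or remove the need for the ignore: if the value can in fact never be null, `"Name" = local.name_runner_agent_instance` avoids the `format()` call entirely. The definition of `local.name_runner_agent_instance` is outside this hunk, so whether it can really be null is inferred from the comment.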
From: kayma Date: Thu, 27 Apr 2023 11:42:10 +0200 Subject: [PATCH 59/74] GROUP-VARIABLES --- .github/workflows/ci.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index d40a29f15..8481524d7 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -137,7 +137,8 @@ jobs: run: tflint --init - name: Run TFLint - run: tflint + # assign necessary variables to avoid errors + run: "tflint -var:'runner_instance={\"name_prefix\": \"a\", \"name\": \"b\"}'" tfsec: name: tfsec PR commenter From ee1adc7560596ad3f76f1a9f6ba1789a7869f0fe Mon Sep 17 00:00:00 2001 From: kayma Date: Thu, 27 Apr 2023 11:45:59 +0200 Subject: [PATCH 60/74] GROUP-VARIABLES --- .cspell.json | 4 +++- .github/workflows/ci.yml | 2 +- main.tf | 1 - modules/terminate-agent-hook/main.tf | 1 - 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.cspell.json b/.cspell.json index 79f3d4a5a..15b42a6cb 100644 --- a/.cspell.json +++ b/.cspell.json @@ -24,6 +24,7 @@ "devskim", "dind", "endfor", + "filesha", "formatlist", "gitter", "glrunners", @@ -64,7 +65,8 @@ "typecheck", "userdata", "userns", - "xanzy" + "xanzy", + "xvda" ], "flagWords": [] } diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 8481524d7..8fa97be2c 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -138,7 +138,7 @@ jobs: - name: Run TFLint # assign necessary variables to avoid errors - run: "tflint -var:'runner_instance={\"name_prefix\": \"a\", \"name\": \"b\"}'" + run: "tflint --var='runner_instance={\"name_prefix\": \"a\", \"name\": \"b\"}'" tfsec: name: tfsec PR commenter diff --git a/main.tf b/main.tf index af6c6e5dd..0211c23d4 100644 --- a/main.tf +++ b/main.tf 
@@ -274,7 +274,6 @@ resource "aws_launch_template" "gitlab_runner_instance" { dynamic "block_device_mappings" { for_each = [var.runner_instance.root_device_config] content { - # cSpell:ignore xvda device_name = lookup(block_device_mappings.value, "device_name", "/dev/xvda") ebs { delete_on_termination = lookup(block_device_mappings.value, "delete_on_termination", true) diff --git a/modules/terminate-agent-hook/main.tf b/modules/terminate-agent-hook/main.tf index 8a5f02a32..cae28368b 100644 --- a/modules/terminate-agent-hook/main.tf +++ b/modules/terminate-agent-hook/main.tf @@ -5,7 +5,6 @@ # terminating orphaned runner instances. # ---------------------------------------------------------------------------- locals { - # cSpell:ignore filesha source_sha256 = filesha256("${path.module}/lambda/lambda_function.py") } From c983ad567b4a0c4ac5471f89a007a54befe91223 Mon Sep 17 00:00:00 2001 From: kayma Date: Thu, 27 Apr 2023 11:51:59 +0200 Subject: [PATCH 61/74] GROUP-VARIABLES --- README.md | 12 ++++++++---- variables.tf | 2 +- 2 files changed, 9 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index c7c028e7b..864441439 100644 --- a/README.md +++ b/README.md 
@@ -374,10 +374,14 @@ module "runner" { ### Scenario: Use of Spot Fleet -Since spot instances can be taken over by AWS depending on the instance type and AZ you are using, you may want multiple instances types in multiple AZs. This is where spot fleets come in, when there is no capacity on one instance type and one AZ, AWS will take the next instance type and so on. This update has been possible since the [fork](https://gitlab.com/cki-project/docker-machine/-/tree/v0.16.2-gitlab.19-cki.2) of docker-machine supports spot fleets. - -We have seen that the [fork](https://gitlab.com/cki-project/docker-machine/-/tree/v0.16.2-gitlab.19-cki.2) of docker-machine this module is using consume more RAM using spot fleets. -For comparison, if you launch 50 machines in the same time, it consumes ~1.2GB of RAM. In our case, we had to change the `instance_type` of the runner from `t3.micro` to `t3.small`. +Since spot instances can be taken over by AWS depending on the instance type and AZ you are using, you may want multiple instances +types in multiple AZs. This is where spot fleets come in, when there is no capacity on one instance type and one AZ, AWS will take +the next instance type and so on. This update has been possible since the +[fork](https://gitlab.com/cki-project/docker-machine/-/tree/v0.16.2-gitlab.19-cki.2) of docker-machine supports spot fleets. + +We have seen that the [fork](https://gitlab.com/cki-project/docker-machine/-/tree/v0.16.2-gitlab.19-cki.2) of docker-machine this +module is using consume more RAM using spot fleets. For comparison, if you launch 50 machines in the same time, it consumes +~1.2GB of RAM. In our case, we had to change the `instance_type` of the runner from `t3.micro` to `t3.small`. #### Configuration example ```hcl diff --git a/variables.tf b/variables.tf index 362ac4756..e7a6f0073 100644 --- a/variables.tf +++ b/variables.tf 
@@ -638,7 +638,7 @@ variable "runner_worker_docker_machine_instance" { ebs_optimized = Enable EBS optimization for the Runner Worker. monitoring = Enable detailed monitoring for the Runner Worker. name_prefix = Set the name prefix and override the `Name` tag for the Runner Worker. - private_address_only = Restrict Runner Worker to the use of a private IP address. If `runner_isntance.use_private_address_only` is set to `true` (default), `runner_worker_docker_machine_instance.private_address_only` will also apply for the Runner. + private_address_only = Restrict Runner Worker to the use of a private IP address. If `runner_instance.use_private_address_only` is set to `true` (default), `runner_worker_docker_machine_instance.private_address_only` will also apply for the Runner. root_size = The size of the root volume for the Runner Worker. start_script = Cloud-init user data that will be passed to the Runner Worker. Should not be base64 encrypted. subnet_ids = The list of subnet IDs to use for the Runner Worker when the fleet mode is enabled. From 62c73d8950fc38c5fcc069b7334306bf64d62bca Mon Sep 17 00:00:00 2001 From: kayma Date: Thu, 27 Apr 2023 12:36:37 +0200 Subject: [PATCH 62/74] add docs --- variables.tf | 25 +++++++++++++++---------- 1 file changed, 15 insertions(+), 10 deletions(-) diff --git a/variables.tf b/variables.tf index e7a6f0073..dfbe84b70 100644 --- a/variables.tf +++ b/variables.tf 
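Review bot: The typo fix on the new side still leaves a dangling reference: `runner_instance.use_private_address_only` is not a key of `runner_instance`, whose documented key earlier in this series is `private_address_only`, and the "(default)" claim is not backed by anything in this hunk. Suggest `private_address_only = Restrict Runner Worker to the use of a private IP address. If `runner_instance.private_address_only` is set to `true`, the Runner itself will also use a private IP address only.` (or whatever the real coupling is) so both descriptions tell the same story. The nearby `start_script` line says the user data should not be "base64 encrypted"; that should read "base64 encoded".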
@@ -79,10 +79,12 @@ variable "iam_object_prefix" { */ variable "runner_manager" { description = <<-EOT - gitlab_check_interval = Number of seconds between checking for available jobs. - maximum_concurrent_jobs = The maximum number of jobs which can be processed by all Runners at the same time. - prometheus_listen_address = Defines an address (:) the Prometheus metrics HTTP server should listen on. - sentry_dsn = Sentry DSN of the project for the Runner Manager to use (uses legacy DSN format) + For details check https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-global-section + + gitlab_check_interval = Number of seconds between checking for available jobs (check_interval) + maximum_concurrent_jobs = The maximum number of jobs which can be processed by all Runners at the same time (concurrent). + prometheus_listen_address = Defines an address (:) the Prometheus metrics HTTP server should listen on (listen_address). + sentry_dsn = Sentry DSN of the project for the Runner Manager to use (uses legacy DSN format) (sentry_dsn) EOT type = object({ gitlab_check_interval = optional(number, 3) @@ -294,7 +296,7 @@ variable "runner_cloudwatch" { } variable "runner_gitlab_registration_config" { - description = "Configuration used to register the Runner. See the README for an example, or reference the examples in the examples directory of this repo." + description = "Configuration used to register the Runner. See the README for an example, or reference the examples in the examples directory of this repo. There is also a good GitLab documentation available at: https://docs.gitlab.com/ee/ci/runners/configure_runners.html" type = object({ registration_token = optional(string, "") tag_list = optional(string, "") 
@@ -356,12 +358,15 @@ variable "runner_terraform_timeout_delete_asg" { */ variable "runner_worker" { description = <<-EOT - environment_variables = List of environment variables to add to the Runner Worker. - idle_count = Number of idle Runner Worker instances. - idle_time = Idle time of the Runner Worker before they are destroyed. + For detailed information, check https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-runners-section + and https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-runnersmachine-section + + environment_variables = List of environment variables to add to the Runner Worker (environment). + idle_count = Number of idle Runner Worker instances (not working for the Docker Runner Worker) (IdleCount). + idle_time = Idle time of the Runner Worker before they are destroyed (not working for the Docker Runner Worker) (IdleTime). max_jobs = Number of jobs which can be processed in parallel by the Runner Worker. - output_limit = Sets the maximum build log size in kilobytes. Default is 4MB - request_concurrency = Limit number of concurrent requests for new jobs from GitLab (default 1). + output_limit = Sets the maximum build log size in kilobytes. Default is 4MB (output_limit). + request_concurrency = Limit number of concurrent requests for new jobs from GitLab (default 1) (request_concurrency). ssm_access = Allows to connect to the Runner Worker via SSM. type = The Runner Worker type to use. Currently supports `docker+machine` or `docker`. EOT From 9c7db8f6b59afaa34b2f46a9ad7b93c2d6072430 Mon Sep 17 00:00:00 2001 From: kayma Date: Thu, 27 Apr 2023 15:18:27 +0200 Subject: [PATCH 63/74] more docs --- migrations/migrate-to-7-0-0.sh | 12 ++++++------ variables.tf | 15 +++++++++------ 2 files changed, 15 insertions(+), 12 deletions(-) diff --git a/migrations/migrate-to-7-0-0.sh b/migrations/migrate-to-7-0-0.sh index 9ae65fe15..d6e41568f 100755 --- a/migrations/migrate-to-7-0-0.sh 
+++ b/migrations/migrate-to-7-0-0.sh @@ -416,13 +416,11 @@ if [ -n "$extracted_variables" ]; then " > x && mv x "$converted_file" fi -extracted_variables=$(grep -E '(runner_worker_extra_environment_variables|runner_worker_output_limit|runner_worker_request_concurrency|runner_worker_idle_count|runner_worker_idle_time|runner_worker_max_jobs|runner_worker_type|runner_worker_enable_ssm_access)' "$converted_file") +extracted_variables=$(grep -E '(runner_worker_extra_environment_variables|runner_worker_output_limit|runner_worker_request_concurrency|runner_worker_max_jobs|runner_worker_type|runner_worker_enable_ssm_access)' "$converted_file") sed -i '/runner_worker_enable_ssm_access/d' "$converted_file" sed -i '/runner_worker_type/d' "$converted_file" sed -i '/runner_worker_max_jobs/d' "$converted_file" -sed -i '/runner_worker_idle_time/d' "$converted_file" -sed -i '/runner_worker_idle_count/d' "$converted_file" sed -i '/runner_worker_request_concurrency/d' "$converted_file" sed -i '/runner_worker_output_limit/d' "$converted_file" sed -i '/runner_worker_extra_environment_variables/d' "$converted_file" @@ -431,8 +429,6 @@ sed -i '/runner_worker_extra_environment_variables/d' "$converted_file" extracted_variables=$(echo "$extracted_variables" | \ sed 's/runner_worker_enable_ssm_access/ssm_access/g' | \ sed 's/runner_worker_max_jobs/max_jobs/g' | \ - sed 's/runner_worker_idle_time/idle_time/g' | \ - sed 's/runner_worker_idle_count/idle_count/g' | \ sed 's/runner_worker_request_concurrency/request_concurrency/g' | \ sed 's/runner_worker_output_limit/output_limit/g' | \ sed 's/runner_worker_extra_environment_variables/environment_variables/g' | \ 
@@ -491,7 +487,7 @@ if [ -n "$extracted_variables" ]; then fi fi -extracted_variables=$(grep -E '(runner_worker_docker_machine_use_private_address|runner_worker_docker_machine_instance_type|runner_worker_docker_machine_docker_registry_mirror_url|runner_worker_docker_machine_max_builds|runner_worker_docker_machine_ec2_ebs_optimized|runner_worker_docker_machine_ec2_root_size|runner_worker_docker_machine_ec2_volume_type|runner_worker_docker_machine_userdata|runner_worker_docker_machine_enable_monitoring|runner_worker_enable_ssm_access|runner_worker_docker_machine_instance_prefix)' "$converted_file") +extracted_variables=$(grep -E '(runner_worker_idle_count|runner_worker_idle_time|runner_worker_docker_machine_use_private_address|runner_worker_docker_machine_instance_type|runner_worker_docker_machine_docker_registry_mirror_url|runner_worker_docker_machine_max_builds|runner_worker_docker_machine_ec2_ebs_optimized|runner_worker_docker_machine_ec2_root_size|runner_worker_docker_machine_ec2_volume_type|runner_worker_docker_machine_userdata|runner_worker_docker_machine_enable_monitoring|runner_worker_enable_ssm_access|runner_worker_docker_machine_instance_prefix)' "$converted_file") sed -i '/runner_worker_enable_ssm_access/d' "$converted_file" sed -i '/runner_worker_docker_machine_instance_prefix/d' "$converted_file" @@ -504,6 +500,8 @@ sed -i '/runner_worker_docker_machine_max_builds/d' "$converted_file" sed -i '/runner_worker_docker_machine_docker_registry_mirror_url/d' "$converted_file" sed -i '/runner_worker_docker_machine_use_private_address/d' "$converted_file" sed -i '/runner_worker_docker_machine_instance_type/d' "$converted_file" +sed -i '/runner_worker_idle_time/d' "$converted_file" +sed -i '/runner_worker_idle_count/d' "$converted_file" # rename the variables extracted_variables=$(echo "$extracted_variables" | \ 
@@ -516,6 +514,8 @@ extracted_variables=$(echo "$extracted_variables" | \ sed 's/runner_worker_docker_machine_max_builds/destroy_after_max_builds/g' | \ sed 's/runner_worker_docker_machine_docker_registry_mirror_url/docker_registry_mirror_url/g' | \ sed 's/runner_worker_docker_machine_instance_type/types/g' | \ + sed 's/runner_worker_idle_time/idle_time/g' | \ + sed 's/runner_worker_idle_count/idle_count/g' | \ sed 's/runner_worker_docker_machine_instance_prefix/name_prefix/g' ) diff --git a/variables.tf b/variables.tf index dfbe84b70..a03331ca1 100644 --- a/variables.tf +++ b/variables.tf @@ -358,12 +358,9 @@ variable "runner_terraform_timeout_delete_asg" { */ variable "runner_worker" { description = <<-EOT - For detailed information, check https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-runners-section - and https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-runnersmachine-section + For detailed information, check https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-runners-section. environment_variables = List of environment variables to add to the Runner Worker (environment). - idle_count = Number of idle Runner Worker instances (not working for the Docker Runner Worker) (IdleCount). - idle_time = Idle time of the Runner Worker before they are destroyed (not working for the Docker Runner Worker) (IdleTime). max_jobs = Number of jobs which can be processed in parallel by the Runner Worker. output_limit = Sets the maximum build log size in kilobytes. Default is 4MB (output_limit). request_concurrency = Limit number of concurrent requests for new jobs from GitLab (default 1) (request_concurrency). 
@@ -372,8 +369,6 @@ variable "runner_worker" { EOT type = object({ environment_variables = optional(list(string), []) - idle_count = optional(number, 0) - idle_time = optional(number, 600) max_jobs = optional(number, 0) output_limit = optional(number, 4096) request_concurrency = optional(number, 1) @@ -394,6 +389,8 @@ variable "runner_worker_cache" { cache. To use the same cache across multiple Runner Worker disable the creation of the cache and provide a policy and bucket name. See the public runner example for more details." + For detailed documentation check https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-runnerscaches3-section + access_log_bucker_id = The ID of the bucket where the access logs are stored. access_log_bucket_prefix = The bucket prefix for the access logs. authentication_type = A string that declares the AuthenticationType for [runners.cache.s3]. Can either be 'iam' or 'credentials' 
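Review bot: The documentation pointer added to the `runner_worker_cache` description is followed by an entry that spells the attribute `access_log_bucker_id`; if the object type of this variable (outside the hunk) declares `access_log_bucket_id`, the description and the type disagree and a reader copying the documented name gets an unsupported-attribute error. While touching this heredoc, the line should read `access_log_bucket_id = The ID of the bucket where the access logs are stored.`.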
@@ -638,9 +635,13 @@ variable "runner_worker_docker_machine_ami_owners" { variable "runner_worker_docker_machine_instance" { description = <<-EOT + For detailed documentation check https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-runnersmachine-section + docker_registry_mirror_url = The URL of the Docker registry mirror to use for the Runner Worker. destroy_after_max_builds = Destroy the instance after the maximum number of builds has been reached. ebs_optimized = Enable EBS optimization for the Runner Worker. + idle_count = Number of idle Runner Worker instances (not working for the Docker Runner Worker) (IdleCount). + idle_time = Idle time of the Runner Worker before they are destroyed (not working for the Docker Runner Worker) (IdleTime). monitoring = Enable detailed monitoring for the Runner Worker. name_prefix = Set the name prefix and override the `Name` tag for the Runner Worker. private_address_only = Restrict Runner Worker to the use of a private IP address. If `runner_instance.use_private_address_only` is set to `true` (default), `runner_worker_docker_machine_instance.private_address_only` will also apply for the Runner. @@ -654,6 +655,8 @@ variable "runner_worker_docker_machine_instance" { destroy_after_max_builds = optional(number, 0) docker_registry_mirror_url = optional(string, "") ebs_optimized = optional(bool, true) + idle_count = optional(number, 0) + idle_time = optional(number, 600) monitoring = optional(bool, false) name_prefix = optional(string, "") private_address_only = optional(bool, true) From bcb967f7198ba13c97df67a31c4930feeb32cde5 Mon Sep 17 00:00:00 2001 From: kayma Date: Thu, 27 Apr 2023 15:20:23 +0200 Subject: [PATCH 64/74] GROUP-VARIABLES --- main.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/main.tf b/main.tf index 0211c23d4..e69de8af3 100644 --- a/main.tf +++ b/main.tf 
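Review bot: The descriptions moved into `runner_worker_docker_machine_instance` in the `@@ -638,9 +635,13 @@` hunk keep the parenthetical "(not working for the Docker Runner Worker)" verbatim from `runner_worker`, which read as a caveat there but is now a contradiction, since this variable only configures the docker+machine worker. Suggested wording: `idle_count = Number of idle Runner Worker instances kept running by docker-machine (IdleCount).` and `idle_time = Idle time in seconds before an idle Runner Worker instance is destroyed (IdleTime).`. The defaults `optional(number, 0)` and `optional(number, 600)` added in the `@@ -654,6 +655,8 @@` hunk match the removed ones, so behaviour is unchanged for callers who did not set them.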
@@ -115,8 +115,8 @@ locals {
 runners_limit = var.runner_worker.max_jobs
 runners_concurrent = var.runner_manager.maximum_concurrent_jobs
 runners_pull_policies = local.runners_pull_policies
- runners_idle_count = var.runner_worker.idle_count
- runners_idle_time = var.runner_worker.idle_time
+ runners_idle_count = var.runner_worker_docker_machine_instance.idle_count
+ runners_idle_time = var.runner_worker_docker_machine_instance.idle_time
 runners_max_builds = local.runners_max_builds_string
 runners_root_size = var.runner_worker_docker_machine_instance.root_size
 runners_volume_type = var.runner_worker_docker_machine_instance.volume_type
From 026b7e7f42e2b985525fd7a59ca80365b45b1a1b Mon Sep 17 00:00:00 2001
From: Tyrone Meijn
Date: Thu, 2 Mar 2023 09:25:58 +0100
Subject: [PATCH 65/74] fix!: remove deprecated pull policy variable (#710)

## Description

Removes the earlier deprecated `runners_pull_policy` variable. Since were making a Major release I thought this one was nice to catch.

## Migrations required

YES. Replace the `runners_pull_policy` by `runners_pull_policies`.
---
 README.md | 1 -
 locals.tf | 2 +-
 variables.tf | 6 ------
 3 files changed, 1 insertion(+), 8 deletions(-)

diff --git a/README.md b/README.md
index 27ed360f1..61d5c4ab8 100644
--- a/README.md
+++ b/README.md
@@ -685,7 +685,6 @@ Made with [contributors-img](https://contrib.rocks). | [runners\_pre\_clone\_script](#input\_runners\_pre\_clone\_script) | Commands to be executed on the Runner before cloning the Git repository. this can be used to adjust the Git client configuration first, for example. | `string` | `"\"\""` | no | | [runners\_privileged](#input\_runners\_privileged) | Runners will run in privileged mode, will be used in the runner config.toml | `bool` | `true` | no | | [runners\_pull\_policies](#input\_runners\_pull\_policies) | pull policies for the runners, will be used in the runner config.toml, for Gitlab Runner >= 13.8, see https://docs.gitlab.com/runner/executors/docker.html#using-multiple-pull-policies | `list(string)` |
[
"always"
]
| no | -| [runners\_pull\_policy](#input\_runners\_pull\_policy) | Deprecated! Use runners\_pull\_policies instead. pull\_policy for the runners, will be used in the runner config.toml | `string` | `""` | no | | [runners\_request\_concurrency](#input\_runners\_request\_concurrency) | Limit number of concurrent requests for new jobs from GitLab (default 1). | `number` | `1` | no | | [runners\_request\_spot\_instance](#input\_runners\_request\_spot\_instance) | Whether or not to request spot instances via docker-machine | `bool` | `true` | no | | [runners\_root\_size](#input\_runners\_root\_size) | Runner instance root size in GB. | `number` | `16` | no | diff --git a/locals.tf b/locals.tf index 1ec0f29ee..51ae3ed85 100644 --- a/locals.tf +++ b/locals.tf @@ -78,7 +78,7 @@ locals { } ) - runners_pull_policies = var.runners_pull_policy != "" ? "[\"${var.runners_pull_policy}\"]" : "[\"${join("\",\"", var.runners_pull_policies)}\"]" + runners_pull_policies = "[\"${join("\",\"", var.runners_pull_policies)}\"]" /* determines if the docker machine executable adds the Name tag automatically (versions >= 0.16.2) */ # make sure to skip pre-release stuff in the semver by ignoring everything after "-" diff --git a/variables.tf b/variables.tf index 334f793c7..2219c8234 100644 --- a/variables.tf +++ b/variables.tf @@ -266,12 +266,6 @@ variable "runners_helper_image" { default = "" } -variable "runners_pull_policy" { - description = "Deprecated! Use runners_pull_policies instead. pull_policy for the runners, will be used in the runner config.toml" - type = string - default = "" -} - variable "runners_pull_policies" { description = "pull policies for the runners, will be used in the runner config.toml, for Gitlab Runner >= 13.8, see https://docs.gitlab.com/runner/executors/docker.html#using-multiple-pull-policies " type = list(string) From 1e289df86162e71477c1b6a0e5c9b4bd0d354db5 Mon Sep 17 00:00:00 2001 
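Review bot: The simplified `runners_pull_policies` local still assembles the TOML array by string concatenation, so an empty list renders as `[""]` (an invalid pull policy) and an entry containing a double quote or backslash produces an unparsable `config.toml` at runtime instead of a plan-time error. `runners_pull_policies = jsonencode(var.runners_pull_policies)` emits a JSON array of quoted strings, which is also a valid TOML array, yields `[]` for an empty input and escapes such characters. The later commit on this page (the `@@ -85,6 +85,12 @@` hunk of main.tf) already uses `jsonencode` for the autoscaling values, so this would make the two renderings consistent as well.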
From: kayma Date: Thu, 27 Apr 2023 08:53:40 +0200 Subject: [PATCH 66/74] chore!: remove deprecated variables (#738) This PR removes all variables which are marked as deprecated. - `arn_format` - `subnet_id_runners` - `subnet_ids_gitlab_runner` - `asg_terminate_lifecycle_hook_create` - `asg_terminate_lifecycle_hook_heartbeat_timeout` - `asg_terminate_lifecycle_lambda_memory_size` - `asg_terminate_lifecycle_lambda_runtime` - `asg_terminate_lifecycle_lambda_timeout` Yes. Remove the variables from your configuration. This is done automatically by the migration script. None. --------- Co-authored-by: Tyrone Meijn # Conflicts: # main.tf --- .cspell.json | 2 + README.md | 3 +- examples/runner-public/main.tf | 7 ++- main.tf | 9 ++-- migrations/migrate-to-7-0-0.sh | 25 +++++++++ modules/terminate-agent-hook/variables.tf | 6 --- variables.tf | 64 ----------------------- 7 files changed, 36 insertions(+), 80 deletions(-) create mode 100755 migrations/migrate-to-7-0-0.sh diff --git a/.cspell.json b/.cspell.json index 15180d9ab..b8a95ecdd 100644 --- a/.cspell.json +++ b/.cspell.json @@ -4,6 +4,7 @@ "words": [ "amazonec", "amannn", + "amazonec", "anytrue", "aquasecurity", "awscli", @@ -50,6 +51,7 @@ "tflint", "tftpl", "tfsec", + "tftpl", "tfvars", "tmpfs", "trivy", diff --git a/README.md b/README.md index 61d5c4ab8..40934ad91 100644 --- a/README.md +++ b/README.md 
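Review bot: Both `.cspell.json` additions duplicate words already present in the list: `"amazonec"` is the context line two above the insertion in the first hunk and `"tftpl"` is two lines above it in the second, so the commit changes nothing but adds duplicate entries (plausibly a rebase artefact, given the `# Conflicts:` trailer in the message). Dropping the two `+` lines leaves the dictionary unchanged; the later `.cspell.json` hunk on this page (`@@ -2,6 +2,7 @@` in the commit for #711) still shows the duplicated `"amazonec"`, so it should be cleaned up there too.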
@@ -1,8 +1,9 @@ - + [![Terraform registry](https://img.shields.io/github/v/release/cattle-ops/terraform-aws-gitlab-runner?label=Terraform%20Registry)](https://registry.terraform.io/modules/cattle-ops/gitlab-runner/aws/) [![Gitter](https://badges.gitter.im/terraform-aws-gitlab-runner/Lobby.svg)](https://gitter.im/terraform-aws-gitlab-runner/Lobby?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge) [![Actions](https://github.com/cattle-ops/terraform-aws-gitlab-runner/workflows/CI/badge.svg)](https://github.com/cattle-ops/terraform-aws-gitlab-runner/actions) + # Terraform module for GitLab auto scaling runners on AWS spot instances diff --git a/examples/runner-public/main.tf b/examples/runner-public/main.tf index ffd2ae3ea..0d5d2c82e 100644 --- a/examples/runner-public/main.tf +++ b/examples/runner-public/main.tf @@ -2,7 +2,7 @@ data "aws_availability_zones" "available" { state = "available" } -# VPC Flow logs are not needed here +# Every VPC resource should have an associated Flow Log: This is an example only. No flow logs are created. # kics-scan ignore-line module "vpc" { source = "terraform-aws-modules/vpc/aws" @@ -79,9 +79,8 @@ module "runner2" { runners_use_private_address = false - vpc_id = module.vpc.vpc_id - subnet_ids_gitlab_runner = module.vpc.public_subnets - subnet_id_runners = element(module.vpc.public_subnets, 0) + vpc_id = module.vpc.vpc_id + subnet_id = element(module.vpc.public_subnets, 0) docker_machine_spot_price_bid = "on-demand-price" diff --git a/main.tf b/main.tf index 5f9ed1bae..ef2f12ad2 100644 --- a/main.tf +++ b/main.tf @@ -2,7 +2,7 @@ data "aws_caller_identity" "current" {} data "aws_partition" "current" {} data "aws_subnet" "runners" { - id = length(var.subnet_id) > 0 ? var.subnet_id : var.subnet_id_runners + id = var.subnet_id } data "aws_availability_zone" "runners" { 
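Review bot: `id = var.subnet_id` in `data "aws_subnet" "runners"` makes `subnet_id` effectively mandatory, but the commit adds no check for it: the removed expression guarded on `length(var.subnet_id) > 0`, which suggests the variable still carries an empty default (its declaration is outside this hunk), and an empty `id` only fails during plan inside the AWS API call with a message that does not name the input. A `validation` block on `variable "subnet_id"` with `condition = length(var.subnet_id) > 0`, or removing its default, turns that into a clear plan-time error. The same consideration applies to the other two uses introduced in the `@@ -91,8 +91,8 @@` and `@@ -171,7 +171,7 @@` hunks of this file.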
@@ -91,8 +91,8 @@ locals { tls_ca_file = length(var.runners_gitlab_certificate) > 0 ? "tls-ca-file=\"/etc/gitlab-runner/certs/gitlab.crt\"" : "" runners_extra_hosts = var.runners_extra_hosts runners_vpc_id = var.vpc_id - runners_subnet_id = length(var.subnet_id) > 0 ? var.subnet_id : var.subnet_id_runners - runners_subnet_ids = length(var.fleet_executor_subnet_ids) > 0 ? var.fleet_executor_subnet_ids : length(var.subnet_id) > 0 ? [var.subnet_id] : [var.subnet_id_runners] + runners_subnet_id = var.subnet_id + runners_subnet_ids = length(var.fleet_executor_subnet_ids) > 0 ? var.fleet_executor_subnet_ids : [var.subnet_id] runners_aws_zone = data.aws_availability_zone.runners.name_suffix runners_instance_type = var.docker_machine_instance_type runners_instance_types = length(var.docker_machine_instance_types_fleet) > 0 ? var.docker_machine_instance_types_fleet : [var.docker_machine_instance_type] @@ -171,7 +171,7 @@ data "aws_ami" "docker-machine" { # kics-scan ignore-line resource "aws_autoscaling_group" "gitlab_runner_instance" { name = var.enable_asg_recreation ? "${aws_launch_template.gitlab_runner_instance.name}-asg" : "${var.environment}-as-group" - vpc_zone_identifier = length(var.fleet_executor_subnet_ids) > 0 ? var.fleet_executor_subnet_ids : length(var.subnet_id) > 0 ? [var.subnet_id] : var.subnet_ids_gitlab_runner + vpc_zone_identifier = length(var.fleet_executor_subnet_ids) > 0 ? var.fleet_executor_subnet_ids : [var.subnet_id] min_size = "1" max_size = "1" desired_capacity = "1" @@ -674,7 +674,6 @@ module "terminate_agent_hook" { name_docker_machine_runners = local.runner_tags_merged["Name"] role_permissions_boundary = var.permissions_boundary == "" ? null : "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:policy/${var.permissions_boundary}" kms_key_id = local.kms_key - arn_format = var.arn_format tags = local.tags } 
diff --git a/migrations/migrate-to-7-0-0.sh b/migrations/migrate-to-7-0-0.sh
new file mode 100755
index 000000000..8aaaa9b4e
--- /dev/null
+++ b/migrations/migrate-to-7-0-0.sh
@@ -0,0 +1,25 @@
+#!/bin/sh
+set -eu
+
+#
+# Precondition: The module call has been extracted to a separate file given in "$1". The code is well-formatted.
+# Run `terraform fmt` to do that
+#
+# $1: file name containing the module call to be converted
+#
+
+converted_file="$1.new"
+
+cp "$1" "$converted_file"
+
+#
+# PR #738 chore!: remove deprecated variables
+#
+sed -i '/arn_format/d' "$converted_file"
+sed -i '/subnet_id_runners/d' "$converted_file"
+sed -i '/subnet_ids_gitlab_runner/d' "$converted_file"
+sed -i '/asg_terminate_lifecycle_hook_create/d' "$converted_file"
+sed -i '/asg_terminate_lifecycle_hook_heartbeat_timeout/d' "$converted_file"
+sed -i '/asg_terminate_lifecycle_lambda_memory_size/d' "$converted_file"
+sed -i '/asg_terminate_lifecycle_lambda_runtime/d' "$converted_file"
+sed -i '/asg_terminate_lifecycle_lambda_timeout/d' "$converted_file"
diff --git a/modules/terminate-agent-hook/variables.tf b/modules/terminate-agent-hook/variables.tf
index 3f8a22897..3cfb49970 100644
--- a/modules/terminate-agent-hook/variables.tf
+++ b/modules/terminate-agent-hook/variables.tf
@@ -60,9 +60,3 @@ variable "enable_xray_tracing" {
 type = bool
 default = false
 }
-
-variable "arn_format" {
- type = string
- default = "arn:aws"
- description = "ARN format to be used. May be changed to support deployment in GovCloud/China regions."
-}
diff --git a/variables.tf b/variables.tf
index 2219c8234..93c57e9d7 100644
--- a/variables.tf
+++ b/variables.tf
@@ -3,12 +3,6 @@ variable "aws_region" {
 type = string
 }
 
-variable "arn_format" {
- type = string
- default = null
- description = "Deprecated! Calculated automatically by the module. ARN format to be used. May be changed to support deployment in GovCloud/China regions."
-}
-
 variable "auth_type_cache_sr" {
 description = "A string that declares the AuthenticationType for [runners.cache.s3]. Can either be 'iam' or 'credentials'"
 type = string
@@ -885,70 +879,12 @@ variable "docker_machine_egress_rules" { }] } -variable "subnet_id_runners" { - description = "Deprecated! Use subnet_id instead. List of subnets used for hosting the gitlab-runners." - type = string - default = "" -} - -variable "subnet_ids_gitlab_runner" { - description = "Deprecated! Use subnet_id instead. Subnet used for hosting the GitLab runner." - type = list(string) - default = [] -} - variable "asg_terminate_lifecycle_hook_name" { description = "Specifies a custom name for the ASG terminate lifecycle hook and related resources." type = string default = null } -variable "asg_terminate_lifecycle_hook_create" { - description = "(Deprecated and always true now) Boolean toggling the creation of the ASG instance terminate lifecycle hook." - type = bool - default = true - - validation { - condition = var.asg_terminate_lifecycle_hook_create - error_message = "The hook must be created. Please remove the variable declaration." - } -} - -variable "asg_terminate_lifecycle_hook_heartbeat_timeout" { - description = "(Deprecated and no longer in use) The amount of time, in seconds, for the instances to remain in wait state." - type = number - default = null - - validation { - condition = var.asg_terminate_lifecycle_hook_heartbeat_timeout == null - error_message = "The timeout value is managed by the module. Please remove the variable declaration." - } -} - -# to be removed in future release -# tflint-ignore: terraform_unused_declarations -variable "asg_terminate_lifecycle_lambda_memory_size" { - description = "(Deprecated and no longer in use) The memory size in MB to allocate to the terminate-instances Lambda function." - type = number - default = 128 -} - -# to be removed in future release -# tflint-ignore: terraform_unused_declarations -variable "asg_terminate_lifecycle_lambda_runtime" { - description = "(Deprecated and no longer in use) Identifier of the function's runtime. This should be a python3.x runtime. 
See https://docs.aws.amazon.com/lambda/latest/dg/API_CreateFunction.html#SSS-CreateFunction-request-Runtime for more information." - type = string - default = "python3.8" -} - -# to be removed in future release -# tflint-ignore: terraform_unused_declarations -variable "asg_terminate_lifecycle_lambda_timeout" { - description = "(Deprecated and no longer in use) Amount of time the terminate-instances Lambda Function has to run in seconds." - default = 30 - type = number -} - variable "runner_yum_update" { description = "Run a yum update as part of starting the runner" type = bool From 41281052428ca477982179f69b02c50269e44a75 Mon Sep 17 00:00:00 2001 
From: Tyrone Meijn Date: Thu, 20 Apr 2023 08:50:14 +0200 Subject: [PATCH 67/74] feat!: add idle_count_min` and `idle_scale_factor` to Docker Machine autoscaling options (#711) ## Description Switches from hardcoded options to free-from scaling configuration. This reduces the module complexity by allowing to get rid of a number of variables while giving more control to the user to define their options without us having to build support into it for. Adds `idle_scale_factor` and `idle_count_min` Docker Machine options. See [documentation](https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-runnersmachine-section"). ## Migrations required YES - users will have to change the input name from `runners_machine_autoscaling` to `runners_machine_autoscaling_options`. No other changes should be needed, we just support _more_ options. A migration script is available. ## Verification No input given: (end of rendered `config.toml`) ![image](https://user-images.githubusercontent.com/17970041/225890782-02fe4adc-4c6a-4237-9752-a64349464113.png) Input: ```hcl runners_machine_autoscaling_options = [ { periods = ["* * 9-17 * * mon-fri *", "* * 9-17 * * mon-fri *"] idle_count = 50 idle_count_min = 10 idle_time = 3600 timezone = "UTC" idle_scale_factor = 1.5 }, { periods = ["* * 9-17 * * mon-fri *", "* * 9-17 * * mon-fri *"] idle_count = 50 idle_time = 3600 timezone = "Europe/Amsterdam" } ] ``` Rendered `config.toml`: ![image](https://user-images.githubusercontent.com/17970041/225891085-add03ee8-3943-4c56-96a4-d1a8c252deb0.png) Apply results: ![image](https://user-images.githubusercontent.com/17970041/225893020-a9850486-4aa6-4eb0-b996-558ec7bccfea.png) Closes #556 --------- Co-authored-by: Matthias Kay --- .cspell.json | 7 ++++--- .github/workflows/ci.yml | 2 +- .terraform-version | 2 +- examples/runner-default/main.tf | 4 ++-- examples/runner-pre-registered/main.tf | 4 ++-- locals.tf | 5 ----- main.tf | 7 ++++++- migrations/migrate-to-7-0-0.sh | 5 +++++ 
outputs.tf | 5 +++++ template/runner-config.tftpl | 8 +++++++- template/runners_machine_autoscaling.tftpl | 7 ------- variables.tf | 23 +++++++++++++++++----- 12 files changed, 51 insertions(+), 28 deletions(-) delete mode 100644 template/runners_machine_autoscaling.tftpl diff --git a/.cspell.json b/.cspell.json index b8a95ecdd..877c3e397 100644 --- a/.cspell.json +++ b/.cspell.json @@ -2,6 +2,7 @@ "version": "0.2", "language": "en", "words": [ + "alltrue", "amazonec", "amannn", "amazonec", @@ -22,9 +23,7 @@ "endfor", "formatlist", "gitter", - "godotenv", - "golangci", - "gruntwork", + "glrunners", "instancelifecycle", "kics", "joho", @@ -39,10 +38,12 @@ "pylint", "pylintrc", "pyright", + "setsubtract", "shuf", "signoff", "signum", "stretchr", + "subkey", "substr", "templatefile", "terrascan", diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 324db2a70..a96f7f751 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -31,7 +31,7 @@ jobs: strategy: fail-fast: false matrix: - terraform: [ 1.0.11, 1.3.9, latest ] + terraform: [1.3.9, latest] example: [ "runner-default", diff --git a/.terraform-version b/.terraform-version index 337a6a8f1..589268e6f 100644 --- a/.terraform-version +++ b/.terraform-version @@ -1 +1 @@ -1.0.8 \ No newline at end of file +1.3.0 \ No newline at end of file diff --git a/examples/runner-default/main.tf b/examples/runner-default/main.tf index 84e089824..39a49fbe1 100644 --- a/examples/runner-default/main.tf +++ b/examples/runner-default/main.tf @@ -97,9 +97,9 @@ module "runner" { ] # working 9 to 5 :) - runners_machine_autoscaling = [ + runners_machine_autoscaling_options = [ { - periods = ["\"* * 0-9,17-23 * * mon-fri *\"", "\"* * * * * sat,sun *\""] + periods = ["* * 0-9,17-23 * * mon-fri *", "* * * * * sat,sun *"] idle_count = 0 idle_time = 60 timezone = var.timezone diff --git a/examples/runner-pre-registered/main.tf b/examples/runner-pre-registered/main.tf index e6d204c15..75d50d7b6 100644 
--- a/examples/runner-pre-registered/main.tf +++ b/examples/runner-pre-registered/main.tf @@ -40,9 +40,9 @@ module "runner" { runners_token = var.runner_token # working 9 to 5 :) - runners_machine_autoscaling = [ + runners_machine_autoscaling_options = [ { - periods = ["\"* * 0-9,17-23 * * mon-fri *\"", "\"* * * * * sat,sun *\""] + periods = ["* * 0-9,17-23 * * mon-fri *", "* * * * * sat,sun *"] idle_count = 0 idle_time = 60 timezone = var.timezone diff --git a/locals.tf b/locals.tf index 51ae3ed85..b841f590d 100644 --- a/locals.tf +++ b/locals.tf @@ -68,11 +68,6 @@ locals { %{~if var.runners_add_dind_volumes~},"/certs/client", "/builds", "/var/run/docker.sock:/var/run/docker.sock"%{endif~}%{~for volume in var.runners_additional_volumes~},"${volume}"%{endfor~} EOT - runners_machine_autoscaling = templatefile("${path.module}/template/runners_machine_autoscaling.tftpl", { - runners_machine_autoscaling = var.runners_machine_autoscaling - } - ) - runners_docker_services = templatefile("${path.module}/template/runners_docker_services.tftpl", { runners_docker_services = var.runners_docker_services } diff --git a/main.tf b/main.tf index ef2f12ad2..dda108c71 100644 --- a/main.tf +++ b/main.tf @@ -85,6 +85,12 @@ locals { template_runner_config = templatefile("${path.module}/template/runner-config.tftpl", { + runners_machine_autoscaling = [for config in var.runners_machine_autoscaling_options : { + for key, value in config : + # Convert key from snake_case to PascalCase which is the casing for this section. + join("", [for subkey in split("_", key) : title(subkey)]) => jsonencode(value) if value != null + }] + aws_region = var.aws_region gitlab_url = var.runners_gitlab_url gitlab_clone_url = var.runners_clone_url 
@@ -122,7 +128,6 @@ locals { runners_idle_count = var.runners_idle_count runners_idle_time = var.runners_idle_time runners_max_builds = local.runners_max_builds_string - runners_machine_autoscaling = local.runners_machine_autoscaling runners_root_size = var.runners_root_size runners_volume_type = var.runners_volume_type runners_iam_instance_profile_name = var.runners_iam_instance_profile_name diff --git a/migrations/migrate-to-7-0-0.sh b/migrations/migrate-to-7-0-0.sh index 8aaaa9b4e..de69a715d 100755 --- a/migrations/migrate-to-7-0-0.sh +++ b/migrations/migrate-to-7-0-0.sh @@ -23,3 +23,8 @@ sed -i '/asg_terminate_lifecycle_hook_heartbeat_timeout/d' "$converted_file" sed -i '/asg_terminate_lifecycle_lambda_memory_size/d' "$converted_file" sed -i '/asg_terminate_lifecycle_lambda_runtime/d' "$converted_file" sed -i '/asg_terminate_lifecycle_lambda_timeout/d' "$converted_file" + +# +# PR #711 feat!: refactor Docker Machine autoscaling options +# +sed -i 's/runners_machine_autoscaling/runners_machine_autoscaling_options/g' "$converted_file" diff --git a/outputs.tf b/outputs.tf index ac7e92104..81b0fa3b0 100644 --- a/outputs.tf +++ b/outputs.tf @@ -57,3 +57,8 @@ output "runner_user_data" { description = "The user data of the Gitlab Runner Agent's launch template." value = nonsensitive(local.template_user_data) } + +output "runner_config_toml_rendered" { + description = "The rendered config.toml given to the Runner Manager." + value = local.template_runner_config +} diff --git a/template/runner-config.tftpl b/template/runner-config.tftpl index 64c80975c..021e0645a 100644 --- a/template/runner-config.tftpl +++ b/template/runner-config.tftpl @@ -80,4 +80,10 @@ listen_address = "${prometheus_listen_address}" ${docker_machine_options} ] -${runners_machine_autoscaling} +%{~ for config in runners_machine_autoscaling ~} + [[runners.machine.autoscaling]] + %{~ for key, value in config ~} + ${key} = ${value} + %{~ endfor ~} +%{~ endfor ~} + 
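Review bot: `sed -i 's/runners_machine_autoscaling/runners_machine_autoscaling_options/g'` in the migration script is a plain substring substitution, so running the script a second time, or on a configuration that already uses the new name, produces `runners_machine_autoscaling_options_options`. Matching the whole word keeps the rewrite idempotent; since the script already depends on GNU sed through `-i`, `sed -i 's/\<runners_machine_autoscaling\>/runners_machine_autoscaling_options/g' "$converted_file"` is acceptable here.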
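Review bot: The new `runner_config_toml_rendered` output publishes the complete rendered `config.toml` without `sensitive = true`, so whatever the template interpolates is printed by `terraform apply` and `terraform output` and lands in CI logs for every module user; the template inputs are not visible here, but a Runner config.toml is where the registration token (the runner-pre-registered example on this page passes `runners_token = var.runner_token`) and any cache credentials would end up. Terraform only rejects an unmarked output when the value is already tainted as sensitive, and values that arrive through plain `string` variables are not, so the plan succeeding is no evidence that the output is safe; the neighbouring `runner_user_data` output wrapping its value in `nonsensitive()` suggests the template locals are already known to carry secrets. Adding `sensitive = true` to the output keeps the debugging use via `terraform output -raw runner_config_toml_rendered` while stopping the value from being displayed by default.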
diff --git a/template/runners_machine_autoscaling.tftpl b/template/runners_machine_autoscaling.tftpl deleted file mode 100644 index 71b40fda1..000000000 --- a/template/runners_machine_autoscaling.tftpl +++ /dev/null @@ -1,7 +0,0 @@ -%{ for config in runners_machine_autoscaling ~} - [[runners.machine.autoscaling]] - Periods = [${replace(format("\"%s\"", join("\",\"", config.periods)), "/\"{2,}/", "\"")}] - IdleCount = ${config.idle_count} - IdleTime = ${config.idle_time} - Timezone = "${config.timezone}" -%{ endfor ~} diff --git a/variables.tf b/variables.tf index 93c57e9d7..b4efcf66b 100644 --- a/variables.tf +++ b/variables.tf @@ -278,14 +278,27 @@ variable "runners_ebs_optimized" { default = true } -variable "runners_machine_autoscaling" { +variable "runners_machine_autoscaling_options" { description = "Set autoscaling parameters based on periods, see https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-runnersmachine-section" type = list(object({ - periods = list(string) - idle_count = number - idle_time = number - timezone = string + periods = list(string) + idle_count = optional(number) + idle_scale_factor = optional(number) + idle_count_min = optional(number) + idle_time = optional(number) + timezone = optional(string, "UTC") })) + + validation { + condition = alltrue([ + for options in var.runners_machine_autoscaling_options : + length( + setsubtract([for key, value in options : key if value != null], ["periods", "timezone"]) + ) > 0 + ]) + + error_message = "Please specify an attribute that affects Autoscaling." + } default = [] } From 7e05787031be82899b038db23094581b3f5f7906 Mon Sep 17 00:00:00 2001 
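Review bot: `optional(number)` and `optional(string, "UTC")` in the object type of `runners_machine_autoscaling_options` require Terraform 1.3, but this commit's diffstat on this page touches `.terraform-version` and the CI matrix only and not `versions.tf`, so `required_version` (outside the hunk) presumably still admits the 1.0.x that the removed CI entry used to test; on such a version users get a parse error on the type expression rather than a clear constraint message. Bumping `required_version = ">= 1.3.0"` belongs in the same commit (the later commit for #511 on this page does change `versions.tf`). Minor style: `default = []` now follows the `validation` block; keeping it next to `description` and `type` matches the other variables in the file.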
From: Matthias Kay Date: Thu, 20 Apr 2023 10:14:17 +0200 Subject: [PATCH 68/74] feat!: allow to set all docker options for the Executor (#511) ## Description Adds a new variable `runners_docker_options` which holds all values for the `[runners.docker]` section and makes the single variables - `runners_image` - `runners_privileged` - `runners_disable_cache` - `runners_additional_volumes` - `runners_shm_size` - `runners_docker_runtime` - `runners_helper_image` - `runners_pull_policy` obsolete. ## Migrations required Yes, as the minimum Terraform version is 1.3.0 to support optional block variables with defaults. A migration script is provided to restructure the variables. See `/migrations/migrate-to-7-0-0.sh`. Attention Mac users: The script will not work out of the box as the `sed` implementation is different. Use a Docker container with Alpine or Ubuntu to run the script. ```hcl module "gitlab_ci_runner" { ... runners_docker_options { # set whatever is necessary } ``` ## Verification - [x] Use current configuration and ensure that the `config.toml` remains unchanged - [x] Set all new block variables and ensure that the `config.toml` is valid (use `gitlab-runner verify) - [x] Check that the default settings with Terraform 1.3 work as expected - [x] Verify all docker settings against the documentation to ensure correct names The runner starts in both cases and is available in Gitlab. No example tested but used our active configuration at Hapag-Lloyd. 
--------- Co-authored-by: Tyrone Meijn --- .github/workflows/ci.yml | 2 +- examples/runner-certificates/main.tf | 7 +- examples/runner-default/main.tf | 8 +- examples/runner-multi-region/main.tf | 12 ++- examples/runner-public/main.tf | 6 +- locals.tf | 16 ++-- main.tf | 10 +-- migrations/migrate-to-7-0-0.sh | 51 ++++++++++++ template/runner-config.tftpl | 20 ++--- template/runners_docker_options.tftpl | 4 + variables.tf | 113 ++++++++++++++------------ versions.tf | 2 +- 12 files changed, 163 insertions(+), 88 deletions(-) create mode 100644 template/runners_docker_options.tftpl diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index a96f7f751..d40a29f15 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -31,7 +31,7 @@ jobs: strategy: fail-fast: false matrix: - terraform: [1.3.9, latest] + terraform: [ 1.3.9, latest ] example: [ "runner-default", diff --git a/examples/runner-certificates/main.tf b/examples/runner-certificates/main.tf index e7c9c5875..c0bef14ae 100644 --- a/examples/runner-certificates/main.tf +++ b/examples/runner-certificates/main.tf @@ -51,7 +51,12 @@ module "runner" { # cp /etc/gitlab-runner/certs/* /usr/local/share/ca-certificates/ # update-ca-certificates # Or similar OS-dependent commands. The above are an example for Ubuntu. - runners_additional_volumes = ["/etc/gitlab-runner/certs/:/etc/gitlab-runner/certs:ro"] + runners_docker_options = { + volumes = [ + "/cache", + "/etc/gitlab-runner/certs/:/etc/gitlab-runner/certs:ro" + ] + } ############################################### # Registration diff --git a/examples/runner-default/main.tf b/examples/runner-default/main.tf index 39a49fbe1..5038a9e9e 100644 --- a/examples/runner-default/main.tf +++ b/examples/runner-default/main.tf @@ -79,9 +79,6 @@ module "runner" { "tf-aws-gitlab-runner:instancelifecycle" = "spot:yes" } - runners_privileged = "true" - runners_additional_volumes = ["/certs/client"] - runners_volumes_tmpfs = [ { volume = "/var/opt/cache", 
@@ -106,6 +103,11 @@ module "runner" { } ] + runners_docker_options = { + privileged = "true" + volumes = ["/cache", "/certs/client"] + } + runners_pre_build_script = < value if value != null && key != "volumes" + }, { + volumes = local.runners_volumes + }) + } + ) + + # Ensure max builds is optional runners_max_builds_string = var.runners_max_builds == 0 ? "" : format("MaxBuilds = %d", var.runners_max_builds) @@ -64,17 +74,13 @@ locals { name_sg = var.overrides["name_sg"] == "" ? local.tags["Name"] : var.overrides["name_sg"] name_iam_objects = lookup(var.overrides, "name_iam_objects", "") == "" ? local.tags["Name"] : var.overrides["name_iam_objects"] - runners_additional_volumes = <<-EOT - %{~if var.runners_add_dind_volumes~},"/certs/client", "/builds", "/var/run/docker.sock:/var/run/docker.sock"%{endif~}%{~for volume in var.runners_additional_volumes~},"${volume}"%{endfor~} - EOT + runners_volumes = concat(var.runners_docker_options.volumes, var.runners_add_dind_volumes ? ["/certs/client", "/builds", "/var/run/docker.sock:/var/run/docker.sock"] : []) runners_docker_services = templatefile("${path.module}/template/runners_docker_services.tftpl", { runners_docker_services = var.runners_docker_services } ) - runners_pull_policies = "[\"${join("\",\"", var.runners_pull_policies)}\"]" - /* determines if the docker machine executable adds the Name tag automatically (versions >= 0.16.2) */ # make sure to skip pre-release stuff in the semver by ignoring everything after "-" docker_machine_version_used = split(".", split("-", var.docker_machine_version)[0]) diff --git a/main.tf b/main.tf index dda108c71..68c0ee056 100644 --- a/main.tf +++ b/main.tf 
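Review bot: `runners_volumes = concat(var.runners_docker_options.volumes, …)` means a caller who sets `volumes` replaces whatever default the object type supplies rather than extending it; both examples changed in this commit now list `"/cache"` by hand, which is exactly the entry a user migrating from `runners_additional_volumes` will forget and thereby lose the cache mount without any plan-time hint. The description of `runners_docker_options` (outside this hunk) should state it explicitly, e.g. `volumes = Volumes mounted into the job containers. This list replaces the default, so include "/cache" if the cache volume is still wanted.`, and the migration script for this change should carry `/cache` over when it rewrites `runners_additional_volumes`. The docker-socket mount behind `runners_add_dind_volumes` is unchanged context here, but since it grants jobs control of the worker's Docker daemon it is worth a sentence in the same description as well.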
@@ -95,7 +95,6 @@ locals {
 gitlab_url = var.runners_gitlab_url
 gitlab_clone_url = var.runners_clone_url
 tls_ca_file = length(var.runners_gitlab_certificate) > 0 ? "tls-ca-file=\"/etc/gitlab-runner/certs/gitlab.crt\"" : ""
- runners_extra_hosts = var.runners_extra_hosts
 runners_vpc_id = var.vpc_id
 runners_subnet_id = var.subnet_id
 runners_subnet_ids = length(var.fleet_executor_subnet_ids) > 0 ? var.fleet_executor_subnet_ids : [var.subnet_id]
@@ -108,7 +107,6 @@ locals {
 runners_monitoring = var.runners_monitoring
 runners_ebs_optimized = var.runners_ebs_optimized
 runners_instance_profile = var.runners_executor == "docker+machine" ? aws_iam_instance_profile.docker_machine[0].name : ""
- runners_additional_volumes = local.runners_additional_volumes
 docker_machine_options = length(local.docker_machine_options_string) == 1 ? "" : local.docker_machine_options_string
 docker_machine_name = format("%s-%s", local.runner_tags_merged["Name"], "%s") # %s is always needed
 runners_name = var.runners_name
@@ -118,13 +116,6 @@ locals {
 runners_executor = var.runners_executor
 runners_limit = var.runners_limit
 runners_concurrent = var.runners_concurrent
- runners_image = var.runners_image
- runners_privileged = var.runners_privileged
- runners_disable_cache = var.runners_disable_cache
- runners_docker_runtime = var.runners_docker_runtime
- runners_helper_image = var.runners_helper_image
- runners_shm_size = var.runners_shm_size
- runners_pull_policies = local.runners_pull_policies
 runners_idle_count = var.runners_idle_count
 runners_idle_time = var.runners_idle_time
 runners_max_builds = local.runners_max_builds_string
@@ -141,6 +132,7 @@ locals {
 runners_request_concurrency = var.runners_request_concurrency
 runners_output_limit = var.runners_output_limit
 runners_check_interval = var.runners_check_interval
+ runners_docker_options = local.runners_docker_options_toml
 runners_volumes_tmpfs = join("\n", [for v in var.runners_volumes_tmpfs : format("\"%s\" = \"%s\"", v.volume, v.options)])
 runners_services_volumes_tmpfs = join("\n", [for v in var.runners_services_volumes_tmpfs : format("\"%s\" = \"%s\"", v.volume, v.options)])
 runners_docker_services = local.runners_docker_services
diff --git a/migrations/migrate-to-7-0-0.sh b/migrations/migrate-to-7-0-0.sh
index de69a715d..540743aa4 100755
--- a/migrations/migrate-to-7-0-0.sh
+++ b/migrations/migrate-to-7-0-0.sh
@@ -28,3 +28,54 @@ sed -i '/asg_terminate_lifecycle_lambda_timeout/d' "$converted_file"
 # PR #711 feat!: refactor Docker Machine autoscaling options
 #
 sed -i 's/runners_machine_autoscaling/runners_machine_autoscaling_options/g' "$converted_file"
+
+#
+# PR #710 chore!: remove old variable `runners_pull_policy`
+#
+sed -i '/runners_pull_policy/d' "$converted_file"
+
+#
+# PR #511 feat!: allow to set all docker options for the Executor
+#
+extracted_variables=$(grep -E '(runners_docker_runtime|runners_helper_image|runners_shm_size|runners_shm_size|runners_extra_hosts|runners_disable_cache|runners_image|runners_privileged)' "$converted_file")
+
+sed -i '/runners_image/d' "$converted_file"
+sed -i '/runners_privileged/d' "$converted_file"
+sed -i '/runners_disable_cache/d' "$converted_file"
+sed -i '/runners_extra_hosts/d' "$converted_file"
+sed -i '/runners_shm_size/d' "$converted_file"
+sed -i '/runners_docker_runtime/d' "$converted_file"
+sed -i '/runners_helper_image/d' "$converted_file"
+
+# content to be added to `volumes`
+volumes=$(grep "runners_additional_volumes" "$converted_file" | cut -d '=' -f 2 | tr -d '[]')
+
+if [ -n "$volumes" ]; then
+ extracted_variables="$extracted_variables
+ volumes = [\"/cache\", $volumes]"
+fi
+
+sed -i '/runners_additional_volumes/d' "$converted_file"
+
+
+# rename the variables
+extracted_variables=$(echo "$extracted_variables" | \
+ sed 's/runners_image/image/g' | \
+ sed 's/runners_privileged/privileged/g' | \
+ sed 's/runners_disable_cache/disable_cache/g' | \
+ sed 's/runners_extra_hosts/extra_hosts/g' | \
+ sed 's/runners_shm_size/shm_size/g' | \
+ sed 's/runners_docker_runtime/runtime/g' | \
+ sed 's/runners_helper_image/helper_image/g'
+ )
+
+# add new block runners_docker_options at the end
+echo "$(head -n -1 "$converted_file")
+runners_docker_options {
+ $extracted_variables
+}
+}" > x
+
+mv x "$converted_file"
+
+echo "Module call converted. Output: $converted_file"
\ No newline at end of file
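Review bot: `sed -i '/runners_pull_policy/d'` is an unanchored substring match, so it also deletes the user's `runners_pull_policies = [...]` line and silently drops their pull-policy configuration; `sed -i '/runners_pull_policy[[:space:]]*=/d' "$converted_file"` limits it to the removed variable. The same problem reaches PATCH 73's hunk at @@ -45,11 +37,7 @@, which greps for `runners_pull_policies` only after this deletion has already run. The block appended at the end is written as `runners_docker_options {`, which is HCL nested-block syntax; a module argument has to be `runners_docker_options = {`. The rewrite goes through a fixed file `x` in the working directory and relies on GNU-only `head -n -1`, both fragile under the script's `#!/bin/sh`; a `mktemp` file would at least avoid clobbering an unrelated `x`. The `grep -E` alternation also lists `runners_shm_size` twice.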
diff --git a/template/runner-config.tftpl b/template/runner-config.tftpl index 021e0645a..7381062b8 100644 --- a/template/runner-config.tftpl +++ b/template/runner-config.tftpl @@ -18,22 +18,17 @@ listen_address = "${prometheus_listen_address}" request_concurrency = ${runners_request_concurrency} output_limit = ${runners_output_limit} limit = ${runners_limit} - [runners.docker] - tls_verify = false - image = "${runners_image}" - privileged = ${runners_privileged} - disable_cache = ${runners_disable_cache} - volumes = ["/cache"${runners_additional_volumes}] - extra_hosts = ${jsonencode(runners_extra_hosts)} - shm_size = ${runners_shm_size} - pull_policy = ${runners_pull_policies} - runtime = "${runners_docker_runtime}" - helper_image = "${runners_helper_image}" - ${runners_docker_services} + + ${runners_docker_options} + + ${runners_docker_services} + [runners.docker.tmpfs] ${runners_volumes_tmpfs} + [runners.docker.services_tmpfs] ${runners_services_volumes_tmpfs} + [runners.cache] Type = "s3" Shared = ${shared_cache} @@ -43,6 +38,7 @@ listen_address = "${prometheus_listen_address}" BucketName = "${bucket_name}" BucketLocation = "${aws_region}" Insecure = false + [runners.machine] IdleCount = ${runners_idle_count} IdleTime = ${runners_idle_time} diff --git a/template/runners_docker_options.tftpl b/template/runners_docker_options.tftpl new file mode 100644 index 000000000..2a4dcac4a --- /dev/null +++ b/template/runners_docker_options.tftpl @@ -0,0 +1,4 @@ + [runners.docker] +%{ for key, value in options ~} + ${key} = ${jsonencode(value)} +%{ endfor ~} diff --git a/variables.tf b/variables.tf index b4efcf66b..95050e844 100644 --- a/variables.tf +++ b/variables.tf 
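Review bot: `${key} = ${jsonencode(value)}` in the new `runners_docker_options.tftpl` relies on JSON and TOML sharing their syntax for strings, numbers, booleans and arrays; a map-valued option would render as a JSON object, which is not a valid TOML inline table. If any key of `runners_docker_options` is object-typed (the variable definition is not readable in this patch), it needs its own rendering branch, and in any case the reliance deserves a comment in the template, e.g. `# jsonencode(): JSON scalars and arrays are valid TOML values; maps are not`. The hard-coded `tls_verify = false` is gone from runner-config.tftpl, so that key is presumably only rendered when set through the options map; worth stating in the variable description if that is the intended default.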
@@ -206,64 +206,77 @@ variable "runners_max_builds" { default = 0 } -variable "runners_image" { - description = "Image to run builds, will be used in the runner config.toml" - type = string - default = "docker:18.03.1-ce" -} - -variable "runners_privileged" { - description = "Runners will run in privileged mode, will be used in the runner config.toml" - type = bool - default = true -} - -variable "runners_disable_cache" { - description = "Runners will not use local cache, will be used in the runner config.toml" - type = bool - default = false -} - variable "runners_add_dind_volumes" { description = "Add certificates and docker.sock to the volumes to support docker-in-docker (dind)" type = bool default = false } -variable "runners_additional_volumes" { - description = "Additional volumes that will be used in the runner config.toml, e.g Docker socket" - type = list(any) - default = [] -} - -variable "runners_extra_hosts" { - description = "Extra hosts that will be used in the runner config.toml, e.g other-host:127.0.0.1" - type = list(any) - default = [] -} - -variable "runners_shm_size" { - description = "shm_size for the runners, will be used in the runner config.toml" - type = number - default = 0 -} - -variable "runners_docker_runtime" { - description = "docker runtime for runners, will be used in the runner config.toml" - type = string - default = "" -} +variable "runners_docker_options" { + description = < Date: Wed, 3 May 2023 09:31:27 +0200 Subject: [PATCH 69/74] GROUP-VARIABLES --- locals.tf | 10 ---------- main.tf | 54 ++++++++++++++++++++++++++-------------------------- variables.tf | 4 ++-- 3 files changed, 29 insertions(+), 39 deletions(-) diff --git a/locals.tf b/locals.tf index a556bb1ad..179dcff95 100644 --- a/locals.tf +++ b/locals.tf 
@@ -61,16 +61,6 @@ locals { } ) - runners_docker_options_toml = templatefile("${path.module}/template/runners_docker_options.tftpl", { - options = merge({ - for key, value in var.runner_worker_docker_options : key => value if value != null && key != "volumes" - }, { - volumes = local.runners_volumes - }) - } - ) - - # Ensure max builds is optional runners_max_builds_string = var.runner_worker_docker_machine_instance.destroy_after_max_builds == 0 ? "" : format("MaxBuilds = %d", var.runner_worker_docker_machine_instance.destroy_after_max_builds) diff --git a/main.tf b/main.tf index 52f6854c9..89e31d1f4 100644 --- a/main.tf +++ b/main.tf 
@@ -54,34 +54,34 @@ locals { template_gitlab_runner = templatefile("${path.module}/template/gitlab-runner.tftpl", { - gitlab_runner_version = var.runner_gitlab.runner_version - docker_machine_version = var.runner_install.docker_machine_version - docker_machine_download_url = var.runner_install.docker_machine_download_url - runners_config = local.template_runner_config - runners_userdata = var.runner_worker_docker_machine_instance.start_script - runners_executor = var.runner_worker.type - runners_install_amazon_ecr_credential_helper = var.runner_install.amazon_ecr_credential_helper - curl_cacert = length(var.runner_gitlab.certificate) > 0 ? "--cacert /etc/gitlab-runner/certs/gitlab.crt" : "" - pre_install_certificates = local.pre_install_certificates - pre_install = var.runner_install.pre_install_script - post_install = var.runner_install.post_install_script - runners_gitlab_url = var.runner_gitlab.url - runners_token = var.runner_gitlab.registration_token + gitlab_runner_version = var.runner_gitlab.runner_version + docker_machine_version = var.runner_install.docker_machine_version + docker_machine_download_url = var.runner_install.docker_machine_download_url + runners_config = local.template_runner_config + runners_userdata = var.runner_worker_docker_machine_instance.start_script + runners_executor = var.runner_worker.type + runners_install_amazon_ecr_credential_helper = var.runner_install.amazon_ecr_credential_helper + curl_cacert = length(var.runner_gitlab.certificate) > 0 ? 
"--cacert /etc/gitlab-runner/certs/gitlab.crt" : "" + pre_install_certificates = local.pre_install_certificates + pre_install = var.runner_install.pre_install_script + post_install = var.runner_install.post_install_script + runners_gitlab_url = var.runner_gitlab.url + runners_token = var.runner_gitlab.registration_token secure_parameter_store_gitlab_runner_registration_token_name = var.runner_gitlab_registration_token_secure_parameter_store_name - secure_parameter_store_runner_token_key = local.secure_parameter_store_runner_token_key - secure_parameter_store_runner_sentry_dsn = local.secure_parameter_store_runner_sentry_dsn - secure_parameter_store_region = data.aws_region.current.name - gitlab_runner_registration_token = lookup(var.runner_gitlab_registration_config, "registration_token", "__GITLAB_REGISTRATION_TOKEN_FROM_SSM__") - gitlab_runner_description = var.runner_gitlab_registration_config["description"] - gitlab_runner_tag_list = var.runner_gitlab_registration_config["tag_list"] - gitlab_runner_locked_to_project = var.runner_gitlab_registration_config["locked_to_project"] - gitlab_runner_run_untagged = var.runner_gitlab_registration_config["run_untagged"] - gitlab_runner_maximum_timeout = var.runner_gitlab_registration_config["maximum_timeout"] - gitlab_runner_access_level = lookup(var.runner_gitlab_registration_config, "access_level", "not_protected") - sentry_dsn = var.runner_manager.sentry_dsn - public_key = var.runner_worker_docker_machine_fleet.enable == true ? tls_private_key.fleet[0].public_key_openssh : "" - use_fleet = var.runner_worker_docker_machine_fleet.enable - private_key = var.runner_worker_docker_machine_fleet.enable == true ? 
tls_private_key.fleet[0].private_key_pem : "" + secure_parameter_store_runner_token_key = local.secure_parameter_store_runner_token_key + secure_parameter_store_runner_sentry_dsn = local.secure_parameter_store_runner_sentry_dsn + secure_parameter_store_region = data.aws_region.current.name + gitlab_runner_registration_token = lookup(var.runner_gitlab_registration_config, "registration_token", "__GITLAB_REGISTRATION_TOKEN_FROM_SSM__") + gitlab_runner_description = var.runner_gitlab_registration_config["description"] + gitlab_runner_tag_list = var.runner_gitlab_registration_config["tag_list"] + gitlab_runner_locked_to_project = var.runner_gitlab_registration_config["locked_to_project"] + gitlab_runner_run_untagged = var.runner_gitlab_registration_config["run_untagged"] + gitlab_runner_maximum_timeout = var.runner_gitlab_registration_config["maximum_timeout"] + gitlab_runner_access_level = lookup(var.runner_gitlab_registration_config, "access_level", "not_protected") + sentry_dsn = var.runner_manager.sentry_dsn + public_key = var.runner_worker_docker_machine_fleet.enable == true ? tls_private_key.fleet[0].public_key_openssh : "" + use_fleet = var.runner_worker_docker_machine_fleet.enable + private_key = var.runner_worker_docker_machine_fleet.enable == true ? tls_private_key.fleet[0].private_key_pem : "" }) template_runner_config = templatefile("${path.module}/template/runner-config.tftpl", diff --git a/variables.tf b/variables.tf index 65923669e..118a72328 100644 --- a/variables.tf +++ b/variables.tf @@ -739,8 +739,8 @@ variable "debug" { can potentially expose sensitive information. EOT type = object({ - trace_runner_user_data = optional(bool, false) - write_runner_config_to_file = optional(bool, false) + trace_runner_user_data = optional(bool, false) + write_runner_config_to_file = optional(bool, false) write_runner_user_data_to_file = optional(bool, false) }) default = {} From cd41f055e8cc300c0d743daf2ba475a878e5cf26 Mon Sep 17 00:00:00 2001 
From: Matthias Kay Date: Wed, 3 May 2023 09:32:57 +0200 Subject: [PATCH 70/74] GROUP-VARIABLES --- outputs.tf | 5 ----- 1 file changed, 5 deletions(-) diff --git a/outputs.tf b/outputs.tf index e16e86f4b..81b0fa3b0 100644 --- a/outputs.tf +++ b/outputs.tf @@ -62,8 +62,3 @@ output "runner_config_toml_rendered" { description = "The rendered config.toml given to the Runner Manager." value = local.template_runner_config } - -output "runner_config_toml_rendered" { - description = "The rendered config.toml given to the Runner Manager." - value = local.template_runner_config -} From 60f3ba1957125f6cb115b39da0f4db8b0ac28b45 Mon Sep 17 00:00:00 2001 From: Matthias Kay Date: Mon, 8 May 2023 20:34:23 +0200 Subject: [PATCH 71/74] reworked all `README.md` --- examples/runner-certificates/README.md | 43 +++++++++++++++----------- examples/runner-certificates/main.tf | 1 - examples/runner-multi-region/README.md | 38 ++++++++++++++++------- 3 files changed, 52 insertions(+), 30 deletions(-) diff --git a/examples/runner-certificates/README.md b/examples/runner-certificates/README.md index 57203aabc..f22f46a65 100644 --- a/examples/runner-certificates/README.md +++ b/examples/runner-certificates/README.md @@ -32,20 +32,24 @@ Create a PEM-encoded `.crt` file containing the public certificate of your Gitla ```hcl module { - ... + # ... # Public cert of my companys gitlab instance - agent_gitlab_certificate = file("${path.module}/my_gitlab_instance_cert.crt") - ... + runner_gitlab = { + certificate = file("${path.module}/my_gitlab_instance_cert.crt") + } + # ... } ``` Add your CA and intermediary certs to a second PEM-encoded `.crt` file. ```hcl module { - ... + # ... # Other public certs relating to my company. - agent_gitlab_ca_certificate = file("${path.module}/my_company_ca_cert_bundle.crt") - ... + runner_gitlab = { + ca_certificate = file("${path.module}/my_company_ca_cert_bundle.crt") + } + # ... } ``` 
@@ -62,11 +66,13 @@ For **user images**, you must: # ... # Mount EC2 host certs in docker so all user docker images can reference them. - runners_additional_volumes = ["/etc/gitlab-runner/certs/:/etc/gitlab-runner/certs:ro"] - - # ... + runner_worker_docker_options = { + volumes = ["/etc/gitlab-runner/certs/:/etc/gitlab-runner/certs:ro"] } - ``` + + # ... + } + ``` 2. Trust the certificates from within the user image. @@ -110,14 +116,15 @@ For **user images**, you must: module "runner" { # ... - runners_pre_build_script = < Date: Mon, 8 May 2023 20:35:41 +0200 Subject: [PATCH 72/74] change module source to `cattle-ops` --- migrations/migrate-to-7-0-0.sh | 3 +++ 1 file changed, 3 insertions(+) diff --git a/migrations/migrate-to-7-0-0.sh b/migrations/migrate-to-7-0-0.sh index 0d12fed46..d73b7fd20 100755 --- a/migrations/migrate-to-7-0-0.sh +++ b/migrations/migrate-to-7-0-0.sh @@ -650,6 +650,9 @@ if [ -n "$extracted_variables" ]; then " > x && mv x "$converted_file" fi +# change the module source to cattle-ops +sed -i 's/npalm/cattle-ops/g' "$converted_file" + cat < Date: Thu, 11 May 2023 10:31:44 +0200 Subject: [PATCH 73/74] GROUP-VARIABLES --- migrations/migrate-to-7-0-0.sh | 29 ----------------------------- 1 file changed, 29 deletions(-) diff --git a/migrations/migrate-to-7-0-0.sh b/migrations/migrate-to-7-0-0.sh index 2e92cddcc..09189daff 100755 --- a/migrations/migrate-to-7-0-0.sh +++ b/migrations/migrate-to-7-0-0.sh @@ -1,9 +1,5 @@ #!/bin/sh -<<<<<<< HEAD set -u -======= -set -eu ->>>>>>> refactor-variables # # Precondition: The module call has been extracted to a separate file given in "$1". The code is well-formatted. 
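Review bot: The conflict at the top of migrate-to-7-0-0.sh is resolved in favour of `set -u`, dropping the `-e` from the other side, so a failing `sed -i` or `mv` now leaves `$converted_file` half-migrated while the script carries on and finally prints its success message. For a tool that rewrites the user's module call in place, `set -eu` (the discarded side) is the safer choice, with `|| true` added only to captures whose empty result is expected, such as the `extracted_variables=$(grep -E ...)` and `volumes=$(grep ...)` lines earlier in this series.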
@@ -29,11 +25,7 @@ sed -i '/asg_terminate_lifecycle_lambda_runtime/d' "$converted_file" sed -i '/asg_terminate_lifecycle_lambda_timeout/d' "$converted_file" # -<<<<<<< HEAD # PR #711 feat!: refactor Docker Machine autoscaling options -======= -# PR #711 feat!: refactor Docker Machine autoscaling options ->>>>>>> refactor-variables # sed -i 's/runners_machine_autoscaling/runners_machine_autoscaling_options/g' "$converted_file" @@ -45,11 +37,7 @@ sed -i '/runners_pull_policy/d' "$converted_file" # # PR #511 feat!: allow to set all docker options for the Executor # -<<<<<<< HEAD extracted_variables=$(grep -E '(runners_pull_policies|runners_docker_runtime|runners_helper_image|runners_shm_size|runners_shm_size|runners_extra_hosts|runners_disable_cache|runners_image|runners_privileged)' "$converted_file") -======= -extracted_variables=$(grep -E '(runners_docker_runtime|runners_helper_image|runners_shm_size|runners_shm_size|runners_extra_hosts|runners_disable_cache|runners_image|runners_privileged)' "$converted_file") ->>>>>>> refactor-variables sed -i '/runners_image/d' "$converted_file" sed -i '/runners_privileged/d' "$converted_file" @@ -58,10 +46,7 @@ sed -i '/runners_extra_hosts/d' "$converted_file" sed -i '/runners_shm_size/d' "$converted_file" sed -i '/runners_docker_runtime/d' "$converted_file" sed -i '/runners_helper_image/d' "$converted_file" -<<<<<<< HEAD sed -i '/runners_pull_policies/d' "$converted_file" -======= ->>>>>>> refactor-variables # content to be added to `volumes` volumes=$(grep "runners_additional_volumes" "$converted_file" | cut -d '=' -f 2 | tr -d '[]') 
@@ -676,18 +661,4 @@ EOT echo echo "Module call converted. Output: $converted_file" -======= - sed 's/runners_helper_image/helper_image/g' - ) -# add new block runners_docker_options at the end -echo "$(head -n -1 "$converted_file") -runners_docker_options { - $extracted_variables -} -}" > x - -mv x "$converted_file" - -echo "Module call converted. Output: $converted_file" ->>>>>>> refactor-variables From 48ebfee620635bcb0f566f804fe91a659d02f61c Mon Sep 17 00:00:00 2001 From: Matthias Kay Date: Thu, 11 May 2023 11:11:13 +0200 Subject: [PATCH 74/74] GROUP-VARIABLES --- migrations/migrate-to-7-0-0.sh | 1 - 1 file changed, 1 deletion(-) diff --git a/migrations/migrate-to-7-0-0.sh b/migrations/migrate-to-7-0-0.sh index 09189daff..dadcc01b0 100755 --- a/migrations/migrate-to-7-0-0.sh +++ b/migrations/migrate-to-7-0-0.sh @@ -67,7 +67,6 @@ extracted_variables=$(echo "$extracted_variables" | \ sed 's/runners_extra_hosts/extra_hosts/g' | \ sed 's/runners_shm_size/shm_size/g' | \ sed 's/runners_docker_runtime/runtime/g' | \ -<<<<<<< HEAD sed 's/runners_helper_image/helper_image/g' | \ sed 's/runners_pull_policies/pull_policies/g' )