cattle-ops · kayman-mk · May 22, 2023 · Mar 2, 2023 · Mar 16, 2023 · Mar 20, 2023
diff --git a/.cspell.json b/.cspell.json
@@ -2,8 +2,10 @@
   "version": "0.2",
   "language": "en",
   "words": [
+    "alltrue",
     "amazonec",
     "amannn",
+    "amazonec",
     "anytrue",
     "aquasecurity",
     "awscli",
@@ -16,14 +18,16 @@
     "codeowners",
     "companys",
     "concat",
+    "cpu",
+    "cpus",
+    "cpuset",
     "devskim",
     "dind",
     "endfor",
+    "filesha",
     "formatlist",
     "gitter",
-    "godotenv",
-    "golangci",
-    "gruntwork",
+    "glrunners",
     "instancelifecycle",
     "kics",
     "joho",
@@ -38,24 +42,31 @@
     "pylint",
     "pylintrc",
     "pyright",
+    "setsubtract",
     "shuf",
     "signoff",
     "signum",
     "stretchr",
+    "subkey",
     "substr",
+    "sysctl",
+    "sysctls",
     "templatefile",
     "terrascan",
     "terratest",
     "tfenv",
     "tflint",
     "tftpl",
     "tfsec",
+    "tftpl",
     "tfvars",
     "tmpfs",
     "trivy",
     "typecheck",
     "userdata",
-    "xanzy"
+    "userns",
+    "xanzy",
+    "xvda"
   ],
   "flagWords": []
 }
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -31,7 +31,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        terraform: [ 1.0.11, 1.3.9, latest ]
+        terraform: [ 1.3.9, latest ]
         example:
           [
             "runner-default",
@@ -137,7 +137,8 @@ jobs:
         run: tflint --init
 
       - name: Run TFLint
-        run: tflint
+        # assign necessary variables to avoid errors
+        run: "tflint --var='runner_instance={\"name_prefix\": \"a\", \"name\": \"b\"}'"
 
   tfsec:
     name: tfsec PR commenter

diff --git a/.mega-linter.yml b/.mega-linter.yml
@@ -4,6 +4,8 @@ DISABLE_LINTERS:
   - TERRAFORM_TFLINT
   # Super slow linter, but useful. We disable it here and run it in parallel to Megalinter saves some minutes.
   - TERRAFORM_KICS
+  # has issues with the Terraform code `optional` variable definitions: https://github.com/tenable/terrascan/issues/1532
+  - TERRAFORM_TERRASCAN
   # Nice linter to report CVEs and other cool stuff. But it reports problems with the Terraform code which can't be disabled by
   # configuration.
   - REPOSITORY_TRIVY

diff --git a/.terraform-version b/.terraform-version
@@ -1 +1 @@
-1.0.8
+1.3.0
diff --git a/README.md b/README.md
@@ -1,8 +1,9 @@
 <!-- First line should be a H1: Badges on top please! -->
-<!-- markdownlint-disable MD041 -->
+<!-- markdownlint-disable MD041/first-line-heading/first-line-h1 -->
 [![Terraform registry](https://img.shields.io/github/v/release/cattle-ops/terraform-aws-gitlab-runner?label=Terraform%20Registry)](https://registry.terraform.io/modules/cattle-ops/gitlab-runner/aws/)
 [![Gitter](https://badges.gitter.im/terraform-aws-gitlab-runner/Lobby.svg)](https://gitter.im/terraform-aws-gitlab-runner/Lobby?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge)
 [![Actions](https://github.com/cattle-ops/terraform-aws-gitlab-runner/workflows/CI/badge.svg)](https://github.com/cattle-ops/terraform-aws-gitlab-runner/actions)
+<!-- markdownlint-enable MD041/first-line-heading/first-line-h1 -->
 
 # Terraform module for GitLab auto scaling runners on AWS spot instances <!-- omit in toc -->
 
@@ -385,13 +386,12 @@ module "runner" {
 
 Since spot instances can be taken over by AWS depending on the instance type and AZ you are using, you may want multiple instances
 types in multiple AZs. This is where spot fleets come in, when there is no capacity on one instance type and one AZ, AWS will take
-the next instance type and so on. This update has been possible since the [fork](https://gitlab.com/cki-project/docker-machine/-/tree/v0.16.2-gitlab.19-cki.2)
-of docker-machine supports spot fleets.
+the next instance type and so on. This update has been possible since the
+[fork](https://gitlab.com/cki-project/docker-machine/-/tree/v0.16.2-gitlab.19-cki.2) of docker-machine supports spot fleets.
 
 We have seen that the [fork](https://gitlab.com/cki-project/docker-machine/-/tree/v0.16.2-gitlab.19-cki.2) of docker-machine this
-module is using consume more RAM using spot fleets.
-For comparison, if you launch 50 machines in the same time, it consumes ~1.2GB of RAM. In our case, we had to change the
-`instance_type` of the runner from `t3.micro` to `t3.small`.
+module is using consume more RAM using spot fleets. For comparison, if you launch 50 machines in the same time, it consumes
+~1.2GB of RAM. In our case, we had to change the `instance_type` of the runner from `t3.micro` to `t3.small`.
 
 #### Configuration example
 
@@ -685,7 +685,6 @@ Made with [contributors-img](https://contrib.rocks).
 | <a name="input_runners_pre_clone_script"></a> [runners\_pre\_clone\_script](#input\_runners\_pre\_clone\_script) | Commands to be executed on the Runner before cloning the Git repository. this can be used to adjust the Git client configuration first, for example. | `string` | `"\"\""` | no |
 | <a name="input_runners_privileged"></a> [runners\_privileged](#input\_runners\_privileged) | Runners will run in privileged mode, will be used in the runner config.toml | `bool` | `true` | no |
 | <a name="input_runners_pull_policies"></a> [runners\_pull\_policies](#input\_runners\_pull\_policies) | pull policies for the runners, will be used in the runner config.toml, for Gitlab Runner >= 13.8, see https://docs.gitlab.com/runner/executors/docker.html#using-multiple-pull-policies | `list(string)` | <pre>[<br>  "always"<br>]</pre> | no |
-| <a name="input_runners_pull_policy"></a> [runners\_pull\_policy](#input\_runners\_pull\_policy) | Deprecated! Use runners\_pull\_policies instead. pull\_policy for the runners, will be used in the runner config.toml | `string` | `""` | no |
 | <a name="input_runners_request_concurrency"></a> [runners\_request\_concurrency](#input\_runners\_request\_concurrency) | Limit number of concurrent requests for new jobs from GitLab (default 1). | `number` | `1` | no |
 | <a name="input_runners_request_spot_instance"></a> [runners\_request\_spot\_instance](#input\_runners\_request\_spot\_instance) | Whether or not to request spot instances via docker-machine | `bool` | `true` | no |
 | <a name="input_runners_root_size"></a> [runners\_root\_size](#input\_runners\_root\_size) | Runner instance root size in GB. | `number` | `16` | no |

diff --git a/examples/runner-certificates/README.md b/examples/runner-certificates/README.md
@@ -34,7 +34,7 @@ Create a PEM-encoded `.crt` file containing the public certificate of your Gitla
 module {
   ...
   # Public cert of my companys gitlab instance
-  runners_gitlab_certificate = file("${path.module}/my_gitlab_instance_cert.crt")
+  agent_gitlab_certificate = file("${path.module}/my_gitlab_instance_cert.crt")
   ...
 }
 ```
@@ -44,7 +44,7 @@ Add your CA and intermediary certs to a second PEM-encoded `.crt` file.
 module {
   ...
   # Other public certs relating to my company.
-  runners_ca_certificate = file("${path.module}/my_company_ca_cert_bundle.crt")
+  agent_gitlab_ca_certificate = file("${path.module}/my_company_ca_cert_bundle.crt")
   ...
 }
 ```
@@ -58,7 +58,7 @@ For **user images**, you must:
     The runner module can be configured to do this step. Configure the module like so:
 
     ```terraform
-    module {
+    module "runner" {
       # ...
 
       # Mount EC2 host certs in docker so all user docker images can reference them.
@@ -107,7 +107,7 @@ For **user images**, you must:
     This avoids maintaining the script in each pipeline file, but expects that all user images use the same OS.
 
     ```terraform
-    module {
+    module "runner" {
       # ...
 
       runners_pre_build_script = <<EOT

diff --git a/examples/runner-certificates/main.tf b/examples/runner-certificates/main.tf
@@ -27,37 +27,37 @@ module "runner" {
   ###############################################
   # General
   ###############################################
-
-  runners_name       = var.runner_name
-  runners_gitlab_url = var.gitlab_url
-
-  runners_executor = "docker"
-
-  aws_region  = var.aws_region
   environment = var.environment
 
   ###############################################
   # Certificates
   ###############################################
 
   # Public cert of my companys gitlab instance
-  runners_gitlab_certificate = file("${path.module}/my_gitlab_instance_cert.crt")
-
   # Other public certs relating to my company.
-  runners_ca_certificate = file("${path.module}/my_company_ca_cert_bundle.crt")
+  runner_gitlab = {
+    url            = var.gitlab_url
+    certificate    = file("${path.module}/my_gitlab_instance_cert.crt")
+    ca_certificate = file("${path.module}/my_company_ca_cert_bundle.crt")
+  }
 
   # Mount EC2 host certs in docker so all user docker images can reference them.
   # Each user image will need to do:
   # cp /etc/gitlab-runner/certs/* /usr/local/share/ca-certificates/
   # update-ca-certificates
   # Or similar OS-dependent commands. The above are an example for Ubuntu.
-  runners_additional_volumes = ["/etc/gitlab-runner/certs/:/etc/gitlab-runner/certs:ro"]
+
+  runner_worker_docker_options = {
+    volumes = [
+      "/cache",
+      "/etc/gitlab-runner/certs/:/etc/gitlab-runner/certs:ro"
+    ]
+  }
 
   ###############################################
   # Registration
   ###############################################
-
-  gitlab_runner_registration_config = {
+  runner_gitlab_registration_config = {
     registration_token = var.registration_token
     tag_list           = "docker_runner"
     description        = "runner docker - auto"
@@ -71,5 +71,11 @@ module "runner" {
   ###############################################
   vpc_id    = module.vpc.vpc_id
   subnet_id = element(module.vpc.public_subnets, 0)
+  runner_instance = {
+    name = var.runner_name
+  }
 
+  runner_worker = {
+    type = "docker"
+  }
 }
diff --git a/examples/runner-default/main.tf b/examples/runner-default/main.tf
@@ -50,22 +50,26 @@ module "vpc_endpoints" {
 module "runner" {
   source = "../../"
 
-  aws_region  = var.aws_region
   environment = var.environment
 
-  vpc_id              = module.vpc.vpc_id
-  subnet_id           = element(module.vpc.private_subnets, 0)
-  metrics_autoscaling = ["GroupDesiredCapacity", "GroupInServiceCapacity"]
+  vpc_id    = module.vpc.vpc_id
+  subnet_id = element(module.vpc.private_subnets, 0)
 
-  runners_name             = var.runner_name
-  runners_gitlab_url       = var.gitlab_url
-  enable_runner_ssm_access = true
+  runner_instance = {
+    collect_autoscaling_metrics = ["GroupDesiredCapacity", "GroupInServiceCapacity"]
+    name                        = var.runner_name
+    ssm_access                  = true
+  }
 
-  gitlab_runner_security_group_ids = [data.aws_security_group.default.id]
+  runner_networking = {
+    allow_incoming_ping_security_group_ids = [data.aws_security_group.default.id]
+  }
 
-  docker_machine_spot_price_bid = "on-demand-price"
+  runner_gitlab = {
+    url = var.gitlab_url
+  }
 
-  gitlab_runner_registration_config = {
+  runner_gitlab_registration_config = {
     registration_token = var.registration_token
     tag_list           = "docker_spot_runner"
     description        = "runner default - auto"
@@ -74,46 +78,49 @@ module "runner" {
     maximum_timeout    = "3600"
   }
 
-  tags = {
-    "tf-aws-gitlab-runner:example"           = "runner-default"
-    "tf-aws-gitlab-runner:instancelifecycle" = "spot:yes"
+  runner_worker_gitlab_pipeline = {
+    pre_build_script  = <<EOT
+        '''
+        echo 'multiline 1'
+        echo 'multiline 2'
+        '''
+        EOT
+    post_build_script = "\"echo 'single line'\""
   }
 
-  runners_privileged         = "true"
-  runners_additional_volumes = ["/certs/client"]
+  runner_worker_docker_options = {
+    privileged = "true"
+    volumes    = ["/cache", "/certs/client"]
+  }
 
-  runners_volumes_tmpfs = [
+  runner_worker_docker_volumes_tmpfs = [
     {
       volume  = "/var/opt/cache",
       options = "rw,noexec"
     }
   ]
 
-  runners_services_volumes_tmpfs = [
+  runner_worker_docker_services_volumes_tmpfs = [
     {
       volume  = "/var/lib/mysql",
       options = "rw,noexec"
     }
   ]
 
-  # working 9 to 5 :)
-  runners_machine_autoscaling = [
+  runner_worker_docker_machine_autoscaling_options = [
+    # working 9 to 5 :)
     {
-      periods    = ["\"* * 0-9,17-23 * * mon-fri *\"", "\"* * * * * sat,sun *\""]
+      periods    = ["* * 0-9,17-23 * * mon-fri *", "* * * * * sat,sun *"]
       idle_count = 0
       idle_time  = 60
       timezone   = var.timezone
     }
   ]
 
-  runners_pre_build_script = <<EOT
-  '''
-  echo 'multiline 1'
-  echo 'multiline 2'
-  '''
-  EOT
-
-  runners_post_build_script = "\"echo 'single line'\""
+  tags = {
+    "tf-aws-gitlab-runner:example"           = "runner-default"
+    "tf-aws-gitlab-runner:instancelifecycle" = "spot:yes"
+  }
 
   # Uncomment the HCL code below to configure a docker service so that registry mirror is used in auto-devops jobs
   # See https://gitlab.com/gitlab-org/gitlab-runner/-/issues/27171 and https://docs.gitlab.com/ee/ci/docker/using_docker_build.html#the-service-in-the-gitlab-runner-configuration-file
@@ -139,7 +146,7 @@ module "runner" {
   #
   # If not using an official docker image for your job, you may need to specify `DOCKER_HOST: tcp://docker:2375`
   ## UNCOMMENT 6 LINES BELOW
-  # runners_docker_services = [{
+  # runner_worker_docker_services = [{
   #   name       = "docker:20.10.16-dind"
   #   alias      = "docker"
   #   command    = ["--registry-mirror", "https://mirror.gcr.io"]
@@ -149,7 +156,8 @@ module "runner" {
 
   # Example how to configure runners, to utilize EC2 user-data feature
   # example template, creates (configurable) swap file for the runner
-  # runners_userdata = templatefile("${path.module}/../../templates/swap.tpl", {
-  #   swap_size = "512"
-  # })
+  # runner_worker_docker_machine_instance = {
+  #   start_script = templatefile("${path.module}/../../templates/swap.tpl", {
+  # swap_size = "512"
+  # }
 }