From c7b2f9a50fbfb672042bef5c1c59110c7aa86922 Mon Sep 17 00:00:00 2001
From: Niek Palm
Date: Mon, 31 Mar 2025 22:39:15 +0200
Subject: [PATCH 01/20] feat: migrate launch template to use SSM for AMI lookup
---
 examples/default/.terraform.lock.hcl | 60 +++++++++----------
 main.tf | 1 +
 modules/multi-runner/runners.tf | 1 +
 modules/multi-runner/variables.tf | 5 +-
 modules/runners/main.tf | 28 ++++++++-
 modules/runners/policies/lambda-scale-up.json | 9 +++
 modules/runners/scale-up.tf | 1 +
 modules/runners/variables.tf | 6 ++
 variables.tf | 12 +++-
 9 files changed, 85 insertions(+), 38 deletions(-)
diff --git a/examples/default/.terraform.lock.hcl b/examples/default/.terraform.lock.hcl
index 045fb7350a..0e980ea45b 100644
--- a/examples/default/.terraform.lock.hcl
+++ b/examples/default/.terraform.lock.hcl
@@ -2,25 +2,25 @@ # Manual edits may be lost in future updates. provider "registry.terraform.io/hashicorp/aws" { - version = "5.82.1" - constraints = ">= 5.0.0, ~> 5.0, ~> 5.27" + version = "5.93.0" + constraints = ">= 5.0.0, ~> 5.0, ~> 5.27, ~> 5.77" hashes = [ - "h1:QTOtDMehUfiD3wDbbDuXYuTqGgLDkKK9Agkd5NCUEic=", - "zh:0fde8533282973f1f5d33b2c4f82d962a2c78860d39b42ac20a9ce399f06f62c", - "zh:1fd1a252bffe91668f35be8eac4e0a980f022120254eae1674c3c05049aff88a", - "zh:31bbd380cd7d74bf9a8c961fc64da4222bed40ffbdb27b011e637fa8b2d33641", - "zh:333ee400cf6f62fa199dc1270bf8efac6ffe56659f86918070b8351b8636e03b", - "zh:42ea9fee0a152d344d548eab43583299a13bcd73fae9e53e7e1a708720ac1315", - "zh:4b78f25a8cda3316eb56aa01909a403ec2f325a2eb0512c9a73966068c26cf29", - "zh:5e9cf9a275eda8f7940a41e32abe0b92ba76b5744def4af5124b343b5f33eb94", - "zh:6a46c8630c16b9e1338c2daed6006118db951420108b58b8b886403c69317439", - "zh:6efe11cf1a01f98a8d8043cdcd8c0ee5fe93a0e582c2b69ebb73ea073f5068c3", - "zh:88ab5c768c7d8133dab94eff48071e764424ad2b7cfeee5abe6d5bb16e4b85c6", + "h1:SbzGotY1leY5nnLo/PJOcwIlNTHdZpAErxJSrfr2tTg=", + "zh:00e1b15e6f02cdc788fe855232b63ccce6652930080eac3ba4b8a2e35db02b23", + "zh:3a77ee12e4f5ab2e7b320a0f507389c9171ab82c50d39ae7caa5a1fb2bd95cb3", + "zh:3e32d58e139d098d867eef37914fef01fffb08504d828e0f384c2ffc18d71f80", + "zh:41cf69a525f0fbe0fdb71d26be7ff5e20bb90ccdf5af32c83ed53f0ca2f071b5", + "zh:43055bdd0786855cf7242638a74b579f74f4f1a8e7c7e5e0e50230c8f6b908cb", + "zh:4ac4c29aa0de842ad91145c5a5fba21338531ffca13a510927d445e007a24938", + "zh:57e510498b3aeb6d6155c10fa195e1d5502e763899251057e59e73f653d1e262", + "zh:8f749645b27dba1a07d06aaf9d5596fc4213123f12f3808d68539e78ab16996e", "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", - "zh:a614beb312574342b27dbc34d65b450997f63fa3e948d0d30f441e4f69337380", - "zh:c1f486e27130610a9b64cacb0bd928009c433d62b3be515488185e6467b4aa1f", - "zh:dccd166e89e1a02e7ce658df3c42d040edec4b09c6f7906aa5743938518148b1", - 
"zh:e75a3ae0fb42b7ea5a0bb5dffd8f8468004c9700fcc934eb04c264fda2ba9984", + "zh:aaca5934ac6273d48922ad7685c5fc2aa7ef5275346a9e70366b7a180a788d41", + "zh:b7585b720a97467302f2e29f0688a5a746778f7b73c30eb085c25831decba1e1", + "zh:c16ae0a46d796858c49a89dd90e5ca92f793e646474fadeafaf701def4a4aa83", + "zh:d66bdc9cd5108452d9dba44082e504ff5e3a3001c8f853bbcaff850cb2127a21", + "zh:ee1aec6c44b117a6c8b7159ee7dc82f1ddac6ba434b4e6c493717738326f0a99", + "zh:f0da48692e00ecacea72d7104714d9721f6be40ba094490c442bb3e68d2e2604", ] } 
@@ -65,21 +65,21 @@ provider "registry.terraform.io/hashicorp/null" { } provider "registry.terraform.io/hashicorp/random" { - version = "3.6.3" + version = "3.7.1" constraints = "~> 3.0" hashes = [ - "h1:zG9uFP8l9u+yGZZvi5Te7PV62j50azpgwPunq2vTm1E=", - "zh:04ceb65210251339f07cd4611885d242cd4d0c7306e86dda9785396807c00451", - "zh:448f56199f3e99ff75d5c0afacae867ee795e4dfda6cb5f8e3b2a72ec3583dd8", - "zh:4b4c11ccfba7319e901df2dac836b1ae8f12185e37249e8d870ee10bb87a13fe", - "zh:4fa45c44c0de582c2edb8a2e054f55124520c16a39b2dfc0355929063b6395b1", - "zh:588508280501a06259e023b0695f6a18149a3816d259655c424d068982cbdd36", - "zh:737c4d99a87d2a4d1ac0a54a73d2cb62974ccb2edbd234f333abd079a32ebc9e", + "h1:t152MY0tQH4a8fLzTtEWx70ITd3azVOrFDn/pQblbto=", + "zh:3193b89b43bf5805493e290374cdda5132578de6535f8009547c8b5d7a351585", + "zh:3218320de4be943e5812ed3de995946056db86eb8d03aa3f074e0c7316599bef", + "zh:419861805a37fa443e7d63b69fb3279926ccf98a79d256c422d5d82f0f387d1d", + "zh:4df9bd9d839b8fc11a3b8098a604b9b46e2235eb65ef15f4432bde0e175f9ca6", + "zh:5814be3f9c9cc39d2955d6f083bae793050d75c572e70ca11ccceb5517ced6b1", + "zh:63c6548a06de1231c8ee5570e42ca09c4b3db336578ded39b938f2156f06dd2e", + "zh:697e434c6bdee0502cc3deb098263b8dcd63948e8a96d61722811628dce2eba1", "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:a357ab512e5ebc6d1fda1382503109766e21bbfdfaa9ccda43d313c122069b30", - "zh:c51bfb15e7d52cc1a2eaec2a903ac2aff15d162c172b1b4c17675190e8147615", - "zh:e0951ee6fa9df90433728b96381fb867e3db98f66f735e0c3e24f8f16903f0ad", - "zh:e3cdcb4e73740621dabd82ee6a37d6cfce7fee2a03d8074df65086760f5cf556", - "zh:eff58323099f1bd9a0bec7cb04f717e7f1b2774c7d612bf7581797e1622613a0", + "zh:a0b8e44927e6327852bbfdc9d408d802569367f1e22a95bcdd7181b1c3b07601", + "zh:b7d3af018683ef22794eea9c218bc72d7c35a2b3ede9233b69653b3c782ee436", + "zh:d63b911d618a6fe446c65bfc21e793a7663e934b2fef833d42d3ccd38dd8d68d", + "zh:fa985cd0b11e6d651f47cff3055f0a9fd085ec190b6dbe99bf5448174434cdea", ] } 
diff --git a/main.tf b/main.tf
index b9456c0a52..90bf9f6aec 100644
--- a/main.tf
+++ b/main.tf
@@ -180,6 +180,7 @@ module "runners" {
 runner_architecture = var.runner_architecture
 ami_filter = var.ami_filter
 ami_owners = var.ami_owners
+ ami_id_ssm_parameter_arn = var.ami_id_ssm_parameter_arn
 ami_id_ssm_parameter_name = var.ami_id_ssm_parameter_name
 ami_kms_key_arn = var.ami_kms_key_arn
diff --git a/modules/multi-runner/runners.tf b/modules/multi-runner/runners.tf
index 8fe23d506d..172bfbe596 100644
--- a/modules/multi-runner/runners.tf
+++ b/modules/multi-runner/runners.tf
@@ -28,6 +28,7 @@ module "runners" {
 runner_architecture = each.value.runner_config.runner_architecture
 ami_filter = each.value.runner_config.ami_filter
 ami_owners = each.value.runner_config.ami_owners
+ ami_id_ssm_parameter_arn = each.value.runner_config.ami_id_ssm_parameter_arn
 ami_id_ssm_parameter_name = each.value.runner_config.ami_id_ssm_parameter_name
 ami_kms_key_arn = each.value.runner_config.ami_kms_key_arn
diff --git a/modules/multi-runner/variables.tf b/modules/multi-runner/variables.tf
index ff4419d4d9..c958389711 100644
--- a/modules/multi-runner/variables.tf
+++ b/modules/multi-runner/variables.tf
@@ -1,8 +1,8 @@ variable "github_app" { description = < Date: Mon, 31 Mar 2025 20:39:42 +0000
Subject: [PATCH 02/20] docs: auto update terraform docs
---
 README.md | 5 +++--
 examples/default/README.md | 2 +-
 modules/multi-runner/README.md | 4 ++--
 modules/runners/README.md | 2 ++
 4 files changed, 8 insertions(+), 5 deletions(-)
diff --git a/README.md b/README.md
index 67a7438819..66fc0c8208 100644
--- a/README.md
+++ b/README.md
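Review bot: In the main.tf hunk the new `ami_id_ssm_parameter_arn` is forwarded next to the deprecated `ami_id_ssm_parameter_name`, and nothing visible rejects a configuration that sets both or states which one wins; the modules/multi-runner/runners.tf hunk has the same gap. The variable declarations are not readable in this view, so this may already be handled, but if it is not, a check such as `condition = var.ami_id_ssm_parameter_arn == null || var.ami_id_ssm_parameter_name == null` with an explicit error message would make the precedence unambiguous. Since the referenced parameter now decides which AMI every runner boots, I would also add a line to the variable description saying that write access to that parameter must be held as tightly as the AMI itself. The diffstat shows nine lines added to `modules/runners/policies/lambda-scale-up.json` that are not shown here; please confirm the SSM read permission there is scoped to this one ARN and not a wildcard. Both `module "runners"` blocks start and end outside their hunks.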
@@ -113,7 +113,8 @@ Join our discord community via [this invite link](https://discord.gg/bxgXW8jJGh) | [ami\_housekeeper\_lambda\_schedule\_expression](#input\_ami\_housekeeper\_lambda\_schedule\_expression) | Scheduler expression for action runner binary syncer. | `string` | `"rate(1 day)"` | no | | [ami\_housekeeper\_lambda\_timeout](#input\_ami\_housekeeper\_lambda\_timeout) | Time out of the lambda in seconds. | `number` | `300` | no | | [ami\_housekeeper\_lambda\_zip](#input\_ami\_housekeeper\_lambda\_zip) | File location of the lambda zip file. | `string` | `null` | no | -| [ami\_id\_ssm\_parameter\_name](#input\_ami\_id\_ssm\_parameter\_name) | Externally managed SSM parameter (of data type aws:ec2:image) that contains the AMI ID to launch runner instances from. Overrides ami\_filter | `string` | `null` | no | +| [ami\_id\_ssm\_parameter\_arn](#input\_ami\_id\_ssm\_parameter\_arn) | ARN of the SSM parameter (of data type aws:ec2:image) that contains the AMI ID to launch runner instances from. Overrides ami\_filter | `string` | `null` | no | +| [ami\_id\_ssm\_parameter\_name](#input\_ami\_id\_ssm\_parameter\_name) | (DEPRECATED) Variable is replaced by `ami_id_ssm_parameter_arn` Externally managed SSM parameter (of data type aws:ec2:image) that contains the AMI ID to launch runner instances from. Overrides ami\_filter | `string` | `null` | no | | [ami\_kms\_key\_arn](#input\_ami\_kms\_key\_arn) | Optional CMK Key ARN to be used to launch an instance from a shared encrypted AMI | `string` | `null` | no | | [ami\_owners](#input\_ami\_owners) | The list of owners used to select the AMI of action runner instances. | `list(string)` |
[
"amazon"
]
| no | | [associate\_public\_ipv4\_address](#input\_associate\_public\_ipv4\_address) | Associate public IPv4 with the runner. Only tested with IPv4 | `bool` | `false` | no | @@ -141,7 +142,7 @@ Join our discord community via [this invite link](https://discord.gg/bxgXW8jJGh) | [eventbridge](#input\_eventbridge) | Enable the use of EventBridge by the module. By enabling this feature events will be put on the EventBridge by the webhook instead of directly dispatching to queues for scaling.

`enable`: Enable the EventBridge feature.
`accept_events`: List can be used to only allow specific events to be putted on the EventBridge. By default all events, empty list will be be interpreted as all events. |
object({
enable = optional(bool, true)
accept_events = optional(list(string), null)
})
| `{}` | no | | [ghes\_ssl\_verify](#input\_ghes\_ssl\_verify) | GitHub Enterprise SSL verification. Set to 'false' when custom certificate (chains) is used for GitHub Enterprise Server (insecure). | `bool` | `true` | no | | [ghes\_url](#input\_ghes\_url) | GitHub Enterprise Server URL. Example: https://github.internal.co - DO NOT SET IF USING PUBLIC GITHUB. However if you are using Github Enterprise Cloud with data-residency (ghe.com), set the endpoint here. Example - https://companyname.ghe.com | `string` | `null` | no | -| [github\_app](#input\_github\_app) | GitHub app parameters, see your github app.
You can optionally create the SSM parameters yourself and provide the ARN and name here, through the `*_ssm` attributes.
If you chose to provide the configuration values directly here,
please ensure the key is the base64-encoded `.pem` file (the output of `base64 app.private-key.pem`, not the content of `private-key.pem`).
Note: the provided SSM parameters arn and name have a precedence over the actual value (i.e `key_base64_ssm` has a precedence over `key_base64` etc). |
object({
key_base64 = optional(string)
key_base64_ssm = optional(object({
arn = string
name = string
}))
id = optional(string)
id_ssm = optional(object({
arn = string
name = string
}))
webhook_secret = optional(string)
webhook_secret_ssm = optional(object({
arn = string
name = string
}))
})
| n/a | yes | +| [github\_app](#input\_github\_app) | GitHub app parameters, see your github app.
You can optionally create the SSM parameters yourself and provide the ARN and name here, through the `*_ssm` attributes.
If you chose to provide the configuration values directly here,
please ensure the key is the base64-encoded `.pem` file (the output of `base64 app.private-key.pem`, not the content of `private-key.pem`).
Note: the provided SSM parameters arn and name have a precedence over the actual value (i.e `key_base64_ssm` has a precedence over `key_base64` etc). |
object({
key_base64 = optional(string)
key_base64_ssm = optional(object({
arn = string
name = string
}))
id = optional(string)
id_ssm = optional(object({
arn = string
name = string
}))
webhook_secret = optional(string)
webhook_secret_ssm = optional(object({
arn = string
name = string
}))
})
| n/a | yes | | [idle\_config](#input\_idle\_config) | List of time periods, defined as a cron expression, to keep a minimum amount of runners active instead of scaling down to 0. By defining this list you can ensure that in time periods that match the cron expression within 5 seconds a runner is kept idle. |
list(object({
cron = string
timeZone = string
idleCount = number
evictionStrategy = optional(string, "oldest_first")
}))
| `[]` | no | | [instance\_allocation\_strategy](#input\_instance\_allocation\_strategy) | The allocation strategy for spot instances. AWS recommends using `price-capacity-optimized` however the AWS default is `lowest-price`. | `string` | `"lowest-price"` | no | | [instance\_max\_spot\_price](#input\_instance\_max\_spot\_price) | Max price price for spot instances per hour. This variable will be passed to the create fleet as max spot price for the fleet. | `string` | `null` | no | diff --git a/examples/default/README.md b/examples/default/README.md index f3129d71bc..ae5f4230ea 100644 --- a/examples/default/README.md +++ b/examples/default/README.md @@ -42,7 +42,7 @@ terraform output -raw webhook_secret | Name | Version | |------|---------| -| [random](#provider\_random) | 3.6.3 | +| [random](#provider\_random) | 3.7.1 | ## Modules diff --git a/modules/multi-runner/README.md b/modules/multi-runner/README.md index dca32e2662..974496a31e 100644 --- a/modules/multi-runner/README.md +++ b/modules/multi-runner/README.md @@ -131,7 +131,7 @@ module "multi-runner" { | [eventbridge](#input\_eventbridge) | Enable the use of EventBridge by the module. By enabling this feature events will be put on the EventBridge by the webhook instead of directly dispatching to queues for scaling. |
object({
enable = optional(bool, true)
accept_events = optional(list(string), [])
})
| `{}` | no | | [ghes\_ssl\_verify](#input\_ghes\_ssl\_verify) | GitHub Enterprise SSL verification. Set to 'false' when custom certificate (chains) is used for GitHub Enterprise Server (insecure). | `bool` | `true` | no | | [ghes\_url](#input\_ghes\_url) | GitHub Enterprise Server URL. Example: https://github.internal.co - DO NOT SET IF USING PUBLIC GITHUB. .However if you are using Github Enterprise Cloud with data-residency (ghe.com), set the endpoint here. Example - https://companyname.ghe.com\| | `string` | `null` | no | -| [github\_app](#input\_github\_app) | GitHub app parameters, see your github app.
You can optionally create the SSM parameters yourself and provide the ARN and name here, through the `*_ssm` attributes.
If you chose to provide the configuration values directly here,
please ensure the key is the base64-encoded `.pem` file (the output of `base64 app.private-key.pem`, not the content of `private-key.pem`).
Note: the provided SSM parameters arn and name have a precedence over the actual value (i.e `key_base64_ssm` has a precedence over `key_base64` etc). |
object({
key_base64 = optional(string)
key_base64_ssm = optional(object({
arn = string
name = string
}))
id = optional(string)
id_ssm = optional(object({
arn = string
name = string
}))
webhook_secret = optional(string)
webhook_secret_ssm = optional(object({
arn = string
name = string
}))
})
| n/a | yes | +| [github\_app](#input\_github\_app) | GitHub app parameters, see your github app.
You can optionally create the SSM parameters yourself and provide the ARN and name here, through the `*_ssm` attributes.
If you chose to provide the configuration values directly here,
please ensure the key is the base64-encoded `.pem` file (the output of `base64 app.private-key.pem`, not the content of `private-key.pem`).
Note: the provided SSM parameters arn and name have a precedence over the actual value (i.e `key_base64_ssm` has a precedence over `key_base64` etc). |
object({
key_base64 = optional(string)
key_base64_ssm = optional(object({
arn = string
name = string
}))
id = optional(string)
id_ssm = optional(object({
arn = string
name = string
}))
webhook_secret = optional(string)
webhook_secret_ssm = optional(object({
arn = string
name = string
}))
})
| n/a | yes | | [instance\_profile\_path](#input\_instance\_profile\_path) | The path that will be added to the instance\_profile, if not set the environment name will be used. | `string` | `null` | no | | [instance\_termination\_watcher](#input\_instance\_termination\_watcher) | Configuration for the spot termination watcher lambda function. This feature is Beta, changes will not trigger a major release as long in beta.

`enable`: Enable or disable the spot termination watcher.
`memory_size`: Memory size linit in MB of the lambda.
`s3_key`: S3 key for syncer lambda function. Required if using S3 bucket to specify lambdas.
`s3_object_version`: S3 object version for syncer lambda function. Useful if S3 versioning is enabled on source bucket.
`timeout`: Time out of the lambda in seconds.
`zip`: File location of the lambda zip file. |
object({
enable = optional(bool, false)
features = optional(object({
enable_spot_termination_handler = optional(bool, true)
enable_spot_termination_notification_watcher = optional(bool, true)
}), {})
memory_size = optional(number, null)
s3_key = optional(string, null)
s3_object_version = optional(string, null)
timeout = optional(number, null)
zip = optional(string, null)
})
| `{}` | no | | [key\_name](#input\_key\_name) | Key pair name | `string` | `null` | no | @@ -148,7 +148,7 @@ module "multi-runner" { | [logging\_retention\_in\_days](#input\_logging\_retention\_in\_days) | Specifies the number of days you want to retain log events for the lambda log group. Possible values are: 0, 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, and 3653. | `number` | `180` | no | | [matcher\_config\_parameter\_store\_tier](#input\_matcher\_config\_parameter\_store\_tier) | The tier of the parameter store for the matcher configuration. Valid values are `Standard`, and `Advanced`. | `string` | `"Standard"` | no | | [metrics](#input\_metrics) | Configuration for metrics created by the module, by default metrics are disabled to avoid additional costs. When metrics are enable all metrics are created unless explicit configured otherwise. |
object({
enable = optional(bool, false)
namespace = optional(string, "GitHub Runners")
metric = optional(object({
enable_github_app_rate_limit = optional(bool, true)
enable_job_retry = optional(bool, true)
enable_spot_termination_warning = optional(bool, true)
}), {})
})
| `{}` | no | -| [multi\_runner\_config](#input\_multi\_runner\_config) | multi\_runner\_config = {
runner\_config: {
runner\_os: "The EC2 Operating System type to use for action runner instances (linux,windows)."
runner\_architecture: "The platform architecture of the runner instance\_type."
runner\_metadata\_options: "(Optional) Metadata options for the ec2 runner instances."
ami\_filter: "(Optional) List of maps used to create the AMI filter for the action runner AMI. By default amazon linux 2 is used."
ami\_owners: "(Optional) The list of owners used to select the AMI of action runner instances."
create\_service\_linked\_role\_spot: (Optional) create the serviced linked role for spot instances that is required by the scale-up lambda.
credit\_specification: "(Optional) The credit specification of the runner instance\_type. Can be unset, `standard` or `unlimited`.
delay\_webhook\_event: "The number of seconds the event accepted by the webhook is invisible on the queue before the scale up lambda will receive the event."
disable\_runner\_autoupdate: "Disable the auto update of the github runner agent. Be aware there is a grace period of 30 days, see also the [GitHub article](https://github.blog/changelog/2022-02-01-github-actions-self-hosted-runners-can-now-disable-automatic-updates/)"
ebs\_optimized: "The EC2 EBS optimized configuration."
enable\_ephemeral\_runners: "Enable ephemeral runners, runners will only be used once."
enable\_job\_queued\_check: "Enables JIT configuration for creating runners instead of registration token based registraton. JIT configuration will only be applied for ephemeral runners. By default JIT confiugration is enabled for ephemeral runners an can be disabled via this override. When running on GHES without support for JIT configuration this variable should be set to true for ephemeral runners."
enable\_on\_demand\_failover\_for\_errors: "Enable on-demand failover. For example to fall back to on demand when no spot capacity is available the variable can be set to `InsufficientInstanceCapacity`. When not defined the default behavior is to retry later."
enable\_organization\_runners: "Register runners to organization, instead of repo level"
enable\_runner\_binaries\_syncer: "Option to disable the lambda to sync GitHub runner distribution, useful when using a pre-build AMI."
enable\_ssm\_on\_runners: "Enable to allow access the runner instances for debugging purposes via SSM. Note that this adds additional permissions to the runner instances."
enable\_userdata: "Should the userdata script be enabled for the runner. Set this to false if you are using your own prebuilt AMI."
instance\_allocation\_strategy: "The allocation strategy for spot instances. AWS recommends to use `capacity-optimized` however the AWS default is `lowest-price`."
instance\_max\_spot\_price: "Max price price for spot intances per hour. This variable will be passed to the create fleet as max spot price for the fleet."
instance\_target\_capacity\_type: "Default lifecycle used for runner instances, can be either `spot` or `on-demand`."
instance\_types: "List of instance types for the action runner. Defaults are based on runner\_os (al2023 for linux and Windows Server Core for win)."
job\_queue\_retention\_in\_seconds: "The number of seconds the job is held in the queue before it is purged"
minimum\_running\_time\_in\_minutes: "The time an ec2 action runner should be running at minimum before terminated if not busy."
pool\_runner\_owner: "The pool will deploy runners to the GitHub org ID, set this value to the org to which you want the runners deployed. Repo level is not supported."
runner\_additional\_security\_group\_ids: "List of additional security groups IDs to apply to the runner. If added outside the multi\_runner\_config block, the additional security group(s) will be applied to all runner configs. If added inside the multi\_runner\_config, the additional security group(s) will be applied to the individual runner."
runner\_as\_root: "Run the action runner under the root user. Variable `runner_run_as` will be ignored."
runner\_boot\_time\_in\_minutes: "The minimum time for an EC2 runner to boot and register as a runner."
runner\_disable\_default\_labels: "Disable default labels for the runners (os, architecture and `self-hosted`). If enabled, the runner will only have the extra labels provided in `runner_extra_labels`. In case you on own start script is used, this configuration parameter needs to be parsed via SSM."
runner\_extra\_labels: "Extra (custom) labels for the runners (GitHub). Separate each label by a comma. Labels checks on the webhook can be enforced by setting `multi_runner_config.matcherConfig.exactMatch`. GitHub read-only labels should not be provided."
runner\_group\_name: "Name of the runner group."
runner\_name\_prefix: "Prefix for the GitHub runner name."
runner\_run\_as: "Run the GitHub actions agent as user."
runners\_maximum\_count: "The maximum number of runners that will be created. Setting the variable to `-1` desiables the maximum check."
scale\_down\_schedule\_expression: "Scheduler expression to check every x for scale down."
scale\_up\_reserved\_concurrent\_executions: "Amount of reserved concurrent executions for the scale-up lambda function. A value of 0 disables lambda from being triggered and -1 removes any concurrency limitations."
userdata\_template: "Alternative user-data template, replacing the default template. By providing your own user\_data you have to take care of installing all required software, including the action runner. Variables userdata\_pre/post\_install are ignored."
enable\_jit\_config "Overwrite the default behavior for JIT configuration. By default JIT configuration is enabled for ephemeral runners and disabled for non-ephemeral runners. In case of GHES check first if the JIT config API is avaialbe. In case you upgradeing from 3.x to 4.x you can set `enable_jit_config` to `false` to avoid a breaking change when having your own AMI."
enable\_runner\_detailed\_monitoring: "Should detailed monitoring be enabled for the runner. Set this to true if you want to use detailed monitoring. See https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-cloudwatch-new.html for details."
enable\_cloudwatch\_agent: "Enabling the cloudwatch agent on the ec2 runner instances, the runner contains default config. Configuration can be overridden via `cloudwatch_config`."
cloudwatch\_config: "(optional) Replaces the module default cloudwatch log config. See https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Agent-Configuration-File-Details.html for details."
userdata\_pre\_install: "Script to be ran before the GitHub Actions runner is installed on the EC2 instances"
userdata\_post\_install: "Script to be ran after the GitHub Actions runner is installed on the EC2 instances"
runner\_hook\_job\_started: "Script to be ran in the runner environment at the beginning of every job"
runner\_hook\_job\_completed: "Script to be ran in the runner environment at the end of every job"
runner\_ec2\_tags: "Map of tags that will be added to the launch template instance tag specifications."
runner\_iam\_role\_managed\_policy\_arns: "Attach AWS or customer-managed IAM policies (by ARN) to the runner IAM role"
vpc\_id: "The VPC for security groups of the action runners. If not set uses the value of `var.vpc_id`."
subnet\_ids: "List of subnets in which the action runners will be launched, the subnets needs to be subnets in the `vpc_id`. If not set, uses the value of `var.subnet_ids`."
idle\_config: "List of time period that can be defined as cron expression to keep a minimum amount of runners active instead of scaling down to 0. By defining this list you can ensure that in time periods that match the cron expression within 5 seconds a runner is kept idle."
runner\_log\_files: "(optional) Replaces the module default cloudwatch log config. See https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Agent-Configuration-File-Details.html for details."
block\_device\_mappings: "The EC2 instance block device configuration. Takes the following keys: `device_name`, `delete_on_termination`, `volume_type`, `volume_size`, `encrypted`, `iops`, `throughput`, `kms_key_id`, `snapshot_id`."
job\_retry: "Experimental! Can be removed / changed without trigger a major release. Configure job retries. The configuration enables job retries (for ephemeral runners). After creating the insances a message will be published to a job retry queue. The job retry check lambda is checking after a delay if the job is queued. If not the message will be published again on the scale-up (build queue). Using this feature can impact the reate limit of the GitHub app."
pool\_config: "The configuration for updating the pool. The `pool_size` to adjust to by the events triggered by the `schedule_expression`. For example you can configure a cron expression for week days to adjust the pool to 10 and another expression for the weekend to adjust the pool to 1. Use `schedule_expression_timezone` to override the schedule time zone (defaults to UTC)."
}
matcherConfig: {
labelMatchers: "The list of list of labels supported by the runner configuration. `[[self-hosted, linux, x64, example]]`"
exactMatch: "If set to true all labels in the workflow job must match the GitHub labels (os, architecture and `self-hosted`). When false if __any__ workflow label matches it will trigger the webhook."
priority: "If set it defines the priority of the matcher, the matcher with the lowest priority will be evaluated first. Default is 999, allowed values 0-999."
}
redrive\_build\_queue: "Set options to attach (optional) a dead letter queue to the build queue, the queue between the webhook and the scale up lambda. You have the following options. 1. Disable by setting `enabled` to false. 2. Enable by setting `enabled` to `true`, `maxReceiveCount` to a number of max retries."
} |
map(object({
runner_config = object({
runner_os = string
runner_architecture = string
runner_metadata_options = optional(map(any), {
instance_metadata_tags = "enabled"
http_endpoint = "enabled"
http_tokens = "required"
http_put_response_hop_limit = 1
})
ami_filter = optional(map(list(string)), { state = ["available"] })
ami_owners = optional(list(string), ["amazon"])
ami_id_ssm_parameter_name = optional(string, null)
ami_kms_key_arn = optional(string, "")
create_service_linked_role_spot = optional(bool, false)
credit_specification = optional(string, null)
delay_webhook_event = optional(number, 30)
disable_runner_autoupdate = optional(bool, false)
ebs_optimized = optional(bool, false)
enable_ephemeral_runners = optional(bool, false)
enable_job_queued_check = optional(bool, null)
enable_on_demand_failover_for_errors = optional(list(string), [])
enable_organization_runners = optional(bool, false)
enable_runner_binaries_syncer = optional(bool, true)
enable_ssm_on_runners = optional(bool, false)
enable_userdata = optional(bool, true)
instance_allocation_strategy = optional(string, "lowest-price")
instance_max_spot_price = optional(string, null)
instance_target_capacity_type = optional(string, "spot")
instance_types = list(string)
job_queue_retention_in_seconds = optional(number, 86400)
minimum_running_time_in_minutes = optional(number, null)
pool_runner_owner = optional(string, null)
runner_as_root = optional(bool, false)
runner_boot_time_in_minutes = optional(number, 5)
runner_disable_default_labels = optional(bool, false)
runner_extra_labels = optional(list(string), [])
runner_group_name = optional(string, "Default")
runner_name_prefix = optional(string, "")
runner_run_as = optional(string, "ec2-user")
runners_maximum_count = number
runner_additional_security_group_ids = optional(list(string), [])
scale_down_schedule_expression = optional(string, "cron(*/5 * * * ? *)")
scale_up_reserved_concurrent_executions = optional(number, 1)
userdata_template = optional(string, null)
userdata_content = optional(string, null)
enable_jit_config = optional(bool, null)
enable_runner_detailed_monitoring = optional(bool, false)
enable_cloudwatch_agent = optional(bool, true)
cloudwatch_config = optional(string, null)
userdata_pre_install = optional(string, "")
userdata_post_install = optional(string, "")
runner_hook_job_started = optional(string, "")
runner_hook_job_completed = optional(string, "")
runner_ec2_tags = optional(map(string), {})
runner_iam_role_managed_policy_arns = optional(list(string), [])
vpc_id = optional(string, null)
subnet_ids = optional(list(string), null)
idle_config = optional(list(object({
cron = string
timeZone = string
idleCount = number
evictionStrategy = optional(string, "oldest_first")
})), [])
runner_log_files = optional(list(object({
log_group_name = string
prefix_log_group = bool
file_path = string
log_stream_name = string
})), null)
block_device_mappings = optional(list(object({
delete_on_termination = optional(bool, true)
device_name = optional(string, "/dev/xvda")
encrypted = optional(bool, true)
iops = optional(number)
kms_key_id = optional(string)
snapshot_id = optional(string)
throughput = optional(number)
volume_size = number
volume_type = optional(string, "gp3")
})), [{
volume_size = 30
}])
pool_config = optional(list(object({
schedule_expression = string
schedule_expression_timezone = optional(string)
size = number
})), [])
job_retry = optional(object({
enable = optional(bool, false)
delay_in_seconds = optional(number, 300)
delay_backoff = optional(number, 2)
lambda_memory_size = optional(number, 256)
lambda_timeout = optional(number, 30)
max_attempts = optional(number, 1)
}), {})
})
matcherConfig = object({
labelMatchers = list(list(string))
exactMatch = optional(bool, false)
priority = optional(number, 999)
})
redrive_build_queue = optional(object({
enabled = bool
maxReceiveCount = number
}), {
enabled = false
maxReceiveCount = null
})
}))
| n/a | yes | +| [multi\_runner\_config](#input\_multi\_runner\_config) | multi\_runner\_config = {
runner\_config: {
runner\_os: "The EC2 Operating System type to use for action runner instances (linux,windows)."
runner\_architecture: "The platform architecture of the runner instance\_type."
runner\_metadata\_options: "(Optional) Metadata options for the ec2 runner instances."
ami\_filter: "(Optional) List of maps used to create the AMI filter for the action runner AMI. By default amazon linux 2 is used."
ami\_owners: "(Optional) The list of owners used to select the AMI of action runner instances."
create\_service\_linked\_role\_spot: (Optional) create the serviced linked role for spot instances that is required by the scale-up lambda.
credit\_specification: "(Optional) The credit specification of the runner instance\_type. Can be unset, `standard` or `unlimited`.
delay\_webhook\_event: "The number of seconds the event accepted by the webhook is invisible on the queue before the scale up lambda will receive the event."
disable\_runner\_autoupdate: "Disable the auto update of the github runner agent. Be aware there is a grace period of 30 days, see also the [GitHub article](https://github.blog/changelog/2022-02-01-github-actions-self-hosted-runners-can-now-disable-automatic-updates/)"
ebs\_optimized: "The EC2 EBS optimized configuration."
enable\_ephemeral\_runners: "Enable ephemeral runners, runners will only be used once."
enable\_job\_queued\_check: "Enables JIT configuration for creating runners instead of registration token based registraton. JIT configuration will only be applied for ephemeral runners. By default JIT confiugration is enabled for ephemeral runners an can be disabled via this override. When running on GHES without support for JIT configuration this variable should be set to true for ephemeral runners."
enable\_on\_demand\_failover\_for\_errors: "Enable on-demand failover. For example to fall back to on demand when no spot capacity is available the variable can be set to `InsufficientInstanceCapacity`. When not defined the default behavior is to retry later."
enable\_organization\_runners: "Register runners to organization, instead of repo level"
enable\_runner\_binaries\_syncer: "Option to disable the lambda to sync GitHub runner distribution, useful when using a pre-build AMI."
enable\_ssm\_on\_runners: "Enable to allow access the runner instances for debugging purposes via SSM. Note that this adds additional permissions to the runner instances."
enable\_userdata: "Should the userdata script be enabled for the runner. Set this to false if you are using your own prebuilt AMI."
instance\_allocation\_strategy: "The allocation strategy for spot instances. AWS recommends to use `capacity-optimized` however the AWS default is `lowest-price`."
instance\_max\_spot\_price: "Max price price for spot intances per hour. This variable will be passed to the create fleet as max spot price for the fleet."
instance\_target\_capacity\_type: "Default lifecycle used for runner instances, can be either `spot` or `on-demand`."
instance\_types: "List of instance types for the action runner. Defaults are based on runner\_os (al2023 for linux and Windows Server Core for win)."
job\_queue\_retention\_in\_seconds: "The number of seconds the job is held in the queue before it is purged"
minimum\_running\_time\_in\_minutes: "The time an ec2 action runner should be running at minimum before terminated if not busy."
pool\_runner\_owner: "The pool will deploy runners to the GitHub org ID, set this value to the org to which you want the runners deployed. Repo level is not supported."
runner\_additional\_security\_group\_ids: "List of additional security groups IDs to apply to the runner. If added outside the multi\_runner\_config block, the additional security group(s) will be applied to all runner configs. If added inside the multi\_runner\_config, the additional security group(s) will be applied to the individual runner."
runner\_as\_root: "Run the action runner under the root user. Variable `runner_run_as` will be ignored."
runner\_boot\_time\_in\_minutes: "The minimum time for an EC2 runner to boot and register as a runner."
runner\_disable\_default\_labels: "Disable default labels for the runners (os, architecture and `self-hosted`). If enabled, the runner will only have the extra labels provided in `runner_extra_labels`. In case you on own start script is used, this configuration parameter needs to be parsed via SSM."
runner\_extra\_labels: "Extra (custom) labels for the runners (GitHub). Separate each label by a comma. Labels checks on the webhook can be enforced by setting `multi_runner_config.matcherConfig.exactMatch`. GitHub read-only labels should not be provided."
runner\_group\_name: "Name of the runner group."
runner\_name\_prefix: "Prefix for the GitHub runner name."
runner\_run\_as: "Run the GitHub actions agent as user."
runners\_maximum\_count: "The maximum number of runners that will be created. Setting the variable to `-1` desiables the maximum check."
scale\_down\_schedule\_expression: "Scheduler expression to check every x for scale down."
scale\_up\_reserved\_concurrent\_executions: "Amount of reserved concurrent executions for the scale-up lambda function. A value of 0 disables lambda from being triggered and -1 removes any concurrency limitations."
userdata\_template: "Alternative user-data template, replacing the default template. By providing your own user\_data you have to take care of installing all required software, including the action runner. Variables userdata\_pre/post\_install are ignored."
enable\_jit\_config "Overwrite the default behavior for JIT configuration. By default JIT configuration is enabled for ephemeral runners and disabled for non-ephemeral runners. In case of GHES check first if the JIT config API is avaialbe. In case you upgradeing from 3.x to 4.x you can set `enable_jit_config` to `false` to avoid a breaking change when having your own AMI."
enable\_runner\_detailed\_monitoring: "Should detailed monitoring be enabled for the runner. Set this to true if you want to use detailed monitoring. See https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-cloudwatch-new.html for details."
enable\_cloudwatch\_agent: "Enabling the cloudwatch agent on the ec2 runner instances, the runner contains default config. Configuration can be overridden via `cloudwatch_config`."
cloudwatch\_config: "(optional) Replaces the module default cloudwatch log config. See https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Agent-Configuration-File-Details.html for details."
userdata\_pre\_install: "Script to be ran before the GitHub Actions runner is installed on the EC2 instances"
userdata\_post\_install: "Script to be ran after the GitHub Actions runner is installed on the EC2 instances"
runner\_hook\_job\_started: "Script to be ran in the runner environment at the beginning of every job"
runner\_hook\_job\_completed: "Script to be ran in the runner environment at the end of every job"
runner\_ec2\_tags: "Map of tags that will be added to the launch template instance tag specifications."
runner\_iam\_role\_managed\_policy\_arns: "Attach AWS or customer-managed IAM policies (by ARN) to the runner IAM role"
vpc\_id: "The VPC for security groups of the action runners. If not set uses the value of `var.vpc_id`."
subnet\_ids: "List of subnets in which the action runners will be launched, the subnets needs to be subnets in the `vpc_id`. If not set, uses the value of `var.subnet_ids`."
idle\_config: "List of time period that can be defined as cron expression to keep a minimum amount of runners active instead of scaling down to 0. By defining this list you can ensure that in time periods that match the cron expression within 5 seconds a runner is kept idle."
runner\_log\_files: "(optional) Replaces the module default cloudwatch log config. See https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Agent-Configuration-File-Details.html for details."
block\_device\_mappings: "The EC2 instance block device configuration. Takes the following keys: `device_name`, `delete_on_termination`, `volume_type`, `volume_size`, `encrypted`, `iops`, `throughput`, `kms_key_id`, `snapshot_id`."
job\_retry: "Experimental! Can be removed / changed without trigger a major release. Configure job retries. The configuration enables job retries (for ephemeral runners). After creating the insances a message will be published to a job retry queue. The job retry check lambda is checking after a delay if the job is queued. If not the message will be published again on the scale-up (build queue). Using this feature can impact the reate limit of the GitHub app."
pool\_config: "The configuration for updating the pool. The `pool_size` to adjust to by the events triggered by the `schedule_expression`. For example you can configure a cron expression for week days to adjust the pool to 10 and another expression for the weekend to adjust the pool to 1. Use `schedule_expression_timezone` to override the schedule time zone (defaults to UTC)."
}
matcherConfig: {
labelMatchers: "The list of list of labels supported by the runner configuration. `[[self-hosted, linux, x64, example]]`"
exactMatch: "If set to true all labels in the workflow job must match the GitHub labels (os, architecture and `self-hosted`). When false if __any__ workflow label matches it will trigger the webhook."
priority: "If set it defines the priority of the matcher, the matcher with the lowest priority will be evaluated first. Default is 999, allowed values 0-999."
}
redrive\_build\_queue: "Set options to attach (optional) a dead letter queue to the build queue, the queue between the webhook and the scale up lambda. You have the following options. 1. Disable by setting `enabled` to false. 2. Enable by setting `enabled` to `true`, `maxReceiveCount` to a number of max retries."
} |
map(object({
runner_config = object({
runner_os = string
runner_architecture = string
runner_metadata_options = optional(map(any), {
instance_metadata_tags = "enabled"
http_endpoint = "enabled"
http_tokens = "required"
http_put_response_hop_limit = 1
})
ami_filter = optional(map(list(string)), { state = ["available"] })
ami_owners = optional(list(string), ["amazon"])
ami_id_ssm_parameter_arn = optional(string, null)
ami_id_ssm_parameter_name = optional(string, null)
ami_kms_key_arn = optional(string, "")
create_service_linked_role_spot = optional(bool, false)
credit_specification = optional(string, null)
delay_webhook_event = optional(number, 30)
disable_runner_autoupdate = optional(bool, false)
ebs_optimized = optional(bool, false)
enable_ephemeral_runners = optional(bool, false)
enable_job_queued_check = optional(bool, null)
enable_on_demand_failover_for_errors = optional(list(string), [])
enable_organization_runners = optional(bool, false)
enable_runner_binaries_syncer = optional(bool, true)
enable_ssm_on_runners = optional(bool, false)
enable_userdata = optional(bool, true)
instance_allocation_strategy = optional(string, "lowest-price")
instance_max_spot_price = optional(string, null)
instance_target_capacity_type = optional(string, "spot")
instance_types = list(string)
job_queue_retention_in_seconds = optional(number, 86400)
minimum_running_time_in_minutes = optional(number, null)
pool_runner_owner = optional(string, null)
runner_as_root = optional(bool, false)
runner_boot_time_in_minutes = optional(number, 5)
runner_disable_default_labels = optional(bool, false)
runner_extra_labels = optional(list(string), [])
runner_group_name = optional(string, "Default")
runner_name_prefix = optional(string, "")
runner_run_as = optional(string, "ec2-user")
runners_maximum_count = number
runner_additional_security_group_ids = optional(list(string), [])
scale_down_schedule_expression = optional(string, "cron(*/5 * * * ? *)")
scale_up_reserved_concurrent_executions = optional(number, 1)
userdata_template = optional(string, null)
userdata_content = optional(string, null)
enable_jit_config = optional(bool, null)
enable_runner_detailed_monitoring = optional(bool, false)
enable_cloudwatch_agent = optional(bool, true)
cloudwatch_config = optional(string, null)
userdata_pre_install = optional(string, "")
userdata_post_install = optional(string, "")
runner_hook_job_started = optional(string, "")
runner_hook_job_completed = optional(string, "")
runner_ec2_tags = optional(map(string), {})
runner_iam_role_managed_policy_arns = optional(list(string), [])
vpc_id = optional(string, null)
subnet_ids = optional(list(string), null)
idle_config = optional(list(object({
cron = string
timeZone = string
idleCount = number
evictionStrategy = optional(string, "oldest_first")
})), [])
runner_log_files = optional(list(object({
log_group_name = string
prefix_log_group = bool
file_path = string
log_stream_name = string
})), null)
block_device_mappings = optional(list(object({
delete_on_termination = optional(bool, true)
device_name = optional(string, "/dev/xvda")
encrypted = optional(bool, true)
iops = optional(number)
kms_key_id = optional(string)
snapshot_id = optional(string)
throughput = optional(number)
volume_size = number
volume_type = optional(string, "gp3")
})), [{
volume_size = 30
}])
pool_config = optional(list(object({
schedule_expression = string
schedule_expression_timezone = optional(string)
size = number
})), [])
job_retry = optional(object({
enable = optional(bool, false)
delay_in_seconds = optional(number, 300)
delay_backoff = optional(number, 2)
lambda_memory_size = optional(number, 256)
lambda_timeout = optional(number, 30)
max_attempts = optional(number, 1)
}), {})
})
matcherConfig = object({
labelMatchers = list(list(string))
exactMatch = optional(bool, false)
priority = optional(number, 999)
})
redrive_build_queue = optional(object({
enabled = bool
maxReceiveCount = number
}), {
enabled = false
maxReceiveCount = null
})
}))
| n/a | yes |
 | [pool\_lambda\_reserved\_concurrent\_executions](#input\_pool\_lambda\_reserved\_concurrent\_executions) | Amount of reserved concurrent executions for the scale-up lambda function. A value of 0 disables lambda from being triggered and -1 removes any concurrency limitations. | `number` | `1` | no |
 | [pool\_lambda\_timeout](#input\_pool\_lambda\_timeout) | Time out for the pool lambda in seconds. | `number` | `60` | no |
 | [prefix](#input\_prefix) | The prefix used for naming resources | `string` | `"github-actions"` | no |
diff --git a/modules/runners/README.md b/modules/runners/README.md
index 2d8e11a0c3..fe668150b7 100644
--- a/modules/runners/README.md
+++ b/modules/runners/README.md
@@ -120,6 +120,7 @@ yarn run dist
 | [aws_ssm_parameter.disable_default_labels](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter) | resource |
 | [aws_ssm_parameter.jit_config_enabled](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter) | resource |
 | [aws_ssm_parameter.runner_agent_mode](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter) | resource |
+| [aws_ssm_parameter.runner_ami_id](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter) | resource |
 | [aws_ssm_parameter.runner_config_run_as](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter) | resource |
 | [aws_ssm_parameter.runner_enable_cloudwatch](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter) | resource |
 | [aws_ssm_parameter.token_path](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter) | resource |
@@ -133,6 +134,7 @@ yarn run dist
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | [ami\_filter](#input\_ami\_filter) | Map of lists used to create the AMI filter for the action runner AMI. | `map(list(string))` |
{
"state": [
"available"
]
}
| no |
+| [ami\_id\_ssm\_parameter\_arn](#input\_ami\_id\_ssm\_parameter\_arn) | ARN of the SSM parameter (of data type aws:ec2:image) that contains the AMI ID to launch runner instances from. Overrides ami\_filter | `string` | `null` | no |
 | [ami\_id\_ssm\_parameter\_name](#input\_ami\_id\_ssm\_parameter\_name) | Externally managed SSM parameter (of data type aws:ec2:image) that contains the AMI ID to launch runner instances from. Overrides ami\_filter | `string` | `null` | no |
 | [ami\_kms\_key\_arn](#input\_ami\_kms\_key\_arn) | Optional CMK Key ARN to be used to launch an instance from a shared encrypted AMI | `string` | `null` | no |
 | [ami\_owners](#input\_ami\_owners) | The list of owners used to select the AMI of action runner instances. | `list(string)` |
[
"amazon"
]
| no | From ae2e77e3410d7e4d59e9f2855356cecfb1a869ef Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 31 Mar 2025 23:15:50 +0200 Subject: [PATCH 03/20] chore(lambda): bump vitest from 3.0.9 to 3.1.1 in /lambdas (#4516) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Bumps [vitest](https://github.com/vitest-dev/vitest/tree/HEAD/packages/vitest) from 3.0.9 to 3.1.1.
Release notes

Sourced from vitest's releases.

v3.1.1

   🐞 Bug Fixes

    View changes on GitHub

v3.1.0

🚀 Features

🐞 Bug Fixes

🏎 Performance

... (truncated)

Commits
  • a9d36c7 chore: release v3.1.1
  • 69ca425 fix(reporter): print test only once in the verbose mode (#7738)
  • b166efa fix(reporter): report tests in correct order (#7752)
  • b8eda4b chore: release v3.1.0
  • 938da77 fix (ui): rerun individually tests with special chars in name (#7707)
  • 7883acd feat: use providers request interception for module mocking (#7576)
  • a7ecd0f refactor: remove direct imports from rollup (#7751)
  • 5659a0e feat: Added vitest-browser-lit to vitest init browser and docs (#7705)
  • 2702cf4 fix: fix vm tests flakiness (#7741)
  • 12762ea perf(browser): fork jest-dom instead of bundling it (#7605)
  • Additional commits viewable in compare view

[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=vitest&package-manager=npm_and_yarn&previous-version=3.0.9&new-version=3.1.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) ---
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- lambdas/package.json | 2 +- lambdas/yarn.lock | 122 +++++++++++++++++++++---------------------- 2 files changed, 62 insertions(+), 62 deletions(-) diff --git a/lambdas/package.json b/lambdas/package.json index 8ade102a39..e69232a9c5 100644 --- a/lambdas/package.json +++ b/lambdas/package.json @@ -40,7 +40,7 @@ "ts-node-dev": "^2.0.0", "typescript": "^5.8.2", "vite": "^6.2.4", - "vitest": "^3.0.9" + "vitest": "^3.1.1" }, "packageManager": "yarn@4.3.1" } diff --git a/lambdas/yarn.lock b/lambdas/yarn.lock index 31b12d5957..2f8c635438 100644 --- a/lambdas/yarn.lock +++ b/lambdas/yarn.lock @@ -5357,15 +5357,15 @@ __metadata: languageName: node linkType: hard -"@vitest/expect@npm:3.0.9": - version: 3.0.9 - resolution: "@vitest/expect@npm:3.0.9" +"@vitest/expect@npm:3.1.1": + version: 3.1.1 + resolution: "@vitest/expect@npm:3.1.1" dependencies: - "@vitest/spy": "npm:3.0.9" - "@vitest/utils": "npm:3.0.9" + "@vitest/spy": "npm:3.1.1" + "@vitest/utils": "npm:3.1.1" chai: "npm:^5.2.0" tinyrainbow: "npm:^2.0.0" - checksum: 10c0/4e5eef8fbc9c3e47f3fb69dbbd5b51aabdf1b6de2f781556d37d79731678fc83cf4a01d146226b12a27df051a4110153a6172506c9c74ae08e5b924a9c947f08 + checksum: 10c0/ef4528d0ebb89eb3cc044cf597d051c35df8471bb6ba4029e9b3412aa69d0d85a0ce4eb49531fc78fe1ebd97e6428260463068cc96a8d8c1a80150dedfd1ab3a languageName: node linkType: hard @@ -5393,11 +5393,11 @@ __metadata: languageName: node linkType: hard -"@vitest/mocker@npm:3.0.9": - version: 3.0.9 - resolution: "@vitest/mocker@npm:3.0.9" +"@vitest/mocker@npm:3.1.1": + version: 3.1.1 + resolution: "@vitest/mocker@npm:3.1.1" dependencies: - "@vitest/spy": "npm:3.0.9" + "@vitest/spy": "npm:3.1.1" estree-walker: "npm:^3.0.3" magic-string: "npm:^0.30.17" peerDependencies: 
@@ -5408,7 +5408,7 @@ __metadata: optional: true vite: optional: true - checksum: 10c0/9083a83902ca550cf004413b9fc87c8367a789e18a3c5a61e63c72810f9153e7d1c100c66f0b0656ea1035a700a373d5b78b49de0963ab62333c720aeec9f1b3 + checksum: 10c0/9264558809e2d7c77ae9ceefad521dc5f886a567aaf0bdd021b73089b8906ffd92c893f3998d16814f38fc653c7413836f508712355c87749a0e86c7d435eec1 languageName: node linkType: hard 
@@ -5430,33 +5430,33 @@ __metadata: languageName: node linkType: hard -"@vitest/pretty-format@npm:3.0.9, @vitest/pretty-format@npm:^3.0.9": - version: 3.0.9 - resolution: "@vitest/pretty-format@npm:3.0.9" +"@vitest/pretty-format@npm:3.1.1, @vitest/pretty-format@npm:^3.1.1": + version: 3.1.1 + resolution: "@vitest/pretty-format@npm:3.1.1" dependencies: tinyrainbow: "npm:^2.0.0" - checksum: 10c0/56ae7b1f14df2905b3205d4e121727631c4938ec44f76c1e9fa49923919010378f0dad70b1d277672f3ef45ddf6372140c8d1da95e45df8282f70b74328fce47 + checksum: 10c0/540cd46d317fc80298c93b185f3fb48dfe90eaaa3942fd700fde6e88d658772c01b56ad5b9b36e4ac368a02e0fc8e0dc72bbdd6dd07a5d75e89ef99c8df5ba6e languageName: node linkType: hard -"@vitest/runner@npm:3.0.9": - version: 3.0.9 - resolution: "@vitest/runner@npm:3.0.9" +"@vitest/runner@npm:3.1.1": + version: 3.1.1 + resolution: "@vitest/runner@npm:3.1.1" dependencies: - "@vitest/utils": "npm:3.0.9" + "@vitest/utils": "npm:3.1.1" pathe: "npm:^2.0.3" - checksum: 10c0/b276f238a16a6d02bb244f655d9cd8db8cce4708a6267cc48476a785ca8887741c440ae27b379a5bbbb6fe4f9f12675f13da0270253043195defd7a36bf15114 + checksum: 10c0/35a541069c3c94a2dd02fca2d70cc8d5e66ba2e891cfb80da354174f510aeb96774ffb34fff39cecde9d5c969be4dd20e240a900beb9b225b7512a615ecc5503 languageName: node linkType: hard -"@vitest/snapshot@npm:3.0.9": - version: 3.0.9 - resolution: "@vitest/snapshot@npm:3.0.9" +"@vitest/snapshot@npm:3.1.1": + version: 3.1.1 + resolution: "@vitest/snapshot@npm:3.1.1" dependencies: - "@vitest/pretty-format": "npm:3.0.9" + "@vitest/pretty-format": "npm:3.1.1" magic-string: "npm:^0.30.17" pathe: "npm:^2.0.3" - checksum: 10c0/8298caa334d357cb22b1946cbebedb22f04d38fe080d6da7445873221fe6f89c2b82fe4f368d9eb8a62a77bd76d1b4234595bb085279d48130f09ba6b2e18637 + checksum: 10c0/43e5fc5db580f20903eb1493d07f08752df8864f7b9b7293a202b2ffe93d8c196a5614d66dda096c6bacc16e12f1836f33ba41898812af6d32676d1eb501536a languageName: node linkType: hard 
@@ -5478,12 +5478,12 @@ __metadata: languageName: node linkType: hard -"@vitest/spy@npm:3.0.9": - version: 3.0.9 - resolution: "@vitest/spy@npm:3.0.9" +"@vitest/spy@npm:3.1.1": + version: 3.1.1 + resolution: "@vitest/spy@npm:3.1.1" dependencies: tinyspy: "npm:^3.0.2" - checksum: 10c0/993085dbaf9e651ca9516f88e440424d29279def998186628a1ebcab5558a3045fee8562630608f58303507135f6f3bf9970f65639f3b9baa8bf86cab3eb4742 + checksum: 10c0/896659d4b42776cfa2057a1da2c33adbd3f2ebd28005ca606d1616d08d2e726dc1460fb37f1ea7f734756b5bccf926c7165f410e63f0a3b8d992eb5489528b08 languageName: node linkType: hard @@ -5509,14 +5509,14 @@ __metadata: languageName: node linkType: hard -"@vitest/utils@npm:3.0.9": - version: 3.0.9 - resolution: "@vitest/utils@npm:3.0.9" +"@vitest/utils@npm:3.1.1": + version: 3.1.1 + resolution: "@vitest/utils@npm:3.1.1" dependencies: - "@vitest/pretty-format": "npm:3.0.9" + "@vitest/pretty-format": "npm:3.1.1" loupe: "npm:^3.1.3" tinyrainbow: "npm:^2.0.0" - checksum: 10c0/b966dfb3b926ee9bea59c1fb297abc67adaa23a8a582453ee81167b238446394693617a5e0523eb2791d6983173ef1c07bf28a76bd5a63b49a100610ed6b6a6c + checksum: 10c0/a9cfe0c0f095b58644ce3ba08309de5be8564c10dad9e62035bd378e60b2834e6a256e6e4ded7dcf027fdc2371301f7965040ad3e6323b747d5b3abbb7ceb0d6 languageName: node linkType: hard @@ -7140,10 +7140,10 @@ __metadata: languageName: node linkType: hard -"expect-type@npm:^1.1.0": - version: 1.2.0 - resolution: "expect-type@npm:1.2.0" - checksum: 10c0/6069e1980bf16b9385646800e23499c1447df636c433014f6bbabe4bb0e20bd0033f30d38a6f9ae0938b0203a9e870cc82cdfd74b7c837b480cefb8e8240d8e8 +"expect-type@npm:^1.2.0": + version: 1.2.1 + resolution: "expect-type@npm:1.2.1" + checksum: 10c0/b775c9adab3c190dd0d398c722531726cdd6022849b4adba19dceab58dda7e000a7c6c872408cd73d665baa20d381eca36af4f7b393a4ba60dd10232d1fb8898 languageName: node linkType: hard 
@@ -8477,7 +8477,7 @@ __metadata: ts-node-dev: "npm:^2.0.0" typescript: "npm:^5.8.2" vite: "npm:^6.2.4" - vitest: "npm:^3.0.9" + vitest: "npm:^3.1.1" languageName: unknown linkType: soft @@ -10256,7 +10256,7 @@ __metadata: languageName: node linkType: hard -"std-env@npm:^3.8.0": +"std-env@npm:^3.8.0, std-env@npm:^3.8.1": version: 3.8.1 resolution: "std-env@npm:3.8.1" checksum: 10c0/e9b19cca6bc6f06f91607db5b636662914ca8ec9efc525a99da6ec7e493afec109d3b017d21d9782b4369fcfb2891c7c4b4e3c60d495fdadf6861ce434e07bf8 @@ -10942,9 +10942,9 @@ __metadata: languageName: node linkType: hard -"vite-node@npm:3.0.9": - version: 3.0.9 - resolution: "vite-node@npm:3.0.9" +"vite-node@npm:3.1.1": + version: 3.1.1 + resolution: "vite-node@npm:3.1.1" dependencies: cac: "npm:^6.7.14" debug: "npm:^4.4.0" @@ -10953,7 +10953,7 @@ __metadata: vite: "npm:^5.0.0 || ^6.0.0" bin: vite-node: vite-node.mjs - checksum: 10c0/97768a64182832c1ae1797667920fec002d283506b628b684df707fc453c6bf58719029c52c7a4cdf98f5a5a44769036126efdb8192d4040ba3d39f271aa338b + checksum: 10c0/15ee73c472ae00f042a7cee09a31355d2c0efbb2dab160377545be9ba4b980a5f4cb2841b98319d87bedf630bbbb075e6b40796b39f65610920cf3fde66fdf8d languageName: node linkType: hard 
@@ -11061,36 +11061,36 @@ __metadata: languageName: node linkType: hard -"vitest@npm:^3.0.9": - version: 3.0.9 - resolution: "vitest@npm:3.0.9" - dependencies: - "@vitest/expect": "npm:3.0.9" - "@vitest/mocker": "npm:3.0.9" - "@vitest/pretty-format": "npm:^3.0.9" - "@vitest/runner": "npm:3.0.9" - "@vitest/snapshot": "npm:3.0.9" - "@vitest/spy": "npm:3.0.9" - "@vitest/utils": "npm:3.0.9" +"vitest@npm:^3.1.1": + version: 3.1.1 + resolution: "vitest@npm:3.1.1" + dependencies: + "@vitest/expect": "npm:3.1.1" + "@vitest/mocker": "npm:3.1.1" + "@vitest/pretty-format": "npm:^3.1.1" + "@vitest/runner": "npm:3.1.1" + "@vitest/snapshot": "npm:3.1.1" + "@vitest/spy": "npm:3.1.1" + "@vitest/utils": "npm:3.1.1" chai: "npm:^5.2.0" debug: "npm:^4.4.0" - expect-type: "npm:^1.1.0" + expect-type: "npm:^1.2.0" magic-string: "npm:^0.30.17" pathe: "npm:^2.0.3" - std-env: "npm:^3.8.0" + std-env: "npm:^3.8.1" tinybench: "npm:^2.9.0" tinyexec: "npm:^0.3.2" tinypool: "npm:^1.0.2" tinyrainbow: "npm:^2.0.0" vite: "npm:^5.0.0 || ^6.0.0" - vite-node: "npm:3.0.9" + vite-node: "npm:3.1.1" why-is-node-running: "npm:^2.3.0" peerDependencies: "@edge-runtime/vm": "*" "@types/debug": ^4.1.12 "@types/node": ^18.0.0 || ^20.0.0 || >=22.0.0 - "@vitest/browser": 3.0.9 - "@vitest/ui": 3.0.9 + "@vitest/browser": 3.1.1 + "@vitest/ui": 3.1.1 happy-dom: "*" jsdom: "*" peerDependenciesMeta: @@ -11110,7 +11110,7 @@ __metadata: optional: true bin: vitest: vitest.mjs - checksum: 10c0/5bcd25cab1681f3a968a6483cd5fe115791bc02769bd73bc680bf40153474391a03a6329781b0fb0b8c2f95c82eb342a972bd5132d9bd0d4be92977af19574d0 + checksum: 10c0/680f31d2a7ca59509f837acdbacd9dff405e1b00c606d7cd29717127c6b543f186055854562c2604f74c5cd668b70174968d28feb4ed948a7e013c9477a68d50 languageName: node linkType: hard From afca3171a0a678f19a1961bbce7fde9b5c5c69cd Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 31 Mar 2025 23:16:13 +0200 Subject: [PATCH 04/20] chore(lambda): bump eslint-plugin-prettier from 5.2.3 to 5.2.5 in /lambdas (#4515) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Bumps [eslint-plugin-prettier](https://github.com/prettier/eslint-plugin-prettier) from 5.2.3 to 5.2.5.
Release notes

Sourced from eslint-plugin-prettier's releases.

v5.2.5

Patch Changes

v5.2.4

Patch Changes

Changelog

Sourced from eslint-plugin-prettier's changelog.

5.2.5

Patch Changes

5.2.4

Patch Changes

Commits

[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=eslint-plugin-prettier&package-manager=npm_and_yarn&previous-version=5.2.3&new-version=5.2.5)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) ---
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- lambdas/package.json | 2 +- lambdas/yarn.lock | 34 +++++++++++++++++----------------- 2 files changed, 18 insertions(+), 18 deletions(-) diff --git a/lambdas/package.json b/lambdas/package.json index e69232a9c5..dac0c35165 100644 --- a/lambdas/package.json +++ b/lambdas/package.json @@ -33,7 +33,7 @@ "@vitest/coverage-v8": "^3.0.8", "chalk": "^5.4.1", "eslint": "^8.57.1", - "eslint-plugin-prettier": "5.2.3", + "eslint-plugin-prettier": "5.2.5", "nx": "20.6.4", "prettier": "^3.5.3", "ts-node": "^10.9.2", diff --git a/lambdas/yarn.lock b/lambdas/yarn.lock index 2f8c635438..89acbb6cc3 100644 --- a/lambdas/yarn.lock +++ b/lambdas/yarn.lock @@ -3885,10 +3885,10 @@ __metadata: languageName: node linkType: hard -"@pkgr/core@npm:^0.1.0": - version: 0.1.1 - resolution: "@pkgr/core@npm:0.1.1" - checksum: 10c0/3f7536bc7f57320ab2cf96f8973664bef624710c403357429fbf680a5c3b4843c1dbd389bb43daa6b1f6f1f007bb082f5abcb76bb2b5dc9f421647743b71d3d8 +"@pkgr/core@npm:^0.2.0": + version: 0.2.0 + resolution: "@pkgr/core@npm:0.2.0" + checksum: 10c0/29cb9c15f4788096b8b8b786b19c75b6398b6afe814a97189922c3046d8acb5d24f1217fd2537c3f8e42c04e48d572295e7ee56d77964ddc932c44eb5a615931 languageName: node linkType: hard 
@@ -6965,23 +6965,23 @@ __metadata: languageName: node linkType: hard -"eslint-plugin-prettier@npm:5.2.3": - version: 5.2.3 - resolution: "eslint-plugin-prettier@npm:5.2.3" +"eslint-plugin-prettier@npm:5.2.5": + version: 5.2.5 + resolution: "eslint-plugin-prettier@npm:5.2.5" dependencies: prettier-linter-helpers: "npm:^1.0.0" - synckit: "npm:^0.9.1" + synckit: "npm:^0.10.2" peerDependencies: "@types/eslint": ">=8.0.0" eslint: ">=8.0.0" - eslint-config-prettier: "*" + eslint-config-prettier: ">= 7.0.0 <10.0.0 || >=10.1.0" prettier: ">=3.0.0" peerDependenciesMeta: "@types/eslint": optional: true eslint-config-prettier: optional: true - checksum: 10c0/60d9c03491ec6080ac1d71d0bee1361539ff6beb9b91ac98cfa7176c9ed52b7dbe7119ebee5b441b479d447d17d802a4a492ee06095ef2f22c460e3dd6459302 + checksum: 10c0/b88d4ecfccfdea786aa8c2df8c6b52754070fec48ef5df0dcd325daf7cbe01730a96fb6a8c5ae0ddd173472b43704d6452169b058284e842dfee5894172f310b languageName: node linkType: hard @@ -8470,7 +8470,7 @@ __metadata: "@vitest/coverage-v8": "npm:^3.0.8" chalk: "npm:^5.4.1" eslint: "npm:^8.57.1" - eslint-plugin-prettier: "npm:5.2.3" + eslint-plugin-prettier: "npm:5.2.5" nx: "npm:20.6.4" prettier: "npm:^3.5.3" ts-node: "npm:^10.9.2" @@ -10389,13 +10389,13 @@ __metadata: languageName: node linkType: hard -"synckit@npm:^0.9.1": - version: 0.9.1 - resolution: "synckit@npm:0.9.1" +"synckit@npm:^0.10.2": + version: 0.10.3 + resolution: "synckit@npm:0.10.3" dependencies: - "@pkgr/core": "npm:^0.1.0" - tslib: "npm:^2.6.2" - checksum: 10c0/d8b89e1bf30ba3ffb469d8418c836ad9c0c062bf47028406b4d06548bc66af97155ea2303b96c93bf5c7c0f0d66153a6fbd6924c76521b434e6a9898982abc2e + "@pkgr/core": "npm:^0.2.0" + tslib: "npm:^2.8.1" + checksum: 10c0/9855d10231ae9b69c3aa08d46c96bd4befdcac33da44e29fb80e5c1430e453b5a33b8c073cdd25cfe9578f1d625c7d60c394ece1e202237116c1484def614041 languageName: node linkType: hard From 0d0161becec37136a2286a8153c349cecee7897b Mon Sep 17 00:00:00 2001 
From: "runners-releaser[bot]" <194412594+runners-releaser[bot]@users.noreply.github.com> Date: Mon, 31 Mar 2025 23:19:56 +0200 Subject: [PATCH 05/20] chore(main): release 6.4.2 (#4518) :robot: I have created a release *beep* *boop* --- ## [6.4.2](https://github.com/github-aws-runners/terraform-aws-github-runner/compare/v6.4.1...v6.4.2) (2025-03-31) ### Bug Fixes * **lambda:** bump @octokit/webhooks from 13.7.5 to 13.8.0 in /lambdas in the octokit group ([#4514](https://github.com/github-aws-runners/terraform-aws-github-runner/issues/4514)) ([1f1da77](https://github.com/github-aws-runners/terraform-aws-github-runner/commit/1f1da77a73ea418d196c01379475570e920ddce6)) * **lambda:** bump the aws group in /lambdas with 3 updates ([#4513](https://github.com/github-aws-runners/terraform-aws-github-runner/issues/4513)) ([ecf9a77](https://github.com/github-aws-runners/terraform-aws-github-runner/commit/ecf9a7764d9052e76669861032c820fb0d5e7918)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). Co-authored-by: runners-releaser[bot] <194412594+runners-releaser[bot]@users.noreply.github.com> --- CHANGELOG.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 699a746588..dce7b9e111 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,5 +1,13 @@ # Changelog +## [6.4.2](https://github.com/github-aws-runners/terraform-aws-github-runner/compare/v6.4.1...v6.4.2) (2025-03-31) + + +### Bug Fixes + +* **lambda:** bump @octokit/webhooks from 13.7.5 to 13.8.0 in /lambdas in the octokit group ([#4514](https://github.com/github-aws-runners/terraform-aws-github-runner/issues/4514)) ([1f1da77](https://github.com/github-aws-runners/terraform-aws-github-runner/commit/1f1da77a73ea418d196c01379475570e920ddce6)) +* **lambda:** bump the aws group in /lambdas with 3 updates ([#4513](https://github.com/github-aws-runners/terraform-aws-github-runner/issues/4513)) ([ecf9a77](https://github.com/github-aws-runners/terraform-aws-github-runner/commit/ecf9a7764d9052e76669861032c820fb0d5e7918)) + ## [6.4.1](https://github.com/github-aws-runners/terraform-aws-github-runner/compare/v6.4.0...v6.4.1) (2025-03-28) From ada0b63c67e1c0c828f9f6f2ff098000413e25fd Mon Sep 17 00:00:00 2001 From: Niek Palm Date: Tue, 1 Apr 2025 22:33:20 +0200 Subject: [PATCH 06/20] add deprecation output --- examples/default/outputs.tf | 5 ++++ examples/multi-runner/outputs.tf | 6 +++++ examples/test/main.tf | 43 ++++++++++++++++++++++++++++++++ modules/multi-runner/outputs.tf | 11 ++++++++ outputs.tf | 7 ++++++ 5 files changed, 72 insertions(+) create mode 100644 examples/test/main.tf diff --git a/examples/default/outputs.tf b/examples/default/outputs.tf index c50214f566..fb9dccc223 100644 --- a/examples/default/outputs.tf +++ b/examples/default/outputs.tf @@ -13,3 +13,8 @@ output "webhook_secret" { value = random_id.random.hex } +output "deprecated_variables_warning" { + value = join("", [ + module.runners.deprecated_variables_warning, + ]) +} diff --git a/examples/multi-runner/outputs.tf b/examples/multi-runner/outputs.tf index 1feaf2e671..8a1c330077 100644 --- a/examples/multi-runner/outputs.tf +++ b/examples/multi-runner/outputs.tf 
@@ -6,3 +6,9 @@ output "webhook_secret" { sensitive = true value = random_id.random.hex } + +output "deprecated_variables_warning" { + value = join("", [ + module.runners.deprecated_variables_warning, + ]) +} diff --git a/examples/test/main.tf b/examples/test/main.tf new file mode 100644 index 0000000000..4762670703 --- /dev/null +++ b/examples/test/main.tf @@ -0,0 +1,43 @@ +# data "aws_ami" "runner" { +# most_recent = "true" + +# dynamic "filter" { +# for_each = local.ami_filter +# content { +# name = filter.key +# values = filter.value +# } +# } + +# owners = var.ami_owners +# } + +# lookup ami default owner Amazon, default ami Amazon linux + +variable "ami_owners" { + type = list(string) + default = ["amazon"] +} + +variable "ami_filter" { + type = map(list(string)) + default = { name = ["al2023-ami-2023.*-kernel-6.*-x86_64"] } +} + +data "aws_ami" "runner" { + most_recent = "true" + + dynamic "filter" { + for_each = var.ami_filter + content { + name = filter.key + values = filter.value + } + } + + owners = var.ami_owners +} + +output "ami_id" { + value = data.aws_ami.runner +} diff --git a/modules/multi-runner/outputs.tf b/modules/multi-runner/outputs.tf index 7ce7171faf..a461c935d6 100644 --- a/modules/multi-runner/outputs.tf +++ b/modules/multi-runner/outputs.tf @@ -67,3 +67,14 @@ output "instance_termination_handler" { lambda_role = module.instance_termination_watcher[0].spot_termination_handler.lambda_role } : null } + +output "deprecated_variables_warning" { + description = "Warning for deprecated variables usage" + value = join("", [ + for key, runner_config in var.multi_runner_config : ( + try(runner_config.ami_id_ssm_parameter_name, null) != null ? + "DEPRECATION WARNING: The variable 'ami_id_ssm_parameter_name' in runner '${key}' is deprecated and will be removed in a future version. Please use 'ami_id_ssm_parameter_arn' instead.\n" : + "" + ) + ]) +} diff --git a/outputs.tf b/outputs.tf index fdf4a37801..e9f098c105 100644 --- a/outputs.tf 
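Review bot: In the `deprecated_variables_warning` output added to modules/multi-runner/outputs.tf, the loop value is a whole entry of `var.multi_runner_config`, so `runner_config.ami_id_ssm_parameter_name` likely names an attribute that does not exist at that level. Elsewhere in this series the AMI settings are read one level down, for example `each.value.runner_config.ami_id_ssm_parameter_arn` in modules/multi-runner/runners.tf. Because the access sits inside `try(..., null)`, such a mismatch would be swallowed and the deprecation message would never be emitted. If the nesting is as it appears, read `try(runner_config.runner_config.ami_id_ssm_parameter_name, null)` and rename the loop variable (for example `for key, cfg in var.multi_runner_config`) so the two levels cannot be confused.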
+++ b/outputs.tf @@ -75,3 +75,10 @@ output "instance_termination_handler" { lambda_role = module.instance_termination_watcher[0].spot_termination_handler.lambda_role } : null } + +output "deprecated_variables_warning" { + description = "Warning for deprecated variables usage" + value = join("", [ + var.ami_id_ssm_parameter_name != null ? "DEPRECATION WARNING: The variable 'ami_id_ssm_parameter_name' is deprecated and will be removed in a future version. Please use 'ami_id_ssm_parameter_arn' instead.\n" : "", + ]) +} From cb534c637288054bc3be77ae83506edda0d18bdb Mon Sep 17 00:00:00 2001 From: Niek Palm Date: Tue, 1 Apr 2025 23:31:41 +0200 Subject: [PATCH 07/20] add example to use a public parameter --- examples/multi-runner/main.tf | 10 +++++ .../templates/runner-configs/linux-x64.yaml | 1 + examples/test/main.tf | 43 ------------------- 3 files changed, 11 insertions(+), 43 deletions(-) delete mode 100644 examples/test/main.tf diff --git a/examples/multi-runner/main.tf b/examples/multi-runner/main.tf index 74cb5efa21..9f8597d8fb 100644 --- a/examples/multi-runner/main.tf +++ b/examples/multi-runner/main.tf @@ -1,7 +1,16 @@ +data "aws_ssm_parameter" "al2023_arm" { + name = "/aws/service/ami-amazon-linux-latest/al2023-ami-kernel-6.1-x86_64" +} + locals { environment = var.environment != null ? var.environment : "multi-runner" aws_region = var.aws_region + # create map only with amazon linux 2023 x64 ami id + ssm_ami_ids = { + "linux-x64" = data.aws_ssm_parameter.al2023_arm.arn + } + # Load runner configurations from Yaml files multi_runner_config_files = { for c in fileset("${path.module}/templates/runner-configs", "*.yaml") : @@ -19,6 +28,7 @@ locals { { subnet_ids = lookup(v.runner_config, "subnet_ids", null) != null ? [module.base.vpc.private_subnets[0]] : null vpc_id = lookup(v.runner_config, "vpc_id", null) != null ? module.base.vpc.vpc_id : null + ami_id_ssm_parameter_arn = lookup(local.ssm_ami_ids, k, null) != null ? local.ssm_ami_ids[k] : null } ) } 
diff --git a/examples/multi-runner/templates/runner-configs/linux-x64.yaml b/examples/multi-runner/templates/runner-configs/linux-x64.yaml index bc3527baca..b2422f59b7 100644 --- a/examples/multi-runner/templates/runner-configs/linux-x64.yaml +++ b/examples/multi-runner/templates/runner-configs/linux-x64.yaml @@ -14,6 +14,7 @@ runner_config: instance_types: - m5ad.large - m5a.large + ami_id_ssm_parameter_arn: ${ami_id_ssm_parameter_arn} runners_maximum_count: 1 enable_ephemeral_runners: true enable_on_demand_failover_for_errors: ['InsufficientInstanceCapacity'] diff --git a/examples/test/main.tf b/examples/test/main.tf deleted file mode 100644 index 4762670703..0000000000 --- a/examples/test/main.tf +++ /dev/null @@ -1,43 +0,0 @@ -# data "aws_ami" "runner" { -# most_recent = "true" - -# dynamic "filter" { -# for_each = local.ami_filter -# content { -# name = filter.key -# values = filter.value -# } -# } - -# owners = var.ami_owners -# } - -# lookup ami default owner Amazon, default ami Amazon linux - -variable "ami_owners" { - type = list(string) - default = ["amazon"] -} - -variable "ami_filter" { - type = map(list(string)) - default = { name = ["al2023-ami-2023.*-kernel-6.*-x86_64"] } -} - -data "aws_ami" "runner" { - most_recent = "true" - - dynamic "filter" { - for_each = var.ami_filter - content { - name = filter.key - values = filter.value - } - } - - owners = var.ami_owners -} - -output "ami_id" { - value = data.aws_ami.runner -} From b7d21c97570f81b27e82b4876ce6f1176ce3a7b6 Mon Sep 17 00:00:00 2001 From: github-aws-runners-pr|bot Date: Tue, 1 Apr 2025 21:32:28 +0000 Subject: [PATCH 08/20] docs: auto update terraform docs --- README.md | 1 + examples/default/README.md | 1 + examples/multi-runner/README.md | 3 +++ modules/multi-runner/README.md | 1 + 4 files changed, 6 insertions(+) diff --git a/README.md b/README.md index 66fc0c8208..557f85c2aa 100644 --- a/README.md +++ b/README.md 
@@ -240,6 +240,7 @@ Join our discord community via [this invite link](https://discord.gg/bxgXW8jJGh) | Name | Description | |------|-------------| | [binaries\_syncer](#output\_binaries\_syncer) | n/a | +| [deprecated\_variables\_warning](#output\_deprecated\_variables\_warning) | Warning for deprecated variables usage | | [instance\_termination\_handler](#output\_instance\_termination\_handler) | n/a | | [instance\_termination\_watcher](#output\_instance\_termination\_watcher) | n/a | | [queues](#output\_queues) | SQS queues. | diff --git a/examples/default/README.md b/examples/default/README.md index ae5f4230ea..fb14cf7b10 100644 --- a/examples/default/README.md +++ b/examples/default/README.md @@ -70,6 +70,7 @@ terraform output -raw webhook_secret | Name | Description | |------|-------------| +| [deprecated\_variables\_warning](#output\_deprecated\_variables\_warning) | n/a | | [runners](#output\_runners) | n/a | | [webhook\_endpoint](#output\_webhook\_endpoint) | n/a | | [webhook\_secret](#output\_webhook\_secret) | n/a | diff --git a/examples/multi-runner/README.md b/examples/multi-runner/README.md index 0a4bb295e1..67cd7eb58f 100644 --- a/examples/multi-runner/README.md +++ b/examples/multi-runner/README.md @@ -60,6 +60,7 @@ terraform output -raw webhook_secret | Name | Version | |------|---------| +| [aws](#provider\_aws) | 5.82.1 | | [random](#provider\_random) | 3.6.3 | ## Modules @@ -75,6 +76,7 @@ terraform output -raw webhook_secret | Name | Type | |------|------| | [random_id.random](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource | +| [aws_ssm_parameter.al2023_arm](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source | ## Inputs 
@@ -88,6 +90,7 @@ terraform output -raw webhook_secret | Name | Description | |------|-------------| +| [deprecated\_variables\_warning](#output\_deprecated\_variables\_warning) | n/a | | [webhook\_endpoint](#output\_webhook\_endpoint) | n/a | | [webhook\_secret](#output\_webhook\_secret) | n/a | diff --git a/modules/multi-runner/README.md b/modules/multi-runner/README.md index 974496a31e..baa46a524e 100644 --- a/modules/multi-runner/README.md +++ b/modules/multi-runner/README.md @@ -192,6 +192,7 @@ module "multi-runner" { | Name | Description | |------|-------------| | [binaries\_syncer\_map](#output\_binaries\_syncer\_map) | n/a | +| [deprecated\_variables\_warning](#output\_deprecated\_variables\_warning) | Warning for deprecated variables usage | | [instance\_termination\_handler](#output\_instance\_termination\_handler) | n/a | | [instance\_termination\_watcher](#output\_instance\_termination\_watcher) | n/a | | [runners\_map](#output\_runners\_map) | n/a | From 5b84e61de1c227d6eff7ee2f6e20d1bc3ef7ceb6 Mon Sep 17 00:00:00 2001 From: Niek Palm Date: Tue, 1 Apr 2025 23:52:58 +0200 Subject: [PATCH 09/20] format --- examples/multi-runner/main.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/examples/multi-runner/main.tf b/examples/multi-runner/main.tf index 9f8597d8fb..47cfe3e1d3 100644 --- a/examples/multi-runner/main.tf +++ b/examples/multi-runner/main.tf @@ -26,8 +26,8 @@ locals { runner_config = merge( v.runner_config, { - subnet_ids = lookup(v.runner_config, "subnet_ids", null) != null ? [module.base.vpc.private_subnets[0]] : null - vpc_id = lookup(v.runner_config, "vpc_id", null) != null ? module.base.vpc.vpc_id : null + subnet_ids = lookup(v.runner_config, "subnet_ids", null) != null ? [module.base.vpc.private_subnets[0]] : null + vpc_id = lookup(v.runner_config, "vpc_id", null) != null ? module.base.vpc.vpc_id : null ami_id_ssm_parameter_arn = lookup(local.ssm_ami_ids, k, null) != null ? local.ssm_ami_ids[k] : null } ) 
From 4f4b84590da514aa5a714200c6d9a5d4a9fe0b7f Mon Sep 17 00:00:00 2001 From: Niek Palm Date: Wed, 2 Apr 2025 23:11:33 +0200 Subject: [PATCH 10/20] add example --- examples/multi-runner/main.tf | 35 ++++++++++++++++--- .../templates/runner-configs/linux-arm64.yaml | 1 + 2 files changed, 31 insertions(+), 5 deletions(-) diff --git a/examples/multi-runner/main.tf b/examples/multi-runner/main.tf index 47cfe3e1d3..459612ec2c 100644 --- a/examples/multi-runner/main.tf +++ b/examples/multi-runner/main.tf 
@@ -1,14 +1,38 @@ -data "aws_ssm_parameter" "al2023_arm" { +# The module provides several ways to chose the AMI ID for the runners. The recommended way is to use the SSM parameter ARN. +# The default is (still) a build in filter that creates internally an SSM parameter for the AMI ID. +# +# Here we show two other options +# 1. Use the SSM parameter ARN directly via a public available SSM parameter +# 2. Use the SSM parameter ARN via a private SSM parameter injected to the module +# 3. Other runners like ubuntu, windows, etc. are using the build in one parameter. + +data "aws_ssm_parameter" "al2023_x64" { name = "/aws/service/ami-amazon-linux-latest/al2023-ami-kernel-6.1-x86_64" } +data "aws_ssm_parameter" "al2023_arm64" { + name = "/aws/service/ami-amazon-linux-latest/al2023-ami-kernel-6.1-arm64" +} + +resource "aws_ssm_parameter" "al2023_arm64" { + name = local.al2023_arm64_name + type = "String" + data_type = "aws:ec2:image" + value = data.aws_ssm_parameter.al2023_arm64.value +} + +data "aws_caller_identity" "current" {} + locals { environment = var.environment != null ? var.environment : "multi-runner" aws_region = var.aws_region - # create map only with amazon linux 2023 x64 ami id - ssm_ami_ids = { - "linux-x64" = data.aws_ssm_parameter.al2023_arm.arn + # create map only with amazon linux 2023 x64 and arm64 to overwrite the default + al2023_arm64_name = "/examples/multi-runner/aws-github-runners/ami/amazon-linux-2023-arm64" + ssm_ami_arns = { + "linux-x64" = data.aws_ssm_parameter.al2023_x64.arn + # construct the arn to avoid terraform count errors + "linux-arm64" = "arn:aws:ssm:${var.aws_region}:${data.aws_caller_identity.current.account_id}:parameter${local.al2023_arm64_name}" } # Load runner configurations from Yaml files @@ -17,6 +41,7 @@ locals { trimsuffix(c, ".yaml") => yamldecode(file("${path.module}/templates/runner-configs/${c}")) } + multi_runner_config = { for k, v in local.multi_runner_config_files : 
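Review bot: The new `aws_ssm_parameter.al2023_arm64` resource copies `data.aws_ssm_parameter.al2023_arm64.value` at apply time, so the private parameter is a snapshot of the AMI ID that moves only when Terraform is applied again. Arm64 runners launched from it keep using the older image, and whatever patches it lacks, while the x64 runners follow the public parameter directly. The header comment should say so, e.g. `# NOTE: this copy is refreshed only on terraform apply; re-apply regularly to pick up new AL2023 images`. The hand-built ARN also hard-codes the `aws` partition; adding `data "aws_partition" "current" {}` and writing `arn:${data.aws_partition.current.partition}:ssm:...` keeps the example usable in other partitions. The `locals` block continues outside this hunk.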
@@ -28,7 +53,7 @@ locals { { subnet_ids = lookup(v.runner_config, "subnet_ids", null) != null ? [module.base.vpc.private_subnets[0]] : null vpc_id = lookup(v.runner_config, "vpc_id", null) != null ? module.base.vpc.vpc_id : null - ami_id_ssm_parameter_arn = lookup(local.ssm_ami_ids, k, null) != null ? local.ssm_ami_ids[k] : null + ami_id_ssm_parameter_arn = lookup(local.ssm_ami_arns, k, null) != null ? local.ssm_ami_arns[k] : null } ) } diff --git a/examples/multi-runner/templates/runner-configs/linux-arm64.yaml b/examples/multi-runner/templates/runner-configs/linux-arm64.yaml index 42902ee0dd..fea41abad6 100644 --- a/examples/multi-runner/templates/runner-configs/linux-arm64.yaml +++ b/examples/multi-runner/templates/runner-configs/linux-arm64.yaml @@ -15,6 +15,7 @@ runner_config: instance_types: - t4g.large - c6g.large + ami_id_ssm_parameter_arn: ${ami_id_ssm_parameter_arn} runners_maximum_count: 1 delay_webhook_event: 0 scale_down_schedule_expression: cron(* * * * ? *) From e1db2c523821a54ee7145241851aeaaa91c1eb4a Mon Sep 17 00:00:00 2001 From: github-aws-runners-pr|bot Date: Wed, 2 Apr 2025 21:11:56 +0000 Subject: [PATCH 11/20] docs: auto update terraform docs --- examples/multi-runner/README.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/examples/multi-runner/README.md b/examples/multi-runner/README.md index 67cd7eb58f..3185036e19 100644 --- a/examples/multi-runner/README.md +++ b/examples/multi-runner/README.md 
@@ -75,8 +75,11 @@ terraform output -raw webhook_secret | Name | Type | |------|------| +| [aws_ssm_parameter.al2023_arm64](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter) | resource | | [random_id.random](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource | -| [aws_ssm_parameter.al2023_arm](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source | +| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | +| [aws_ssm_parameter.al2023_arm64](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source | +| [aws_ssm_parameter.al2023_x64](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source | ## Inputs From 9a3ec9b7654d5dc6a4626ab730bafc00c84c3aaa Mon Sep 17 00:00:00 2001 From: Niek Palm Date: Fri, 4 Apr 2025 14:17:40 +0200 Subject: [PATCH 12/20] grant permision to pool lambda for fetching ami paramater --- examples/default/main.tf | 9 +++++++++ modules/runners/pool.tf | 1 + modules/runners/pool/main.tf | 1 + modules/runners/pool/policies/lambda-pool.json | 9 +++++++++ modules/runners/pool/variables.tf | 1 + 5 files changed, 21 insertions(+) diff --git a/examples/default/main.tf b/examples/default/main.tf index 42608fae40..911de75437 100644 --- a/examples/default/main.tf +++ b/examples/default/main.tf @@ -141,6 +141,15 @@ module "runners" { # enable CMK instead of aws managed key for encryptions # kms_key_arn = aws_kms_key.github.arn + + # pool_runner_owner = "philips-test-runners" + # pool_config = [{ + # size = 1 + # schedule_expression = "cron(0/3 14 * * ? *)" # every 3 minutes between 14:00 and 15:00 + # schedule_expression_timezone = "Europe/Amsterdam" + + # }] + } module "webhook_github_app" { 
diff --git a/modules/runners/pool.tf b/modules/runners/pool.tf index 16a13aeccd..f305100ecf 100644 --- a/modules/runners/pool.tf +++ b/modules/runners/pool.tf @@ -17,6 +17,7 @@ module "pool" { instance_types = var.instance_types kms_key_arn = local.kms_key_arn ami_kms_key_arn = local.ami_kms_key_arn + ami_id_ssm_parameter_arn = local.ami_id_ssm_module_managed ? aws_ssm_parameter.runner_ami_id[0].arn : var.ami_id_ssm_parameter_arn lambda = { log_level = var.log_level logging_retention_in_days = var.logging_retention_in_days diff --git a/modules/runners/pool/main.tf b/modules/runners/pool/main.tf index 364d315439..fafafc7790 100644 --- a/modules/runners/pool/main.tf +++ b/modules/runners/pool/main.tf @@ -91,6 +91,7 @@ resource "aws_iam_role_policy" "pool" { github_app_key_base64_arn = var.config.github_app_parameters.key_base64.arn kms_key_arn = var.config.kms_key_arn ami_kms_key_arn = var.config.ami_kms_key_arn + ssm_ami_id_parameter_arn = var.config.ami_id_ssm_parameter_arn }) } diff --git a/modules/runners/pool/policies/lambda-pool.json b/modules/runners/pool/policies/lambda-pool.json index f8e3f39a23..b0360a825c 100644 --- a/modules/runners/pool/policies/lambda-pool.json +++ b/modules/runners/pool/policies/lambda-pool.json @@ -39,6 +39,15 @@ "${arn_ssm_parameters_path_config}/*" ] }, + { + "Effect": "Allow", + "Action": [ + "ssm:GetParameters" + ], + "Resource": [ + "${ssm_ami_id_parameter_arn}" + ] + }, { "Effect": "Allow", "Action": [ diff --git a/modules/runners/pool/variables.tf b/modules/runners/pool/variables.tf index baf9746bbb..f1e841cde6 100644 --- a/modules/runners/pool/variables.tf +++ b/modules/runners/pool/variables.tf @@ -57,6 +57,7 @@ variable "config" { role_permissions_boundary = string kms_key_arn = string ami_kms_key_arn = string + ami_id_ssm_parameter_arn = string role_path = string ssm_token_path = string ssm_config_path = string From 89f5e962085f118926627d2c084b0a01db63a837 Mon Sep 17 00:00:00 2001 
From: Niek Palm Date: Fri, 4 Apr 2025 16:04:58 +0200 Subject: [PATCH 13/20] refactor to ami ojbject --- .../templates/runner-configs/linux-arm64.yaml | 3 +- .../runner-configs/linux-x64-ubuntu.yaml | 15 +++++----- .../templates/runner-configs/linux-x64.yaml | 3 +- .../templates/runner-configs/windows-x64.yaml | 11 ++++---- main.tf | 1 + modules/multi-runner/runners.tf | 1 + modules/multi-runner/variables.tf | 16 +++++++++++ modules/runners/main.tf | 16 ++++++++--- modules/runners/variables.tf | 22 +++++++++++---- variables.tf | 28 +++++++++++++------ 10 files changed, 85 insertions(+), 31 deletions(-) diff --git a/examples/multi-runner/templates/runner-configs/linux-arm64.yaml b/examples/multi-runner/templates/runner-configs/linux-arm64.yaml index fea41abad6..0c6cae01b5 100644 --- a/examples/multi-runner/templates/runner-configs/linux-arm64.yaml +++ b/examples/multi-runner/templates/runner-configs/linux-arm64.yaml @@ -15,7 +15,8 @@ runner_config: instance_types: - t4g.large - c6g.large - ami_id_ssm_parameter_arn: ${ami_id_ssm_parameter_arn} + ami: + id_ssm_parameter_arn: ${ami_id_ssm_parameter_arn} runners_maximum_count: 1 delay_webhook_event: 0 scale_down_schedule_expression: cron(* * * * ? *) diff --git a/examples/multi-runner/templates/runner-configs/linux-x64-ubuntu.yaml b/examples/multi-runner/templates/runner-configs/linux-x64-ubuntu.yaml index 4b555d194c..a296e8606e 100644 --- a/examples/multi-runner/templates/runner-configs/linux-x64-ubuntu.yaml +++ b/examples/multi-runner/templates/runner-configs/linux-x64-ubuntu.yaml 
@@ -22,13 +22,14 @@ runner_config: delay_webhook_event: 0 scale_down_schedule_expression: cron(* * * * ? *) userdata_template: ./templates/user-data.sh - ami_owners: - - "099720109477" # Canonical's Amazon account ID - ami_filter: - name: - - ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-* - state: - - available + ami: + owners: + - "099720109477" # Canonical's Amazon account ID + filter: + name: + - ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-* + state: + - available block_device_mappings: - device_name: /dev/sda1 delete_on_termination: true diff --git a/examples/multi-runner/templates/runner-configs/linux-x64.yaml b/examples/multi-runner/templates/runner-configs/linux-x64.yaml index b2422f59b7..146c340836 100644 --- a/examples/multi-runner/templates/runner-configs/linux-x64.yaml +++ b/examples/multi-runner/templates/runner-configs/linux-x64.yaml @@ -14,7 +14,8 @@ runner_config: instance_types: - m5ad.large - m5a.large - ami_id_ssm_parameter_arn: ${ami_id_ssm_parameter_arn} + ami: + id_ssm_parameter_arn: ${ami_id_ssm_parameter_arn} runners_maximum_count: 1 enable_ephemeral_runners: true enable_on_demand_failover_for_errors: ['InsufficientInstanceCapacity'] diff --git a/examples/multi-runner/templates/runner-configs/windows-x64.yaml b/examples/multi-runner/templates/runner-configs/windows-x64.yaml index fdf8be6533..0bd3486a42 100644 --- a/examples/multi-runner/templates/runner-configs/windows-x64.yaml +++ b/examples/multi-runner/templates/runner-configs/windows-x64.yaml @@ -15,8 +15,9 @@ runner_config: delay_webhook_event: 5 scale_down_schedule_expression: cron(* * * * ? *) runner_boot_time_in_minutes: 20 - ami_filter: - name: - - Windows_Server-2022-English-Full-ECS_Optimized-* - state: - - available + ami: + filter: + name: + - Windows_Server-2022-English-Full-ECS_Optimized-* + state: + - available diff --git a/main.tf b/main.tf index 90bf9f6aec..35b65ea76d 100644 --- a/main.tf +++ b/main.tf 
@@ -178,6 +178,7 @@ module "runners" { block_device_mappings = var.block_device_mappings runner_architecture = var.runner_architecture + ami = var.ami ami_filter = var.ami_filter ami_owners = var.ami_owners ami_id_ssm_parameter_arn = var.ami_id_ssm_parameter_arn diff --git a/modules/multi-runner/runners.tf b/modules/multi-runner/runners.tf index 172bfbe596..6ac8b25367 100644 --- a/modules/multi-runner/runners.tf +++ b/modules/multi-runner/runners.tf @@ -26,6 +26,7 @@ module "runners" { block_device_mappings = each.value.runner_config.block_device_mappings runner_architecture = each.value.runner_config.runner_architecture + ami = each.value.runner_config.ami ami_filter = each.value.runner_config.ami_filter ami_owners = each.value.runner_config.ami_owners ami_id_ssm_parameter_arn = each.value.runner_config.ami_id_ssm_parameter_arn diff --git a/modules/multi-runner/variables.tf b/modules/multi-runner/variables.tf index c958389711..dcc5079b3f 100644 --- a/modules/multi-runner/variables.tf +++ b/modules/multi-runner/variables.tf @@ -65,6 +65,22 @@ variable "multi_runner_config" { http_tokens = "required" http_put_response_hop_limit = 1 }) + ami = optional(object({ + filter = optional(map(list(string)), { state = ["available"] }) + owners = optional(list(string), ["amazon"]) + id_ssm_parameter_name = optional(string, null) + id_ssm_parameter_arn = optional(string, null) + kms_key_arn = optional(string, null) + }), null) + # Deprecated: Use ami object instead + ami = optional(object({ + filter = optional(map(list(string)), { state = ["available"] }) + owners = optional(list(string), ["amazon"]) + id_ssm_parameter_name = optional(string, null) + id_ssm_parameter_arn = optional(string, null) + kms_key_arn = optional(string, null) + }), null) + # Deprecated: Use ami object instead ami_filter = optional(map(list(string)), { state = ["available"] }) ami_owners = optional(list(string), ["amazon"]) ami_id_ssm_parameter_arn = optional(string, null) 
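Review bot: The hunk in modules/multi-runner/variables.tf adds the `ami = optional(object({...}), null)` attribute to the object type of `multi_runner_config` twice. The second copy sits under a `# Deprecated: Use ami object instead` comment that appears to be meant only for the old `ami_*` attributes. A repeated attribute name in an object type is at best redundant and may be rejected or resolved to just one of the two definitions, so one copy and the stray comment above it should be dropped. The comment line directly before `ami_filter` already marks the deprecated attributes. The type definition starts and ends outside this hunk.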
diff --git a/modules/runners/main.tf b/modules/runners/main.tf index de832f2a05..8f92a52cd9 100644 --- a/modules/runners/main.tf +++ b/modules/runners/main.tf @@ -37,9 +37,17 @@ locals { "linux" = "${path.module}/templates/start-runner.sh" } - ami_kms_key_arn = var.ami_kms_key_arn != null ? var.ami_kms_key_arn : "" - ami_filter = merge(local.default_ami[var.runner_os], var.ami_filter) - ami_id_ssm_module_managed = var.ami_id_ssm_parameter_arn == null + # Handle AMI configuration from either the new object or old variables + ami_config = var.ami != null ? var.ami : { + filter = var.ami_filter + owners = var.ami_owners + id_ssm_parameter_name = var.ami_id_ssm_parameter_name + id_ssm_parameter_arn = var.ami_id_ssm_parameter_arn + kms_key_arn = var.ami_kms_key_arn + } + ami_kms_key_arn = local.ami_config.kms_key_arn != null ? local.ami_config.kms_key_arn : "" + ami_filter = merge(local.default_ami[var.runner_os], local.ami_config.filter) + ami_id_ssm_module_managed = local.ami_config.id_ssm_parameter_arn == null enable_job_queued_check = var.enable_job_queued_check == null ? !var.enable_ephemeral_runners : var.enable_job_queued_check @@ -82,7 +90,7 @@ data "aws_ami" "runner" { } } - owners = var.ami_owners + owners = local.ami_config.owners } resource "aws_ssm_parameter" "runner_ami_id" { diff --git a/modules/runners/variables.tf b/modules/runners/variables.tf index 6802c9adf1..93050e5f1f 100644 --- a/modules/runners/variables.tf +++ b/modules/runners/variables.tf @@ -1,3 +1,15 @@ +variable "ami" { + description = "AMI configuration for the action runner instances" + type = object({ + filter = optional(map(list(string)), { state = ["available"] }) + owners = optional(list(string), ["amazon"]) + id_ssm_parameter_name = optional(string, null) + id_ssm_parameter_arn = optional(string, null) + kms_key_arn = optional(string, null) + }) + default = null +} + variable "aws_region" { description = "AWS region." type = string 
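Review bot: The `ami_config` local in modules/runners/main.tf is all-or-nothing: once `var.ami` is non-null, every deprecated `ami_*` variable is ignored. A caller who sets `ami = { filter = ... }` but still passes the legacy `ami_kms_key_arn` silently loses the KMS key, and `local.ami_kms_key_arn` becomes `""`. Nothing in the hunk reports that combination. Either document it on the local, e.g. `# var.ami, when set, replaces all deprecated ami_* variables; the two are not merged`, or fall back per attribute. Note also that `id_ssm_parameter_name` is copied into `ami_config`, but the lines shown only consult `id_ssm_parameter_arn` when computing `ami_id_ssm_module_managed`. The `locals` block starts and ends outside this hunk.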
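Review bot: The new `variable "ami"` in modules/runners/variables.tf has no `validation` block, whereas the `ami_filter` variable it replaces requires the `state` key. A caller-supplied `ami.filter` without `state` therefore passes unchecked, and whether `local.default_ami[var.runner_os]` restores it in the merge is not visible here. Carry the check over with a validation whose condition is `var.ami == null ? true : contains(keys(var.ami.filter), "state")`. The same gap applies to the `variable "ami"` added to the root variables.tf later in this commit.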
@@ -114,7 +126,7 @@ variable "instance_types" { } variable "ami_filter" { - description = "Map of lists used to create the AMI filter for the action runner AMI." + description = "[DEPRECATED: Use ami.filter] Map of lists used to create the AMI filter for the action runner AMI." type = map(list(string)) default = { state = ["available"] } validation { @@ -125,25 +137,25 @@ variable "ami_filter" { } variable "ami_owners" { - description = "The list of owners used to select the AMI of action runner instances." + description = "[DEPRECATED: Use ami.owners] The list of owners used to select the AMI of action runner instances." type = list(string) default = ["amazon"] } variable "ami_id_ssm_parameter_arn" { - description = "ARN of the SSM parameter (of data type aws:ec2:image) that contains the AMI ID to launch runner instances from. Overrides ami_filter" + description = "[DEPRECATED: Use ami.id_ssm_parameter_arn] ARN of the SSM parameter (of data type aws:ec2:image) that contains the AMI ID to launch runner instances from. Overrides ami_filter" type = string default = null } variable "ami_id_ssm_parameter_name" { - description = "Externally managed SSM parameter (of data type aws:ec2:image) that contains the AMI ID to launch runner instances from. Overrides ami_filter" + description = "[DEPRECATED: Use ami.id_ssm_parameter_name] Externally managed SSM parameter (of data type aws:ec2:image) that contains the AMI ID to launch runner instances from. Overrides ami_filter" type = string default = null } variable "ami_kms_key_arn" { - description = "Optional CMK Key ARN to be used to launch an instance from a shared encrypted AMI" + description = "[DEPRECATED: Use ami.kms_key_arn] Optional CMK Key ARN to be used to launch an instance from a shared encrypted AMI" type = string default = null } diff --git a/variables.tf b/variables.tf index 2330978b05..6354f0dbec 100644 --- a/variables.tf +++ b/variables.tf 
@@ -366,37 +366,49 @@ variable "block_device_mappings" { }] } +variable "ami" { + description = "AMI configuration for the action runner instances" + type = object({ + filter = optional(map(list(string)), { state = ["available"] }) + owners = optional(list(string), ["amazon"]) + id_ssm_parameter_name = optional(string, null) + id_ssm_parameter_arn = optional(string, null) + kms_key_arn = optional(string, null) + }) + default = null +} + variable "ami_filter" { - description = "Map of lists used to create the AMI filter for the action runner AMI." + description = "[DEPRECATED: Use ami.filter] Map of lists used to create the AMI filter for the action runner AMI." type = map(list(string)) default = { state = ["available"] } validation { # check the availability of the AMI condition = contains(keys(var.ami_filter), "state") - error_message = "The \"ami_filter\" variable must contain the \"state\" key with the value \"available\"." + error_message = "The AMI filter must contain the state filter." } } variable "ami_owners" { - description = "The list of owners used to select the AMI of action runner instances." + description = "[DEPRECATED: Use ami.owners] The list of owners that should be used to find the AMI." type = list(string) default = ["amazon"] } -variable "ami_id_ssm_parameter_arn" { - description = "ARN of the SSM parameter (of data type aws:ec2:image) that contains the AMI ID to launch runner instances from. Overrides ami_filter" +variable "ami_id_ssm_parameter_name" { + description = "[DEPRECATED: Use ami.id_ssm_parameter_name] String used to construct the SSM parameter name used to resolve the latest AMI ID for the runner instances. The SSM parameter should be of type String and contain a valid AMI ID. The default behavior is to use the latest Ubuntu 22.04 AMI." 
type = string default = null } -variable "ami_id_ssm_parameter_name" { - description = "(DEPRECATED) Variable is replaced by `ami_id_ssm_parameter_arn` Externally managed SSM parameter (of data type aws:ec2:image) that contains the AMI ID to launch runner instances from. Overrides ami_filter" +variable "ami_id_ssm_parameter_arn" { + description = "[DEPRECATED: Use ami.id_ssm_parameter_arn] Arn of the SSM parameter used to resolve the AMI ID for the runner instances. The SSM parameter should be of type String and contain a valid AMI ID." type = string default = null } variable "ami_kms_key_arn" { - description = "Optional CMK Key ARN to be used to launch an instance from a shared encrypted AMI" + description = "[DEPRECATED: Use ami.kms_key_arn] Optional CMK Key ARN to be used to launch an instance from a shared encrypted AMI" type = string default = null } From f3e6cb4f4a1a6949d41a6a12f673116c9518d47f Mon Sep 17 00:00:00 2001 From: Niek Palm Date: Fri, 4 Apr 2025 19:06:43 +0200 Subject: [PATCH 14/20] remove arn from top level --- examples/multi-runner/main.tf | 7 ++++++- main.tf | 1 - modules/multi-runner/outputs.tf | 2 +- modules/multi-runner/runners.tf | 2 -- modules/multi-runner/variables.tf | 1 - modules/runners/main.tf | 4 ++-- modules/runners/pool.tf | 2 +- modules/runners/scale-up.tf | 2 +- modules/runners/variables.tf | 6 ------ outputs.tf | 2 +- variables.tf | 6 ------ 11 files changed, 12 insertions(+), 23 deletions(-) diff --git a/examples/multi-runner/main.tf b/examples/multi-runner/main.tf index 459612ec2c..d94cf7be46 100644 --- a/examples/multi-runner/main.tf +++ b/examples/multi-runner/main.tf 
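Review bot: The rewritten descriptions of `ami_id_ssm_parameter_name` and `ami_id_ssm_parameter_arn` in the root `variables.tf` drop two facts that the `modules/runners/variables.tf` copies in this same patch keep. Those facts are that the parameter is "of data type aws:ec2:image" and that it "Overrides ami_filter". The new text says only "type String" and adds "The default behavior is to use the latest Ubuntu 22.04 AMI", which nothing in the visible hunks supports. I would reuse the module wording, e.g. `[DEPRECATED: Use ami.id_ssm_parameter_arn] ARN of the SSM parameter (of data type aws:ec2:image) that contains the AMI ID to launch runner instances from. Overrides ami_filter`. The `ami_filter` validation message in this hunk also stops naming the variable; `"The \"ami_filter\" variable must contain the \"state\" key."` would still tell the reader which input to fix.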
@@ -53,7 +53,12 @@ locals { { subnet_ids = lookup(v.runner_config, "subnet_ids", null) != null ? [module.base.vpc.private_subnets[0]] : null vpc_id = lookup(v.runner_config, "vpc_id", null) != null ? module.base.vpc.vpc_id : null - ami_id_ssm_parameter_arn = lookup(local.ssm_ami_arns, k, null) != null ? local.ssm_ami_arns[k] : null + ami = merge( + v.runner_config.ami, + { + id_ssm_parameter_arn = lookup(local.ssm_ami_arns, k, null) != null ? local.ssm_ami_arns[k] : null + } + ) } ) } diff --git a/main.tf b/main.tf index 35b65ea76d..008cc4ac4e 100644 --- a/main.tf +++ b/main.tf @@ -181,7 +181,6 @@ module "runners" { ami = var.ami ami_filter = var.ami_filter ami_owners = var.ami_owners - ami_id_ssm_parameter_arn = var.ami_id_ssm_parameter_arn ami_id_ssm_parameter_name = var.ami_id_ssm_parameter_name ami_kms_key_arn = var.ami_kms_key_arn diff --git a/modules/multi-runner/outputs.tf b/modules/multi-runner/outputs.tf index a461c935d6..07614b568c 100644 --- a/modules/multi-runner/outputs.tf +++ b/modules/multi-runner/outputs.tf @@ -73,7 +73,7 @@ output "deprecated_variables_warning" { value = join("", [ for key, runner_config in var.multi_runner_config : ( try(runner_config.ami_id_ssm_parameter_name, null) != null ? - "DEPRECATION WARNING: The variable 'ami_id_ssm_parameter_name' in runner '${key}' is deprecated and will be removed in a future version. Please use 'ami_id_ssm_parameter_arn' instead.\n" : + "DEPRECATION WARNING: The variable 'ami_id_ssm_parameter_name' in runner '${key}' is deprecated and will be removed in a future version. Please use 'ami.id_ssm_parameter_arn' instead.\n" : "" ) ]) diff --git a/modules/multi-runner/runners.tf b/modules/multi-runner/runners.tf index 6ac8b25367..0d27faae0f 100644 --- a/modules/multi-runner/runners.tf +++ b/modules/multi-runner/runners.tf 
@@ -29,8 +29,6 @@ module "runners" { ami = each.value.runner_config.ami ami_filter = each.value.runner_config.ami_filter ami_owners = each.value.runner_config.ami_owners - ami_id_ssm_parameter_arn = each.value.runner_config.ami_id_ssm_parameter_arn - ami_id_ssm_parameter_name = each.value.runner_config.ami_id_ssm_parameter_name ami_kms_key_arn = each.value.runner_config.ami_kms_key_arn sqs_build_queue = { "arn" : each.value.arn, "url" : each.value.url } diff --git a/modules/multi-runner/variables.tf b/modules/multi-runner/variables.tf index dcc5079b3f..3bf485018d 100644 --- a/modules/multi-runner/variables.tf +++ b/modules/multi-runner/variables.tf @@ -83,7 +83,6 @@ variable "multi_runner_config" { # Deprecated: Use ami object instead ami_filter = optional(map(list(string)), { state = ["available"] }) ami_owners = optional(list(string), ["amazon"]) - ami_id_ssm_parameter_arn = optional(string, null) ami_id_ssm_parameter_name = optional(string, null) ami_kms_key_arn = optional(string, "") create_service_linked_role_spot = optional(bool, false) diff --git a/modules/runners/main.tf b/modules/runners/main.tf index 8f92a52cd9..5ed3fb25aa 100644 --- a/modules/runners/main.tf +++ b/modules/runners/main.tf @@ -42,7 +42,7 @@ locals { filter = var.ami_filter owners = var.ami_owners id_ssm_parameter_name = var.ami_id_ssm_parameter_name - id_ssm_parameter_arn = var.ami_id_ssm_parameter_arn + id_ssm_parameter_arn = null kms_key_arn = var.ami_kms_key_arn } ami_kms_key_arn = local.ami_config.kms_key_arn != null ? local.ami_config.kms_key_arn : "" @@ -170,7 +170,7 @@ resource "aws_launch_template" "runner" { } instance_initiated_shutdown_behavior = "terminate" - image_id = "resolve:ssm:${local.ami_id_ssm_module_managed ? aws_ssm_parameter.runner_ami_id[0].arn : var.ami_id_ssm_parameter_arn}" + image_id = "resolve:ssm:${local.ami_id_ssm_module_managed ? aws_ssm_parameter.runner_ami_id[0].arn : var.ami.id_ssm_parameter_arn}" key_name = var.key_name ebs_optimized = var.ebs_optimized 
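Review bot: The launch template's `image_id` reads `var.ami.id_ssm_parameter_arn` directly, although the series introduced `local.ami_config` as the single place where the AMI settings are resolved. `local.ami_id_ssm_module_managed` is itself derived from `local.ami_config.id_ssm_parameter_arn`. The two agree only because the fallback branch now hard-codes `id_ssm_parameter_arn = null`. The same conditional is repeated in the `pool.tf` and `scale-up.tf` hunks of this commit, where it also feeds the scale-up IAM policy, so I would resolve it once in `locals` as `ami_id_ssm_parameter_arn = local.ami_id_ssm_module_managed ? aws_ssm_parameter.runner_ami_id[0].arn : local.ami_config.id_ssm_parameter_arn` and use `image_id = "resolve:ssm:${local.ami_id_ssm_parameter_arn}"`. The `aws_launch_template` resource continues outside the hunk.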
diff --git a/modules/runners/pool.tf b/modules/runners/pool.tf index f305100ecf..2762008ebf 100644 --- a/modules/runners/pool.tf +++ b/modules/runners/pool.tf @@ -17,7 +17,7 @@ module "pool" { instance_types = var.instance_types kms_key_arn = local.kms_key_arn ami_kms_key_arn = local.ami_kms_key_arn - ami_id_ssm_parameter_arn = local.ami_id_ssm_module_managed ? aws_ssm_parameter.runner_ami_id[0].arn : var.ami_id_ssm_parameter_arn + ami_id_ssm_parameter_arn = local.ami_id_ssm_module_managed ? aws_ssm_parameter.runner_ami_id[0].arn : var.ami.id_ssm_parameter_arn lambda = { log_level = var.log_level logging_retention_in_days = var.logging_retention_in_days diff --git a/modules/runners/scale-up.tf b/modules/runners/scale-up.tf index 6fc601bc06..ad96c496a4 100644 --- a/modules/runners/scale-up.tf +++ b/modules/runners/scale-up.tf @@ -119,7 +119,7 @@ resource "aws_iam_role_policy" "scale_up" { ssm_config_path = "arn:${var.aws_partition}:ssm:${var.aws_region}:${data.aws_caller_identity.current.account_id}:parameter${var.ssm_paths.root}/${var.ssm_paths.config}" kms_key_arn = local.kms_key_arn ami_kms_key_arn = local.ami_kms_key_arn - ssm_ami_id_parameter_arn = local.ami_id_ssm_module_managed ? aws_ssm_parameter.runner_ami_id[0].arn : var.ami_id_ssm_parameter_arn + ssm_ami_id_parameter_arn = local.ami_id_ssm_module_managed ? aws_ssm_parameter.runner_ami_id[0].arn : var.ami.id_ssm_parameter_arn }) } diff --git a/modules/runners/variables.tf b/modules/runners/variables.tf index 93050e5f1f..e526a12993 100644 --- a/modules/runners/variables.tf +++ b/modules/runners/variables.tf 
@@ -142,12 +142,6 @@ variable "ami_owners" { default = ["amazon"] } -variable "ami_id_ssm_parameter_arn" { - description = "[DEPRECATED: Use ami.id_ssm_parameter_arn] ARN of the SSM parameter (of data type aws:ec2:image) that contains the AMI ID to launch runner instances from. Overrides ami_filter" - type = string - default = null -} - variable "ami_id_ssm_parameter_name" { description = "[DEPRECATED: Use ami.id_ssm_parameter_name] Externally managed SSM parameter (of data type aws:ec2:image) that contains the AMI ID to launch runner instances from. Overrides ami_filter" type = string diff --git a/outputs.tf b/outputs.tf index e9f098c105..c1424aab77 100644 --- a/outputs.tf +++ b/outputs.tf @@ -79,6 +79,6 @@ output "instance_termination_handler" { output "deprecated_variables_warning" { description = "Warning for deprecated variables usage" value = join("", [ - var.ami_id_ssm_parameter_name != null ? "DEPRECATION WARNING: The variable 'ami_id_ssm_parameter_name' is deprecated and will be removed in a future version. Please use 'ami_id_ssm_parameter_arn' instead.\n" : "", + var.ami_id_ssm_parameter_name != null ? "DEPRECATION WARNING: The variable 'ami_id_ssm_parameter_name' is deprecated and will be removed in a future version. Please use 'ami.id_ssm_parameter_arn' instead.\n" : "", ]) } diff --git a/variables.tf b/variables.tf index 6354f0dbec..f13c6509d7 100644 --- a/variables.tf +++ b/variables.tf @@ -401,12 +401,6 @@ variable "ami_id_ssm_parameter_name" { default = null } -variable "ami_id_ssm_parameter_arn" { - description = "[DEPRECATED: Use ami.id_ssm_parameter_arn] Arn of the SSM parameter used to resolve the AMI ID for the runner instances. The SSM parameter should be of type String and contain a valid AMI ID." - type = string - default = null -} - variable "ami_kms_key_arn" { description = "[DEPRECATED: Use ami.kms_key_arn] Optional CMK Key ARN to be used to launch an instance from a shared encrypted AMI" type = string 
From a8c7b5892c45af5b44fe572267d0d37a14a724cc Mon Sep 17 00:00:00 2001 From: Niek Palm Date: Fri, 4 Apr 2025 19:06:54 +0200 Subject: [PATCH 15/20] formatting --- examples/multi-runner/main.tf | 4 ++-- main.tf | 2 +- modules/multi-runner/runners.tf | 10 +++++----- modules/multi-runner/variables.tf | 20 ++++++++++---------- modules/runners/main.tf | 4 ++-- modules/runners/variables.tf | 10 +++++----- variables.tf | 10 +++++----- 7 files changed, 30 insertions(+), 30 deletions(-) diff --git a/examples/multi-runner/main.tf b/examples/multi-runner/main.tf index d94cf7be46..a2dc6981ff 100644 --- a/examples/multi-runner/main.tf +++ b/examples/multi-runner/main.tf @@ -51,8 +51,8 @@ locals { runner_config = merge( v.runner_config, { - subnet_ids = lookup(v.runner_config, "subnet_ids", null) != null ? [module.base.vpc.private_subnets[0]] : null - vpc_id = lookup(v.runner_config, "vpc_id", null) != null ? module.base.vpc.vpc_id : null + subnet_ids = lookup(v.runner_config, "subnet_ids", null) != null ? [module.base.vpc.private_subnets[0]] : null + vpc_id = lookup(v.runner_config, "vpc_id", null) != null ? module.base.vpc.vpc_id : null ami = merge( v.runner_config.ami, { diff --git a/main.tf b/main.tf index 008cc4ac4e..759b8169f6 100644 --- a/main.tf +++ b/main.tf @@ -178,7 +178,7 @@ module "runners" { block_device_mappings = var.block_device_mappings runner_architecture = var.runner_architecture - ami = var.ami + ami = var.ami ami_filter = var.ami_filter ami_owners = var.ami_owners ami_id_ssm_parameter_name = var.ami_id_ssm_parameter_name diff --git a/modules/multi-runner/runners.tf b/modules/multi-runner/runners.tf index 0d27faae0f..9f5d1bb456 100644 --- a/modules/multi-runner/runners.tf +++ b/modules/multi-runner/runners.tf 
@@ -25,11 +25,11 @@ module "runners" { instance_max_spot_price = each.value.runner_config.instance_max_spot_price block_device_mappings = each.value.runner_config.block_device_mappings - runner_architecture = each.value.runner_config.runner_architecture - ami = each.value.runner_config.ami - ami_filter = each.value.runner_config.ami_filter - ami_owners = each.value.runner_config.ami_owners - ami_kms_key_arn = each.value.runner_config.ami_kms_key_arn + runner_architecture = each.value.runner_config.runner_architecture + ami = each.value.runner_config.ami + ami_filter = each.value.runner_config.ami_filter + ami_owners = each.value.runner_config.ami_owners + ami_kms_key_arn = each.value.runner_config.ami_kms_key_arn sqs_build_queue = { "arn" : each.value.arn, "url" : each.value.url } github_app_parameters = local.github_app_parameters diff --git a/modules/multi-runner/variables.tf b/modules/multi-runner/variables.tf index 3bf485018d..86cbe05df4 100644 --- a/modules/multi-runner/variables.tf +++ b/modules/multi-runner/variables.tf 
@@ -66,19 +66,19 @@ variable "multi_runner_config" { http_put_response_hop_limit = 1 }) ami = optional(object({ - filter = optional(map(list(string)), { state = ["available"] }) - owners = optional(list(string), ["amazon"]) - id_ssm_parameter_name = optional(string, null) - id_ssm_parameter_arn = optional(string, null) - kms_key_arn = optional(string, null) + filter = optional(map(list(string)), { state = ["available"] }) + owners = optional(list(string), ["amazon"]) + id_ssm_parameter_name = optional(string, null) + id_ssm_parameter_arn = optional(string, null) + kms_key_arn = optional(string, null) }), null) # Deprecated: Use ami object instead ami = optional(object({ - filter = optional(map(list(string)), { state = ["available"] }) - owners = optional(list(string), ["amazon"]) - id_ssm_parameter_name = optional(string, null) - id_ssm_parameter_arn = optional(string, null) - kms_key_arn = optional(string, null) + filter = optional(map(list(string)), { state = ["available"] }) + owners = optional(list(string), ["amazon"]) + id_ssm_parameter_name = optional(string, null) + id_ssm_parameter_arn = optional(string, null) + kms_key_arn = optional(string, null) }), null) # Deprecated: Use ami object instead ami_filter = optional(map(list(string)), { state = ["available"] }) diff --git a/modules/runners/main.tf b/modules/runners/main.tf index 5ed3fb25aa..b3bf224434 100644 --- a/modules/runners/main.tf +++ b/modules/runners/main.tf @@ -42,8 +42,8 @@ locals { filter = var.ami_filter owners = var.ami_owners id_ssm_parameter_name = var.ami_id_ssm_parameter_name - id_ssm_parameter_arn = null - kms_key_arn = var.ami_kms_key_arn + id_ssm_parameter_arn = null + kms_key_arn = var.ami_kms_key_arn } ami_kms_key_arn = local.ami_config.kms_key_arn != null ? local.ami_config.kms_key_arn : "" ami_filter = merge(local.default_ami[var.runner_os], local.ami_config.filter) diff --git a/modules/runners/variables.tf b/modules/runners/variables.tf index e526a12993..8e7062fa0a 100644 
--- a/modules/runners/variables.tf +++ b/modules/runners/variables.tf @@ -1,11 +1,11 @@ variable "ami" { description = "AMI configuration for the action runner instances" type = object({ - filter = optional(map(list(string)), { state = ["available"] }) - owners = optional(list(string), ["amazon"]) - id_ssm_parameter_name = optional(string, null) - id_ssm_parameter_arn = optional(string, null) - kms_key_arn = optional(string, null) + filter = optional(map(list(string)), { state = ["available"] }) + owners = optional(list(string), ["amazon"]) + id_ssm_parameter_name = optional(string, null) + id_ssm_parameter_arn = optional(string, null) + kms_key_arn = optional(string, null) }) default = null } diff --git a/variables.tf b/variables.tf index f13c6509d7..eb41a8e0b1 100644 --- a/variables.tf +++ b/variables.tf @@ -369,11 +369,11 @@ variable "block_device_mappings" { variable "ami" { description = "AMI configuration for the action runner instances" type = object({ - filter = optional(map(list(string)), { state = ["available"] }) - owners = optional(list(string), ["amazon"]) - id_ssm_parameter_name = optional(string, null) - id_ssm_parameter_arn = optional(string, null) - kms_key_arn = optional(string, null) + filter = optional(map(list(string)), { state = ["available"] }) + owners = optional(list(string), ["amazon"]) + id_ssm_parameter_name = optional(string, null) + id_ssm_parameter_arn = optional(string, null) + kms_key_arn = optional(string, null) }) default = null } From f540417997da9a418e72e6a344352c3074f98d80 Mon Sep 17 00:00:00 2001 
From: Niek Palm Date: Fri, 4 Apr 2025 22:26:12 +0200 Subject: [PATCH 16/20] cleanup --- examples/multi-runner/main.tf | 4 ++-- .../templates/runner-configs/windows-x64.yaml | 11 +++++----- examples/prebuilt/main.tf | 4 ---- modules/multi-runner/outputs.tf | 17 ++++++++++---- modules/multi-runner/variables.tf | 20 +++++------------ modules/runners/main.tf | 9 ++++---- modules/runners/variables.tf | 22 ++++++++++++++----- outputs.tf | 10 +++++++-- variables.tf | 22 ++++++++++++++----- 9 files changed, 70 insertions(+), 49 deletions(-) diff --git a/examples/multi-runner/main.tf b/examples/multi-runner/main.tf index a2dc6981ff..acbcdb8081 100644 --- a/examples/multi-runner/main.tf +++ b/examples/multi-runner/main.tf @@ -53,12 +53,12 @@ locals { { subnet_ids = lookup(v.runner_config, "subnet_ids", null) != null ? [module.base.vpc.private_subnets[0]] : null vpc_id = lookup(v.runner_config, "vpc_id", null) != null ? module.base.vpc.vpc_id : null - ami = merge( + ami = contains(keys(v.runner_config), "ami") ? merge( v.runner_config.ami, { id_ssm_parameter_arn = lookup(local.ssm_ami_arns, k, null) != null ? local.ssm_ami_arns[k] : null } - ) + ) : null } ) } diff --git a/examples/multi-runner/templates/runner-configs/windows-x64.yaml b/examples/multi-runner/templates/runner-configs/windows-x64.yaml index 0bd3486a42..fdf8be6533 100644 --- a/examples/multi-runner/templates/runner-configs/windows-x64.yaml +++ b/examples/multi-runner/templates/runner-configs/windows-x64.yaml @@ -15,9 +15,8 @@ runner_config: delay_webhook_event: 5 scale_down_schedule_expression: cron(* * * * ? *) runner_boot_time_in_minutes: 20 - ami: - filter: - name: - - Windows_Server-2022-English-Full-ECS_Optimized-* - state: - - available + ami_filter: + name: + - Windows_Server-2022-English-Full-ECS_Optimized-* + state: + - available diff --git a/examples/prebuilt/main.tf b/examples/prebuilt/main.tf index 5e5f23703c..dbfbdf9523 100644 --- a/examples/prebuilt/main.tf +++ b/examples/prebuilt/main.tf 
@@ -45,10 +45,6 @@ module "runners" { ami_filter = { name = [var.ami_name_filter], state = ["available"] } ami_owners = [data.aws_caller_identity.current.account_id] - # Look up runner AMI ID from an AWS SSM parameter (overrides ami_filter at instance launch time) - # NOTE: the parameter must be managed outside of this module (e.g. in a runner AMI build workflow) - # ami_id_ssm_parameter_name = "my-runner-ami-id" - # disable binary syncer since github agent is already installed in the AMI. enable_runner_binaries_syncer = false diff --git a/modules/multi-runner/outputs.tf b/modules/multi-runner/outputs.tf index 07614b568c..2f2b1d3458 100644 --- a/modules/multi-runner/outputs.tf +++ b/modules/multi-runner/outputs.tf 
@@ -69,12 +69,21 @@ output "instance_termination_handler" { } output "deprecated_variables_warning" { - description = "Warning for deprecated variables usage" + description = "Warning for deprecated variables usage. These variables will be removed in a future release. Please migrate to using the consolidated 'ami' object in each runner configuration." value = join("", [ for key, runner_config in var.multi_runner_config : ( - try(runner_config.ami_id_ssm_parameter_name, null) != null ? - "DEPRECATION WARNING: The variable 'ami_id_ssm_parameter_name' in runner '${key}' is deprecated and will be removed in a future version. Please use 'ami.id_ssm_parameter_arn' instead.\n" : - "" + join("", [ + # Show object migration warning only when ami is null and old variables are used + try(runner_config.runner_config.ami, null) == null ? ( + (try(runner_config.runner_config.ami_filter, { state = ["available"] }) != { state = ["available"] } || + try(runner_config.runner_config.ami_owners, ["amazon"]) != ["amazon"] || + try(runner_config.runner_config.ami_kms_key_arn, "") != "") ? + "DEPRECATION WARNING: Runner '${key}' is using deprecated AMI variables (ami_filter, ami_owners, ami_kms_key_arn). These variables will be removed in a future version. Please migrate to using the consolidated 'ami' object.\n" : "" + ) : "", + # Always show warning for ami_id_ssm_parameter_name to migrate to ami_id_ssm_parameter_arn + try(runner_config.runner_config.ami_id_ssm_parameter_name, null) != null ? + "DEPRECATION WARNING: Runner '${key}' is using deprecated variable 'ami_id_ssm_parameter_name'. Please use 'ami.id_ssm_parameter_arn' instead.\n" : "" + ]) ) ]) } diff --git a/modules/multi-runner/variables.tf b/modules/multi-runner/variables.tf index 86cbe05df4..b138205459 100644 --- a/modules/multi-runner/variables.tf +++ b/modules/multi-runner/variables.tf 
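Review bot: The two default comparisons in `deprecated_variables_warning` compare a typed value with an untyped literal, so as far as I can tell they are always unequal. `ami_filter` is declared as `map(list(string))` and `ami_owners` as `list(string)`, while `{ state = ["available"] }` and `["amazon"]` are an object and a tuple, and Terraform's `!=` reports a type mismatch as "not equal". The warning would then be printed for every runner whose `ami` is null, including those that never set a deprecated variable. Converting the literals makes the check meaningful: `!= tomap({ state = tolist(["available"]) })` and `!= tolist(["amazon"])`.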
@@ -66,20 +66,11 @@ variable "multi_runner_config" { http_put_response_hop_limit = 1 }) ami = optional(object({ - filter = optional(map(list(string)), { state = ["available"] }) - owners = optional(list(string), ["amazon"]) - id_ssm_parameter_name = optional(string, null) - id_ssm_parameter_arn = optional(string, null) - kms_key_arn = optional(string, null) - }), null) - # Deprecated: Use ami object instead - ami = optional(object({ - filter = optional(map(list(string)), { state = ["available"] }) - owners = optional(list(string), ["amazon"]) - id_ssm_parameter_name = optional(string, null) - id_ssm_parameter_arn = optional(string, null) - kms_key_arn = optional(string, null) - }), null) + filter = optional(map(list(string)), { state = ["available"] }) + owners = optional(list(string), ["amazon"]) + id_ssm_parameter_arn = optional(string, null) + kms_key_arn = optional(string, null) + }), null) # Defaults to null, in which case the module falls back to individual AMI variables (deprecated) # Deprecated: Use ami object instead ami_filter = optional(map(list(string)), { state = ["available"] }) ami_owners = optional(list(string), ["amazon"]) @@ -187,6 +178,7 @@ variable "multi_runner_config" { runner_os: "The EC2 Operating System type to use for action runner instances (linux,windows)." runner_architecture: "The platform architecture of the runner instance_type." runner_metadata_options: "(Optional) Metadata options for the ec2 runner instances." + ami: "(Optional) AMI configuration for the action runner instances. This object allows you to specify all AMI-related settings in one place." ami_filter: "(Optional) List of maps used to create the AMI filter for the action runner AMI. By default amazon linux 2 is used." ami_owners: "(Optional) The list of owners used to select the AMI of action runner instances." create_service_linked_role_spot: (Optional) create the serviced linked role for spot instances that is required by the scale-up lambda. 
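Review bot: This hunk removes `id_ssm_parameter_name` from the `ami` object, but the deprecation text elsewhere in the series still tells users to move to it: `[DEPRECATED: Use ami.id_ssm_parameter_name]` remains on `ami_id_ssm_parameter_name` in `modules/runners/variables.tf` and in the generated README. Terraform drops attributes that an object type does not declare, so `ami = { id_ssm_parameter_name = "..." }` would be accepted without error and the runner would launch from the filter result instead of the pinned image. I would change those descriptions to `[DEPRECATED: Use ami.id_ssm_parameter_arn]`, matching the warning text in `outputs.tf`. The `multi_runner_config` variable starts and ends outside the hunk.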
diff --git a/modules/runners/main.tf b/modules/runners/main.tf index b3bf224434..5baaa09672 100644 --- a/modules/runners/main.tf +++ b/modules/runners/main.tf @@ -39,11 +39,10 @@ locals { # Handle AMI configuration from either the new object or old variables ami_config = var.ami != null ? var.ami : { - filter = var.ami_filter - owners = var.ami_owners - id_ssm_parameter_name = var.ami_id_ssm_parameter_name - id_ssm_parameter_arn = null - kms_key_arn = var.ami_kms_key_arn + filter = var.ami_filter + owners = var.ami_owners + id_ssm_parameter_arn = null + kms_key_arn = var.ami_kms_key_arn } ami_kms_key_arn = local.ami_config.kms_key_arn != null ? local.ami_config.kms_key_arn : "" ami_filter = merge(local.default_ami[var.runner_os], local.ami_config.filter) diff --git a/modules/runners/variables.tf b/modules/runners/variables.tf index 8e7062fa0a..f70e80b9cc 100644 --- a/modules/runners/variables.tf +++ b/modules/runners/variables.tf @@ -1,11 +1,21 @@ variable "ami" { - description = "AMI configuration for the action runner instances" + description = < Date: Fri, 4 Apr 2025 20:27:01 +0000 Subject: [PATCH 17/20] docs: auto update terraform docs --- README.md | 12 ++++++------ modules/multi-runner/README.md | 4 ++-- modules/runners/README.md | 10 +++++----- modules/runners/pool/README.md | 2 +- 4 files changed, 14 insertions(+), 14 deletions(-) diff --git a/README.md b/README.md index 557f85c2aa..e264bdc3d5 100644 --- a/README.md +++ b/README.md @@ -106,17 +106,17 @@ Join our discord community via [this invite link](https://discord.gg/bxgXW8jJGh) | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [ami\_filter](#input\_ami\_filter) | Map of lists used to create the AMI filter for the action runner AMI. | `map(list(string))` |
{
"state": [
"available"
]
}
| no | +| [ami](#input\_ami) | AMI configuration for the action runner instances. This object allows you to specify all AMI-related settings in one place.

Parameters:
- `filter`: Map of lists to filter AMIs by various criteria (e.g., { name = ["ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-*"], state = ["available"] })
- `owners`: List of AMI owners to limit the search. Common values: ["amazon"], ["self"], or specific AWS account IDs
- `id_ssm_parameter_name`: Name of an SSM parameter containing the AMI ID. If specified, this overrides the AMI filter
- `id_ssm_parameter_arn`: ARN of an SSM parameter containing the AMI ID. If specified, this overrides both AMI filter and parameter name
- `kms_key_arn`: Optional KMS key ARN if the AMI is encrypted with a customer managed key

Defaults to null, in which case the module falls back to individual AMI variables (deprecated). |
object({
filter = optional(map(list(string)), { state = ["available"] })
owners = optional(list(string), ["amazon"])
id_ssm_parameter_arn = optional(string, null)
kms_key_arn = optional(string, null)
})
| `null` | no | +| [ami\_filter](#input\_ami\_filter) | [DEPRECATED: Use ami.filter] Map of lists used to create the AMI filter for the action runner AMI. | `map(list(string))` |
{
"state": [
"available"
]
}
| no | | [ami\_housekeeper\_cleanup\_config](#input\_ami\_housekeeper\_cleanup\_config) | Configuration for AMI cleanup.

`amiFilters` - Filters to use when searching for AMIs to cleanup. Default filter for images owned by the account and that are available.
`dryRun` - If true, no AMIs will be deregistered. Default false.
`launchTemplateNames` - Launch template names to use when searching for AMIs to cleanup. Default no launch templates.
`maxItems` - The maximum numer of AMI's tha will be queried for cleanup. Default no maximum.
`minimumDaysOld` - Minimum number of days old an AMI must be to be considered for cleanup. Default 30.
`ssmParameterNames` - SSM parameter names to use when searching for AMIs to cleanup. This parameter should be set when using SSM to configure the AMI to use. Default no SSM parameters. |
object({
amiFilters = optional(list(object({
Name = string
Values = list(string)
})),
[{
Name : "state",
Values : ["available"],
},
{
Name : "image-type",
Values : ["machine"],
}]
)
dryRun = optional(bool, false)
launchTemplateNames = optional(list(string))
maxItems = optional(number)
minimumDaysOld = optional(number, 30)
ssmParameterNames = optional(list(string))
})
| `{}` | no | | [ami\_housekeeper\_lambda\_s3\_key](#input\_ami\_housekeeper\_lambda\_s3\_key) | S3 key for syncer lambda function. Required if using S3 bucket to specify lambdas. | `string` | `null` | no | | [ami\_housekeeper\_lambda\_s3\_object\_version](#input\_ami\_housekeeper\_lambda\_s3\_object\_version) | S3 object version for syncer lambda function. Useful if S3 versioning is enabled on source bucket. | `string` | `null` | no | | [ami\_housekeeper\_lambda\_schedule\_expression](#input\_ami\_housekeeper\_lambda\_schedule\_expression) | Scheduler expression for action runner binary syncer. | `string` | `"rate(1 day)"` | no | | [ami\_housekeeper\_lambda\_timeout](#input\_ami\_housekeeper\_lambda\_timeout) | Time out of the lambda in seconds. | `number` | `300` | no | | [ami\_housekeeper\_lambda\_zip](#input\_ami\_housekeeper\_lambda\_zip) | File location of the lambda zip file. | `string` | `null` | no | -| [ami\_id\_ssm\_parameter\_arn](#input\_ami\_id\_ssm\_parameter\_arn) | ARN of the SSM parameter (of data type aws:ec2:image) that contains the AMI ID to launch runner instances from. Overrides ami\_filter | `string` | `null` | no | -| [ami\_id\_ssm\_parameter\_name](#input\_ami\_id\_ssm\_parameter\_name) | (DEPRECATED) Variable is replaced by `ami_id_ssm_parameter_arn` Externally managed SSM parameter (of data type aws:ec2:image) that contains the AMI ID to launch runner instances from. Overrides ami\_filter | `string` | `null` | no | -| [ami\_kms\_key\_arn](#input\_ami\_kms\_key\_arn) | Optional CMK Key ARN to be used to launch an instance from a shared encrypted AMI | `string` | `null` | no | -| [ami\_owners](#input\_ami\_owners) | The list of owners used to select the AMI of action runner instances. | `list(string)` |
[
"amazon"
]
| no | +| [ami\_id\_ssm\_parameter\_name](#input\_ami\_id\_ssm\_parameter\_name) | [DEPRECATED: Use ami.id\_ssm\_parameter\_name] String used to construct the SSM parameter name used to resolve the latest AMI ID for the runner instances. The SSM parameter should be of type String and contain a valid AMI ID. The default behavior is to use the latest Ubuntu 22.04 AMI. | `string` | `null` | no | +| [ami\_kms\_key\_arn](#input\_ami\_kms\_key\_arn) | [DEPRECATED: Use ami.kms\_key\_arn] Optional CMK Key ARN to be used to launch an instance from a shared encrypted AMI | `string` | `null` | no | +| [ami\_owners](#input\_ami\_owners) | [DEPRECATED: Use ami.owners] The list of owners that should be used to find the AMI. | `list(string)` |
[
"amazon"
]
| no | | [associate\_public\_ipv4\_address](#input\_associate\_public\_ipv4\_address) | Associate public IPv4 with the runner. Only tested with IPv4 | `bool` | `false` | no | | [aws\_partition](#input\_aws\_partition) | (optiona) partition in the arn namespace to use if not 'aws' | `string` | `"aws"` | no | | [aws\_region](#input\_aws\_region) | AWS region. | `string` | n/a | yes | @@ -240,7 +240,7 @@ Join our discord community via [this invite link](https://discord.gg/bxgXW8jJGh) | Name | Description | |------|-------------| | [binaries\_syncer](#output\_binaries\_syncer) | n/a | -| [deprecated\_variables\_warning](#output\_deprecated\_variables\_warning) | Warning for deprecated variables usage | +| [deprecated\_variables\_warning](#output\_deprecated\_variables\_warning) | Warning for deprecated variables usage. These variables will be removed in a future release. Please migrate to using the consolidated 'ami' object. | | [instance\_termination\_handler](#output\_instance\_termination\_handler) | n/a | | [instance\_termination\_watcher](#output\_instance\_termination\_watcher) | n/a | | [queues](#output\_queues) | SQS queues. | diff --git a/modules/multi-runner/README.md b/modules/multi-runner/README.md index baa46a524e..c43d00e245 100644 --- a/modules/multi-runner/README.md +++ b/modules/multi-runner/README.md 
@@ -148,7 +148,7 @@ module "multi-runner" { | [logging\_retention\_in\_days](#input\_logging\_retention\_in\_days) | Specifies the number of days you want to retain log events for the lambda log group. Possible values are: 0, 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, and 3653. | `number` | `180` | no | | [matcher\_config\_parameter\_store\_tier](#input\_matcher\_config\_parameter\_store\_tier) | The tier of the parameter store for the matcher configuration. Valid values are `Standard`, and `Advanced`. | `string` | `"Standard"` | no | | [metrics](#input\_metrics) | Configuration for metrics created by the module, by default metrics are disabled to avoid additional costs. When metrics are enable all metrics are created unless explicit configured otherwise. |
object({
enable = optional(bool, false)
namespace = optional(string, "GitHub Runners")
metric = optional(object({
enable_github_app_rate_limit = optional(bool, true)
enable_job_retry = optional(bool, true)
enable_spot_termination_warning = optional(bool, true)
}), {})
})
| `{}` | no | -| [multi\_runner\_config](#input\_multi\_runner\_config) | multi\_runner\_config = {
runner\_config: {
runner\_os: "The EC2 Operating System type to use for action runner instances (linux,windows)."
runner\_architecture: "The platform architecture of the runner instance\_type."
runner\_metadata\_options: "(Optional) Metadata options for the ec2 runner instances."
ami\_filter: "(Optional) List of maps used to create the AMI filter for the action runner AMI. By default amazon linux 2 is used."
ami\_owners: "(Optional) The list of owners used to select the AMI of action runner instances."
create\_service\_linked\_role\_spot: (Optional) create the serviced linked role for spot instances that is required by the scale-up lambda.
credit\_specification: "(Optional) The credit specification of the runner instance\_type. Can be unset, `standard` or `unlimited`.
delay\_webhook\_event: "The number of seconds the event accepted by the webhook is invisible on the queue before the scale up lambda will receive the event."
disable\_runner\_autoupdate: "Disable the auto update of the github runner agent. Be aware there is a grace period of 30 days, see also the [GitHub article](https://github.blog/changelog/2022-02-01-github-actions-self-hosted-runners-can-now-disable-automatic-updates/)"
ebs\_optimized: "The EC2 EBS optimized configuration."
enable\_ephemeral\_runners: "Enable ephemeral runners, runners will only be used once."
enable\_job\_queued\_check: "Enables JIT configuration for creating runners instead of registration token based registraton. JIT configuration will only be applied for ephemeral runners. By default JIT confiugration is enabled for ephemeral runners an can be disabled via this override. When running on GHES without support for JIT configuration this variable should be set to true for ephemeral runners."
enable\_on\_demand\_failover\_for\_errors: "Enable on-demand failover. For example to fall back to on demand when no spot capacity is available the variable can be set to `InsufficientInstanceCapacity`. When not defined the default behavior is to retry later."
enable\_organization\_runners: "Register runners to organization, instead of repo level"
enable\_runner\_binaries\_syncer: "Option to disable the lambda to sync GitHub runner distribution, useful when using a pre-build AMI."
enable\_ssm\_on\_runners: "Enable to allow access the runner instances for debugging purposes via SSM. Note that this adds additional permissions to the runner instances."
enable\_userdata: "Should the userdata script be enabled for the runner. Set this to false if you are using your own prebuilt AMI."
instance\_allocation\_strategy: "The allocation strategy for spot instances. AWS recommends to use `capacity-optimized` however the AWS default is `lowest-price`."
instance\_max\_spot\_price: "Max price price for spot intances per hour. This variable will be passed to the create fleet as max spot price for the fleet."
instance\_target\_capacity\_type: "Default lifecycle used for runner instances, can be either `spot` or `on-demand`."
instance\_types: "List of instance types for the action runner. Defaults are based on runner\_os (al2023 for linux and Windows Server Core for win)."
job\_queue\_retention\_in\_seconds: "The number of seconds the job is held in the queue before it is purged"
minimum\_running\_time\_in\_minutes: "The time an ec2 action runner should be running at minimum before terminated if not busy."
pool\_runner\_owner: "The pool will deploy runners to the GitHub org ID, set this value to the org to which you want the runners deployed. Repo level is not supported."
runner\_additional\_security\_group\_ids: "List of additional security groups IDs to apply to the runner. If added outside the multi\_runner\_config block, the additional security group(s) will be applied to all runner configs. If added inside the multi\_runner\_config, the additional security group(s) will be applied to the individual runner."
runner\_as\_root: "Run the action runner under the root user. Variable `runner_run_as` will be ignored."
runner\_boot\_time\_in\_minutes: "The minimum time for an EC2 runner to boot and register as a runner."
runner\_disable\_default\_labels: "Disable default labels for the runners (os, architecture and `self-hosted`). If enabled, the runner will only have the extra labels provided in `runner_extra_labels`. In case you on own start script is used, this configuration parameter needs to be parsed via SSM."
runner\_extra\_labels: "Extra (custom) labels for the runners (GitHub). Separate each label by a comma. Labels checks on the webhook can be enforced by setting `multi_runner_config.matcherConfig.exactMatch`. GitHub read-only labels should not be provided."
runner\_group\_name: "Name of the runner group."
runner\_name\_prefix: "Prefix for the GitHub runner name."
runner\_run\_as: "Run the GitHub actions agent as user."
runners\_maximum\_count: "The maximum number of runners that will be created. Setting the variable to `-1` desiables the maximum check."
scale\_down\_schedule\_expression: "Scheduler expression to check every x for scale down."
scale\_up\_reserved\_concurrent\_executions: "Amount of reserved concurrent executions for the scale-up lambda function. A value of 0 disables lambda from being triggered and -1 removes any concurrency limitations."
userdata\_template: "Alternative user-data template, replacing the default template. By providing your own user\_data you have to take care of installing all required software, including the action runner. Variables userdata\_pre/post\_install are ignored."
enable\_jit\_config "Overwrite the default behavior for JIT configuration. By default JIT configuration is enabled for ephemeral runners and disabled for non-ephemeral runners. In case of GHES check first if the JIT config API is avaialbe. In case you upgradeing from 3.x to 4.x you can set `enable_jit_config` to `false` to avoid a breaking change when having your own AMI."
enable\_runner\_detailed\_monitoring: "Should detailed monitoring be enabled for the runner. Set this to true if you want to use detailed monitoring. See https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-cloudwatch-new.html for details."
enable\_cloudwatch\_agent: "Enabling the cloudwatch agent on the ec2 runner instances, the runner contains default config. Configuration can be overridden via `cloudwatch_config`."
cloudwatch\_config: "(optional) Replaces the module default cloudwatch log config. See https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Agent-Configuration-File-Details.html for details."
userdata\_pre\_install: "Script to be ran before the GitHub Actions runner is installed on the EC2 instances"
userdata\_post\_install: "Script to be ran after the GitHub Actions runner is installed on the EC2 instances"
runner\_hook\_job\_started: "Script to be ran in the runner environment at the beginning of every job"
runner\_hook\_job\_completed: "Script to be ran in the runner environment at the end of every job"
runner\_ec2\_tags: "Map of tags that will be added to the launch template instance tag specifications."
runner\_iam\_role\_managed\_policy\_arns: "Attach AWS or customer-managed IAM policies (by ARN) to the runner IAM role"
vpc\_id: "The VPC for security groups of the action runners. If not set uses the value of `var.vpc_id`."
subnet\_ids: "List of subnets in which the action runners will be launched, the subnets needs to be subnets in the `vpc_id`. If not set, uses the value of `var.subnet_ids`."
idle\_config: "List of time period that can be defined as cron expression to keep a minimum amount of runners active instead of scaling down to 0. By defining this list you can ensure that in time periods that match the cron expression within 5 seconds a runner is kept idle."
runner\_log\_files: "(optional) Replaces the module default cloudwatch log config. See https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Agent-Configuration-File-Details.html for details."
block\_device\_mappings: "The EC2 instance block device configuration. Takes the following keys: `device_name`, `delete_on_termination`, `volume_type`, `volume_size`, `encrypted`, `iops`, `throughput`, `kms_key_id`, `snapshot_id`."
job\_retry: "Experimental! Can be removed / changed without trigger a major release. Configure job retries. The configuration enables job retries (for ephemeral runners). After creating the insances a message will be published to a job retry queue. The job retry check lambda is checking after a delay if the job is queued. If not the message will be published again on the scale-up (build queue). Using this feature can impact the reate limit of the GitHub app."
pool\_config: "The configuration for updating the pool. The `pool_size` to adjust to by the events triggered by the `schedule_expression`. For example you can configure a cron expression for week days to adjust the pool to 10 and another expression for the weekend to adjust the pool to 1. Use `schedule_expression_timezone` to override the schedule time zone (defaults to UTC)."
}
matcherConfig: {
labelMatchers: "The list of list of labels supported by the runner configuration. `[[self-hosted, linux, x64, example]]`"
exactMatch: "If set to true all labels in the workflow job must match the GitHub labels (os, architecture and `self-hosted`). When false if __any__ workflow label matches it will trigger the webhook."
priority: "If set it defines the priority of the matcher, the matcher with the lowest priority will be evaluated first. Default is 999, allowed values 0-999."
}
redrive\_build\_queue: "Set options to attach (optional) a dead letter queue to the build queue, the queue between the webhook and the scale up lambda. You have the following options. 1. Disable by setting `enabled` to false. 2. Enable by setting `enabled` to `true`, `maxReceiveCount` to a number of max retries."
} |
map(object({
runner_config = object({
runner_os = string
runner_architecture = string
runner_metadata_options = optional(map(any), {
instance_metadata_tags = "enabled"
http_endpoint = "enabled"
http_tokens = "required"
http_put_response_hop_limit = 1
})
ami_filter = optional(map(list(string)), { state = ["available"] })
ami_owners = optional(list(string), ["amazon"])
ami_id_ssm_parameter_arn = optional(string, null)
ami_id_ssm_parameter_name = optional(string, null)
ami_kms_key_arn = optional(string, "")
create_service_linked_role_spot = optional(bool, false)
credit_specification = optional(string, null)
delay_webhook_event = optional(number, 30)
disable_runner_autoupdate = optional(bool, false)
ebs_optimized = optional(bool, false)
enable_ephemeral_runners = optional(bool, false)
enable_job_queued_check = optional(bool, null)
enable_on_demand_failover_for_errors = optional(list(string), [])
enable_organization_runners = optional(bool, false)
enable_runner_binaries_syncer = optional(bool, true)
enable_ssm_on_runners = optional(bool, false)
enable_userdata = optional(bool, true)
instance_allocation_strategy = optional(string, "lowest-price")
instance_max_spot_price = optional(string, null)
instance_target_capacity_type = optional(string, "spot")
instance_types = list(string)
job_queue_retention_in_seconds = optional(number, 86400)
minimum_running_time_in_minutes = optional(number, null)
pool_runner_owner = optional(string, null)
runner_as_root = optional(bool, false)
runner_boot_time_in_minutes = optional(number, 5)
runner_disable_default_labels = optional(bool, false)
runner_extra_labels = optional(list(string), [])
runner_group_name = optional(string, "Default")
runner_name_prefix = optional(string, "")
runner_run_as = optional(string, "ec2-user")
runners_maximum_count = number
runner_additional_security_group_ids = optional(list(string), [])
scale_down_schedule_expression = optional(string, "cron(*/5 * * * ? *)")
scale_up_reserved_concurrent_executions = optional(number, 1)
userdata_template = optional(string, null)
userdata_content = optional(string, null)
enable_jit_config = optional(bool, null)
enable_runner_detailed_monitoring = optional(bool, false)
enable_cloudwatch_agent = optional(bool, true)
cloudwatch_config = optional(string, null)
userdata_pre_install = optional(string, "")
userdata_post_install = optional(string, "")
runner_hook_job_started = optional(string, "")
runner_hook_job_completed = optional(string, "")
runner_ec2_tags = optional(map(string), {})
runner_iam_role_managed_policy_arns = optional(list(string), [])
vpc_id = optional(string, null)
subnet_ids = optional(list(string), null)
idle_config = optional(list(object({
cron = string
timeZone = string
idleCount = number
evictionStrategy = optional(string, "oldest_first")
})), [])
runner_log_files = optional(list(object({
log_group_name = string
prefix_log_group = bool
file_path = string
log_stream_name = string
})), null)
block_device_mappings = optional(list(object({
delete_on_termination = optional(bool, true)
device_name = optional(string, "/dev/xvda")
encrypted = optional(bool, true)
iops = optional(number)
kms_key_id = optional(string)
snapshot_id = optional(string)
throughput = optional(number)
volume_size = number
volume_type = optional(string, "gp3")
})), [{
volume_size = 30
}])
pool_config = optional(list(object({
schedule_expression = string
schedule_expression_timezone = optional(string)
size = number
})), [])
job_retry = optional(object({
enable = optional(bool, false)
delay_in_seconds = optional(number, 300)
delay_backoff = optional(number, 2)
lambda_memory_size = optional(number, 256)
lambda_timeout = optional(number, 30)
max_attempts = optional(number, 1)
}), {})
})
matcherConfig = object({
labelMatchers = list(list(string))
exactMatch = optional(bool, false)
priority = optional(number, 999)
})
redrive_build_queue = optional(object({
enabled = bool
maxReceiveCount = number
}), {
enabled = false
maxReceiveCount = null
})
}))
| n/a | yes | +| [multi\_runner\_config](#input\_multi\_runner\_config) | multi\_runner\_config = {
runner\_config: {
runner\_os: "The EC2 Operating System type to use for action runner instances (linux,windows)."
runner\_architecture: "The platform architecture of the runner instance\_type."
runner\_metadata\_options: "(Optional) Metadata options for the ec2 runner instances."
ami: "(Optional) AMI configuration for the action runner instances. This object allows you to specify all AMI-related settings in one place."
ami\_filter: "(Optional) List of maps used to create the AMI filter for the action runner AMI. By default amazon linux 2 is used."
ami\_owners: "(Optional) The list of owners used to select the AMI of action runner instances."
create\_service\_linked\_role\_spot: (Optional) create the serviced linked role for spot instances that is required by the scale-up lambda.
credit\_specification: "(Optional) The credit specification of the runner instance\_type. Can be unset, `standard` or `unlimited`.
delay\_webhook\_event: "The number of seconds the event accepted by the webhook is invisible on the queue before the scale up lambda will receive the event."
disable\_runner\_autoupdate: "Disable the auto update of the github runner agent. Be aware there is a grace period of 30 days, see also the [GitHub article](https://github.blog/changelog/2022-02-01-github-actions-self-hosted-runners-can-now-disable-automatic-updates/)"
ebs\_optimized: "The EC2 EBS optimized configuration."
enable\_ephemeral\_runners: "Enable ephemeral runners, runners will only be used once."
enable\_job\_queued\_check: "Enables JIT configuration for creating runners instead of registration token based registraton. JIT configuration will only be applied for ephemeral runners. By default JIT confiugration is enabled for ephemeral runners an can be disabled via this override. When running on GHES without support for JIT configuration this variable should be set to true for ephemeral runners."
enable\_on\_demand\_failover\_for\_errors: "Enable on-demand failover. For example to fall back to on demand when no spot capacity is available the variable can be set to `InsufficientInstanceCapacity`. When not defined the default behavior is to retry later."
enable\_organization\_runners: "Register runners to organization, instead of repo level"
enable\_runner\_binaries\_syncer: "Option to disable the lambda to sync GitHub runner distribution, useful when using a pre-build AMI."
enable\_ssm\_on\_runners: "Enable to allow access the runner instances for debugging purposes via SSM. Note that this adds additional permissions to the runner instances."
enable\_userdata: "Should the userdata script be enabled for the runner. Set this to false if you are using your own prebuilt AMI."
instance\_allocation\_strategy: "The allocation strategy for spot instances. AWS recommends to use `capacity-optimized` however the AWS default is `lowest-price`."
instance\_max\_spot\_price: "Max price price for spot intances per hour. This variable will be passed to the create fleet as max spot price for the fleet."
instance\_target\_capacity\_type: "Default lifecycle used for runner instances, can be either `spot` or `on-demand`."
instance\_types: "List of instance types for the action runner. Defaults are based on runner\_os (al2023 for linux and Windows Server Core for win)."
job\_queue\_retention\_in\_seconds: "The number of seconds the job is held in the queue before it is purged"
minimum\_running\_time\_in\_minutes: "The time an ec2 action runner should be running at minimum before terminated if not busy."
pool\_runner\_owner: "The pool will deploy runners to the GitHub org ID, set this value to the org to which you want the runners deployed. Repo level is not supported."
runner\_additional\_security\_group\_ids: "List of additional security groups IDs to apply to the runner. If added outside the multi\_runner\_config block, the additional security group(s) will be applied to all runner configs. If added inside the multi\_runner\_config, the additional security group(s) will be applied to the individual runner."
runner\_as\_root: "Run the action runner under the root user. Variable `runner_run_as` will be ignored."
runner\_boot\_time\_in\_minutes: "The minimum time for an EC2 runner to boot and register as a runner."
runner\_disable\_default\_labels: "Disable default labels for the runners (os, architecture and `self-hosted`). If enabled, the runner will only have the extra labels provided in `runner_extra_labels`. In case you on own start script is used, this configuration parameter needs to be parsed via SSM."
runner\_extra\_labels: "Extra (custom) labels for the runners (GitHub). Separate each label by a comma. Labels checks on the webhook can be enforced by setting `multi_runner_config.matcherConfig.exactMatch`. GitHub read-only labels should not be provided."
runner\_group\_name: "Name of the runner group."
runner\_name\_prefix: "Prefix for the GitHub runner name."
runner\_run\_as: "Run the GitHub actions agent as user."
runners\_maximum\_count: "The maximum number of runners that will be created. Setting the variable to `-1` desiables the maximum check."
scale\_down\_schedule\_expression: "Scheduler expression to check every x for scale down."
scale\_up\_reserved\_concurrent\_executions: "Amount of reserved concurrent executions for the scale-up lambda function. A value of 0 disables lambda from being triggered and -1 removes any concurrency limitations."
userdata\_template: "Alternative user-data template, replacing the default template. By providing your own user\_data you have to take care of installing all required software, including the action runner. Variables userdata\_pre/post\_install are ignored."
enable\_jit\_config "Overwrite the default behavior for JIT configuration. By default JIT configuration is enabled for ephemeral runners and disabled for non-ephemeral runners. In case of GHES check first if the JIT config API is avaialbe. In case you upgradeing from 3.x to 4.x you can set `enable_jit_config` to `false` to avoid a breaking change when having your own AMI."
enable\_runner\_detailed\_monitoring: "Should detailed monitoring be enabled for the runner. Set this to true if you want to use detailed monitoring. See https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-cloudwatch-new.html for details."
enable\_cloudwatch\_agent: "Enabling the cloudwatch agent on the ec2 runner instances, the runner contains default config. Configuration can be overridden via `cloudwatch_config`."
cloudwatch\_config: "(optional) Replaces the module default cloudwatch log config. See https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Agent-Configuration-File-Details.html for details."
userdata\_pre\_install: "Script to be ran before the GitHub Actions runner is installed on the EC2 instances"
userdata\_post\_install: "Script to be ran after the GitHub Actions runner is installed on the EC2 instances"
runner\_hook\_job\_started: "Script to be ran in the runner environment at the beginning of every job"
runner\_hook\_job\_completed: "Script to be ran in the runner environment at the end of every job"
runner\_ec2\_tags: "Map of tags that will be added to the launch template instance tag specifications."
runner\_iam\_role\_managed\_policy\_arns: "Attach AWS or customer-managed IAM policies (by ARN) to the runner IAM role"
vpc\_id: "The VPC for security groups of the action runners. If not set uses the value of `var.vpc_id`."
subnet\_ids: "List of subnets in which the action runners will be launched, the subnets needs to be subnets in the `vpc_id`. If not set, uses the value of `var.subnet_ids`."
idle\_config: "List of time period that can be defined as cron expression to keep a minimum amount of runners active instead of scaling down to 0. By defining this list you can ensure that in time periods that match the cron expression within 5 seconds a runner is kept idle."
runner\_log\_files: "(optional) Replaces the module default cloudwatch log config. See https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Agent-Configuration-File-Details.html for details."
block\_device\_mappings: "The EC2 instance block device configuration. Takes the following keys: `device_name`, `delete_on_termination`, `volume_type`, `volume_size`, `encrypted`, `iops`, `throughput`, `kms_key_id`, `snapshot_id`."
job\_retry: "Experimental! Can be removed / changed without trigger a major release. Configure job retries. The configuration enables job retries (for ephemeral runners). After creating the insances a message will be published to a job retry queue. The job retry check lambda is checking after a delay if the job is queued. If not the message will be published again on the scale-up (build queue). Using this feature can impact the reate limit of the GitHub app."
pool\_config: "The configuration for updating the pool. The `pool_size` to adjust to by the events triggered by the `schedule_expression`. For example you can configure a cron expression for week days to adjust the pool to 10 and another expression for the weekend to adjust the pool to 1. Use `schedule_expression_timezone` to override the schedule time zone (defaults to UTC)."
}
matcherConfig: {
labelMatchers: "The list of list of labels supported by the runner configuration. `[[self-hosted, linux, x64, example]]`"
exactMatch: "If set to true all labels in the workflow job must match the GitHub labels (os, architecture and `self-hosted`). When false if __any__ workflow label matches it will trigger the webhook."
priority: "If set it defines the priority of the matcher, the matcher with the lowest priority will be evaluated first. Default is 999, allowed values 0-999."
}
redrive\_build\_queue: "Set options to attach (optional) a dead letter queue to the build queue, the queue between the webhook and the scale up lambda. You have the following options. 1. Disable by setting `enabled` to false. 2. Enable by setting `enabled` to `true`, `maxReceiveCount` to a number of max retries."
} |
map(object({
runner_config = object({
runner_os = string
runner_architecture = string
runner_metadata_options = optional(map(any), {
instance_metadata_tags = "enabled"
http_endpoint = "enabled"
http_tokens = "required"
http_put_response_hop_limit = 1
})
ami = optional(object({
filter = optional(map(list(string)), { state = ["available"] })
owners = optional(list(string), ["amazon"])
id_ssm_parameter_arn = optional(string, null)
kms_key_arn = optional(string, null)
}), null) # Defaults to null, in which case the module falls back to individual AMI variables (deprecated)
# Deprecated: Use ami object instead
ami_filter = optional(map(list(string)), { state = ["available"] })
ami_owners = optional(list(string), ["amazon"])
ami_id_ssm_parameter_name = optional(string, null)
ami_kms_key_arn = optional(string, "")
create_service_linked_role_spot = optional(bool, false)
credit_specification = optional(string, null)
delay_webhook_event = optional(number, 30)
disable_runner_autoupdate = optional(bool, false)
ebs_optimized = optional(bool, false)
enable_ephemeral_runners = optional(bool, false)
enable_job_queued_check = optional(bool, null)
enable_on_demand_failover_for_errors = optional(list(string), [])
enable_organization_runners = optional(bool, false)
enable_runner_binaries_syncer = optional(bool, true)
enable_ssm_on_runners = optional(bool, false)
enable_userdata = optional(bool, true)
instance_allocation_strategy = optional(string, "lowest-price")
instance_max_spot_price = optional(string, null)
instance_target_capacity_type = optional(string, "spot")
instance_types = list(string)
job_queue_retention_in_seconds = optional(number, 86400)
minimum_running_time_in_minutes = optional(number, null)
pool_runner_owner = optional(string, null)
runner_as_root = optional(bool, false)
runner_boot_time_in_minutes = optional(number, 5)
runner_disable_default_labels = optional(bool, false)
runner_extra_labels = optional(list(string), [])
runner_group_name = optional(string, "Default")
runner_name_prefix = optional(string, "")
runner_run_as = optional(string, "ec2-user")
runners_maximum_count = number
runner_additional_security_group_ids = optional(list(string), [])
scale_down_schedule_expression = optional(string, "cron(*/5 * * * ? *)")
scale_up_reserved_concurrent_executions = optional(number, 1)
userdata_template = optional(string, null)
userdata_content = optional(string, null)
enable_jit_config = optional(bool, null)
enable_runner_detailed_monitoring = optional(bool, false)
enable_cloudwatch_agent = optional(bool, true)
cloudwatch_config = optional(string, null)
userdata_pre_install = optional(string, "")
userdata_post_install = optional(string, "")
runner_hook_job_started = optional(string, "")
runner_hook_job_completed = optional(string, "")
runner_ec2_tags = optional(map(string), {})
runner_iam_role_managed_policy_arns = optional(list(string), [])
vpc_id = optional(string, null)
subnet_ids = optional(list(string), null)
idle_config = optional(list(object({
cron = string
timeZone = string
idleCount = number
evictionStrategy = optional(string, "oldest_first")
})), [])
runner_log_files = optional(list(object({
log_group_name = string
prefix_log_group = bool
file_path = string
log_stream_name = string
})), null)
block_device_mappings = optional(list(object({
delete_on_termination = optional(bool, true)
device_name = optional(string, "/dev/xvda")
encrypted = optional(bool, true)
iops = optional(number)
kms_key_id = optional(string)
snapshot_id = optional(string)
throughput = optional(number)
volume_size = number
volume_type = optional(string, "gp3")
})), [{
volume_size = 30
}])
pool_config = optional(list(object({
schedule_expression = string
schedule_expression_timezone = optional(string)
size = number
})), [])
job_retry = optional(object({
enable = optional(bool, false)
delay_in_seconds = optional(number, 300)
delay_backoff = optional(number, 2)
lambda_memory_size = optional(number, 256)
lambda_timeout = optional(number, 30)
max_attempts = optional(number, 1)
}), {})
})
matcherConfig = object({
labelMatchers = list(list(string))
exactMatch = optional(bool, false)
priority = optional(number, 999)
})
redrive_build_queue = optional(object({
enabled = bool
maxReceiveCount = number
}), {
enabled = false
maxReceiveCount = null
})
}))
| n/a | yes | | [pool\_lambda\_reserved\_concurrent\_executions](#input\_pool\_lambda\_reserved\_concurrent\_executions) | Amount of reserved concurrent executions for the scale-up lambda function. A value of 0 disables lambda from being triggered and -1 removes any concurrency limitations. | `number` | `1` | no | | [pool\_lambda\_timeout](#input\_pool\_lambda\_timeout) | Time out for the pool lambda in seconds. | `number` | `60` | no | | [prefix](#input\_prefix) | The prefix used for naming resources | `string` | `"github-actions"` | no | @@ -192,7 +192,7 @@ module "multi-runner" { | Name | Description | |------|-------------| | [binaries\_syncer\_map](#output\_binaries\_syncer\_map) | n/a | -| [deprecated\_variables\_warning](#output\_deprecated\_variables\_warning) | Warning for deprecated variables usage | +| [deprecated\_variables\_warning](#output\_deprecated\_variables\_warning) | Warning for deprecated variables usage. These variables will be removed in a future release. Please migrate to using the consolidated 'ami' object in each runner configuration. | | [instance\_termination\_handler](#output\_instance\_termination\_handler) | n/a | | [instance\_termination\_watcher](#output\_instance\_termination\_watcher) | n/a | | [runners\_map](#output\_runners\_map) | n/a | diff --git a/modules/runners/README.md b/modules/runners/README.md index fe668150b7..f7dd7ecb88 100644 --- a/modules/runners/README.md +++ b/modules/runners/README.md @@ -133,11 +133,11 @@ yarn run dist | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [ami\_filter](#input\_ami\_filter) | Map of lists used to create the AMI filter for the action runner AMI. | `map(list(string))` |
{
"state": [
"available"
]
}
| no | -| [ami\_id\_ssm\_parameter\_arn](#input\_ami\_id\_ssm\_parameter\_arn) | ARN of the SSM parameter (of data type aws:ec2:image) that contains the AMI ID to launch runner instances from. Overrides ami\_filter | `string` | `null` | no | -| [ami\_id\_ssm\_parameter\_name](#input\_ami\_id\_ssm\_parameter\_name) | Externally managed SSM parameter (of data type aws:ec2:image) that contains the AMI ID to launch runner instances from. Overrides ami\_filter | `string` | `null` | no | -| [ami\_kms\_key\_arn](#input\_ami\_kms\_key\_arn) | Optional CMK Key ARN to be used to launch an instance from a shared encrypted AMI | `string` | `null` | no | -| [ami\_owners](#input\_ami\_owners) | The list of owners used to select the AMI of action runner instances. | `list(string)` |
[
"amazon"
]
| no | +| [ami](#input\_ami) | AMI configuration for the action runner instances. This object allows you to specify all AMI-related settings in one place.

Parameters:
- `filter`: Map of lists to filter AMIs by various criteria (e.g., { name = ["ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-*"], state = ["available"] })
- `owners`: List of AMI owners to limit the search. Common values: ["amazon"], ["self"], or specific AWS account IDs
- `id_ssm_parameter_name`: Name of an SSM parameter containing the AMI ID. If specified, this overrides the AMI filter
- `id_ssm_parameter_arn`: ARN of an SSM parameter containing the AMI ID. If specified, this overrides both AMI filter and parameter name
- `kms_key_arn`: Optional KMS key ARN if the AMI is encrypted with a customer managed key

Defaults to null, in which case the module falls back to individual AMI variables (deprecated). |
object({
filter = optional(map(list(string)), { state = ["available"] })
owners = optional(list(string), ["amazon"])
id_ssm_parameter_arn = optional(string, null)
kms_key_arn = optional(string, null)
})
| `null` | no | +| [ami\_filter](#input\_ami\_filter) | [DEPRECATED: Use ami.filter] Map of lists used to create the AMI filter for the action runner AMI. | `map(list(string))` |
{
"state": [
"available"
]
}
| no | +| [ami\_id\_ssm\_parameter\_name](#input\_ami\_id\_ssm\_parameter\_name) | [DEPRECATED: Use ami.id\_ssm\_parameter\_name] Externally managed SSM parameter (of data type aws:ec2:image) that contains the AMI ID to launch runner instances from. Overrides ami\_filter | `string` | `null` | no | +| [ami\_kms\_key\_arn](#input\_ami\_kms\_key\_arn) | [DEPRECATED: Use ami.kms\_key\_arn] Optional CMK Key ARN to be used to launch an instance from a shared encrypted AMI | `string` | `null` | no | +| [ami\_owners](#input\_ami\_owners) | [DEPRECATED: Use ami.owners] The list of owners used to select the AMI of action runner instances. | `list(string)` |
[
"amazon"
]
| no | | [associate\_public\_ipv4\_address](#input\_associate\_public\_ipv4\_address) | Associate public IPv4 with the runner. Only tested with IPv4 | `bool` | `false` | no | | [aws\_partition](#input\_aws\_partition) | (optional) partition for the base arn if not 'aws' | `string` | `"aws"` | no | | [aws\_region](#input\_aws\_region) | AWS region. | `string` | n/a | yes | diff --git a/modules/runners/pool/README.md b/modules/runners/pool/README.md index cffad1213a..e780505c1a 100644 --- a/modules/runners/pool/README.md +++ b/modules/runners/pool/README.md @@ -48,7 +48,7 @@ No modules. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | [aws\_partition](#input\_aws\_partition) | (optional) partition for the arn if not 'aws' | `string` | `"aws"` | no | -| [config](#input\_config) | Lookup details in parent module. |
object({
lambda = object({
log_level = string
logging_retention_in_days = number
logging_kms_key_id = string
reserved_concurrent_executions = number
s3_bucket = string
s3_key = string
s3_object_version = string
security_group_ids = list(string)
runtime = string
architecture = string
memory_size = number
timeout = number
zip = string
subnet_ids = list(string)
})
tags = map(string)
ghes = object({
url = string
ssl_verify = string
})
github_app_parameters = object({
key_base64 = map(string)
id = map(string)
})
subnet_ids = list(string)
runner = object({
disable_runner_autoupdate = bool
ephemeral = bool
enable_jit_config = bool
enable_on_demand_failover_for_errors = list(string)
boot_time_in_minutes = number
labels = list(string)
launch_template = object({
name = string
})
group_name = string
name_prefix = string
pool_owner = string
role = object({
arn = string
})
})
instance_types = list(string)
instance_target_capacity_type = string
instance_allocation_strategy = string
instance_max_spot_price = string
prefix = string
pool = list(object({
schedule_expression = string
schedule_expression_timezone = string
size = number
}))
role_permissions_boundary = string
kms_key_arn = string
ami_kms_key_arn = string
role_path = string
ssm_token_path = string
ssm_config_path = string
ami_id_ssm_parameter_name = string
ami_id_ssm_parameter_read_policy_arn = string
arn_ssm_parameters_path_config = string
lambda_tags = map(string)
user_agent = string
})
| n/a | yes | +| [config](#input\_config) | Lookup details in parent module. |
object({
lambda = object({
log_level = string
logging_retention_in_days = number
logging_kms_key_id = string
reserved_concurrent_executions = number
s3_bucket = string
s3_key = string
s3_object_version = string
security_group_ids = list(string)
runtime = string
architecture = string
memory_size = number
timeout = number
zip = string
subnet_ids = list(string)
})
tags = map(string)
ghes = object({
url = string
ssl_verify = string
})
github_app_parameters = object({
key_base64 = map(string)
id = map(string)
})
subnet_ids = list(string)
runner = object({
disable_runner_autoupdate = bool
ephemeral = bool
enable_jit_config = bool
enable_on_demand_failover_for_errors = list(string)
boot_time_in_minutes = number
labels = list(string)
launch_template = object({
name = string
})
group_name = string
name_prefix = string
pool_owner = string
role = object({
arn = string
})
})
instance_types = list(string)
instance_target_capacity_type = string
instance_allocation_strategy = string
instance_max_spot_price = string
prefix = string
pool = list(object({
schedule_expression = string
schedule_expression_timezone = string
size = number
}))
role_permissions_boundary = string
kms_key_arn = string
ami_kms_key_arn = string
ami_id_ssm_parameter_arn = string
role_path = string
ssm_token_path = string
ssm_config_path = string
ami_id_ssm_parameter_name = string
ami_id_ssm_parameter_read_policy_arn = string
arn_ssm_parameters_path_config = string
lambda_tags = map(string)
user_agent = string
})
| n/a | yes | | [tracing\_config](#input\_tracing\_config) | Configuration for lambda tracing. |
object({
mode = optional(string, null)
capture_http_requests = optional(bool, false)
capture_error = optional(bool, false)
})
| `{}` | no | ## Outputs From 3f9ade04412c4722a6bc7963c711f438f3f12e43 Mon Sep 17 00:00:00 2001 From: Niek Palm Date: Fri, 4 Apr 2025 22:37:41 +0200 Subject: [PATCH 18/20] update docs --- docs/configuration.md | 36 ++++++++++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) diff --git a/docs/configuration.md b/docs/configuration.md index 39240b24d9..bcf6d13aa1 100644 --- a/docs/configuration.md +++ b/docs/configuration.md 
@@ -163,6 +163,42 @@ The option `job_retry.delay_in_seconds` is the delay before the job status is ch This module also allows you to run agents from a prebuilt AMI to gain faster startup times. The module provides several examples to build your own custom AMI. To remove old images, an [AMI housekeeper module](modules/public/ami-housekeeper.md) can be used. See the [AMI examples](ami-examples/index.md) for more details. +## AMI Configuration + +By default, the module will automatically select appropriate AMI images: +- For Linux x64: Amazon Linux 2023 x86_64 +- For Linux ARM64: Amazon Linux 2023 ARM64 +- For Windows: Windows Server 2022 English Full ECS Optimized + +However, you can override these defaults using the `ami` object in two ways: + +1. **Using AMI Filters** + +You can define filters and owners to look up an AMI. The module will store the AMI ID in an SSM parameter that is managed by the module. + +```hcl +ami = { + filter = { + name = ["ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-*"] + state = ["available"] + } + owners = ["amazon"] +} +``` + +2. **Using SSM Parameter** + +Provide a parameter in SSM that contains the AMI ID. The parameter should be of type `String` and the module will grant the required lambdas access to this parameter. + +```hcl +ami = { + id_ssm_parameter_arn = "arn:aws:ssm:region:account:parameter/path/to/ami/parameter" +} +``` + +> **Note:** The old way of configuring AMIs using individual variables (`ami_filter`, `ami_owners`, `ami_kms_key_arn`) is deprecated and will be removed in a future version. It is recommended to migrate to the new consolidated `ami` object. + + ## Logging The module uses [AWS Lambda Powertools](https://awslabs.github.io/aws-lambda-powertools-typescript/latest/) for logging. By default the log level is set to `info`, by setting the log level to `debug` the incoming events of the Lambda are logged as well. From 193febd8a67433abc37aa2dd9262e7c92e4f2ff7 Mon Sep 17 00:00:00 2001 
From: Niek Palm Date: Fri, 4 Apr 2025 23:14:08 +0200 Subject: [PATCH 19/20] fix deprecation waring --- examples/default/main.tf | 8 -------- modules/runners/pool/main.tf | 12 ++++++------ 2 files changed, 6 insertions(+), 14 deletions(-) diff --git a/examples/default/main.tf b/examples/default/main.tf index 911de75437..ca04eca78c 100644 --- a/examples/default/main.tf +++ b/examples/default/main.tf @@ -142,14 +142,6 @@ module "runners" { # enable CMK instead of aws managed key for encryptions # kms_key_arn = aws_kms_key.github.arn - # pool_runner_owner = "philips-test-runners" - # pool_config = [{ - # size = 1 - # schedule_expression = "cron(0/3 14 * * ? *)" # every 3 minutes between 14:00 and 15:00 - # schedule_expression_timezone = "Europe/Amsterdam" - - # }] - } module "webhook_github_app" { diff --git a/modules/runners/pool/main.tf b/modules/runners/pool/main.tf index fafafc7790..a10bdd042a 100644 --- a/modules/runners/pool/main.tf +++ b/modules/runners/pool/main.tf @@ -189,15 +189,15 @@ resource "aws_iam_role" "scheduler" { permissions_boundary = var.config.role_permissions_boundary assume_role_policy = data.aws_iam_policy_document.scheduler_assume.json - - inline_policy { - name = "terraform" - policy = data.aws_iam_policy_document.scheduler.json - } - tags = var.config.tags } +resource "aws_iam_role_policy" "scheduler" { + name = "terraform" + role = aws_iam_role.scheduler.name + policy = data.aws_iam_policy_document.scheduler.json +} + resource "aws_scheduler_schedule" "pool" { for_each = { for i, v in var.config.pool : i => v } From 8e3d9432007930213e947b7365fa388a664ed57b Mon Sep 17 00:00:00 2001 From: github-aws-runners-pr|bot Date: Fri, 4 Apr 2025 21:15:41 +0000 Subject: [PATCH 20/20] docs: auto update terraform docs --- modules/runners/pool/README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/runners/pool/README.md b/modules/runners/pool/README.md index e780505c1a..4ed0f3f056 100644 --- a/modules/runners/pool/README.md 
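Review bot: Moving the policy from the `inline_policy` block on `aws_iam_role.scheduler` to the standalone `aws_iam_role_policy.scheduler` clears the deprecation warning, but it also gives up exclusive management of that role's inline policies. With `inline_policy` configured, the provider documents that inline policies added outside Terraform are removed on apply; with a standalone `aws_iam_role_policy`, an extra inline policy attached to the scheduler role out of band is neither reported as drift nor removed. If that least-privilege guarantee matters for this role, pair the new resource with an `aws_iam_role_policies_exclusive` resource that sets `role_name = aws_iam_role.scheduler.name` and `policy_names = [aws_iam_role_policy.scheduler.name]`, provided the module's minimum AWS provider version includes that resource. Both `aws_iam_role.scheduler` and `aws_scheduler_schedule.pool` extend outside the hunk, so this is based on the visible lines only.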
+++ b/modules/runners/pool/README.md @@ -33,6 +33,7 @@ No modules. | [aws_iam_role_policy.pool](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource | | [aws_iam_role_policy.pool_logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource | | [aws_iam_role_policy.pool_xray](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource | +| [aws_iam_role_policy.scheduler](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource | | [aws_iam_role_policy_attachment.ami_id_ssm_parameter_read](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | | [aws_iam_role_policy_attachment.pool_vpc_execution_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | | [aws_lambda_function.pool](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function) | resource |