feat: Support multi-region deployments (#437)

* fix: add override for IAM objects name to all IAM resources

* fix: input variable for IAM object name override in cache module

* chore: update comment

* chore: revert unnecessary name changes

* chore: fix typo in description of overrides variable

* feat: add example for multi-region deployment

* docs: update readme

* docs: fix typo

* chore: apply review changes

* feat: remove protected runner setting from configuration

Author: fkurz

.github/workflows/ci.yml

@@ -26,7 +26,7 @@ jobs:
       fail-fast: false
       matrix:
         terraform: [0.13.0, 0.14.0, 0.15.0, 1.0.8]
-        example: ["runner-default", "runner-docker", "runner-pre-registered", "runner-public"]
+        example: ["runner-default", "runner-docker", "runner-multi-region", "runner-pre-registered", "runner-public"]
     defaults:
       run:
         working-directory: examples/${{ matrix.example }}

README.md

@@ -32,6 +32,7 @@ overrides  = {
   name_sg                     = ""
   name_runner_agent_instance  = "Gitlab Runner Agent"
   name_docker_machine_runners = "Gitlab Runner Terraform"
+  name_iam_objects = "gitlab-runner"
 }
 
 //this doesn't work
@@ -171,6 +172,8 @@ By default the module creates a a cache for the runner in S3. Old objects are au
 
 Creation of the bucket can be disabled and managed outside this module. A good use case is for sharing the cache across multiple runners. For this purpose the cache is implemented as a sub module. For more details see the [cache module](https://github.com/npalm/terraform-aws-gitlab-runner/tree/develop/cache). An example implementation of this use case can be found in the [runner-public](https://github.com/npalm/terraform-aws-gitlab-runner/tree/__GIT_REF__/examples/runner-public) example.
 
+
+
 ## Usage
 
 ### Configuration
@@ -185,7 +188,7 @@ runner_token = "RUNNER_TOKEN"
 
 The base image used to host the GitLab Runner agent is the latest available Amazon Linux 2 HVM EBS AMI. In previous versions of this module a hard coded list of AMIs per region was provided. This list has been replaced by a search filter to find the latest AMI. Setting the filter to `amzn2-ami-hvm-2.0.20200207.1-x86_64-ebs` will allow you to version lock the target AMI.
 
-### Usage module
+### Scenario: Basic usage
 
 Below is a basic examples of usages of the module. Regarding the dependencies such as a VPC and SSH keys, have a look at the [default example](https://github.com/npalm/terraform-aws-gitlab-runner/tree/develop/examples/runner-default).
 
@@ -218,6 +221,46 @@ module "runner" {
 }
 ```
 
+### Scenario: Multi-region deployment
+
+Name clashes due to multi-region deployments for global AWS ressources create by this module (IAM, S3) can be avoided by including a distinguishing region specific prefix via the _cache_bucket_prefix_ string respectively via _name_iam_objects_ in the _overrides_ map. A simple example for this would be to set _region-specific-prefix_ to the AWS region the module is deployed to.
+
+
+
+```hcl
+module "runner" {
+  # https://registry.terraform.io/modules/npalm/gitlab-runner/aws/
+  source  = "npalm/gitlab-runner/aws"
+
+  aws_region  = "eu-west-1"
+  environment = "spot-runners"
+
+  ssh_public_key = local_file.public_ssh_key.content
+
+  vpc_id                   = module.vpc.vpc_id
+  subnet_ids_gitlab_runner = module.vpc.private_subnets
+  subnet_id_runners        = element(module.vpc.private_subnets, 0)
+
+  runners_name       = "docker-default"
+  runners_gitlab_url = "https://gitlab.com"
+
+  gitlab_runner_registration_config = {
+    registration_token = "my-token
+    tag_list           = "docker"
+    description        = "runner default"
+    locked_to_project  = "true"
+    run_untagged       = "false"
+    maximum_timeout    = "3600"
+  }
+  
+  overrides = {
+    name_iam_objects = "<region-specific-prefix>-gitlab-runner-iam"
+  }
+  
+  cache_bucket_prefix = "<region-specific-prefix>"
+}
+```
+
 ## Examples
 
 A few [examples](https://github.com/npalm/terraform-aws-gitlab-runner/tree/develop/examples/) are provided. Use the following steps to deploy. Ensure your AWS and Terraform environment is set up correctly. All commands below should be run from the `terraform-aws-gitlab-runner/examples/<example-dir>` directory.
@@ -396,7 +439,7 @@ terraform destroy
 | <a name="input_kms_key_id"></a> [kms\_key\_id](#input\_kms\_key\_id) | KMS key id to encrypted the CloudWatch logs. Ensure CloudWatch has access to the provided KMS key. | `string` | `""` | no |
 | <a name="input_log_group_name"></a> [log\_group\_name](#input\_log\_group\_name) | Option to override the default name (`environment`) of the log group, requires `enable_cloudwatch_logging = true`. | `string` | `null` | no |
 | <a name="input_metrics_autoscaling"></a> [metrics\_autoscaling](#input\_metrics\_autoscaling) | A list of metrics to collect. The allowed values are GroupDesiredCapacity, GroupInServiceCapacity, GroupPendingCapacity, GroupMinSize, GroupMaxSize, GroupInServiceInstances, GroupPendingInstances, GroupStandbyInstances, GroupStandbyCapacity, GroupTerminatingCapacity, GroupTerminatingInstances, GroupTotalCapacity, GroupTotalInstances. | `list(string)` | `null` | no |
-| <a name="input_overrides"></a> [overrides](#input\_overrides) | This maps provides the possibility to override some defaults. The following attributes are supported: `name_sg` overwrite the `Name` tag for all security groups created by this module. `name_runner_agent_instance` override the `Name` tag for the ec2 instance defined in the auto launch configuration. `name_docker_machine_runners` ovverrid the `Name` tag spot instances created by the runner agent. | `map(string)` | <pre>{<br>  "name_docker_machine_runners": "",<br>  "name_iam_objects": "",<br>  "name_runner_agent_instance": "",<br>  "name_sg": ""<br>}</pre> | no |
+| <a name="input_overrides"></a> [overrides](#input\_overrides) | This map provides the possibility to override some defaults. <br>The following attributes are supported: <br>  * `name_sg` set the name prefix and overwrite the `Name` tag for all security groups created by this module. <br>  * `name_runner_agent_instance` set the name prefix and override the `Name` tag for the EC2 gitlab runner instances defined in the auto launch configuration. <br>  * `name_docker_machine_runners` override the `Name` tag of EC2 instances created by the runner agent. <br>  * `name_iam_objects` set the name prefix of all AWS IAM resources created by this module. | `map(string)` | <pre>{<br>  "name_docker_machine_runners": "",<br>  "name_iam_objects": "",<br>  "name_runner_agent_instance": "",<br>  "name_sg": ""<br>}</pre> | no |
 | <a name="input_permissions_boundary"></a> [permissions\_boundary](#input\_permissions\_boundary) | Name of permissions boundary policy to attach to AWS IAM roles | `string` | `""` | no |
 | <a name="input_role_tags"></a> [role\_tags](#input\_role\_tags) | Map of tags that will be added to the role created. Useful for tag based authorization. | `map(string)` | `{}` | no |
 | <a name="input_runner_agent_uses_private_address"></a> [runner\_agent\_uses\_private\_address](#input\_runner\_agent\_uses\_private\_address) | Restrict the runner agent to the use of a private IP address. If `runner_agent_uses_private_address` is set to `false` it will override the `runners_use_private_address` for the agent. | `bool` | `true` | no |

examples/runner-multi-region/README.md

@@ -0,0 +1,84 @@
+# Example - Spot Runner - Multi-region
+
+In this scenario, we create multiple runner agents similarly to the _runner-public_ example but in different regions. Runners can be created with different configuration by instantiating the module multiple times. Runners will scale automatically based on configuration. The S3 cache can be shared cross runners by managing the cache outside the module.
+
+![runners-cache](https://github.com/npalm/assets/raw/master/images/terraform-aws-gitlab-runner/runner-cache.png)
+
+This examples shows:
+
+  - Multi-region deployment.
+  - Usages of public subnets.
+  - Usages of multiple runner instances sharing a common cache.
+  - Overrides for tag naming.
+  - Registration via GitLab token.
+  - Auto scaling using `docker+machine` executor.
+
+Note that global AWS resources like IAM policies and S3 buckets must be unique across regions.
+To duplicate the Gitlab runner deployment to multiple regions, we therefore have to use the name overrides for the IAM resources (_overrides.name_iam_objects_) respectively for the S3 cache bucket (_cache_bucket_prefix_) in the modules _runner_main_region_ and _runner_alternate_region_.
+
+```hcl
+# examples/runner-multi-region/main.tf
+# ...
+
+module "runner_main_region" {
+  # ...
+  
+  overrides = {
+    name_sg                     = "my-security-group"
+    name_runner_agent_instance  = "my-runner-agent"
+    name_docker_machine_runners = "my-runners-dm"
+    name_iam_objects            = local.name_iam_objects_main_region # <--
+  }
+
+  # ...
+
+  cache_bucket_prefix                  = local.cache_bucket_prefix_main_region # <--
+  cache_bucket_name_include_account_id = false
+}
+
+# ...
+
+module "runner_alternate_region" {
+  # ...
+  
+  overrides = {
+    name_sg                     = "my-security-group"
+    name_runner_agent_instance  = "my-runner-agent"
+    name_docker_machine_runners = "my-runners-dm"
+    name_iam_objects            = local.name_iam_objects_alternate_region # <--
+  }
+
+  # ...
+
+  cache_bucket_prefix                  = local.cache_bucket_prefix_alternate_region # <--
+  cache_bucket_name_include_account_id = false
+}
+```
+
+## Prerequisite
+
+The Terraform version is managed using [tfenv](https://github.com/Zordrak/tfenv). If you are not using `tfenv` please check `.terraform-version` for the tested version.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| aws | 2.56 |
+| local | 1.4 |
+| null | 2.1.2 |
+| tls | 2.1.1 |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:-----:|
+| aws\_main\_region | Main AWS region to deploy to. | `string` | `"eu-west-1"` | no |
+| aws\_alternate\_region | Main AWS region to deploy to. | `string` | `"eu-central-1"` | no |
+| environment | A name that identifies the environment, will used as prefix and for tagging. | `string` | `"runner-public"` | no |
+| gitlab\_url | URL of the gitlab instance to connect to. | `string` | `"https://gitlab.com"` | no |
+| registration\_token | n/a | `any` | n/a | yes |
+| runner\_name | Name of the runner, will be used in the runner config.toml | `string` | `"public-auto"` | no |
+
+## Outputs
+
+No output.

examples/runner-multi-region/_docs/README.md

@@ -0,0 +1,18 @@
+# Example - Spot Runner - Public subnets
+
+In this scenario the multiple runner agents can be created with different configuration by instantiating the module multiple times. Runners will scale automatically based on configuration. The S3 cache can be shared cross runners by managing the cache outside the module.
+
+![runners-cache](https://github.com/npalm/assets/raw/master/images/terraform-aws-gitlab-runner/runner-cache.png)
+
+This examples shows:
+- Usages of public subnets.
+- Usages of multiple runner instances sharing a common cache.
+- Overrides for tag naming.
+- Registration via GitLab token.
+- Auto scaling using `docker+machine` executor.
+- Register runner as [protected](https://docs.gitlab.com/ee/ci/runners/configure_runners.html#prevent-runners-from-revealing-sensitive-information). 
+
+
+## Prerequisite
+
+The Terraform version is managed using [tfenv](https://github.com/Zordrak/tfenv). If you are not using `tfenv` please check `.terraform-version` for the tested version.

examples/runner-multi-region/_docs/TF_MODULE.md

@@ -0,0 +1,25 @@
+## Providers
+
+| Name | Version |
+|------|---------|
+| aws | 2.56 |
+| local | 1.4 |
+| null | 2.1.2 |
+| tls | 2.1.1 |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:-----:|
+| aws\_region | AWS region. | `string` | `"eu-west-1"` | no |
+| environment | A name that identifies the environment, will used as prefix and for tagging. | `string` | `"runner-public"` | no |
+| gitlab\_url | URL of the gitlab instance to connect to. | `string` | `"https://gitlab.com"` | no |
+| private\_ssh\_key\_filename | n/a | `string` | `"generated/id_rsa"` | no |
+| public\_ssh\_key\_filename | n/a | `string` | `"generated/id_rsa.pub"` | no |
+| registration\_token | n/a | `any` | n/a | yes |
+| runner\_name | Name of the runner, will be used in the runner config.toml | `string` | `"public-auto"` | no |
+
+## Outputs
+
+No output.
+

examples/runner-multi-region/locals.tf

@@ -0,0 +1,6 @@
+locals {
+  name_iam_objects_main_region         = "${var.aws_main_region}-my-runner-iam-objects"
+  cache_bucket_prefix_main_region      = "${var.aws_main_region}-my-runner-cache-bucket"
+  name_iam_objects_alternate_region    = "${var.aws_alternate_region}-my-runner-iam-objects"
+  cache_bucket_prefix_alternate_region = "${var.aws_alternate_region}-my-runner-cache-bucket"
+}

examples/runner-multi-region/main.tf

@@ -0,0 +1,131 @@
+data "aws_availability_zones" "available_main_region" {
+  state = "available"
+}
+
+module "vpc_main_region" {
+  source  = "terraform-aws-modules/vpc/aws"
+  version = "2.70"
+
+  name = "vpc-${var.environment}"
+  cidr = "10.1.0.0/16"
+
+  azs            = [data.aws_availability_zones.available_main_region.names[0]]
+  public_subnets = ["10.1.101.0/24"]
+
+  map_public_ip_on_launch = "false"
+
+  tags = {
+    Environment = var.environment
+  }
+}
+
+module "runner_main_region" {
+  source = "../../"
+
+  aws_region  = var.aws_main_region
+  environment = var.environment
+
+  runners_use_private_address = false
+
+  vpc_id    = module.vpc_main_region.vpc_id
+  subnet_id = element(module.vpc_main_region.public_subnets, 0)
+
+  docker_machine_spot_price_bid = "on-demand-price"
+
+  runners_name             = var.runner_name
+  runners_gitlab_url       = var.gitlab_url
+  runners_environment_vars = ["KEY=Value", "FOO=bar"]
+
+  runners_privileged         = "false"
+  runners_additional_volumes = ["/var/run/docker.sock:/var/run/docker.sock"]
+
+  gitlab_runner_registration_config = {
+    registration_token = var.registration_token
+    tag_list           = "docker_spot_runner"
+    description        = "runner public - auto"
+    locked_to_project  = "false"
+    run_untagged       = "false"
+    maximum_timeout    = "3600"
+  }
+
+  overrides = {
+    name_sg                     = "my-security-group"
+    name_runner_agent_instance  = "my-runner-agent"
+    name_docker_machine_runners = "my-runners-dm"
+    name_iam_objects            = local.name_iam_objects_main_region
+  }
+
+  cache_shared = "true"
+
+  cache_bucket_prefix                  = local.cache_bucket_prefix_main_region
+  cache_bucket_name_include_account_id = false
+}
+
+module "vpc_alternate_region" {
+  providers = {
+    aws = aws.alternate_region
+  }
+
+  source  = "terraform-aws-modules/vpc/aws"
+  version = "2.70"
+
+  name = "vpc-${var.environment}"
+  cidr = "10.1.0.0/16"
+
+  # Have to construct the zone names here because the data source always uses the main region
+  azs            = ["${var.aws_alternate_region}a", "${var.aws_alternate_region}b", "${var.aws_alternate_region}c"]
+  public_subnets = ["10.1.101.0/24"]
+
+  map_public_ip_on_launch = "false"
+
+  tags = {
+    Environment = var.environment
+  }
+}
+
+module "runner_alternate_region" {
+  providers = {
+    aws = aws.alternate_region
+  }
+
+  source = "../../"
+
+  aws_region  = var.aws_alternate_region
+  environment = var.environment
+
+  runners_use_private_address = false
+
+  vpc_id    = module.vpc_alternate_region.vpc_id
+  subnet_id = element(module.vpc_alternate_region.public_subnets, 0)
+
+  docker_machine_spot_price_bid = "on-demand-price"
+
+  runners_name             = var.runner_name
+  runners_gitlab_url       = var.gitlab_url
+  runners_environment_vars = ["KEY=Value", "FOO=bar"]
+
+  runners_privileged         = "false"
+  runners_additional_volumes = ["/var/run/docker.sock:/var/run/docker.sock"]
+
+  gitlab_runner_registration_config = {
+    registration_token = var.registration_token
+    tag_list           = "docker_spot_runner"
+    description        = "runner public - auto"
+    locked_to_project  = "true"
+    run_untagged       = "false"
+    maximum_timeout    = "3600"
+    access_level       = "ref_protected"
+  }
+
+  overrides = {
+    name_sg                     = "my-security-group"
+    name_runner_agent_instance  = "my-runner-agent"
+    name_docker_machine_runners = "my-runners-dm"
+    name_iam_objects            = local.name_iam_objects_alternate_region
+  }
+
+  cache_shared = "true"
+
+  cache_bucket_prefix                  = local.cache_bucket_prefix_alternate_region
+  cache_bucket_name_include_account_id = false
+}

examples/runner-multi-region/providers.tf

@@ -0,0 +1,16 @@
+provider "aws" {
+  region = var.aws_main_region
+}
+
+provider "aws" {
+  region = var.aws_alternate_region
+  alias  = "alternate_region"
+}
+
+provider "local" {}
+
+provider "null" {}
+
+provider "tls" {}
+
+provider "random" {}