fix: Remove runner agents if provider assumed a role (#401)

kayman-mk · web-flow · commit 97676039b2aa · 2021-11-12T17:35:52.000+01:00
* Integrate the removal script into Terraform

* Reference variables from trigger only

* Format code

* Always read the token
diff --git a/bin/remove-runner.sh b/bin/remove-runner.sh
diff --git a/main.tf b/main.tf
@@ -21,19 +21,26 @@ resource "aws_ssm_parameter" "runner_registration_token" {
   }
 }
 
+# to read the current token for the null_resource. aws_ssm_parameter.runner_registration_token.value is never updated!
+data "aws_ssm_parameter" "current_runner_registration_token" {
+  depends_on = [aws_ssm_parameter.runner_registration_token]
+
+  name = local.secure_parameter_store_runner_token_key
+}
+
 resource "null_resource" "remove_runner" {
   depends_on = [aws_ssm_parameter.runner_registration_token]
+
   triggers = {
-    script                                  = "${path.module}/bin/remove-runner.sh"
-    aws_region                              = var.aws_region
-    runners_gitlab_url                      = var.runners_gitlab_url
-    secure_parameter_store_runner_token_key = local.secure_parameter_store_runner_token_key
+    aws_region                = var.aws_region
+    runners_gitlab_url        = var.runners_gitlab_url
+    runner_registration_token = data.aws_ssm_parameter.current_runner_registration_token.value
   }
 
   provisioner "local-exec" {
     when       = destroy
     on_failure = continue
-    command    = "${self.triggers.script} ${self.triggers.aws_region} ${self.triggers.runners_gitlab_url} ${self.triggers.secure_parameter_store_runner_token_key}"
+    command    = "curl -sS --request DELETE \"${self.triggers.runners_gitlab_url}/api/v4/runners\" --form \"token=${self.triggers.runner_registration_token}\""
   }
 }
 
diff --git a/versions.tf b/versions.tf
@@ -1,10 +1,12 @@
 terraform {
   required_version = ">= 0.13.0"
+
   required_providers {
     aws = {
       version = ">= 3.35.0"
       source  = "hashicorp/aws"
     }
+
     null = {
       source = "hashicorp/null"
     }

Original file line number	Diff line number	Diff line change
`@@ -21,19 +21,26 @@ resource "aws_ssm_parameter" "runner_registration_token" {`
`21`	`21`	`}`
`22`	`22`	`}`
`23`	`23`
	`24`	`+# to read the current token for the null_resource. aws_ssm_parameter.runner_registration_token.value is never updated!`
	`25`	`+data "aws_ssm_parameter" "current_runner_registration_token" {`
	`26`	`+ depends_on = [aws_ssm_parameter.runner_registration_token]`
	`27`	`+`
	`28`	`+ name = local.secure_parameter_store_runner_token_key`
	`29`	`+}`
	`30`	`+`
`24`	`31`	`resource "null_resource" "remove_runner" {`
`25`	`32`	`depends_on = [aws_ssm_parameter.runner_registration_token]`
	`33`	`+`
`26`	`34`	`triggers = {`
`27`		`- script = "${path.module}/bin/remove-runner.sh"`
`28`		`- aws_region = var.aws_region`
`29`		`- runners_gitlab_url = var.runners_gitlab_url`
`30`		`- secure_parameter_store_runner_token_key = local.secure_parameter_store_runner_token_key`
	`35`	`+ aws_region = var.aws_region`
	`36`	`+ runners_gitlab_url = var.runners_gitlab_url`
	`37`	`+ runner_registration_token = data.aws_ssm_parameter.current_runner_registration_token.value`
`31`	`38`	`}`
`32`	`39`
`33`	`40`	`provisioner "local-exec" {`
`34`	`41`	`when = destroy`
`35`	`42`	`on_failure = continue`
`36`		`- command = "${self.triggers.script} ${self.triggers.aws_region} ${self.triggers.runners_gitlab_url} ${self.triggers.secure_parameter_store_runner_token_key}"`
	`43`	`+ command = "curl -sS --request DELETE \"${self.triggers.runners_gitlab_url}/api/v4/runners\" --form \"token=${self.triggers.runner_registration_token}\""`
`37`	`44`	`}`
`38`	`45`	`}`
`39`	`46`
Original file line number	Diff line number	Diff line change
`@@ -1,10 +1,12 @@`
`1`	`1`	`terraform {`
`2`	`2`	`required_version = ">= 0.13.0"`
	`3`	`+`
`3`	`4`	`required_providers {`
`4`	`5`	`aws = {`
`5`	`6`	`version = ">= 3.35.0"`
`6`	`7`	`source = "hashicorp/aws"`
`7`	`8`	`}`
	`9`	`+`
`8`	`10`	`null = {`
`9`	`11`	`source = "hashicorp/null"`
`10`	`12`	`}`