Merge branch 'release/4.5.0'
npalm committed Sep 9, 2019
2 parents 7eb8d7b + 9fb5ce3 commit 1be4e10
Showing 25 changed files with 168 additions and 105 deletions.
24 changes: 24 additions & 0 deletions .github/workflows/verify.yml
@@ -0,0 +1,24 @@
name: Verify
on: [push]

jobs:
verify:
runs-on: ubuntu-latest

steps:
- uses: actions/checkout@v1
- name: verify
run: |
./ci/bin/install.sh
./ci/bin/verify.sh
verify-examples:
runs-on: ubuntu-latest

steps:
- uses: actions/checkout@v1
- name: verify-examples
run: |
./ci/bin/install.sh
./ci/bin/verify-examples.sh
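Review bot: `actions/checkout@v1` in both jobs is pinned to a mutable major tag, so the workflow runs whatever commit that tag points to at run time; pinning to a full commit SHA (with the tag in a trailing comment) makes the action version reviewable and reproducible. Both jobs also repeat `./ci/bin/install.sh` before their verify script; if that step grows (tool downloads, checksums), a single job with two steps or a composite step keeps the installation logic in one place.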
12 changes: 0 additions & 12 deletions .travis.yml

This file was deleted.

12 changes: 11 additions & 1 deletion CHANGELOG.md
@@ -5,6 +5,15 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/)
and this project adheres to [Semantic Versioning](http://semver.org/).


## Unrelease

## 4.5.0 - 2019-09-09
- Set docker machine version by default to 0.16.2 #131 @npalm
- Add SSM session manager support #121 #126 @npalm
- Move to github actions #130 @npalm
- Enable s3 encryption #129 @hendrixra
- Bump gitlab-runner to 12.2.0 #128 @mpsq

## 4.4.0 - 2019-08-21

- Added
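Review bot: the new heading `## Unrelease` is a typo for `## Unreleased`; the link reference at the bottom of this file is named `[Unreleased]`, so the Keep a Changelog convention of linking the heading to the compare URL will not match. Rename the heading. The `## 4.5.0 - 2019-09-09` entries themselves match the version bumps visible elsewhere in this commit (docker-machine 0.16.2, gitlab-runner 12.2.0, SSM access, S3 encryption).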
@@ -222,7 +231,8 @@ Module is available as Terraform 0.11 module, pin module to version 3.x. Please
- Update default AMI's to The latest Amazon Linux AMI 2017.09.1 - released on 2018-01-17.
- Minor updates in the example

[Unreleased]: https://github.com/npalm/terraform-aws-gitlab-runner/compare/4.4.0...HEAD
[Unreleased]: https://github.com/npalm/terraform-aws-gitlab-runner/compare/4.5.0...HEAD
[4.5.0]: https://github.com/npalm/terraform-aws-gitlab-runner/compare/4.4.0...4.5.0
[4.4.0]: https://github.com/npalm/terraform-aws-gitlab-runner/compare/4.3.0...4.4.0
[4.3.0]: https://github.com/npalm/terraform-aws-gitlab-runner/compare/4.2.0...4.3.0
[4.2.0]: https://github.com/npalm/terraform-aws-gitlab-runner/compare/4.1.0...4.2.0
17 changes: 15 additions & 2 deletions README.md
@@ -125,6 +125,15 @@ Once you have created the parameter, you must remove the variable `runners_token

Finally, the runner still supports the manual runner creation. No changes are required. Please keep in mind that this setup will be removed in future releases.

### Access runner instance

A few option are provide the runner instance

1. Provide a public ssh key to access the runner by setting \`\`.
2. Provide a EC2 key pair to access the runner by setting \`\`.
3. Access via the Session Manager (SSM) by setting `enable_runner_ssm_access` to `true`. The policy to allow access via SSM is not very restrictive.
4. By setting non of the above no keys or extra policies will be attached to the instance. You can still configure you own policies by attaching them to `runner_agent_role_arn`.

### GitLab runner cache

By default the module creates a a cache for the runner in S3. Old objects are automatically remove via a configurable life cycle policy on the bucket.
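Review bot: items 1 and 2 of the new "Access runner instance" list have empty code spans (`\`\``) where the variable names belong; from the inputs table later in this file those are `ssh_public_key` and `ssh_key_pair`. Item 3 says the SSM policy "is not very restrictive" without naming it; since `enable_runner_ssm_access` is the option that widens the runner agent's IAM permissions, state which policy is attached so users can judge its scope, and point at `instance_role_json` / `runner_agent_role_arn` as the way to tighten it. Grammar: "A few option are provide the runner instance" should read "A few options are provided to access the runner instance", "non of the above" should be "none of the above", and "you own policies" should be "your own policies".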
@@ -233,21 +242,24 @@ terraform destroy
| docker\_machine\_spot\_price\_bid | Spot price bid. | string | `"0.06"` | no |
| docker\_machine\_ssh\_cidr\_blocks | List of CIDR blocks to allow SSH Access to the docker machine runner instance. | list(string) | `<list>` | no |
| docker\_machine\_user | Username of the user used to create the spot instances that host docker-machine. | string | `"docker-machine"` | no |
| docker\_machine\_version | Version of docker-machine. | string | `"0.16.1"` | no |
| docker\_machine\_version | Version of docker-machine. | string | `"0.16.2"` | no |
| enable\_cloudwatch\_logging | Boolean used to enable or disable the CloudWatch logging. | bool | `"true"` | no |
| enable\_gitlab\_runner\_ssh\_access | Enables SSH Access to the gitlab runner instance. | bool | `"false"` | no |
| enable\_manage\_gitlab\_token | Boolean to enable the management of the GitLab token in SSM. If `true` the token will be stored in SSM, which means the SSM property is a terraform managed resource. If `false` the Gitlab token will be stored in the SSM by the user-data script during creation of the the instance. However the SSM parameter is not managed by terraform and will remain in SSM after a `terraform destroy`. | bool | `"true"` | no |
| enable\_runner\_ssm\_access | Add IAM policies to the runner agent instance to connect via the Session Manager. | bool | `"false"` | no |
| enable\_runner\_user\_data\_trace\_log | Enable bash xtrace for the user data script that creates the EC2 instance for the runner agent. Be aware this could log sensitive data such as you GitLab runner token. | bool | `"false"` | no |
| enable\_schedule | Flag used to enable/disable auto scaling group schedule for the runner instance. | bool | `"false"` | no |
| environment | A name that identifies the environment, used as prefix and for tagging. | string | n/a | yes |
| gitlab\_runner\_registration\_config | Configuration used to register the runner. See the README for an example, or reference the examples in the examples directory of this repo. | map(string) | `<map>` | no |
| gitlab\_runner\_ssh\_cidr\_blocks | List of CIDR blocks to allow SSH Access to the gitlab runner instance. | list(string) | `<list>` | no |
| gitlab\_runner\_version | Version of the GitLab runner. | string | `"12.1.0"` | no |
| gitlab\_runner\_version | Version of the GitLab runner. | string | `"12.2.0"` | no |
| instance\_role\_json | Default runner instance override policy, expected to be in JSON format. | string | `""` | no |
| instance\_type | Instance type used for the GitLab runner. | string | `"t3.micro"` | no |
| overrides | This maps provides the possibility to override some defaults. The following attributes are supported: `name_sg` overwrite the `Name` tag for all security groups created by this module. `name_runner_agent_instance` override the `Name` tag for the ec2 instance defined in the auto launch configuration. `name_docker_machine_runners` ovverrid the `Name` tag spot instances created by the runner agent. | map(string) | `<map>` | no |
| runner\_ami\_filter | List of maps used to create the AMI filter for the Gitlab runner docker-machine AMI. | map(list(string)) | `<map>` | no |
| runner\_ami\_owners | The list of owners used to select the AMI of Gitlab runner docker-machine instances. | list(string) | `<list>` | no |
| runner\_instance\_spot\_price | By setting a spot price bid price the runner agent will be created via a spot request. Be aware that spot instances can be stopped by AWS. | string | `""` | no |
| runner\_root\_block\_device | The EC2 instance root block device configuration. Takes the following keys: `delete_on_termination`, `volume_type`, `volume_size`, `iops` | map(string) | `<map>` | no |
| runners\_additional\_volumes | Additional volumes that will be used in the runner config.toml, e.g Docker socket | list | `<list>` | no |
| runners\_concurrent | Concurrent value for the runners, will be used in the runner config.toml. | number | `"10"` | no |
| runners\_environment\_vars | Environment variables during build execution, e.g. KEY=Value, see runner-public example. Will be used in the runner config.toml | list(string) | `<list>` | no |
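Review bot: the new `enable_runner_ssm_access` row says "Add IAM policies to the runner agent instance" without naming them; this is the only input in the table that grants the instance additional permissions, so the description should name the attached policy (the prose section above calls it "not very restrictive"). If this table is generated from the module's variable definitions, change the description at the source so README.md and `_docs/TF_MODULE.md` stay in sync. The `docker_machine_version` (`0.16.2`) and `gitlab_runner_version` (`12.2.0`) defaults match the CHANGELOG entries.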
@@ -276,6 +288,7 @@ terraform destroy
| runners\_shm\_size | shm_size for the runners, will be used in the runner config.toml | number | `"0"` | no |
| runners\_token | Token for the runner, will be used in the runner config.toml. | string | `"__REPLACED_BY_USER_DATA__"` | no |
| runners\_use\_private\_address | Restrict runners to the use of a private IP address | bool | `"true"` | no |
| schedule\_config | Map containing the configuration of the ASG scale-in and scale-up for the runner instance. Will only be used if enable_schedule is set to true. | map | `<map>` | no |
| secure\_parameter\_store\_runner\_token\_key | The key name used store the Gitlab runner token in Secure Parameter Store | string | `"runner-token"` | no |
| ssh\_key\_pair | Set this to use existing AWS key pair | string | `""` | no |
| ssh\_public\_key | Public SSH key used for the GitLab runner EC2 instance. | string | `""` | no |
9 changes: 9 additions & 0 deletions _docs/README.md
@@ -124,6 +124,15 @@ Once you have created the parameter, you must remove the variable `runners_token

Finally, the runner still supports the manual runner creation. No changes are required. Please keep in mind that this setup will be removed in future releases.

### Access runner instance

A few option are provide the runner instance
1. Provide a public ssh key to access the runner by setting ``.
2. Provide a EC2 key pair to access the runner by setting ``.
3. Access via the Session Manager (SSM) by setting `enable_runner_ssm_access` to `true`. The policy to allow access via SSM is not very restrictive.
4. By setting non of the above no keys or extra policies will be attached to the instance. You can still configure you own policies by attaching them to `runner_agent_role_arn`.


### GitLab runner cache

By default the module creates a a cache for the runner in S3. Old objects are automatically remove via a configurable life cycle policy on the bucket.
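Review bot: the same empty code spans (``) as in the README.md copy of this section; since `_docs/README.md` changes in lockstep with README.md in this commit and looks like the source it is assembled from, the variable names (`ssh_public_key`, `ssh_key_pair`, per the inputs table) should be filled in here. Formatting: a blank line is missing between the intro sentence and the numbered list, and there are two blank lines before `### GitLab runner cache`.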
5 changes: 3 additions & 2 deletions _docs/TF_MODULE.md
@@ -20,16 +20,17 @@
| docker\_machine\_spot\_price\_bid | Spot price bid. | string | `"0.06"` | no |
| docker\_machine\_ssh\_cidr\_blocks | List of CIDR blocks to allow SSH Access to the docker machine runner instance. | list(string) | `<list>` | no |
| docker\_machine\_user | Username of the user used to create the spot instances that host docker-machine. | string | `"docker-machine"` | no |
| docker\_machine\_version | Version of docker-machine. | string | `"0.16.1"` | no |
| docker\_machine\_version | Version of docker-machine. | string | `"0.16.2"` | no |
| enable\_cloudwatch\_logging | Boolean used to enable or disable the CloudWatch logging. | bool | `"true"` | no |
| enable\_gitlab\_runner\_ssh\_access | Enables SSH Access to the gitlab runner instance. | bool | `"false"` | no |
| enable\_manage\_gitlab\_token | Boolean to enable the management of the GitLab token in SSM. If `true` the token will be stored in SSM, which means the SSM property is a terraform managed resource. If `false` the Gitlab token will be stored in the SSM by the user-data script during creation of the the instance. However the SSM parameter is not managed by terraform and will remain in SSM after a `terraform destroy`. | bool | `"true"` | no |
| enable\_runner\_ssm\_access | Add IAM policies to the runner agent instance to connect via the Session Manager. | bool | `"false"` | no |
| enable\_runner\_user\_data\_trace\_log | Enable bash xtrace for the user data script that creates the EC2 instance for the runner agent. Be aware this could log sensitive data such as you GitLab runner token. | bool | `"false"` | no |
| enable\_schedule | Flag used to enable/disable auto scaling group schedule for the runner instance. | bool | `"false"` | no |
| environment | A name that identifies the environment, used as prefix and for tagging. | string | n/a | yes |
| gitlab\_runner\_registration\_config | Configuration used to register the runner. See the README for an example, or reference the examples in the examples directory of this repo. | map(string) | `<map>` | no |
| gitlab\_runner\_ssh\_cidr\_blocks | List of CIDR blocks to allow SSH Access to the gitlab runner instance. | list(string) | `<list>` | no |
| gitlab\_runner\_version | Version of the GitLab runner. | string | `"12.1.0"` | no |
| gitlab\_runner\_version | Version of the GitLab runner. | string | `"12.2.0"` | no |
| instance\_role\_json | Default runner instance override policy, expected to be in JSON format. | string | `""` | no |
| instance\_type | Instance type used for the GitLab runner. | string | `"t3.micro"` | no |
| overrides | This maps provides the possibility to override some defaults. The following attributes are supported: `name_sg` overwrite the `Name` tag for all security groups created by this module. `name_runner_agent_instance` override the `Name` tag for the ec2 instance defined in the auto launch configuration. `name_docker_machine_runners` ovverrid the `Name` tag spot instances created by the runner agent. | map(string) | `<map>` | no |
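Review bot: this generated table mirrors the README inputs, so the `enable_runner_ssm_access` description should name the IAM policy it attaches, as noted on README.md; fixing the variable description at its source updates both files. The unchanged `overrides` row still carries the typo "ovverrid".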
8 changes: 8 additions & 0 deletions cache/main.tf
@@ -44,6 +44,14 @@ resource "aws_s3_bucket" "build_cache" {
days = var.cache_expiration_days
}
}

server_side_encryption_configuration {
rule {
apply_server_side_encryption_by_default {
sse_algorithm = "AES256"
}
}
}
}

data "template_file" "docker_machine_cache_policy" {
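Review bot: the default-encryption block with `sse_algorithm = "AES256"` (SSE-S3) applies only to objects written after the change; cache objects already in the bucket are not re-encrypted by `terraform apply`, and the CHANGELOG entry "Enable s3 encryption #129" should say so and name the method. Consider exposing the algorithm and a KMS key id as module inputs so teams that need key control and CloudTrail key-usage auditing can select `aws:kms` with a customer-managed key without forking the module; default encryption covers objects uploaded without an SSE header, but a bucket policy is still needed if you want to forbid clients from choosing a different SSE method.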
2 changes: 1 addition & 1 deletion ci/bin/terraform.sh
@@ -3,7 +3,7 @@
TARGET_DIR=/opt
PATH=${PATH}:${TARGET_DIR}

TERRAFORM_VERSION=${1:-"0.12.3"}
TERRAFORM_VERSION=${1:-"0.12.8"}
OS=${2:-"linux"}
TERRAFORM_URL="https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_${OS}_amd64.zip"
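Review bot: the bump to `0.12.8` is fine, but the visible lines build `TERRAFORM_URL` with no checksum, and the hunk shows nothing verifying the archive before it is unpacked into `${TARGET_DIR}`; HashiCorp publishes a `terraform_${TERRAFORM_VERSION}_SHA256SUMS` file alongside each release, so if the rest of the script does not already check it, fetch that file and run `sha256sum -c` on the zip before installing, since this binary then runs with the CI job's credentials.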

2 changes: 1 addition & 1 deletion examples/runner-default/.terraform-version
@@ -1 +1 @@
0.12.6
0.12.8
28 changes: 6 additions & 22 deletions examples/runner-default/README.md
@@ -1,35 +1,19 @@
# Example - Spot Runner - Public subnets
# Example - Spot Runner - Default

In this scenario the multiple runner agents can be created with different configuration by instantiating the module multiple times. Runners will scale automatically based on configuration. The S3 cache can be shared cross runners by managing the cache outside the module.

![runners-cache](https://github.com/npalm/assets/raw/master/images/terraform-aws-gitlab-runner/runner-cache.png)
In this scenario the runner agent is running on a single EC2 node and runners are created by [docker machine](https://docs.gitlab.com/runner/configuration/autoscale.html) using spot instances. Runners will scale automatically based on configuration. The module creates by default a S3 cache that is shared cross runners (spot instances).

This examples shows:

- Usages of public subnets.
- Useages of multiple runner instances sharing a common cache.
- Overrides for tag naming.
- Usages of public / private VPC
- No SSH keys, you can log into the instance via SSM (Session Manager).
- Registration via GitLab token.
- Auto scaling using `docker+machine` executor.

![runners-default](https://github.com/npalm/assets/raw/master/images/terraform-aws-gitlab-runner/runner-default.png)

The Terraform version is managed using [tfenv](https://github.com/Zordrak/tfenv). If you are not using `tfenv` please check `.terraform-version` for the tested version.

➜ tmp cat terraform-aws-gitlab-runner/examples/runner-default/\_docs/README.md

# Example - Spot Runner - Private subnet

In this scenario the runner agent is running on a single EC2 node and runners are created by [docker machine](https://docs.gitlab.com/runner/configuration/autoscale.html) using spot instances. Runners will scale automatically based on configuration. The module creates by default a S3 cache that is shared cross runners (spot instances).

![runners-default](https://github.com/npalm/assets/raw/master/images/terraform-aws-gitlab-runner/runner-default.png)

This examples shows:
## Prerequisite

- Usages of public / private subnets.
- Usages of runner of peak time mode configuration.
- Registration via GitLab token.
- Auto scaling using `docker+machine` executor.
The Terraform version is managed using [tfenv](https://github.com/Zordrak/tfenv). If you are not using `tfenv` please check `.terraform-version` for the tested version.

## Inputs
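Review bot: dropping the pasted `➜ tmp cat ...` terminal line and the duplicated "Private subnet" section is the right fix. The new bullet "No SSH keys, you can log into the instance via SSM (Session Manager)" should mention that this depends on `enable_runner_ssm_access = true` in the example's main.tf and that the SSM policy it attaches is broad (the main README says so), so readers copying the example know what it grants. "Usages of public / private VPC" reads oddly; the old wording "public / private subnets" is the accurate description.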

26 changes: 6 additions & 20 deletions examples/runner-default/_docs/README.md
@@ -1,30 +1,16 @@
# Example - Spot Runner - Public subnets
# Example - Spot Runner - Default

In this scenario the multiple runner agents can be created with different configuration by instantiating the module multiple times. Runners will scale automatically based on configuration. The S3 cache can be shared cross runners by managing the cache outside the module.

![runners-cache](https://github.com/npalm/assets/raw/master/images/terraform-aws-gitlab-runner/runner-cache.png)
In this scenario the runner agent is running on a single EC2 node and runners are created by [docker machine](https://docs.gitlab.com/runner/configuration/autoscale.html) using spot instances. Runners will scale automatically based on configuration. The module creates by default a S3 cache that is shared cross runners (spot instances).

This examples shows:
- Usages of public subnets.
- Useages of multiple runner instances sharing a common cache.
- Overrides for tag naming.
- Usages of public / private VPC
- No SSH keys, you can log into the instance via SSM (Session Manager).
- Registration via GitLab token.
- Auto scaling using `docker+machine` executor.


![runners-default](https://github.com/npalm/assets/raw/master/images/terraform-aws-gitlab-runner/runner-default.png)

The Terraform version is managed using [tfenv](https://github.com/Zordrak/tfenv). If you are not using `tfenv` please check `.terraform-version` for the tested version.

➜ tmp cat terraform-aws-gitlab-runner/examples/runner-default/_docs/README.md
# Example - Spot Runner - Private subnet

In this scenario the runner agent is running on a single EC2 node and runners are created by [docker machine](https://docs.gitlab.com/runner/configuration/autoscale.html) using spot instances. Runners will scale automatically based on configuration. The module creates by default a S3 cache that is shared cross runners (spot instances).

![runners-default](https://github.com/npalm/assets/raw/master/images/terraform-aws-gitlab-runner/runner-default.png)
## Prerequisite

This examples shows:
- Usages of public / private subnets.
- Usages of runner of peak time mode configuration.
- Registration via GitLab token.
- Auto scaling using `docker+machine` executor.
The Terraform version is managed using [tfenv](https://github.com/Zordrak/tfenv). If you are not using `tfenv` please check `.terraform-version` for the tested version.
26 changes: 0 additions & 26 deletions examples/runner-default/key.tf

This file was deleted.

7 changes: 3 additions & 4 deletions examples/runner-default/main.tf
@@ -28,14 +28,13 @@ module "runner" {
aws_region = var.aws_region
environment = var.environment

ssh_public_key = local_file.public_ssh_key.content

vpc_id = module.vpc.vpc_id
subnet_ids_gitlab_runner = module.vpc.private_subnets
subnet_id_runners = element(module.vpc.private_subnets, 0)

runners_name = var.runner_name
runners_gitlab_url = var.gitlab_url
runners_name = var.runner_name
runners_gitlab_url = var.gitlab_url
enable_runner_ssm_access = true

docker_machine_spot_price_bid = "0.06"
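Review bot: removing `ssh_public_key = local_file.public_ssh_key.content` is consistent with deleting `examples/runner-default/key.tf`, and `enable_runner_ssm_access = true` takes its place. Two observations: the re-indentation of `runners_name` / `runners_gitlab_url` is a whitespace-only `terraform fmt` change mixed into the functional one, and because this example now grants the instance SSM permissions, a short comment on that line pointing at the README caveat about the policy's breadth would help users who copy the example into production.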

2 changes: 1 addition & 1 deletion examples/runner-docker/.terraform-version
@@ -1 +1 @@
0.12.6
0.12.8
3 changes: 2 additions & 1 deletion examples/runner-docker/key.tf
@@ -20,7 +20,8 @@ resource "null_resource" "file_permission" {
depends_on = [local_file.private_ssh_key]

provisioner "local-exec" {
command = format("chmod 600 %s", var.private_ssh_key_filename)
command = format("chmod 600 %s", var.private_ssh_key_filename)
interpreter = ["/bin/bash", "-c"]
}
}
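Review bot: `format("chmod 600 %s", var.private_ssh_key_filename)` interpolates the path into a bash command unquoted, so a filename containing spaces or shell metacharacters breaks the command or changes its meaning; adding `interpreter = ["/bin/bash", "-c"]` only fixes which shell runs it. Quote the argument (`format("chmod 600 '%s'", var.private_ssh_key_filename)`) or avoid the shell entirely by setting `file_permission = "0600"` on the `local_file` resource, which newer releases of the local provider support, so the private key is never written world-readable first.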

2 changes: 1 addition & 1 deletion examples/runner-pre-registered/.terraform-version
@@ -1 +1 @@
0.12.3
0.12.8
3 changes: 2 additions & 1 deletion examples/runner-pre-registered/key.tf
@@ -20,7 +20,8 @@ resource "null_resource" "file_permission" {
depends_on = [local_file.private_ssh_key]

provisioner "local-exec" {
command = format("chmod 600 %s", var.private_ssh_key_filename)
command = format("chmod 600 %s", var.private_ssh_key_filename)
interpreter = ["/bin/bash", "-c"]
}
}
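Review bot: same issue as the identical hunk in `examples/runner-docker/key.tf`: the path in `format("chmod 600 %s", var.private_ssh_key_filename)` is unquoted in the bash command, and the key file is written with default permissions before the `chmod` runs; quote the argument or use `file_permission = "0600"` on the `local_file` resource instead of a `local-exec` provisioner.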

2 changes: 1 addition & 1 deletion examples/runner-public/.terraform-version
@@ -1 +1 @@
0.12.6
0.12.8
2 changes: 1 addition & 1 deletion examples/runner-public/README.md
@@ -7,7 +7,7 @@ In this scenario the multiple runner agents can be created with different config
This examples shows:

- Usages of public subnets.
- Useages of multiple runner instances sharing a common cache.
- Usages of multiple runner instances sharing a common cache.
- Overrides for tag naming.
- Registration via GitLab token.
- Auto scaling using `docker+machine` executor.
2 changes: 1 addition & 1 deletion examples/runner-public/_docs/README.md
@@ -6,7 +6,7 @@ In this scenario the multiple runner agents can be created with different config

This examples shows:
- Usages of public subnets.
- Useages of multiple runner instances sharing a common cache.
- Usages of multiple runner instances sharing a common cache.
- Overrides for tag naming.
- Registration via GitLab token.
- Auto scaling using `docker+machine` executor.