diff --git a/.github/workflows/verify.yml b/.github/workflows/verify.yml
new file mode 100644
index 000000000..944ed41d5
--- /dev/null
+++ b/.github/workflows/verify.yml
@@ -0,0 +1,24 @@
+name: Verify
+on: [push]
+
+jobs:
+  verify:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v1
+      - name: verify
+        run: |
+          ./ci/bin/install.sh
+          ./ci/bin/verify.sh
+
+  verify-examples:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v1
+      - name: verify-examples
+        run: |
+          ./ci/bin/install.sh
+          ./ci/bin/verify-examples.sh
+
diff --git a/.travis.yml b/.travis.yml
deleted file mode 100644
index 28150f5ec..000000000
--- a/.travis.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-dist: trusty
-sudo: false
-
-install:
-  - ./ci/bin/install.sh
-
-jobs:
-  include:
-    - stage: verify
-      script: ./ci/bin/verify.sh
-    - stage: verify
-      script: ./ci/bin/verify-examples.sh examples
diff --git a/CHANGELOG.md b/CHANGELOG.md
index ef44baf7b..12c85baa6 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,15 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/)
 and this project adheres to [Semantic Versioning](http://semver.org/).
 
+## Unrelease
+
+## 4.5.0 - 2019-09-09
+- Set docker machine version by default to 0.16.2 #131 @npalm
+- Add SSM session manager support #121 #126 @npalm
+- Move to github actions #130 @npalm
+- Enable s3 encryption #129 @hendrixra
+- Bump gitlab-runner to 12.2.0 #128 @mpsq
+
 ## 4.4.0 - 2019-08-21
 - Added
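Review bot: Both jobs in the new workflow check out the repository with `actions/checkout@v1`, a mutable tag that the action's maintainers can move, so each run executes whatever that tag points to at the time; pinning to a full commit SHA (`- uses: actions/checkout@<full-commit-sha>  # v1`, placeholder) keeps the checkout step reproducible and makes a bump reviewable. The workflow is also triggered only by `on: [push]`, so pull requests from forks are not verified before merge; adding `pull_request` to the trigger list would cover them. The two jobs duplicate the same install/verify pair, which is fine for two jobs, but a matrix over the verify script would keep them in sync if more are added.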
@@ -222,7 +231,8 @@ Module is available as Terraform 0.11 module, pin module to version 3.x. Please - Update default AMI's to The latest Amazon Linux AMI 2017.09.1 - released on 2018-01-17. - Minor updates in the example -[Unreleased]: https://github.com/npalm/terraform-aws-gitlab-runner/compare/4.4.0...HEAD +[Unreleased]: https://github.com/npalm/terraform-aws-gitlab-runner/compare/4.5.0...HEAD +[4.5.0]: https://github.com/npalm/terraform-aws-gitlab-runner/compare/4.4.0...4.5.0 [4.4.0]: https://github.com/npalm/terraform-aws-gitlab-runner/compare/4.3.0...4.4.0 [4.3.0]: https://github.com/npalm/terraform-aws-gitlab-runner/compare/4.2.0...4.3.0 [4.2.0]: https://github.com/npalm/terraform-aws-gitlab-runner/compare/4.1.0...4.2.0 diff --git a/README.md b/README.md index 99b03fcd0..ce5807069 100644 --- a/README.md +++ b/README.md @@ -125,6 +125,15 @@ Once you have created the parameter, you must remove the variable `runners_token Finally, the runner still supports the manual runner creation. No changes are required. Please keep in mind that this setup will be removed in future releases. +### Access runner instance + +A few option are provide the runner instance + +1. Provide a public ssh key to access the runner by setting \`\`. +2. Provide a EC2 key pair to access the runner by setting \`\`. +3. Access via the Session Manager (SSM) by setting `enable_runner_ssm_access` to `true`. The policy to allow access via SSM is not very restrictive. +4. By setting non of the above no keys or extra policies will be attached to the instance. You can still configure you own policies by attaching them to `runner_agent_role_arn`. + ### GitLab runner cache By default the module creates a a cache for the runner in S3. Old objects are automatically remove via a configurable life cycle policy on the bucket. 
@@ -233,21 +242,24 @@ terraform destroy | docker\_machine\_spot\_price\_bid | Spot price bid. | string | `"0.06"` | no | | docker\_machine\_ssh\_cidr\_blocks | List of CIDR blocks to allow SSH Access to the docker machine runner instance. | list(string) | `` | no | | docker\_machine\_user | Username of the user used to create the spot instances that host docker-machine. | string | `"docker-machine"` | no | -| docker\_machine\_version | Version of docker-machine. | string | `"0.16.1"` | no | +| docker\_machine\_version | Version of docker-machine. | string | `"0.16.2"` | no | | enable\_cloudwatch\_logging | Boolean used to enable or disable the CloudWatch logging. | bool | `"true"` | no | | enable\_gitlab\_runner\_ssh\_access | Enables SSH Access to the gitlab runner instance. | bool | `"false"` | no | | enable\_manage\_gitlab\_token | Boolean to enable the management of the GitLab token in SSM. If `true` the token will be stored in SSM, which means the SSM property is a terraform managed resource. If `false` the Gitlab token will be stored in the SSM by the user-data script during creation of the the instance. However the SSM parameter is not managed by terraform and will remain in SSM after a `terraform destroy`. | bool | `"true"` | no | +| enable\_runner\_ssm\_access | Add IAM policies to the runner agent instance to connect via the Session Manager. | bool | `"false"` | no | | enable\_runner\_user\_data\_trace\_log | Enable bash xtrace for the user data script that creates the EC2 instance for the runner agent. Be aware this could log sensitive data such as you GitLab runner token. | bool | `"false"` | no | +| enable\_schedule | Flag used to enable/disable auto scaling group schedule for the runner instance. | bool | `"false"` | no | | environment | A name that identifies the environment, used as prefix and for tagging. | string | n/a | yes | | gitlab\_runner\_registration\_config | Configuration used to register the runner. 
See the README for an example, or reference the examples in the examples directory of this repo. | map(string) | `` | no | | gitlab\_runner\_ssh\_cidr\_blocks | List of CIDR blocks to allow SSH Access to the gitlab runner instance. | list(string) | `` | no | -| gitlab\_runner\_version | Version of the GitLab runner. | string | `"12.1.0"` | no | +| gitlab\_runner\_version | Version of the GitLab runner. | string | `"12.2.0"` | no | | instance\_role\_json | Default runner instance override policy, expected to be in JSON format. | string | `""` | no | | instance\_type | Instance type used for the GitLab runner. | string | `"t3.micro"` | no | | overrides | This maps provides the possibility to override some defaults. The following attributes are supported: `name_sg` overwrite the `Name` tag for all security groups created by this module. `name_runner_agent_instance` override the `Name` tag for the ec2 instance defined in the auto launch configuration. `name_docker_machine_runners` ovverrid the `Name` tag spot instances created by the runner agent. | map(string) | `` | no | | runner\_ami\_filter | List of maps used to create the AMI filter for the Gitlab runner docker-machine AMI. | map(list(string)) | `` | no | | runner\_ami\_owners | The list of owners used to select the AMI of Gitlab runner docker-machine instances. | list(string) | `` | no | | runner\_instance\_spot\_price | By setting a spot price bid price the runner agent will be created via a spot request. Be aware that spot instances can be stopped by AWS. | string | `""` | no | +| runner\_root\_block\_device | The EC2 instance root block device configuration. Takes the following keys: `delete_on_termination`, `volume_type`, `volume_size`, `iops` | map(string) | `` | no | | runners\_additional\_volumes | Additional volumes that will be used in the runner config.toml, e.g Docker socket | list | `` | no | | runners\_concurrent | Concurrent value for the runners, will be used in the runner config.toml. 
| number | `"10"` | no | | runners\_environment\_vars | Environment variables during build execution, e.g. KEY=Value, see runner-public example. Will be used in the runner config.toml | list(string) | `` | no | @@ -276,6 +288,7 @@ terraform destroy | runners\_shm\_size | shm_size for the runners, will be used in the runner config.toml | number | `"0"` | no | | runners\_token | Token for the runner, will be used in the runner config.toml. | string | `"__REPLACED_BY_USER_DATA__"` | no | | runners\_use\_private\_address | Restrict runners to the use of a private IP address | bool | `"true"` | no | +| schedule\_config | Map containing the configuration of the ASG scale-in and scale-up for the runner instance. Will only be used if enable_schedule is set to true. | map | `` | no | | secure\_parameter\_store\_runner\_token\_key | The key name used store the Gitlab runner token in Secure Parameter Store | string | `"runner-token"` | no | | ssh\_key\_pair | Set this to use existing AWS key pair | string | `""` | no | | ssh\_public\_key | Public SSH key used for the GitLab runner EC2 instance. | string | `""` | no | diff --git a/_docs/README.md b/_docs/README.md index 3163b7d16..0dda80ff2 100644 --- a/_docs/README.md +++ b/_docs/README.md 
@@ -124,6 +124,15 @@ Once you have created the parameter, you must remove the variable `runners_token Finally, the runner still supports the manual runner creation. No changes are required. Please keep in mind that this setup will be removed in future releases. +### Access runner instance + +A few option are provide the runner instance +1. Provide a public ssh key to access the runner by setting ``. +2. Provide a EC2 key pair to access the runner by setting ``. +3. Access via the Session Manager (SSM) by setting `enable_runner_ssm_access` to `true`. The policy to allow access via SSM is not very restrictive. +4. By setting non of the above no keys or extra policies will be attached to the instance. You can still configure you own policies by attaching them to `runner_agent_role_arn`. + + ### GitLab runner cache By default the module creates a a cache for the runner in S3. Old objects are automatically remove via a configurable life cycle policy on the bucket. diff --git a/_docs/TF_MODULE.md b/_docs/TF_MODULE.md index d94575a38..3ca61edb8 100644 --- a/_docs/TF_MODULE.md +++ b/_docs/TF_MODULE.md 
@@ -20,16 +20,17 @@ | docker\_machine\_spot\_price\_bid | Spot price bid. | string | `"0.06"` | no | | docker\_machine\_ssh\_cidr\_blocks | List of CIDR blocks to allow SSH Access to the docker machine runner instance. | list(string) | `` | no | | docker\_machine\_user | Username of the user used to create the spot instances that host docker-machine. | string | `"docker-machine"` | no | -| docker\_machine\_version | Version of docker-machine. | string | `"0.16.1"` | no | +| docker\_machine\_version | Version of docker-machine. | string | `"0.16.2"` | no | | enable\_cloudwatch\_logging | Boolean used to enable or disable the CloudWatch logging. | bool | `"true"` | no | | enable\_gitlab\_runner\_ssh\_access | Enables SSH Access to the gitlab runner instance. | bool | `"false"` | no | | enable\_manage\_gitlab\_token | Boolean to enable the management of the GitLab token in SSM. If `true` the token will be stored in SSM, which means the SSM property is a terraform managed resource. If `false` the Gitlab token will be stored in the SSM by the user-data script during creation of the the instance. However the SSM parameter is not managed by terraform and will remain in SSM after a `terraform destroy`. | bool | `"true"` | no | +| enable\_runner\_ssm\_access | Add IAM policies to the runner agent instance to connect via the Session Manager. | bool | `"false"` | no | | enable\_runner\_user\_data\_trace\_log | Enable bash xtrace for the user data script that creates the EC2 instance for the runner agent. Be aware this could log sensitive data such as you GitLab runner token. | bool | `"false"` | no | | enable\_schedule | Flag used to enable/disable auto scaling group schedule for the runner instance. | bool | `"false"` | no | | environment | A name that identifies the environment, used as prefix and for tagging. | string | n/a | yes | | gitlab\_runner\_registration\_config | Configuration used to register the runner. 
See the README for an example, or reference the examples in the examples directory of this repo. | map(string) | `` | no | | gitlab\_runner\_ssh\_cidr\_blocks | List of CIDR blocks to allow SSH Access to the gitlab runner instance. | list(string) | `` | no | -| gitlab\_runner\_version | Version of the GitLab runner. | string | `"12.1.0"` | no | +| gitlab\_runner\_version | Version of the GitLab runner. | string | `"12.2.0"` | no | | instance\_role\_json | Default runner instance override policy, expected to be in JSON format. | string | `""` | no | | instance\_type | Instance type used for the GitLab runner. | string | `"t3.micro"` | no | | overrides | This maps provides the possibility to override some defaults. The following attributes are supported: `name_sg` overwrite the `Name` tag for all security groups created by this module. `name_runner_agent_instance` override the `Name` tag for the ec2 instance defined in the auto launch configuration. `name_docker_machine_runners` ovverrid the `Name` tag spot instances created by the runner agent. | map(string) | `` | no | diff --git a/cache/main.tf b/cache/main.tf index cfc718312..e87fdbf68 100644 --- a/cache/main.tf +++ b/cache/main.tf @@ -44,6 +44,14 @@ resource "aws_s3_bucket" "build_cache" { days = var.cache_expiration_days } } + + server_side_encryption_configuration { + rule { + apply_server_side_encryption_by_default { + sse_algorithm = "AES256" + } + } + } } data "template_file" "docker_machine_cache_policy" { diff --git a/ci/bin/terraform.sh b/ci/bin/terraform.sh index b425edb0e..5296ce347 100755 --- a/ci/bin/terraform.sh +++ b/ci/bin/terraform.sh @@ -3,7 +3,7 @@ TARGET_DIR=/opt PATH=${PATH}:${TARGET_DIR} -TERRAFORM_VERSION=${1:-"0.12.3"} +TERRAFORM_VERSION=${1:-"0.12.8"} OS=${2:-"linux"} TERRAFORM_URL="https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_${OS}_amd64.zip" 
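Review bot: The new `server_side_encryption_configuration` block in `cache/main.tf` hard-codes `sse_algorithm = "AES256"`, so users who must keep the cache under a customer-managed KMS key cannot opt in without forking the module; exposing the algorithm and an optional `kms_master_key_id` as variables, with the current value as the default, would keep the change backward compatible. Default bucket encryption only applies to objects uploaded without an explicit encryption header, so if the intent is that nothing in the bucket is ever stored unencrypted, a bucket policy denying `s3:PutObject` with a mismatching `s3:x-amz-server-side-encryption` value would enforce it; this file shows no bucket policy, and the `docker_machine_cache_policy` template that follows starts outside the hunk. The runner's cache client presumably needs no change for SSE-S3, but that should be confirmed against the runner version the module pins.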
diff --git a/examples/runner-default/.terraform-version b/examples/runner-default/.terraform-version
index dabff2f13..7bfd8360b 100644
--- a/examples/runner-default/.terraform-version
+++ b/examples/runner-default/.terraform-version
@@ -1 +1 @@
-0.12.6
+0.12.8
diff --git a/examples/runner-default/README.md b/examples/runner-default/README.md
index 09c64fed5..eef45930e 100644
--- a/examples/runner-default/README.md
+++ b/examples/runner-default/README.md
@@ -1,35 +1,19 @@ -# Example - Spot Runner - Public subnets +# Example - Spot Runner - Default -In this scenario the multiple runner agents can be created with different configuration by instantiating the module multiple times. Runners will scale automatically based on configuration. The S3 cache can be shared cross runners by managing the cache outside the module. - -![runners-cache](https://github.com/npalm/assets/raw/master/images/terraform-aws-gitlab-runner/runner-cache.png) +In this scenario the runner agent is running on a single EC2 node and runners are created by [docker machine](https://docs.gitlab.com/runner/configuration/autoscale.html) using spot instances. Runners will scale automatically based on configuration. The module creates by default a S3 cache that is shared cross runners (spot instances). This examples shows: - - Usages of public subnets. - - Useages of multiple runner instances sharing a common cache. - - Overrides for tag naming. + - Usages of public / private VPC + - No SSH keys, you can log into the instance via SSM (Session Manager). - Registration via GitLab token. - Auto scaling using `docker+machine` executor. ![runners-default](https://github.com/npalm/assets/raw/master/images/terraform-aws-gitlab-runner/runner-default.png) -The Terraform version is managed using [tfenv](https://github.com/Zordrak/tfenv). If you are not using `tfenv` please check `.terraform-version` for the tested version. - -➜ tmp cat terraform-aws-gitlab-runner/examples/runner-default/\_docs/README.md - -# Example - Spot Runner - Private subnet - -In this scenario the runner agent is running on a single EC2 node and runners are created by [docker machine](https://docs.gitlab.com/runner/configuration/autoscale.html) using spot instances. Runners will scale automatically based on configuration. The module creates by default a S3 cache that is shared cross runners (spot instances). 
- -![runners-default](https://github.com/npalm/assets/raw/master/images/terraform-aws-gitlab-runner/runner-default.png) - -This examples shows: +## Prerequisite - - Usages of public / private subnets. - - Usages of runner of peak time mode configuration. - - Registration via GitLab token. - - Auto scaling using `docker+machine` executor. +The Terraform version is managed using [tfenv](https://github.com/Zordrak/tfenv). If you are not using `tfenv` please check `.terraform-version` for the tested version. ## Inputs diff --git a/examples/runner-default/_docs/README.md b/examples/runner-default/_docs/README.md index 3a62425a1..f625b706d 100644 --- a/examples/runner-default/_docs/README.md +++ b/examples/runner-default/_docs/README.md 
@@ -1,30 +1,16 @@ -# Example - Spot Runner - Public subnets +# Example - Spot Runner - Default -In this scenario the multiple runner agents can be created with different configuration by instantiating the module multiple times. Runners will scale automatically based on configuration. The S3 cache can be shared cross runners by managing the cache outside the module. - -![runners-cache](https://github.com/npalm/assets/raw/master/images/terraform-aws-gitlab-runner/runner-cache.png) +In this scenario the runner agent is running on a single EC2 node and runners are created by [docker machine](https://docs.gitlab.com/runner/configuration/autoscale.html) using spot instances. Runners will scale automatically based on configuration. The module creates by default a S3 cache that is shared cross runners (spot instances). This examples shows: -- Usages of public subnets. -- Useages of multiple runner instances sharing a common cache. -- Overrides for tag naming. +- Usages of public / private VPC +- No SSH keys, you can log into the instance via SSM (Session Manager). - Registration via GitLab token. - Auto scaling using `docker+machine` executor. - ![runners-default](https://github.com/npalm/assets/raw/master/images/terraform-aws-gitlab-runner/runner-default.png) -The Terraform version is managed using [tfenv](https://github.com/Zordrak/tfenv). If you are not using `tfenv` please check `.terraform-version` for the tested version. - -➜ tmp cat terraform-aws-gitlab-runner/examples/runner-default/_docs/README.md -# Example - Spot Runner - Private subnet - -In this scenario the runner agent is running on a single EC2 node and runners are created by [docker machine](https://docs.gitlab.com/runner/configuration/autoscale.html) using spot instances. Runners will scale automatically based on configuration. The module creates by default a S3 cache that is shared cross runners (spot instances). 
-![runners-default](https://github.com/npalm/assets/raw/master/images/terraform-aws-gitlab-runner/runner-default.png) +## Prerequisite -This examples shows: -- Usages of public / private subnets. -- Usages of runner of peak time mode configuration. -- Registration via GitLab token. -- Auto scaling using `docker+machine` executor. +The Terraform version is managed using [tfenv](https://github.com/Zordrak/tfenv). If you are not using `tfenv` please check `.terraform-version` for the tested version. diff --git a/examples/runner-default/key.tf b/examples/runner-default/key.tf deleted file mode 100644 index 27361eb5f..000000000 --- a/examples/runner-default/key.tf +++ /dev/null @@ -1,26 +0,0 @@ -resource "tls_private_key" "ssh" { - algorithm = "RSA" -} - -resource "local_file" "public_ssh_key" { - depends_on = [tls_private_key.ssh] - - content = tls_private_key.ssh.public_key_openssh - filename = var.public_ssh_key_filename -} - -resource "local_file" "private_ssh_key" { - depends_on = [tls_private_key.ssh] - - content = tls_private_key.ssh.private_key_pem - filename = var.private_ssh_key_filename -} - -resource "null_resource" "file_permission" { - depends_on = [local_file.private_ssh_key] - - provisioner "local-exec" { - command = format("chmod 600 %s", var.private_ssh_key_filename) - } -} - diff --git a/examples/runner-default/main.tf b/examples/runner-default/main.tf index b9f96c348..a4660b0f0 100644 --- a/examples/runner-default/main.tf +++ b/examples/runner-default/main.tf 
@@ -28,14 +28,13 @@ module "runner" { aws_region = var.aws_region environment = var.environment - ssh_public_key = local_file.public_ssh_key.content - vpc_id = module.vpc.vpc_id subnet_ids_gitlab_runner = module.vpc.private_subnets subnet_id_runners = element(module.vpc.private_subnets, 0) - runners_name = var.runner_name - runners_gitlab_url = var.gitlab_url + runners_name = var.runner_name + runners_gitlab_url = var.gitlab_url + enable_runner_ssm_access = true docker_machine_spot_price_bid = "0.06" diff --git a/examples/runner-docker/.terraform-version b/examples/runner-docker/.terraform-version index dabff2f13..7bfd8360b 100644 --- a/examples/runner-docker/.terraform-version +++ b/examples/runner-docker/.terraform-version @@ -1 +1 @@ -0.12.6 +0.12.8 diff --git a/examples/runner-docker/key.tf b/examples/runner-docker/key.tf index 27361eb5f..2dcc51f3f 100644 --- a/examples/runner-docker/key.tf +++ b/examples/runner-docker/key.tf @@ -20,7 +20,8 @@ resource "null_resource" "file_permission" { depends_on = [local_file.private_ssh_key] provisioner "local-exec" { - command = format("chmod 600 %s", var.private_ssh_key_filename) + command = format("chmod 600 %s", var.private_ssh_key_filename) + interpreter = ["/bin/bash", "-c"] } } diff --git a/examples/runner-pre-registered/.terraform-version b/examples/runner-pre-registered/.terraform-version index aa22d3ce3..7bfd8360b 100644 --- a/examples/runner-pre-registered/.terraform-version +++ b/examples/runner-pre-registered/.terraform-version @@ -1 +1 @@ -0.12.3 +0.12.8 diff --git a/examples/runner-pre-registered/key.tf b/examples/runner-pre-registered/key.tf index 27361eb5f..2dcc51f3f 100644 --- a/examples/runner-pre-registered/key.tf +++ b/examples/runner-pre-registered/key.tf 
@@ -20,7 +20,8 @@ resource "null_resource" "file_permission" { depends_on = [local_file.private_ssh_key] provisioner "local-exec" { - command = format("chmod 600 %s", var.private_ssh_key_filename) + command = format("chmod 600 %s", var.private_ssh_key_filename) + interpreter = ["/bin/bash", "-c"] } } diff --git a/examples/runner-public/.terraform-version b/examples/runner-public/.terraform-version index dabff2f13..7bfd8360b 100644 --- a/examples/runner-public/.terraform-version +++ b/examples/runner-public/.terraform-version @@ -1 +1 @@ -0.12.6 +0.12.8 diff --git a/examples/runner-public/README.md b/examples/runner-public/README.md index 1bdaba8b3..44017fe64 100644 --- a/examples/runner-public/README.md +++ b/examples/runner-public/README.md @@ -7,7 +7,7 @@ In this scenario the multiple runner agents can be created with different config This examples shows: - Usages of public subnets. - - Useages of multiple runner instances sharing a common cache. + - Usages of multiple runner instances sharing a common cache. - Overrides for tag naming. - Registration via GitLab token. - Auto scaling using `docker+machine` executor. diff --git a/examples/runner-public/_docs/README.md b/examples/runner-public/_docs/README.md index 548d29b7d..74f978636 100644 --- a/examples/runner-public/_docs/README.md +++ b/examples/runner-public/_docs/README.md @@ -6,7 +6,7 @@ In this scenario the multiple runner agents can be created with different config This examples shows: - Usages of public subnets. -- Useages of multiple runner instances sharing a common cache. +- Usages of multiple runner instances sharing a common cache. - Overrides for tag naming. - Registration via GitLab token. - Auto scaling using `docker+machine` executor. diff --git a/examples/runner-public/key.tf b/examples/runner-public/key.tf index 27361eb5f..2dcc51f3f 100644 --- a/examples/runner-public/key.tf +++ b/examples/runner-public/key.tf 
@@ -20,7 +20,8 @@ resource "null_resource" "file_permission" {
   depends_on = [local_file.private_ssh_key]
 
   provisioner "local-exec" {
-    command = format("chmod 600 %s", var.private_ssh_key_filename)
+    command     = format("chmod 600 %s", var.private_ssh_key_filename)
+    interpreter = ["/bin/bash", "-c"]
   }
 }
 
diff --git a/main.tf b/main.tf
index 96ddaf8ed..89b78f96d 100644
--- a/main.tf
+++ b/main.tf
@@ -1,5 +1,5 @@
 resource "aws_key_pair" "key" {
-  count      = var.ssh_key_pair == "" ? 1 : 0
+  count      = var.ssh_key_pair == "" && var.ssh_public_key != "" ? 1 : 0
   key_name   = "${var.environment}-gitlab-runner"
   public_key = var.ssh_public_key
 }
@@ -258,9 +258,16 @@ data "aws_ami" "runner" {
   owners = var.ami_owners
 }
 
+locals {
+  # Key magic, if public key is provided usthe public key, if key pair is proviced use key pair. Otherwise null
+  is_ssh_public_key = var.ssh_key_pair == "" && var.ssh_public_key != "" ? aws_key_pair.key[0].key_name : ""
+  is_key_pair_name  = local.is_ssh_public_key != "" ? local.is_ssh_public_key : var.ssh_key_pair
+  key_pair_name     = local.is_key_pair_name != "" ? local.is_key_pair_name : null
+}
+
 resource "aws_launch_configuration" "gitlab_runner_instance" {
   security_groups = [aws_security_group.runner.id]
-  key_name        = var.ssh_key_pair == "" ? aws_key_pair.key[0].key_name : var.ssh_key_pair
+  key_name        = local.key_pair_name
   image_id        = data.aws_ami.runner.id
   user_data       = data.template_file.user_data.rendered
   instance_type   = var.instance_type
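Review bot: The comment on the new `locals` block in `main.tf` is hard to read (`usthe`, `proviced`) and states the precedence the wrong way round: when both `ssh_key_pair` and `ssh_public_key` are set, `aws_key_pair.key` has `count = 0` and `is_ssh_public_key` is `""`, so the existing key pair wins and the supplied public key is silently ignored. Replace it with `# Key selection: an existing ssh_key_pair name wins; otherwise a supplied ssh_public_key is registered as the generated aws_key_pair; otherwise null so the launch configuration gets no key.` The three chained locals can be a single expression with the same precedence, `key_pair_name = var.ssh_key_pair != "" ? var.ssh_key_pair : (var.ssh_public_key != "" ? aws_key_pair.key[0].key_name : null)`, which also drops the `is_` prefixed names that read as booleans but hold strings. The `count` change on `aws_key_pair.key` at the top of the file matches this guard; `aws_launch_configuration.gitlab_runner_instance` continues outside the hunk.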
@@ -343,6 +350,43 @@ resource "aws_iam_role_policy_attachment" "instance_docker_machine_policy" {
   policy_arn = aws_iam_policy.instance_docker_machine_policy.arn
 }
 
+################################################################################
+### Policies for runner agent instance to allow connection via Session Manager
+################################################################################
+
+data "template_file" "instance_session_manager_policy" {
+  count = var.enable_runner_ssm_access ? 1 : 0
+
+  template = file(
+    "${path.module}/policies/instance-session-manager-policy.json",
+  )
+}
+
+resource "aws_iam_policy" "instance_session_manager_policy" {
+  count = var.enable_runner_ssm_access ? 1 : 0
+
+  name        = "${var.environment}-session-manager"
+  path        = "/"
+  description = "Policy session manager."
+
+  policy = data.template_file.instance_session_manager_policy[0].rendered
+}
+
+resource "aws_iam_role_policy_attachment" "instance_session_manager_policy" {
+  count = var.enable_runner_ssm_access ? 1 : 0
+
+  role       = aws_iam_role.instance.name
+  policy_arn = aws_iam_policy.instance_session_manager_policy[0].arn
+}
+
+resource "aws_iam_role_policy_attachment" "instance_session_manager_aws_managed" {
+  count = var.enable_runner_ssm_access ? 1 : 0
+
+  role       = aws_iam_role.instance.name
+  policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
+}
+
+
 ################################################################################
 ### Policy for the docker machine instance to access cache
 ################################################################################
diff --git a/policies/instance-session-manager-policy.json b/policies/instance-session-manager-policy.json
new file mode 100644
index 000000000..63ac8ca94
--- /dev/null
+++ b/policies/instance-session-manager-policy.json
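Review bot: The AWS managed policy attached by `instance_session_manager_aws_managed` (`AmazonSSMManagedInstanceCore`) already grants the four `ssmmessages:*` actions that the custom `instance_session_manager_policy` allows, so the custom policy and its attachment add nothing while the managed attachment is present. As far as I recall the managed policy also grants `ssm:GetParameter`/`ssm:GetParameters` on all parameters, which matters for a module that keeps the runner registration token in Parameter Store (`secure_parameter_store_runner_token_key`): every other parameter in the account becomes readable from the runner agent, which is presumably what the README's "not very restrictive" remark refers to; this should be confirmed against the current managed policy document and, if it holds, stated in the `enable_runner_ssm_access` description. A tighter option is to drop the managed attachment and extend the JSON file with only the `ssm:`/`ec2messages:` actions AWS documents as required by Session Manager, so the agent gets what it uses and nothing more. Separately, `data "template_file"` with `template = file(...)` and no `vars` is an indirection; `policy = file("${path.module}/policies/instance-session-manager-policy.json")` directly in the `aws_iam_policy` resource does the same, and the description `"Policy session manager."` could read `"Allow the GitLab runner agent instance to be reached via SSM Session Manager."`.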
@@ -0,0 +1,15 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "ssmmessages:CreateControlChannel",
+        "ssmmessages:CreateDataChannel",
+        "ssmmessages:OpenControlChannel",
+        "ssmmessages:OpenDataChannel"
+      ],
+      "Resource": "*"
+    }
+  ]
+}
\ No newline at end of file
diff --git a/policies/service-linked-role-create-policy.json b/policies/service-linked-role-create-policy.json
index db6224d26..d7b937203 100644
--- a/policies/service-linked-role-create-policy.json
+++ b/policies/service-linked-role-create-policy.json
@@ -7,4 +7,4 @@
       "Resource": "arn:aws:iam::*:role/aws-service-role/*"
     }
   ]
-}
+}
\ No newline at end of file
diff --git a/variables.tf b/variables.tf
index cf6130f1c..b64691493 100644
--- a/variables.tf
+++ b/variables.tf
@@ -68,7 +68,7 @@ variable "docker_machine_spot_price_bid" {
 variable "docker_machine_version" {
   description = "Version of docker-machine."
   type        = string
-  default     = "0.16.1"
+  default     = "0.16.2"
 }
 
 variable "runners_name" {
@@ -294,7 +294,7 @@ variable "cache_shared" {
 variable "gitlab_runner_version" {
   description = "Version of the GitLab runner."
   type        = string
-  default     = "12.1.0"
+  default     = "12.2.0"
 }
 
 variable "enable_gitlab_runner_ssh_access" {
@@ -366,7 +366,6 @@ variable "ami_owners" {
   default = ["amazon"]
 }
 
-
 variable "runner_ami_filter" {
   description = "List of maps used to create the AMI filter for the Gitlab runner docker-machine AMI."
   type        = map(list(string))
@@ -460,3 +459,9 @@ variable "runner_root_block_device" {
   type        = map(string)
   default     = {}
 }
+
+variable "enable_runner_ssm_access" {
+  description = "Add IAM policies to the runner agent instance to connect via the Session Manager."
+  type        = bool
+  default     = false
+}
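Review bot: The new policy file is committed without a trailing newline (`\ No newline at end of file`), and the same commit strips the newline from `service-linked-role-create-policy.json` in the next hunk, which is otherwise untouched; that looks like an editor setting rather than intent, and restoring the newline in both files keeps future diffs clean. `"Resource": "*"` is expected here, since the `ssmmessages` channel actions do not support resource-level restrictions, so the wildcard is not itself a problem; what bounds this policy is the action list, which is already limited to the four channel actions. The `variables.tf` hunk further down adds `enable_runner_ssm_access` with an accurate description; mentioning there that enabling it also attaches the AWS managed `AmazonSSMManagedInstanceCore` policy would let users judge the scope before opting in.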