From c7694a8406398f83d5fe8029ea8d6ac654f156c4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?M=C3=A9ril?=
Date: Thu, 5 Sep 2019 17:37:28 +0100
Subject: [PATCH 1/7] Bump gitlab-runner to 12.2.0 (#128)
---
 variables.tf | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/variables.tf b/variables.tf
index cf6130f1c..165ea2a04 100644
--- a/variables.tf
+++ b/variables.tf
@@ -294,7 +294,7 @@ variable "cache_shared" {
 variable "gitlab_runner_version" {
 description = "Version of the GitLab runner."
 type = string
- default = "12.1.0"
+ default = "12.2.0"
 }
 variable "enable_gitlab_runner_ssh_access" {
@@ -366,7 +366,6 @@ variable "ami_owners" {
 default = ["amazon"]
 }
-
 variable "runner_ami_filter" {
 description = "List of maps used to create the AMI filter for the Gitlab runner docker-machine AMI."
 type = map(list(string))
From 8897639c5bda781bbfbc4468c43c54e9502a8d0b Mon Sep 17 00:00:00 2001
From: Hendrix Roa
Date: Mon, 9 Sep 2019 15:02:31 -0400
Subject: [PATCH 2/7] Enable s3 encryption (#129)
---
 cache/main.tf | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/cache/main.tf b/cache/main.tf
index cfc718312..e87fdbf68 100644
--- a/cache/main.tf
+++ b/cache/main.tf
@@ -44,6 +44,14 @@ resource "aws_s3_bucket" "build_cache" {
 days = var.cache_expiration_days
 }
 }
+
+ server_side_encryption_configuration {
+ rule {
+ apply_server_side_encryption_by_default {
+ sse_algorithm = "AES256"
+ }
+ }
+ }
 }
 data "template_file" "docker_machine_cache_policy" {
From df714e05d87b69f841196216c5ae1c87e8f829d5 Mon Sep 17 00:00:00 2001
From: Niek Palm
Date: Mon, 9 Sep 2019 21:33:13 +0200
Subject: [PATCH 3/7] Move ti github actions (#130)
---
 .github/workflows/verify.yml | 24 ++++++++++++++++++++++++
 .travis.yml | 12 ------------
 ci/bin/terraform.sh | 2 +-
 3 files changed, 25 insertions(+), 13 deletions(-)
 create mode 100644 .github/workflows/verify.yml
 delete mode 100644 .travis.yml
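Review bot: The new `server_side_encryption_configuration` block carries no comment explaining why `AES256` (SSE-S3) was chosen over `aws:kms`, and that choice ties into the `docker_machine_cache_policy` template right below the hunk: SSE-S3 needs no additional IAM grants, whereas a customer-managed KMS key would require `kms:GenerateDataKey`/`kms:Decrypt` in that policy for the runners to read and write the cache. Suggest `# SSE-S3 (AES256): at-rest encryption that needs no KMS grants in the docker-machine cache policy below; a switch to aws:kms must update that policy too.` above the block. Be aware that default bucket encryption alone does not reject unencrypted uploads or non-TLS access; if that is wanted it is a separate bucket-policy change. The `aws_s3_bucket` resource begins before the hunk.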
diff --git a/.github/workflows/verify.yml b/.github/workflows/verify.yml
new file mode 100644
index 000000000..944ed41d5
--- /dev/null
+++ b/.github/workflows/verify.yml
@@ -0,0 +1,24 @@
+name: Verify
+on: [push]
+
+jobs:
+ verify:
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@v1
+ - name: verify
+ run: |
+ ./ci/bin/install.sh
+ ./ci/bin/verify.sh
+
+ verify-examples:
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@v1
+ - name: verify-examples
+ run: |
+ ./ci/bin/install.sh
+ ./ci/bin/verify-examples.sh
+
diff --git a/.travis.yml b/.travis.yml
deleted file mode 100644
index 28150f5ec..000000000
--- a/.travis.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-dist: trusty
-sudo: false
-
-install:
- - ./ci/bin/install.sh
-
-jobs:
- include:
- - stage: verify
- script: ./ci/bin/verify.sh
- - stage: verify
- script: ./ci/bin/verify-examples.sh examples
diff --git a/ci/bin/terraform.sh b/ci/bin/terraform.sh
index b425edb0e..5296ce347 100755
--- a/ci/bin/terraform.sh
+++ b/ci/bin/terraform.sh
@@ -3,7 +3,7 @@ TARGET_DIR=/opt
 PATH=${PATH}:${TARGET_DIR}
-TERRAFORM_VERSION=${1:-"0.12.3"}
+TERRAFORM_VERSION=${1:-"0.12.8"}
 OS=${2:-"linux"}
 TERRAFORM_URL="https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_${OS}_amd64.zip"
From 73b80d000cfef8f44942f5bd3af5eb45f300910b Mon Sep 17 00:00:00 2001
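Review bot: `actions/checkout@v1` is pulled by a mutable tag in both jobs of the new workflow; since these jobs execute repository scripts with the workflow's default token, pinning third-party actions to a full commit SHA is the usual supply-chain control, e.g. `- uses: actions/checkout@<full-commit-sha> # v1` (placeholder, substitute the real SHA). Both jobs then run `./ci/bin/install.sh`, which is not part of this commit; the `ci/bin/terraform.sh` hunk below shows the toolchain being fetched from `releases.hashicorp.com`, and whether the downloaded archive is verified against the published checksums is not visible here, so worth confirming. `on: [push]` without a branch filter runs the workflow for every pushed ref, which may be intended but deserves a one-line comment.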
From: Niek Palm Date: Mon, 9 Sep 2019 21:36:07 +0200 Subject: [PATCH 4/7] Add support for session manager (#121), limit chmod to bash shell (#126) (#127) * Add support for session manager (#121), limit chmod to bash shell (#126) * Update docs for support the session manager --- README.md | 15 +++++- _docs/README.md | 9 ++++ _docs/TF_MODULE.md | 3 +- examples/runner-default/README.md | 28 +++-------- examples/runner-default/_docs/README.md | 26 +++------- examples/runner-default/key.tf | 26 ---------- examples/runner-default/main.tf | 7 ++- examples/runner-docker/key.tf | 3 +- examples/runner-pre-registered/key.tf | 3 +- examples/runner-public/README.md | 2 +- examples/runner-public/_docs/README.md | 2 +- examples/runner-public/key.tf | 3 +- main.tf | 48 ++++++++++++++++++- policies/instance-session-manager-policy.json | 15 ++++++ .../service-linked-role-create-policy.json | 2 +- variables.tf | 6 +++ 16 files changed, 116 insertions(+), 82 deletions(-) delete mode 100644 examples/runner-default/key.tf create mode 100644 policies/instance-session-manager-policy.json diff --git a/README.md b/README.md index 99b03fcd0..05bcd6eb2 100644 --- a/README.md +++ b/README.md 
@@ -125,6 +125,15 @@ Once you have created the parameter, you must remove the variable `runners_token Finally, the runner still supports the manual runner creation. No changes are required. Please keep in mind that this setup will be removed in future releases. +### Access runner instance + +A few option are provide the runner instance + +1. Provide a public ssh key to access the runner by setting \`\`. +2. Provide a EC2 key pair to access the runner by setting \`\`. +3. Access via the Session Manager (SSM) by setting `enable_runner_ssm_access` to `true`. The policy to allow access via SSM is not very restrictive. +4. By setting non of the above no keys or extra policies will be attached to the instance. You can still configure you own policies by attaching them to `runner_agent_role_arn`. + ### GitLab runner cache By default the module creates a a cache for the runner in S3. Old objects are automatically remove via a configurable life cycle policy on the bucket. 
@@ -237,17 +246,20 @@ terraform destroy | enable\_cloudwatch\_logging | Boolean used to enable or disable the CloudWatch logging. | bool | `"true"` | no | | enable\_gitlab\_runner\_ssh\_access | Enables SSH Access to the gitlab runner instance. | bool | `"false"` | no | | enable\_manage\_gitlab\_token | Boolean to enable the management of the GitLab token in SSM. If `true` the token will be stored in SSM, which means the SSM property is a terraform managed resource. If `false` the Gitlab token will be stored in the SSM by the user-data script during creation of the the instance. However the SSM parameter is not managed by terraform and will remain in SSM after a `terraform destroy`. | bool | `"true"` | no | +| enable\_runner\_ssm\_access | Add IAM policies to the runner agent instance to connect via the Session Manager. | bool | `"false"` | no | | enable\_runner\_user\_data\_trace\_log | Enable bash xtrace for the user data script that creates the EC2 instance for the runner agent. Be aware this could log sensitive data such as you GitLab runner token. | bool | `"false"` | no | +| enable\_schedule | Flag used to enable/disable auto scaling group schedule for the runner instance. | bool | `"false"` | no | | environment | A name that identifies the environment, used as prefix and for tagging. | string | n/a | yes | | gitlab\_runner\_registration\_config | Configuration used to register the runner. See the README for an example, or reference the examples in the examples directory of this repo. | map(string) | `` | no | | gitlab\_runner\_ssh\_cidr\_blocks | List of CIDR blocks to allow SSH Access to the gitlab runner instance. | list(string) | `` | no | -| gitlab\_runner\_version | Version of the GitLab runner. | string | `"12.1.0"` | no | +| gitlab\_runner\_version | Version of the GitLab runner. | string | `"12.2.0"` | no | | instance\_role\_json | Default runner instance override policy, expected to be in JSON format. 
| string | `""` | no | | instance\_type | Instance type used for the GitLab runner. | string | `"t3.micro"` | no | | overrides | This maps provides the possibility to override some defaults. The following attributes are supported: `name_sg` overwrite the `Name` tag for all security groups created by this module. `name_runner_agent_instance` override the `Name` tag for the ec2 instance defined in the auto launch configuration. `name_docker_machine_runners` ovverrid the `Name` tag spot instances created by the runner agent. | map(string) | `` | no | | runner\_ami\_filter | List of maps used to create the AMI filter for the Gitlab runner docker-machine AMI. | map(list(string)) | `` | no | | runner\_ami\_owners | The list of owners used to select the AMI of Gitlab runner docker-machine instances. | list(string) | `` | no | | runner\_instance\_spot\_price | By setting a spot price bid price the runner agent will be created via a spot request. Be aware that spot instances can be stopped by AWS. | string | `""` | no | +| runner\_root\_block\_device | The EC2 instance root block device configuration. Takes the following keys: `delete_on_termination`, `volume_type`, `volume_size`, `iops` | map(string) | `` | no | | runners\_additional\_volumes | Additional volumes that will be used in the runner config.toml, e.g Docker socket | list | `` | no | | runners\_concurrent | Concurrent value for the runners, will be used in the runner config.toml. | number | `"10"` | no | | runners\_environment\_vars | Environment variables during build execution, e.g. KEY=Value, see runner-public example. Will be used in the runner config.toml | list(string) | `` | no | 
@@ -276,6 +288,7 @@ terraform destroy | runners\_shm\_size | shm_size for the runners, will be used in the runner config.toml | number | `"0"` | no | | runners\_token | Token for the runner, will be used in the runner config.toml. | string | `"__REPLACED_BY_USER_DATA__"` | no | | runners\_use\_private\_address | Restrict runners to the use of a private IP address | bool | `"true"` | no | +| schedule\_config | Map containing the configuration of the ASG scale-in and scale-up for the runner instance. Will only be used if enable_schedule is set to true. | map | `` | no | | secure\_parameter\_store\_runner\_token\_key | The key name used store the Gitlab runner token in Secure Parameter Store | string | `"runner-token"` | no | | ssh\_key\_pair | Set this to use existing AWS key pair | string | `""` | no | | ssh\_public\_key | Public SSH key used for the GitLab runner EC2 instance. | string | `""` | no | diff --git a/_docs/README.md b/_docs/README.md index 3163b7d16..0dda80ff2 100644 --- a/_docs/README.md +++ b/_docs/README.md 
@@ -124,6 +124,15 @@ Once you have created the parameter, you must remove the variable `runners_token Finally, the runner still supports the manual runner creation. No changes are required. Please keep in mind that this setup will be removed in future releases. +### Access runner instance + +A few option are provide the runner instance +1. Provide a public ssh key to access the runner by setting ``. +2. Provide a EC2 key pair to access the runner by setting ``. +3. Access via the Session Manager (SSM) by setting `enable_runner_ssm_access` to `true`. The policy to allow access via SSM is not very restrictive. +4. By setting non of the above no keys or extra policies will be attached to the instance. You can still configure you own policies by attaching them to `runner_agent_role_arn`. + + ### GitLab runner cache By default the module creates a a cache for the runner in S3. Old objects are automatically remove via a configurable life cycle policy on the bucket. diff --git a/_docs/TF_MODULE.md b/_docs/TF_MODULE.md index d94575a38..27c6d6c11 100644 --- a/_docs/TF_MODULE.md +++ b/_docs/TF_MODULE.md 
@@ -24,12 +24,13 @@ | enable\_cloudwatch\_logging | Boolean used to enable or disable the CloudWatch logging. | bool | `"true"` | no | | enable\_gitlab\_runner\_ssh\_access | Enables SSH Access to the gitlab runner instance. | bool | `"false"` | no | | enable\_manage\_gitlab\_token | Boolean to enable the management of the GitLab token in SSM. If `true` the token will be stored in SSM, which means the SSM property is a terraform managed resource. If `false` the Gitlab token will be stored in the SSM by the user-data script during creation of the the instance. However the SSM parameter is not managed by terraform and will remain in SSM after a `terraform destroy`. | bool | `"true"` | no | +| enable\_runner\_ssm\_access | Add IAM policies to the runner agent instance to connect via the Session Manager. | bool | `"false"` | no | | enable\_runner\_user\_data\_trace\_log | Enable bash xtrace for the user data script that creates the EC2 instance for the runner agent. Be aware this could log sensitive data such as you GitLab runner token. | bool | `"false"` | no | | enable\_schedule | Flag used to enable/disable auto scaling group schedule for the runner instance. | bool | `"false"` | no | | environment | A name that identifies the environment, used as prefix and for tagging. | string | n/a | yes | | gitlab\_runner\_registration\_config | Configuration used to register the runner. See the README for an example, or reference the examples in the examples directory of this repo. | map(string) | `` | no | | gitlab\_runner\_ssh\_cidr\_blocks | List of CIDR blocks to allow SSH Access to the gitlab runner instance. | list(string) | `` | no | -| gitlab\_runner\_version | Version of the GitLab runner. | string | `"12.1.0"` | no | +| gitlab\_runner\_version | Version of the GitLab runner. | string | `"12.2.0"` | no | | instance\_role\_json | Default runner instance override policy, expected to be in JSON format. 
| string | `""` | no | | instance\_type | Instance type used for the GitLab runner. | string | `"t3.micro"` | no | | overrides | This maps provides the possibility to override some defaults. The following attributes are supported: `name_sg` overwrite the `Name` tag for all security groups created by this module. `name_runner_agent_instance` override the `Name` tag for the ec2 instance defined in the auto launch configuration. `name_docker_machine_runners` ovverrid the `Name` tag spot instances created by the runner agent. | map(string) | `` | no | diff --git a/examples/runner-default/README.md b/examples/runner-default/README.md index 09c64fed5..eef45930e 100644 --- a/examples/runner-default/README.md +++ b/examples/runner-default/README.md 
@@ -1,35 +1,19 @@ -# Example - Spot Runner - Public subnets +# Example - Spot Runner - Default -In this scenario the multiple runner agents can be created with different configuration by instantiating the module multiple times. Runners will scale automatically based on configuration. The S3 cache can be shared cross runners by managing the cache outside the module. - -![runners-cache](https://github.com/npalm/assets/raw/master/images/terraform-aws-gitlab-runner/runner-cache.png) +In this scenario the runner agent is running on a single EC2 node and runners are created by [docker machine](https://docs.gitlab.com/runner/configuration/autoscale.html) using spot instances. Runners will scale automatically based on configuration. The module creates by default a S3 cache that is shared cross runners (spot instances). This examples shows: - - Usages of public subnets. - - Useages of multiple runner instances sharing a common cache. - - Overrides for tag naming. + - Usages of public / private VPC + - No SSH keys, you can log into the instance via SSM (Session Manager). - Registration via GitLab token. - Auto scaling using `docker+machine` executor. ![runners-default](https://github.com/npalm/assets/raw/master/images/terraform-aws-gitlab-runner/runner-default.png) -The Terraform version is managed using [tfenv](https://github.com/Zordrak/tfenv). If you are not using `tfenv` please check `.terraform-version` for the tested version. - -➜ tmp cat terraform-aws-gitlab-runner/examples/runner-default/\_docs/README.md - -# Example - Spot Runner - Private subnet - -In this scenario the runner agent is running on a single EC2 node and runners are created by [docker machine](https://docs.gitlab.com/runner/configuration/autoscale.html) using spot instances. Runners will scale automatically based on configuration. The module creates by default a S3 cache that is shared cross runners (spot instances). 
- -![runners-default](https://github.com/npalm/assets/raw/master/images/terraform-aws-gitlab-runner/runner-default.png) - -This examples shows: +## Prerequisite - - Usages of public / private subnets. - - Usages of runner of peak time mode configuration. - - Registration via GitLab token. - - Auto scaling using `docker+machine` executor. +The Terraform version is managed using [tfenv](https://github.com/Zordrak/tfenv). If you are not using `tfenv` please check `.terraform-version` for the tested version. ## Inputs diff --git a/examples/runner-default/_docs/README.md b/examples/runner-default/_docs/README.md index 3a62425a1..f625b706d 100644 --- a/examples/runner-default/_docs/README.md +++ b/examples/runner-default/_docs/README.md 
@@ -1,30 +1,16 @@ -# Example - Spot Runner - Public subnets +# Example - Spot Runner - Default -In this scenario the multiple runner agents can be created with different configuration by instantiating the module multiple times. Runners will scale automatically based on configuration. The S3 cache can be shared cross runners by managing the cache outside the module. - -![runners-cache](https://github.com/npalm/assets/raw/master/images/terraform-aws-gitlab-runner/runner-cache.png) +In this scenario the runner agent is running on a single EC2 node and runners are created by [docker machine](https://docs.gitlab.com/runner/configuration/autoscale.html) using spot instances. Runners will scale automatically based on configuration. The module creates by default a S3 cache that is shared cross runners (spot instances). This examples shows: -- Usages of public subnets. -- Useages of multiple runner instances sharing a common cache. -- Overrides for tag naming. +- Usages of public / private VPC +- No SSH keys, you can log into the instance via SSM (Session Manager). - Registration via GitLab token. - Auto scaling using `docker+machine` executor. - ![runners-default](https://github.com/npalm/assets/raw/master/images/terraform-aws-gitlab-runner/runner-default.png) -The Terraform version is managed using [tfenv](https://github.com/Zordrak/tfenv). If you are not using `tfenv` please check `.terraform-version` for the tested version. - -➜ tmp cat terraform-aws-gitlab-runner/examples/runner-default/_docs/README.md -# Example - Spot Runner - Private subnet - -In this scenario the runner agent is running on a single EC2 node and runners are created by [docker machine](https://docs.gitlab.com/runner/configuration/autoscale.html) using spot instances. Runners will scale automatically based on configuration. The module creates by default a S3 cache that is shared cross runners (spot instances). 
-![runners-default](https://github.com/npalm/assets/raw/master/images/terraform-aws-gitlab-runner/runner-default.png)
+## Prerequisite
-This examples shows:
-- Usages of public / private subnets.
-- Usages of runner of peak time mode configuration.
-- Registration via GitLab token.
-- Auto scaling using `docker+machine` executor.
+The Terraform version is managed using [tfenv](https://github.com/Zordrak/tfenv). If you are not using `tfenv` please check `.terraform-version` for the tested version.
diff --git a/examples/runner-default/key.tf b/examples/runner-default/key.tf
deleted file mode 100644
index 27361eb5f..000000000
--- a/examples/runner-default/key.tf
+++ /dev/null
@@ -1,26 +0,0 @@
-resource "tls_private_key" "ssh" {
- algorithm = "RSA"
-}
-
-resource "local_file" "public_ssh_key" {
- depends_on = [tls_private_key.ssh]
-
- content = tls_private_key.ssh.public_key_openssh
- filename = var.public_ssh_key_filename
-}
-
-resource "local_file" "private_ssh_key" {
- depends_on = [tls_private_key.ssh]
-
- content = tls_private_key.ssh.private_key_pem
- filename = var.private_ssh_key_filename
-}
-
-resource "null_resource" "file_permission" {
- depends_on = [local_file.private_ssh_key]
-
- provisioner "local-exec" {
- command = format("chmod 600 %s", var.private_ssh_key_filename)
- }
-}
-
diff --git a/examples/runner-default/main.tf b/examples/runner-default/main.tf
index b9f96c348..a4660b0f0 100644
--- a/examples/runner-default/main.tf
+++ b/examples/runner-default/main.tf
@@ -28,14 +28,13 @@ module "runner" {
 aws_region = var.aws_region
 environment = var.environment
- ssh_public_key = local_file.public_ssh_key.content
-
 vpc_id = module.vpc.vpc_id
 subnet_ids_gitlab_runner = module.vpc.private_subnets
 subnet_id_runners = element(module.vpc.private_subnets, 0)
- runners_name = var.runner_name
- runners_gitlab_url = var.gitlab_url
+ runners_name = var.runner_name
+ runners_gitlab_url = var.gitlab_url
+ enable_runner_ssm_access = true
 docker_machine_spot_price_bid = "0.06"
diff --git a/examples/runner-docker/key.tf b/examples/runner-docker/key.tf
index 27361eb5f..2dcc51f3f 100644
--- a/examples/runner-docker/key.tf
+++ b/examples/runner-docker/key.tf
@@ -20,7 +20,8 @@ resource "null_resource" "file_permission" {
 depends_on = [local_file.private_ssh_key]
 provisioner "local-exec" {
- command = format("chmod 600 %s", var.private_ssh_key_filename)
+ command = format("chmod 600 %s", var.private_ssh_key_filename)
+ interpreter = ["/bin/bash", "-c"]
 }
 }
diff --git a/examples/runner-pre-registered/key.tf b/examples/runner-pre-registered/key.tf
index 27361eb5f..2dcc51f3f 100644
--- a/examples/runner-pre-registered/key.tf
+++ b/examples/runner-pre-registered/key.tf
@@ -20,7 +20,8 @@ resource "null_resource" "file_permission" {
 depends_on = [local_file.private_ssh_key]
 provisioner "local-exec" {
- command = format("chmod 600 %s", var.private_ssh_key_filename)
+ command = format("chmod 600 %s", var.private_ssh_key_filename)
+ interpreter = ["/bin/bash", "-c"]
 }
 }
diff --git a/examples/runner-public/README.md b/examples/runner-public/README.md
index 1bdaba8b3..44017fe64 100644
--- a/examples/runner-public/README.md
+++ b/examples/runner-public/README.md
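Review bot: The added `interpreter = ["/bin/bash", "-c"]` only fixes which shell runs `chmod 600`; the key file is still created by `local_file.private_ssh_key` with default permissions before the `null_resource` runs, and the PEM (`tls_private_key.ssh.private_key_pem`) is stored in plaintext in the Terraform state regardless of the file mode. Suggest a comment above `provisioner "local-exec"`: `# chmod runs after local_file has already written the key; the PEM is also kept in plaintext in state — protect the state backend.` If the local provider version in use supports `file_permission` on `local_file`, setting it to `"0600"` there would close the window and make this `null_resource` unnecessary. The identical change is made in `examples/runner-pre-registered/key.tf` on this line and in `examples/runner-public/key.tf` below; the `null_resource` block begins before the hunk.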
@@ -7,7 +7,7 @@ In this scenario the multiple runner agents can be created with different config
 This examples shows:
 - Usages of public subnets.
- - Useages of multiple runner instances sharing a common cache.
+ - Usages of multiple runner instances sharing a common cache.
 - Overrides for tag naming.
 - Registration via GitLab token.
 - Auto scaling using `docker+machine` executor.
diff --git a/examples/runner-public/_docs/README.md b/examples/runner-public/_docs/README.md
index 548d29b7d..74f978636 100644
--- a/examples/runner-public/_docs/README.md
+++ b/examples/runner-public/_docs/README.md
@@ -6,7 +6,7 @@ In this scenario the multiple runner agents can be created with different config
 This examples shows:
 - Usages of public subnets.
-- Useages of multiple runner instances sharing a common cache.
+- Usages of multiple runner instances sharing a common cache.
 - Overrides for tag naming.
 - Registration via GitLab token.
 - Auto scaling using `docker+machine` executor.
diff --git a/examples/runner-public/key.tf b/examples/runner-public/key.tf
index 27361eb5f..2dcc51f3f 100644
--- a/examples/runner-public/key.tf
+++ b/examples/runner-public/key.tf
@@ -20,7 +20,8 @@ resource "null_resource" "file_permission" {
 depends_on = [local_file.private_ssh_key]
 provisioner "local-exec" {
- command = format("chmod 600 %s", var.private_ssh_key_filename)
+ command = format("chmod 600 %s", var.private_ssh_key_filename)
+ interpreter = ["/bin/bash", "-c"]
 }
 }
diff --git a/main.tf b/main.tf
index 96ddaf8ed..89b78f96d 100644
--- a/main.tf
+++ b/main.tf
@@ -1,5 +1,5 @@
 resource "aws_key_pair" "key" {
- count = var.ssh_key_pair == "" ? 1 : 0
+ count = var.ssh_key_pair == "" && var.ssh_public_key != "" ? 1 : 0
 key_name = "${var.environment}-gitlab-runner"
 public_key = var.ssh_public_key
 }
@@ -258,9 +258,16 @@ data "aws_ami" "runner" {
 owners = var.ami_owners
 }
+locals {
+ # Key magic, if public key is provided usthe public key, if key pair is proviced use key pair. Otherwise null
+ is_ssh_public_key = var.ssh_key_pair == "" && var.ssh_public_key != "" ? aws_key_pair.key[0].key_name : ""
+ is_key_pair_name = local.is_ssh_public_key != "" ? local.is_ssh_public_key : var.ssh_key_pair
+ key_pair_name = local.is_key_pair_name != "" ? local.is_key_pair_name : null
+}
+
 resource "aws_launch_configuration" "gitlab_runner_instance" {
 security_groups = [aws_security_group.runner.id]
- key_name = var.ssh_key_pair == "" ? aws_key_pair.key[0].key_name : var.ssh_key_pair
+ key_name = local.key_pair_name
 image_id = data.aws_ami.runner.id
 user_data = data.template_file.user_data.rendered
 instance_type = var.instance_type
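Review bot: The comment on the new `locals` block has typos (`usthe`, `proviced`) and the intermediates `is_ssh_public_key` / `is_key_pair_name` are named like booleans although they hold key-pair names (or `""`). Suggest `# Key selection: a provided public key wins, then an existing key pair name, else null (no key attached).` and names such as `created_key_pair_name` / `selected_key_pair_name`; only `key_pair_name` is referenced outside the block (by `aws_launch_configuration` in the same hunk), so the rename stays local. Documenting that `null` is the new outcome when neither `ssh_public_key` nor `ssh_key_pair` is set is worthwhile, since the replaced `key_name` expression had no such case.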
@@ -343,6 +350,43 @@ resource "aws_iam_role_policy_attachment" "instance_docker_machine_policy" {
 policy_arn = aws_iam_policy.instance_docker_machine_policy.arn
 }
+################################################################################
+### Policies for runner agent instance to allow connection via Session Manager
+################################################################################
+
+data "template_file" "instance_session_manager_policy" {
+ count = var.enable_runner_ssm_access ? 1 : 0
+
+ template = file(
+ "${path.module}/policies/instance-session-manager-policy.json",
+ )
+}
+
+resource "aws_iam_policy" "instance_session_manager_policy" {
+ count = var.enable_runner_ssm_access ? 1 : 0
+
+ name = "${var.environment}-session-manager"
+ path = "/"
+ description = "Policy session manager."
+
+ policy = data.template_file.instance_session_manager_policy[0].rendered
+}
+
+resource "aws_iam_role_policy_attachment" "instance_session_manager_policy" {
+ count = var.enable_runner_ssm_access ? 1 : 0
+
+ role = aws_iam_role.instance.name
+ policy_arn = aws_iam_policy.instance_session_manager_policy[0].arn
+}
+
+resource "aws_iam_role_policy_attachment" "instance_session_manager_aws_managed" {
+ count = var.enable_runner_ssm_access ? 1 : 0
+
+ role = aws_iam_role.instance.name
+ policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
+}
+
+
 ################################################################################
 ### Policy for the docker machine instance to access cache
 ################################################################################
diff --git a/policies/instance-session-manager-policy.json b/policies/instance-session-manager-policy.json
new file mode 100644
index 000000000..63ac8ca94
--- /dev/null
+++ b/policies/instance-session-manager-policy.json
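Review bot: The custom policy rendered from `policies/instance-session-manager-policy.json` (next hunk) grants only the four `ssmmessages:*Channel` actions, which the AWS-managed `AmazonSSMManagedInstanceCore` attached at the end of this hunk already contains, so the `template_file`/`aws_iam_policy`/attachment trio is redundant as written; if it is kept as a hook for tightening later, a comment saying so would prevent a future cleanup from removing it. The managed policy is also broader than Session Manager: as published it includes `ssm:GetParameter`/`ssm:GetParameters` on all parameters, which matters here because the module keeps the GitLab runner token in SSM Parameter Store, so `description = "Policy session manager."` understates what the role gains. Suggest replacing the header comment with `### Session Manager access: AmazonSSMManagedInstanceCore is broader than the ssmmessages actions alone (includes ssm:GetParameter*); review before enabling in shared accounts` and, outside this commit, enabling Session Manager session logging (CloudWatch Logs or S3) so interactive sessions on the runner are auditable.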
@@ -0,0 +1,15 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ssmmessages:CreateControlChannel",
+ "ssmmessages:CreateDataChannel",
+ "ssmmessages:OpenControlChannel",
+ "ssmmessages:OpenDataChannel"
+ ],
+ "Resource": "*"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/policies/service-linked-role-create-policy.json b/policies/service-linked-role-create-policy.json
index db6224d26..d7b937203 100644
--- a/policies/service-linked-role-create-policy.json
+++ b/policies/service-linked-role-create-policy.json
@@ -7,4 +7,4 @@
 "Resource": "arn:aws:iam::*:role/aws-service-role/*"
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/variables.tf b/variables.tf
index 165ea2a04..4507308e4 100644
--- a/variables.tf
+++ b/variables.tf
@@ -459,3 +459,9 @@ variable "runner_root_block_device" {
 type = map(string)
 default = {}
 }
+
+variable "enable_runner_ssm_access" {
+ description = "Add IAM policies to the runner agent instance to connect via the Session Manager."
+ type = bool
+ default = false
+}
From edf3afd0aae5fb0fc9d0e99dd60d6e8cee8e20df Mon Sep 17 00:00:00 2001
From: Niek Palm
Date: Mon, 9 Sep 2019 21:40:01 +0200
Subject: [PATCH 5/7] Update changelog, bump terraform version in examples
---
 CHANGELOG.md | 6 ++++++
 examples/runner-default/.terraform-version | 2 +-
 examples/runner-docker/.terraform-version | 2 +-
 examples/runner-pre-registered/.terraform-version | 2 +-
 examples/runner-public/.terraform-version | 2 +-
 5 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index ef44baf7b..f5f1cea54 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,12 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/) and this project adheres to [Semantic Versioning](http://semver.org/). +## Unrelease +- Add SSM session manager support #121 #126 @npalm +- Move to github actions #130 @npalm +- Enable s3 encryption #129 @hendrixra +- Bump gitlab-runner to 12.2.0 #128 @mpsq + ## 4.4.0 - 2019-08-21 - Added diff --git a/examples/runner-default/.terraform-version b/examples/runner-default/.terraform-version index dabff2f13..7bfd8360b 100644 --- a/examples/runner-default/.terraform-version +++ b/examples/runner-default/.terraform-version @@ -1 +1 @@ -0.12.6 +0.12.8 diff --git a/examples/runner-docker/.terraform-version b/examples/runner-docker/.terraform-version index dabff2f13..7bfd8360b 100644 --- a/examples/runner-docker/.terraform-version +++ b/examples/runner-docker/.terraform-version @@ -1 +1 @@ -0.12.6 +0.12.8 diff --git a/examples/runner-pre-registered/.terraform-version b/examples/runner-pre-registered/.terraform-version index aa22d3ce3..7bfd8360b 100644 --- a/examples/runner-pre-registered/.terraform-version +++ b/examples/runner-pre-registered/.terraform-version @@ -1 +1 @@ -0.12.3 +0.12.8 diff --git a/examples/runner-public/.terraform-version b/examples/runner-public/.terraform-version index dabff2f13..7bfd8360b 100644 --- a/examples/runner-public/.terraform-version +++ b/examples/runner-public/.terraform-version @@ -1 +1 @@ -0.12.6 +0.12.8 From 7a25799f6544c93498664553710c941d992583a8 Mon Sep 17 00:00:00 2001 From: Niek Palm Date: Mon, 9 Sep 2019 21:52:21 +0200 Subject: [PATCH 6/7] Set docker machine version by default to 0.16.2 (#131) * Set docker machine version by default to 0.16.2 * update docs --- CHANGELOG.md | 1 + README.md | 2 +- _docs/TF_MODULE.md | 2 +- variables.tf | 2 +- 4 files changed, 4 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index f5f1cea54..b48459a10 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -6,6 +6,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/). ## Unrelease +- Set docker machine version by default to 0.16.2 #131 @npalm - Add SSM session manager support #121 #126 @npalm - Move to github actions #130 @npalm - Enable s3 encryption #129 @hendrixra diff --git a/README.md b/README.md index 05bcd6eb2..ce5807069 100644 --- a/README.md +++ b/README.md @@ -242,7 +242,7 @@ terraform destroy | docker\_machine\_spot\_price\_bid | Spot price bid. | string | `"0.06"` | no | | docker\_machine\_ssh\_cidr\_blocks | List of CIDR blocks to allow SSH Access to the docker machine runner instance. | list(string) | `` | no | | docker\_machine\_user | Username of the user used to create the spot instances that host docker-machine. | string | `"docker-machine"` | no | -| docker\_machine\_version | Version of docker-machine. | string | `"0.16.1"` | no | +| docker\_machine\_version | Version of docker-machine. | string | `"0.16.2"` | no | | enable\_cloudwatch\_logging | Boolean used to enable or disable the CloudWatch logging. | bool | `"true"` | no | | enable\_gitlab\_runner\_ssh\_access | Enables SSH Access to the gitlab runner instance. | bool | `"false"` | no | | enable\_manage\_gitlab\_token | Boolean to enable the management of the GitLab token in SSM. If `true` the token will be stored in SSM, which means the SSM property is a terraform managed resource. If `false` the Gitlab token will be stored in the SSM by the user-data script during creation of the the instance. However the SSM parameter is not managed by terraform and will remain in SSM after a `terraform destroy`. | bool | `"true"` | no | diff --git a/_docs/TF_MODULE.md b/_docs/TF_MODULE.md index 27c6d6c11..3ca61edb8 100644 --- a/_docs/TF_MODULE.md +++ b/_docs/TF_MODULE.md 
@@ -20,7 +20,7 @@ | docker\_machine\_spot\_price\_bid | Spot price bid. | string | `"0.06"` | no | | docker\_machine\_ssh\_cidr\_blocks | List of CIDR blocks to allow SSH Access to the docker machine runner instance. | list(string) | `` | no | | docker\_machine\_user | Username of the user used to create the spot instances that host docker-machine. | string | `"docker-machine"` | no | -| docker\_machine\_version | Version of docker-machine. | string | `"0.16.1"` | no | +| docker\_machine\_version | Version of docker-machine. | string | `"0.16.2"` | no | | enable\_cloudwatch\_logging | Boolean used to enable or disable the CloudWatch logging. | bool | `"true"` | no | | enable\_gitlab\_runner\_ssh\_access | Enables SSH Access to the gitlab runner instance. | bool | `"false"` | no | | enable\_manage\_gitlab\_token | Boolean to enable the management of the GitLab token in SSM. If `true` the token will be stored in SSM, which means the SSM property is a terraform managed resource. If `false` the Gitlab token will be stored in the SSM by the user-data script during creation of the the instance. However the SSM parameter is not managed by terraform and will remain in SSM after a `terraform destroy`. | bool | `"true"` | no | diff --git a/variables.tf b/variables.tf index 4507308e4..b64691493 100644 --- a/variables.tf +++ b/variables.tf @@ -68,7 +68,7 @@ variable "docker_machine_spot_price_bid" { variable "docker_machine_version" { description = "Version of docker-machine." type = string - default = "0.16.1" + default = "0.16.2" } variable "runners_name" { From 9fb5ce3b41449c184a787b68f321fd6dbf6457b9 Mon Sep 17 00:00:00 2001 From: Niek Palm Date: Mon, 9 Sep 2019 22:35:55 +0200 Subject: [PATCH 7/7] Release 4.5.0 --- CHANGELOG.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index b48459a10..12c85baa6 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -6,6 +6,8 @@ and this project adheres to [Semantic Versioning](http://semver.org/). ## Unrelease + +## 4.5.0 - 2019-09-09 - Set docker machine version by default to 0.16.2 #131 @npalm - Add SSM session manager support #121 #126 @npalm - Move to github actions #130 @npalm @@ -229,7 +231,8 @@ Module is available as Terraform 0.11 module, pin module to version 3.x. Please - Update default AMI's to The latest Amazon Linux AMI 2017.09.1 - released on 2018-01-17. - Minor updates in the example -[Unreleased]: https://github.com/npalm/terraform-aws-gitlab-runner/compare/4.4.0...HEAD +[Unreleased]: https://github.com/npalm/terraform-aws-gitlab-runner/compare/4.5.0...HEAD +[4.5.0]: https://github.com/npalm/terraform-aws-gitlab-runner/compare/4.4.0...4.5.0 [4.4.0]: https://github.com/npalm/terraform-aws-gitlab-runner/compare/4.3.0...4.4.0 [4.3.0]: https://github.com/npalm/terraform-aws-gitlab-runner/compare/4.2.0...4.3.0 [4.2.0]: https://github.com/npalm/terraform-aws-gitlab-runner/compare/4.1.0...4.2.0