Merge branch 'release/4.12.0'

cattle-ops · Mar 16, 2020 · 3195005 · 3195005
2 parents 4650a95 + 82ff83e
commit 3195005
Show file tree

Hide file tree

Showing 7 changed files with 40 additions and 11 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,6 +7,11 @@ and this project adheres to [Semantic Versioning](http://semver.org/).
 
 ## Unreleased
 
+## 4.12.0 - 2020-03-16
+- Add: Option for permissions boundary (#195) @mhulscher
+- Bugfix: Fix cancel spot instance script from destroy provisioners are deprecate
+- Change: Update default GitLab runner version to 12.8.0
+
 ## 4.11.1 - 2020-02-27
 - Bugfix: #187 - fix double comma in tag list for docker machine
 
@@ -279,7 +284,8 @@ Module is available as Terraform 0.11 module, pin module to version 3.x. Please
 - Update default AMI's to The latest Amazon Linux AMI 2017.09.1 - released on 2018-01-17.
 - Minor updates in the example
 
-[Unreleased]: https://github.com/npalm/terraform-aws-gitlab-runner/compare/4.11.1...HEAD
+[Unreleased]: https://github.com/npalm/terraform-aws-gitlab-runner/compare/4.12.0...HEAD
+[4.12.0]: https://github.com/npalm/terraform-aws-gitlab-runner/compare/4.12.0...4.11.1
 [4.11.1]: https://github.com/npalm/terraform-aws-gitlab-runner/compare/4.11.1...4.11.0
 [4.11.0]: https://github.com/npalm/terraform-aws-gitlab-runner/compare/4.11.0...4.10.0
 [4.10.0]: https://github.com/npalm/terraform-aws-gitlab-runner/compare/4.10.0...4.9.0

diff --git a/README.md b/README.md
@@ -274,12 +274,13 @@ terraform destroy
 | environment | A name that identifies the environment, used as prefix and for tagging. | `string` | n/a | yes |
 | gitlab\_runner\_registration\_config | Configuration used to register the runner. See the README for an example, or reference the examples in the examples directory of this repo. | `map(string)` | <pre>{<br>  "access_level": "",<br>  "description": "",<br>  "locked_to_project": "",<br>  "maximum_timeout": "",<br>  "registration_token": "",<br>  "run_untagged": "",<br>  "tag_list": ""<br>}</pre> | no |
 | gitlab\_runner\_ssh\_cidr\_blocks | List of CIDR blocks to allow SSH Access to the gitlab runner instance. | `list(string)` | <pre>[<br>  "0.0.0.0/0"<br>]</pre> | no |
-| gitlab\_runner\_version | Version of the GitLab runner. | `string` | `"12.7.1"` | no |
+| gitlab\_runner\_version | Version of the GitLab runner. | `string` | `"12.8.0"` | no |
 | instance\_role\_json | Default runner instance override policy, expected to be in JSON format. | `string` | `""` | no |
 | instance\_type | Instance type used for the GitLab runner. | `string` | `"t3.micro"` | no |
 | kms\_deletion\_window\_in\_days | Key rotation window, set to 0 for no rotation. Only used when `enable_kms` is set to `true`. | `number` | `7` | no |
 | kms\_key\_id | KMS key id to encrypted the CloudWatch logs. Ensure CloudWatch has access to the provided KMS key. | `string` | `""` | no |
 | overrides | This maps provides the possibility to override some defaults. The following attributes are supported: `name_sg` overwrite the `Name` tag for all security groups created by this module. `name_runner_agent_instance` override the `Name` tag for the ec2 instance defined in the auto launch configuration. `name_docker_machine_runners` ovverrid the `Name` tag spot instances created by the runner agent. | `map(string)` | <pre>{<br>  "name_docker_machine_runners": "",<br>  "name_runner_agent_instance": "",<br>  "name_sg": ""<br>}</pre> | no |
+| permissions\_boundary | Name of permissions boundary policy to attach to AWS IAM roles | `string` | `""` | no |
 | runner\_ami\_filter | List of maps used to create the AMI filter for the Gitlab runner docker-machine AMI. | `map(list(string))` | <pre>{<br>  "name": [<br>    "ubuntu/images/hvm-ssd/ubuntu-bionic-18.04-amd64-server-*"<br>  ]<br>}</pre> | no |
 | runner\_ami\_owners | The list of owners used to select the AMI of Gitlab runner docker-machine instances. | `list(string)` | <pre>[<br>  "099720109477"<br>]</pre> | no |
 | runner\_instance\_ebs\_optimized | Enable the GitLab runner instance to be EBS-optimized. | `bool` | `true` | no |

diff --git a/_docs/TF_MODULE.md b/_docs/TF_MODULE.md
@@ -40,12 +40,13 @@
 | environment | A name that identifies the environment, used as prefix and for tagging. | `string` | n/a | yes |
 | gitlab\_runner\_registration\_config | Configuration used to register the runner. See the README for an example, or reference the examples in the examples directory of this repo. | `map(string)` | <pre>{<br>  "access_level": "",<br>  "description": "",<br>  "locked_to_project": "",<br>  "maximum_timeout": "",<br>  "registration_token": "",<br>  "run_untagged": "",<br>  "tag_list": ""<br>}</pre> | no |
 | gitlab\_runner\_ssh\_cidr\_blocks | List of CIDR blocks to allow SSH Access to the gitlab runner instance. | `list(string)` | <pre>[<br>  "0.0.0.0/0"<br>]</pre> | no |
-| gitlab\_runner\_version | Version of the GitLab runner. | `string` | `"12.7.1"` | no |
+| gitlab\_runner\_version | Version of the GitLab runner. | `string` | `"12.8.0"` | no |
 | instance\_role\_json | Default runner instance override policy, expected to be in JSON format. | `string` | `""` | no |
 | instance\_type | Instance type used for the GitLab runner. | `string` | `"t3.micro"` | no |
 | kms\_deletion\_window\_in\_days | Key rotation window, set to 0 for no rotation. Only used when `enable_kms` is set to `true`. | `number` | `7` | no |
 | kms\_key\_id | KMS key id to encrypted the CloudWatch logs. Ensure CloudWatch has access to the provided KMS key. | `string` | `""` | no |
 | overrides | This maps provides the possibility to override some defaults. The following attributes are supported: `name_sg` overwrite the `Name` tag for all security groups created by this module. `name_runner_agent_instance` override the `Name` tag for the ec2 instance defined in the auto launch configuration. `name_docker_machine_runners` ovverrid the `Name` tag spot instances created by the runner agent. | `map(string)` | <pre>{<br>  "name_docker_machine_runners": "",<br>  "name_runner_agent_instance": "",<br>  "name_sg": ""<br>}</pre> | no |
+| permissions\_boundary | Name of permissions boundary policy to attach to AWS IAM roles | `string` | `""` | no |
 | runner\_ami\_filter | List of maps used to create the AMI filter for the Gitlab runner docker-machine AMI. | `map(list(string))` | <pre>{<br>  "name": [<br>    "ubuntu/images/hvm-ssd/ubuntu-bionic-18.04-amd64-server-*"<br>  ]<br>}</pre> | no |
 | runner\_ami\_owners | The list of owners used to select the AMI of Gitlab runner docker-machine instances. | `list(string)` | <pre>[<br>  "099720109477"<br>]</pre> | no |
 | runner\_instance\_ebs\_optimized | Enable the GitLab runner instance to be EBS-optimized. | `bool` | `true` | no |

diff --git a/ci/bin/cancel-spot-instances.sh b/ci/bin/cancel-spot-instances.sh
@@ -1,11 +1,14 @@
 #!/usr/bin/env sh
 
-hash jq aws &>/dev/null || { echo >&2 "I require jq and AWS CLI but one or both is not installed.  Aborting."; exit 1; }
+hash jq aws &>/dev/null || {
+    echo >&2 "I require jq and AWS CLI but one or both is not installed.  Aborting."
+    exit 1
+}
 
 SPOT_REQUESTS=$(aws ec2 describe-spot-instance-requests --filters "Name=state,Values=active,open" | jq -r '[ .SpotInstanceRequests[] | select( .LaunchSpecification.IamInstanceProfile.Name | contains("'$1'")) ]')
 
 # It's possible there's no spot requests to cancel, so be safe.
-if ["$SPOT_REQUESTS" != "[]"]
+if ["$SPOT_REQUESTS" != "[]"]; then
     echo $SPOT_REQUESTS | jq -r '.[].InstanceId' | xargs aws ec2 terminate-instances --instance-ids
     echo $SPOT_REQUESTS | jq -r '.[].SpotInstanceRequestId' | xargs aws ec2 cancel-spot-instance-requests --spot-instance-request-ids
 else

diff --git a/examples/runner-docker/main.tf b/examples/runner-docker/main.tf
@@ -25,6 +25,8 @@ module "runner" {
   aws_region  = var.aws_region
   environment = var.environment
 
+  ssh_public_key = local_file.public_ssh_key.content
+
   runners_use_private_address = false
   enable_eip                  = true
 

diff --git a/main.tf b/main.tf
@@ -114,13 +114,21 @@ resource "aws_ssm_parameter" "runner_registration_token" {
 
 resource "null_resource" "remove_runner" {
   depends_on = [aws_ssm_parameter.runner_registration_token]
+  triggers = {
+    script                                  = "${path.module}/bin/remove-runner.sh"
+    aws_region                              = var.aws_region
+    runners_gitlab_url                      = var.runners_gitlab_url
+    secure_parameter_store_runner_token_key = local.secure_parameter_store_runner_token_key
+  }
+
   provisioner "local-exec" {
     when       = destroy
     on_failure = continue
-    command    = "${path.module}/bin/remove-runner.sh ${var.aws_region} ${var.runners_gitlab_url} ${local.secure_parameter_store_runner_token_key}"
+    command    = "${self.triggers.script} ${self.triggers.aws_region} ${self.triggers.runners_gitlab_url} ${self.triggers.secure_parameter_store_runner_token_key}"
   }
 }
 
+
 data "template_file" "user_data" {
   template = file("${path.module}/template/user-data.tpl")
 
@@ -397,8 +405,9 @@ data "template_file" "instance_role_trust_policy" {
 }
 
 resource "aws_iam_role" "instance" {
-  name               = "${var.environment}-instance-role"
-  assume_role_policy = data.template_file.instance_role_trust_policy.rendered
+  name                 = "${var.environment}-instance-role"
+  assume_role_policy   = data.template_file.instance_role_trust_policy.rendered
+  permissions_boundary = var.permissions_boundary == "" ? null : "arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/${var.permissions_boundary}"
 }
 
 ################################################################################
@@ -478,8 +487,9 @@ data "template_file" "dockermachine_role_trust_policy" {
 }
 
 resource "aws_iam_role" "docker_machine" {
-  name               = "${var.environment}-docker-machine-role"
-  assume_role_policy = data.template_file.dockermachine_role_trust_policy.rendered
+  name                 = "${var.environment}-docker-machine-role"
+  assume_role_policy   = data.template_file.dockermachine_role_trust_policy.rendered
+  permissions_boundary = var.permissions_boundary == "" ? null : "arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/${var.permissions_boundary}"
 }
 
 resource "aws_iam_instance_profile" "docker_machine" {

diff --git a/variables.tf b/variables.tf
@@ -300,7 +300,7 @@ variable "cache_shared" {
 variable "gitlab_runner_version" {
   description = "Version of the GitLab runner."
   type        = string
-  default     = "12.7.1"
+  default     = "12.8.0"
 }
 
 variable "enable_gitlab_runner_ssh_access" {
@@ -526,3 +526,9 @@ variable "enable_forced_updates" {
   default     = false
   type        = bool
 }
+
+variable "permissions_boundary" {
+  description = "Name of permissions boundary policy to attach to AWS IAM roles"
+  default     = ""
+  type        = string
+}