Merge branch 'release/4.14.0'

CHANGELOG.md

@@ -7,6 +7,11 @@ and this project adheres to [Semantic Versioning](http://semver.org/).
 
 ## Unreleased
 
+## 4.14.0 - 2020-04094
+- Add: Allow traffic from a list of security group IDs (#207) by @fliphess
+- Bugfix: Fix missing policy for existing cache (#208, #206)
+
+
 ## 4.13.0 - 2020-03-26
 - Add: variables `cache_lifecycle_prefix` and `cache_lifecycle_clear` to increase flexibility of the cache usages.
 - Add: Parametrize the AWS ARN for policies (#203) @ericamador
@@ -291,7 +296,9 @@ Module is available as Terraform 0.11 module, pin module to version 3.x. Please
 - Update default AMI's to The latest Amazon Linux AMI 2017.09.1 - released on 2018-01-17.
 - Minor updates in the example
 
-[Unreleased]: https://github.com/npalm/terraform-aws-gitlab-runner/compare/4.12.0...HEAD
+[Unreleased]: https://github.com/npalm/terraform-aws-gitlab-runner/compare/4.14.0...HEAD
+[4.13.0]: https://github.com/npalm/terraform-aws-gitlab-runner/compare/4.14.0...4.13.0
+[4.13.0]: https://github.com/npalm/terraform-aws-gitlab-runner/compare/4.13.0...4.12.0
 [4.12.0]: https://github.com/npalm/terraform-aws-gitlab-runner/compare/4.12.0...4.11.1
 [4.11.1]: https://github.com/npalm/terraform-aws-gitlab-runner/compare/4.11.1...4.11.0
 [4.11.0]: https://github.com/npalm/terraform-aws-gitlab-runner/compare/4.11.0...4.10.0

_docs/TF_MODULE.md

@@ -40,7 +40,8 @@
 | enable\_schedule | Flag used to enable/disable auto scaling group schedule for the runner instance. | `bool` | `false` | no |
 | environment | A name that identifies the environment, used as prefix and for tagging. | `string` | n/a | yes |
 | gitlab\_runner\_registration\_config | Configuration used to register the runner. See the README for an example, or reference the examples in the examples directory of this repo. | `map(string)` | <pre>{<br>  "access_level": "",<br>  "description": "",<br>  "locked_to_project": "",<br>  "maximum_timeout": "",<br>  "registration_token": "",<br>  "run_untagged": "",<br>  "tag_list": ""<br>}</pre> | no |
-| gitlab\_runner\_ssh\_cidr\_blocks | List of CIDR blocks to allow SSH Access to the gitlab runner instance. | `list(string)` | <pre>[<br>  "0.0.0.0/0"<br>]</pre> | no |
+| gitlab\_runner\_ssh\_cidr\_blocks | List of CIDR blocks to allow SSH Access to the gitlab runner instance. | `list(string)` | <pre>[<br>]</pre> | no |
+| gitlab\_runner\_security\_group\_ids | List of security group IDs to allow Access to the gitlab runner instances. | `list(string)` | <pre>[<br>]</pre>` | no |
 | gitlab\_runner\_version | Version of the GitLab runner. | `string` | `"12.8.0"` | no |
 | instance\_role\_json | Default runner instance override policy, expected to be in JSON format. | `string` | `""` | no |
 | instance\_type | Instance type used for the GitLab runner. | `string` | `"t3.micro"` | no |

examples/runner-default/_docs/README.md

@@ -7,6 +7,7 @@ This examples shows:
 - No SSH keys, you can log into the instance via SSM (Session Manager).
 - Registration via GitLab token.
 - Auto scaling using `docker+machine` executor.
+- Addtional security groups that are allowed access to the runner agent
 
 ![runners-default](https://github.com/npalm/assets/raw/master/images/terraform-aws-gitlab-runner/runner-default.png)
 

examples/runner-default/main.tf

@@ -2,6 +2,10 @@ data "aws_availability_zones" "available" {
   state = "available"
 }
 
+data "aws_security_group" "default" {
+  name = "default"
+}
+
 module "vpc" {
   source  = "terraform-aws-modules/vpc/aws"
   version = "2.21"
@@ -37,6 +41,8 @@ module "runner" {
   enable_runner_ssm_access = true
   enable_eip               = true
 
+  gitlab_runner_security_group_ids = [data.aws_security_group.default.id]
+
   docker_machine_spot_price_bid = "0.06"
 
   gitlab_runner_registration_config = {

main.tf

@@ -6,133 +6,6 @@ resource "aws_key_pair" "key" {
   public_key = var.ssh_public_key
 }
 
-resource "aws_security_group" "runner" {
-  name_prefix = "${var.environment}-security-group"
-  vpc_id      = var.vpc_id
-
-  egress {
-    from_port   = 0
-    to_port     = 0
-    protocol    = "-1"
-    cidr_blocks = ["0.0.0.0/0"]
-  }
-
-  tags = merge(
-    local.tags,
-    {
-      "Name" = format("%s", local.name_sg)
-    },
-  )
-}
-
-resource "aws_security_group_rule" "runner_ssh" {
-  count = var.enable_gitlab_runner_ssh_access ? 1 : 0
-
-  type        = "ingress"
-  from_port   = 22
-  to_port     = 22
-  protocol    = "tcp"
-  cidr_blocks = var.gitlab_runner_ssh_cidr_blocks
-
-  security_group_id = aws_security_group.runner.id
-}
-
-resource "aws_security_group_rule" "runner_ping" {
-  count = var.enable_ping ? 1 : 0
-
-  type        = "ingress"
-  from_port   = -1
-  to_port     = -1
-  protocol    = "icmp"
-  cidr_blocks = var.gitlab_runner_ssh_cidr_blocks
-
-  security_group_id = aws_security_group.runner.id
-}
-
-resource "aws_security_group" "docker_machine" {
-  name_prefix = "${var.environment}-docker-machine"
-  vpc_id      = var.vpc_id
-
-  tags = merge(
-    local.tags,
-    {
-      "Name" = format("%s", local.name_sg)
-    },
-  )
-}
-
-resource "aws_security_group_rule" "docker_machine_docker_runner" {
-  type                     = "ingress"
-  from_port                = 2376
-  to_port                  = 2376
-  protocol                 = "tcp"
-  source_security_group_id = aws_security_group.runner.id
-
-  security_group_id = aws_security_group.docker_machine.id
-}
-
-resource "aws_security_group_rule" "docker_machine_docker_self" {
-  type      = "ingress"
-  from_port = 2376
-  to_port   = 2376
-  protocol  = "tcp"
-  self      = true
-
-  security_group_id = aws_security_group.docker_machine.id
-}
-
-resource "aws_security_group_rule" "docker_machine_ssh_runner" {
-  type                     = "ingress"
-  from_port                = 22
-  to_port                  = 22
-  protocol                 = "tcp"
-  source_security_group_id = aws_security_group.runner.id
-
-  security_group_id = aws_security_group.docker_machine.id
-}
-
-resource "aws_security_group_rule" "docker_machine_ping_runner" {
-  count                    = var.enable_ping ? 1 : 0
-  type                     = "ingress"
-  from_port                = -1
-  to_port                  = -1
-  protocol                 = "icmp"
-  source_security_group_id = aws_security_group.runner.id
-
-  security_group_id = aws_security_group.docker_machine.id
-}
-
-resource "aws_security_group_rule" "docker_machine_ssh_self" {
-  type      = "ingress"
-  from_port = 22
-  to_port   = 22
-  protocol  = "tcp"
-  self      = true
-
-  security_group_id = aws_security_group.docker_machine.id
-}
-
-resource "aws_security_group_rule" "docker_machine_ping_self" {
-  count     = var.enable_ping ? 1 : 0
-  type      = "ingress"
-  from_port = -1
-  to_port   = -1
-  protocol  = "icmp"
-  self      = true
-
-  security_group_id = aws_security_group.docker_machine.id
-}
-
-resource "aws_security_group_rule" "out_all" {
-  type        = "egress"
-  from_port   = 0
-  to_port     = 65535
-  protocol    = "-1"
-  cidr_blocks = ["0.0.0.0/0"]
-
-  security_group_id = aws_security_group.docker_machine.id
-}
-
 # Parameter value is managed by the user-data script of the gitlab runner instance
 resource "aws_ssm_parameter" "runner_registration_token" {
   name  = local.secure_parameter_store_runner_token_key
@@ -451,7 +324,7 @@ resource "aws_iam_role_policy_attachment" "instance_session_manager_aws_managed"
 ### Policy for the docker machine instance to access cache
 ################################################################################
 resource "aws_iam_role_policy_attachment" "docker_machine_cache_instance" {
-  count      = var.cache_bucket["create"] ? 1 : 0
+  count      = var.cache_bucket["create"] || var.cache_bucket["policy"] != "" ? 1 : 0
   role       = aws_iam_role.instance.name
   policy_arn = local.bucket_policy
 }