From c50794eb9d878b921d411bc2e5e4047df4764d39 Mon Sep 17 00:00:00 2001 From: Stephen Bishtawi Date: Fri, 4 Oct 2019 13:19:30 -0700 Subject: [PATCH 01/14] Add option to limit docker machine ssh ingress access to only the runner --- main.tf | 26 ++++++++++++++++++++++++++ variables.tf | 12 ++++++------ 2 files changed, 32 insertions(+), 6 deletions(-) diff --git a/main.tf b/main.tf index 3f7fb951a..df0cf7bf4 100644 --- a/main.tf +++ b/main.tf @@ -68,6 +68,8 @@ resource "aws_security_group_rule" "docker_machine_docker_self" { } resource "aws_security_group_rule" "docker_machine_ssh" { + count = var.docker_machine_ssh_restrict_ingress_to_runner ? 0 : 1 + type = "ingress" from_port = 22 to_port = 22 @@ -77,6 +79,30 @@ resource "aws_security_group_rule" "docker_machine_ssh" { security_group_id = aws_security_group.docker_machine.id } +resource "aws_security_group_rule" "docker_machine_ssh_runner" { + count = var.docker_machine_ssh_restrict_ingress_to_runner ? 1 : 0 + + type = "ingress" + from_port = 22 + to_port = 22 + protocol = "tcp" + source_security_group_id = aws_security_group.runner.id + + security_group_id = aws_security_group.docker_machine.id +} + +resource "aws_security_group_rule" "docker_machine_ssh_self" { + count = var.docker_machine_ssh_restrict_ingress_to_runner ? 1 : 0 + + type = "ingress" + from_port = 22 + to_port = 22 + protocol = "tcp" + self = true + + security_group_id = aws_security_group.docker_machine.id +} + resource "aws_security_group_rule" "out_all" { type = "egress" from_port = 0 diff --git a/variables.tf b/variables.tf index e7615e515..93fd2bfd6 100644 --- a/variables.tf +++ b/variables.tf 
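Review bot: The new `docker_machine_ssh_self` rule (`self = true`) lets every docker-machine instance SSH into every other one, which is wider than the "only the runner" access that `docker_machine_ssh_restrict_ingress_to_runner` promises; if the runner agent is the only SSH client, drop that rule, otherwise say in the variable description that peer SSH inside the docker-machine security group is also allowed. In the preceding hunk, adding `count` to the existing `docker_machine_ssh` rule changes its address from `aws_security_group_rule.docker_machine_ssh` to `aws_security_group_rule.docker_machine_ssh[0]`, so existing deployments will plan a destroy and recreate of that rule on upgrade unless it is moved with `terraform state mv`; the commit message should mention this. A short comment above each new rule, e.g. `# runner agent reaches the docker-machine instances over SSH (adjust if other clients exist)`, would record why port 22 is open at all.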
@@ -309,18 +309,18 @@ variable "gitlab_runner_ssh_cidr_blocks" { default = ["0.0.0.0/0"] } -variable "docker_machine_docker_cidr_blocks" { - description = "List of CIDR blocks to allow Docker Access to the docker machine runner instance." - type = list(string) - default = ["0.0.0.0/0"] -} - variable "docker_machine_ssh_cidr_blocks" { description = "List of CIDR blocks to allow SSH Access to the docker machine runner instance." type = list(string) default = ["0.0.0.0/0"] } +variable "docker_machine_ssh_restrict_ingress_to_runner" { + description = "Instead of using cidr blocks to control docker machine SSH ingress access, limit access to only the runner via its security group" + type = bool + default = false +} + variable "enable_cloudwatch_logging" { description = "Boolean used to enable or disable the CloudWatch logging." type = bool From 5669fec09958065da40c9dff43954faddf6b5b80 Mon Sep 17 00:00:00 2001 From: Stephen Bishtawi Date: Mon, 7 Oct 2019 09:18:12 -0700 Subject: [PATCH 02/14] code cleanup --- main.tf | 16 ---------------- variables.tf | 12 ------------ 2 files changed, 28 deletions(-) diff --git a/main.tf b/main.tf index df0cf7bf4..25ae868a0 100644 --- a/main.tf +++ b/main.tf @@ -67,21 +67,7 @@ resource "aws_security_group_rule" "docker_machine_docker_self" { security_group_id = aws_security_group.docker_machine.id } -resource "aws_security_group_rule" "docker_machine_ssh" { - count = var.docker_machine_ssh_restrict_ingress_to_runner ? 0 : 1 - - type = "ingress" - from_port = 22 - to_port = 22 - protocol = "tcp" - cidr_blocks = var.docker_machine_ssh_cidr_blocks - - security_group_id = aws_security_group.docker_machine.id -} - resource "aws_security_group_rule" "docker_machine_ssh_runner" { - count = var.docker_machine_ssh_restrict_ingress_to_runner ? 1 : 0 - type = "ingress" from_port = 22 to_port = 22 
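Review bot: This hunk also deletes `docker_machine_docker_cidr_blocks`, which the subject ("limit docker machine ssh ingress") does not cover; main.tf in this patch has only insertions, so either that variable was already unreferenced and its removal belongs in its own commit, or a `var.docker_machine_docker_cidr_blocks` reference survives and `terraform validate` will fail — worth checking before merge. The new variable's description should also state the fallback, since with the default `false` the `docker_machine_ssh_cidr_blocks` list (default `0.0.0.0/0`) still governs SSH ingress, e.g. `description = "Restrict docker machine SSH ingress to the runner security group (and the docker machine group itself) instead of docker_machine_ssh_cidr_blocks; when false the CIDR list applies."`.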
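Review bot: Deleting `docker_machine_ssh` and the `count` guards makes the runner/self SSH rules unconditional and removes CIDR-based SSH ingress to the docker-machine instances altogether, which changes behaviour for anyone who set `docker_machine_ssh_cidr_blocks`; the subject "code cleanup" should instead state this as a breaking change. The next hunk and the variables.tf hunk of this patch, which drop the remaining `count` and the `docker_machine_ssh_cidr_blocks` / `docker_machine_ssh_restrict_ingress_to_runner` variables, are part of the same change and deserve the same note. The `docker_machine_ssh_runner` block continues past the end of this hunk.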
@@ -92,8 +78,6 @@ resource "aws_security_group_rule" "docker_machine_ssh_runner" { } resource "aws_security_group_rule" "docker_machine_ssh_self" { - count = var.docker_machine_ssh_restrict_ingress_to_runner ? 1 : 0 - type = "ingress" from_port = 22 to_port = 22 diff --git a/variables.tf b/variables.tf index 93fd2bfd6..1ec47e1f1 100644 --- a/variables.tf +++ b/variables.tf @@ -309,18 +309,6 @@ variable "gitlab_runner_ssh_cidr_blocks" { default = ["0.0.0.0/0"] } -variable "docker_machine_ssh_cidr_blocks" { - description = "List of CIDR blocks to allow SSH Access to the docker machine runner instance." - type = list(string) - default = ["0.0.0.0/0"] -} - -variable "docker_machine_ssh_restrict_ingress_to_runner" { - description = "Instead of using cidr blocks to control docker machine SSH ingress access, limit access to only the runner via its security group" - type = bool - default = false -} - variable "enable_cloudwatch_logging" { description = "Boolean used to enable or disable the CloudWatch logging." type = bool From 6eef43fe3275963686d2c4f8a39c31eb950184c3 Mon Sep 17 00:00:00 2001 From: Stephen Bishtawi Date: Mon, 7 Oct 2019 23:11:06 -0700 Subject: [PATCH 03/14] Support public IP addresses --- main.tf | 24 ++++++++++++++++++++++++ variables.tf | 12 ++++++++++++ 2 files changed, 36 insertions(+) diff --git a/main.tf b/main.tf index 25ae868a0..75352af1f 100644 --- a/main.tf +++ b/main.tf @@ -47,6 +47,18 @@ resource "aws_security_group" "docker_machine" { ) } +resource "aws_security_group_rule" "docker_machine_docker_external" { + count = var.runners_use_private_address ? 0 : 1 + + type = "ingress" + from_port = 2376 + to_port = 2376 + protocol = "tcp" + cidr_blocks = var.docker_machine_docker_cidr_blocks + + security_group_id = aws_security_group.docker_machine.id +} + resource "aws_security_group_rule" "docker_machine_docker_runner" { type = "ingress" from_port = 2376 
@@ -67,6 +79,18 @@ resource "aws_security_group_rule" "docker_machine_docker_self" { security_group_id = aws_security_group.docker_machine.id } +resource "aws_security_group_rule" "docker_machine_ssh_external" { + count = var.runners_use_private_address ? 0 : 1 + + type = "ingress" + from_port = 22 + to_port = 22 + protocol = "tcp" + cidr_blocks = var.docker_machine_ssh_cidr_blocks + + security_group_id = aws_security_group.docker_machine.id +} + resource "aws_security_group_rule" "docker_machine_ssh_runner" { type = "ingress" from_port = 22 diff --git a/variables.tf b/variables.tf index 1ec47e1f1..922130029 100644 --- a/variables.tf +++ b/variables.tf @@ -309,6 +309,18 @@ variable "gitlab_runner_ssh_cidr_blocks" { default = ["0.0.0.0/0"] } +variable "docker_machine_docker_cidr_blocks" { + description = "List of CIDR blocks to allow Docker Access to the docker machine runner instance. Only relevant for public facing machines (when runners_use_private_address is false)." + type = list(string) + default = ["0.0.0.0/0"] +} + +variable "docker_machine_ssh_cidr_blocks" { + description = "List of CIDR blocks to allow SSH Access to the docker machine runner instance. Only relevant for public facing machines (when runners_use_private_address is false)." + type = list(string) + default = ["0.0.0.0/0"] +} + variable "enable_cloudwatch_logging" { description = "Boolean used to enable or disable the CloudWatch logging." type = bool From 4ccf9311e167b794660d5ca45276ea71c0f4fa67 Mon Sep 17 00:00:00 2001 From: Stephen Bishtawi Date: Tue, 8 Oct 2019 09:42:49 -0700 Subject: [PATCH 04/14] Update --- main.tf | 27 ++------------------------- template/runner-config.tpl | 5 +++-- variables.tf | 12 ------------ 3 files changed, 5 insertions(+), 39 deletions(-) diff --git a/main.tf b/main.tf index 75352af1f..722eebaff 100644 --- a/main.tf +++ b/main.tf 
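Review bot: `docker_machine_ssh_external` here and `docker_machine_docker_external` in the previous hunk are created whenever `runners_use_private_address` is false, and with the `default = ["0.0.0.0/0"]` restored in the variables.tf hunk of this patch that opens TCP 22 and 2376 on public-facing docker-machine instances to the whole internet unless the operator overrides the lists; an empty default (`default = []`) would make a public deployment opt in explicitly, which is the safer shape for a module default. The descriptions say the lists are "only relevant" when `runners_use_private_address` is false, but nothing in main.tf ties the two together for a reader; a comment such as `# public-facing machines only, see runners_use_private_address` above each `count` would make that coupling visible where the rule is defined.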
@@ -47,18 +47,6 @@ resource "aws_security_group" "docker_machine" { ) } -resource "aws_security_group_rule" "docker_machine_docker_external" { - count = var.runners_use_private_address ? 0 : 1 - - type = "ingress" - from_port = 2376 - to_port = 2376 - protocol = "tcp" - cidr_blocks = var.docker_machine_docker_cidr_blocks - - security_group_id = aws_security_group.docker_machine.id -} - resource "aws_security_group_rule" "docker_machine_docker_runner" { type = "ingress" from_port = 2376 @@ -79,18 +67,6 @@ resource "aws_security_group_rule" "docker_machine_docker_self" { security_group_id = aws_security_group.docker_machine.id } -resource "aws_security_group_rule" "docker_machine_ssh_external" { - count = var.runners_use_private_address ? 0 : 1 - - type = "ingress" - from_port = 22 - to_port = 22 - protocol = "tcp" - cidr_blocks = var.docker_machine_ssh_cidr_blocks - - security_group_id = aws_security_group.docker_machine.id -} - resource "aws_security_group_rule" "docker_machine_ssh_runner" { type = "ingress" from_port = 22 @@ -238,7 +214,8 @@ data "template_file" "runners" { runners_off_peak_periods_string = local.runners_off_peak_periods_string runners_root_size = var.runners_root_size runners_iam_instance_profile_name = var.runners_iam_instance_profile_name - runners_use_private_address = var.runners_use_private_address + runners_use_private_address_only = var.runners_use_private_address + runners_use_private_address = var.runners_use_private_address ? false : true runners_environment_vars = jsonencode(var.runners_environment_vars) runners_pre_build_script = var.runners_pre_build_script runners_post_build_script = var.runners_post_build_script diff --git a/template/runner-config.tpl b/template/runner-config.tpl index 877f365ae..8b868295d 100644 --- a/template/runner-config.tpl +++ b/template/runner-config.tpl 
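Review bot: After this hunk the template key `runners_use_private_address` holds the negation of the Terraform variable of the same name (`var.runners_use_private_address ? false : true`) and, in the runner-config.tpl hunk that follows, feeds `amazonec2-use-private-address`, so the same name carries opposite meanings in variables.tf and in the template; rename the template key to what it controls (for example `runners_docker_machine_use_private_address`) or annotate the assignment, e.g. `# docker-machine: connect over the private IP even when a public IP is assigned`. If I read the amazonec2 driver flags correctly, `private-address-only` decides whether a public IP is assigned and `use-private-address` which IP docker-machine connects to, so the pair of values looks intentional, but the subject "Update" does not say so and the commit message should. The `data "template_file" "runners"` block starts and ends outside the hunk.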
@@ -21,7 +21,7 @@ check_interval = 0 volumes = ["/cache"${runners_additional_volumes}] shm_size = ${runners_shm_size} pull_policy = "${runners_pull_policy}" - [runners.docker.tmpfs] + [runners.docker.tmpfs] ${runners_volumes_tmpfs} [runners.docker.services_tmpfs] ${runners_services_volumes_tmpfs} @@ -45,7 +45,8 @@ check_interval = 0 "amazonec2-zone=${runners_aws_zone}", "amazonec2-vpc-id=${runners_vpc_id}", "amazonec2-subnet-id=${runners_subnet_id}", - "amazonec2-private-address-only=${runners_use_private_address}", + "amazonec2-private-address-only=${runners_use_private_address_only}", + "amazonec2-use-private-address=${runners_use_private_address}", "amazonec2-request-spot-instance=true", "amazonec2-spot-price=${runners_spot_price_bid}", "amazonec2-security-group=${runners_security_group_name}", diff --git a/variables.tf b/variables.tf index 922130029..1ec47e1f1 100644 --- a/variables.tf +++ b/variables.tf @@ -309,18 +309,6 @@ variable "gitlab_runner_ssh_cidr_blocks" { default = ["0.0.0.0/0"] } -variable "docker_machine_docker_cidr_blocks" { - description = "List of CIDR blocks to allow Docker Access to the docker machine runner instance. Only relevant for public facing machines (when runners_use_private_address is false)." - type = list(string) - default = ["0.0.0.0/0"] -} - -variable "docker_machine_ssh_cidr_blocks" { - description = "List of CIDR blocks to allow SSH Access to the docker machine runner instance. Only relevant for public facing machines (when runners_use_private_address is false)." - type = list(string) - default = ["0.0.0.0/0"] -} - variable "enable_cloudwatch_logging" { description = "Boolean used to enable or disable the CloudWatch logging." type = bool From cc4361fa5791728b26079ba1457624c9d89dc978 Mon Sep 17 00:00:00 2001 From: Stephen Bishtawi Date: Tue, 8 Oct 2019 09:52:40 -0700 Subject: [PATCH 05/14] cleanup --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index 722eebaff..c34f9c902 100644 
--- a/main.tf +++ b/main.tf @@ -215,7 +215,7 @@ data "template_file" "runners" { runners_root_size = var.runners_root_size runners_iam_instance_profile_name = var.runners_iam_instance_profile_name runners_use_private_address_only = var.runners_use_private_address - runners_use_private_address = var.runners_use_private_address ? false : true + runners_use_private_address = ! var.runners_use_private_address runners_environment_vars = jsonencode(var.runners_environment_vars) runners_pre_build_script = var.runners_pre_build_script runners_post_build_script = var.runners_post_build_script From 4ce2fd2fc77a093c997068d3fbeded2b774974f7 Mon Sep 17 00:00:00 2001 From: Niek Palm Date: Tue, 8 Oct 2019 20:37:36 +0200 Subject: [PATCH 06/14] Fixing Docker Machine Cerficiation Generation #143 (#145) Close #143 --- template/gitlab-runner.tpl | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/template/gitlab-runner.tpl b/template/gitlab-runner.tpl index 05960cb46..45c136dbb 100644 --- a/template/gitlab-runner.tpl +++ b/template/gitlab-runner.tpl @@ -23,7 +23,13 @@ curl --fail --retry 6 -L https://github.com/docker/machine/releases/download/v$ # Create a dummy machine so that the cert is generated properly # See: https://gitlab.com/gitlab-org/gitlab-runner/issues/3676 +# See: https://github.com/docker/machine/issues/3845#issuecomment-280389178 +export USER=root +export HOME=/root docker-machine create --driver none --url localhost dummy-machine +docker-machine rm -y dummy-machine +unset HOME +unset USER # Install jq if not exists if ! [ -x "$(command -v jq)" ]; then From 589ee22226973cd728b0b98d75ecf70ac0086f16 Mon Sep 17 00:00:00 2001 From: Alex Harvey Date: Wed, 9 Oct 2019 05:45:29 +1100 Subject: [PATCH 07/14] Remove docker_machine_user variable (#146) This was in the original version of the module and appears to be no longer used. --- variables.tf | 6 ------ 1 file changed, 6 deletions(-) diff --git a/variables.tf b/variables.tf index e7615e515..6135db493 100644 
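Review bot: `unset HOME` and `unset USER` at the end of the block discard whatever the user-data shell had in those variables before the dummy-machine step instead of restoring them, so every later command in this script that reads `$HOME` now runs with it unset; capture the previous values first and put them back. The new `docker-machine rm -y dummy-machine` will abort the whole provisioning script if it fails and the script runs under `set -e` (not visible in the hunk), so consider keeping that cleanup best-effort. A comment stating why root's environment is forced — presumably so the generated certificates land under `/root/.docker/machine` where the runner later looks for them, which the linked issue is the only hint of — would help the next reader more than the links alone. The script continues outside the hunk.

```shell
# Create a dummy machine so that the cert is generated properly
# See: https://gitlab.com/gitlab-org/gitlab-runner/issues/3676
# See: https://github.com/docker/machine/issues/3845#issuecomment-280389178
_prev_home="${HOME-}"
_prev_user="${USER-}"
export USER=root
export HOME=/root
docker-machine create --driver none --url localhost dummy-machine
docker-machine rm -y dummy-machine || true
# restore the caller's environment instead of discarding it
if [ -n "$_prev_home" ]; then export HOME="$_prev_home"; else unset HOME; fi
if [ -n "$_prev_user" ]; then export USER="$_prev_user"; else unset USER; fi
# … unchanged: jq install …
```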
--- a/variables.tf +++ b/variables.tf @@ -255,12 +255,6 @@ variable "runners_use_private_address" { default = true } -variable "docker_machine_user" { - description = "Username of the user used to create the spot instances that host docker-machine." - type = string - default = "docker-machine" -} - variable "cache_bucket_prefix" { description = "Prefix for s3 cache bucket name." type = string From 9b317d8f74246dabf7f100e4778b0fa400333a0a Mon Sep 17 00:00:00 2001 From: Alex Harvey Date: Wed, 9 Oct 2019 05:48:14 +1100 Subject: [PATCH 08/14] Delete unused create_runners_iam_instance_profile (#147) This variable appears to be no longer used anywhere. --- variables.tf | 6 ------ 1 file changed, 6 deletions(-) diff --git a/variables.tf b/variables.tf index 6135db493..763abe037 100644 --- a/variables.tf +++ b/variables.tf @@ -189,12 +189,6 @@ variable "runners_root_size" { default = 16 } -variable "create_runners_iam_instance_profile" { - description = "Boolean to control the creation of the runners IAM instance profile" - type = bool - default = true -} - variable "runners_iam_instance_profile_name" { description = "IAM instance profile name of the runners, will be used in the runner config.toml" type = string From 3a9739607abc4cf397669d91bc473235694be0ff Mon Sep 17 00:00:00 2001 From: Niek Palm Date: Tue, 8 Oct 2019 20:50:48 +0200 Subject: [PATCH 09/14] :pencil: update docs --- README.md | 94 ++++++++++++++++++++++++++++++++++++++++++++++ _docs/TF_MODULE.md | 94 ++++++++++++++++++++++++++++++++++++++++++++++ variables.tf | 4 +- 3 files changed, 190 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 7bdfaef07..58b79f82f 100644 --- a/README.md +++ b/README.md 
@@ -220,3 +220,97 @@ To destroy runner: ``` sh terraform destroy ``` + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|:----:|:-----:|:-----:| +| allow\_iam\_service\_linked\_role\_creation | Boolean used to control attaching the policy to a runner instance to create service linked roles. | bool | `"true"` | no | +| ami\_filter | List of maps used to create the AMI filter for the Gitlab runner agent AMI. Currently Amazon Linux 2 `amzn2-ami-hvm-2.0.????????-x86_64-ebs` looks to *not* be working for this configuration. | map(list(string)) | `` | no | +| ami\_owners | The list of owners used to select the AMI of Gitlab runner agent instances. | list(string) | `` | no | +| aws\_region | AWS region. | string | n/a | yes | +| aws\_zone | AWS availability zone (typically 'a', 'b', or 'c'). | string | `"a"` | no | +| cache\_bucket | Configuration to control the creation of the cache bucket. By default the bucket will be created and used as shared cache. To use the same cache cross multiple runners disable the cration of the cache and provice a policy and bucket name. See the public runner example for more details. | map | `` | no | +| cache\_bucket\_name\_include\_account\_id | Boolean to add current account ID to cache bucket name. | bool | `"true"` | no | +| cache\_bucket\_prefix | Prefix for s3 cache bucket name. | string | `""` | no | +| cache\_bucket\_versioning | Boolean used to enable versioning on the cache bucket, false by default. | bool | `"false"` | no | +| cache\_expiration\_days | Number of days before cache objects expires. | number | `"1"` | no | +| cache\_shared | Enables cache sharing between runners, false by default. | bool | `"false"` | no | +| docker\_machine\_docker\_cidr\_blocks | List of CIDR blocks to allow Docker Access to the docker machine runner instance. | list(string) | `` | no | +| docker\_machine\_instance\_type | Instance type used for the instances hosting docker-machine. 
| string | `"m5a.large"` | no | +| docker\_machine\_options | List of additional options for the docker machine config. Each element of this list must be a key=value pair. E.g. '["amazonec2-zone=a"]' | list(string) | `` | no | +| docker\_machine\_role\_json | Docker machine runner instance override policy, expected to be in JSON format. | string | `""` | no | +| docker\_machine\_spot\_price\_bid | Spot price bid. | string | `"0.06"` | no | +| docker\_machine\_ssh\_cidr\_blocks | List of CIDR blocks to allow SSH Access to the docker machine runner instance. | list(string) | `` | no | +| docker\_machine\_version | Version of docker-machine. | string | `"0.16.2"` | no | +| enable\_cloudwatch\_logging | Boolean used to enable or disable the CloudWatch logging. | bool | `"true"` | no | +| enable\_gitlab\_runner\_ssh\_access | Enables SSH Access to the gitlab runner instance. | bool | `"false"` | no | +| enable\_manage\_gitlab\_token | Boolean to enable the management of the GitLab token in SSM. If `true` the token will be stored in SSM, which means the SSM property is a terraform managed resource. If `false` the Gitlab token will be stored in the SSM by the user-data script during creation of the the instance. However the SSM parameter is not managed by terraform and will remain in SSM after a `terraform destroy`. | bool | `"true"` | no | +| enable\_runner\_ssm\_access | Add IAM policies to the runner agent instance to connect via the Session Manager. | bool | `"false"` | no | +| enable\_runner\_user\_data\_trace\_log | Enable bash xtrace for the user data script that creates the EC2 instance for the runner agent. Be aware this could log sensitive data such as you GitLab runner token. | bool | `"false"` | no | +| enable\_schedule | Flag used to enable/disable auto scaling group schedule for the runner instance. | bool | `"false"` | no | +| environment | A name that identifies the environment, used as prefix and for tagging. 
| string | n/a | yes | +| gitlab\_runner\_registration\_config | Configuration used to register the runner. See the README for an example, or reference the examples in the examples directory of this repo. | map(string) | `` | no | +| gitlab\_runner\_ssh\_cidr\_blocks | List of CIDR blocks to allow SSH Access to the gitlab runner instance. | list(string) | `` | no | +| gitlab\_runner\_version | Version of the GitLab runner. | string | `"12.3.0"` | no | +| instance\_role\_json | Default runner instance override policy, expected to be in JSON format. | string | `""` | no | +| instance\_type | Instance type used for the GitLab runner. | string | `"t3.micro"` | no | +| overrides | This maps provides the possibility to override some defaults. The following attributes are supported: `name_sg` overwrite the `Name` tag for all security groups created by this module. `name_runner_agent_instance` override the `Name` tag for the ec2 instance defined in the auto launch configuration. `name_docker_machine_runners` ovverrid the `Name` tag spot instances created by the runner agent. | map(string) | `` | no | +| runner\_ami\_filter | List of maps used to create the AMI filter for the Gitlab runner docker-machine AMI. | map(list(string)) | `` | no | +| runner\_ami\_owners | The list of owners used to select the AMI of Gitlab runner docker-machine instances. | list(string) | `` | no | +| runner\_instance\_spot\_price | By setting a spot price bid price the runner agent will be created via a spot request. Be aware that spot instances can be stopped by AWS. | string | `""` | no | +| runner\_root\_block\_device | The EC2 instance root block device configuration. 
Takes the following keys: `delete_on_termination`, `volume_type`, `volume_size`, `iops` | map(string) | `` | no | +| runners\_additional\_volumes | Additional volumes that will be used in the runner config.toml, e.g Docker socket | list | `` | no | +| runners\_concurrent | Concurrent value for the runners, will be used in the runner config.toml. | number | `"10"` | no | +| runners\_environment\_vars | Environment variables during build execution, e.g. KEY=Value, see runner-public example. Will be used in the runner config.toml | list(string) | `` | no | +| runners\_executor | The executor to use. Currently supports `docker+machine` or `docker`. | string | `"docker+machine"` | no | +| runners\_gitlab\_url | URL of the GitLab instance to connect to. | string | n/a | yes | +| runners\_iam\_instance\_profile\_name | IAM instance profile name of the runners, will be used in the runner config.toml | string | `""` | no | +| runners\_idle\_count | Idle count of the runners, will be used in the runner config.toml. | number | `"0"` | no | +| runners\_idle\_time | Idle time of the runners, will be used in the runner config.toml. | number | `"600"` | no | +| runners\_image | Image to run builds, will be used in the runner config.toml | string | `"docker:18.03.1-ce"` | no | +| runners\_limit | Limit for the runners, will be used in the runner config.toml. | number | `"0"` | no | +| runners\_max\_builds | Max builds for each runner after which it will be removed, will be used in the runner config.toml. By default set to 0, no maxBuilds will be set in the configuration. | number | `"0"` | no | +| runners\_monitoring | Enable detailed cloudwatch monitoring for spot instances. | bool | `"false"` | no | +| runners\_name | Name of the runner, will be used in the runner config.toml. | string | n/a | yes | +| runners\_off\_peak\_idle\_count | Off peak idle count of the runners, will be used in the runner config.toml. 
| number | `"0"` | no | +| runners\_off\_peak\_idle\_time | Off peak idle time of the runners, will be used in the runner config.toml. | number | `"0"` | no | +| runners\_off\_peak\_periods | Off peak periods of the runners, will be used in the runner config.toml. | string | `""` | no | +| runners\_off\_peak\_timezone | Off peak idle time zone of the runners, will be used in the runner config.toml. | string | `""` | no | +| runners\_output\_limit | Sets the maximum build log size in kilobytes, by default set to 4096 (4MB) | number | `"4096"` | no | +| runners\_post\_build\_script | Commands to be executed on the Runner just after executing the build, but before executing after_script. | string | `""` | no | +| runners\_pre\_build\_script | Script to execute in the pipeline just before the build, will be used in the runner config.toml | string | `""` | no | +| runners\_pre\_clone\_script | Commands to be executed on the Runner before cloning the Git repository. this can be used to adjust the Git client configuration first, for example. | string | `""` | no | +| runners\_privileged | Runners will run in privileged mode, will be used in the runner config.toml | bool | `"true"` | no | +| runners\_pull\_policy | pull_policy for the runners, will be used in the runner config.toml | string | `"always"` | no | +| runners\_request\_concurrency | Limit number of concurrent requests for new jobs from GitLab (default 1) | number | `"1"` | no | +| runners\_root\_size | Runner instance root size in GB. | number | `"16"` | no | +| runners\_services\_volumes\_tmpfs | Mount temporary file systems to service containers. Must consist of pairs of strings e.g. "/var/lib/mysql" = "rw,noexec", see example | list | `` | no | +| runners\_shm\_size | shm_size for the runners, will be used in the runner config.toml | number | `"0"` | no | +| runners\_token | Token for the runner, will be used in the runner config.toml. 
| string | `"__REPLACED_BY_USER_DATA__"` | no | +| runners\_use\_private\_address | Restrict runners to the use of a private IP address | bool | `"true"` | no | +| runners\_volumes\_tmpfs | Mount temporary file systems to the main containers. Must consist of pairs of strings e.g. "/var/lib/mysql" = "rw,noexec", see example | list | `` | no | +| schedule\_config | Map containing the configuration of the ASG scale-in and scale-up for the runner instance. Will only be used if enable_schedule is set to true. | map | `` | no | +| secure\_parameter\_store\_runner\_token\_key | The key name used store the Gitlab runner token in Secure Parameter Store | string | `"runner-token"` | no | +| ssh\_key\_pair | Set this to use existing AWS key pair | string | `""` | no | +| ssh\_public\_key | Public SSH key used for the GitLab runner EC2 instance. | string | `""` | no | +| subnet\_id\_runners | List of subnets used for hosting the gitlab-runners. | string | n/a | yes | +| subnet\_ids\_gitlab\_runner | Subnet used for hosting the GitLab runner. | list(string) | n/a | yes | +| tags | Map of tags that will be added to created resources. By default resources will be tagged with name and environment. | map(string) | `` | no | +| userdata\_post\_install | User-data script snippet to insert after GitLab runner install | string | `""` | no | +| userdata\_pre\_install | User-data script snippet to insert before GitLab runner install | string | `""` | no | +| vpc\_id | The target VPC for the docker-machine and runner instances. | string | n/a | yes | + +## Outputs + +| Name | Description | +|------|-------------| +| runner\_agent\_role\_arn | ARN of the role used for the ec2 instance for the GitLab runner agent. | +| runner\_agent\_role\_name | Name of the role used for the ec2 instance for the GitLab runner agent. | +| runner\_agent\_sg\_id | ID of the security group attached to the GitLab runner agent. 
| +| runner\_as\_group\_name | Name of the autoscaling group for the gitlab-runner instance | +| runner\_cache\_bucket\_arn | ARN of the S3 for the build cache. | +| runner\_cache\_bucket\_name | Name of the S3 for the build cache. | +| runner\_role\_arn | ARN of the role used for the docker machine runners. | +| runner\_role\_name | Name of the role used for the docker machine runners. | +| runner\_sg\_id | ID of the security group attached to the docker machine runners. | diff --git a/_docs/TF_MODULE.md b/_docs/TF_MODULE.md index e69de29bb..2b9cc48e0 100644 --- a/_docs/TF_MODULE.md +++ b/_docs/TF_MODULE.md 
@@ -0,0 +1,94 @@
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|:----:|:-----:|:-----:|
+| allow\_iam\_service\_linked\_role\_creation | Boolean used to control attaching the policy to a runner instance to create service linked roles. | bool | `"true"` | no |
+| ami\_filter | List of maps used to create the AMI filter for the Gitlab runner agent AMI. Currently Amazon Linux 2 `amzn2-ami-hvm-2.0.????????-x86_64-ebs` looks to *not* be working for this configuration. | map(list(string)) | `` | no |
+| ami\_owners | The list of owners used to select the AMI of Gitlab runner agent instances. | list(string) | `` | no |
+| aws\_region | AWS region. | string | n/a | yes |
+| aws\_zone | AWS availability zone (typically 'a', 'b', or 'c'). | string | `"a"` | no |
+| cache\_bucket | Configuration to control the creation of the cache bucket. By default the bucket will be created and used as shared cache. To use the same cache cross multiple runners disable the cration of the cache and provice a policy and bucket name. See the public runner example for more details. | map | `` | no |
+| cache\_bucket\_name\_include\_account\_id | Boolean to add current account ID to cache bucket name. | bool | `"true"` | no |
+| cache\_bucket\_prefix | Prefix for s3 cache bucket name. | string | `""` | no |
+| cache\_bucket\_versioning | Boolean used to enable versioning on the cache bucket, false by default. | bool | `"false"` | no |
+| cache\_expiration\_days | Number of days before cache objects expires. | number | `"1"` | no |
+| cache\_shared | Enables cache sharing between runners, false by default. | bool | `"false"` | no |
+| docker\_machine\_docker\_cidr\_blocks | List of CIDR blocks to allow Docker Access to the docker machine runner instance. | list(string) | `` | no |
+| docker\_machine\_instance\_type | Instance type used for the instances hosting docker-machine.
| string | `"m5a.large"` | no |
+| docker\_machine\_options | List of additional options for the docker machine config. Each element of this list must be a key=value pair. E.g. '["amazonec2-zone=a"]' | list(string) | `` | no |
+| docker\_machine\_role\_json | Docker machine runner instance override policy, expected to be in JSON format. | string | `""` | no |
+| docker\_machine\_spot\_price\_bid | Spot price bid. | string | `"0.06"` | no |
+| docker\_machine\_ssh\_cidr\_blocks | List of CIDR blocks to allow SSH Access to the docker machine runner instance. | list(string) | `` | no |
+| docker\_machine\_version | Version of docker-machine. | string | `"0.16.2"` | no |
+| enable\_cloudwatch\_logging | Boolean used to enable or disable the CloudWatch logging. | bool | `"true"` | no |
+| enable\_gitlab\_runner\_ssh\_access | Enables SSH Access to the gitlab runner instance. | bool | `"false"` | no |
+| enable\_manage\_gitlab\_token | Boolean to enable the management of the GitLab token in SSM. If `true` the token will be stored in SSM, which means the SSM property is a terraform managed resource. If `false` the Gitlab token will be stored in the SSM by the user-data script during creation of the the instance. However the SSM parameter is not managed by terraform and will remain in SSM after a `terraform destroy`. | bool | `"true"` | no |
+| enable\_runner\_ssm\_access | Add IAM policies to the runner agent instance to connect via the Session Manager. | bool | `"false"` | no |
+| enable\_runner\_user\_data\_trace\_log | Enable bash xtrace for the user data script that creates the EC2 instance for the runner agent. Be aware this could log sensitive data such as you GitLab runner token. | bool | `"false"` | no |
+| enable\_schedule | Flag used to enable/disable auto scaling group schedule for the runner instance. | bool | `"false"` | no |
+| environment | A name that identifies the environment, used as prefix and for tagging.
| string | n/a | yes |
+| gitlab\_runner\_registration\_config | Configuration used to register the runner. See the README for an example, or reference the examples in the examples directory of this repo. | map(string) | `` | no |
+| gitlab\_runner\_ssh\_cidr\_blocks | List of CIDR blocks to allow SSH Access to the gitlab runner instance. | list(string) | `` | no |
+| gitlab\_runner\_version | Version of the GitLab runner. | string | `"12.3.0"` | no |
+| instance\_role\_json | Default runner instance override policy, expected to be in JSON format. | string | `""` | no |
+| instance\_type | Instance type used for the GitLab runner. | string | `"t3.micro"` | no |
+| overrides | This maps provides the possibility to override some defaults. The following attributes are supported: `name_sg` overwrite the `Name` tag for all security groups created by this module. `name_runner_agent_instance` override the `Name` tag for the ec2 instance defined in the auto launch configuration. `name_docker_machine_runners` ovverrid the `Name` tag spot instances created by the runner agent. | map(string) | `` | no |
+| runner\_ami\_filter | List of maps used to create the AMI filter for the Gitlab runner docker-machine AMI. | map(list(string)) | `` | no |
+| runner\_ami\_owners | The list of owners used to select the AMI of Gitlab runner docker-machine instances. | list(string) | `` | no |
+| runner\_instance\_spot\_price | By setting a spot price bid price the runner agent will be created via a spot request. Be aware that spot instances can be stopped by AWS. | string | `""` | no |
+| runner\_root\_block\_device | The EC2 instance root block device configuration.
Takes the following keys: `delete_on_termination`, `volume_type`, `volume_size`, `iops` | map(string) | `` | no |
+| runners\_additional\_volumes | Additional volumes that will be used in the runner config.toml, e.g Docker socket | list | `` | no |
+| runners\_concurrent | Concurrent value for the runners, will be used in the runner config.toml. | number | `"10"` | no |
+| runners\_environment\_vars | Environment variables during build execution, e.g. KEY=Value, see runner-public example. Will be used in the runner config.toml | list(string) | `` | no |
+| runners\_executor | The executor to use. Currently supports `docker+machine` or `docker`. | string | `"docker+machine"` | no |
+| runners\_gitlab\_url | URL of the GitLab instance to connect to. | string | n/a | yes |
+| runners\_iam\_instance\_profile\_name | IAM instance profile name of the runners, will be used in the runner config.toml | string | `""` | no |
+| runners\_idle\_count | Idle count of the runners, will be used in the runner config.toml. | number | `"0"` | no |
+| runners\_idle\_time | Idle time of the runners, will be used in the runner config.toml. | number | `"600"` | no |
+| runners\_image | Image to run builds, will be used in the runner config.toml | string | `"docker:18.03.1-ce"` | no |
+| runners\_limit | Limit for the runners, will be used in the runner config.toml. | number | `"0"` | no |
+| runners\_max\_builds | Max builds for each runner after which it will be removed, will be used in the runner config.toml. By default set to 0, no maxBuilds will be set in the configuration. | number | `"0"` | no |
+| runners\_monitoring | Enable detailed cloudwatch monitoring for spot instances. | bool | `"false"` | no |
+| runners\_name | Name of the runner, will be used in the runner config.toml. | string | n/a | yes |
+| runners\_off\_peak\_idle\_count | Off peak idle count of the runners, will be used in the runner config.toml.
| number | `"0"` | no |
+| runners\_off\_peak\_idle\_time | Off peak idle time of the runners, will be used in the runner config.toml. | number | `"0"` | no |
+| runners\_off\_peak\_periods | Off peak periods of the runners, will be used in the runner config.toml. | string | `""` | no |
+| runners\_off\_peak\_timezone | Off peak idle time zone of the runners, will be used in the runner config.toml. | string | `""` | no |
+| runners\_output\_limit | Sets the maximum build log size in kilobytes, by default set to 4096 (4MB) | number | `"4096"` | no |
+| runners\_post\_build\_script | Commands to be executed on the Runner just after executing the build, but before executing after_script. | string | `""` | no |
+| runners\_pre\_build\_script | Script to execute in the pipeline just before the build, will be used in the runner config.toml | string | `""` | no |
+| runners\_pre\_clone\_script | Commands to be executed on the Runner before cloning the Git repository. this can be used to adjust the Git client configuration first, for example. | string | `""` | no |
+| runners\_privileged | Runners will run in privileged mode, will be used in the runner config.toml | bool | `"true"` | no |
+| runners\_pull\_policy | pull_policy for the runners, will be used in the runner config.toml | string | `"always"` | no |
+| runners\_request\_concurrency | Limit number of concurrent requests for new jobs from GitLab (default 1) | number | `"1"` | no |
+| runners\_root\_size | Runner instance root size in GB. | number | `"16"` | no |
+| runners\_services\_volumes\_tmpfs | Mount temporary file systems to service containers. Must consist of pairs of strings e.g. "/var/lib/mysql" = "rw,noexec", see example | list | `` | no |
+| runners\_shm\_size | shm_size for the runners, will be used in the runner config.toml | number | `"0"` | no |
+| runners\_token | Token for the runner, will be used in the runner config.toml.
| string | `"__REPLACED_BY_USER_DATA__"` | no |
+| runners\_use\_private\_address | Restrict runners to the use of a private IP address | bool | `"true"` | no |
+| runners\_volumes\_tmpfs | Mount temporary file systems to the main containers. Must consist of pairs of strings e.g. "/var/lib/mysql" = "rw,noexec", see example | list | `` | no |
+| schedule\_config | Map containing the configuration of the ASG scale-in and scale-up for the runner instance. Will only be used if enable_schedule is set to true. | map | `` | no |
+| secure\_parameter\_store\_runner\_token\_key | The key name used store the Gitlab runner token in Secure Parameter Store | string | `"runner-token"` | no |
+| ssh\_key\_pair | Set this to use existing AWS key pair | string | `""` | no |
+| ssh\_public\_key | Public SSH key used for the GitLab runner EC2 instance. | string | `""` | no |
+| subnet\_id\_runners | List of subnets used for hosting the gitlab-runners. | string | n/a | yes |
+| subnet\_ids\_gitlab\_runner | Subnet used for hosting the GitLab runner. | list(string) | n/a | yes |
+| tags | Map of tags that will be added to created resources. By default resources will be tagged with name and environment. | map(string) | `` | no |
+| userdata\_post\_install | User-data script snippet to insert after GitLab runner install | string | `""` | no |
+| userdata\_pre\_install | User-data script snippet to insert before GitLab runner install | string | `""` | no |
+| vpc\_id | The target VPC for the docker-machine and runner instances. | string | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| runner\_agent\_role\_arn | ARN of the role used for the ec2 instance for the GitLab runner agent. |
+| runner\_agent\_role\_name | Name of the role used for the ec2 instance for the GitLab runner agent. |
+| runner\_agent\_sg\_id | ID of the security group attached to the GitLab runner agent.
|
+| runner\_as\_group\_name | Name of the autoscaling group for the gitlab-runner instance |
+| runner\_cache\_bucket\_arn | ARN of the S3 for the build cache. |
+| runner\_cache\_bucket\_name | Name of the S3 for the build cache. |
+| runner\_role\_arn | ARN of the role used for the docker machine runners. |
+| runner\_role\_name | Name of the role used for the docker machine runners. |
+| runner\_sg\_id | ID of the security group attached to the docker machine runners. |
+
diff --git a/variables.tf b/variables.tf
index 763abe037..7be437296 100644
--- a/variables.tf
+++ b/variables.tf
@@ -463,12 +463,12 @@ variable "enable_runner_ssm_access" {
 variable "runners_volumes_tmpfs" {
 description = "Mount temporary file systems to the main containers. Must consist of pairs of strings e.g. \"/var/lib/mysql\" = \"rw,noexec\", see example"
- type = "list"
+ type = list
 default = []
 }
 variable "runners_services_volumes_tmpfs" {
 description = "Mount temporary file systems to service containers. Must consist of pairs of strings e.g. \"/var/lib/mysql\" = \"rw,noexec\", see example"
- type = "list"
+ type = list
 default = []
 }
From a916068e4aa10c9258970053efdc6dd26a785624 Mon Sep 17 00:00:00 2001 From: Stephen Date: Wed, 9 Oct 2019 13:08:52 -0700 Subject: [PATCH 10/14] Add option to limit docker machine ssh ingress access to only the runner (#142) * Add option to limit docker machine ssh ingress access to only the runner * code cleanup * Support public IP addresses * Update * cleanup --- main.tf | 25 ++++++++++++++++++------- template/runner-config.tpl | 5 +++-- variables.tf | 12 ------------ 3 files changed, 21 insertions(+), 21 deletions(-)
diff --git a/main.tf b/main.tf
index 3f7fb951a..c34f9c902 100644
--- a/main.tf
+++ b/main.tf
@@ -67,12 +67,22 @@ resource "aws_security_group_rule" "docker_machine_docker_self" {
 security_group_id = aws_security_group.docker_machine.id
 }
-resource "aws_security_group_rule" "docker_machine_ssh" {
- type = "ingress"
- from_port = 22
- to_port = 22
- protocol = "tcp"
- cidr_blocks = var.docker_machine_ssh_cidr_blocks
+resource "aws_security_group_rule" "docker_machine_ssh_runner" {
+ type = "ingress"
+ from_port = 22
+ to_port = 22
+ protocol = "tcp"
+ source_security_group_id = aws_security_group.runner.id
+
+ security_group_id = aws_security_group.docker_machine.id
+}
+
+resource "aws_security_group_rule" "docker_machine_ssh_self" {
+ type = "ingress"
+ from_port = 22
+ to_port = 22
+ protocol = "tcp"
+ self = true
 security_group_id = aws_security_group.docker_machine.id
 }
@@ -204,7 +214,8 @@ data "template_file" "runners" {
 runners_off_peak_periods_string = local.runners_off_peak_periods_string
 runners_root_size = var.runners_root_size
 runners_iam_instance_profile_name = var.runners_iam_instance_profile_name
- runners_use_private_address = var.runners_use_private_address
+ runners_use_private_address_only = var.runners_use_private_address
+ runners_use_private_address = ! var.runners_use_private_address
 runners_environment_vars = jsonencode(var.runners_environment_vars)
 runners_pre_build_script = var.runners_pre_build_script
 runners_post_build_script = var.runners_post_build_script
diff --git a/template/runner-config.tpl b/template/runner-config.tpl
index 877f365ae..8b868295d 100644
--- a/template/runner-config.tpl
+++ b/template/runner-config.tpl
@@ -21,7 +21,7 @@ check_interval = 0
 volumes = ["/cache"${runners_additional_volumes}]
 shm_size = ${runners_shm_size}
 pull_policy = "${runners_pull_policy}"
- [runners.docker.tmpfs]
+ [runners.docker.tmpfs]
 ${runners_volumes_tmpfs}
 [runners.docker.services_tmpfs]
 ${runners_services_volumes_tmpfs}
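Review bot: The added `docker_machine_ssh_self` rule admits port 22 from every instance in the docker-machine security group to every other, while the path the runner agent needs is already covered by `docker_machine_ssh_runner` (source `aws_security_group.runner.id`); unless machine-to-machine SSH is required, the self rule only widens what one job host can reach and should carry a justification or be dropped. The CIDR-based `docker_machine_ssh` rule is removed together with `docker_machine_ssh_cidr_blocks` in this patch's variables.tf hunk, a breaking change for callers that set that variable. Worth verifying as well: as far as I recall the docker-machine amazonec2 driver adds its own 0.0.0.0/0 ingress for ports 22 and 2376 to a security group that lacks them, which Terraform would not track and which would quietly undo this tightening. A comment on the runner rule would make the intended model explicit, e.g. `# SSH to docker-machine hosts is only reachable from the runner agent security group; the CIDR-based rule and its variable were removed.`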
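Review bot: `runners_use_private_address = ! var.runners_use_private_address` hands the template a value whose name reads as the opposite of what it holds, which makes the pair of `amazonec2-*` flags fed by it in the template/runner-config.tpl hunk `@@ -45,7 +45,8 @@` easy to break on a later edit. What matters is that exactly one of `amazonec2-private-address-only` and `amazonec2-use-private-address` is true, so, as I read the docker-machine flags, the agent always reaches the hosts over their private address, which is what keeps the SG-sourced SSH rule in the first hunk sufficient. That invariant should be stated next to the two assignments, e.g. `# exactly one of the two flags is set: docker-machine always talks to hosts over the private address, which the SG-sourced SSH ingress rule relies on`. The `data "template_file" "runners"` block begins before this hunk.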
@@ -45,7 +45,8 @@ check_interval = 0
 "amazonec2-zone=${runners_aws_zone}",
 "amazonec2-vpc-id=${runners_vpc_id}",
 "amazonec2-subnet-id=${runners_subnet_id}",
- "amazonec2-private-address-only=${runners_use_private_address}",
+ "amazonec2-private-address-only=${runners_use_private_address_only}",
+ "amazonec2-use-private-address=${runners_use_private_address}",
 "amazonec2-request-spot-instance=true",
 "amazonec2-spot-price=${runners_spot_price_bid}",
 "amazonec2-security-group=${runners_security_group_name}",
diff --git a/variables.tf b/variables.tf
index 7be437296..fcbd13690 100644
--- a/variables.tf
+++ b/variables.tf
@@ -297,18 +297,6 @@ variable "gitlab_runner_ssh_cidr_blocks" {
 default = ["0.0.0.0/0"]
 }
-variable "docker_machine_docker_cidr_blocks" {
- description = "List of CIDR blocks to allow Docker Access to the docker machine runner instance."
- type = list(string)
- default = ["0.0.0.0/0"]
-}
-
-variable "docker_machine_ssh_cidr_blocks" {
- description = "List of CIDR blocks to allow SSH Access to the docker machine runner instance."
- type = list(string)
- default = ["0.0.0.0/0"]
-}
-
 variable "enable_cloudwatch_logging" {
 description = "Boolean used to enable or disable the CloudWatch logging."
 type = bool
From 979fba86b92ac14a6b329c97193d7bd76515b1ff Mon Sep 17 00:00:00 2001 From: Adrian Maceiras Date: Wed, 30 Oct 2019 17:40:09 -0500 Subject: [PATCH 11/14] fix type create cache bucket (#151) * fix type create cache bucket * generate docs --- README.md | 2 -- _docs/TF_MODULE.md | 2 -- cache/README.md | 2 +- cache/_docs/TF_MODULE.md | 2 +- cache/main.tf | 7 ++----- cache/variables.tf | 2 +- 6 files changed, 5 insertions(+), 12 deletions(-)
diff --git a/README.md b/README.md
index 58b79f82f..2404b255e 100644
--- a/README.md
+++ b/README.md
@@ -236,12 +236,10 @@ terraform destroy
 | cache\_bucket\_versioning | Boolean used to enable versioning on the cache bucket, false by default. | bool | `"false"` | no |
 | cache\_expiration\_days | Number of days before cache objects expires. | number | `"1"` | no |
 | cache\_shared | Enables cache sharing between runners, false by default. | bool | `"false"` | no |
-| docker\_machine\_docker\_cidr\_blocks | List of CIDR blocks to allow Docker Access to the docker machine runner instance. | list(string) | `` | no |
 | docker\_machine\_instance\_type | Instance type used for the instances hosting docker-machine. | string | `"m5a.large"` | no |
 | docker\_machine\_options | List of additional options for the docker machine config. Each element of this list must be a key=value pair. E.g. '["amazonec2-zone=a"]' | list(string) | `` | no |
 | docker\_machine\_role\_json | Docker machine runner instance override policy, expected to be in JSON format. | string | `""` | no |
 | docker\_machine\_spot\_price\_bid | Spot price bid. | string | `"0.06"` | no |
-| docker\_machine\_ssh\_cidr\_blocks | List of CIDR blocks to allow SSH Access to the docker machine runner instance. | list(string) | `` | no |
 | docker\_machine\_version | Version of docker-machine. | string | `"0.16.2"` | no |
 | enable\_cloudwatch\_logging | Boolean used to enable or disable the CloudWatch logging. | bool | `"true"` | no |
 | enable\_gitlab\_runner\_ssh\_access | Enables SSH Access to the gitlab runner instance. | bool | `"false"` | no |
diff --git a/_docs/TF_MODULE.md b/_docs/TF_MODULE.md
index 2b9cc48e0..bbb32c3a5 100644
--- a/_docs/TF_MODULE.md
+++ b/_docs/TF_MODULE.md
@@ -13,12 +13,10 @@
 | cache\_bucket\_versioning | Boolean used to enable versioning on the cache bucket, false by default. | bool | `"false"` | no |
 | cache\_expiration\_days | Number of days before cache objects expires. | number | `"1"` | no |
 | cache\_shared | Enables cache sharing between runners, false by default. | bool | `"false"` | no |
-| docker\_machine\_docker\_cidr\_blocks | List of CIDR blocks to allow Docker Access to the docker machine runner instance. | list(string) | `` | no |
 | docker\_machine\_instance\_type | Instance type used for the instances hosting docker-machine. | string | `"m5a.large"` | no |
 | docker\_machine\_options | List of additional options for the docker machine config. Each element of this list must be a key=value pair. E.g. '["amazonec2-zone=a"]' | list(string) | `` | no |
 | docker\_machine\_role\_json | Docker machine runner instance override policy, expected to be in JSON format. | string | `""` | no |
 | docker\_machine\_spot\_price\_bid | Spot price bid. | string | `"0.06"` | no |
-| docker\_machine\_ssh\_cidr\_blocks | List of CIDR blocks to allow SSH Access to the docker machine runner instance. | list(string) | `` | no |
 | docker\_machine\_version | Version of docker-machine. | string | `"0.16.2"` | no |
 | enable\_cloudwatch\_logging | Boolean used to enable or disable the CloudWatch logging. | bool | `"true"` | no |
 | enable\_gitlab\_runner\_ssh\_access | Enables SSH Access to the gitlab runner instance. | bool | `"false"` | no |
diff --git a/cache/README.md b/cache/README.md
index 036fbe73b..182f5a482 100644
--- a/cache/README.md
+++ b/cache/README.md
@@ -33,7 +33,7 @@ module "runner" {
 | cache\_bucket\_prefix | Prefix for s3 cache bucket name. | string | `""` | no |
 | cache\_bucket\_versioning | Boolean used to enable versioning on the cache bucket, false by default. | string | `"false"` | no |
 | cache\_expiration\_days | Number of days before cache objects expires. | number | `"1"` | no |
-| create\_cache\_bucket | This module is by default included in the runner module. To disable the creation of the bucket this parameter can be disabled. | string | `"true"` | no |
+| create\_cache\_bucket | This module is by default included in the runner module. To disable the creation of the bucket this parameter can be disabled. | bool | `"true"` | no |
 | environment | A name that identifies the environment, used as prefix and for tagging. | string | n/a | yes |
 | tags | Map of tags that will be added to created resources. By default resources will be tagged with name and environment. | map(string) | `` | no |
diff --git a/cache/_docs/TF_MODULE.md b/cache/_docs/TF_MODULE.md
index 421108a8a..067b6184b 100644
--- a/cache/_docs/TF_MODULE.md
+++ b/cache/_docs/TF_MODULE.md
@@ -6,7 +6,7 @@
 | cache\_bucket\_prefix | Prefix for s3 cache bucket name. | string | `""` | no |
 | cache\_bucket\_versioning | Boolean used to enable versioning on the cache bucket, false by default. | string | `"false"` | no |
 | cache\_expiration\_days | Number of days before cache objects expires. | number | `"1"` | no |
-| create\_cache\_bucket | This module is by default included in the runner module. To disable the creation of the bucket this parameter can be disabled. | string | `"true"` | no |
+| create\_cache\_bucket | This module is by default included in the runner module. To disable the creation of the bucket this parameter can be disabled. | bool | `"true"` | no |
 | environment | A name that identifies the environment, used as prefix and for tagging. | string | n/a | yes |
 | tags | Map of tags that will be added to created resources. By default resources will be tagged with name and environment. | map(string) | `` | no |
diff --git a/cache/main.tf b/cache/main.tf
index e87fdbf68..4d2a95b01 100644
--- a/cache/main.tf
+++ b/cache/main.tf
@@ -1,6 +1,4 @@
-data "aws_caller_identity" "current" {
- count = var.create_cache_bucket ? 1 : 0
-}
+data "aws_caller_identity" "current" {}
 locals {
 tags = merge(
@@ -13,7 +11,7 @@ locals {
 var.tags,
 )
- cache_bucket_name = var.cache_bucket_name_include_account_id ? "${var.cache_bucket_prefix}${data.aws_caller_identity.current[0].account_id}-gitlab-runner-cache" : "${var.cache_bucket_prefix}-gitlab-runner-cache"
+ cache_bucket_name = var.cache_bucket_name_include_account_id ? "${var.cache_bucket_prefix}${data.aws_caller_identity.current.account_id}-gitlab-runner-cache" : "${var.cache_bucket_prefix}-gitlab-runner-cache"
 }
 resource "aws_s3_bucket" "build_cache" {
@@ -73,4 +71,3 @@ resource "aws_iam_policy" "docker_machine_cache" {
 policy = data.template_file.docker_machine_cache_policy[0].rendered
 }
-
diff --git a/cache/variables.tf b/cache/variables.tf
index 37e5fb0be..5c88d0789 100644
--- a/cache/variables.tf
+++ b/cache/variables.tf
@@ -35,6 +35,6 @@ variable "tags" {
 variable "create_cache_bucket" {
 description = "This module is by default included in the runner module. To disable the creation of the bucket this parameter can be disabled."
- type = string
+ type = bool
 default = true
 }
From 1d36fa6566b8ac7f11783632086e42d945e01a14 Mon Sep 17 00:00:00 2001 From: Niek Palm Date: Fri, 1 Nov 2019 09:47:45 +0100 Subject: [PATCH 12/14] Upgrade gitlab runner version (#152) * Add option to limit docker machine ssh ingress access to only the runner * code cleanup * Support public IP addresses * Update * cleanup * Upgrade runner version to 12.4.1 --- README.md | 2 +- _docs/TF_MODULE.md | 2 +- variables.tf | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index 2404b255e..771327a6e 100644
--- a/README.md
+++ b/README.md
@@ -250,7 +250,7 @@ terraform destroy
 | environment | A name that identifies the environment, used as prefix and for tagging. | string | n/a | yes |
 | gitlab\_runner\_registration\_config | Configuration used to register the runner. See the README for an example, or reference the examples in the examples directory of this repo. | map(string) | `` | no |
 | gitlab\_runner\_ssh\_cidr\_blocks | List of CIDR blocks to allow SSH Access to the gitlab runner instance. | list(string) | `` | no |
-| gitlab\_runner\_version | Version of the GitLab runner. | string | `"12.3.0"` | no |
+| gitlab\_runner\_version | Version of the GitLab runner. | string | `"12.4.1"` | no |
 | instance\_role\_json | Default runner instance override policy, expected to be in JSON format. | string | `""` | no |
 | instance\_type | Instance type used for the GitLab runner. | string | `"t3.micro"` | no |
 | overrides | This maps provides the possibility to override some defaults. The following attributes are supported: `name_sg` overwrite the `Name` tag for all security groups created by this module. `name_runner_agent_instance` override the `Name` tag for the ec2 instance defined in the auto launch configuration. `name_docker_machine_runners` ovverrid the `Name` tag spot instances created by the runner agent. | map(string) | `` | no |
diff --git a/_docs/TF_MODULE.md b/_docs/TF_MODULE.md
index bbb32c3a5..f92002b09 100644
--- a/_docs/TF_MODULE.md
+++ b/_docs/TF_MODULE.md
@@ -27,7 +27,7 @@
 | environment | A name that identifies the environment, used as prefix and for tagging. | string | n/a | yes |
 | gitlab\_runner\_registration\_config | Configuration used to register the runner. See the README for an example, or reference the examples in the examples directory of this repo. | map(string) | `` | no |
 | gitlab\_runner\_ssh\_cidr\_blocks | List of CIDR blocks to allow SSH Access to the gitlab runner instance. | list(string) | `` | no |
-| gitlab\_runner\_version | Version of the GitLab runner. | string | `"12.3.0"` | no |
+| gitlab\_runner\_version | Version of the GitLab runner. | string | `"12.4.1"` | no |
 | instance\_role\_json | Default runner instance override policy, expected to be in JSON format. | string | `""` | no |
 | instance\_type | Instance type used for the GitLab runner. | string | `"t3.micro"` | no |
 | overrides | This maps provides the possibility to override some defaults. The following attributes are supported: `name_sg` overwrite the `Name` tag for all security groups created by this module. `name_runner_agent_instance` override the `Name` tag for the ec2 instance defined in the auto launch configuration. `name_docker_machine_runners` ovverrid the `Name` tag spot instances created by the runner agent. | map(string) | `` | no |
diff --git a/variables.tf b/variables.tf
index fcbd13690..1bd0d4bda 100644
--- a/variables.tf
+++ b/variables.tf
@@ -282,7 +282,7 @@ variable "cache_shared" {
 variable "gitlab_runner_version" {
 description = "Version of the GitLab runner."
 type = string
- default = "12.3.0"
+ default = "12.4.1"
 }
 variable "enable_gitlab_runner_ssh_access" {
From a78d71c3399c9854058825e040510a1e584853a2 Mon Sep 17 00:00:00 2001
From: Niek Palm Date: Fri, 1 Nov 2019 12:33:50 +0100 Subject: [PATCH 13/14] Maintenance (#154) - Upgraded the runners (docker-machine) to ubuntu 18.04. You can stay on 16.04 by setting: `runner_ami_filter = ["ubuntu/images/hvm-ssd/ubuntu-xenial-16.04-amd64-server-*"]` - Upgraded GitLab runner to 12.4.1 - Upgraded terraform version, vpc version and provider versions for the examples --- CHANGELOG.md | 18 +++++++++++++++++- README.md | 5 +++-- _docs/README.md | 6 ++++-- examples/runner-default/.terraform-version | 2 +- examples/runner-default/main.tf | 2 +- examples/runner-default/providers.tf | 6 +++--- examples/runner-docker/.terraform-version | 2 +- examples/runner-docker/main.tf | 2 +- examples/runner-docker/providers.tf | 6 +++--- .../runner-pre-registered/.terraform-version | 2 +- examples/runner-pre-registered/main.tf | 2 +- examples/runner-pre-registered/providers.tf | 6 +++--- examples/runner-public/.terraform-version | 2 +- examples/runner-public/main.tf | 2 +- examples/runner-public/providers.tf | 7 ++++--- variables.tf | 2 +- 16 files changed, 46 insertions(+), 26 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 17909fecb..8824095cd 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,7 +5,23 @@
 The format is based on [Keep a Changelog](http://keepachangelog.com/) and this project adheres to [Semantic Versioning](http://semver.org/).
-## Unrelease
+## Unreleased
+
+- Upgraded the runners (docker-machine) to ubuntu 18.04. You can stay on 16.04 by setting: `runner_ami_filter = ["ubuntu/images/hvm-ssd/ubuntu-xenial-16.04-amd64-server-*"]`
+- Upgraded GitLab runner to 12.4.1
+- Upgraded terraform version, vpc version and provider versions for the examples.
+- fix type create cache bucket #151 @geota
+- Delete unused create_runners_iam_instance_profile #147 @alexharv07
+- Remove docker_machine_user variable #146 @alexharv074
+- Fixing Docker Machine certificate Generation #143 #145 @npalm @roock
+- Add option to limit docker machine ssh ingress access to only the runner #142 @bishtawi
+
+## 4.7.0 - 2019-10-04
+- Add option for tmpfs #104 #141 #137
+- Lock down docker port access to only the runner security group #140 @bishtawi
+- Add variable docker_machine_docker_cidr_blocks allowing docker ingress restriction #139 @bishtawi
+- Adding outputs for agent and runner security groups #138 @hatemosphere
+
 ## 4.6.0 - 2019-09-30
 - Add access_level option to registration call in runner template #134 @willychenchen
diff --git a/README.md b/README.md
index 771327a6e..681e730bc 100644
--- a/README.md
+++ b/README.md
@@ -1,4 +1,4 @@
-[![Build Status](https://travis-ci.com/npalm/terraform-aws-gitlab-runner.svg?branch=master)](https://travis-ci.com/npalm/terraform-aws-gitlab-runner) [![Gitter](https://badges.gitter.im/terraform-aws-gitlab-runner/Lobby.svg)](https://gitter.im/terraform-aws-gitlab-runner/Lobby?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge)
+[![Terraform registry](https://img.shields.io/github/v/release/npalm/terraform-aws-gitlab-runner?label=Terraform%20Registry)](https://registry.terraform.io/modules/npalm/gitlab-runner/aws/) [![Gitter](https://badges.gitter.im/terraform-aws-gitlab-runner/Lobby.svg)](https://gitter.im/terraform-aws-gitlab-runner/Lobby?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge) [![Actions](https://github.com/npalm/terraform-aws-gitlab-runner/workflows/Verify/badge.svg)](https://github.com/npalm/terraform-aws-gitlab-runner/actions)
 # Terraform module for GitLab auto scaling runners on AWS spot instances
@@ -161,7 +161,8 @@ Below a basic examples of usages of the module. The dependencies such as a VPC,
 ``` hcl
 module "runner" {
- source = "../../"
+ # https://registry.terraform.io/modules/npalm/gitlab-runner/aws/
+ source = "npalm/gitlab-runner/aws"
 aws_region = "eu-west-1"
 environment = "spot-runners"
diff --git a/_docs/README.md b/_docs/README.md
index 5b463fdd1..f3ada93b0 100644
--- a/_docs/README.md
+++ b/_docs/README.md
@@ -1,4 +1,5 @@ -[![Build Status](https://travis-ci.com/npalm/terraform-aws-gitlab-runner.svg?branch=master)](https://travis-ci.com/npalm/terraform-aws-gitlab-runner) [![Gitter](https://badges.gitter.im/terraform-aws-gitlab-runner/Lobby.svg)](https://gitter.im/terraform-aws-gitlab-runner/Lobby?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge) +[![Terraform registry](https://img.shields.io/github/v/release/npalm/terraform-aws-gitlab-runner?label=Terraform%20Registry)](https://registry.terraform.io/modules/npalm/gitlab-runner/aws/) [![Gitter](https://badges.gitter.im/terraform-aws-gitlab-runner/Lobby.svg)](https://gitter.im/terraform-aws-gitlab-runner/Lobby?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge) [![Actions](https://github.com/npalm/terraform-aws-gitlab-runner/workflows/Verify/badge.svg)](https://github.com/npalm/terraform-aws-gitlab-runner/actions) + # Terraform module for GitLab auto scaling runners on AWS spot instances @@ -160,7 +161,8 @@ Below a basic examples of usages of the module. The dependencies such as a VPC, ``` hcl module "runner" { - source = "../../" + # https://registry.terraform.io/modules/npalm/gitlab-runner/aws/ + source = "npalm/gitlab-runner/aws" aws_region = "eu-west-1" environment = "spot-runners" diff --git a/examples/runner-default/.terraform-version b/examples/runner-default/.terraform-version index 7bfd8360b..32ffda3c9 100644 --- a/examples/runner-default/.terraform-version +++ b/examples/runner-default/.terraform-version @@ -1 +1 @@ -0.12.8 +0.12.13 diff --git a/examples/runner-default/main.tf b/examples/runner-default/main.tf index 7313e3f1a..4c5941bed 100644 --- a/examples/runner-default/main.tf +++ b/examples/runner-default/main.tf @@ -4,7 +4,7 @@ data "aws_availability_zones" "available" { module "vpc" { source = "terraform-aws-modules/vpc/aws" - version = "2.5" + version = "2.17" name = "vpc-${var.environment}" cidr = "10.0.0.0/16" 
diff --git a/examples/runner-default/providers.tf b/examples/runner-default/providers.tf index 4a40aee9b..c9a901037 100644 --- a/examples/runner-default/providers.tf +++ b/examples/runner-default/providers.tf @@ -1,6 +1,6 @@ provider "aws" { region = var.aws_region - version = "2.18" + version = "2.34" } provider "template" { @@ -8,7 +8,7 @@ provider "template" { } provider "local" { - version = "1.2.2" + version = "1.4" } provider "null" { @@ -16,6 +16,6 @@ provider "null" { } provider "tls" { - version = "2.0.1" + version = "2.1.1" } diff --git a/examples/runner-docker/.terraform-version b/examples/runner-docker/.terraform-version index 7bfd8360b..13d57bb72 100644 --- a/examples/runner-docker/.terraform-version +++ b/examples/runner-docker/.terraform-version @@ -1 +1 @@ -0.12.8 +0.12.13 \ No newline at end of file diff --git a/examples/runner-docker/main.tf b/examples/runner-docker/main.tf index fd9637546..dc98df1f4 100644 --- a/examples/runner-docker/main.tf +++ b/examples/runner-docker/main.tf @@ -4,7 +4,7 @@ data "aws_availability_zones" "available" { module "vpc" { source = "terraform-aws-modules/vpc/aws" - version = "2.5" + version = "2.17" name = "vpc-${var.environment}" cidr = "10.1.0.0/16" diff --git a/examples/runner-docker/providers.tf b/examples/runner-docker/providers.tf index 4a40aee9b..c9a901037 100644 --- a/examples/runner-docker/providers.tf +++ b/examples/runner-docker/providers.tf @@ -1,6 +1,6 @@ provider "aws" { region = var.aws_region - version = "2.18" + version = "2.34" } provider "template" { @@ -8,7 +8,7 @@ provider "template" { } provider "local" { - version = "1.2.2" + version = "1.4" } provider "null" { @@ -16,6 +16,6 @@ provider "null" { } provider "tls" { - version = "2.0.1" + version = "2.1.1" } diff --git a/examples/runner-pre-registered/.terraform-version b/examples/runner-pre-registered/.terraform-version index 7bfd8360b..13d57bb72 100644 --- a/examples/runner-pre-registered/.terraform-version 
+++ b/examples/runner-pre-registered/.terraform-version @@ -1 +1 @@ -0.12.8 +0.12.13 \ No newline at end of file diff --git a/examples/runner-pre-registered/main.tf b/examples/runner-pre-registered/main.tf index 6dccfbb4f..2f9d9d9b0 100644 --- a/examples/runner-pre-registered/main.tf +++ b/examples/runner-pre-registered/main.tf @@ -4,7 +4,7 @@ data "aws_availability_zones" "available" { module "vpc" { source = "terraform-aws-modules/vpc/aws" - version = "2.5.0" + version = "2.17" name = "vpc-${var.environment}" cidr = "10.0.0.0/16" diff --git a/examples/runner-pre-registered/providers.tf b/examples/runner-pre-registered/providers.tf index 4a40aee9b..c9a901037 100644 --- a/examples/runner-pre-registered/providers.tf +++ b/examples/runner-pre-registered/providers.tf @@ -1,6 +1,6 @@ provider "aws" { region = var.aws_region - version = "2.18" + version = "2.34" } provider "template" { @@ -8,7 +8,7 @@ provider "template" { } provider "local" { - version = "1.2.2" + version = "1.4" } provider "null" { @@ -16,6 +16,6 @@ provider "null" { } provider "tls" { - version = "2.0.1" + version = "2.1.1" } diff --git a/examples/runner-public/.terraform-version b/examples/runner-public/.terraform-version index 7bfd8360b..13d57bb72 100644 --- a/examples/runner-public/.terraform-version +++ b/examples/runner-public/.terraform-version @@ -1 +1 @@ -0.12.8 +0.12.13 \ No newline at end of file diff --git a/examples/runner-public/main.tf b/examples/runner-public/main.tf index a1726e932..d3c5dda31 100644 --- a/examples/runner-public/main.tf +++ b/examples/runner-public/main.tf @@ -4,7 +4,7 @@ data "aws_availability_zones" "available" { module "vpc" { source = "terraform-aws-modules/vpc/aws" - version = "2.5" + version = "2.17" name = "vpc-${var.environment}" cidr = "10.1.0.0/16" diff --git a/examples/runner-public/providers.tf b/examples/runner-public/providers.tf index b59416f28..c9a901037 100644 --- a/examples/runner-public/providers.tf +++ b/examples/runner-public/providers.tf 
@@ -1,6 +1,6 @@ provider "aws" { region = var.aws_region - version = "2.18" + version = "2.34" } provider "template" { @@ -8,7 +8,7 @@ provider "template" { } provider "local" { - version = "1.2.2" + version = "1.4" } provider "null" { @@ -16,5 +16,6 @@ provider "null" { } provider "tls" { - version = "2.0.1" + version = "2.1.1" } + diff --git a/variables.tf b/variables.tf index 1bd0d4bda..e97d0c4b8 100644 --- a/variables.tf +++ b/variables.tf @@ -353,7 +353,7 @@ variable "runner_ami_filter" { type = map(list(string)) default = { - name = ["ubuntu/images/hvm-ssd/ubuntu-xenial-16.04-amd64-server-*"] + name = ["ubuntu/images/hvm-ssd/ubuntu-bionic-18.04-amd64-server-*"] } } From b5a0b38ab6618dca53e06ad67d9d6a247a7a9953 Mon Sep 17 00:00:00 2001 From: Niek Palm Date: Fri, 1 Nov 2019 12:35:13 +0100 Subject: [PATCH 14/14] Release 4.8.0 --- CHANGELOG.md | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8824095cd..0d3fbf0ed 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,9 +7,10 @@ and this project adheres to [Semantic Versioning](http://semver.org/). ## Unreleased +## 4.8.0 - 2019-11-01 - Upgraded the runners (docker-machine) to ubuntu 18.04. You can stay on 16.04 by setting: `runner_ami_filter = ["ubuntu/images/hvm-ssd/ubuntu-xenial-16.04-amd64-server-*"]` - Upgraded GitLab runner to 12.4.1 -- Upgraded terraform version, vpc version and provider versions for the examples. +- Upgraded terraform version, vpc version and provider versions for the examples - fix type create cache bucket #151 @geota - Delete unused create_runners_iam_instance_profile #147 @alexharv07 - Remove docker_machine_user variable #146 @alexharv074 
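Review bot: The new default picks the 18.04 image by a name glob alone (`ubuntu/images/hvm-ssd/ubuntu-bionic-18.04-amd64-server-*`), so which AMI actually boots the docker-machine hosts depends on the `owners` constraint of the `aws_ami` data source that consumes `runner_ami_filter`, which is not in this hunk; if that lookup is not pinned to Canonical's account, any AMI published under the same name pattern would satisfy the filter. Please confirm the owner restriction is in place, and since a trailing `*` presumably resolves to a different image as new builds are published, consider documenting that next to the default with a comment such as `# Name glob: each apply may resolve to a newer image; pin a dated name for reproducible runner hosts.` The `variable "runner_ami_filter"` block and its description begin outside the hunk, so the 16.04 opt-out mentioned in the changelog should also be stated there.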
@@ -251,7 +252,9 @@ Module is available as Terraform 0.11 module, pin module to version 3.x. Please - Update default AMI's to The latest Amazon Linux AMI 2017.09.1 - released on 2018-01-17. - Minor updates in the example -[Unreleased]: https://github.com/npalm/terraform-aws-gitlab-runner/compare/4.6.0...HEAD +[Unreleased]: https://github.com/npalm/terraform-aws-gitlab-runner/compare/4.6=8.0...HEAD +[4.8.0]: https://github.com/npalm/terraform-aws-gitlab-runner/compare/4.7.0...4.8.0 +[4.7.0]: https://github.com/npalm/terraform-aws-gitlab-runner/compare/4.6.0...4.7.0 [4.6.0]: https://github.com/npalm/terraform-aws-gitlab-runner/compare/4.5.0...4.6.0 [4.5.0]: https://github.com/npalm/terraform-aws-gitlab-runner/compare/4.4.0...4.5.0 [4.4.0]: https://github.com/npalm/terraform-aws-gitlab-runner/compare/4.3.0...4.4.0