feat: Add option to disable SSL verification support for GitHub Enterprise Server (#1216)

* Disable SSL verification support for GitHub Enterprise Server

* Terraform formatting

Close #1207

Co-authored-by: Niek Palm <npalm@users.noreply.github.com>
axel3rd and npalm authored Oct 1, 2021
1 parent 150d227 commit 3c3ef19
Showing 7 changed files with 18 additions and 1 deletion.
1 change: 1 addition & 0 deletions README.md
@@ -359,6 +359,7 @@ No requirements.
| enable\_ssm\_on\_runners | Enable to allow access the runner instances for debugging purposes via SSM. Note that this adds additional permissions to the runner instances. | `bool` | `false` | no |
| environment | A name that identifies the environment, used as prefix and for tagging. | `string` | n/a | yes |
| ghes\_url | GitHub Enterprise Server URL. Example: https://github.internal.co - DO NOT SET IF USING PUBLIC GITHUB | `string` | `null` | no |
| ghes\_ssl\_verify | GitHub Enterprise SSL verification. Set to `false` when custom certificate (chains) is used for GitHub Enterprise Server (insecure). | `bool` | `true` | no |
| github\_app | GitHub app parameters, see your github app. Ensure the key is the base64-encoded `.pem` file (the output of `base64 app.private-key.pem`, not the content of `private-key.pem`). | <pre>object({<br> key_base64 = string<br> id = string<br> client_id = string<br> client_secret = string<br> webhook_secret = string<br> })</pre> | n/a | yes |
| idle\_config | List of time period that can be defined as cron expression to keep a minimum amount of runners active instead of scaling down to 0. By defining this list you can ensure that in time periods that match the cron expression within 5 seconds a runner is kept idle. | <pre>list(object({<br> cron = string<br> timeZone = string<br> idleCount = number<br> }))</pre> | `[]` | no |
| instance\_profile\_path | The path that will be added to the instance\_profile, if not set the environment name will be used. | `string` | `null` | no |
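Review bot: the new `ghes_ssl_verify` row breaks the alphabetical ordering of the inputs table (it is placed after `ghes_url`, but `ghes_ssl_verify` sorts before it), so a regenerated table will move it; and the description should say what the flag actually does, which per the lambda changes in this commit is exporting `NODE_TLS_REJECT_UNAUTHORIZED=0` to the scale-up and scale-down functions, disabling certificate validation for every TLS connection those processes make, not only the one to GitHub Enterprise Server. Suggest wording such as "Disables TLS certificate validation in the lambdas when the GitHub Enterprise Server certificate chain is not trusted by them (insecure); prefer adding the CA to the trust store."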
3 changes: 2 additions & 1 deletion main.tf
@@ -128,7 +128,8 @@ module "runners" {

runner_iam_role_managed_policy_arns = var.runner_iam_role_managed_policy_arns

ghes_url = var.ghes_url
ghes_url = var.ghes_url
ghes_ssl_verify = var.ghes_ssl_verify

kms_key_arn = var.kms_key_arn
}
1 change: 1 addition & 0 deletions modules/runners/main.tf
@@ -108,6 +108,7 @@ resource "aws_launch_template" "runner" {
enable_cloudwatch_agent = var.enable_cloudwatch_agent
ssm_key_cloudwatch_agent_config = var.enable_cloudwatch_agent ? aws_ssm_parameter.cloudwatch_agent_config_runner[0].name : ""
ghes_url = var.ghes_url
ghes_ssl_verify = var.ghes_ssl_verify
install_config_runner = local.install_config_runner
}))
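Review bot: `ghes_ssl_verify` is added to the launch template's templatefile variables, but none of the 7 files changed in this commit is a user-data or install-script template, so nothing on the runner instance consumes the new value. If the runner-side scripts are expected to honour it, that change is missing from this commit; if they are not, the variable is dead here and should be dropped so readers do not assume the runner itself skips certificate validation.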

1 change: 1 addition & 0 deletions modules/runners/scale-down.tf
@@ -18,6 +18,7 @@ resource "aws_lambda_function" "scale_down" {
RUNNER_BOOT_TIME_IN_MINUTES = var.runner_boot_time_in_minutes
SCALE_DOWN_CONFIG = jsonencode(var.idle_config)
GHES_URL = var.ghes_url
NODE_TLS_REJECT_UNAUTHORIZED = var.ghes_url != null && ! var.ghes_ssl_verify ? 0 : 1
PARAMETER_GITHUB_APP_CLIENT_ID_NAME = var.github_app_parameters.client_id.name
PARAMETER_GITHUB_APP_CLIENT_SECRET_NAME = var.github_app_parameters.client_secret.name
PARAMETER_GITHUB_APP_ID_NAME = var.github_app_parameters.id.name
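Review bot: `NODE_TLS_REJECT_UNAUTHORIZED = 0` is process-wide: it disables certificate validation for every outbound TLS connection the scale-down lambda makes, including its AWS API calls (for example reading the `PARAMETER_GITHUB_APP_*` values from SSM), not just the connection to `GHES_URL`. A narrower fix is to ship the enterprise CA with the function and point Node at it via `NODE_EXTRA_CA_CERTS`, or to relax verification only on the HTTPS agent used by the GitHub client, leaving the rest of the process's TLS intact.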
1 change: 1 addition & 0 deletions modules/runners/scale-up.tf
@@ -17,6 +17,7 @@ resource "aws_lambda_function" "scale_up" {
ENABLE_ORGANIZATION_RUNNERS = var.enable_organization_runners
ENVIRONMENT = var.environment
GHES_URL = var.ghes_url
NODE_TLS_REJECT_UNAUTHORIZED = var.ghes_url != null && ! var.ghes_ssl_verify ? 0 : 1
RUNNER_EXTRA_LABELS = var.runner_extra_labels
RUNNER_GROUP_NAME = var.runner_group_name
RUNNERS_MAXIMUM_COUNT = var.runners_maximum_count
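Review bot: this duplicates the expression from scale-down.tf verbatim; compute it once in a `locals` block (for example `local.node_tls_reject_unauthorized`) and reference it from both lambdas so the two cannot drift. The same scope caveat applies here: with `0`, the scale-up function stops validating certificates for all of its HTTPS traffic, not only traffic to GitHub Enterprise Server.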
6 changes: 6 additions & 0 deletions modules/runners/variables.tf
@@ -303,6 +303,12 @@ variable "ghes_url" {
default = null
}

variable "ghes_ssl_verify" {
description = "GitHub Enterprise SSL verification. Set to 'false' when custom certificate (chains) is used for GitHub Enterprise Server (insecure)."
type = bool
default = true
}

variable "lambda_subnet_ids" {
description = "List of subnets in which the lambda will be launched, the subnets needs to be subnets in the `vpc_id`."
type = list(string)
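Review bot: the description should state that the flag only takes effect when `ghes_url` is set (both lambda expressions gate on `var.ghes_url != null`) and that it disables TLS verification for the scale-up and scale-down lambdas as a whole; "SSL verification" alone understates the blast radius. The `(insecure)` marker is good and should stay.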
6 changes: 6 additions & 0 deletions variables.tf
@@ -313,6 +313,12 @@ variable "ghes_url" {
default = null
}

variable "ghes_ssl_verify" {
description = "GitHub Enterprise SSL verification. Set to 'false' when custom certificate (chains) is used for GitHub Enterprise Server (insecure)."
type = bool
default = true
}

variable "lambda_subnet_ids" {
description = "List of subnets in which the action runners will be launched, the subnets needs to be subnets in the `vpc_id`."
type = list(string)
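Review bot: identical copy of the module variable, which is fine for a pass-through, but the two descriptions (and the README row, which quotes the value as `false` in backticks where this uses 'false' in single quotes) need to be kept in sync with whatever final wording is chosen for the module variable.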

0 comments on commit 3c3ef19