-
Notifications
You must be signed in to change notification settings - Fork 628
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
feat: Add hooks for prebuilt images (AMI), including amazon linux pac…
…ker example (#1444) * Initial creation of runner image * Refactored startup script and added it to the per-boot folder * Make the runner location a variable So we can pass the runner version in at packer build time if we want to update the runner version. * Retrieve external config setting via tags Retrieve the required config via the instance tags so we dont have to pass in and set environment on the instance in an awkward way. * Enable tag based config Give the instance the permission to query its own tags and set the correct tags on the instance. * Add a CI job * Fix the CI build * Fix the formatting * Retain user_data provisioning and remove duplication refactored to make sure user_data continues to work with minimal breaking changes. Use a single set of scripts shared between image and user_data provisioning. * Fix interpolation issues in template file * fix build * Fix formatting * minor tweaks and fixes * Fixes from testing * Enable docker on boot * Add in output of start time for the runner * Scoop up the runner log * Add a powershell build script for windows users * Fix formatting * Use SSM parameters for configuration Its best practice to use SSM parameters for configuration of the runners. In adding this i have also added parameter path based config so its easy to extend in the future. * Make the SSM policy more specific * Update .github/workflows/packer-build.yml Co-authored-by: Niek Palm <npalm@users.noreply.github.com> * Added condition to the describe tags policy * Dont use templatefile on the tags policy Because of the use of ${} in the policy terraform is trying to replace it. * Added an option to turn off userdata scripting * Added/updated documentation * Revert policy as it has no effect on the permissions * Add reference to prebuilt images in the main readme * Add an example of deploying with prebuilt images * Update readme * Use current user as ami_owner * Update example to 5 secs * Updated ami name to include the arch * Fixed log file variable * Added explicit info about required settings to the readme * Change userdata_enabled to enabled_userdata Keep within existing naming convention Co-authored-by: Niek Palm <npalm@users.noreply.github.com>
- Loading branch information
1 parent
2f35251
commit d060e81
Showing
32 changed files
with
691 additions
and
86 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,8 @@ | ||
$TOP_DIR=$(git rev-parse --show-toplevel) | ||
$OUTPUT_DIR="$TOP_DIR/lambda_output" | ||
|
||
New-Item "$OUTPUT_DIR" -ItemType Directory -ErrorAction SilentlyContinue | ||
|
||
$env:DOCKER_BUILDKIT=1 | ||
docker build --no-cache --target=final --output=type=local,dest="$OUTPUT_DIR" -f "$TOP_DIR/.ci/Dockerfile" "$TOP_DIR" | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,2 @@ | ||
[*] | ||
end_of_line = lf |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,35 @@ | ||
name: "Packer checks" | ||
on: | ||
push: | ||
branches: | ||
- master | ||
- develop | ||
pull_request: | ||
paths: | ||
- "images/**" | ||
- ".github/workflows/packer-build.yml" | ||
|
||
env: | ||
AWS_REGION: eu-west-1 | ||
|
||
jobs: | ||
verify_packer: | ||
name: Verify packer | ||
runs-on: ubuntu-latest | ||
container: | ||
image: hashicorp/packer:1.7.8 | ||
defaults: | ||
run: | ||
working-directory: images/linux-amzn2 | ||
steps: | ||
- name: "Checkout" | ||
uses: actions/checkout@v2 | ||
|
||
- name: packer init | ||
run: packer init . | ||
|
||
- name: check terraform formatting | ||
run: packer fmt -recursive -check=true . | ||
|
||
- name: packer validate | ||
run: packer validate . |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,83 @@ | ||
# Action runners deployment with prebuilt image | ||
|
||
This module shows how to create GitHub action runners using a prebuilt AMI for the runners | ||
|
||
## Usages | ||
|
||
Steps for the full setup, such as creating a GitHub app can be found in the root module's [README](../../README.md). | ||
|
||
### Lambdas | ||
|
||
You can either download the released lambda code or build them locally yourself. | ||
|
||
First download the Lambda releases from GitHub. Ensure you have set the version in `lambdas-download/main.tf` for running the example. The version needs to be set to a GitHub release version, see https://github.com/philips-labs/terraform-aws-github-runner/releases | ||
|
||
```bash | ||
cd lambdas-download | ||
terraform init | ||
terraform apply | ||
cd .. | ||
``` | ||
|
||
Alternatively you can build the lambdas locally with Node or Docker, there is a simple build script in `<root>/.ci/build.sh`. In the `main.tf` you need to specify the build location for all of the zip files. | ||
|
||
```hcl | ||
webhook_lambda_zip = "../../lambda_output/webhook.zip" | ||
runner_binaries_syncer_lambda_zip = "../../lambda_output/runner-binaries-syncer.zip" | ||
runners_lambda_zip = "../../lambda_output/runners.zip" | ||
``` | ||
|
||
### GitHub App Configuration | ||
|
||
Before running Terraform, ensure the GitHub app is configured. See the [configuration details](../../README.md#usages) for more details. | ||
|
||
### Packer Image | ||
|
||
You will need to build your image. This example deployment uses the image example in `/images/linux-amz2`. You must build this image with packer in your AWS account first. Once you have built this you need to provider your owner ID as a variable | ||
|
||
## Deploy | ||
|
||
To use your image in the terraform modules you will need to set some values on the module. | ||
|
||
Assuming you have built the `linux-amzn2` image which has a pre-defined AMI name in the following format `github-runner-amzn2-x86_64-YYYYMMDDhhmm` you can use the following values. | ||
|
||
```hcl | ||
module "runners" { | ||
... | ||
# set the name of the ami to use | ||
ami_filter = { name = ["github-runner-amzn2-x86_64-2021*"] } | ||
# provide the owner id of | ||
ami_owners = ["<your owner id>"] | ||
enabled_userdata = false | ||
... | ||
} | ||
``` | ||
|
||
If your owner is the same as the account you are logging into then you can use `aws_caller_identity` to retrieve it dynamically. | ||
|
||
```hcl | ||
data "aws_caller_identity" "current" {} | ||
module "runners" { | ||
... | ||
ami_owners = [data.aws_caller_identity.current.account_id] | ||
... | ||
} | ||
``` | ||
|
||
You can then deploy the terraform | ||
|
||
```bash | ||
terraform init | ||
terraform apply | ||
``` | ||
|
||
You can receive the webhook details by running: | ||
|
||
```bash | ||
terraform output -raw webhook_secret | ||
``` | ||
|
||
Be-aware some shells will print some end of line character `%`. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,25 @@ | ||
locals { | ||
version = "<REPLACE_BY_GITHUB_RELEASE_VERSION>" | ||
} | ||
|
||
module "lambdas" { | ||
source = "../../../modules/download-lambda" | ||
lambdas = [ | ||
{ | ||
name = "webhook" | ||
tag = local.version | ||
}, | ||
{ | ||
name = "runners" | ||
tag = local.version | ||
}, | ||
{ | ||
name = "runner-binaries-syncer" | ||
tag = local.version | ||
} | ||
] | ||
} | ||
|
||
output "files" { | ||
value = module.lambdas.files | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,46 @@ | ||
locals { | ||
environment = "prebuilt" | ||
aws_region = "eu-west-1" | ||
} | ||
|
||
resource "random_password" "random" { | ||
length = 28 | ||
} | ||
|
||
data "aws_caller_identity" "current" {} | ||
|
||
module "runners" { | ||
source = "../../" | ||
create_service_linked_role_spot = true | ||
aws_region = local.aws_region | ||
vpc_id = module.vpc.vpc_id | ||
subnet_ids = module.vpc.private_subnets | ||
|
||
environment = local.environment | ||
|
||
github_app = { | ||
key_base64 = var.github_app_key_base64 | ||
id = var.github_app_id | ||
webhook_secret = random_password.random.result | ||
} | ||
|
||
webhook_lambda_zip = "../../lambda_output/webhook.zip" | ||
runner_binaries_syncer_lambda_zip = "../../lambda_output/runner-binaries-syncer.zip" | ||
runners_lambda_zip = "../../lambda_output/runners.zip" | ||
|
||
runner_extra_labels = "default,example" | ||
|
||
# configure your pre-built AMI | ||
enabled_userdata = false | ||
ami_filter = { name = ["github-runner-amzn2-x86_64-2021*"] } | ||
ami_owners = [data.aws_caller_identity.current.account_id] | ||
|
||
# enable access to the runners via SSM | ||
enable_ssm_on_runners = true | ||
|
||
# override delay of events in seconds | ||
delay_webhook_event = 5 | ||
|
||
# override scaling down | ||
scale_down_schedule_expression = "cron(* * * * ? *)" | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,15 @@ | ||
output "runners" { | ||
value = { | ||
lambda_syncer_name = module.runners.binaries_syncer.lambda.function_name | ||
} | ||
} | ||
|
||
output "webhook_endpoint" { | ||
value = module.runners.webhook.endpoint | ||
} | ||
|
||
output "webhook_secret" { | ||
sensitive = true | ||
value = random_password.random.result | ||
} | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,3 @@ | ||
provider "aws" { | ||
region = local.aws_region | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,4 @@ | ||
|
||
variable "github_app_key_base64" {} | ||
|
||
variable "github_app_id" {} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,15 @@ | ||
terraform { | ||
required_providers { | ||
aws = { | ||
source = "hashicorp/aws" | ||
version = ">= 3.27" | ||
} | ||
local = { | ||
source = "hashicorp/local" | ||
} | ||
random = { | ||
source = "hashicorp/random" | ||
} | ||
} | ||
required_version = ">= 0.14" | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,7 @@ | ||
module "vpc" { | ||
source = "git::https://github.com/philips-software/terraform-aws-vpc.git?ref=2.2.0" | ||
|
||
environment = local.environment | ||
aws_region = local.aws_region | ||
create_private_hosted_zone = false | ||
} |
Oops, something went wrong.