From 938423643ca87a7a28c8269af8f3510b576511bc Mon Sep 17 00:00:00 2001 From: Jok <67024248+jokreliable@users.noreply.github.com> Date: Fri, 18 Feb 2022 16:01:35 -0800 Subject: [PATCH 1/5] arn partition is not always aws --- modules/runners/policies-runner.tf | 4 ++-- .../policies/service-linked-role-create-policy.json | 2 +- modules/runners/pool.tf | 2 ++ modules/runners/pool/main.tf | 2 +- modules/runners/pool/variables.tf | 6 ++++++ modules/runners/scale-down.tf | 2 +- modules/runners/scale-up.tf | 4 ++-- modules/runners/variables.tf | 6 ++++++ modules/setup-iam-permissions/main.tf | 5 ++++- .../policies/assume-role-for-account.json | 2 +- modules/setup-iam-permissions/policies/boundary.json | 2 +- .../policies/deploy-boundary.json | 10 +++++----- modules/setup-iam-permissions/variables.tf | 6 ++++++ variables.tf | 6 ++++++ 14 files changed, 44 insertions(+), 15 deletions(-) diff --git a/modules/runners/policies-runner.tf b/modules/runners/policies-runner.tf index dc90d47b0b..2e6351ac00 100644 --- a/modules/runners/policies-runner.tf +++ b/modules/runners/policies-runner.tf @@ -26,8 +26,8 @@ resource "aws_iam_role_policy" "ssm_parameters" { role = aws_iam_role.runner.name policy = templatefile("${path.module}/policies/instance-ssm-parameters-policy.json", { - arn_ssm_parameters_prefix = "arn:aws:ssm:${var.aws_region}:${data.aws_caller_identity.current.account_id}:parameter/${var.environment}-*" - arn_ssm_parameters_path = "arn:aws:ssm:${var.aws_region}:${data.aws_caller_identity.current.account_id}:parameter/${var.environment}/*" + arn_ssm_parameters_prefix = "arn:${var.aws_partition}:ssm:${var.aws_region}:${data.aws_caller_identity.current.account_id}:parameter/${var.environment}-*" + arn_ssm_parameters_path = "arn:${var.aws_partition}:ssm:${var.aws_region}:${data.aws_caller_identity.current.account_id}:parameter/${var.environment}/*" } ) } 
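Review bot: The partition on the two `+` lines comes from a new `var.aws_partition` that defaults to `"aws"`, so a deployment in another partition whose caller forgets to set the variable still emits `arn:aws:` ARNs; for these SSM `Resource` entries that grants nothing in the real partition, which breaks the runner's parameter access silently rather than at plan time. The same resource already derives the account from `data.aws_caller_identity.current.account_id`, and the provider offers a matching `data "aws_partition" "current" {}` whose `partition` attribute comes from the credentials in use, so `arn:${data.aws_partition.current.partition}:ssm:${var.aws_region}:${data.aws_caller_identity.current.account_id}:parameter/${var.environment}-*` would remove both the variable and the mismatch risk. The managed-policy `policy_arn`s in the `pool/main.tf`, `scale-down.tf` and `scale-up.tf` hunks and the templated policies in `setup-iam-permissions/main.tf` have the same dependency on the variable being set correctly. If a user-settable override is still wanted, defaulting it to `null` and using `coalesce(var.aws_partition, data.aws_partition.current.partition)` keeps the derived value as the fallback.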
diff --git a/modules/runners/policies/service-linked-role-create-policy.json b/modules/runners/policies/service-linked-role-create-policy.json index db6224d266..18a47d5104 100644 --- a/modules/runners/policies/service-linked-role-create-policy.json +++ b/modules/runners/policies/service-linked-role-create-policy.json @@ -4,7 +4,7 @@ { "Effect": "Allow", "Action": "iam:CreateServiceLinkedRole", - "Resource": "arn:aws:iam::*:role/aws-service-role/*" + "Resource": "arn:${aws_partition}:iam::*:role/aws-service-role/*" } ] } diff --git a/modules/runners/pool.tf b/modules/runners/pool.tf index 235ee877dd..4ada24590f 100644 --- a/modules/runners/pool.tf +++ b/modules/runners/pool.tf @@ -43,4 +43,6 @@ module "pool" { tags = local.tags } + aws_partition = var.aws_partition + } diff --git a/modules/runners/pool/main.tf b/modules/runners/pool/main.tf index 7de74454f7..4125228411 100644 --- a/modules/runners/pool/main.tf +++ b/modules/runners/pool/main.tf @@ -81,7 +81,7 @@ resource "aws_iam_role_policy" "pool_logging" { resource "aws_iam_role_policy_attachment" "pool_vpc_execution_role" { count = length(var.config.lambda.subnet_ids) > 0 ? 1 : 0 role = aws_iam_role.pool.name - policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole" + policy_arn = "arn:${var.aws_partition}:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole" } data "aws_iam_policy_document" "lambda_assume_role_policy" { diff --git a/modules/runners/pool/variables.tf b/modules/runners/pool/variables.tf index 66b8eeadc2..af919b4b1d 100644 --- a/modules/runners/pool/variables.tf +++ b/modules/runners/pool/variables.tf @@ -49,3 +49,9 @@ variable "config" { role_path = string }) } + +variable "aws_partition" { + description = "(optional) partition for the arn if not 'aws'" + type = string + default = "aws" +} diff --git a/modules/runners/scale-down.tf b/modules/runners/scale-down.tf index 44b2ae1749..49475fc244 100644 --- a/modules/runners/scale-down.tf 
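Review bot: The new `variable "aws_partition"` in `pool/variables.tf` accepts any string, and that string is interpolated by `templatefile` into IAM policy JSON (`service-linked-role-create-policy.json` on this same line, and the setup-iam-permissions policy templates later in the patch), so a typo yields a malformed or wrong-partition policy document at apply time instead of a plan-time error. A `validation` block restricting it to the known partition names would catch that early; the same applies to the three sibling declarations in `modules/runners/variables.tf`, `modules/setup-iam-permissions/variables.tf` and the root `variables.tf`, whose descriptions each phrase it differently ("for the arn", "for the base arn", "in the arn namespace") and could share one wording. Variable `validation` blocks require Terraform 0.13 or later, which I can't confirm from the hunk.
```hcl
variable "aws_partition" {
  # … unchanged: description, type, default …
  validation {
    condition     = contains(["aws", "aws-cn", "aws-us-gov"], var.aws_partition)
    error_message = "aws_partition must be one of: aws, aws-cn, aws-us-gov."
  }
}
```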
+++ b/modules/runners/scale-down.tf @@ -97,5 +97,5 @@ resource "aws_iam_role_policy" "scale_down_logging" { resource "aws_iam_role_policy_attachment" "scale_down_vpc_execution_role" { count = length(var.lambda_subnet_ids) > 0 ? 1 : 0 role = aws_iam_role.scale_down.name - policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole" + policy_arn = "arn:${var.aws_partition}:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole" } diff --git a/modules/runners/scale-up.tf b/modules/runners/scale-up.tf index 632439520e..5083ee154b 100644 --- a/modules/runners/scale-up.tf +++ b/modules/runners/scale-up.tf @@ -98,11 +98,11 @@ resource "aws_iam_role_policy" "service_linked_role" { count = var.create_service_linked_role_spot ? 1 : 0 name = "${var.environment}-service_linked_role" role = aws_iam_role.scale_up.name - policy = templatefile("${path.module}/policies/service-linked-role-create-policy.json", {}) + policy = templatefile("${path.module}/policies/service-linked-role-create-policy.json", {aws_partition = var.aws_partition}) } resource "aws_iam_role_policy_attachment" "scale_up_vpc_execution_role" { count = length(var.lambda_subnet_ids) > 0 ? 1 : 0 role = aws_iam_role.scale_up.name - policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole" + policy_arn = "arn:${var.aws_partition}:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole" } diff --git a/modules/runners/variables.tf b/modules/runners/variables.tf index 1a4802a44d..10efb3bdf7 100644 --- a/modules/runners/variables.tf +++ b/modules/runners/variables.tf @@ -306,6 +306,12 @@ variable "create_service_linked_role_spot" { default = false } +variable "aws_partition" { + description = "(optional) partition for the base arn if not 'aws'" + type = string + default = "aws" +} + variable "runner_iam_role_managed_policy_arns" { description = "Attach AWS or customer-managed IAM policies (by ARN) to the runner IAM role" type = list(string) 
diff --git a/modules/setup-iam-permissions/main.tf b/modules/setup-iam-permissions/main.tf index d06c0c7770..a577dfd482 100644 --- a/modules/setup-iam-permissions/main.tf +++ b/modules/setup-iam-permissions/main.tf @@ -5,7 +5,8 @@ resource "aws_iam_role" "deploy" { permissions_boundary = aws_iam_policy.deploy_boundary.arn assume_role_policy = templatefile("${path.module}/policies/assume-role-for-account.json", { - account_id = var.account_id + account_id = var.account_id + aws_partition = var.aws_partition }) } @@ -16,6 +17,7 @@ resource "aws_iam_policy" "boundary" { policy = templatefile("${path.module}/policies/boundary.json", { role_namespace = var.namespaces.role_namespace account_id = data.aws_caller_identity.current.account_id + aws_partition = var.aws_partition }) } @@ -44,5 +46,6 @@ resource "aws_iam_policy" "deploy_boundary" { instance_profile_namespace = var.namespaces.instance_profile_namespace boundary_namespace = var.namespaces.boundary_namespace permission_boundary = aws_iam_policy.boundary.arn + aws_partition = var.aws_partition }) } diff --git a/modules/setup-iam-permissions/policies/assume-role-for-account.json b/modules/setup-iam-permissions/policies/assume-role-for-account.json index d8300991a8..b6c51b5f96 100644 --- a/modules/setup-iam-permissions/policies/assume-role-for-account.json +++ b/modules/setup-iam-permissions/policies/assume-role-for-account.json @@ -3,7 +3,7 @@ "Statement": [ { "Action": "sts:AssumeRole", - "Principal": { "AWS": "arn:aws:iam::${account_id}:root" }, + "Principal": { "AWS": "arn:${aws_partition}:iam::${account_id}:root" }, "Effect": "Allow", "Sid": "", "Condition": { diff --git a/modules/setup-iam-permissions/policies/boundary.json b/modules/setup-iam-permissions/policies/boundary.json index f336edadec..5e9363456a 100644 --- a/modules/setup-iam-permissions/policies/boundary.json +++ b/modules/setup-iam-permissions/policies/boundary.json 
@@ -21,7 +21,7 @@ "Sid": "RoleInNamespace", "Effect": "Allow", "Action": ["iam:PassRole"], - "Resource": "arn:aws:iam::${account_id}:role/${role_namespace}/*" + "Resource": "arn:${aws_partition}:iam::${account_id}:role/${role_namespace}/*" }, { "Sid": "Decrypt", diff --git a/modules/setup-iam-permissions/policies/deploy-boundary.json b/modules/setup-iam-permissions/policies/deploy-boundary.json index 1b6f7fc8c8..e6111e5f19 100644 --- a/modules/setup-iam-permissions/policies/deploy-boundary.json +++ b/modules/setup-iam-permissions/policies/deploy-boundary.json @@ -10,7 +10,7 @@ "iam:PutRolePermissionsBoundary", "iam:PutRolePolicy" ], - "Resource": "arn:aws:iam::${account_id}:role/${role_namespace}/*", + "Resource": "arn:${aws_partition}:iam::${account_id}:role/${role_namespace}/*", "Condition": { "StringEquals": { "iam:PermissionsBoundary": "${permission_boundary}" @@ -29,7 +29,7 @@ "iam:DetachRolePolicy", "iam:DeleteRolePolicy" ], - "Resource": "arn:aws:iam::${account_id}:role/${role_namespace}/*" + "Resource": "arn:${aws_partition}:iam::${account_id}:role/${role_namespace}/*" }, { "Sid": "PolicyInNamespace", @@ -42,7 +42,7 @@ "iam:GetPolicyVersion", "iam:SetDefaultPolicyVersion" ], - "Resource": "arn:aws:iam::${account_id}:policy/${policy_namespace}/*" + "Resource": "arn:${aws_partition}:iam::${account_id}:policy/${policy_namespace}/*" }, { "Sid": "InstanceProfileInNamespace", @@ -54,7 +54,7 @@ "iam:AddRoleToInstanceProfile", "iam:GetInstanceProfile" ], - "Resource": "arn:aws:iam::${account_id}:instance-profile/${instance_profile_namespace}/*" + "Resource": "arn:${aws_partition}:iam::${account_id}:instance-profile/${instance_profile_namespace}/*" }, { "Sid": "IamListActions", @@ -78,7 +78,7 @@ "iam:DeletePolicyVersion", "iam:SetDefaultPolicyVersion" ], - "Resource": "arn:aws:iam::${account_id}:policy/${boundary_namespace}/*" + "Resource": "arn:${aws_partition}:iam::${account_id}:policy/${boundary_namespace}/*" }, { "Sid": "Services", 
diff --git a/modules/setup-iam-permissions/variables.tf b/modules/setup-iam-permissions/variables.tf index 32e514a0bb..8d2b9cf47b 100644 --- a/modules/setup-iam-permissions/variables.tf +++ b/modules/setup-iam-permissions/variables.tf @@ -18,3 +18,9 @@ variable "account_id" { type = string } + +variable "aws_partition" { + description = "(optional) partition in the arn namespace if not aws" + type = string + default = "aws" +} \ No newline at end of file diff --git a/variables.tf b/variables.tf index a6e635fe08..263a14f042 100644 --- a/variables.tf +++ b/variables.tf @@ -585,3 +585,9 @@ variable "pool_config" { })) default = [] } + +variable "aws_partition" { + descrdescription = "(optiona) partition in the arn namespace to use if not 'aws'" + type = string + default = "aws" +} \ No newline at end of file From 9b5074b4067f1c89cb49771d97c5bb70834b9a57 Mon Sep 17 00:00:00 2001 From: Jok <67024248+jokreliable@users.noreply.github.com> Date: Fri, 18 Feb 2022 16:41:49 -0800 Subject: [PATCH 2/5] correct typo --- variables.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/variables.tf b/variables.tf index 263a14f042..221caf05f9 100644 --- a/variables.tf +++ b/variables.tf @@ -587,7 +587,7 @@ variable "pool_config" { } variable "aws_partition" { - descrdescription = "(optiona) partition in the arn namespace to use if not 'aws'" + description = "(optiona) partition in the arn namespace to use if not 'aws'" type = string default = "aws" -} \ No newline at end of file +} From b2da529eea013e320550280802aa708365d7fe5e Mon Sep 17 00:00:00 2001 From: Jok <67024248+jokreliable@users.noreply.github.com> Date: Fri, 18 Feb 2022 17:10:49 -0800 Subject: [PATCH 3/5] missed a variable handoff --- main.tf | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/main.tf b/main.tf index c71d73aa79..92dfeccceb 100644 --- a/main.tf +++ b/main.tf 
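Review bot: The `+` line in patch 2 fixes `descrdescription` but leaves `(optiona)` in the same string, so the root `aws_partition` description is still misspelled after this series: the final `variables.tf` hunk in patch 5 re-aligns the block with the typo intact, and terraform-docs copies it verbatim into the README input table in that same patch. One edit covers all of them: `description = "(optional) partition in the arn namespace to use if not 'aws'"`. The sibling declaration in `modules/setup-iam-permissions/variables.tf` on this line reads `(optional) partition in the arn namespace if not aws` and could adopt the same wording.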
@@ -83,11 +83,12 @@ module "webhook" { module "runners" { source = "./modules/runners" - aws_region = var.aws_region - vpc_id = var.vpc_id - subnet_ids = var.subnet_ids - environment = var.environment - tags = local.tags + aws_region = var.aws_region + aws_partition = var.aws_partition + vpc_id = var.vpc_id + subnet_ids = var.subnet_ids + environment = var.environment + tags = local.tags s3_bucket_runner_binaries = module.runner_binaries.bucket s3_location_runner_binaries = local.s3_action_runner_url From 51668a83a52a7d4543e2b8f887b292c4574c155a Mon Sep 17 00:00:00 2001 From: Jok <67024248+jokreliable@users.noreply.github.com> Date: Mon, 21 Feb 2022 18:59:21 -0800 Subject: [PATCH 4/5] missing CR at the end --- modules/setup-iam-permissions/variables.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/setup-iam-permissions/variables.tf b/modules/setup-iam-permissions/variables.tf index 8d2b9cf47b..a67d56648c 100644 --- a/modules/setup-iam-permissions/variables.tf +++ b/modules/setup-iam-permissions/variables.tf @@ -23,4 +23,4 @@ variable "aws_partition" { description = "(optional) partition in the arn namespace if not aws" type = string default = "aws" -} \ No newline at end of file +} From edc4f1c55ab0940a83fbaaf73ec9262b72b99d68 Mon Sep 17 00:00:00 2001 From: Jok <67024248+jokreliable@users.noreply.github.com> Date: Mon, 21 Feb 2022 19:19:27 -0800 Subject: [PATCH 5/5] updates to formatting and docs from tflint and terraform-docs --- README.md | 5 +++-- modules/runner-binaries-syncer/README.md | 2 +- modules/runners/README.md | 5 +++-- modules/runners/scale-up.tf | 2 +- modules/setup-iam-permissions/README.md | 1 + variables.tf | 4 ++-- 6 files changed, 11 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index 5510563df5..2440132b99 100644 --- a/README.md +++ b/README.md 
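Review bot: Only `module "runners"` receives `aws_partition` here, while the hunk header shows `module "webhook"` directly above and the context lines reference `module.runner_binaries`; if either of those modules builds `arn:aws:` strings for its lambda roles or policies they still hard-code the default partition, which I can't confirm from this hunk. A search for `arn:aws:` across the remaining modules would show whether the handoff is complete. The `module "runners"` block continues past the end of the hunk.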
@@ -395,6 +395,7 @@ In case the setup does not work as intended follow the trace of events: |------|-------------|------|---------|:--------:| | [ami\_filter](#input\_ami\_filter) | List of maps used to create the AMI filter for the action runner AMI. By default amazon linux 2 is used. | `map(list(string))` | `null` | no | | [ami\_owners](#input\_ami\_owners) | The list of owners used to select the AMI of action runner instances. | `list(string)` |
[
"amazon"
]
| no | +| [aws\_partition](#input\_aws\_partition) | (optiona) partition in the arn namespace to use if not 'aws' | `string` | `"aws"` | no | | [aws\_region](#input\_aws\_region) | AWS region. | `string` | n/a | yes | | [block\_device\_mappings](#input\_block\_device\_mappings) | The EC2 instance block device configuration. Takes the following keys: `device_name`, `delete_on_termination`, `volume_type`, `volume_size`, `encrypted`, `iops` | `map(string)` | `{}` | no | | [cloudwatch\_config](#input\_cloudwatch\_config) | (optional) Replaces the module default cloudwatch log config. See https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Agent-Configuration-File-Details.html for details. | `string` | `null` | no | 
@@ -402,7 +403,7 @@ In case the setup does not work as intended follow the trace of events: | [delay\_webhook\_event](#input\_delay\_webhook\_event) | The number of seconds the event accepted by the webhook is invisible on the queue before the scale up lambda will receive the event. | `number` | `30` | no | | [enable\_cloudwatch\_agent](#input\_enable\_cloudwatch\_agent) | Enabling the cloudwatch agent on the ec2 runner instances, the runner contains default config. Configuration can be overridden via `cloudwatch_config`. | `bool` | `true` | no | | [enable\_ephemeral\_runners](#input\_enable\_ephemeral\_runners) | Enable ephemeral runners, runners will only be used once. | `bool` | `false` | no | -| [enable\_managed\_runner\_security\_group](#inputenable\_managed\_runner\_security\_group) | Enabling the default managed security group creation. Unmanaged security groups can be specified via `runner_additional_security_group_ids`. | `bool` | `true` | no | +| [enable\_managed\_runner\_security\_group](#input\_enable\_managed\_runner\_security\_group) | Enabling the default managed security group creation. Unmanaged security groups can be specified via `runner_additional_security_group_ids`. | `bool` | `true` | no | | [enable\_organization\_runners](#input\_enable\_organization\_runners) | Register runners to organization, instead of repo level | `bool` | `false` | no | | [enable\_ssm\_on\_runners](#input\_enable\_ssm\_on\_runners) | Enable to allow access the runner instances for debugging purposes via SSM. Note that this adds additional permissions to the runner instances. | `bool` | `false` | no | | [enabled\_userdata](#input\_enabled\_userdata) | Should the userdata script be enabled for the runner. Set this to false if you are using your own prebuilt AMI | `bool` | `true` | no | 
@@ -454,7 +455,7 @@ In case the setup does not work as intended follow the trace of events: | [runner\_iam\_role\_managed\_policy\_arns](#input\_runner\_iam\_role\_managed\_policy\_arns) | Attach AWS or customer-managed IAM policies (by ARN) to the runner IAM role | `list(string)` | `[]` | no | | [runner\_log\_files](#input\_runner\_log\_files) | (optional) Replaces the module default cloudwatch log config. See https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Agent-Configuration-File-Details.html for details. |
list(object({
log_group_name = string
prefix_log_group = bool
file_path = string
log_stream_name = string
}))
| `null` | no | | [runner\_metadata\_options](#input\_runner\_metadata\_options) | Metadata options for the ec2 runner instances. | `map(any)` |
{
"http_endpoint": "enabled",
"http_put_response_hop_limit": 1,
"http_tokens": "optional"
}
| no | -| [runner\_os](#input\_runner\_os) | The Operating System to use for GitHub Actions Runners (linux,win) | `string` | `"linux"` | no | +| [runner\_os](#input\_runner\_os) | The EC2 Operating System type to use for action runner instances (linux,windows). | `string` | `"linux"` | no | | [runner\_run\_as](#input\_runner\_run\_as) | Run the GitHub actions agent as user. | `string` | `"ec2-user"` | no | | [runners\_lambda\_s3\_key](#input\_runners\_lambda\_s3\_key) | S3 key for runners lambda function. Required if using S3 bucket to specify lambdas. | `any` | `null` | no | | [runners\_lambda\_s3\_object\_version](#input\_runners\_lambda\_s3\_object\_version) | S3 object version for runners lambda function. Useful if S3 versioning is enabled on source bucket. | `any` | `null` | no | diff --git a/modules/runner-binaries-syncer/README.md b/modules/runner-binaries-syncer/README.md index de7e67aa49..f67060d82e 100644 --- a/modules/runner-binaries-syncer/README.md +++ b/modules/runner-binaries-syncer/README.md 
@@ -92,7 +92,7 @@ No modules. | [role\_permissions\_boundary](#input\_role\_permissions\_boundary) | Permissions boundary that will be added to the created role for the lambda. | `string` | `null` | no | | [runner\_allow\_prerelease\_binaries](#input\_runner\_allow\_prerelease\_binaries) | Allow the runners to update to prerelease binaries. | `bool` | `false` | no | | [runner\_architecture](#input\_runner\_architecture) | The platform architecture of the runner instance\_type. | `string` | `"x64"` | no | -| [runner\_os](#input\_runner\_os) | The operating system for the runner instance (linux, win), defaults to 'linux' | `string` | `"linux"` | no | +| [runner\_os](#input\_runner\_os) | The EC2 Operating System type to use for action runner instances (linux,windows). | `string` | `"linux"` | no | | [server\_side\_encryption\_configuration](#input\_server\_side\_encryption\_configuration) | Map containing server-side encryption configuration. | `any` | `{}` | no | | [syncer\_lambda\_s3\_key](#input\_syncer\_lambda\_s3\_key) | S3 key for syncer lambda function. Required if using S3 bucket to specify lambdas. | `any` | `null` | no | | [syncer\_lambda\_s3\_object\_version](#input\_syncer\_lambda\_s3\_object\_version) | S3 object version for syncer lambda function. Useful if S3 versioning is enabled on source bucket. | `any` | `null` | no | diff --git a/modules/runners/README.md b/modules/runners/README.md index 9150f51c6d..37218d545d 100644 --- a/modules/runners/README.md +++ b/modules/runners/README.md @@ -115,6 +115,7 @@ yarn run dist |------|-------------|------|---------|:--------:| | [ami\_filter](#input\_ami\_filter) | Map of lists used to create the AMI filter for the action runner AMI. | `map(list(string))` | `null` | no | | [ami\_owners](#input\_ami\_owners) | The list of owners used to select the AMI of action runner instances. | `list(string)` |
[
"amazon"
]
| no | +| [aws\_partition](#input\_aws\_partition) | (optional) partition for the base arn if not 'aws' | `string` | `"aws"` | no | | [aws\_region](#input\_aws\_region) | AWS region. | `string` | n/a | yes | | [block\_device\_mappings](#input\_block\_device\_mappings) | The EC2 instance block device configuration. Takes the following keys: `device_name`, `delete_on_termination`, `volume_type`, `volume_size`, `encrypted`, `iops` | `map(string)` | `{}` | no | | [cloudwatch\_config](#input\_cloudwatch\_config) | (optional) Replaces the module default cloudwatch log config. See https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Agent-Configuration-File-Details.html for details. | `string` | `null` | no | @@ -122,7 +123,7 @@ yarn run dist | [egress\_rules](#input\_egress\_rules) | List of egress rules for the GitHub runner instances. |
list(object({
cidr_blocks = list(string)
ipv6_cidr_blocks = list(string)
prefix_list_ids = list(string)
from_port = number
protocol = string
security_groups = list(string)
self = bool
to_port = number
description = string
}))
|
[
{
"cidr_blocks": [
"0.0.0.0/0"
],
"description": null,
"from_port": 0,
"ipv6_cidr_blocks": [
"::/0"
],
"prefix_list_ids": null,
"protocol": "-1",
"security_groups": null,
"self": null,
"to_port": 0
}
]
| no | | [enable\_cloudwatch\_agent](#input\_enable\_cloudwatch\_agent) | Enabling the cloudwatch agent on the ec2 runner instances, the runner contains default config. Configuration can be overridden via `cloudwatch_config`. | `bool` | `true` | no | | [enable\_ephemeral\_runners](#input\_enable\_ephemeral\_runners) | Enable ephemeral runners, runners will only be used once. | `bool` | `false` | no | -| [enable\_managed\_runner\_security\_group](#inputenable\_managed\_runner\_security\_group) | Enabling the default managed security group creation. Unmanaged security groups can be specified via `runner_additional_security_group_ids`. | `bool` | `true` | no | +| [enable\_managed\_runner\_security\_group](#input\_enable\_managed\_runner\_security\_group) | Enabling the default managed security group creation. Unmanaged security groups can be specified via `runner_additional_security_group_ids`. | `bool` | `true` | no | | [enable\_organization\_runners](#input\_enable\_organization\_runners) | n/a | `bool` | n/a | yes | | [enable\_ssm\_on\_runners](#input\_enable\_ssm\_on\_runners) | Enable to allow access to the runner instances for debugging purposes via SSM. Note that this adds additional permissions to the runner instances. | `bool` | n/a | yes | | [enabled\_userdata](#input\_enabled\_userdata) | Should the userdata script be enabled for the runner. Set this to false if you are using your own prebuilt AMI | `bool` | `true` | no | 
@@ -167,7 +168,7 @@ yarn run dist | [runner\_group\_name](#input\_runner\_group\_name) | Name of the runner group. | `string` | `"Default"` | no | | [runner\_iam\_role\_managed\_policy\_arns](#input\_runner\_iam\_role\_managed\_policy\_arns) | Attach AWS or customer-managed IAM policies (by ARN) to the runner IAM role | `list(string)` | `[]` | no | | [runner\_log\_files](#input\_runner\_log\_files) | (optional) List of logfiles to send to CloudWatch, will only be used if `enable_cloudwatch_agent` is set to true. Object description: `log_group_name`: Name of the log group, `prefix_log_group`: If true, the log group name will be prefixed with `/github-self-hosted-runners/`, `file_path`: path to the log file, `log_stream_name`: name of the log stream. |
list(object({
log_group_name = string
prefix_log_group = bool
file_path = string
log_stream_name = string
}))
| `null` | no | -| [runner\_os](#input\_runner\_os) | The EC2 Operating System type to use for action runner instances (linux,win). | `string` | `"linux"` | no | +| [runner\_os](#input\_runner\_os) | The EC2 Operating System type to use for action runner instances (linux,windows). | `string` | `"linux"` | no | | [runner\_run\_as](#input\_runner\_run\_as) | Run the GitHub actions agent as user. | `string` | `"ec2-user"` | no | | [runners\_lambda\_s3\_key](#input\_runners\_lambda\_s3\_key) | S3 key for runners lambda function. Required if using S3 bucket to specify lambdas. | `any` | `null` | no | | [runners\_lambda\_s3\_object\_version](#input\_runners\_lambda\_s3\_object\_version) | S3 object version for runners lambda function. Useful if S3 versioning is enabled on source bucket. | `any` | `null` | no | diff --git a/modules/runners/scale-up.tf b/modules/runners/scale-up.tf index 5083ee154b..3ccbf9ab20 100644 --- a/modules/runners/scale-up.tf +++ b/modules/runners/scale-up.tf @@ -98,7 +98,7 @@ resource "aws_iam_role_policy" "service_linked_role" { count = var.create_service_linked_role_spot ? 1 : 0 name = "${var.environment}-service_linked_role" role = aws_iam_role.scale_up.name - policy = templatefile("${path.module}/policies/service-linked-role-create-policy.json", {aws_partition = var.aws_partition}) + policy = templatefile("${path.module}/policies/service-linked-role-create-policy.json", { aws_partition = var.aws_partition }) } resource "aws_iam_role_policy_attachment" "scale_up_vpc_execution_role" { diff --git a/modules/setup-iam-permissions/README.md b/modules/setup-iam-permissions/README.md index c0e78f7638..b66adb7e50 100644 --- a/modules/setup-iam-permissions/README.md +++ b/modules/setup-iam-permissions/README.md 
@@ -70,6 +70,7 @@ No modules. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | [account\_id](#input\_account\_id) | The module allows to switch to the created role from the provided account id. | `string` | n/a | yes | +| [aws\_partition](#input\_aws\_partition) | (optional) partition in the arn namespace if not aws | `string` | `"aws"` | no | | [environment](#input\_environment) | A name that identifies the environment, used as prefix and for tagging. | `string` | n/a | yes | | [namespaces](#input\_namespaces) | The role will be only allowed to create roles, policies and instance profiles in the given namespace / path. All policies in the boundaries namespace cannot be modified by this role. |
object({
boundary_namespace = string
role_namespace = string
policy_namespace = string
instance_profile_namespace = string
})
| n/a | yes | diff --git a/variables.tf b/variables.tf index 221caf05f9..8f8cee0940 100644 --- a/variables.tf +++ b/variables.tf @@ -588,6 +588,6 @@ variable "pool_config" { variable "aws_partition" { description = "(optiona) partition in the arn namespace to use if not 'aws'" - type = string - default = "aws" + type = string + default = "aws" }