Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: Add option to disable lambda to sync runner binaries #2314

Merged
merged 4 commits into from
Aug 15, 2022
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
11 changes: 11 additions & 0 deletions .editorconfig
Original file line number Diff line number Diff line change
@@ -1,2 +1,13 @@
# EditorConfig is awesome: https://EditorConfig.org

# top-most EditorConfig file
root = true

[*]
indent_style = space
indent_size = 2
tab_width = 2
end_of_line = lf
charset = utf-8
trim_trailing_whitespace = true
insert_final_newline = true
1 change: 0 additions & 1 deletion .vscode/extensions.json
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,6 @@
// Extension identifier format: ${publisher}.${name}. Example: vscode.csharp
"editorconfig.editorconfig",
"yzhang.markdown-all-in-one",
"sonarsource.sonarlint-vscode",
"hashicorp.terraform"
]
}
4 changes: 2 additions & 2 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -309,8 +309,7 @@ The example for [ephemeral runners](./examples/ephemeral) is based on the [defau

### Prebuilt Images

This module also allows you to run agents from a prebuilt AMI to gain faster startup times. You can find more information in [the image README.md](/images/README.md)

This module also allows you to run agents from a prebuilt AMI to gain faster startup times. You can find more information in [the image README.md](/images/README.md). When the GitHub runner is part of the AMI you can disable the binary syncer by setting `enable_runner_binaries_syncer = false`.

## Examples

Expand Down Expand Up @@ -407,6 +406,7 @@ In case the setup does not work as intended follow the trace of events:
| <a name="input_enable_job_queued_check"></a> [enable\_job\_queued\_check](#input\_enable\_job\_queued\_check) | Only scale if the job event received by the scale up lambda is is in the state queued. By default enabled for non ephemeral runners and disabled for ephemeral. Set this variable to overwrite the default behavior. | `bool` | `null` | no |
| <a name="input_enable_managed_runner_security_group"></a> [enable\_managed\_runner\_security\_group](#input\_enable\_managed\_runner\_security\_group) | Enabling the default managed security group creation. Unmanaged security groups can be specified via `runner_additional_security_group_ids`. | `bool` | `true` | no |
| <a name="input_enable_organization_runners"></a> [enable\_organization\_runners](#input\_enable\_organization\_runners) | Register runners to organization, instead of repo level | `bool` | `false` | no |
| <a name="input_enable_runner_binaries_syncer"></a> [enable\_runner\_binaries\_syncer](#input\_enable\_runner\_binaries\_syncer) | Option to disable the lambda to sync GitHub runner distribution, usefull when using a pre-build AMI. | `bool` | `true` | no |
| <a name="input_enable_runner_detailed_monitoring"></a> [enable\_runner\_detailed\_monitoring](#input\_enable\_runner\_detailed\_monitoring) | Should detailed monitoring be enabled for the runner. Set this to true if you want to use detailed monitoring. See https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-cloudwatch-new.html for details. | `bool` | `false` | no |
| <a name="input_enable_ssm_on_runners"></a> [enable\_ssm\_on\_runners](#input\_enable\_ssm\_on\_runners) | Enable to allow access the runner instances for debugging purposes via SSM. Note that this adds additional permissions to the runner instances. | `bool` | `false` | no |
| <a name="input_enabled_userdata"></a> [enabled\_userdata](#input\_enabled\_userdata) | Should the userdata script be enabled for the runner. Set this to false if you are using your own prebuilt AMI. | `bool` | `true` | no |
Expand Down
7 changes: 5 additions & 2 deletions examples/prebuilt/README.md
Original file line number Diff line number Diff line change
@@ -1,6 +1,9 @@
# Action runners deployment with prebuilt image

This module shows how to create GitHub action runners using a prebuilt AMI for the runners
This module shows how to create GitHub action runners using a prebuilt AMI for the runners.

- Configured to run with org level runners.
- GitHub runner binary syncer is not deployed.

## Usages

Expand Down Expand Up @@ -56,7 +59,7 @@ module "runners" {
...
# set the name of the ami to use
ami_filter = { name = ["github-runner-amzn2-x86_64-2021*"] }
# provide the owner id of
# provide the owner id of
ami_owners = ["<your owner id>"]

enabled_userdata = false
Expand Down
6 changes: 5 additions & 1 deletion examples/prebuilt/main.tf
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,8 @@ module "runners" {
vpc_id = module.vpc.vpc_id
subnet_ids = module.vpc.private_subnets

prefix = local.environment
prefix = local.environment
enable_organization_runners = false

github_app = {
key_base64 = var.github_app_key_base64
Expand All @@ -36,6 +37,9 @@ module "runners" {
ami_filter = { name = [var.ami_name_filter] }
ami_owners = [data.aws_caller_identity.current.account_id]

# disable binary syncer since github agent is already installed in the AMI.
enable_runner_binaries_syncer = false

# enable access to the runners via SSM
enable_ssm_on_runners = true

Expand Down
6 changes: 0 additions & 6 deletions examples/prebuilt/outputs.tf
Original file line number Diff line number Diff line change
@@ -1,9 +1,3 @@
output "runners" {
value = {
lambda_syncer_name = module.runners.binaries_syncer.lambda.function_name
}
}

output "webhook_endpoint" {
value = module.runners.webhook.endpoint
}
Expand Down
2 changes: 1 addition & 1 deletion images/linux-amzn2/github_agent.linux.pkr.hcl
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@ packer {
variable "runner_version" {
description = "The version (no v prefix) of the runner software to install https://github.com/actions/runner/releases"
type = string
default = "2.286.1"
default = "2.295.0"
}

variable "region" {
Expand Down
11 changes: 8 additions & 3 deletions main.tf
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,6 @@ locals {
"ghr:environment" = var.prefix
})

s3_action_runner_url = "s3://${module.runner_binaries.bucket.id}/${module.runner_binaries.runner_distribution_object_key}"
github_app_parameters = {
id = module.ssm.parameters.github_app_id
key_base64 = module.ssm.parameters.github_app_key_base64
Expand Down Expand Up @@ -134,8 +133,11 @@ module "runners" {
prefix = var.prefix
tags = local.tags

s3_bucket_runner_binaries = module.runner_binaries.bucket
s3_location_runner_binaries = local.s3_action_runner_url
s3_runner_binaries = var.enable_runner_binaries_syncer ? {
arn = module.runner_binaries[0].bucket.arn
id = module.runner_binaries[0].bucket.id
key = module.runner_binaries[0].runner_distribution_object_key
} : null

runner_os = var.runner_os
instance_types = var.instance_types
Expand Down Expand Up @@ -169,6 +171,7 @@ module "runners" {
runner_additional_security_group_ids = var.runner_additional_security_group_ids
metadata_options = var.runner_metadata_options

enable_runner_binaries_syncer = var.enable_runner_binaries_syncer
lambda_s3_bucket = var.lambda_s3_bucket
runners_lambda_s3_key = var.runners_lambda_s3_key
runners_lambda_s3_object_version = var.runners_lambda_s3_object_version
Expand Down Expand Up @@ -218,6 +221,8 @@ module "runners" {
}

module "runner_binaries" {
count = var.enable_runner_binaries_syncer ? 1 : 0

source = "./modules/runner-binaries-syncer"

aws_region = var.aws_region
Expand Down
4 changes: 2 additions & 2 deletions modules/runners/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -127,6 +127,7 @@ yarn run dist
| <a name="input_enable_job_queued_check"></a> [enable\_job\_queued\_check](#input\_enable\_job\_queued\_check) | Only scale if the job event received by the scale up lambda is is in the state queued. By default enabled for non ephemeral runners and disabled for ephemeral. Set this variable to overwrite the default behavior. | `bool` | `null` | no |
| <a name="input_enable_managed_runner_security_group"></a> [enable\_managed\_runner\_security\_group](#input\_enable\_managed\_runner\_security\_group) | Enabling the default managed security group creation. Unmanaged security groups can be specified via `runner_additional_security_group_ids`. | `bool` | `true` | no |
| <a name="input_enable_organization_runners"></a> [enable\_organization\_runners](#input\_enable\_organization\_runners) | n/a | `bool` | n/a | yes |
| <a name="input_enable_runner_binaries_syncer"></a> [enable\_runner\_binaries\_syncer](#input\_enable\_runner\_binaries\_syncer) | Option to disable the lambda to sync GitHub runner distribution, usefull when using a pre-build AMI. | `bool` | `true` | no |
| <a name="input_enable_runner_detailed_monitoring"></a> [enable\_runner\_detailed\_monitoring](#input\_enable\_runner\_detailed\_monitoring) | Enable detailed monitoring for runners | `bool` | `false` | no |
| <a name="input_enable_ssm_on_runners"></a> [enable\_ssm\_on\_runners](#input\_enable\_ssm\_on\_runners) | Enable to allow access to the runner instances for debugging purposes via SSM. Note that this adds additional permissions to the runner instances. | `bool` | n/a | yes |
| <a name="input_enabled_userdata"></a> [enabled\_userdata](#input\_enabled\_userdata) | Should the userdata script be enabled for the runner. Set this to false if you are using your own prebuilt AMI | `bool` | `true` | no |
Expand Down Expand Up @@ -180,8 +181,7 @@ yarn run dist
| <a name="input_runners_lambda_s3_key"></a> [runners\_lambda\_s3\_key](#input\_runners\_lambda\_s3\_key) | S3 key for runners lambda function. Required if using S3 bucket to specify lambdas. | `any` | `null` | no |
| <a name="input_runners_lambda_s3_object_version"></a> [runners\_lambda\_s3\_object\_version](#input\_runners\_lambda\_s3\_object\_version) | S3 object version for runners lambda function. Useful if S3 versioning is enabled on source bucket. | `any` | `null` | no |
| <a name="input_runners_maximum_count"></a> [runners\_maximum\_count](#input\_runners\_maximum\_count) | The maximum number of runners that will be created. | `number` | `3` | no |
| <a name="input_s3_bucket_runner_binaries"></a> [s3\_bucket\_runner\_binaries](#input\_s3\_bucket\_runner\_binaries) | n/a | <pre>object({<br> arn = string<br> })</pre> | n/a | yes |
| <a name="input_s3_location_runner_binaries"></a> [s3\_location\_runner\_binaries](#input\_s3\_location\_runner\_binaries) | S3 location of runner distribution. | `string` | n/a | yes |
| <a name="input_s3_runner_binaries"></a> [s3\_runner\_binaries](#input\_s3\_runner\_binaries) | Bucket details for cached GitHub binary. | <pre>object({<br> arn = string<br> id = string<br> key = string<br> })</pre> | n/a | yes |
| <a name="input_scale_down_schedule_expression"></a> [scale\_down\_schedule\_expression](#input\_scale\_down\_schedule\_expression) | Scheduler expression to check every x for scale down. | `string` | `"cron(*/5 * * * ? *)"` | no |
| <a name="input_scale_up_reserved_concurrent_executions"></a> [scale\_up\_reserved\_concurrent\_executions](#input\_scale\_up\_reserved\_concurrent\_executions) | Amount of reserved concurrent executions for the scale-up lambda function. A value of 0 disables lambda from being triggered and -1 removes any concurrency limitations. | `number` | `1` | no |
| <a name="input_sqs_build_queue"></a> [sqs\_build\_queue](#input\_sqs\_build\_queue) | SQS queue to consume accepted build events. | <pre>object({<br> arn = string<br> })</pre> | n/a | yes |
Expand Down
3 changes: 1 addition & 2 deletions modules/runners/main.tf
Original file line number Diff line number Diff line change
Expand Up @@ -122,11 +122,10 @@ resource "aws_launch_template" "runner" {
)
}


user_data = var.enabled_userdata ? base64encode(templatefile(local.userdata_template, {
pre_install = var.userdata_pre_install
install_runner = templatefile(local.userdata_install_runner[var.runner_os], {
S3_LOCATION_RUNNER_DISTRIBUTION = var.s3_location_runner_binaries
S3_LOCATION_RUNNER_DISTRIBUTION = var.enable_runner_binaries_syncer ? "s3://${var.s3_runner_binaries.id}/${var.s3_runner_binaries.key}" : ""
RUNNER_ARCHITECTURE = var.runner_architecture
})
post_install = var.userdata_post_install
Expand Down
4 changes: 3 additions & 1 deletion modules/runners/policies-runner.tf
Original file line number Diff line number Diff line change
Expand Up @@ -33,11 +33,13 @@ resource "aws_iam_role_policy" "ssm_parameters" {
}

resource "aws_iam_role_policy" "dist_bucket" {
count = var.enable_runner_binaries_syncer ? 1 : 0

name = "distribution-bucket"
role = aws_iam_role.runner.name
policy = templatefile("${path.module}/policies/instance-s3-policy.json",
{
s3_arn = var.s3_bucket_runner_binaries.arn
s3_arn = "${var.s3_runner_binaries.arn}/${var.s3_runner_binaries.key}"
}
)
}
Expand Down
2 changes: 1 addition & 1 deletion modules/runners/policies/instance-s3-policy.json
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@
"Sid": "githubActionDist",
"Effect": "Allow",
"Action": ["s3:GetObject", "s3:GetObjectAcl"],
"Resource": ["${s3_arn}/*"]
"Resource": ["${s3_arn}"]
}
]
}
18 changes: 11 additions & 7 deletions modules/runners/variables.tf
Original file line number Diff line number Diff line change
Expand Up @@ -46,17 +46,15 @@ variable "prefix" {
default = "github-actions"
}

variable "s3_bucket_runner_binaries" {
variable "s3_runner_binaries" {
description = "Bucket details for cached GitHub binary."
type = object({
arn = string
id = string
key = string
})
}

variable "s3_location_runner_binaries" {
description = "S3 location of runner distribution."
type = string
}

variable "block_device_mappings" {
description = "The EC2 instance block device configuration. Takes the following keys: `device_name`, `delete_on_termination`, `volume_type`, `volume_size`, `encrypted`, `iops`, `throughput`, `kms_key_id`, `snapshot_id`."
type = list(object({
Expand Down Expand Up @@ -566,4 +564,10 @@ variable "lambda_architecture" {
condition = contains(["arm64", "x86_64"], var.lambda_architecture)
error_message = "`lambda_architecture` value is not valid, valid values are: `arm64` and `x86_64`."
}
}
}

variable "enable_runner_binaries_syncer" {
description = "Option to disable the lambda to sync GitHub runner distribution, usefull when using a pre-build AMI."
type = bool
default = true
npalm marked this conversation as resolved.
Show resolved Hide resolved
}
12 changes: 6 additions & 6 deletions outputs.tf
Original file line number Diff line number Diff line change
Expand Up @@ -14,12 +14,12 @@ output "runners" {
}

output "binaries_syncer" {
value = {
lambda = module.runner_binaries.lambda
lambda_role = module.runner_binaries.lambda_role
location = local.s3_action_runner_url
bucket = module.runner_binaries.bucket
}
value = var.enable_runner_binaries_syncer ? {
lambda = module.runner_binaries[0].lambda
lambda_role = module.runner_binaries[0].lambda_role
location = "s3://${module.runner_binaries[0].bucket.id}/module.runner_binaries[0].bucket.key"
bucket = module.runner_binaries[0].bucket
} : null
}

output "webhook" {
Expand Down
8 changes: 7 additions & 1 deletion variables.tf
Original file line number Diff line number Diff line change
Expand Up @@ -662,4 +662,10 @@ variable "lambda_architecture" {
condition = contains(["arm64", "x86_64"], var.lambda_architecture)
error_message = "`lambda_architecture` value is not valid, valid values are: `arm64` and `x86_64`."
}
}
}

variable "enable_runner_binaries_syncer" {
description = "Option to disable the lambda to sync GitHub runner distribution, usefull when using a pre-build AMI."
type = bool
default = true
}