feat(runners): allow to use a shared encrypted AMI

main.tf

@@ -202,6 +202,7 @@ module "runners" {
   ami_filter                = var.ami_filter
   ami_owners                = var.ami_owners
   ami_id_ssm_parameter_name = var.ami_id_ssm_parameter_name
+  ami_kms_key_arn           = var.ami_kms_key_arn
 
   sqs_build_queue                      = aws_sqs_queue.queued_builds
   github_app_parameters                = local.github_app_parameters

modules/multi-runner/runners.tf

@@ -29,6 +29,7 @@ module "runners" {
   ami_filter                = each.value.runner_config.ami_filter
   ami_owners                = each.value.runner_config.ami_owners
   ami_id_ssm_parameter_name = each.value.runner_config.ami_id_ssm_parameter_name
+  ami_kms_key_arn           = each.value.runner_config.ami_kms_key_arn
 
   sqs_build_queue                      = { "arn" : each.value.arn }
   github_app_parameters                = local.github_app_parameters

modules/multi-runner/variables.tf

@@ -39,6 +39,7 @@ variable "multi_runner_config" {
       ami_filter                              = optional(map(list(string)), null)
       ami_owners                              = optional(list(string), ["amazon"])
       ami_id_ssm_parameter_name               = optional(string, null)
+      ami_kms_key_arn                         = optional(string, "")
       create_service_linked_role_spot         = optional(bool, false)
       delay_webhook_event                     = optional(number, 30)
       disable_runner_autoupdate               = optional(bool, false)

modules/runners/main.tf

@@ -17,7 +17,6 @@ locals {
   userdata_template               = var.userdata_template == null ? local.default_userdata_template[var.runner_os] : var.userdata_template
   kms_key_arn                     = var.kms_key_arn != null ? var.kms_key_arn : ""
   s3_location_runner_distribution = var.enable_runner_binaries_syncer ? "s3://${var.s3_runner_binaries.id}/${var.s3_runner_binaries.key}" : ""
-
   default_ami = {
     "windows" = { name = ["Windows_Server-2022-English-Core-ContainersLatest-*"] }
     "linux"   = var.runner_architecture == "arm64" ? { name = ["amzn2-ami-kernel-5.*-hvm-*-arm64-gp2"] } : { name = ["amzn2-ami-kernel-5.*-hvm-*-x86_64-gp2"] }
@@ -38,7 +37,8 @@ locals {
     "linux"   = "${path.module}/templates/start-runner.sh"
   }
 
-  ami_filter = coalesce(var.ami_filter, local.default_ami[var.runner_os])
+  ami_kms_key_arn = var.ami_kms_key_arn != null ? var.ami_kms_key_arn : ""
+  ami_filter      = coalesce(var.ami_filter, local.default_ami[var.runner_os])
 
   enable_job_queued_check = var.enable_job_queued_check == null ? !var.enable_ephemeral_runners : var.enable_job_queued_check
 }

modules/runners/policies/lambda-scale-up.json

@@ -52,6 +52,17 @@
                 "kms:Decrypt"
             ],
             "Resource": "${kms_key_arn}"
+%{ endif ~}
+%{ if ami_kms_key_arn != "" ~}
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "kms:DescribeKey",
+                "kms:ReEncrypt*",
+                "kms:Decrypt"
+            ],
+            "Resource": "${ami_kms_key_arn}"
 %{ endif ~}
         }
     ]

modules/runners/pool.tf

@@ -15,6 +15,7 @@ module "pool" {
     instance_target_capacity_type = var.instance_target_capacity_type
     instance_types                = var.instance_types
     kms_key_arn                   = local.kms_key_arn
+    ami_kms_key_arn               = local.ami_kms_key_arn
     lambda = {
       log_level                      = var.log_level
       log_type                       = var.log_type

modules/runners/pool/main.tf

@@ -72,6 +72,7 @@ resource "aws_iam_role_policy" "pool" {
     github_app_id_arn         = var.config.github_app_parameters.id.arn
     github_app_key_base64_arn = var.config.github_app_parameters.key_base64.arn
     kms_key_arn               = var.config.kms_key_arn
+    ami_kms_key_arn           = var.config.ami_kms_key_arn
   })
 }
 

modules/runners/pool/policies/lambda-pool.json

@@ -43,6 +43,17 @@
                 "kms:Decrypt"
             ],
             "Resource": "${kms_key_arn}"
+%{ endif ~}
+%{ if ami_kms_key_arn != "" ~}
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "kms:DescribeKey",
+                "kms:ReEncrypt*",
+                "kms:Decrypt"
+            ],
+            "Resource": "${ami_kms_key_arn}"
 %{ endif ~}
         }
     ]

modules/runners/pool/variables.tf

@@ -51,6 +51,7 @@ variable "config" {
     }))
     role_permissions_boundary = string
     kms_key_arn               = string
+    ami_kms_key_arn           = string
     role_path                 = string
     ssm_token_path            = string
   })

modules/runners/scale-up.tf

@@ -88,6 +88,7 @@ resource "aws_iam_role_policy" "scale_up" {
     github_app_id_arn         = var.github_app_parameters.id.arn
     github_app_key_base64_arn = var.github_app_parameters.key_base64.arn
     kms_key_arn               = local.kms_key_arn
+    ami_kms_key_arn           = local.ami_kms_key_arn
   })
 }
 

modules/runners/variables.tf

@@ -142,6 +142,12 @@ variable "ami_id_ssm_parameter_name" {
   default     = null
 }
 
+variable "ami_kms_key_arn" {
+  description = "Optional CMK Key ARN to be used to launch an instance from a shared encrypted AMI"
+  type        = string
+  default     = null
+}
+
 variable "enable_userdata" {
   description = "Should the userdata script be enabled for the runner. Set this to false if you are using your own prebuilt AMI"
   type        = bool

variables.tf

@@ -307,6 +307,12 @@ variable "ami_id_ssm_parameter_name" {
   default     = null
 }
 
+variable "ami_kms_key_arn" {
+  description = "Optional CMK Key ARN to be used to launch an instance from a shared encrypted AMI"
+  type        = string
+  default     = null
+}
+
 variable "lambda_s3_bucket" {
   description = "S3 bucket from which to specify lambda functions. This is an alternative to providing local files directly."
   type        = string