Merge branch 'release/v0.7.0' into master

Author: npalm

CHANGELOG.md

@@ -7,6 +7,15 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+
+## [0.7.0] - 2020-12-04
+### Changed
+- Small clarifications in the README #368 @lrytz
+
+### Added
+- Allow operator to pass in a list of managed IAM policy ARNs for the runner role #361 @jpalomaki
+- expand options for sourcing lambda to include S3 #292 @eky5006 
+
 ## [0.6.0] - 2020-10-10
 
 ### Added
@@ -30,6 +39,7 @@ terraform import module.runners.module.runners.aws_cloudwatch_log_group.scale_up
 terraform import module.runners.module.runners.aws_cloudwatch_log_group.scale_down "/aws/lambda/default-scale-down"
 terraform import module.runners.module.webhook.aws_cloudwatch_log_group.webhook "/aws/lambda/default-webhook"
 ```
+- feat: Expose ami-filters and user-data template file location to users to allow use of custom AMIs
 
 - feat: Added option to binaries syncer to upgrade to pre-releases, preventing any auto-updating on startup. Option `runner_allow_prerelease_binaries` is disabled by default. (#141, #165) @sjagoe
 
@@ -80,7 +90,8 @@ terraform import module.runners.module.webhook.aws_cloudwatch_log_group.webhook
 
 - First release.
 
-[unreleased]: https://github.com/philips-labs/terraform-aws-github-runner/compare/v0.6.0..HEAD
+[unreleased]: https://github.com/philips-labs/terraform-aws-github-runner/compare/v0.7.0..HEAD
+[0.7.0]: https://github.com/philips-labs/terraform-aws-github-runner/releases/tag/v0.6.0..v0.7.0
 [0.6.0]: https://github.com/philips-labs/terraform-aws-github-runner/releases/tag/v0.5.0..v0.6.0
 [0.5.0]: https://github.com/philips-labs/terraform-aws-github-runner/releases/tag/v0.4.0..v0.5.0
 [0.4.0]: https://github.com/philips-labs/terraform-aws-github-runner/releases/tag/v0.3.0..v0.4.0

CONTRIBUTING.md

@@ -52,6 +52,7 @@ If your issue appears to be a bug, and hasn't been reported, open a new issue. H
 **If you get help, help others. Good karma rulez!**
 
 ### Submitting a Merge Request
+
 Before you submit your merge request consider the following guidelines:
 
 * Make your changes in a new git branch:
@@ -63,6 +64,7 @@ Before you submit your merge request consider the following guidelines:
 * Create your patch, **including appropriate test cases**.
 * Run the test suite and ensure that all tests pass.
 * Add a line in the CHANGELOG.md under Unreleased. This will be used form generating the release notes.
+* Install [pre-commit hooks](https://pre-commit.com/). The hooks runs some basic checks and update the docs. The commit will run the hooks, you can invoke the hooks manually `pre-commit run --all-files` as well.
 * Commit your changes using a descriptive commit message.
 
     ```shell

README.md

@@ -3,15 +3,15 @@ module "lambdas" {
   lambdas = [
     {
       name = "webhook"
-      tag  = "v0.6.0"
+      tag  = "v0.7.0"
     },
     {
       name = "runners"
-      tag  = "v0.6.0"
+      tag  = "v0.7.0"
     },
     {
       name = "runner-binaries-syncer"
-      tag  = "v0.6.0"
+      tag  = "v0.7.0"
     }
   ]
 }

examples/default/lambdas-download/main.tf

@@ -45,4 +45,7 @@ module "runners" {
 
   # disable KMS and encryption
   # encrypt_secrets = false
+
+  # Let the module manage the service linked role
+  # create_service_linked_role_spot = true
 }

examples/default/main.tf

@@ -3,15 +3,15 @@ module "lambdas" {
   lambdas = [
     {
       name = "webhook"
-      tag  = "v0.6.0"
+      tag  = "v0.7.0"
     },
     {
       name = "runners"
-      tag  = "v0.6.0"
+      tag  = "v0.7.0"
     },
     {
       name = "runner-binaries-syncer"
-      tag  = "v0.6.0"
+      tag  = "v0.7.0"
     }
   ]
 }

examples/permissions-boundary/lambdas-download/main.tf

@@ -0,0 +1,21 @@
+# Action runners deployment ubuntu example
+
+This modules shows how to create GitHub action runners using an Ubuntu AMI. Lambda release will be downloaded from GitHub.
+
+## Usages
+
+Steps for the full setup, such as creating a GitHub app can be found in the root module's [README](../../README.md). First download the Lambda releases from GitHub. Alternatively you can build the lambdas locally with Node or Docker, there is a simple build script in `<root>/.ci/build.sh`. In the `main.tf` you can simple remove the location of the lambda zip files, the default location will work in this case.
+
+```bash
+cd lambdas-download
+terraform init
+terraform apply
+cd ..
+```
+
+Before running Terraform, ensure the GitHub app is configured.
+
+```bash
+terraform init
+terraform apply
+```

examples/ubuntu/README.md

@@ -0,0 +1,21 @@
+module "lambdas" {
+  source = "../../../modules/download-lambda"
+  lambdas = [
+    {
+      name = "webhook"
+      tag  = "v0.5.0"
+    },
+    {
+      name = "runners"
+      tag  = "v0.5.0"
+    },
+    {
+      name = "runner-binaries-syncer"
+      tag  = "v0.5.0"
+    }
+  ]
+}
+
+output "files" {
+  value = module.lambdas.files
+}

examples/ubuntu/lambdas-download/main.tf

@@ -0,0 +1,61 @@
+locals {
+  environment = "ubuntu"
+  aws_region  = "eu-west-1"
+}
+
+resource "random_password" "random" {
+  length = 28
+}
+
+module "runners" {
+  source = "../../"
+
+  aws_region = local.aws_region
+  vpc_id     = module.vpc.vpc_id
+  subnet_ids = module.vpc.private_subnets
+
+  environment = local.environment
+  tags = {
+    Project = "ProjectX"
+  }
+
+  github_app = {
+    key_base64     = var.github_app_key_base64
+    id             = var.github_app_id
+    client_id      = var.github_app_client_id
+    client_secret  = var.github_app_client_secret
+    webhook_secret = random_password.random.result
+  }
+
+  webhook_lambda_zip                = "lambdas-download/webhook.zip"
+  runner_binaries_syncer_lambda_zip = "lambdas-download/runner-binaries-syncer.zip"
+  runners_lambda_zip                = "lambdas-download/runners.zip"
+
+  enable_organization_runners = false
+  runner_extra_labels         = "ubuntu,example"
+
+  # enable access to the runners via SSM
+  enable_ssm_on_runners = true
+
+  userdata_template = "./templates/user-data.sh"
+  ami_owners        = ["099720109477"] # Canonical's Amazon account ID
+
+  ami_filter = {
+    name = ["ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-*"]
+  }
+
+  block_device_mappings = {
+    # Set the block device name for Ubuntu root device
+    device_name = "/dev/sda1"
+  }
+
+  # Uncommet idle config to have idle runners from 9 to 5 in time zone Amsterdam
+  # idle_config = [{
+  #   cron      = "* * 9-17 * * *"
+  #   timeZone  = "Europe/Amsterdam"
+  #   idleCount = 1
+  # }]
+
+  # disable KMS and encryption
+  # encrypt_secrets = false
+}

examples/ubuntu/main.tf

@@ -0,0 +1,12 @@
+output "runners" {
+  value = {
+    lambda_syncer_name = module.runners.binaries_syncer.lambda.function_name
+  }
+}
+
+output "webhook" {
+  value = {
+    secret   = random_password.random.result
+    endpoint = module.runners.webhook.endpoint
+  }
+}