Create infra code for runenrs

Author: npalm

examples/default/main.tf

@@ -0,0 +1,24 @@
+locals {
+  environment = "test.default"
+  aws_region  = "eu-west-1"
+}
+
+resource "random_string" "random" {
+  length  = 24
+  special = false
+  upper   = false
+}
+
+module "runners" {
+  source = "../../modules/runners"
+
+  aws_region = local.aws_region
+  vpc_id     = module.vpc.vpc_id
+
+  environment = local.environment
+  tags = {
+    Project = "ProjectX"
+  }
+  distribution_bucket_name = random_string.random.result
+}
+

examples/default/outputs.tf

@@ -0,0 +1,8 @@
+output "runners" {
+  value = {
+    launch_template_name       = module.runners.launch_template.name
+    launch_template_id         = module.runners.launch_template.id
+    launch_template_version    = module.runners.launch_template.latest_version
+    action_runner_distribution = module.runners.s3_location_runner_distribution
+  }
+}

examples/default/providers.tf

@@ -0,0 +1,5 @@
+provider "aws" {
+  region  = local.aws_region
+  version = "2.59"
+}
+

examples/default/vpc.tf

@@ -0,0 +1,7 @@
+module "vpc" {
+  source = "git::https://github.com/philips-software/terraform-aws-vpc.git?ref=2.1.0"
+
+  environment = local.environment
+  aws_region  = local.aws_region
+}
+

modules/runners/main.tf

@@ -0,0 +1,116 @@
+
+resource "aws_resourcegroups_group" "resourcegroups_group" {
+  name = "${var.environment}-group"
+
+  resource_query {
+    query = <<-JSON
+{
+  "ResourceTypeFilters": [
+    "AWS::AllSupported"
+  ],
+  "TagFilters": [
+    {
+      "Key": "ResourceGroup",
+      "Values": ["${var.environment}"]
+    }
+  ]
+}
+  JSON
+  }
+}
+
+
+locals {
+  s3_location_runner_distribution = "s3://${aws_s3_bucket.action_dist.id}/${var.action_runner_dist_bucket_location}"
+}
+
+data "aws_ami" "runner" {
+  most_recent = "true"
+
+  dynamic "filter" {
+    for_each = var.ami_filter
+    content {
+      name   = filter.key
+      values = filter.value
+    }
+  }
+
+  owners = var.ami_owners
+}
+
+resource "aws_launch_template" "runner" {
+  name = "${var.environment}-action-runner"
+
+  dynamic "block_device_mappings" {
+    for_each = [var.block_device_mappings]
+    content {
+      device_name = "/dev/xvda"
+
+      ebs {
+        delete_on_termination = lookup(block_device_mappings.value, "delete_on_termination", true)
+        volume_type           = lookup(block_device_mappings.value, "volume_type", "gp2")
+        volume_size           = lookup(block_device_mappings.value, "volume_size", 30)
+        encrypted             = lookup(block_device_mappings.value, "encrypted", true)
+        iops                  = lookup(block_device_mappings.value, "iops", null)
+      }
+    }
+  }
+
+  iam_instance_profile {
+    name = aws_iam_instance_profile.runner.name
+  }
+
+  instance_initiated_shutdown_behavior = "terminate"
+
+  instance_market_options {
+    market_type = var.market_options
+  }
+
+  image_id      = data.aws_ami.runner.id
+  instance_type = var.instance_type
+
+  vpc_security_group_ids = [aws_security_group.runner_sg.id]
+
+  tag_specifications {
+    resource_type = "instance"
+    tags          = local.tags
+  }
+
+  user_data = base64encode(templatefile("${path.module}/templates/user-data.sh", {
+    environment                     = var.environment
+    s3_location_runner_distribution = local.s3_location_runner_distribution
+  }))
+}
+
+resource "aws_security_group" "runner_sg" {
+  name_prefix = "${var.environment}-github-actions-runner-sg"
+  description = "Github Actions Runner security group"
+
+  vpc_id = var.vpc_id
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+  tags = merge(
+    local.tags,
+    {
+      "Name" = format("%s", local.name_sg)
+    },
+  )
+}
+
+locals {
+  name_sg = var.overrides["name_sg"] == "" ? local.tags["Name"] : var.overrides["name_sg"]
+  tags = merge(
+    {
+      "Name" = format("%s", var.environment)
+    },
+    {
+      "Environment" = format("%s", var.environment)
+    },
+    var.tags,
+  )
+}

modules/runners/outputs.tf

@@ -0,0 +1,7 @@
+output "s3_location_runner_distribution" {
+  value = local.s3_location_runner_distribution
+}
+
+output "launch_template" {
+  value = aws_launch_template.runner
+}

modules/runners/policies.tf

@@ -0,0 +1,64 @@
+data "aws_caller_identity" "current" {}
+
+resource "aws_iam_role" "runner" {
+  name               = "${var.environment}-github-action-runners-runner-role"
+  assume_role_policy = templatefile("${path.module}/policies/instance-role-trust-policy.json", {})
+  tags               = local.tags
+}
+
+resource "aws_iam_instance_profile" "runner" {
+  name = "${var.environment}-github-action-runners-profile"
+  role = aws_iam_role.runner.name
+}
+
+resource "aws_iam_policy" "runner_session_manager_policy" {
+  name        = "${var.environment}-github-action-runners-session-manager"
+  path        = "/"
+  description = "Policy session manager."
+
+  policy = templatefile("${path.module}/policies/instance-session-manager-policy.json", {})
+}
+
+resource "aws_iam_role_policy_attachment" "runner_session_manager_policy" {
+  role       = aws_iam_role.runner.name
+  policy_arn = aws_iam_policy.runner_session_manager_policy.arn
+}
+
+resource "aws_iam_role_policy_attachment" "runner_session_manager_aws_managed" {
+  role       = aws_iam_role.runner.name
+  policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
+}
+
+resource "aws_iam_policy" "dist_bucket" {
+  name        = "${var.environment}-gh-distribution-bucket"
+  path        = "/"
+  description = "Policy for the runner to download the github action runner."
+
+  policy = templatefile("${path.module}/policies/instance-runner-s3-policy.json",
+    {
+      s3_arn = aws_s3_bucket.action_dist.arn
+    }
+  )
+}
+
+resource "aws_iam_role_policy_attachment" "dist_bucket" {
+  role       = aws_iam_role.runner.name
+  policy_arn = aws_iam_policy.dist_bucket.arn
+}
+
+resource "aws_iam_policy" "ssm_parameters" {
+  name        = "${var.environment}-runner-ssm-parameters"
+  path        = "/"
+  description = "Policy for the runner to download the github action runner."
+
+  policy = templatefile("${path.module}/policies/instance-ssm-parameters-policy.json",
+    {
+      arn_ssm_parameters = "arn:aws:ssm:${var.aws_region}:${data.aws_caller_identity.current.account_id}:parameter/${var.environment}-*"
+    }
+  )
+}
+
+resource "aws_iam_role_policy_attachment" "ssm_parameters" {
+  role       = aws_iam_role.runner.name
+  policy_arn = aws_iam_policy.ssm_parameters.arn
+}

modules/runners/policies/instance-role-trust-policy.json

@@ -0,0 +1,13 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "",
+      "Effect": "Allow",
+      "Principal": {
+        "Service": "ec2.amazonaws.com"
+      },
+      "Action": "sts:AssumeRole"
+    }
+  ]
+}

modules/runners/policies/instance-runner-s3-policy.json

@@ -0,0 +1,11 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "githubActionDist",
+      "Effect": "Allow",
+      "Action": ["s3:GetObject", "s3:GetObjectAcl"],
+      "Resource": ["${s3_arn}/*"]
+    }
+  ]
+}

modules/runners/policies/instance-session-manager-policy.json

@@ -0,0 +1,15 @@
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Action": [
+                "ssmmessages:CreateControlChannel",
+                "ssmmessages:CreateDataChannel",
+                "ssmmessages:OpenControlChannel",
+                "ssmmessages:OpenDataChannel"
+            ],
+            "Resource": "*"
+        }
+    ]
+}