-[Encrypted via a module managed KMS key (default)](#encrypted-via-a-module-managed-kms-key-default)
15
+
-[Encrypted via a provided KMS key](#encrypted-via-a-provided-kms-key)
16
+
-[No encryption](#no-encryption)
13
17
-[Examples](#examples)
14
18
-[Sub modules](#sub-modules)
15
19
-[Requirements](#requirements)
@@ -42,6 +46,8 @@ Scaling down the runners is at the moment brute-forced, every configurable amoun
42
46
43
47
Downloading the GitHub Action Runner distribution can be occasionally slow (more than 10 minutes). Therefore a lambda is introduced that synchronizes the action runner binary from GitHub to an S3 bucket. The EC2 instance will fetch the distribution from the S3 bucket instead of the internet.
44
48
49
+
Secrets and private keys which are passed the Lambda's as environment variables are encrypted by default by a KMS key managed by the module. Alternatively you can pass your own KMS key. Encryption via KMS can be complete disabled by setting `encrypt_secrets` to `false`.
50
+
45
51

46
52
47
53
Permission are managed on several places. Below the most important ones. For details check the Terraform sources.
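Review bot: the added paragraph has grammar slips that will land in the published README: "passed the Lambda's as environment variables" should read "passed to the Lambdas as environment variables", and "can be complete disabled" should be "can be completely disabled". It also only mentions the module-managed key and the `encrypt_secrets` switch, while the Encryption section added further down in this same change requires `manage_kms_key = false` together with `kms_key_id` for a provided key; name that pair here as well so the overview and the detailed section agree.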
@@ -165,6 +171,37 @@ Go back to the GitHub App and update the following settings.
165
171
166
172
You are now ready to run action workloads on self hosted runner, remember builds will fail if there is no (offline) runner available with matching labels.
167
173
174
+
### Encryption
175
+
176
+
The module support 3 scenario's to manage environment secrets and private key of the Lambda functions.
177
+
178
+
#### Encrypted via a module managed KMS key (default)
179
+
180
+
This is the default, no additional configuration is required.
181
+
182
+
#### Encrypted via a provided KMS key
183
+
184
+
You have to create an configure you KMS key. The module will use the context with key: `Environment` and value `var.environment` as encryption context.
185
+
186
+
```HCL
187
+
resource "aws_kms_key" "github" {
188
+
is_enabled = true
189
+
}
190
+
191
+
module "runners" {
192
+
193
+
...
194
+
manage_kms_key = false
195
+
kms_key_id = aws_kms_key.github.key_id
196
+
...
197
+
198
+
```
199
+
200
+
#### No encryption
201
+
202
+
Not advised but you can disable the encryption as by setting the variable `encrypt_secrets` to `false`.
203
+
204
+
168
205
## Examples
169
206
170
207
Examples are located in the [examples](./examples) directory. The following examples are provided:
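Review bot: the HCL example sets only `is_enabled = true`, which is the provider default and demonstrates nothing; anyone copying it ends up with a key that has no description, no rotation and the default key policy. Suggest at least `description` and `enable_key_rotation = true`, plus a sentence that a provided key's policy must allow the module's Lambda roles to use it with the documented encryption context (`Environment = var.environment`), because a custom key with a restrictive policy will otherwise fail at decrypt time rather than at plan time. The example passes `aws_kms_key.github.key_id`, but nothing in the new section or in the `kms_key_id` input description says whether an ID, alias or ARN is accepted; state it. Wording: "support 3 scenario's" should be "supports three scenarios", "create an configure you KMS key" should be "create and configure your KMS key", and "disable the encryption as by setting" should be "disable encryption by setting".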
@@ -188,52 +225,54 @@ The following sub modules are optional and are provided as example or utility:
188
225
-_[setup-iam-permissions](./modules/setup-iam-permissions/README.md)_ - Example module to setup permission boundaries
189
226
190
227
<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
191
-
192
228
## Requirements
193
229
194
230
No requirements.
195
231
196
232
## Providers
197
233
198
-
| Name | Version |
199
-
|------|-------|
200
-
| aws | n/a|
201
-
| random | n/a |
234
+
| Name | Version |
235
+
|------|---------|
236
+
| aws | n/a |
237
+
| random | n/a |
202
238
203
239
## Inputs
204
240
205
-
| Name | Description | Type | Default | Required |
| environment | A name that identifies the environment, used as prefix and for tagging. |`string`| n/a | yes |
210
-
| github_app | GitHub app parameters, see your github aapp. Ensure the key is base64 encoded. | <pre>object({<br> key_base64 = string<br> id = string<br> client_id = string<br> client_secret = string<br> webhook_secret = string<br> })</pre> | n/a | yes |
211
-
| instance_profile_path | The path that will be added to the instance_profile, if not set the environment name will be used. |`string`|`null`| no |
212
-
| minimum_running_time_in_minutes | The time an ec2 action runner should be running at minium before terminated if non busy. |`number`|`5`| no |
213
-
| role_path | The path that will be added to role path for created roles, if not set the environment name will be used. |`string`|`null`| no |
214
-
| role_permissions_boundary | Permissions boundary that will be added to the created roles. |`string`|`null`| no |
215
-
| runner_as_root | Run the action runner under the root user. |`bool`|`false`| no |
216
-
| runner_binaries_syncer_lambda_timeout | Time out of the binaries sync lambda in seconds. |`number`|`300`| no |
217
-
| runner_binaries_syncer_lambda_zip | File location of the binaries sync lambda zip file. |`string`|`null`| no |
218
-
| runner_extra_labels | Extra labels for the runners (GitHub). Separate each label by a comma |`string`|`""`| no |
219
-
| runners_lambda_zip | File location of the lambda zip file for scaling runners. |`string`|`null`| no |
220
-
| runners_maxiumum_count | The maxiumum number of runners tha will be created. |`number`|`3`| no |
221
-
| runners_scale_down_lambda_timeout | Time out for the scale up lambda in seconds. |`number`|`60`| no |
222
-
| runners_scale_up_lambda_timeout | Time out for the scale down lambda in seconds. |`number`|`60`| no |
223
-
| scale_down_schedule_expression | Scheduler expression to check every x for scale down. |`string`|`"cron(*/5 * * * ? *)"`| no |
224
-
| subnet_ids | List of subnets in which the action runners will be launched, the subnets needs to be subnets in the `vpc_id`. |`list(string)`| n/a | yes |
225
-
| tags | Map of tags that will be added to created resources. By default resources will be tagged with name and environment. |`map(string)`|`{}`| no |
226
-
| vpc_id | The VPC for security groups of the action runners. |`string`| n/a | yes |
227
-
| webhook_lambda_timeout | Time out of the webhook lambda in seconds. |`number`|`10`| no |
228
-
| webhook_lambda_zip | File location of the wehbook lambda zip file. |`string`|`null`| no |
241
+
| Name | Description | Type | Default | Required |
| encrypt\_secrets | Encrypt secret variables for lambda's such as secrets and private keys. |`bool`|`true`| no |
246
+
| environment | A name that identifies the environment, used as prefix and for tagging. |`string`| n/a | yes |
247
+
| github\_app | GitHub app parameters, see your github aapp. Ensure the key is base64 encoded. | <pre>object({<br> key_base64 = string<br> id = string<br> client_id = string<br> client_secret = string<br> webhook_secret = string<br> })</pre> | n/a | yes |
248
+
| instance\_profile\_path | The path that will be added to the instance\_profile, if not set the environment name will be used. |`string`|`null`| no |
249
+
| kms\_key\_id | Custom KMS key to encrypted lambda secrets, if not provided and `encrypt_secrets` = `true` a KMS key will be created by the module. Secrets will be encrypted with a context `Environment = var.environment`. |`string`|`null`| no |
250
+
| manage\_kms\_key | Let the module manage the KMS key. |`bool`|`true`| no |
251
+
| minimum\_running\_time\_in\_minutes | The time an ec2 action runner should be running at minium before terminated if non busy. |`number`|`5`| no |
252
+
| role\_path | The path that will be added to role path for created roles, if not set the environment name will be used. |`string`|`null`| no |
253
+
| role\_permissions\_boundary | Permissions boundary that will be added to the created roles. |`string`|`null`| no |
254
+
| runner\_as\_root | Run the action runner under the root user. |`bool`|`false`| no |
255
+
| runner\_binaries\_syncer\_lambda\_timeout | Time out of the binaries sync lambda in seconds. |`number`|`300`| no |
256
+
| runner\_binaries\_syncer\_lambda\_zip | File location of the binaries sync lambda zip file. |`string`|`null`| no |
257
+
| runner\_extra\_labels | Extra labels for the runners (GitHub). Separate each label by a comma |`string`|`""`| no |
258
+
| runners\_lambda\_zip | File location of the lambda zip file for scaling runners. |`string`|`null`| no |
259
+
| runners\_maxiumum\_count | The maxiumum number of runners tha will be created. |`number`|`3`| no |
260
+
| runners\_scale\_down\_lambda\_timeout | Time out for the scale up lambda in seconds. |`number`|`60`| no |
261
+
| runners\_scale\_up\_lambda\_timeout | Time out for the scale down lambda in seconds. |`number`|`60`| no |
262
+
| scale\_down\_schedule\_expression | Scheduler expression to check every x for scale down. |`string`|`"cron(*/5 * * * ? *)"`| no |
263
+
| subnet\_ids | List of subnets in which the action runners will be launched, the subnets needs to be subnets in the `vpc_id`. |`list(string)`| n/a | yes |
264
+
| tags | Map of tags that will be added to created resources. By default resources will be tagged with name and environment. |`map(string)`|`{}`| no |
265
+
| vpc\_id | The VPC for security groups of the action runners. |`string`| n/a | yes |
266
+
| webhook\_lambda\_timeout | Time out of the webhook lambda in seconds. |`number`|`10`| no |
267
+
| webhook\_lambda\_zip | File location of the wehbook lambda zip file. |`string`|`null`| no |
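Review bot: the new `kms_key_id` description says a key is created "if not provided and `encrypt_secrets` = `true`", but the new `manage_kms_key` input (default `true`) is what the Encryption section uses to turn module-managed key creation off; align the two descriptions so it is clear which variable controls creation and what happens when `manage_kms_key = false` is set without a `kms_key_id`. The regenerated table also carries over pre-existing defects: the descriptions of `runners_scale_down_lambda_timeout` ("Time out for the scale up lambda") and `runners_scale_up_lambda_timeout` ("Time out for the scale down lambda") are swapped, and "aapp", "minium", "maxiumum", "tha" and "wehbook" are typos. Since this block sits between the pre-commit terraform-docs hook markers, fix the `description` fields in the module's variable definitions rather than editing the README by hand, or the next hook run will reintroduce them.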