Merge branch 'release/0.3.0'

Author: npalm

.ci/build.sh

@@ -1,10 +1,10 @@
 #!/usr/bin/env bash
 
-lambaSrcDirs=("modules/runner-binaries-syncer/lambdas/runner-binaries-syncer" "modules/runners/lambdas/scale-runners" "modules/webhook/lambdas/webhook")
-repoRoot=$(dirname "${BASH_SOURCE[0]}")/..
+lambdaSrcDirs=("modules/runner-binaries-syncer/lambdas/runner-binaries-syncer" "modules/runners/lambdas/runners" "modules/webhook/lambdas/webhook")
+repoRoot=$(dirname $(dirname $(realpath ${BASH_SOURCE[0]})))
 
-for lambdaDir in ${lambaSrcDirs[@]}; do
-    cd $repoRoot/${lambdaDir}
+for lambdaDir in ${lambdaSrcDirs[@]}; do
+    cd "$repoRoot/${lambdaDir}"
     docker build -t lambda -f ../../../../.ci/Dockerfile .
     docker create --name lambda lambda
     zipName=$(basename "$PWD")

.github/workflows/lambda-runner-binaries-syncer.yml

@@ -6,6 +6,7 @@ on:
   push:
     branches:
       - master
+      - develop
   pull_request:
     paths:
       - .github/workflows/lambda-runner-binaries-syncer.yml

.github/workflows/lambda-runners.yml

@@ -3,6 +3,7 @@ on:
   push:
     branches:
       - master
+      - develop
   pull_request:
     paths:
       - .github/workflows/lambda-runners.yml

.github/workflows/lambda-webhook.yml

@@ -3,6 +3,7 @@ on:
   push:
     branches:
       - master
+      - develop
   pull_request:
     paths:
       - .github/workflows/lambda-webhook.yml

.github/workflows/terraform.yml

@@ -3,6 +3,7 @@ on:
   push:
     branches:
       - master
+      - develop
   pull_request:
     paths-ignore:
       - "modules/*/lambdas/**"

CHANGELOG.md

@@ -6,7 +6,20 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## [Unreleased]
-- Added the ability to pass in pre and post install scripts to the userdata script for the EC2 instances
+
+## [0.3.0] - 2020-08-06
+
+### Added
+
+- feat: Add support for ARM64 runners #102 @bdruth
+- feat: added variables in the root module to allow passing in pre and and post install #45 @jaydenrasmussen
+
+### Updated
+
+- fix: Build script not entering all the module directories (#103) @alonsohki
+- fix: Remove Orphan AWS runners (#79)
+- fix: documentation for downloading lambdas (#78) @@bendavies
+- fix: Rename variable and fix variables descriptions (#75) @bendavies @leoblanc
 
 ## [0.2.0] - 2020-06-15
 
@@ -31,7 +44,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 - First release.
 
-[unreleased]: https://github.com/philips-labs/terraform-aws-github-runner/compare/v0.2.0..HEAD
+[unreleased]: https://github.com/philips-labs/terraform-aws-github-runner/compare/v0.3.0..HEAD
+[0.3.0]: https://github.com/philips-labs/terraform-aws-github-runner/releases/tag/v0.2.0..v0.3.0
 [0.2.0]: https://github.com/philips-labs/terraform-aws-github-runner/releases/tag/v0.1.0..v0.2.0
 [0.1.0]: https://github.com/philips-labs/terraform-aws-github-runner/releases/tag/v0.0.1..v0.1.0
 [0.0.1]: https://github.com/philips-labs/terraform-aws-github-runner/releases/tag/v0.0.1

README.md

@@ -58,6 +58,10 @@ Permission are managed on several places. Below the most important ones. For det
 
 Besides these permissions, the lambdas also need permission to CloudWatch (for logging and scheduling), SSM and S3. For more details about the required permissions see the [documentation](./modules/setup-iam-permissions/README.md) of the IAM module which uses permission boundaries.
 
+### ARM64 support via Graviton/Graviton2 instance-types
+
+When using the default example or top-level module, specifying an `instance_type` that matches a Graviton/Graviton 2 (ARM64) architecture (e.g. a1 or any 6th-gen `g` or `gd` type), the sub-modules will be automatically configured to provision with ARM64 AMIs and leverage GitHub's ARM64 action runner. See below for more details.
+
 ## Usages
 
 Examples are provided in [the example directory](examples/). Please ensure you have installed the following tools.
@@ -94,9 +98,9 @@ Go to GitHub and create a new app. Beware you can create apps your organization
 First you need to download the lambda releases. The lambda code is available as a GitHub release asset. Downloading can be done with the provided terraform module for example. Note that this requires `curl` to be installed on your machine. Create an empty workspace with the following terraform code:
 
 ```terraform
-module "github-runner_download-lambda" {
+module "lambdas" {
   source  = "philips-labs/github-runner/aws//modules/download-lambda"
-  version = "0.1.0"
+  version = "0.2.0"
 
   lambdas = [
     {
@@ -151,6 +155,8 @@ module "github-runner" {
 }
 ```
 
+**ARM64** support: Specify an `a1` or `*6g*` (6th-gen Graviton2) instance type to stand up an ARM64 runner, otherwise the default is x86_64.
+
 2. Run terraform by using the following commands
 
 ```bash
@@ -223,58 +229,59 @@ The following sub modules are optional and are provided as example or utility:
 - _[download-lambda](./modules/download-lambda/README.md)_ - Utility module to download lambda artifacts from GitHub Release
 - _[setup-iam-permissions](./modules/setup-iam-permissions/README.md)_ - Example module to setup permission boundaries
 
-<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
-## Requirements
+### ARM64 configuration for submodules
+
+When not using the top-level module and specifying an `a1` or `*6g*` (6th-gen Graviton2) `instance_type`, the `runner-binaries-syncer` and `runners` submodules need to be configured appropriately for pulling the ARM64 GitHub action runner binary and leveraging the arm64 AMI for the runners.
 
-No requirements.
+When configuring `runner-binaries-syncer`
 
-## Providers
+- _runner_architecture_ - set to `arm64`, defaults to `x64`
 
-| Name | Version |
-|------|---------|
-| aws | n/a |
-| random | n/a |
+When configuring `runners`
 
+- _ami_filter_ - set to `["amzn2-ami-hvm-2*-arm64-gp2"]`, defaults to `["amzn2-ami-hvm-2.*-x86_64-ebs"]`
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 ## Inputs
 
 | Name | Description | Type | Default | Required |
-|------|-------------|------|---------|:--------:|
-| aws\_region | AWS region. | `string` | n/a | yes |
-| enable\_organization\_runners | n/a | `bool` | n/a | yes |
-| encrypt\_secrets | Encrypt secret variables for lambda's such as secrets and private keys. | `bool` | `true` | no |
-| environment | A name that identifies the environment, used as prefix and for tagging. | `string` | n/a | yes |
-| github\_app | GitHub app parameters, see your github aapp. Ensure the key is base64 encoded. | <pre>object({<br>    key_base64     = string<br>    id             = string<br>    client_id      = string<br>    client_secret  = string<br>    webhook_secret = string<br>  })</pre> | n/a | yes |
-| instance\_profile\_path | The path that will be added to the instance\_profile, if not set the environment name will be used. | `string` | `null` | no |
-| instance\_type | Instance type for the action runner. | `string` | `"m5.large"` | no |
-| kms\_key\_id | Custom KMS key to encrypted lambda secrets, if not provided and `encrypt_secrets` = `true` a KMS key will be created by the module. Secrets will be encrypted with a context `Environment = var.environment`. | `string` | `null` | no |
-| manage\_kms\_key | Let the module manage the KMS key. | `bool` | `true` | no |
-| minimum\_running\_time\_in\_minutes | The time an ec2 action runner should be running at minium before terminated if non busy. | `number` | `5` | no |
-| role\_path | The path that will be added to role path for created roles, if not set the environment name will be used. | `string` | `null` | no |
-| role\_permissions\_boundary | Permissions boundary that will be added to the created roles. | `string` | `null` | no |
-| runner\_as\_root | Run the action runner under the root user. | `bool` | `false` | no |
-| runner\_binaries\_syncer\_lambda\_timeout | Time out of the binaries sync lambda in seconds. | `number` | `300` | no |
-| runner\_binaries\_syncer\_lambda\_zip | File location of the binaries sync lambda zip file. | `string` | `null` | no |
-| runner\_extra\_labels | Extra labels for the runners (GitHub). Separate each label by a comma | `string` | `""` | no |
-| runners\_lambda\_zip | File location of the lambda zip file for scaling runners. | `string` | `null` | no |
-| runners\_maxiumum\_count | The maxiumum number of runners tha will be created. | `number` | `3` | no |
-| runners\_scale\_down\_lambda\_timeout | Time out for the scale up lambda in seconds. | `number` | `60` | no |
-| runners\_scale\_up\_lambda\_timeout | Time out for the scale down lambda in seconds. | `number` | `60` | no |
-| scale\_down\_schedule\_expression | Scheduler expression to check every x for scale down. | `string` | `"cron(*/5 * * * ? *)"` | no |
-| subnet\_ids | List of subnets in which the action runners will be launched, the subnets needs to be subnets in the `vpc_id`. | `list(string)` | n/a | yes |
-| tags | Map of tags that will be added to created resources. By default resources will be tagged with name and environment. | `map(string)` | `{}` | no |
-| userdata\_post\_install | Script to be ran after the GitHub Actions runner is installed on the EC2 instances | `string` | `""` | no |
-| userdata\_pre\_install | Script to be ran before the GitHub Actions runner is installed on the EC2 instances | `string` | `""` | no |
-| vpc\_id | The VPC for security groups of the action runners. | `string` | n/a | yes |
-| webhook\_lambda\_timeout | Time out of the webhook lambda in seconds. | `number` | `10` | no |
-| webhook\_lambda\_zip | File location of the wehbook lambda zip file. | `string` | `null` | no |
+|------|-------------|:----:|:-----:|:-----:|
+| aws\_region | AWS region. | string | n/a | yes |
+| enable\_organization\_runners |  | bool | n/a | yes |
+| encrypt\_secrets | Encrypt secret variables for lambda's such as secrets and private keys. | bool | `"true"` | no |
+| environment | A name that identifies the environment, used as prefix and for tagging. | string | n/a | yes |
+| github\_app | GitHub app parameters, see your github app. Ensure the key is base64 encoded. | object | n/a | yes |
+| instance\_profile\_path | The path that will be added to the instance\_profile, if not set the environment name will be used. | string | `"null"` | no |
+| instance\_type | Instance type for the action runner. | string | `"m5.large"` | no |
+| kms\_key\_id | Custom KMS key to encrypted lambda secrets, if not provided and `encrypt\_secrets` = `true` a KMS key will be created by the module. Secrets will be encrypted with a context `Environment = var.environment`. | string | `"null"` | no |
+| manage\_kms\_key | Let the module manage the KMS key. | bool | `"true"` | no |
+| minimum\_running\_time\_in\_minutes | The time an ec2 action runner should be running at minimum before terminated if non busy. | number | `"5"` | no |
+| role\_path | The path that will be added to role path for created roles, if not set the environment name will be used. | string | `"null"` | no |
+| role\_permissions\_boundary | Permissions boundary that will be added to the created roles. | string | `"null"` | no |
+| runner\_as\_root | Run the action runner under the root user. | bool | `"false"` | no |
+| runner\_binaries\_syncer\_lambda\_timeout | Time out of the binaries sync lambda in seconds. | number | `"300"` | no |
+| runner\_binaries\_syncer\_lambda\_zip | File location of the binaries sync lambda zip file. | string | `"null"` | no |
+| runner\_extra\_labels | Extra labels for the runners \(GitHub\). Separate each label by a comma | string | `""` | no |
+| runners\_lambda\_zip | File location of the lambda zip file for scaling runners. | string | `"null"` | no |
+| runners\_maximum\_count | The maximum number of runners that will be created. | number | `"3"` | no |
+| runners\_scale\_down\_lambda\_timeout | Time out for the scale up lambda in seconds. | number | `"60"` | no |
+| runners\_scale\_up\_lambda\_timeout | Time out for the scale down lambda in seconds. | number | `"60"` | no |
+| scale\_down\_schedule\_expression | Scheduler expression to check every x for scale down. | string | `"cron(*/5 * * * ? *)"` | no |
+| subnet\_ids | List of subnets in which the action runners will be launched, the subnets needs to be subnets in the `vpc\_id`. | list(string) | n/a | yes |
+| tags | Map of tags that will be added to created resources. By default resources will be tagged with name and environment. | map(string) | `{}` | no |
+| userdata\_post\_install | Script to be ran after the GitHub Actions runner is installed on the EC2 instances | string | `""` | no |
+| userdata\_pre\_install | Script to be ran before the GitHub Actions runner is installed on the EC2 instances | string | `""` | no |
+| vpc\_id | The VPC for security groups of the action runners. | string | n/a | yes |
+| webhook\_lambda\_timeout | Time out of the webhook lambda in seconds. | number | `"10"` | no |
+| webhook\_lambda\_zip | File location of the webhook lambda zip file. | string | `"null"` | no |
 
 ## Outputs
 
 | Name | Description |
 |------|-------------|
-| binaries\_syncer | n/a |
-| runners | n/a |
-| webhook | n/a |
+| binaries\_syncer |  |
+| runners |  |
+| webhook |  |
 
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 

examples/.terraform-version

@@ -0,0 +1 @@
+0.12.29

examples/default/README.md

@@ -4,7 +4,7 @@ This modules shows how to create GitHub action runners. Lambda release will be d
 
 ## Usages
 
-Steps for the full setup, such as creating a GitHub app can be found in the root module's [README](../../README.md). First download the Lambda releases from GitHub. Alternatively you can build the lamdas locally with Node or Docker, there is a simple build script in `<root>/.ci/build.sh`. In the `main.tf` you can simple remove the location of the lambda zip files, the default location will work in this case.
+Steps for the full setup, such as creating a GitHub app can be found in the root module's [README](../../README.md). First download the Lambda releases from GitHub. Alternatively you can build the lambdas locally with Node or Docker, there is a simple build script in `<root>/.ci/build.sh`. In the `main.tf` you can simple remove the location of the lambda zip files, the default location will work in this case.
 
 ```bash
 cd lambdas-download

examples/default/main.tf

@@ -4,7 +4,7 @@ locals {
 }
 
 resource "random_password" "random" {
-  length = 32
+  length = 28
 }
 
 module "runners" {
@@ -27,14 +27,14 @@ module "runners" {
     webhook_secret = random_password.random.result
   }
 
-  webhook_lambda_zip                = "lambdas-download/webhook.zip"
-  runner_binaries_syncer_lambda_zip = "lambdas-download/runner-binaries-syncer.zip"
-  runners_lambda_zip                = "lambdas-download/runners.zip"
-  enable_organization_runners       = false
-  runner_extra_labels               = "default,example"
-
-  # disable KMS and ecnryption
-  # encrypt_secrets = false
-}
+  # webhook_lambda_zip                = "lambdas-download/webhook.zip"
+  # runner_binaries_syncer_lambda_zip = "lambdas-download/runner-binaries-syncer.zip"
+  # runners_lambda_zip                = "lambdas-download/runners.zip"
+  enable_organization_runners = false
+  runner_extra_labels         = "default,example"
 
+  # instance_type = "a1.large"
 
+  # disable KMS and encryption
+  # encrypt_secrets = true
+}