feat: Replace environment variable by prefix (#1858)

We're looking at using this module to deploy multiple sets of runner types (x86_64 and arm architectures) but within the same conceptual "environment".

We use the "Environment" tag throughout our tooling, but the constraints of using the "environment" variable for resource naming mean that we need to essentially supply different environment names (eg "env-amd64" and "env-arm64"), even though they are not in different environments.

We also use the dot character (".") in our environment names, which isn't allowed in some resource names (eg SQS queue name).

This PR replaces the "environmet" variable by "prefix" to prefix resources crated by the module. The prefix is also used to set the tag: "ghr:environment" with the value of prefix for lambda's to orchestrate the instnaces.

You can still set the tag "environment" to all resources via the AWS provider.


Co-authored-by: Niek Palm <[email protected]>

Author: surminus

examples/arm64/main.tf

@@ -19,7 +19,7 @@ module "runners" {
   vpc_id                          = module.vpc.vpc_id
   subnet_ids                      = module.vpc.private_subnets
 
-  environment = local.environment
+  prefix = local.environment
   tags = {
     Project = "ProjectX"
   }

examples/default/main.tf

@@ -19,7 +19,7 @@ module "runners" {
   vpc_id                          = module.vpc.vpc_id
   subnet_ids                      = module.vpc.private_subnets
 
-  environment = local.environment
+  prefix = local.environment
   tags = {
     Project = "ProjectX"
   }

examples/ephemeral/main.tf

@@ -16,7 +16,7 @@ module "runners" {
   vpc_id                          = module.vpc.vpc_id
   subnet_ids                      = module.vpc.private_subnets
 
-  environment = local.environment
+  prefix = local.environment
   tags = {
     Project = "ProjectX"
   }

examples/permissions-boundary/main.tf

@@ -35,7 +35,7 @@ module "runners" {
   subnet_ids  = module.vpc.private_subnets
   kms_key_arn = aws_kms_key.github.key_id
 
-  environment = local.environment
+  prefix = local.environment
   tags = {
     Project = "ProjectX"
   }

examples/prebuilt/main.tf

@@ -15,7 +15,7 @@ module "runners" {
   vpc_id                          = module.vpc.vpc_id
   subnet_ids                      = module.vpc.private_subnets
 
-  environment = local.environment
+  prefix = local.environment
 
   github_app = {
     key_base64     = var.github_app_key_base64

examples/ubuntu/main.tf

@@ -16,7 +16,7 @@ module "runners" {
   vpc_id     = module.vpc.vpc_id
   subnet_ids = module.vpc.private_subnets
 
-  environment = local.environment
+  prefix = local.environment
   tags = {
     Project = "ProjectX"
   }

examples/windows/main.tf

@@ -10,10 +10,10 @@ resource "random_id" "random" {
 module "runners" {
   source = "../../"
 
-  aws_region  = local.aws_region
-  vpc_id      = module.vpc.vpc_id
-  subnet_ids  = module.vpc.private_subnets
-  environment = local.environment
+  aws_region = local.aws_region
+  vpc_id     = module.vpc.vpc_id
+  subnet_ids = module.vpc.private_subnets
+  prefix     = local.environment
 
   github_app = {
     key_base64     = var.github_app_key_base64

main.tf

@@ -1,7 +1,6 @@
 locals {
   tags = merge(var.tags, {
-    Environment       = var.environment,
-    "ghr:environment" = format("%s", var.environment)
+    "ghr:environment" = var.prefix
   })
 
   s3_action_runner_url = "s3://${module.runner_binaries.bucket.id}/${module.runner_binaries.runner_distribution_object_key}"
@@ -50,7 +49,7 @@ resource "aws_sqs_queue_policy" "build_queue_policy" {
 }
 
 resource "aws_sqs_queue" "queued_builds" {
-  name                        = "${var.environment}-queued-builds${var.fifo_build_queue ? ".fifo" : ""}"
+  name                        = "${var.prefix}-queued-builds${var.fifo_build_queue ? ".fifo" : ""}"
   delay_seconds               = var.delay_webhook_event
   visibility_timeout_seconds  = var.runners_scale_up_lambda_timeout
   message_retention_seconds   = var.job_queue_retention_in_seconds
@@ -74,7 +73,7 @@ resource "aws_sqs_queue_policy" "build_queue_dlq_policy" {
 
 resource "aws_sqs_queue" "queued_builds_dlq" {
   count = var.redrive_build_queue.enabled ? 1 : 0
-  name  = "${var.environment}-queued-builds_dead_letter"
+  name  = "${var.prefix}-queued-builds_dead_letter"
 
   tags = var.tags
 }
@@ -83,7 +82,7 @@ module "ssm" {
   source = "./modules/ssm"
 
   kms_key_arn = var.kms_key_arn
-  environment = var.environment
+  prefix      = var.prefix
   github_app  = var.github_app
   tags        = local.tags
 }
@@ -92,7 +91,7 @@ module "webhook" {
   source = "./modules/webhook"
 
   aws_region  = var.aws_region
-  environment = var.environment
+  prefix      = var.prefix
   tags        = local.tags
   kms_key_arn = var.kms_key_arn
 
@@ -127,7 +126,7 @@ module "runners" {
   aws_partition = var.aws_partition
   vpc_id        = var.vpc_id
   subnet_ids    = var.subnet_ids
-  environment   = var.environment
+  prefix        = var.prefix
   tags          = local.tags
 
   s3_bucket_runner_binaries   = module.runner_binaries.bucket
@@ -214,11 +213,11 @@ module "runners" {
 module "runner_binaries" {
   source = "./modules/runner-binaries-syncer"
 
-  aws_region  = var.aws_region
-  environment = var.environment
-  tags        = local.tags
+  aws_region = var.aws_region
+  prefix     = var.prefix
+  tags       = local.tags
 
-  distribution_bucket_name = "${var.environment}-dist-${random_string.random.result}"
+  distribution_bucket_name = "${var.prefix}-dist-${random_string.random.result}"
 
   runner_os                        = var.runner_os
   runner_architecture              = var.runner_architecture
@@ -244,10 +243,10 @@ module "runner_binaries" {
 }
 
 resource "aws_resourcegroups_group" "resourcegroups_group" {
-  name = "${var.environment}-group"
+  name = "${var.prefix}-group"
   resource_query {
     query = templatefile("${path.module}/templates/resource-group.json", {
-      environment = var.environment
+      environment = var.prefix
     })
   }
 }

modules/runner-binaries-syncer/runner-binaries-syncer.tf

@@ -1,6 +1,6 @@
 locals {
   lambda_zip = var.lambda_zip == null ? "${path.module}/lambdas/runner-binaries-syncer/runner-binaries-syncer.zip" : var.lambda_zip
-  role_path  = var.role_path == null ? "/${var.environment}/" : var.role_path
+  role_path  = var.role_path == null ? "/${var.prefix}/" : var.role_path
   gh_binary_os_label = {
     windows = "win",
     linux   = "linux"
@@ -13,7 +13,7 @@ resource "aws_lambda_function" "syncer" {
   s3_object_version = var.syncer_lambda_s3_object_version != null ? var.syncer_lambda_s3_object_version : null
   filename          = var.lambda_s3_bucket == null ? local.lambda_zip : null
   source_code_hash  = var.lambda_s3_bucket == null ? filebase64sha256(local.lambda_zip) : null
-  function_name     = "${var.environment}-syncer"
+  function_name     = "${var.prefix}-syncer"
   role              = aws_iam_role.syncer_lambda.arn
   handler           = "index.handler"
   runtime           = "nodejs14.x"
@@ -63,7 +63,7 @@ resource "aws_cloudwatch_log_group" "syncer" {
 }
 
 resource "aws_iam_role" "syncer_lambda" {
-  name                 = "${var.environment}-action-syncer-lambda-role"
+  name                 = "${var.prefix}-action-syncer-lambda-role"
   assume_role_policy   = data.aws_iam_policy_document.lambda_assume_role_policy.json
   path                 = local.role_path
   permissions_boundary = var.role_permissions_boundary
@@ -92,7 +92,7 @@ data "aws_iam_policy_document" "lambda_assume_role_policy" {
 }
 
 resource "aws_iam_role_policy" "lambda_logging" {
-  name = "${var.environment}-lambda-logging-policy-syncer"
+  name = "${var.prefix}-lambda-logging-policy-syncer"
   role = aws_iam_role.syncer_lambda.id
 
   policy = templatefile("${path.module}/policies/lambda-cloudwatch.json", {
@@ -101,7 +101,7 @@ resource "aws_iam_role_policy" "lambda_logging" {
 }
 
 resource "aws_iam_role_policy" "syncer" {
-  name = "${var.environment}-lambda-syncer-s3-policy"
+  name = "${var.prefix}-lambda-syncer-s3-policy"
   role = aws_iam_role.syncer_lambda.id
 
   policy = templatefile("${path.module}/policies/lambda-syncer.json", {
@@ -110,7 +110,7 @@ resource "aws_iam_role_policy" "syncer" {
 }
 
 resource "aws_cloudwatch_event_rule" "syncer" {
-  name                = "${var.environment}-syncer-rule"
+  name                = "${var.prefix}-syncer-rule"
   schedule_expression = var.lambda_schedule_expression
   tags                = var.tags
 }

modules/runner-binaries-syncer/variables.tf

@@ -12,6 +12,18 @@ variable "tags" {
 variable "environment" {
   description = "A name that identifies the environment, used as prefix and for tagging."
   type        = string
+  default     = null
+
+  validation {
+    condition     = var.environment == null
+    error_message = "The \"environment\" variable is no longer used. To migrate, set the \"prefix\" variable to the original value of \"environment\" and optionally, add \"Environment\" to the \"tags\" variable map with the same value."
+  }
+}
+
+variable "prefix" {
+  description = "The prefix used for naming resources"
+  type        = string
+  default     = "github-actions"
 }
 
 variable "distribution_bucket_name" {