[BRC-17316] Ensure third-party actions are pinned to a commit SHA

.github/workflows/terraform.yml

@@ -113,7 +113,7 @@ jobs:
           key: tflint-${{ hashFiles('.tflint.hcl') }}
       - if: contains(matrix.terraform, '1.3.')
         name: Setup TFLint
-        uses: terraform-linters/setup-tflint@v4
+        uses: terraform-linters/setup-tflint@19a52fbac37dacb22a09518e4ef6ee234f2d4987
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
       - if: contains(matrix.terraform, '1.3.')
@@ -171,7 +171,7 @@ jobs:
           key: tflint-${{ hashFiles('.tflint.hcl') }}
       - if: contains(matrix.terraform, '1.5.')
         name: Setup TFLint
-        uses: terraform-linters/setup-tflint@v4
+        uses: terraform-linters/setup-tflint@19a52fbac37dacb22a09518e4ef6ee234f2d4987
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
       - if: contains(matrix.terraform, '1.5.')

.nvmrc

@@ -0,0 +1 @@
+lts/*

examples/base/variables.tf

@@ -1,9 +1,11 @@
 variable "prefix" {
   description = "Prefix used for resource naming."
   type        = string
+  default     = "terraform-gha"
 }
 
 variable "aws_region" {
   description = "AWS region to create the VPC, assuming zones `a` and `b` exists."
   type        = string
+  default     = "us-east-2"
 }

examples/base/vpc.tf

@@ -3,11 +3,11 @@ module "vpc" {
   version = "5.0.0"
 
   name = "${var.prefix}-vpc"
-  cidr = "10.0.0.0/16"
+  cidr = "10.100.0.0/16"
 
   azs             = ["${var.aws_region}a", "${var.aws_region}b"]
-  private_subnets = ["10.0.1.0/24", "10.0.2.0/24"]
-  public_subnets  = ["10.0.101.0/24", "10.0.102.0/24"]
+  private_subnets = ["10.100.1.0/24", "10.100.2.0/24"]
+  public_subnets  = ["10.100.101.0/24", "10.100.102.0/24"]
 
   enable_dns_hostnames    = true
   enable_nat_gateway      = true

examples/marklap-test/README.md

@@ -0,0 +1,76 @@
+# Amazon Linux X64 (default)
+
+This module shows how to create GitHub action runners. Lambda release will be downloaded from GitHub.
+
+## Usages
+
+Steps for the full setup, such as creating a GitHub app can be found in the root module's [README](https://github.com/philips-labs/terraform-aws-github-runner). First download the Lambda releases from GitHub. Alternatively you can build the lambdas locally with Node or Docker, there is a simple build script in `<root>/.ci/build.sh`. In the `main.tf` you can simply remove the location of the lambda zip files, the default location will work in this case.
+
+> The default example assumes local built lambda's available. Ensure you have built the lambda's. Alternativly you can downlowd the lambda's. The version needs to be set to a GitHub release version, see https://github.com/philips-labs/terraform-aws-github-runner/releases
+
+```bash
+cd ../lambdas-download
+terraform init
+terraform apply -var=module_version=<VERSION>
+cd -
+```
+
+Before running Terraform, ensure the GitHub app is configured. See the [configuration details](https://github.com/philips-labs/terraform-aws-github-runner#usages) for more details.
+
+```bash
+terraform init
+terraform apply
+```
+
+The example will try to update the webhook of your GitHub. In case the update fails the apply will not fail. You can receive the webhook details by running:
+
+```bash
+terraform output -raw webhook_secret
+```
+
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 5.27 |
+| <a name="requirement_local"></a> [local](#requirement\_local) | ~> 2.0 |
+| <a name="requirement_random"></a> [random](#requirement\_random) | ~> 3.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_random"></a> [random](#provider\_random) | 3.6.0 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_base"></a> [base](#module\_base) | ../base | n/a |
+| <a name="module_runners"></a> [runners](#module\_runners) | ../../ | n/a |
+| <a name="module_webhook_github_app"></a> [webhook\_github\_app](#module\_webhook\_github\_app) | ../../modules/webhook-github-app | n/a |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [random_id.random](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_aws_region"></a> [aws\_region](#input\_aws\_region) | AWS region. | `string` | `"eu-west-1"` | no |
+| <a name="input_environment"></a> [environment](#input\_environment) | Environment name, used as prefix. | `string` | `null` | no |
+| <a name="input_github_app"></a> [github\_app](#input\_github\_app) | GitHub for API usages. | <pre>object({<br/>    id         = string<br/>    key_base64 = string<br/>  })</pre> | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_runners"></a> [runners](#output\_runners) | n/a |
+| <a name="output_webhook_endpoint"></a> [webhook\_endpoint](#output\_webhook\_endpoint) | n/a |
+| <a name="output_webhook_secret"></a> [webhook\_secret](#output\_webhook\_secret) | n/a |
+<!-- END_TF_DOCS -->

examples/marklap-test/main.tf

@@ -0,0 +1,176 @@
+locals {
+  environment = var.environment != null ? var.environment : "default"
+  aws_region  = var.aws_region
+}
+
+resource "random_id" "random" {
+  byte_length = 20
+}
+
+module "base" {
+  source = "../base"
+
+  prefix     = local.environment
+  aws_region = local.aws_region
+}
+
+module "runners" {
+  source                          = "../../"
+  create_service_linked_role_spot = true
+  aws_region                      = local.aws_region
+  vpc_id                          = module.base.vpc.vpc_id
+  subnet_ids                      = module.base.vpc.private_subnets
+
+  prefix = local.environment
+  tags = {
+    Project = "ProjectX"
+  }
+
+  github_app = {
+    key_base64     = var.github_app.key_base64
+    id             = var.github_app.id
+    webhook_secret = random_id.random.hex
+  }
+
+  # configure the block device mappings, default for Amazon Linux2
+  # block_device_mappings = [{
+  #   device_name           = "/dev/xvda"
+  #   delete_on_termination = true
+  #   volume_type           = "gp3"
+  #   volume_size           = 10
+  #   encrypted             = true
+  #   iops                  = null
+  # }]
+
+  # When not explicitly set lambda zip files are grapped from the module requiring lambda build.
+  # Alternatively you can set the path to the lambda zip files here.
+  #
+  # For example grab zip files via lambda_download
+  # webhook_lambda_zip                = "../lambdas-download/webhook.zip"
+  # runner_binaries_syncer_lambda_zip = "../lambdas-download/runner-binaries-syncer.zip"
+  # runners_lambda_zip                = "../lambdas-download/runners.zip"
+  webhook_lambda_zip                = "./webhook.zip"
+  runners_lambda_zip                = "./runners.zip"
+  runner_binaries_syncer_lambda_zip = "./runner-binaries-syncer.zip"
+  ami_housekeeper_lambda_zip        = "./ami-housekeeper.zip"
+
+  enable_organization_runners = true
+  runner_extra_labels         = ["terraformgha"]
+
+  # enable access to the runners via SSM
+  enable_ssm_on_runners = true
+
+  # use S3 or KMS SSE to runners S3 bucket
+  # runner_binaries_s3_sse_configuration = {
+  #   rule = {
+  #     apply_server_side_encryption_by_default = {
+  #       sse_algorithm = "AES256"
+  #     }
+  #   }
+  # }
+
+  # enable S3 versioning for runners S3 bucket
+  # runner_binaries_s3_versioning = "Enabled"
+
+  # Uncommet idle config to have idle runners from 9 to 5 in time zone Amsterdam
+  # idle_config = [{
+  #   cron      = "* * 9-17 * * *"
+  #   timeZone  = "Europe/Amsterdam"
+  #   idleCount = 1
+  # }]
+
+  # Let the module manage the service linked role
+  # create_service_linked_role_spot = true
+
+  instance_types = ["m7a.large", "m5.large"]
+
+  # override delay of events in seconds
+  delay_webhook_event   = 5
+  runners_maximum_count = 2
+
+  # set up a fifo queue to remain order
+  enable_fifo_build_queue = true
+
+  # override scaling down
+  scale_down_schedule_expression = "cron(* * * * ? *)"
+
+  enable_user_data_debug_logging_runner = true
+
+  # prefix GitHub runners with the environment name
+  runner_name_prefix = "${local.environment}_"
+
+  # webhook supports two modes, either direct or via the eventbridge, uncomment to enable eventbridge
+  # eventbridge = {
+  #   enable = true
+  #   # adjust the allow events to only allow specific events, like workflow_job
+  #   # allowed_events = ['workflow_job']
+  # }
+
+  # Enable debug logging for the lambda functions
+  # log_level = "debug"
+
+  # tracing_config = {
+  #   mode                  = "Active"
+  #   capture_error         = true
+  #   capture_http_requests = true
+  # }
+
+  enable_ami_housekeeper = true
+  ami_housekeeper_cleanup_config = {
+    ssmParameterNames = ["*/ami-id"]
+    minimumDaysOld    = 10
+    amiFilters = [
+      {
+        Name   = "name"
+        Values = ["*al2023*"]
+      }
+    ]
+  }
+
+  instance_termination_watcher = {
+    enable = true
+    zip    = "./termination-watcher.zip"
+  }
+
+  # enable metric creation  (experimental)
+  # metrics = {
+  #   enable = true
+  #   metric = {
+  #     enable_spot_termination_warning = true
+  #     enable_job_retry                = false
+  #     enable_github_app_rate_limit    = false
+  #   }
+  # }
+
+  # enable job_retry feature. Be careful with this feature, it can lead to you hitting API rate limits.
+  # job_retry = {
+  #   enable           = true
+  #   max_attempts     = 1
+  #   delay_in_seconds = 180
+  # }
+
+  # enable CMK instead of aws managed key for encryptions
+  # kms_key_arn = aws_kms_key.github.arn
+}
+
+module "webhook_github_app" {
+  source     = "../../modules/webhook-github-app"
+  depends_on = [module.runners]
+
+  github_app = {
+    key_base64     = var.github_app.key_base64
+    id             = var.github_app.id
+    webhook_secret = random_id.random.hex
+  }
+  webhook_endpoint = module.runners.webhook.endpoint
+}
+
+# enable CMK instead of aws managed key for encryptions
+# resource "aws_kms_key" "github" {
+#   is_enabled = true
+# }
+
+# resource "aws_kms_alias" "github" {
+#   name          = "alias/github/action-runners"
+#   target_key_id = aws_kms_key.github.key_id
+# }