();
+ const invalidMessages: string[] = [];
+ for (const payload of payloads) {
+ const { eventType, messageId, repositoryName, repositoryOwner } = payload;
+ if (ephemeralEnabled && eventType !== 'workflow_job') {
+ logger.warn(
+ 'Event is not supported in combination with ephemeral runners. Please ensure you have enabled workflow_job events.',
+ { eventType, messageId },
+ );
+
+ invalidMessages.push(messageId);
+
+ continue;
+ }
+
+ if (!isValidRepoOwnerTypeIfOrgLevelEnabled(payload, enableOrgLevel)) {
+ logger.warn(
+ `Repository does not belong to a GitHub organization and organization runners are enabled. This is not supported. Not scaling up for this event. Not throwing error to prevent re-queueing and just ignoring the event.`,
+ {
+ repository: `${repositoryOwner}/${repositoryName}`,
+ messageId,
+ },
+ );
+
+ continue;
+ }
+
+ const key = enableOrgLevel ? payload.repositoryOwner : `${payload.repositoryOwner}/${payload.repositoryName}`;
+
+ let entry = validMessages.get(key);
+
+ // If we've not seen this owner/repo before, we'll need to create a GitHub
+ // client for it.
+ if (entry === undefined) {
+ const installationId = await getInstallationId(githubAppClient, enableOrgLevel, payload);
+ const ghAuth = await createGithubInstallationAuth(installationId, ghesApiUrl);
+ const githubInstallationClient = await createOctokitClient(ghAuth.token, ghesApiUrl);
+
+ entry = {
+ messages: [],
+ githubInstallationClient,
+ };
+
+ validMessages.set(key, entry);
+ }
+
+ entry.messages.push(payload);
}
- const ephemeral = ephemeralEnabled && payload.eventType === 'workflow_job';
const runnerType = enableOrgLevel ? 'Org' : 'Repo';
- const runnerOwner = enableOrgLevel ? payload.repositoryOwner : `${payload.repositoryOwner}/${payload.repositoryName}`;
addPersistentContextToChildLogger({
runner: {
+ ephemeral: ephemeralEnabled,
type: runnerType,
- owner: runnerOwner,
namePrefix: runnerNamePrefix,
- },
- github: {
- event: payload.eventType,
- workflow_job_id: payload.id.toString(),
+ n_events: Array.from(validMessages.values()).reduce((acc, group) => acc + group.messages.length, 0),
},
});
- logger.info(`Received event`);
+ logger.info(`Received events`);
- const { ghesApiUrl, ghesBaseUrl } = getGitHubEnterpriseApiUrl();
+ for (const [group, { githubInstallationClient, messages }] of validMessages.entries()) {
+ // Work out how much we want to scale up by.
+ let scaleUp = 0;
- const installationId = await getInstallationId(ghesApiUrl, enableOrgLevel, payload);
- const ghAuth = await createGithubInstallationAuth(installationId, ghesApiUrl);
- const githubInstallationClient = await createOctokitClient(ghAuth.token, ghesApiUrl);
+ for (const message of messages) {
+ const messageLogger = logger.createChild({
+ persistentKeys: {
+ eventType: message.eventType,
+ group,
+ messageId: message.messageId,
+ repository: `${message.repositoryOwner}/${message.repositoryName}`,
+ },
+ });
- if (!enableJobQueuedCheck || (await isJobQueued(githubInstallationClient, payload))) {
- let scaleUp = true;
- if (maximumRunners !== -1) {
- const currentRunners = await listEC2Runners({
- environment,
- runnerType,
- runnerOwner,
+ if (enableJobQueuedCheck && !(await isJobQueued(githubInstallationClient, message))) {
+ messageLogger.info('No runner will be created, job is not queued.');
+
+ continue;
+ }
+
+ scaleUp++;
+ }
+
+ if (scaleUp === 0) {
+ logger.info('No runners will be created for this group, no valid messages found.');
+
+ continue;
+ }
+
+ // Don't call the EC2 API if we can create an unlimited number of runners.
+ const currentRunners =
+ maximumRunners === -1 ? 0 : (await listEC2Runners({ environment, runnerType, runnerOwner: group })).length;
+
+ logger.info('Current runners', {
+ currentRunners,
+ maximumRunners,
+ });
+
+ // Calculate how many runners we want to create.
+ const newRunners =
+ maximumRunners === -1
+ ? // If we don't have an upper limit, scale up by the number of new jobs.
+ scaleUp
+ : // Otherwise, we do have a limit, so work out if `scaleUp` would exceed it.
+ Math.min(scaleUp, maximumRunners - currentRunners);
+
+ const missingInstanceCount = Math.max(0, scaleUp - newRunners);
+
+ if (missingInstanceCount > 0) {
+ logger.info('Not all runners will be created for this group, maximum number of runners reached.', {
+ desiredNewRunners: scaleUp,
});
- logger.info(`Current runners: ${currentRunners.length} of ${maximumRunners}`);
- scaleUp = currentRunners.length < maximumRunners;
+
+ if (ephemeralEnabled) {
+ // This removes `missingInstanceCount` items from the start of the array
+ // so that, if we retry more messages later, we pick fresh ones.
+ invalidMessages.push(...messages.splice(0, missingInstanceCount).map(({ messageId }) => messageId));
+ }
+
+ // No runners will be created, so skip calling the EC2 API.
+ if (missingInstanceCount === scaleUp) {
+ continue;
+ }
}
- if (scaleUp) {
- logger.info(`Attempting to launch a new runner`);
+ logger.info(`Attempting to launch new runners`, {
+ newRunners,
+ });
- await createRunners(
- {
- ephemeral,
- enableJitConfig,
- ghesBaseUrl,
- runnerLabels,
- runnerGroup,
- runnerNamePrefix,
- runnerOwner,
- runnerType,
- disableAutoUpdate,
- ssmTokenPath,
- ssmConfigPath,
- },
- {
- ec2instanceCriteria: {
- instanceTypes,
- targetCapacityType: instanceTargetCapacityType,
- maxSpotPrice: instanceMaxSpotPrice,
- instanceAllocationStrategy: instanceAllocationStrategy,
- },
- environment,
- launchTemplateName,
- subnets,
- amiIdSsmParameterName,
- tracingEnabled,
- onDemandFailoverOnError,
+ const instances = await createRunners(
+ {
+ ephemeral: ephemeralEnabled,
+ enableJitConfig,
+ ghesBaseUrl,
+ runnerLabels,
+ runnerGroup,
+ runnerNamePrefix,
+ runnerOwner: group,
+ runnerType,
+ disableAutoUpdate,
+ ssmTokenPath,
+ ssmConfigPath,
+ },
+ {
+ ec2instanceCriteria: {
+ instanceTypes,
+ targetCapacityType: instanceTargetCapacityType,
+ maxSpotPrice: instanceMaxSpotPrice,
+ instanceAllocationStrategy: instanceAllocationStrategy,
},
- githubInstallationClient,
- );
+ environment,
+ launchTemplateName,
+ subnets,
+ amiIdSsmParameterName,
+ tracingEnabled,
+ onDemandFailoverOnError,
+ },
+ newRunners,
+ githubInstallationClient,
+ );
- await publishRetryMessage(payload);
- } else {
- logger.info('No runner will be created, maximum number of runners reached.');
- if (ephemeral) {
- throw new ScaleError('No runners create: maximum of runners reached.');
- }
+ // Not all runners we wanted were created, let's reject enough items so that
+ // number of entries will be retried.
+ if (instances.length !== newRunners) {
+ const failedInstanceCount = newRunners - instances.length;
+
+ logger.warn('Some runners failed to be created, rejecting some messages so the requests are retried', {
+ wanted: newRunners,
+ got: instances.length,
+ failedInstanceCount,
+ });
+
+ invalidMessages.push(...messages.slice(0, failedInstanceCount).map(({ messageId }) => messageId));
}
- } else {
- logger.info('No runner will be created, job is not queued.');
}
+
+ return invalidMessages;
}
export function getGitHubEnterpriseApiUrl() {
diff --git a/lambdas/libs/aws-powertools-util/src/logger/index.ts b/lambdas/libs/aws-powertools-util/src/logger/index.ts
index 195b552a74..2bad191a83 100644
--- a/lambdas/libs/aws-powertools-util/src/logger/index.ts
+++ b/lambdas/libs/aws-powertools-util/src/logger/index.ts
@@ -9,7 +9,7 @@ const defaultValues = {
};
function setContext(context: Context, module?: string) {
- logger.addPersistentLogAttributes({
+ logger.appendPersistentKeys({
'aws-request-id': context.awsRequestId,
'function-name': context.functionName,
module: module,
@@ -17,7 +17,7 @@ function setContext(context: Context, module?: string) {
// Add the context to all child loggers
childLoggers.forEach((childLogger) => {
- childLogger.addPersistentLogAttributes({
+ childLogger.appendPersistentKeys({
'aws-request-id': context.awsRequestId,
'function-name': context.functionName,
});
@@ -25,14 +25,14 @@ function setContext(context: Context, module?: string) {
}
const logger = new Logger({
- persistentLogAttributes: {
+ persistentKeys: {
...defaultValues,
},
});
function createChildLogger(module: string): Logger {
const childLogger = logger.createChild({
- persistentLogAttributes: {
+ persistentKeys: {
module: module,
},
});
@@ -47,7 +47,7 @@ type LogAttributes = {
function addPersistentContextToChildLogger(attributes: LogAttributes) {
childLoggers.forEach((childLogger) => {
- childLogger.addPersistentLogAttributes(attributes);
+ childLogger.appendPersistentKeys(attributes);
});
}
diff --git a/main.tf b/main.tf
index 74c4c54ec6..a8c501bc9a 100644
--- a/main.tf
+++ b/main.tf
@@ -177,12 +177,8 @@ module "runners" {
instance_max_spot_price = var.instance_max_spot_price
block_device_mappings = var.block_device_mappings
- runner_architecture = var.runner_architecture
- ami = var.ami
- ami_filter = var.ami_filter
- ami_owners = var.ami_owners
- ami_id_ssm_parameter_name = var.ami_id_ssm_parameter_name
- ami_kms_key_arn = var.ami_kms_key_arn
+ runner_architecture = var.runner_architecture
+ ami = var.ami
sqs_build_queue = aws_sqs_queue.queued_builds
github_app_parameters = local.github_app_parameters
@@ -209,29 +205,32 @@ module "runners" {
metadata_options = var.runner_metadata_options
credit_specification = var.runner_credit_specification
cpu_options = var.runner_cpu_options
-
- enable_runner_binaries_syncer = var.enable_runner_binaries_syncer
- lambda_s3_bucket = var.lambda_s3_bucket
- runners_lambda_s3_key = var.runners_lambda_s3_key
- runners_lambda_s3_object_version = var.runners_lambda_s3_object_version
- lambda_runtime = var.lambda_runtime
- lambda_architecture = var.lambda_architecture
- lambda_zip = var.runners_lambda_zip
- lambda_scale_up_memory_size = var.runners_scale_up_lambda_memory_size
- lambda_scale_down_memory_size = var.runners_scale_down_lambda_memory_size
- lambda_timeout_scale_up = var.runners_scale_up_lambda_timeout
- lambda_timeout_scale_down = var.runners_scale_down_lambda_timeout
- lambda_subnet_ids = var.lambda_subnet_ids
- lambda_security_group_ids = var.lambda_security_group_ids
- lambda_tags = var.lambda_tags
- tracing_config = var.tracing_config
- logging_retention_in_days = var.logging_retention_in_days
- logging_kms_key_id = var.logging_kms_key_id
- enable_cloudwatch_agent = var.enable_cloudwatch_agent
- cloudwatch_config = var.cloudwatch_config
- runner_log_files = var.runner_log_files
- runner_group_name = var.runner_group_name
- runner_name_prefix = var.runner_name_prefix
+ placement = var.runner_placement
+
+ enable_runner_binaries_syncer = var.enable_runner_binaries_syncer
+ lambda_s3_bucket = var.lambda_s3_bucket
+ runners_lambda_s3_key = var.runners_lambda_s3_key
+ runners_lambda_s3_object_version = var.runners_lambda_s3_object_version
+ lambda_runtime = var.lambda_runtime
+ lambda_architecture = var.lambda_architecture
+ lambda_event_source_mapping_batch_size = var.lambda_event_source_mapping_batch_size
+ lambda_event_source_mapping_maximum_batching_window_in_seconds = var.lambda_event_source_mapping_maximum_batching_window_in_seconds
+ lambda_zip = var.runners_lambda_zip
+ lambda_scale_up_memory_size = var.runners_scale_up_lambda_memory_size
+ lambda_scale_down_memory_size = var.runners_scale_down_lambda_memory_size
+ lambda_timeout_scale_up = var.runners_scale_up_lambda_timeout
+ lambda_timeout_scale_down = var.runners_scale_down_lambda_timeout
+ lambda_subnet_ids = var.lambda_subnet_ids
+ lambda_security_group_ids = var.lambda_security_group_ids
+ lambda_tags = var.lambda_tags
+ tracing_config = var.tracing_config
+ logging_retention_in_days = var.logging_retention_in_days
+ logging_kms_key_id = var.logging_kms_key_id
+ enable_cloudwatch_agent = var.enable_cloudwatch_agent
+ cloudwatch_config = var.cloudwatch_config
+ runner_log_files = var.runner_log_files
+ runner_group_name = var.runner_group_name
+ runner_name_prefix = var.runner_name_prefix
scale_up_reserved_concurrent_executions = var.scale_up_reserved_concurrent_executions
diff --git a/modules/ami-housekeeper/README.md b/modules/ami-housekeeper/README.md
index 127d1f96b1..8898e0c85e 100644
--- a/modules/ami-housekeeper/README.md
+++ b/modules/ami-housekeeper/README.md
@@ -67,13 +67,13 @@ yarn run dist
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.3.0 |
-| [aws](#requirement\_aws) | >= 5.27 |
+| [aws](#requirement\_aws) | >= 6.21 |
## Providers
| Name | Version |
|------|---------|
-| [aws](#provider\_aws) | >= 5.27 |
+| [aws](#provider\_aws) | >= 6.21 |
## Modules
@@ -105,7 +105,7 @@ No modules.
| [lambda\_architecture](#input\_lambda\_architecture) | AWS Lambda architecture. Lambda functions using Graviton processors ('arm64') tend to have better price/performance than 'x86\_64' functions. | `string` | `"arm64"` | no |
| [lambda\_memory\_size](#input\_lambda\_memory\_size) | Memory size limit in MB of the lambda. | `number` | `256` | no |
| [lambda\_principals](#input\_lambda\_principals) | (Optional) add extra principals to the role created for execution of the lambda, e.g. for local testing. | list(object({
type = string
identifiers = list(string)
})) | `[]` | no |
-| [lambda\_runtime](#input\_lambda\_runtime) | AWS Lambda runtime. | `string` | `"nodejs22.x"` | no |
+| [lambda\_runtime](#input\_lambda\_runtime) | AWS Lambda runtime. | `string` | `"nodejs24.x"` | no |
| [lambda\_s3\_bucket](#input\_lambda\_s3\_bucket) | S3 bucket from which to specify lambda functions. This is an alternative to providing local files directly. | `string` | `null` | no |
| [lambda\_s3\_key](#input\_lambda\_s3\_key) | S3 key for syncer lambda function. Required if using S3 bucket to specify lambdas. | `string` | `null` | no |
| [lambda\_s3\_object\_version](#input\_lambda\_s3\_object\_version) | S3 object version for syncer lambda function. Useful if S3 versioning is enabled on source bucket. | `string` | `null` | no |
diff --git a/modules/ami-housekeeper/variables.tf b/modules/ami-housekeeper/variables.tf
index 6d9def766b..54bec6dc32 100644
--- a/modules/ami-housekeeper/variables.tf
+++ b/modules/ami-housekeeper/variables.tf
@@ -117,7 +117,7 @@ variable "lambda_s3_object_version" {
variable "lambda_runtime" {
description = "AWS Lambda runtime."
type = string
- default = "nodejs22.x"
+ default = "nodejs24.x"
}
variable "lambda_architecture" {
diff --git a/modules/ami-housekeeper/versions.tf b/modules/ami-housekeeper/versions.tf
index 33f3480ddf..42a40b33fd 100644
--- a/modules/ami-housekeeper/versions.tf
+++ b/modules/ami-housekeeper/versions.tf
@@ -4,7 +4,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
- version = ">= 5.27"
+ version = ">= 6.21"
}
}
}
diff --git a/modules/download-lambda/README.md b/modules/download-lambda/README.md
index 1d51508ab3..9971618089 100644
--- a/modules/download-lambda/README.md
+++ b/modules/download-lambda/README.md
@@ -30,7 +30,7 @@ module "lambdas" {
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.3.0 |
-| [aws](#requirement\_aws) | >= 5.27 |
+| [aws](#requirement\_aws) | >= 6.21 |
| [null](#requirement\_null) | ~> 3 |
## Providers
diff --git a/modules/download-lambda/versions.tf b/modules/download-lambda/versions.tf
index bb56e1e9ba..6bc038a353 100644
--- a/modules/download-lambda/versions.tf
+++ b/modules/download-lambda/versions.tf
@@ -4,7 +4,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
- version = ">= 5.27"
+ version = ">= 6.21"
}
null = {
source = "hashicorp/null"
diff --git a/modules/lambda/README.md b/modules/lambda/README.md
index 0420776ad4..26ff5e5c24 100644
--- a/modules/lambda/README.md
+++ b/modules/lambda/README.md
@@ -10,13 +10,13 @@ Generic module to create lambda functions
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.3.0 |
-| [aws](#requirement\_aws) | >= 5.27 |
+| [aws](#requirement\_aws) | >= 6.21 |
## Providers
| Name | Version |
|------|---------|
-| [aws](#provider\_aws) | >= 5.27 |
+| [aws](#provider\_aws) | >= 6.21 |
## Modules
@@ -39,7 +39,7 @@ No modules.
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
-| [lambda](#input\_lambda) | Configuration for the lambda function.
`aws_partition`: Partition for the base arn if not 'aws'
`architecture`: AWS Lambda architecture. Lambda functions using Graviton processors ('arm64') tend to have better price/performance than 'x86\_64' functions.
`environment_variables`: Environment variables for the lambda.
`handler`: The entrypoint for the lambda.
`principals`: Add extra principals to the role created for execution of the lambda, e.g. for local testing.
`lambda_tags`: Map of tags that will be added to created resources. By default resources will be tagged with name and environment.
`log_level`: Logging level for lambda logging. Valid values are 'silly', 'trace', 'debug', 'info', 'warn', 'error', 'fatal'.
`logging_kms_key_id`: Specifies the kms key id to encrypt the logs with
`logging_retention_in_days`: Specifies the number of days you want to retain log events for the lambda log group. Possible values are: 0, 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, and 3653.
`memory_size`: Memory size limit in MB of the lambda.
`metrics_namespace`: Namespace for the metrics emitted by the lambda.
`name`: The name of the lambda function.
`prefix`: The prefix used for naming resources.
`role_path`: The path that will be added to the role, if not set the environment name will be used.
`role_permissions_boundary`: Permissions boundary that will be added to the created role for the lambda.
`runtime`: AWS Lambda runtime.
`s3_bucket`: S3 bucket from which to specify lambda functions. This is an alternative to providing local files directly.
`s3_key`: S3 key for syncer lambda function. Required if using S3 bucket to specify lambdas.
`s3_object_version`: S3 object version for syncer lambda function. Useful if S3 versioning is enabled on source bucket.
`security_group_ids`: List of security group IDs associated with the Lambda function.
`subnet_ids`: List of subnets in which the action runners will be launched, the subnets needs to be subnets in the `vpc_id`.
`tags`: Map of tags that will be added to created resources. By default resources will be tagged with name and environment.
`timeout`: Time out of the lambda in seconds.
`tracing_config`: Configuration for lambda tracing.
`zip`: File location of the lambda zip file. | object({
aws_partition = optional(string, "aws")
architecture = optional(string, "arm64")
environment_variables = optional(map(string), {})
handler = string
lambda_tags = optional(map(string), {})
log_level = optional(string, "info")
logging_kms_key_id = optional(string, null)
logging_retention_in_days = optional(number, 180)
memory_size = optional(number, 256)
metrics_namespace = optional(string, "GitHub Runners")
name = string
prefix = optional(string, null)
principals = optional(list(object({
type = string
identifiers = list(string)
})), [])
role_path = optional(string, null)
role_permissions_boundary = optional(string, null)
runtime = optional(string, "nodejs22.x")
s3_bucket = optional(string, null)
s3_key = optional(string, null)
s3_object_version = optional(string, null)
security_group_ids = optional(list(string), [])
subnet_ids = optional(list(string), [])
tags = optional(map(string), {})
timeout = optional(number, 60)
tracing_config = optional(object({
mode = optional(string, null)
capture_http_requests = optional(bool, false)
capture_error = optional(bool, false)
}), {})
zip = optional(string, null)
}) | n/a | yes |
+| [lambda](#input\_lambda) | Configuration for the lambda function.
`aws_partition`: Partition for the base arn if not 'aws'
`architecture`: AWS Lambda architecture. Lambda functions using Graviton processors ('arm64') tend to have better price/performance than 'x86\_64' functions.
`environment_variables`: Environment variables for the lambda.
`handler`: The entrypoint for the lambda.
`principals`: Add extra principals to the role created for execution of the lambda, e.g. for local testing.
`lambda_tags`: Map of tags that will be added to created resources. By default resources will be tagged with name and environment.
`log_level`: Logging level for lambda logging. Valid values are 'silly', 'trace', 'debug', 'info', 'warn', 'error', 'fatal'.
`logging_kms_key_id`: Specifies the kms key id to encrypt the logs with
`logging_retention_in_days`: Specifies the number of days you want to retain log events for the lambda log group. Possible values are: 0, 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, and 3653.
`memory_size`: Memory size limit in MB of the lambda.
`metrics_namespace`: Namespace for the metrics emitted by the lambda.
`name`: The name of the lambda function.
`prefix`: The prefix used for naming resources.
`role_path`: The path that will be added to the role, if not set the environment name will be used.
`role_permissions_boundary`: Permissions boundary that will be added to the created role for the lambda.
`runtime`: AWS Lambda runtime.
`s3_bucket`: S3 bucket from which to specify lambda functions. This is an alternative to providing local files directly.
`s3_key`: S3 key for syncer lambda function. Required if using S3 bucket to specify lambdas.
`s3_object_version`: S3 object version for syncer lambda function. Useful if S3 versioning is enabled on source bucket.
`security_group_ids`: List of security group IDs associated with the Lambda function.
`subnet_ids`: List of subnets in which the action runners will be launched, the subnets needs to be subnets in the `vpc_id`.
`tags`: Map of tags that will be added to created resources. By default resources will be tagged with name and environment.
`timeout`: Time out of the lambda in seconds.
`tracing_config`: Configuration for lambda tracing.
`zip`: File location of the lambda zip file. | object({
aws_partition = optional(string, "aws")
architecture = optional(string, "arm64")
environment_variables = optional(map(string), {})
handler = string
lambda_tags = optional(map(string), {})
log_level = optional(string, "info")
logging_kms_key_id = optional(string, null)
logging_retention_in_days = optional(number, 180)
memory_size = optional(number, 256)
metrics_namespace = optional(string, "GitHub Runners")
name = string
prefix = optional(string, null)
principals = optional(list(object({
type = string
identifiers = list(string)
})), [])
role_path = optional(string, null)
role_permissions_boundary = optional(string, null)
runtime = optional(string, "nodejs24.x")
s3_bucket = optional(string, null)
s3_key = optional(string, null)
s3_object_version = optional(string, null)
security_group_ids = optional(list(string), [])
subnet_ids = optional(list(string), [])
tags = optional(map(string), {})
timeout = optional(number, 60)
tracing_config = optional(object({
mode = optional(string, null)
capture_http_requests = optional(bool, false)
capture_error = optional(bool, false)
}), {})
zip = optional(string, null)
}) | n/a | yes |
## Outputs
diff --git a/modules/lambda/variables.tf b/modules/lambda/variables.tf
index bafd2372e8..7cbecba071 100644
--- a/modules/lambda/variables.tf
+++ b/modules/lambda/variables.tf
@@ -47,7 +47,7 @@ variable "lambda" {
})), [])
role_path = optional(string, null)
role_permissions_boundary = optional(string, null)
- runtime = optional(string, "nodejs22.x")
+ runtime = optional(string, "nodejs24.x")
s3_bucket = optional(string, null)
s3_key = optional(string, null)
s3_object_version = optional(string, null)
diff --git a/modules/lambda/versions.tf b/modules/lambda/versions.tf
index 33f3480ddf..42a40b33fd 100644
--- a/modules/lambda/versions.tf
+++ b/modules/lambda/versions.tf
@@ -4,7 +4,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
- version = ">= 5.27"
+ version = ">= 6.21"
}
}
}
diff --git a/modules/multi-runner/README.md b/modules/multi-runner/README.md
index 198078feee..7920092afa 100644
--- a/modules/multi-runner/README.md
+++ b/modules/multi-runner/README.md
@@ -79,14 +79,14 @@ module "multi-runner" {
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.3 |
-| [aws](#requirement\_aws) | >= 5.77 |
+| [aws](#requirement\_aws) | >= 6.21 |
| [random](#requirement\_random) | ~> 3.0 |
## Providers
| Name | Version |
|------|---------|
-| [aws](#provider\_aws) | >= 5.77 |
+| [aws](#provider\_aws) | >= 6.21 |
| [random](#provider\_random) | ~> 3.0 |
## Modules
@@ -137,8 +137,10 @@ module "multi-runner" {
| [key\_name](#input\_key\_name) | Key pair name | `string` | `null` | no |
| [kms\_key\_arn](#input\_kms\_key\_arn) | Optional CMK Key ARN to be used for Parameter Store. | `string` | `null` | no |
| [lambda\_architecture](#input\_lambda\_architecture) | AWS Lambda architecture. Lambda functions using Graviton processors ('arm64') tend to have better price/performance than 'x86\_64' functions. | `string` | `"arm64"` | no |
+| [lambda\_event\_source\_mapping\_batch\_size](#input\_lambda\_event\_source\_mapping\_batch\_size) | Maximum number of records to pass to the lambda function in a single batch for the event source mapping. When not set, the AWS default of 10 events will be used. | `number` | `10` | no |
+| [lambda\_event\_source\_mapping\_maximum\_batching\_window\_in\_seconds](#input\_lambda\_event\_source\_mapping\_maximum\_batching\_window\_in\_seconds) | Maximum amount of time to gather records before invoking the lambda function, in seconds. AWS requires this to be greater than 0 if batch\_size is greater than 10. Defaults to 0. | `number` | `0` | no |
| [lambda\_principals](#input\_lambda\_principals) | (Optional) add extra principals to the role created for execution of the lambda, e.g. for local testing. | list(object({
type = string
identifiers = list(string)
})) | `[]` | no |
-| [lambda\_runtime](#input\_lambda\_runtime) | AWS Lambda runtime. | `string` | `"nodejs22.x"` | no |
+| [lambda\_runtime](#input\_lambda\_runtime) | AWS Lambda runtime. | `string` | `"nodejs24.x"` | no |
| [lambda\_s3\_bucket](#input\_lambda\_s3\_bucket) | S3 bucket from which to specify lambda functions. This is an alternative to providing local files directly. | `string` | `null` | no |
| [lambda\_security\_group\_ids](#input\_lambda\_security\_group\_ids) | List of security group IDs associated with the Lambda function. | `list(string)` | `[]` | no |
| [lambda\_subnet\_ids](#input\_lambda\_subnet\_ids) | List of subnets in which the action runners will be launched, the subnets needs to be subnets in the `vpc_id`. | `list(string)` | `[]` | no |
@@ -148,7 +150,7 @@ module "multi-runner" {
| [logging\_retention\_in\_days](#input\_logging\_retention\_in\_days) | Specifies the number of days you want to retain log events for the lambda log group. Possible values are: 0, 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, and 3653. | `number` | `180` | no |
| [matcher\_config\_parameter\_store\_tier](#input\_matcher\_config\_parameter\_store\_tier) | The tier of the parameter store for the matcher configuration. Valid values are `Standard`, and `Advanced`. | `string` | `"Standard"` | no |
| [metrics](#input\_metrics) | Configuration for metrics created by the module, by default metrics are disabled to avoid additional costs. When metrics are enable all metrics are created unless explicit configured otherwise. | object({
enable = optional(bool, false)
namespace = optional(string, "GitHub Runners")
metric = optional(object({
enable_github_app_rate_limit = optional(bool, true)
enable_job_retry = optional(bool, true)
enable_spot_termination_warning = optional(bool, true)
}), {})
}) | `{}` | no |
-| [multi\_runner\_config](#input\_multi\_runner\_config) | multi\_runner\_config = {
runner\_config: {
runner\_os: "The EC2 Operating System type to use for action runner instances (linux,windows)."
runner\_architecture: "The platform architecture of the runner instance\_type."
runner\_metadata\_options: "(Optional) Metadata options for the ec2 runner instances."
ami: "(Optional) AMI configuration for the action runner instances. This object allows you to specify all AMI-related settings in one place."
ami\_filter: "(Optional) List of maps used to create the AMI filter for the action runner AMI. By default amazon linux 2 is used."
ami\_owners: "(Optional) The list of owners used to select the AMI of action runner instances."
create\_service\_linked\_role\_spot: (Optional) create the serviced linked role for spot instances that is required by the scale-up lambda.
credit\_specification: "(Optional) The credit specification of the runner instance\_type. Can be unset, `standard` or `unlimited`.
delay\_webhook\_event: "The number of seconds the event accepted by the webhook is invisible on the queue before the scale up lambda will receive the event."
disable\_runner\_autoupdate: "Disable the auto update of the github runner agent. Be aware there is a grace period of 30 days, see also the [GitHub article](https://github.blog/changelog/2022-02-01-github-actions-self-hosted-runners-can-now-disable-automatic-updates/)"
ebs\_optimized: "The EC2 EBS optimized configuration."
enable\_ephemeral\_runners: "Enable ephemeral runners, runners will only be used once."
enable\_job\_queued\_check: "Enables JIT configuration for creating runners instead of registration token based registraton. JIT configuration will only be applied for ephemeral runners. By default JIT configuration is enabled for ephemeral runners an can be disabled via this override. When running on GHES without support for JIT configuration this variable should be set to true for ephemeral runners."
enable\_on\_demand\_failover\_for\_errors: "Enable on-demand failover. For example to fall back to on demand when no spot capacity is available the variable can be set to `InsufficientInstanceCapacity`. When not defined the default behavior is to retry later."
enable\_organization\_runners: "Register runners to organization, instead of repo level"
enable\_runner\_binaries\_syncer: "Option to disable the lambda to sync GitHub runner distribution, useful when using a pre-build AMI."
enable\_ssm\_on\_runners: "Enable to allow access the runner instances for debugging purposes via SSM. Note that this adds additional permissions to the runner instances."
enable\_userdata: "Should the userdata script be enabled for the runner. Set this to false if you are using your own prebuilt AMI."
instance\_allocation\_strategy: "The allocation strategy for spot instances. AWS recommends to use `capacity-optimized` however the AWS default is `lowest-price`."
instance\_max\_spot\_price: "Max price price for spot instances per hour. This variable will be passed to the create fleet as max spot price for the fleet."
instance\_target\_capacity\_type: "Default lifecycle used for runner instances, can be either `spot` or `on-demand`."
instance\_types: "List of instance types for the action runner. Defaults are based on runner\_os (al2023 for linux and Windows Server Core for win)."
job\_queue\_retention\_in\_seconds: "The number of seconds the job is held in the queue before it is purged"
minimum\_running\_time\_in\_minutes: "The time an ec2 action runner should be running at minimum before terminated if not busy."
pool\_runner\_owner: "The pool will deploy runners to the GitHub org ID, set this value to the org to which you want the runners deployed. Repo level is not supported."
runner\_additional\_security\_group\_ids: "List of additional security groups IDs to apply to the runner. If added outside the multi\_runner\_config block, the additional security group(s) will be applied to all runner configs. If added inside the multi\_runner\_config, the additional security group(s) will be applied to the individual runner."
runner\_as\_root: "Run the action runner under the root user. Variable `runner_run_as` will be ignored."
runner\_boot\_time\_in\_minutes: "The minimum time for an EC2 runner to boot and register as a runner."
runner\_disable\_default\_labels: "Disable default labels for the runners (os, architecture and `self-hosted`). If enabled, the runner will only have the extra labels provided in `runner_extra_labels`. In case you on own start script is used, this configuration parameter needs to be parsed via SSM."
runner\_extra\_labels: "Extra (custom) labels for the runners (GitHub). Separate each label by a comma. Labels checks on the webhook can be enforced by setting `multi_runner_config.matcherConfig.exactMatch`. GitHub read-only labels should not be provided."
runner\_group\_name: "Name of the runner group."
runner\_name\_prefix: "Prefix for the GitHub runner name."
runner\_run\_as: "Run the GitHub actions agent as user."
runners\_maximum\_count: "The maximum number of runners that will be created. Setting the variable to `-1` desiables the maximum check."
scale\_down\_schedule\_expression: "Scheduler expression to check every x for scale down."
scale\_up\_reserved\_concurrent\_executions: "Amount of reserved concurrent executions for the scale-up lambda function. A value of 0 disables lambda from being triggered and -1 removes any concurrency limitations."
userdata\_template: "Alternative user-data template, replacing the default template. By providing your own user\_data you have to take care of installing all required software, including the action runner. Variables userdata\_pre/post\_install are ignored."
enable\_jit\_config "Overwrite the default behavior for JIT configuration. By default JIT configuration is enabled for ephemeral runners and disabled for non-ephemeral runners. In case of GHES check first if the JIT config API is available. In case you are upgrading from 3.x to 4.x you can set `enable_jit_config` to `false` to avoid a breaking change when having your own AMI."
enable\_runner\_detailed\_monitoring: "Should detailed monitoring be enabled for the runner. Set this to true if you want to use detailed monitoring. See https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-cloudwatch-new.html for details."
enable\_cloudwatch\_agent: "Enabling the cloudwatch agent on the ec2 runner instances, the runner contains default config. Configuration can be overridden via `cloudwatch_config`."
cloudwatch\_config: "(optional) Replaces the module default cloudwatch log config. See https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Agent-Configuration-File-Details.html for details."
userdata\_pre\_install: "Script to be ran before the GitHub Actions runner is installed on the EC2 instances"
userdata\_post\_install: "Script to be ran after the GitHub Actions runner is installed on the EC2 instances"
runner\_hook\_job\_started: "Script to be ran in the runner environment at the beginning of every job"
runner\_hook\_job\_completed: "Script to be ran in the runner environment at the end of every job"
runner\_ec2\_tags: "Map of tags that will be added to the launch template instance tag specifications."
runner\_iam\_role\_managed\_policy\_arns: "Attach AWS or customer-managed IAM policies (by ARN) to the runner IAM role"
vpc\_id: "The VPC for security groups of the action runners. If not set uses the value of `var.vpc_id`."
subnet\_ids: "List of subnets in which the action runners will be launched, the subnets needs to be subnets in the `vpc_id`. If not set, uses the value of `var.subnet_ids`."
idle\_config: "List of time period that can be defined as cron expression to keep a minimum amount of runners active instead of scaling down to 0. By defining this list you can ensure that in time periods that match the cron expression within 5 seconds a runner is kept idle."
runner\_log\_files: "(optional) Replaces the module default cloudwatch log config. See https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Agent-Configuration-File-Details.html for details."
block\_device\_mappings: "The EC2 instance block device configuration. Takes the following keys: `device_name`, `delete_on_termination`, `volume_type`, `volume_size`, `encrypted`, `iops`, `throughput`, `kms_key_id`, `snapshot_id`."
job\_retry: "Experimental! Can be removed / changed without trigger a major release. Configure job retries. The configuration enables job retries (for ephemeral runners). After creating the instances a message will be published to a job retry queue. The job retry check lambda is checking after a delay if the job is queued. If not the message will be published again on the scale-up (build queue). Using this feature can impact the rate limit of the GitHub app."
pool\_config: "The configuration for updating the pool. The `pool_size` to adjust to by the events triggered by the `schedule_expression`. For example you can configure a cron expression for week days to adjust the pool to 10 and another expression for the weekend to adjust the pool to 1. Use `schedule_expression_timezone` to override the schedule time zone (defaults to UTC)."
}
matcherConfig: {
labelMatchers: "The list of list of labels supported by the runner configuration. `[[self-hosted, linux, x64, example]]`"
exactMatch: "If set to true all labels in the workflow job must match the GitHub labels (os, architecture and `self-hosted`). When false if __any__ workflow label matches it will trigger the webhook."
priority: "If set it defines the priority of the matcher, the matcher with the lowest priority will be evaluated first. Default is 999, allowed values 0-999."
}
redrive\_build\_queue: "Set options to attach (optional) a dead letter queue to the build queue, the queue between the webhook and the scale up lambda. You have the following options. 1. Disable by setting `enabled` to false. 2. Enable by setting `enabled` to `true`, `maxReceiveCount` to a number of max retries."
} | map(object({
runner_config = object({
runner_os = string
runner_architecture = string
runner_metadata_options = optional(map(any), {
instance_metadata_tags = "enabled"
http_endpoint = "enabled"
http_tokens = "required"
http_put_response_hop_limit = 1
})
ami = optional(object({
filter = optional(map(list(string)), { state = ["available"] })
owners = optional(list(string), ["amazon"])
id_ssm_parameter_arn = optional(string, null)
kms_key_arn = optional(string, null)
}), null) # Defaults to null, in which case the module falls back to individual AMI variables (deprecated)
# Deprecated: Use ami object instead
ami_filter = optional(map(list(string)), { state = ["available"] })
ami_owners = optional(list(string), ["amazon"])
ami_id_ssm_parameter_name = optional(string, null)
ami_kms_key_arn = optional(string, "")
create_service_linked_role_spot = optional(bool, false)
credit_specification = optional(string, null)
delay_webhook_event = optional(number, 30)
disable_runner_autoupdate = optional(bool, false)
ebs_optimized = optional(bool, false)
enable_ephemeral_runners = optional(bool, false)
enable_job_queued_check = optional(bool, null)
enable_on_demand_failover_for_errors = optional(list(string), [])
enable_organization_runners = optional(bool, false)
enable_runner_binaries_syncer = optional(bool, true)
enable_ssm_on_runners = optional(bool, false)
enable_userdata = optional(bool, true)
instance_allocation_strategy = optional(string, "lowest-price")
instance_max_spot_price = optional(string, null)
instance_target_capacity_type = optional(string, "spot")
instance_types = list(string)
job_queue_retention_in_seconds = optional(number, 86400)
minimum_running_time_in_minutes = optional(number, null)
pool_runner_owner = optional(string, null)
runner_as_root = optional(bool, false)
runner_boot_time_in_minutes = optional(number, 5)
runner_disable_default_labels = optional(bool, false)
runner_extra_labels = optional(list(string), [])
runner_group_name = optional(string, "Default")
runner_name_prefix = optional(string, "")
runner_run_as = optional(string, "ec2-user")
runners_maximum_count = number
runner_additional_security_group_ids = optional(list(string), [])
scale_down_schedule_expression = optional(string, "cron(*/5 * * * ? *)")
scale_up_reserved_concurrent_executions = optional(number, 1)
userdata_template = optional(string, null)
userdata_content = optional(string, null)
enable_jit_config = optional(bool, null)
enable_runner_detailed_monitoring = optional(bool, false)
enable_cloudwatch_agent = optional(bool, true)
cloudwatch_config = optional(string, null)
userdata_pre_install = optional(string, "")
userdata_post_install = optional(string, "")
runner_hook_job_started = optional(string, "")
runner_hook_job_completed = optional(string, "")
runner_ec2_tags = optional(map(string), {})
runner_iam_role_managed_policy_arns = optional(list(string), [])
vpc_id = optional(string, null)
subnet_ids = optional(list(string), null)
idle_config = optional(list(object({
cron = string
timeZone = string
idleCount = number
evictionStrategy = optional(string, "oldest_first")
})), [])
cpu_options = optional(object({
core_count = number
threads_per_core = number
}), null)
runner_log_files = optional(list(object({
log_group_name = string
prefix_log_group = bool
file_path = string
log_stream_name = string
})), null)
block_device_mappings = optional(list(object({
delete_on_termination = optional(bool, true)
device_name = optional(string, "/dev/xvda")
encrypted = optional(bool, true)
iops = optional(number)
kms_key_id = optional(string)
snapshot_id = optional(string)
throughput = optional(number)
volume_size = number
volume_type = optional(string, "gp3")
})), [{
volume_size = 30
}])
pool_config = optional(list(object({
schedule_expression = string
schedule_expression_timezone = optional(string)
size = number
})), [])
job_retry = optional(object({
enable = optional(bool, false)
delay_in_seconds = optional(number, 300)
delay_backoff = optional(number, 2)
lambda_memory_size = optional(number, 256)
lambda_timeout = optional(number, 30)
max_attempts = optional(number, 1)
}), {})
})
matcherConfig = object({
labelMatchers = list(list(string))
exactMatch = optional(bool, false)
priority = optional(number, 999)
})
redrive_build_queue = optional(object({
enabled = bool
maxReceiveCount = number
}), {
enabled = false
maxReceiveCount = null
})
})) | n/a | yes |
+| [multi\_runner\_config](#input\_multi\_runner\_config) | multi\_runner\_config = {
runner\_config: {
runner\_os: "The EC2 Operating System type to use for action runner instances (linux,windows)."
runner\_architecture: "The platform architecture of the runner instance\_type."
runner\_metadata\_options: "(Optional) Metadata options for the ec2 runner instances."
ami: "(Optional) AMI configuration for the action runner instances. This object allows you to specify all AMI-related settings in one place."
create\_service\_linked\_role\_spot: (Optional) create the serviced linked role for spot instances that is required by the scale-up lambda.
credit\_specification: "(Optional) The credit specification of the runner instance\_type. Can be unset, `standard` or `unlimited`.
delay\_webhook\_event: "The number of seconds the event accepted by the webhook is invisible on the queue before the scale up lambda will receive the event."
disable\_runner\_autoupdate: "Disable the auto update of the github runner agent. Be aware there is a grace period of 30 days, see also the [GitHub article](https://github.blog/changelog/2022-02-01-github-actions-self-hosted-runners-can-now-disable-automatic-updates/)"
ebs\_optimized: "The EC2 EBS optimized configuration."
enable\_ephemeral\_runners: "Enable ephemeral runners, runners will only be used once."
enable\_job\_queued\_check: "Enables JIT configuration for creating runners instead of registration token based registraton. JIT configuration will only be applied for ephemeral runners. By default JIT configuration is enabled for ephemeral runners an can be disabled via this override. When running on GHES without support for JIT configuration this variable should be set to true for ephemeral runners."
enable\_on\_demand\_failover\_for\_errors: "Enable on-demand failover. For example to fall back to on demand when no spot capacity is available the variable can be set to `InsufficientInstanceCapacity`. When not defined the default behavior is to retry later."
enable\_organization\_runners: "Register runners to organization, instead of repo level"
enable\_runner\_binaries\_syncer: "Option to disable the lambda to sync GitHub runner distribution, useful when using a pre-build AMI."
enable\_ssm\_on\_runners: "Enable to allow access the runner instances for debugging purposes via SSM. Note that this adds additional permissions to the runner instances."
enable\_userdata: "Should the userdata script be enabled for the runner. Set this to false if you are using your own prebuilt AMI."
instance\_allocation\_strategy: "The allocation strategy for spot instances. AWS recommends to use `capacity-optimized` however the AWS default is `lowest-price`."
instance\_max\_spot\_price: "Max price price for spot instances per hour. This variable will be passed to the create fleet as max spot price for the fleet."
instance\_target\_capacity\_type: "Default lifecycle used for runner instances, can be either `spot` or `on-demand`."
instance\_types: "List of instance types for the action runner. Defaults are based on runner\_os (al2023 for linux and Windows Server Core for win)."
job\_queue\_retention\_in\_seconds: "The number of seconds the job is held in the queue before it is purged"
minimum\_running\_time\_in\_minutes: "The time an ec2 action runner should be running at minimum before terminated if not busy."
pool\_runner\_owner: "The pool will deploy runners to the GitHub org ID, set this value to the org to which you want the runners deployed. Repo level is not supported."
runner\_additional\_security\_group\_ids: "List of additional security groups IDs to apply to the runner. If added outside the multi\_runner\_config block, the additional security group(s) will be applied to all runner configs. If added inside the multi\_runner\_config, the additional security group(s) will be applied to the individual runner."
runner\_as\_root: "Run the action runner under the root user. Variable `runner_run_as` will be ignored."
runner\_boot\_time\_in\_minutes: "The minimum time for an EC2 runner to boot and register as a runner."
runner\_disable\_default\_labels: "Disable default labels for the runners (os, architecture and `self-hosted`). If enabled, the runner will only have the extra labels provided in `runner_extra_labels`. In case you on own start script is used, this configuration parameter needs to be parsed via SSM."
runner\_extra\_labels: "Extra (custom) labels for the runners (GitHub). Separate each label by a comma. Labels checks on the webhook can be enforced by setting `multi_runner_config.matcherConfig.exactMatch`. GitHub read-only labels should not be provided."
runner\_group\_name: "Name of the runner group."
runner\_name\_prefix: "Prefix for the GitHub runner name."
runner\_run\_as: "Run the GitHub actions agent as user."
runners\_maximum\_count: "The maximum number of runners that will be created. Setting the variable to `-1` desiables the maximum check."
scale\_down\_schedule\_expression: "Scheduler expression to check every x for scale down."
scale\_up\_reserved\_concurrent\_executions: "Amount of reserved concurrent executions for the scale-up lambda function. A value of 0 disables lambda from being triggered and -1 removes any concurrency limitations."
userdata\_template: "Alternative user-data template, replacing the default template. By providing your own user\_data you have to take care of installing all required software, including the action runner. Variables userdata\_pre/post\_install are ignored."
enable\_jit\_config "Overwrite the default behavior for JIT configuration. By default JIT configuration is enabled for ephemeral runners and disabled for non-ephemeral runners. In case of GHES check first if the JIT config API is available. In case you are upgrading from 3.x to 4.x you can set `enable_jit_config` to `false` to avoid a breaking change when having your own AMI."
enable\_runner\_detailed\_monitoring: "Should detailed monitoring be enabled for the runner. Set this to true if you want to use detailed monitoring. See https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-cloudwatch-new.html for details."
enable\_cloudwatch\_agent: "Enabling the cloudwatch agent on the ec2 runner instances, the runner contains default config. Configuration can be overridden via `cloudwatch_config`."
cloudwatch\_config: "(optional) Replaces the module default cloudwatch log config. See https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Agent-Configuration-File-Details.html for details."
userdata\_pre\_install: "Script to be ran before the GitHub Actions runner is installed on the EC2 instances"
userdata\_post\_install: "Script to be ran after the GitHub Actions runner is installed on the EC2 instances"
runner\_hook\_job\_started: "Script to be ran in the runner environment at the beginning of every job"
runner\_hook\_job\_completed: "Script to be ran in the runner environment at the end of every job"
runner\_ec2\_tags: "Map of tags that will be added to the launch template instance tag specifications."
runner\_iam\_role\_managed\_policy\_arns: "Attach AWS or customer-managed IAM policies (by ARN) to the runner IAM role"
vpc\_id: "The VPC for security groups of the action runners. If not set uses the value of `var.vpc_id`."
subnet\_ids: "List of subnets in which the action runners will be launched, the subnets needs to be subnets in the `vpc_id`. If not set, uses the value of `var.subnet_ids`."
idle\_config: "List of time period that can be defined as cron expression to keep a minimum amount of runners active instead of scaling down to 0. By defining this list you can ensure that in time periods that match the cron expression within 5 seconds a runner is kept idle."
runner\_log\_files: "(optional) Replaces the module default cloudwatch log config. See https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Agent-Configuration-File-Details.html for details."
block\_device\_mappings: "The EC2 instance block device configuration. Takes the following keys: `device_name`, `delete_on_termination`, `volume_type`, `volume_size`, `encrypted`, `iops`, `throughput`, `kms_key_id`, `snapshot_id`."
job\_retry: "Experimental! Can be removed / changed without trigger a major release. Configure job retries. The configuration enables job retries (for ephemeral runners). After creating the instances a message will be published to a job retry queue. The job retry check lambda is checking after a delay if the job is queued. If not the message will be published again on the scale-up (build queue). Using this feature can impact the rate limit of the GitHub app."
pool\_config: "The configuration for updating the pool. The `pool_size` to adjust to by the events triggered by the `schedule_expression`. For example you can configure a cron expression for week days to adjust the pool to 10 and another expression for the weekend to adjust the pool to 1. Use `schedule_expression_timezone` to override the schedule time zone (defaults to UTC)."
}
matcherConfig: {
labelMatchers: "The list of list of labels supported by the runner configuration. `[[self-hosted, linux, x64, example]]`"
exactMatch: "If set to true all labels in the workflow job must match the GitHub labels (os, architecture and `self-hosted`). When false if __any__ workflow label matches it will trigger the webhook."
priority: "If set it defines the priority of the matcher, the matcher with the lowest priority will be evaluated first. Default is 999, allowed values 0-999."
}
redrive\_build\_queue: "Set options to attach (optional) a dead letter queue to the build queue, the queue between the webhook and the scale up lambda. You have the following options. 1. Disable by setting `enabled` to false. 2. Enable by setting `enabled` to `true`, `maxReceiveCount` to a number of max retries."
} | map(object({
runner_config = object({
runner_os = string
runner_architecture = string
runner_metadata_options = optional(map(any), {
instance_metadata_tags = "enabled"
http_endpoint = "enabled"
http_tokens = "required"
http_put_response_hop_limit = 1
})
ami = optional(object({
filter = optional(map(list(string)), { state = ["available"] })
owners = optional(list(string), ["amazon"])
id_ssm_parameter_arn = optional(string, null)
kms_key_arn = optional(string, null)
}), null)
create_service_linked_role_spot = optional(bool, false)
credit_specification = optional(string, null)
delay_webhook_event = optional(number, 30)
disable_runner_autoupdate = optional(bool, false)
ebs_optimized = optional(bool, false)
enable_ephemeral_runners = optional(bool, false)
enable_job_queued_check = optional(bool, null)
enable_on_demand_failover_for_errors = optional(list(string), [])
enable_organization_runners = optional(bool, false)
enable_runner_binaries_syncer = optional(bool, true)
enable_ssm_on_runners = optional(bool, false)
enable_userdata = optional(bool, true)
instance_allocation_strategy = optional(string, "lowest-price")
instance_max_spot_price = optional(string, null)
instance_target_capacity_type = optional(string, "spot")
instance_types = list(string)
job_queue_retention_in_seconds = optional(number, 86400)
minimum_running_time_in_minutes = optional(number, null)
pool_runner_owner = optional(string, null)
runner_as_root = optional(bool, false)
runner_boot_time_in_minutes = optional(number, 5)
runner_disable_default_labels = optional(bool, false)
runner_extra_labels = optional(list(string), [])
runner_group_name = optional(string, "Default")
runner_name_prefix = optional(string, "")
runner_run_as = optional(string, "ec2-user")
runners_maximum_count = number
runner_additional_security_group_ids = optional(list(string), [])
scale_down_schedule_expression = optional(string, "cron(*/5 * * * ? *)")
scale_up_reserved_concurrent_executions = optional(number, 1)
userdata_template = optional(string, null)
userdata_content = optional(string, null)
enable_jit_config = optional(bool, null)
enable_runner_detailed_monitoring = optional(bool, false)
enable_cloudwatch_agent = optional(bool, true)
cloudwatch_config = optional(string, null)
userdata_pre_install = optional(string, "")
userdata_post_install = optional(string, "")
runner_hook_job_started = optional(string, "")
runner_hook_job_completed = optional(string, "")
runner_ec2_tags = optional(map(string), {})
runner_iam_role_managed_policy_arns = optional(list(string), [])
vpc_id = optional(string, null)
subnet_ids = optional(list(string), null)
idle_config = optional(list(object({
cron = string
timeZone = string
idleCount = number
evictionStrategy = optional(string, "oldest_first")
})), [])
cpu_options = optional(object({
core_count = number
threads_per_core = number
}), null)
placement = optional(object({
affinity = optional(string)
availability_zone = optional(string)
group_id = optional(string)
group_name = optional(string)
host_id = optional(string)
host_resource_group_arn = optional(number)
spread_domain = optional(string)
tenancy = optional(string)
partition_number = optional(number)
}), null)
runner_log_files = optional(list(object({
log_group_name = string
prefix_log_group = bool
file_path = string
log_stream_name = string
})), null)
block_device_mappings = optional(list(object({
delete_on_termination = optional(bool, true)
device_name = optional(string, "/dev/xvda")
encrypted = optional(bool, true)
iops = optional(number)
kms_key_id = optional(string)
snapshot_id = optional(string)
throughput = optional(number)
volume_size = number
volume_type = optional(string, "gp3")
})), [{
volume_size = 30
}])
pool_config = optional(list(object({
schedule_expression = string
schedule_expression_timezone = optional(string)
size = number
})), [])
job_retry = optional(object({
enable = optional(bool, false)
delay_in_seconds = optional(number, 300)
delay_backoff = optional(number, 2)
lambda_memory_size = optional(number, 256)
lambda_timeout = optional(number, 30)
max_attempts = optional(number, 1)
}), {})
})
matcherConfig = object({
labelMatchers = list(list(string))
exactMatch = optional(bool, false)
priority = optional(number, 999)
})
redrive_build_queue = optional(object({
enabled = bool
maxReceiveCount = number
}), {
enabled = false
maxReceiveCount = null
})
})) | n/a | yes |
| [pool\_lambda\_reserved\_concurrent\_executions](#input\_pool\_lambda\_reserved\_concurrent\_executions) | Amount of reserved concurrent executions for the scale-up lambda function. A value of 0 disables lambda from being triggered and -1 removes any concurrency limitations. | `number` | `1` | no |
| [pool\_lambda\_timeout](#input\_pool\_lambda\_timeout) | Time out for the pool lambda in seconds. | `number` | `60` | no |
| [prefix](#input\_prefix) | The prefix used for naming resources | `string` | `"github-actions"` | no |
@@ -193,7 +195,6 @@ module "multi-runner" {
| Name | Description |
|------|-------------|
| [binaries\_syncer\_map](#output\_binaries\_syncer\_map) | n/a |
-| [deprecated\_variables\_warning](#output\_deprecated\_variables\_warning) | Warning for deprecated variables usage. These variables will be removed in a future release. Please migrate to using the consolidated 'ami' object in each runner configuration. |
| [instance\_termination\_handler](#output\_instance\_termination\_handler) | n/a |
| [instance\_termination\_watcher](#output\_instance\_termination\_watcher) | n/a |
| [runners\_map](#output\_runners\_map) | n/a |
diff --git a/modules/multi-runner/outputs.tf b/modules/multi-runner/outputs.tf
index 2f2b1d3458..7ce7171faf 100644
--- a/modules/multi-runner/outputs.tf
+++ b/modules/multi-runner/outputs.tf
@@ -67,23 +67,3 @@ output "instance_termination_handler" {
lambda_role = module.instance_termination_watcher[0].spot_termination_handler.lambda_role
} : null
}
-
-output "deprecated_variables_warning" {
- description = "Warning for deprecated variables usage. These variables will be removed in a future release. Please migrate to using the consolidated 'ami' object in each runner configuration."
- value = join("", [
- for key, runner_config in var.multi_runner_config : (
- join("", [
- # Show object migration warning only when ami is null and old variables are used
- try(runner_config.runner_config.ami, null) == null ? (
- (try(runner_config.runner_config.ami_filter, { state = ["available"] }) != { state = ["available"] } ||
- try(runner_config.runner_config.ami_owners, ["amazon"]) != ["amazon"] ||
- try(runner_config.runner_config.ami_kms_key_arn, "") != "") ?
- "DEPRECATION WARNING: Runner '${key}' is using deprecated AMI variables (ami_filter, ami_owners, ami_kms_key_arn). These variables will be removed in a future version. Please migrate to using the consolidated 'ami' object.\n" : ""
- ) : "",
- # Always show warning for ami_id_ssm_parameter_name to migrate to ami_id_ssm_parameter_arn
- try(runner_config.runner_config.ami_id_ssm_parameter_name, null) != null ?
- "DEPRECATION WARNING: Runner '${key}' is using deprecated variable 'ami_id_ssm_parameter_name'. Please use 'ami.id_ssm_parameter_arn' instead.\n" : ""
- ])
- )
- ])
-}
diff --git a/modules/multi-runner/runners.tf b/modules/multi-runner/runners.tf
index 811ab36260..ea8fb17dce 100644
--- a/modules/multi-runner/runners.tf
+++ b/modules/multi-runner/runners.tf
@@ -27,9 +27,6 @@ module "runners" {
runner_architecture = each.value.runner_config.runner_architecture
ami = each.value.runner_config.ami
- ami_filter = each.value.runner_config.ami_filter
- ami_owners = each.value.runner_config.ami_owners
- ami_kms_key_arn = each.value.runner_config.ami_kms_key_arn
sqs_build_queue = { "arn" : each.value.arn, "url" : each.value.url }
github_app_parameters = local.github_app_parameters
@@ -57,29 +54,32 @@ module "runners" {
metadata_options = each.value.runner_config.runner_metadata_options
credit_specification = each.value.runner_config.credit_specification
cpu_options = each.value.runner_config.cpu_options
-
- enable_runner_binaries_syncer = each.value.runner_config.enable_runner_binaries_syncer
- lambda_s3_bucket = var.lambda_s3_bucket
- runners_lambda_s3_key = var.runners_lambda_s3_key
- runners_lambda_s3_object_version = var.runners_lambda_s3_object_version
- lambda_runtime = var.lambda_runtime
- lambda_architecture = var.lambda_architecture
- lambda_zip = var.runners_lambda_zip
- lambda_scale_up_memory_size = var.scale_up_lambda_memory_size
- lambda_timeout_scale_up = var.runners_scale_up_lambda_timeout
- lambda_scale_down_memory_size = var.scale_down_lambda_memory_size
- lambda_timeout_scale_down = var.runners_scale_down_lambda_timeout
- lambda_subnet_ids = var.lambda_subnet_ids
- lambda_security_group_ids = var.lambda_security_group_ids
- lambda_tags = var.lambda_tags
- tracing_config = var.tracing_config
- logging_retention_in_days = var.logging_retention_in_days
- logging_kms_key_id = var.logging_kms_key_id
- enable_cloudwatch_agent = each.value.runner_config.enable_cloudwatch_agent
- cloudwatch_config = try(coalesce(each.value.runner_config.cloudwatch_config, var.cloudwatch_config), null)
- runner_log_files = each.value.runner_config.runner_log_files
- runner_group_name = each.value.runner_config.runner_group_name
- runner_name_prefix = each.value.runner_config.runner_name_prefix
+ placement = each.value.runner_config.placement
+
+ enable_runner_binaries_syncer = each.value.runner_config.enable_runner_binaries_syncer
+ lambda_s3_bucket = var.lambda_s3_bucket
+ runners_lambda_s3_key = var.runners_lambda_s3_key
+ runners_lambda_s3_object_version = var.runners_lambda_s3_object_version
+ lambda_runtime = var.lambda_runtime
+ lambda_architecture = var.lambda_architecture
+ lambda_zip = var.runners_lambda_zip
+ lambda_scale_up_memory_size = var.scale_up_lambda_memory_size
+ lambda_event_source_mapping_batch_size = var.lambda_event_source_mapping_batch_size
+ lambda_event_source_mapping_maximum_batching_window_in_seconds = var.lambda_event_source_mapping_maximum_batching_window_in_seconds
+ lambda_timeout_scale_up = var.runners_scale_up_lambda_timeout
+ lambda_scale_down_memory_size = var.scale_down_lambda_memory_size
+ lambda_timeout_scale_down = var.runners_scale_down_lambda_timeout
+ lambda_subnet_ids = var.lambda_subnet_ids
+ lambda_security_group_ids = var.lambda_security_group_ids
+ lambda_tags = var.lambda_tags
+ tracing_config = var.tracing_config
+ logging_retention_in_days = var.logging_retention_in_days
+ logging_kms_key_id = var.logging_kms_key_id
+ enable_cloudwatch_agent = each.value.runner_config.enable_cloudwatch_agent
+ cloudwatch_config = try(coalesce(each.value.runner_config.cloudwatch_config, var.cloudwatch_config), null)
+ runner_log_files = each.value.runner_config.runner_log_files
+ runner_group_name = each.value.runner_config.runner_group_name
+ runner_name_prefix = each.value.runner_config.runner_name_prefix
scale_up_reserved_concurrent_executions = each.value.runner_config.scale_up_reserved_concurrent_executions
diff --git a/modules/multi-runner/variables.tf b/modules/multi-runner/variables.tf
index 119af5c36c..0ca473ecf2 100644
--- a/modules/multi-runner/variables.tf
+++ b/modules/multi-runner/variables.tf
@@ -70,12 +70,7 @@ variable "multi_runner_config" {
owners = optional(list(string), ["amazon"])
id_ssm_parameter_arn = optional(string, null)
kms_key_arn = optional(string, null)
- }), null) # Defaults to null, in which case the module falls back to individual AMI variables (deprecated)
- # Deprecated: Use ami object instead
- ami_filter = optional(map(list(string)), { state = ["available"] })
- ami_owners = optional(list(string), ["amazon"])
- ami_id_ssm_parameter_name = optional(string, null)
- ami_kms_key_arn = optional(string, "")
+ }), null)
create_service_linked_role_spot = optional(bool, false)
credit_specification = optional(string, null)
delay_webhook_event = optional(number, 30)
@@ -130,6 +125,17 @@ variable "multi_runner_config" {
core_count = number
threads_per_core = number
}), null)
+ placement = optional(object({
+ affinity = optional(string)
+ availability_zone = optional(string)
+ group_id = optional(string)
+ group_name = optional(string)
+ host_id = optional(string)
+ host_resource_group_arn = optional(number)
+ spread_domain = optional(string)
+ tenancy = optional(string)
+ partition_number = optional(number)
+ }), null)
runner_log_files = optional(list(object({
log_group_name = string
prefix_log_group = bool
@@ -183,8 +189,6 @@ variable "multi_runner_config" {
runner_architecture: "The platform architecture of the runner instance_type."
runner_metadata_options: "(Optional) Metadata options for the ec2 runner instances."
ami: "(Optional) AMI configuration for the action runner instances. This object allows you to specify all AMI-related settings in one place."
- ami_filter: "(Optional) List of maps used to create the AMI filter for the action runner AMI. By default amazon linux 2 is used."
- ami_owners: "(Optional) The list of owners used to select the AMI of action runner instances."
create_service_linked_role_spot: (Optional) create the serviced linked role for spot instances that is required by the scale-up lambda.
credit_specification: "(Optional) The credit specification of the runner instance_type. Can be unset, `standard` or `unlimited`.
delay_webhook_event: "The number of seconds the event accepted by the webhook is invisible on the queue before the scale up lambda will receive the event."
@@ -364,7 +368,7 @@ variable "log_level" {
variable "lambda_runtime" {
description = "AWS Lambda runtime."
type = string
- default = "nodejs22.x"
+ default = "nodejs24.x"
}
variable "lambda_architecture" {
@@ -724,3 +728,15 @@ variable "user_agent" {
type = string
default = "github-aws-runners"
}
+
+variable "lambda_event_source_mapping_batch_size" {
+ description = "Maximum number of records to pass to the lambda function in a single batch for the event source mapping. When not set, the AWS default of 10 events will be used."
+ type = number
+ default = 10
+}
+
+variable "lambda_event_source_mapping_maximum_batching_window_in_seconds" {
+ description = "Maximum amount of time to gather records before invoking the lambda function, in seconds. AWS requires this to be greater than 0 if batch_size is greater than 10. Defaults to 0."
+ type = number
+ default = 0
+}
diff --git a/modules/multi-runner/versions.tf b/modules/multi-runner/versions.tf
index fa763f4e76..cf8961bb61 100644
--- a/modules/multi-runner/versions.tf
+++ b/modules/multi-runner/versions.tf
@@ -4,7 +4,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
- version = ">= 5.77"
+ version = ">= 6.21"
}
random = {
source = "hashicorp/random"
diff --git a/modules/runner-binaries-syncer/README.md b/modules/runner-binaries-syncer/README.md
index 740be89925..2999be138f 100644
--- a/modules/runner-binaries-syncer/README.md
+++ b/modules/runner-binaries-syncer/README.md
@@ -37,13 +37,13 @@ yarn run dist
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.3.0 |
-| [aws](#requirement\_aws) | >= 5.27 |
+| [aws](#requirement\_aws) | >= 6.21 |
## Providers
| Name | Version |
|------|---------|
-| [aws](#provider\_aws) | >= 5.27 |
+| [aws](#provider\_aws) | >= 6.21 |
## Modules
@@ -89,7 +89,7 @@ No modules.
| [lambda\_architecture](#input\_lambda\_architecture) | AWS Lambda architecture. Lambda functions using Graviton processors ('arm64') tend to have better price/performance than 'x86\_64' functions. | `string` | `"arm64"` | no |
| [lambda\_memory\_size](#input\_lambda\_memory\_size) | Memory size of the lambda. | `number` | `256` | no |
| [lambda\_principals](#input\_lambda\_principals) | (Optional) add extra principals to the role created for execution of the lambda, e.g. for local testing. | list(object({
type = string
identifiers = list(string)
})) | `[]` | no |
-| [lambda\_runtime](#input\_lambda\_runtime) | AWS Lambda runtime. | `string` | `"nodejs22.x"` | no |
+| [lambda\_runtime](#input\_lambda\_runtime) | AWS Lambda runtime. | `string` | `"nodejs24.x"` | no |
| [lambda\_s3\_bucket](#input\_lambda\_s3\_bucket) | S3 bucket from which to specify lambda functions. This is an alternative to providing local files directly. | `string` | `null` | no |
| [lambda\_schedule\_expression](#input\_lambda\_schedule\_expression) | Scheduler expression for action runner binary syncer. | `string` | `"cron(27 * * * ? *)"` | no |
| [lambda\_security\_group\_ids](#input\_lambda\_security\_group\_ids) | List of security group IDs associated with the Lambda function. | `list(string)` | `[]` | no |
diff --git a/modules/runner-binaries-syncer/variables.tf b/modules/runner-binaries-syncer/variables.tf
index 4a38fb24b0..dd16a7c3ee 100644
--- a/modules/runner-binaries-syncer/variables.tf
+++ b/modules/runner-binaries-syncer/variables.tf
@@ -220,7 +220,7 @@ variable "lambda_principals" {
variable "lambda_runtime" {
description = "AWS Lambda runtime."
type = string
- default = "nodejs22.x"
+ default = "nodejs24.x"
}
variable "lambda_architecture" {
diff --git a/modules/runner-binaries-syncer/versions.tf b/modules/runner-binaries-syncer/versions.tf
index 33f3480ddf..42a40b33fd 100644
--- a/modules/runner-binaries-syncer/versions.tf
+++ b/modules/runner-binaries-syncer/versions.tf
@@ -4,7 +4,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
- version = ">= 5.27"
+ version = ">= 6.21"
}
}
}
diff --git a/modules/runners/README.md b/modules/runners/README.md
index eddf7edb40..9bb3a6f4e6 100644
--- a/modules/runners/README.md
+++ b/modules/runners/README.md
@@ -53,13 +53,13 @@ yarn run dist
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.3.0 |
-| [aws](#requirement\_aws) | >= 5.27 |
+| [aws](#requirement\_aws) | >= 6.21 |
## Providers
| Name | Version |
|------|---------|
-| [aws](#provider\_aws) | >= 5.27 |
+| [aws](#provider\_aws) | >= 6.21 |
## Modules
@@ -137,10 +137,6 @@ yarn run dist
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| [ami](#input\_ami) | AMI configuration for the action runner instances. This object allows you to specify all AMI-related settings in one place.
Parameters:
- `filter`: Map of lists to filter AMIs by various criteria (e.g., { name = ["ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-*"], state = ["available"] })
- `owners`: List of AMI owners to limit the search. Common values: ["amazon"], ["self"], or specific AWS account IDs
- `id_ssm_parameter_name`: Name of an SSM parameter containing the AMI ID. If specified, this overrides the AMI filter
- `id_ssm_parameter_arn`: ARN of an SSM parameter containing the AMI ID. If specified, this overrides both AMI filter and parameter name
- `kms_key_arn`: Optional KMS key ARN if the AMI is encrypted with a customer managed key
Defaults to null, in which case the module falls back to individual AMI variables (deprecated). | object({
filter = optional(map(list(string)), { state = ["available"] })
owners = optional(list(string), ["amazon"])
id_ssm_parameter_arn = optional(string, null)
kms_key_arn = optional(string, null)
}) | `null` | no |
-| [ami\_filter](#input\_ami\_filter) | [DEPRECATED: Use ami.filter] Map of lists used to create the AMI filter for the action runner AMI. | `map(list(string))` | {
"state": [
"available"
]
} | no |
-| [ami\_id\_ssm\_parameter\_name](#input\_ami\_id\_ssm\_parameter\_name) | [DEPRECATED: Use ami.id\_ssm\_parameter\_name] Externally managed SSM parameter (of data type aws:ec2:image) that contains the AMI ID to launch runner instances from. Overrides ami\_filter | `string` | `null` | no |
-| [ami\_kms\_key\_arn](#input\_ami\_kms\_key\_arn) | [DEPRECATED: Use ami.kms\_key\_arn] Optional CMK Key ARN to be used to launch an instance from a shared encrypted AMI | `string` | `null` | no |
-| [ami\_owners](#input\_ami\_owners) | [DEPRECATED: Use ami.owners] The list of owners used to select the AMI of action runner instances. | `list(string)` | [
"amazon"
]
| no |
| [associate\_public\_ipv4\_address](#input\_associate\_public\_ipv4\_address) | Associate public IPv4 with the runner. Only tested with IPv4 | `bool` | `false` | no |
| [aws\_partition](#input\_aws\_partition) | (optional) partition for the base arn if not 'aws' | `string` | `"aws"` | no |
| [aws\_region](#input\_aws\_region) | AWS region. | `string` | n/a | yes |
@@ -177,7 +173,9 @@ yarn run dist
| [key\_name](#input\_key\_name) | Key pair name | `string` | `null` | no |
| [kms\_key\_arn](#input\_kms\_key\_arn) | Optional CMK Key ARN to be used for Parameter Store. | `string` | `null` | no |
| [lambda\_architecture](#input\_lambda\_architecture) | AWS Lambda architecture. Lambda functions using Graviton processors ('arm64') tend to have better price/performance than 'x86\_64' functions. | `string` | `"arm64"` | no |
-| [lambda\_runtime](#input\_lambda\_runtime) | AWS Lambda runtime. | `string` | `"nodejs22.x"` | no |
+| [lambda\_event\_source\_mapping\_batch\_size](#input\_lambda\_event\_source\_mapping\_batch\_size) | Maximum number of records to pass to the lambda function in a single batch for the event source mapping. When not set, the AWS default of 10 events will be used. | `number` | `10` | no |
+| [lambda\_event\_source\_mapping\_maximum\_batching\_window\_in\_seconds](#input\_lambda\_event\_source\_mapping\_maximum\_batching\_window\_in\_seconds) | Maximum amount of time to gather records before invoking the lambda function, in seconds. AWS requires this to be greater than 0 if batch\_size is greater than 10. Defaults to 0. | `number` | `0` | no |
+| [lambda\_runtime](#input\_lambda\_runtime) | AWS Lambda runtime. | `string` | `"nodejs24.x"` | no |
| [lambda\_s3\_bucket](#input\_lambda\_s3\_bucket) | S3 bucket from which to specify lambda functions. This is an alternative to providing local files directly. | `string` | `null` | no |
| [lambda\_scale\_down\_memory\_size](#input\_lambda\_scale\_down\_memory\_size) | Memory size limit in MB for scale down lambda. | `number` | `512` | no |
| [lambda\_scale\_up\_memory\_size](#input\_lambda\_scale\_up\_memory\_size) | Memory size limit in MB for scale-up lambda. | `number` | `512` | no |
@@ -194,6 +192,7 @@ yarn run dist
| [metrics](#input\_metrics) | Configuration for metrics created by the module, by default metrics are disabled to avoid additional costs. When metrics are enable all metrics are created unless explicit configured otherwise. | object({
enable = optional(bool, false)
namespace = optional(string, "GitHub Runners")
metric = optional(object({
enable_github_app_rate_limit = optional(bool, true)
enable_job_retry = optional(bool, true)
enable_spot_termination_warning = optional(bool, true)
}), {})
}) | `{}` | no |
| [minimum\_running\_time\_in\_minutes](#input\_minimum\_running\_time\_in\_minutes) | The time an ec2 action runner should be running at minimum before terminated if non busy. If not set the default is calculated based on the OS. | `number` | `null` | no |
| [overrides](#input\_overrides) | This map provides the possibility to override some defaults. The following attributes are supported: `name_sg` overrides the `Name` tag for all security groups created by this module. `name_runner_agent_instance` overrides the `Name` tag for the ec2 instance defined in the auto launch configuration. `name_docker_machine_runners` overrides the `Name` tag spot instances created by the runner agent. | `map(string)` | {
"name_runner": "",
"name_sg": ""
} | no |
+| [placement](#input\_placement) | The placement options for the instance. See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_template#placement for details. | object({
affinity = optional(string)
availability_zone = optional(string)
group_id = optional(string)
group_name = optional(string)
host_id = optional(string)
host_resource_group_arn = optional(number)
spread_domain = optional(string)
tenancy = optional(string)
partition_number = optional(number)
}) | `null` | no |
| [pool\_config](#input\_pool\_config) | The configuration for updating the pool. The `pool_size` to adjust to by the events triggered by the `schedule_expression`. For example you can configure a cron expression for week days to adjust the pool to 10 and another expression for the weekend to adjust the pool to 1. Use `schedule_expression_timezone ` to override the schedule time zone (defaults to UTC). | list(object({
schedule_expression = string
schedule_expression_timezone = optional(string)
size = number
})) | `[]` | no |
| [pool\_lambda\_memory\_size](#input\_pool\_lambda\_memory\_size) | Lambda Memory size limit in MB for pool lambda | `number` | `512` | no |
| [pool\_lambda\_reserved\_concurrent\_executions](#input\_pool\_lambda\_reserved\_concurrent\_executions) | Amount of reserved concurrent executions for the scale-up lambda function. A value of 0 disables lambda from being triggered and -1 removes any concurrency limitations. | `number` | `1` | no |
diff --git a/modules/runners/job-retry.tf b/modules/runners/job-retry.tf
index e51c3903d4..130992667f 100644
--- a/modules/runners/job-retry.tf
+++ b/modules/runners/job-retry.tf
@@ -3,30 +3,32 @@ locals {
job_retry_enabled = var.job_retry != null && var.job_retry.enable ? true : false
job_retry = {
- prefix = var.prefix
- tags = local.tags
- aws_partition = var.aws_partition
- architecture = var.lambda_architecture
- runtime = var.lambda_runtime
- security_group_ids = var.lambda_security_group_ids
- subnet_ids = var.lambda_subnet_ids
- kms_key_arn = var.kms_key_arn
- lambda_tags = var.lambda_tags
- log_level = var.log_level
- logging_kms_key_id = var.logging_kms_key_id
- logging_retention_in_days = var.logging_retention_in_days
- metrics = var.metrics
- role_path = var.role_path
- role_permissions_boundary = var.role_permissions_boundary
- s3_bucket = var.lambda_s3_bucket
- s3_key = var.runners_lambda_s3_key
- s3_object_version = var.runners_lambda_s3_object_version
- zip = var.lambda_zip
- tracing_config = var.tracing_config
- github_app_parameters = var.github_app_parameters
- enable_organization_runners = var.enable_organization_runners
- sqs_build_queue = var.sqs_build_queue
- ghes_url = var.ghes_url
+ prefix = var.prefix
+ tags = local.tags
+ aws_partition = var.aws_partition
+ architecture = var.lambda_architecture
+ runtime = var.lambda_runtime
+ security_group_ids = var.lambda_security_group_ids
+ subnet_ids = var.lambda_subnet_ids
+ kms_key_arn = var.kms_key_arn
+ lambda_tags = var.lambda_tags
+ log_level = var.log_level
+ logging_kms_key_id = var.logging_kms_key_id
+ logging_retention_in_days = var.logging_retention_in_days
+ metrics = var.metrics
+ role_path = var.role_path
+ role_permissions_boundary = var.role_permissions_boundary
+ s3_bucket = var.lambda_s3_bucket
+ s3_key = var.runners_lambda_s3_key
+ s3_object_version = var.runners_lambda_s3_object_version
+ zip = var.lambda_zip
+ tracing_config = var.tracing_config
+ github_app_parameters = var.github_app_parameters
+ enable_organization_runners = var.enable_organization_runners
+ sqs_build_queue = var.sqs_build_queue
+ ghes_url = var.ghes_url
+ lambda_event_source_mapping_batch_size = var.lambda_event_source_mapping_batch_size
+ lambda_event_source_mapping_maximum_batching_window_in_seconds = var.lambda_event_source_mapping_maximum_batching_window_in_seconds
}
}
diff --git a/modules/runners/job-retry/README.md b/modules/runners/job-retry/README.md
index 168f2d324e..7ecd69deeb 100644
--- a/modules/runners/job-retry/README.md
+++ b/modules/runners/job-retry/README.md
@@ -13,13 +13,13 @@ The module is an inner module and used by the runner module when the opt-in feat
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.3.0 |
-| [aws](#requirement\_aws) | >= 5.27 |
+| [aws](#requirement\_aws) | >= 6.21 |
## Providers
| Name | Version |
|------|---------|
-| [aws](#provider\_aws) | >= 5.27 |
+| [aws](#provider\_aws) | >= 6.21 |
## Modules
@@ -42,7 +42,7 @@ The module is an inner module and used by the runner module when the opt-in feat
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
-| [config](#input\_config) | Configuration for the spot termination watcher lambda function.
`aws_partition`: Partition for the base arn if not 'aws'
`architecture`: AWS Lambda architecture. Lambda functions using Graviton processors ('arm64') tend to have better price/performance than 'x86\_64' functions.
`environment_variables`: Environment variables for the lambda.
`enable_organization_runners`: Enable organization runners.
`enable_metric`: Enable metric for the lambda. If `spot_warning` is set to true, the lambda will emit a metric when it detects a spot termination warning.
'ghes\_url': Optional GitHub Enterprise Server URL.
'user\_agent': Optional User-Agent header for GitHub API requests.
'github\_app\_parameters': Parameter Store for GitHub App Parameters.
'kms\_key\_arn': Optional CMK Key ARN instead of using the default AWS managed key.
`lambda_principals`: Add extra principals to the role created for execution of the lambda, e.g. for local testing.
`lambda_tags`: Map of tags that will be added to created resources. By default resources will be tagged with name and environment.
`log_level`: Logging level for lambda logging. Valid values are 'silly', 'trace', 'debug', 'info', 'warn', 'error', 'fatal'.
`logging_kms_key_id`: Specifies the kms key id to encrypt the logs with
`logging_retention_in_days`: Specifies the number of days you want to retain log events for the lambda log group. Possible values are: 0, 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, and 3653.
`memory_size`: Memory size limit in MB of the lambda.
`metrics`: Configuration to enable metrics creation by the lambda.
`prefix`: The prefix used for naming resources.
`role_path`: The path that will be added to the role, if not set the environment name will be used.
`role_permissions_boundary`: Permissions boundary that will be added to the created role for the lambda.
`runtime`: AWS Lambda runtime.
`s3_bucket`: S3 bucket from which to specify lambda functions. This is an alternative to providing local files directly.
`s3_key`: S3 key for syncer lambda function. Required if using S3 bucket to specify lambdas.
`s3_object_version`: S3 object version for syncer lambda function. Useful if S3 versioning is enabled on source bucket.
`security_group_ids`: List of security group IDs associated with the Lambda function.
'sqs\_build\_queue': SQS queue for build events to re-publish job request.
`subnet_ids`: List of subnets in which the action runners will be launched, the subnets needs to be subnets in the `vpc_id`.
`tag_filters`: Map of tags that will be used to filter the resources to be tracked. Only for which all tags are present and starting with the same value as the value in the map will be tracked.
`tags`: Map of tags that will be added to created resources. By default resources will be tagged with name and environment.
`timeout`: Time out of the lambda in seconds.
`tracing_config`: Configuration for lambda tracing.
`zip`: File location of the lambda zip file. | object({
aws_partition = optional(string, null)
architecture = optional(string, null)
enable_organization_runners = bool
environment_variables = optional(map(string), {})
ghes_url = optional(string, null)
user_agent = optional(string, null)
github_app_parameters = object({
key_base64 = map(string)
id = map(string)
})
kms_key_arn = optional(string, null)
lambda_tags = optional(map(string), {})
log_level = optional(string, null)
logging_kms_key_id = optional(string, null)
logging_retention_in_days = optional(number, null)
memory_size = optional(number, null)
metrics = optional(object({
enable = optional(bool, false)
namespace = optional(string, null)
metric = optional(object({
enable_github_app_rate_limit = optional(bool, true)
enable_job_retry = optional(bool, true)
}), {})
}), {})
prefix = optional(string, null)
principals = optional(list(object({
type = string
identifiers = list(string)
})), [])
queue_encryption = optional(object({
kms_data_key_reuse_period_seconds = optional(number, null)
kms_master_key_id = optional(string, null)
sqs_managed_sse_enabled = optional(bool, true)
}), {})
role_path = optional(string, null)
role_permissions_boundary = optional(string, null)
runtime = optional(string, null)
security_group_ids = optional(list(string), [])
subnet_ids = optional(list(string), [])
s3_bucket = optional(string, null)
s3_key = optional(string, null)
s3_object_version = optional(string, null)
sqs_build_queue = object({
url = string
arn = string
})
tags = optional(map(string), {})
timeout = optional(number, 30)
tracing_config = optional(object({
mode = optional(string, null)
capture_http_requests = optional(bool, false)
capture_error = optional(bool, false)
}), {})
zip = optional(string, null)
}) | n/a | yes |
+| [config](#input\_config) | Configuration for the spot termination watcher lambda function.
`aws_partition`: Partition for the base arn if not 'aws'
`architecture`: AWS Lambda architecture. Lambda functions using Graviton processors ('arm64') tend to have better price/performance than 'x86\_64' functions.
`environment_variables`: Environment variables for the lambda.
`enable_organization_runners`: Enable organization runners.
`enable_metric`: Enable metric for the lambda. If `spot_warning` is set to true, the lambda will emit a metric when it detects a spot termination warning.
'ghes\_url': Optional GitHub Enterprise Server URL.
'user\_agent': Optional User-Agent header for GitHub API requests.
'github\_app\_parameters': Parameter Store for GitHub App Parameters.
'kms\_key\_arn': Optional CMK Key ARN instead of using the default AWS managed key.
`lambda_event_source_mapping_batch_size`: Maximum number of records to pass to the lambda function in a single batch for the event source mapping. When not set, the AWS default will be used.
`lambda_event_source_mapping_maximum_batching_window_in_seconds`: Maximum amount of time to gather records before invoking the lambda function, in seconds. AWS requires this to be greater than 0 if batch\_size is greater than 10.
`lambda_principals`: Add extra principals to the role created for execution of the lambda, e.g. for local testing.
`lambda_tags`: Map of tags that will be added to created resources. By default resources will be tagged with name and environment.
`log_level`: Logging level for lambda logging. Valid values are 'silly', 'trace', 'debug', 'info', 'warn', 'error', 'fatal'.
`logging_kms_key_id`: Specifies the kms key id to encrypt the logs with
`logging_retention_in_days`: Specifies the number of days you want to retain log events for the lambda log group. Possible values are: 0, 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, and 3653.
`memory_size`: Memory size limit in MB of the lambda.
`metrics`: Configuration to enable metrics creation by the lambda.
`prefix`: The prefix used for naming resources.
`role_path`: The path that will be added to the role, if not set the environment name will be used.
`role_permissions_boundary`: Permissions boundary that will be added to the created role for the lambda.
`runtime`: AWS Lambda runtime.
`s3_bucket`: S3 bucket from which to specify lambda functions. This is an alternative to providing local files directly.
`s3_key`: S3 key for syncer lambda function. Required if using S3 bucket to specify lambdas.
`s3_object_version`: S3 object version for syncer lambda function. Useful if S3 versioning is enabled on source bucket.
`security_group_ids`: List of security group IDs associated with the Lambda function.
'sqs\_build\_queue': SQS queue for build events to re-publish job request.
`subnet_ids`: List of subnets in which the action runners will be launched, the subnets needs to be subnets in the `vpc_id`.
`tag_filters`: Map of tags that will be used to filter the resources to be tracked. Only for which all tags are present and starting with the same value as the value in the map will be tracked.
`tags`: Map of tags that will be added to created resources. By default resources will be tagged with name and environment.
`timeout`: Time out of the lambda in seconds.
`tracing_config`: Configuration for lambda tracing.
`zip`: File location of the lambda zip file. | object({
aws_partition = optional(string, null)
architecture = optional(string, null)
enable_organization_runners = bool
environment_variables = optional(map(string), {})
ghes_url = optional(string, null)
user_agent = optional(string, null)
github_app_parameters = object({
key_base64 = map(string)
id = map(string)
})
kms_key_arn = optional(string, null)
lambda_event_source_mapping_batch_size = optional(number, 10)
lambda_event_source_mapping_maximum_batching_window_in_seconds = optional(number, 0)
lambda_tags = optional(map(string), {})
log_level = optional(string, null)
logging_kms_key_id = optional(string, null)
logging_retention_in_days = optional(number, null)
memory_size = optional(number, null)
metrics = optional(object({
enable = optional(bool, false)
namespace = optional(string, null)
metric = optional(object({
enable_github_app_rate_limit = optional(bool, true)
enable_job_retry = optional(bool, true)
}), {})
}), {})
prefix = optional(string, null)
principals = optional(list(object({
type = string
identifiers = list(string)
})), [])
queue_encryption = optional(object({
kms_data_key_reuse_period_seconds = optional(number, null)
kms_master_key_id = optional(string, null)
sqs_managed_sse_enabled = optional(bool, true)
}), {})
role_path = optional(string, null)
role_permissions_boundary = optional(string, null)
runtime = optional(string, null)
security_group_ids = optional(list(string), [])
subnet_ids = optional(list(string), [])
s3_bucket = optional(string, null)
s3_key = optional(string, null)
s3_object_version = optional(string, null)
sqs_build_queue = object({
url = string
arn = string
})
tags = optional(map(string), {})
timeout = optional(number, 30)
tracing_config = optional(object({
mode = optional(string, null)
capture_http_requests = optional(bool, false)
capture_error = optional(bool, false)
}), {})
zip = optional(string, null)
}) | n/a | yes |
## Outputs
diff --git a/modules/runners/job-retry/main.tf b/modules/runners/job-retry/main.tf
index 807f52a49a..eba478b214 100644
--- a/modules/runners/job-retry/main.tf
+++ b/modules/runners/job-retry/main.tf
@@ -44,9 +44,10 @@ module "job_retry" {
}
resource "aws_lambda_event_source_mapping" "job_retry" {
- event_source_arn = aws_sqs_queue.job_retry_check_queue.arn
- function_name = module.job_retry.lambda.function.arn
- batch_size = 1
+ event_source_arn = aws_sqs_queue.job_retry_check_queue.arn
+ function_name = module.job_retry.lambda.function.arn
+ batch_size = var.config.lambda_event_source_mapping_batch_size
+ maximum_batching_window_in_seconds = var.config.lambda_event_source_mapping_maximum_batching_window_in_seconds
}
resource "aws_lambda_permission" "job_retry" {
diff --git a/modules/runners/job-retry/variables.tf b/modules/runners/job-retry/variables.tf
index 4741dd1b45..7ccfdf63b3 100644
--- a/modules/runners/job-retry/variables.tf
+++ b/modules/runners/job-retry/variables.tf
@@ -11,6 +11,8 @@ variable "config" {
'user_agent': Optional User-Agent header for GitHub API requests.
'github_app_parameters': Parameter Store for GitHub App Parameters.
'kms_key_arn': Optional CMK Key ARN instead of using the default AWS managed key.
+ `lambda_event_source_mapping_batch_size`: Maximum number of records to pass to the lambda function in a single batch for the event source mapping. When not set, the AWS default will be used.
+ `lambda_event_source_mapping_maximum_batching_window_in_seconds`: Maximum amount of time to gather records before invoking the lambda function, in seconds. AWS requires this to be greater than 0 if batch_size is greater than 10.
`lambda_principals`: Add extra principals to the role created for execution of the lambda, e.g. for local testing.
`lambda_tags`: Map of tags that will be added to created resources. By default resources will be tagged with name and environment.
`log_level`: Logging level for lambda logging. Valid values are 'silly', 'trace', 'debug', 'info', 'warn', 'error', 'fatal'.
@@ -45,12 +47,14 @@ variable "config" {
key_base64 = map(string)
id = map(string)
})
- kms_key_arn = optional(string, null)
- lambda_tags = optional(map(string), {})
- log_level = optional(string, null)
- logging_kms_key_id = optional(string, null)
- logging_retention_in_days = optional(number, null)
- memory_size = optional(number, null)
+ kms_key_arn = optional(string, null)
+ lambda_event_source_mapping_batch_size = optional(number, 10)
+ lambda_event_source_mapping_maximum_batching_window_in_seconds = optional(number, 0)
+ lambda_tags = optional(map(string), {})
+ log_level = optional(string, null)
+ logging_kms_key_id = optional(string, null)
+ logging_retention_in_days = optional(number, null)
+ memory_size = optional(number, null)
metrics = optional(object({
enable = optional(bool, false)
namespace = optional(string, null)
diff --git a/modules/runners/job-retry/versions.tf b/modules/runners/job-retry/versions.tf
index 33f3480ddf..42a40b33fd 100644
--- a/modules/runners/job-retry/versions.tf
+++ b/modules/runners/job-retry/versions.tf
@@ -4,7 +4,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
- version = ">= 5.27"
+ version = ">= 6.21"
}
}
}
diff --git a/modules/runners/main.tf b/modules/runners/main.tf
index 68365f2280..5522c5fb45 100644
--- a/modules/runners/main.tf
+++ b/modules/runners/main.tf
@@ -37,16 +37,18 @@ locals {
"linux" = "${path.module}/templates/start-runner.sh"
}
- # Handle AMI configuration from either the new object or old variables
+ # Handle AMI configuration
ami_config = var.ami != null ? var.ami : {
- filter = var.ami_filter
- owners = var.ami_owners
+ filter = local.default_ami[var.runner_os]
+ owners = ["amazon"]
id_ssm_parameter_arn = null
- kms_key_arn = var.ami_kms_key_arn
+ kms_key_arn = null
}
ami_kms_key_arn = local.ami_config.kms_key_arn != null ? local.ami_config.kms_key_arn : ""
ami_filter = merge(local.default_ami[var.runner_os], local.ami_config.filter)
ami_id_ssm_module_managed = local.ami_config.id_ssm_parameter_arn == null
+ # Extract parameter name from ARN (format: arn:aws:ssm:region:account:parameter/path/to/param)
+ ami_id_ssm_parameter_name = local.ami_id_ssm_module_managed ? null : try(regex("parameter/(.+)$", local.ami_config.id_ssm_parameter_arn)[0], null)
enable_job_queued_check = var.enable_job_queued_check == null ? !var.enable_ephemeral_runners : var.enable_job_queued_check
@@ -169,6 +171,21 @@ resource "aws_launch_template" "runner" {
}
}
+ dynamic "placement" {
+ for_each = var.placement != null ? [var.placement] : []
+ content {
+ affinity = try(placement.value.affinity, null)
+ availability_zone = try(placement.value.availability_zone, null)
+ group_id = try(placement.value.group_id, null)
+ group_name = try(placement.value.group_name, null)
+ host_id = try(placement.value.host_id, null)
+ host_resource_group_arn = try(placement.value.host_resource_group_arn, null)
+ spread_domain = try(placement.value.spread_domain, null)
+ tenancy = try(placement.value.tenancy, null)
+ partition_number = try(placement.value.partition_number, null)
+ }
+ }
+
monitoring {
enabled = var.enable_runner_detailed_monitoring
}
diff --git a/modules/runners/policies-lambda-common.tf b/modules/runners/policies-lambda-common.tf
index feb0d39fd9..0e9b2eace9 100644
--- a/modules/runners/policies-lambda-common.tf
+++ b/modules/runners/policies-lambda-common.tf
@@ -10,7 +10,7 @@ data "aws_iam_policy_document" "lambda_assume_role_policy" {
}
resource "aws_iam_policy" "ami_id_ssm_parameter_read" {
- count = var.ami_id_ssm_parameter_name != null ? 1 : 0
+ count = local.ami_id_ssm_parameter_name != null ? 1 : 0
name = "${var.prefix}-ami-id-ssm-parameter-read"
path = local.role_path
description = "Allows for reading ${var.prefix} GitHub runner AMI ID from an SSM parameter"
@@ -25,7 +25,7 @@ resource "aws_iam_policy" "ami_id_ssm_parameter_read" {
"ssm:GetParameter"
],
"Resource": [
- "arn:${var.aws_partition}:ssm:${var.aws_region}:${data.aws_caller_identity.current.account_id}:parameter/${trimprefix(var.ami_id_ssm_parameter_name, "/")}"
+ "arn:${var.aws_partition}:ssm:${var.aws_region}:${data.aws_caller_identity.current.account_id}:parameter/${trimprefix(local.ami_id_ssm_parameter_name, "/")}"
]
}
]
diff --git a/modules/runners/pool.tf b/modules/runners/pool.tf
index 2762008ebf..2019ebbc6f 100644
--- a/modules/runners/pool.tf
+++ b/modules/runners/pool.tf
@@ -53,8 +53,8 @@ module "pool" {
subnet_ids = var.subnet_ids
ssm_token_path = "${var.ssm_paths.root}/${var.ssm_paths.tokens}"
ssm_config_path = "${var.ssm_paths.root}/${var.ssm_paths.config}"
- ami_id_ssm_parameter_name = var.ami_id_ssm_parameter_name
- ami_id_ssm_parameter_read_policy_arn = var.ami_id_ssm_parameter_name != null ? aws_iam_policy.ami_id_ssm_parameter_read[0].arn : null
+ ami_id_ssm_parameter_name = local.ami_id_ssm_parameter_name
+ ami_id_ssm_parameter_read_policy_arn = local.ami_id_ssm_parameter_name != null ? aws_iam_policy.ami_id_ssm_parameter_read[0].arn : null
tags = local.tags
lambda_tags = var.lambda_tags
arn_ssm_parameters_path_config = local.arn_ssm_parameters_path_config
diff --git a/modules/runners/pool/README.md b/modules/runners/pool/README.md
index 052a8be60c..4bd268c37c 100644
--- a/modules/runners/pool/README.md
+++ b/modules/runners/pool/README.md
@@ -11,13 +11,13 @@ The pool is an opt-in feature. To be able to use the count on a module level to
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 0.14.1 |
-| [aws](#requirement\_aws) | >= 5.27 |
+| [aws](#requirement\_aws) | >= 6.21 |
## Providers
| Name | Version |
|------|---------|
-| [aws](#provider\_aws) | >= 5.27 |
+| [aws](#provider\_aws) | >= 6.21 |
## Modules
diff --git a/modules/runners/pool/versions.tf b/modules/runners/pool/versions.tf
index 5e8b391414..bceee0424e 100644
--- a/modules/runners/pool/versions.tf
+++ b/modules/runners/pool/versions.tf
@@ -4,7 +4,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
- version = ">= 5.27"
+ version = ">= 6.21"
}
}
}
diff --git a/modules/runners/scale-up.tf b/modules/runners/scale-up.tf
index 89d95a50d0..b97fefed4f 100644
--- a/modules/runners/scale-up.tf
+++ b/modules/runners/scale-up.tf
@@ -25,7 +25,7 @@ resource "aws_lambda_function" "scale_up" {
architectures = [var.lambda_architecture]
environment {
variables = {
- AMI_ID_SSM_PARAMETER_NAME = var.ami_id_ssm_parameter_name
+ AMI_ID_SSM_PARAMETER_NAME = local.ami_id_ssm_parameter_name
DISABLE_RUNNER_AUTOUPDATE = var.disable_runner_autoupdate
ENABLE_EPHEMERAL_RUNNERS = var.enable_ephemeral_runners
ENABLE_JIT_CONFIG = var.enable_jit_config
@@ -87,10 +87,12 @@ resource "aws_cloudwatch_log_group" "scale_up" {
}
resource "aws_lambda_event_source_mapping" "scale_up" {
- event_source_arn = var.sqs_build_queue.arn
- function_name = aws_lambda_function.scale_up.arn
- batch_size = 1
- tags = var.tags
+ event_source_arn = var.sqs_build_queue.arn
+ function_name = aws_lambda_function.scale_up.arn
+ function_response_types = ["ReportBatchItemFailures"]
+ batch_size = var.lambda_event_source_mapping_batch_size
+ maximum_batching_window_in_seconds = var.lambda_event_source_mapping_maximum_batching_window_in_seconds
+ tags = var.tags
}
resource "aws_lambda_permission" "scale_runners_lambda" {
@@ -146,7 +148,7 @@ resource "aws_iam_role_policy_attachment" "scale_up_vpc_execution_role" {
}
resource "aws_iam_role_policy_attachment" "ami_id_ssm_parameter_read" {
- count = var.ami_id_ssm_parameter_name != null ? 1 : 0
+ count = local.ami_id_ssm_parameter_name != null ? 1 : 0
role = aws_iam_role.scale_up.name
policy_arn = aws_iam_policy.ami_id_ssm_parameter_read[0].arn
}
diff --git a/modules/runners/variables.tf b/modules/runners/variables.tf
index 352285e786..8c8a1a136c 100644
--- a/modules/runners/variables.tf
+++ b/modules/runners/variables.tf
@@ -135,34 +135,6 @@ variable "instance_types" {
default = null
}
-variable "ami_filter" {
- description = "[DEPRECATED: Use ami.filter] Map of lists used to create the AMI filter for the action runner AMI."
- type = map(list(string))
- default = { state = ["available"] }
- validation {
- # check the availability of the AMI
- condition = contains(keys(var.ami_filter), "state")
- error_message = "The \"ami_filter\" variable must contain the \"state\" key with the value \"available\"."
- }
-}
-
-variable "ami_owners" {
- description = "[DEPRECATED: Use ami.owners] The list of owners used to select the AMI of action runner instances."
- type = list(string)
- default = ["amazon"]
-}
-
-variable "ami_id_ssm_parameter_name" {
- description = "[DEPRECATED: Use ami.id_ssm_parameter_name] Externally managed SSM parameter (of data type aws:ec2:image) that contains the AMI ID to launch runner instances from. Overrides ami_filter"
- type = string
- default = null
-}
-
-variable "ami_kms_key_arn" {
- description = "[DEPRECATED: Use ami.kms_key_arn] Optional CMK Key ARN to be used to launch an instance from a shared encrypted AMI"
- type = string
- default = null
-}
variable "enable_userdata" {
description = "Should the userdata script be enabled for the runner. Set this to false if you are using your own prebuilt AMI"
@@ -597,7 +569,7 @@ variable "disable_runner_autoupdate" {
variable "lambda_runtime" {
description = "AWS Lambda runtime."
type = string
- default = "nodejs22.x"
+ default = "nodejs24.x"
}
variable "lambda_architecture" {
@@ -671,6 +643,22 @@ variable "cpu_options" {
default = null
}
+variable "placement" {
+ description = "The placement options for the instance. See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_template#placement for details."
+ type = object({
+ affinity = optional(string)
+ availability_zone = optional(string)
+ group_id = optional(string)
+ group_name = optional(string)
+ host_id = optional(string)
+ host_resource_group_arn = optional(number)
+ spread_domain = optional(string)
+ tenancy = optional(string)
+ partition_number = optional(number)
+ })
+ default = null
+}
+
variable "enable_jit_config" {
description = "Overwrite the default behavior for JIT configuration. By default JIT configuration is enabled for ephemeral runners and disabled for non-ephemeral runners. In case of GHES check first if the JIT config API is available. In case you are upgrading from 3.x to 4.x you can set `enable_jit_config` to `false` to avoid a breaking change when having your own AMI."
type = bool
@@ -770,3 +758,23 @@ variable "user_agent" {
type = string
default = null
}
+
+variable "lambda_event_source_mapping_batch_size" {
+ description = "Maximum number of records to pass to the lambda function in a single batch for the event source mapping. When not set, the AWS default of 10 events will be used."
+ type = number
+ default = 10
+ validation {
+ condition = var.lambda_event_source_mapping_batch_size >= 1 && var.lambda_event_source_mapping_batch_size <= 1000
+ error_message = "The batch size for the lambda event source mapping must be between 1 and 1000."
+ }
+}
+
+variable "lambda_event_source_mapping_maximum_batching_window_in_seconds" {
+ description = "Maximum amount of time to gather records before invoking the lambda function, in seconds. AWS requires this to be greater than 0 if batch_size is greater than 10. Defaults to 0."
+ type = number
+ default = 0
+ validation {
+ condition = var.lambda_event_source_mapping_maximum_batching_window_in_seconds >= 0 && var.lambda_event_source_mapping_maximum_batching_window_in_seconds <= 300
+ error_message = "Maximum batching window must be between 0 and 300 seconds."
+ }
+}
diff --git a/modules/runners/versions.tf b/modules/runners/versions.tf
index 33f3480ddf..42a40b33fd 100644
--- a/modules/runners/versions.tf
+++ b/modules/runners/versions.tf
@@ -4,7 +4,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
- version = ">= 5.27"
+ version = ">= 6.21"
}
}
}
diff --git a/modules/setup-iam-permissions/README.md b/modules/setup-iam-permissions/README.md
index 29096519ae..f2401278c0 100644
--- a/modules/setup-iam-permissions/README.md
+++ b/modules/setup-iam-permissions/README.md
@@ -42,13 +42,13 @@ Next execute the created Terraform code via `terraform init && terraform apply`.
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.3.0 |
-| [aws](#requirement\_aws) | >= 5.27 |
+| [aws](#requirement\_aws) | >= 6.21 |
## Providers
| Name | Version |
|------|---------|
-| [aws](#provider\_aws) | >= 5.27 |
+| [aws](#provider\_aws) | >= 6.21 |
## Modules
diff --git a/modules/setup-iam-permissions/versions.tf b/modules/setup-iam-permissions/versions.tf
index 33f3480ddf..42a40b33fd 100644
--- a/modules/setup-iam-permissions/versions.tf
+++ b/modules/setup-iam-permissions/versions.tf
@@ -4,7 +4,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
- version = ">= 5.27"
+ version = ">= 6.21"
}
}
}
diff --git a/modules/ssm/README.md b/modules/ssm/README.md
index cb23d3aa87..19b872e919 100644
--- a/modules/ssm/README.md
+++ b/modules/ssm/README.md
@@ -10,13 +10,13 @@ This module is used for storing configuration of runners, registration tokens an
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.3.0 |
-| [aws](#requirement\_aws) | >= 5.27 |
+| [aws](#requirement\_aws) | >= 6.21 |
## Providers
| Name | Version |
|------|---------|
-| [aws](#provider\_aws) | >= 5.27 |
+| [aws](#provider\_aws) | >= 6.21 |
## Modules
diff --git a/modules/ssm/versions.tf b/modules/ssm/versions.tf
index 33f3480ddf..42a40b33fd 100644
--- a/modules/ssm/versions.tf
+++ b/modules/ssm/versions.tf
@@ -4,7 +4,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
- version = ">= 5.27"
+ version = ">= 6.21"
}
}
}
diff --git a/modules/termination-watcher/README.md b/modules/termination-watcher/README.md
index c79939065f..788f4c5c13 100644
--- a/modules/termination-watcher/README.md
+++ b/modules/termination-watcher/README.md
@@ -61,7 +61,7 @@ yarn run dist
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.3.0 |
-| [aws](#requirement\_aws) | >= 5.27 |
+| [aws](#requirement\_aws) | >= 6.21 |
## Providers
diff --git a/modules/termination-watcher/notification/README.md b/modules/termination-watcher/notification/README.md
index a6de04ac27..1a26de3bce 100644
--- a/modules/termination-watcher/notification/README.md
+++ b/modules/termination-watcher/notification/README.md
@@ -4,13 +4,13 @@
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.3.0 |
-| [aws](#requirement\_aws) | >= 5.27 |
+| [aws](#requirement\_aws) | >= 6.21 |
## Providers
| Name | Version |
|------|---------|
-| [aws](#provider\_aws) | >= 5.27 |
+| [aws](#provider\_aws) | >= 6.21 |
## Modules
diff --git a/modules/termination-watcher/notification/versions.tf b/modules/termination-watcher/notification/versions.tf
index 33f3480ddf..42a40b33fd 100644
--- a/modules/termination-watcher/notification/versions.tf
+++ b/modules/termination-watcher/notification/versions.tf
@@ -4,7 +4,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
- version = ">= 5.27"
+ version = ">= 6.21"
}
}
}
diff --git a/modules/termination-watcher/termination/README.md b/modules/termination-watcher/termination/README.md
index 28b321aaa3..22912b9646 100644
--- a/modules/termination-watcher/termination/README.md
+++ b/modules/termination-watcher/termination/README.md
@@ -4,13 +4,13 @@
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.3.0 |
-| [aws](#requirement\_aws) | >= 5.27 |
+| [aws](#requirement\_aws) | >= 6.21 |
## Providers
| Name | Version |
|------|---------|
-| [aws](#provider\_aws) | >= 5.27 |
+| [aws](#provider\_aws) | >= 6.21 |
## Modules
diff --git a/modules/termination-watcher/termination/versions.tf b/modules/termination-watcher/termination/versions.tf
index 33f3480ddf..42a40b33fd 100644
--- a/modules/termination-watcher/termination/versions.tf
+++ b/modules/termination-watcher/termination/versions.tf
@@ -4,7 +4,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
- version = ">= 5.27"
+ version = ">= 6.21"
}
}
}
diff --git a/modules/termination-watcher/versions.tf b/modules/termination-watcher/versions.tf
index 33f3480ddf..42a40b33fd 100644
--- a/modules/termination-watcher/versions.tf
+++ b/modules/termination-watcher/versions.tf
@@ -4,7 +4,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
- version = ">= 5.27"
+ version = ">= 6.21"
}
}
}
diff --git a/modules/webhook-github-app/README.md b/modules/webhook-github-app/README.md
index 0c09a761c5..6de85ee30d 100644
--- a/modules/webhook-github-app/README.md
+++ b/modules/webhook-github-app/README.md
@@ -34,7 +34,7 @@ No modules.
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
-| [github\_app](#input\_github\_app) | GitHub app parameters, see your github app. Ensure the key is the base64-encoded `.pem` file (the output of `base64 app.private-key.pem`, not the content of `private-key.pem`). | object({
key_base64 = string
id = string
webhook_secret = string
}) | n/a | yes |
+| [github\_app](#input\_github\_app) | GitHub app parameters, see your GitHub app. Ensure the key is the base64-encoded `.pem` file (the output of `base64 app.private-key.pem`, not the content of `private-key.pem`). | object({
key_base64 = string
id = string
webhook_secret = string
}) | n/a | yes |
| [webhook\_endpoint](#input\_webhook\_endpoint) | The endpoint to use for the webhook, defaults to the endpoint of the runners module. | `string` | n/a | yes |
## Outputs
diff --git a/modules/webhook/README.md b/modules/webhook/README.md
index 0dbd1429cf..10b0179672 100644
--- a/modules/webhook/README.md
+++ b/modules/webhook/README.md
@@ -36,14 +36,14 @@ yarn run dist
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.3.0 |
-| [aws](#requirement\_aws) | >= 5.27 |
+| [aws](#requirement\_aws) | >= 6.21 |
| [null](#requirement\_null) | ~> 3 |
## Providers
| Name | Version |
|------|---------|
-| [aws](#provider\_aws) | >= 5.27 |
+| [aws](#provider\_aws) | >= 6.21 |
## Modules
@@ -72,7 +72,7 @@ yarn run dist
| [kms\_key\_arn](#input\_kms\_key\_arn) | Optional CMK Key ARN to be used for Parameter Store. | `string` | `null` | no |
| [lambda\_architecture](#input\_lambda\_architecture) | AWS Lambda architecture. Lambda functions using Graviton processors ('arm64') tend to have better price/performance than 'x86\_64' functions. | `string` | `"arm64"` | no |
| [lambda\_memory\_size](#input\_lambda\_memory\_size) | Memory size limit in MB for lambda. | `number` | `256` | no |
-| [lambda\_runtime](#input\_lambda\_runtime) | AWS Lambda runtime. | `string` | `"nodejs22.x"` | no |
+| [lambda\_runtime](#input\_lambda\_runtime) | AWS Lambda runtime. | `string` | `"nodejs24.x"` | no |
| [lambda\_s3\_bucket](#input\_lambda\_s3\_bucket) | S3 bucket from which to specify lambda functions. This is an alternative to providing local files directly. | `string` | `null` | no |
| [lambda\_security\_group\_ids](#input\_lambda\_security\_group\_ids) | List of security group IDs associated with the Lambda function. | `list(string)` | `[]` | no |
| [lambda\_subnet\_ids](#input\_lambda\_subnet\_ids) | List of subnets in which the action runners will be launched, the subnets needs to be subnets in the `vpc_id`. | `list(string)` | `[]` | no |
diff --git a/modules/webhook/direct/README.md b/modules/webhook/direct/README.md
index ee3db410b9..aa69347ae4 100644
--- a/modules/webhook/direct/README.md
+++ b/modules/webhook/direct/README.md
@@ -4,14 +4,14 @@
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.3.0 |
-| [aws](#requirement\_aws) | >= 5.27 |
+| [aws](#requirement\_aws) | >= 6.21 |
| [null](#requirement\_null) | ~> 3.2 |
## Providers
| Name | Version |
|------|---------|
-| [aws](#provider\_aws) | >= 5.27 |
+| [aws](#provider\_aws) | >= 6.21 |
| [null](#provider\_null) | ~> 3.2 |
## Modules
@@ -40,7 +40,7 @@ No modules.
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
-| [config](#input\_config) | Configuration object for all variables. | object({
prefix = string
archive = optional(object({
enable = optional(bool, true)
retention_days = optional(number, 7)
}), {})
tags = optional(map(string), {})
lambda_subnet_ids = optional(list(string), [])
lambda_security_group_ids = optional(list(string), [])
sqs_job_queues_arns = list(string)
lambda_zip = optional(string, null)
lambda_memory_size = optional(number, 256)
lambda_timeout = optional(number, 10)
role_permissions_boundary = optional(string, null)
role_path = optional(string, null)
logging_retention_in_days = optional(number, 180)
logging_kms_key_id = optional(string, null)
lambda_s3_bucket = optional(string, null)
lambda_s3_key = optional(string, null)
lambda_s3_object_version = optional(string, null)
lambda_apigateway_access_log_settings = optional(object({
destination_arn = string
format = string
}), null)
repository_white_list = optional(list(string), [])
kms_key_arn = optional(string, null)
log_level = optional(string, "info")
lambda_runtime = optional(string, "nodejs22.x")
aws_partition = optional(string, "aws")
lambda_architecture = optional(string, "arm64")
github_app_parameters = object({
webhook_secret = map(string)
})
tracing_config = optional(object({
mode = optional(string, null)
capture_http_requests = optional(bool, false)
capture_error = optional(bool, false)
}), {})
lambda_tags = optional(map(string), {})
api_gw_source_arn = string
ssm_parameter_runner_matcher_config = list(object({
name = string
arn = string
version = string
}))
}) | n/a | yes |
+| [config](#input\_config) | Configuration object for all variables. | object({
prefix = string
archive = optional(object({
enable = optional(bool, true)
retention_days = optional(number, 7)
}), {})
tags = optional(map(string), {})
lambda_subnet_ids = optional(list(string), [])
lambda_security_group_ids = optional(list(string), [])
sqs_job_queues_arns = list(string)
lambda_zip = optional(string, null)
lambda_memory_size = optional(number, 256)
lambda_timeout = optional(number, 10)
role_permissions_boundary = optional(string, null)
role_path = optional(string, null)
logging_retention_in_days = optional(number, 180)
logging_kms_key_id = optional(string, null)
lambda_s3_bucket = optional(string, null)
lambda_s3_key = optional(string, null)
lambda_s3_object_version = optional(string, null)
lambda_apigateway_access_log_settings = optional(object({
destination_arn = string
format = string
}), null)
repository_white_list = optional(list(string), [])
kms_key_arn = optional(string, null)
log_level = optional(string, "info")
lambda_runtime = optional(string, "nodejs24.x")
aws_partition = optional(string, "aws")
lambda_architecture = optional(string, "arm64")
github_app_parameters = object({
webhook_secret = map(string)
})
tracing_config = optional(object({
mode = optional(string, null)
capture_http_requests = optional(bool, false)
capture_error = optional(bool, false)
}), {})
lambda_tags = optional(map(string), {})
api_gw_source_arn = string
ssm_parameter_runner_matcher_config = list(object({
name = string
arn = string
version = string
}))
}) | n/a | yes |
## Outputs
diff --git a/modules/webhook/direct/variables.tf b/modules/webhook/direct/variables.tf
index 2a1b559c92..5da98e548a 100644
--- a/modules/webhook/direct/variables.tf
+++ b/modules/webhook/direct/variables.tf
@@ -28,7 +28,7 @@ variable "config" {
repository_white_list = optional(list(string), [])
kms_key_arn = optional(string, null)
log_level = optional(string, "info")
- lambda_runtime = optional(string, "nodejs22.x")
+ lambda_runtime = optional(string, "nodejs24.x")
aws_partition = optional(string, "aws")
lambda_architecture = optional(string, "arm64")
github_app_parameters = object({
diff --git a/modules/webhook/direct/versions.tf b/modules/webhook/direct/versions.tf
index 3f6adcb64a..82776fc618 100644
--- a/modules/webhook/direct/versions.tf
+++ b/modules/webhook/direct/versions.tf
@@ -4,7 +4,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
- version = ">= 5.27"
+ version = ">= 6.21"
}
null = {
diff --git a/modules/webhook/eventbridge/README.md b/modules/webhook/eventbridge/README.md
index 329ac3c232..5c22c69010 100644
--- a/modules/webhook/eventbridge/README.md
+++ b/modules/webhook/eventbridge/README.md
@@ -4,14 +4,14 @@
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.3.0 |
-| [aws](#requirement\_aws) | >= 5.0 |
+| [aws](#requirement\_aws) | >= 6.21 |
| [null](#requirement\_null) | ~> 3.2 |
## Providers
| Name | Version |
|------|---------|
-| [aws](#provider\_aws) | >= 5.0 |
+| [aws](#provider\_aws) | >= 6.21 |
| [null](#provider\_null) | ~> 3.2 |
## Modules
@@ -54,7 +54,7 @@ No modules.
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
-| [config](#input\_config) | Configuration object for all variables. | object({
prefix = string
archive = optional(object({
enable = optional(bool, true)
retention_days = optional(number, 7)
}), {})
tags = optional(map(string), {})
lambda_subnet_ids = optional(list(string), [])
lambda_security_group_ids = optional(list(string), [])
sqs_job_queues_arns = list(string)
lambda_zip = optional(string, null)
lambda_memory_size = optional(number, 256)
lambda_timeout = optional(number, 10)
role_permissions_boundary = optional(string, null)
role_path = optional(string, null)
logging_retention_in_days = optional(number, 180)
logging_kms_key_id = optional(string, null)
lambda_s3_bucket = optional(string, null)
lambda_s3_key = optional(string, null)
lambda_s3_object_version = optional(string, null)
lambda_apigateway_access_log_settings = optional(object({
destination_arn = string
format = string
}), null)
repository_white_list = optional(list(string), [])
kms_key_arn = optional(string, null)
log_level = optional(string, "info")
lambda_runtime = optional(string, "nodejs22.x")
aws_partition = optional(string, "aws")
lambda_architecture = optional(string, "arm64")
github_app_parameters = object({
webhook_secret = map(string)
})
tracing_config = optional(object({
mode = optional(string, null)
capture_http_requests = optional(bool, false)
capture_error = optional(bool, false)
}), {})
lambda_tags = optional(map(string), {})
api_gw_source_arn = string
ssm_parameter_runner_matcher_config = list(object({
name = string
arn = string
version = string
}))
accept_events = optional(list(string), null)
}) | n/a | yes |
+| [config](#input\_config) | Configuration object for all variables. | object({
prefix = string
archive = optional(object({
enable = optional(bool, true)
retention_days = optional(number, 7)
}), {})
tags = optional(map(string), {})
lambda_subnet_ids = optional(list(string), [])
lambda_security_group_ids = optional(list(string), [])
sqs_job_queues_arns = list(string)
lambda_zip = optional(string, null)
lambda_memory_size = optional(number, 256)
lambda_timeout = optional(number, 10)
role_permissions_boundary = optional(string, null)
role_path = optional(string, null)
logging_retention_in_days = optional(number, 180)
logging_kms_key_id = optional(string, null)
lambda_s3_bucket = optional(string, null)
lambda_s3_key = optional(string, null)
lambda_s3_object_version = optional(string, null)
lambda_apigateway_access_log_settings = optional(object({
destination_arn = string
format = string
}), null)
repository_white_list = optional(list(string), [])
kms_key_arn = optional(string, null)
log_level = optional(string, "info")
lambda_runtime = optional(string, "nodejs24.x")
aws_partition = optional(string, "aws")
lambda_architecture = optional(string, "arm64")
github_app_parameters = object({
webhook_secret = map(string)
})
tracing_config = optional(object({
mode = optional(string, null)
capture_http_requests = optional(bool, false)
capture_error = optional(bool, false)
}), {})
lambda_tags = optional(map(string), {})
api_gw_source_arn = string
ssm_parameter_runner_matcher_config = list(object({
name = string
arn = string
version = string
}))
accept_events = optional(list(string), null)
}) | n/a | yes |
## Outputs
diff --git a/modules/webhook/eventbridge/variables.tf b/modules/webhook/eventbridge/variables.tf
index 8a884a6ba3..e39f24ab6d 100644
--- a/modules/webhook/eventbridge/variables.tf
+++ b/modules/webhook/eventbridge/variables.tf
@@ -28,7 +28,7 @@ variable "config" {
repository_white_list = optional(list(string), [])
kms_key_arn = optional(string, null)
log_level = optional(string, "info")
- lambda_runtime = optional(string, "nodejs22.x")
+ lambda_runtime = optional(string, "nodejs24.x")
aws_partition = optional(string, "aws")
lambda_architecture = optional(string, "arm64")
github_app_parameters = object({
diff --git a/modules/webhook/eventbridge/versions.tf b/modules/webhook/eventbridge/versions.tf
index a3c66b7b40..82776fc618 100644
--- a/modules/webhook/eventbridge/versions.tf
+++ b/modules/webhook/eventbridge/versions.tf
@@ -4,7 +4,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
- version = ">= 5.0"
+ version = ">= 6.21"
}
null = {
diff --git a/modules/webhook/variables.tf b/modules/webhook/variables.tf
index c1683f2d3c..5f0a39c0d2 100644
--- a/modules/webhook/variables.tf
+++ b/modules/webhook/variables.tf
@@ -142,7 +142,7 @@ variable "log_level" {
variable "lambda_runtime" {
description = "AWS Lambda runtime."
type = string
- default = "nodejs22.x"
+ default = "nodejs24.x"
}
variable "aws_partition" {
diff --git a/modules/webhook/versions.tf b/modules/webhook/versions.tf
index 14f948428d..e864c4f9ed 100644
--- a/modules/webhook/versions.tf
+++ b/modules/webhook/versions.tf
@@ -4,7 +4,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
- version = ">= 5.27"
+ version = ">= 6.21"
}
null = {
diff --git a/outputs.tf b/outputs.tf
index 84d1842256..fdf4a37801 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -75,16 +75,3 @@ output "instance_termination_handler" {
lambda_role = module.instance_termination_watcher[0].spot_termination_handler.lambda_role
} : null
}
-
-output "deprecated_variables_warning" {
- description = "Warning for deprecated variables usage. These variables will be removed in a future release. Please migrate to using the consolidated 'ami' object."
- value = join("", [
- # Show object migration warning only when ami is null and old variables are used
- var.ami == null ? join("", [
- (var.ami_filter != { state = ["available"] } || var.ami_owners != ["amazon"] || var.ami_kms_key_arn != null) ?
- "DEPRECATION WARNING: You are using the deprecated AMI variables (ami_filter, ami_owners, ami_kms_key_arn). These variables will be removed in a future version. Please migrate to using the consolidated 'ami' object.\n" : "",
- ]) : "",
- # Always show warning for ami_id_ssm_parameter_name to migrate to ami_id_ssm_parameter_arn
- var.ami_id_ssm_parameter_name != null ? "DEPRECATION WARNING: The variable 'ami_id_ssm_parameter_name' is deprecated and will be removed in a future version. Please use 'ami.id_ssm_parameter_arn' instead.\n" : ""
- ])
-}
diff --git a/variables.tf b/variables.tf
index 0bf3563145..bc9d3abac5 100644
--- a/variables.tf
+++ b/variables.tf
@@ -393,35 +393,6 @@ EOT
default = null
}
-variable "ami_filter" {
- description = "[DEPRECATED: Use ami.filter] Map of lists used to create the AMI filter for the action runner AMI."
- type = map(list(string))
- default = { state = ["available"] }
- validation {
- # check the availability of the AMI
- condition = contains(keys(var.ami_filter), "state")
- error_message = "The AMI filter must contain the state filter."
- }
-}
-
-variable "ami_owners" {
- description = "[DEPRECATED: Use ami.owners] The list of owners that should be used to find the AMI."
- type = list(string)
- default = ["amazon"]
-}
-
-variable "ami_id_ssm_parameter_name" {
- description = "[DEPRECATED: Use ami.id_ssm_parameter_arn] String used to construct the SSM parameter name used to resolve the latest AMI ID for the runner instances. The SSM parameter should be of type String and contain a valid AMI ID. The default behavior is to use the latest Ubuntu 22.04 AMI."
- type = string
- default = null
-}
-
-variable "ami_kms_key_arn" {
- description = "[DEPRECATED: Use ami.kms_key_arn] Optional CMK Key ARN to be used to launch an instance from a shared encrypted AMI"
- type = string
- default = null
-}
-
variable "lambda_s3_bucket" {
description = "S3 bucket from which to specify lambda functions. This is an alternative to providing local files directly."
type = string
@@ -781,7 +752,7 @@ variable "disable_runner_autoupdate" {
variable "lambda_runtime" {
description = "AWS Lambda runtime."
type = string
- default = "nodejs22.x"
+ default = "nodejs24.x"
}
variable "lambda_architecture" {
@@ -887,6 +858,22 @@ variable "runner_cpu_options" {
default = null
}
+variable "runner_placement" {
+ description = "The placement options for the instance. See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_template#placement for details."
+ type = object({
+ affinity = optional(string)
+ availability_zone = optional(string)
+ group_id = optional(string)
+ group_name = optional(string)
+ host_id = optional(string)
+ host_resource_group_arn = optional(number)
+ spread_domain = optional(string)
+ tenancy = optional(string)
+ partition_number = optional(number)
+ })
+ default = null
+}
+
variable "enable_jit_config" {
description = "Overwrite the default behavior for JIT configuration. By default JIT configuration is enabled for ephemeral runners and disabled for non-ephemeral runners. In case of GHES check first if the JIT config API is available. In case you are upgrading from 3.x to 4.x you can set `enable_jit_config` to `false` to avoid a breaking change when having your own AMI."
type = bool
@@ -1021,3 +1008,19 @@ variable "user_agent" {
type = string
default = "github-aws-runners"
}
+
+variable "lambda_event_source_mapping_batch_size" {
+ description = "Maximum number of records to pass to the lambda function in a single batch for the event source mapping. When not set, the AWS default of 10 events will be used."
+ type = number
+ default = 10
+}
+
+variable "lambda_event_source_mapping_maximum_batching_window_in_seconds" {
+ description = "Maximum amount of time to gather records before invoking the lambda function, in seconds. AWS requires this to be greater than 0 if batch_size is greater than 10. Defaults to 0."
+ type = number
+ default = 0
+ validation {
+ condition = var.lambda_event_source_mapping_maximum_batching_window_in_seconds >= 0 && var.lambda_event_source_mapping_maximum_batching_window_in_seconds <= 300
+ error_message = "Maximum batching window must be between 0 and 300 seconds."
+ }
+}
diff --git a/versions.tf b/versions.tf
index f1bce2af72..77f4d7b326 100644
--- a/versions.tf
+++ b/versions.tf
@@ -4,7 +4,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
- version = ">= 5.77"
+ version = ">= 6.21"
}
random = {
source = "hashicorp/random"