feat: add module for github self hosted runner

rohit-ng · rohit-ng · commit 74811c4a79e2 · 2024-07-23T18:57:06.000+05:30
diff --git a/README.md b/README.md
@@ -19,6 +19,7 @@
 | <a name="module_ecs_node_security_group"></a> [ecs\_node\_security\_group](#module\_ecs\_node\_security\_group) | terraform-aws-modules/security-group/aws | ~> 5.1.2 |
 | <a name="module_ecs_task_role"></a> [ecs\_task\_role](#module\_ecs\_task\_role) | ./modules/iam | n/a |
 | <a name="module_ecs_task_security_group"></a> [ecs\_task\_security\_group](#module\_ecs\_task\_security\_group) | terraform-aws-modules/security-group/aws | ~> 5.1.2 |
+| <a name="module_github_runner"></a> [github\_runner](#module\_github\_runner) | ./modules/github-runner | n/a |
 | <a name="module_internal_alb_kong"></a> [internal\_alb\_kong](#module\_internal\_alb\_kong) | github.com/infraspecdev/terraform-aws-ecs-deployment//modules/alb | v1.1.1 |
 | <a name="module_internal_alb_security_group"></a> [internal\_alb\_security\_group](#module\_internal\_alb\_security\_group) | terraform-aws-modules/security-group/aws | ~> 5.1.2 |
 | <a name="module_kong_internal_dns_record"></a> [kong\_internal\_dns\_record](#module\_kong\_internal\_dns\_record) | ./modules/route-53-record | n/a |
@@ -56,6 +57,8 @@
 | <a name="input_ecs_node_security_group_id"></a> [ecs\_node\_security\_group\_id](#input\_ecs\_node\_security\_group\_id) | ECS node security group id | `string` | `null` | no |
 | <a name="input_ecs_task_security_group_id"></a> [ecs\_task\_security\_group\_id](#input\_ecs\_task\_security\_group\_id) | ECS task security group id | `string` | `null` | no |
 | <a name="input_force_new_deployment"></a> [force\_new\_deployment](#input\_force\_new\_deployment) | Whether to force new deployment | `bool` | `true` | no |
+| <a name="input_github_config_token"></a> [github\_config\_token](#input\_github\_config\_token) | Github config token for self-hosted runner | `string` | n/a | yes |
+| <a name="input_github_config_url"></a> [github\_config\_url](#input\_github\_config\_url) | Github config url for self-hosted runner | `string` | n/a | yes |
 | <a name="input_instance_type_for_kong"></a> [instance\_type\_for\_kong](#input\_instance\_type\_for\_kong) | Instance type for kong | `string` | `"t2.micro"` | no |
 | <a name="input_key_name_for_kong"></a> [key\_name\_for\_kong](#input\_key\_name\_for\_kong) | Key name for to SSH into kong instance | `string` | `null` | no |
 | <a name="input_kong_admin_sub_domain_names"></a> [kong\_admin\_sub\_domain\_names](#input\_kong\_admin\_sub\_domain\_names) | List of kong admin sub domain names | `list(any)` | n/a | yes |
diff --git a/main.tf b/main.tf
@@ -363,3 +363,11 @@ module "kong_internal_dns_record" {
   alb_dns_name = module.internal_alb_kong.dns_name
   alb_zone_id  = module.ecs_kong.alb_zone_id
 }
+
+module "github_runner" {
+  source              = "./modules/github-runner"
+  vpc_id              = var.vpc_id
+  private_subnet_id   = var.private_subnet_ids[0]
+  github_config_token = var.github_config_token
+  github_config_url   = var.github_config_url
+}
diff --git a/modules/github-runner/.header.md b/modules/github-runner/.header.md
diff --git a/modules/github-runner/README.md b/modules/github-runner/README.md
@@ -0,0 +1,35 @@
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.53.0 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_instance.github_runner](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance) | resource |
+| [aws_security_group.github_runner](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_ami_id"></a> [ami\_id](#input\_ami\_id) | AMI ID for the private instances | `string` | `"ami-0f58b397bc5c1f2e8"` | no |
+| <a name="input_github_config_token"></a> [github\_config\_token](#input\_github\_config\_token) | Github config token for self-hosted runners | `string` | n/a | yes |
+| <a name="input_github_config_url"></a> [github\_config\_url](#input\_github\_config\_url) | Github config url for self-hosted runners | `string` | n/a | yes |
+| <a name="input_key_name"></a> [key\_name](#input\_key\_name) | The name of the EC2 key pair | `string` | `"runner"` | no |
+| <a name="input_private_subnet_id"></a> [private\_subnet\_id](#input\_private\_subnet\_id) | The ID of the private subnet | `string` | n/a | yes |
+| <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | The ID of the VPC | `string` | n/a | yes |
+
+## Outputs
+
+No outputs.
diff --git a/modules/github-runner/locals.tf b/modules/github-runner/locals.tf
@@ -0,0 +1,5 @@
+locals {
+  security_group_name_prefix = "github-runner-sg"
+  ubuntu_instance_name       = "github-runner"
+  instance_type              = "t2.micro"
+}
diff --git a/modules/github-runner/main.tf b/modules/github-runner/main.tf
@@ -0,0 +1,38 @@
+resource "aws_instance" "github_runner" {
+  ami                    = var.ami_id
+  instance_type          = local.instance_type
+  subnet_id              = var.private_subnet_id
+  vpc_security_group_ids = [aws_security_group.github_runner.id]
+  key_name               = var.key_name
+  user_data = templatefile("${path.module}/scripts/self-hosted-runner.sh", {
+    CONFIG_TOKEN = var.github_config_token
+    CONFIG_URL   = var.github_config_url
+  })
+  tags = {
+    Name = local.ubuntu_instance_name
+  }
+}
+
+resource "aws_security_group" "github_runner" {
+  name_prefix = local.security_group_name_prefix
+  description = "Allow ssh ingress and all egress traffic"
+  vpc_id      = var.vpc_id
+
+  ingress {
+    from_port   = 22
+    to_port     = 22
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  tags = {
+    Name = local.security_group_name_prefix
+  }
+}
diff --git a/modules/github-runner/outputs.tf b/modules/github-runner/outputs.tf
diff --git a/modules/github-runner/scripts/self-hosted-runner.sh b/modules/github-runner/scripts/self-hosted-runner.sh
@@ -0,0 +1,123 @@
+#!/bin/bash
+
+# Define multiple runner configurations
+# declare -A RUNNERS=(
+#     ["runner-1"]="https://github.com/actions/runner/releases/download/v2.317.0/actions-runner-linux-x64-2.317.0.tar.gz"
+# )
+
+DEFAULT_USER="githubrunner"
+USER_HOME="/home/$DEFAULT_USER"
+USER_PASSWORD="password"
+RUNNER_VERSION="2.317.0"
+RUNNER_PACKAGE="actions-runner-linux-x64-$RUNNER_VERSION.tar.gz"
+
+# Function to display error message and exit
+die() {
+    echo >&2 "Error: $@"
+    exit 1
+}
+
+# Function to install required packages
+install_packages() {
+    local packages="$@"
+    if [ -x "$(command -v apt-get)" ]; then
+        sudo DEBIAN_FRONTEND=noninteractive apt-get -y update
+        sudo DEBIAN_FRONTEND=noninteractive apt-get -y install $packages || die "Failed to install $packages. Aborting."
+    elif [ -x "$(command -v yum)" ]; then
+        sudo yum -y install $packages || die "Failed to install $packages. Aborting."
+    elif [ -x "$(command -v dnf)" ]; then
+        sudo dnf -y install $packages || die "Failed to install $packages. Aborting."
+    elif [ -x "$(command -v pacman)" ]; then
+        sudo pacman -Sy --noconfirm $packages || die "Failed to install $packages. Aborting."
+    else
+        die "Unsupported package manager. Please install $packages manually."
+    fi
+}
+
+# Function to check if a command exists
+command_exists() {
+    command -v "$1" >/dev/null 2>&1
+}
+
+# Function to set up runner directory and permissions
+setup_runner_directory() {
+    local RUNNER_NAME="$1"
+    local RUNNER_DIR="$USER_HOME/$RUNNER_NAME/actions-runner"
+
+    sudo mkdir -p "$RUNNER_DIR" || die "Failed to create $RUNNER_DIR directory."
+    sudo chown -R $DEFAULT_USER:$DEFAULT_USER "$RUNNER_DIR" || die "Failed to set ownership for $RUNNER_DIR."
+}
+
+# Function to download and extract GitHub Actions runner package
+download_and_extract_runner() {
+    local RUNNER_NAME="$1"
+    local EXPECTED_CHECKSUM="9e883d210df8c6028aff475475a457d380353f9d01877d51cc01a17b2a91161d"
+    local RUNNER="https://github.com/actions/runner/releases/download/v2.317.0/actions-runner-linux-x64-2.317.0.tar.gz"
+
+    # Ensure directory exists and has correct ownership
+    sudo mkdir -p "$USER_HOME/$RUNNER_NAME/actions-runner" || die "Failed to create $USER_HOME/$RUNNER_NAME/actions-runner directory."
+    sudo chown -R $DEFAULT_USER:$DEFAULT_USER "$USER_HOME/$RUNNER_NAME/actions-runner" || die "Failed to set ownership for $USER_HOME/$RUNNER_NAME/actions-runner."
+
+    # Download and verify checksum
+    sudo -u $DEFAULT_USER curl -o "$USER_HOME/$RUNNER_NAME/actions-runner/$RUNNER_PACKAGE" -L "$RUNNER" || die "Failed to download $RUNNER_PACKAGE."
+    sudo chown $DEFAULT_USER:$DEFAULT_USER "$USER_HOME/$RUNNER_NAME/actions-runner/$RUNNER_PACKAGE" || die "Failed to set ownership for $USER_HOME/$RUNNER_NAME/actions-runner/$RUNNER_PACKAGE."
+
+    # Verify SHA256 checksum
+    actual_checksum=$(sudo -u $DEFAULT_USER sha256sum "$USER_HOME/$RUNNER_NAME/actions-runner/$RUNNER_PACKAGE" | awk '{print $1}')
+    if [ "$EXPECTED_CHECKSUM" != "$actual_checksum" ]; then
+        die "Checksum verification failed for $USER_HOME/$RUNNER_NAME/actions-runner/$RUNNER_PACKAGE. Aborting."
+    fi
+
+    # Extract the runner package
+    sudo -u $DEFAULT_USER tar xzf "$USER_HOME/$RUNNER_NAME/actions-runner/$RUNNER_PACKAGE" -C "$USER_HOME/$RUNNER_NAME/actions-runner" || die "Failed to extract $USER_HOME/$RUNNER_NAME/actions-runner/$RUNNER_PACKAGE."
+    sudo chown -R $DEFAULT_USER:$DEFAULT_USER "$USER_HOME/$RUNNER_NAME/actions-runner" || die "Failed to set ownership for $USER_HOME/$RUNNER_NAME/actions-runner."
+}
+
+# Function to configure and start the runner
+configure_and_start_runner() {
+    local RUNNER_NAME="$1"
+
+    sudo -u $DEFAULT_USER -i <<EOF
+    cd "$USER_HOME/$RUNNER_NAME/actions-runner" || exit 1
+
+    ./config.sh --url "${CONFIG_URL}" \
+                --token "${CONFIG_TOKEN}" \
+                --name "$RUNNER_NAME" \
+                --runnergroup "Default" \
+                --work "_work" \
+                --labels "self-hosted,Linux,X64,$RUNNER_NAME" \
+                --unattended \
+                --replace || { echo "Failed to configure GitHub Actions runner"; exit 1; }
+
+    nohup ./run.sh > runner.log 2>&1 &
+    if [ \$? -ne 0 ]; then
+        echo "Failed to start GitHub Actions runner $RUNNER_NAME"
+        exit 1
+    fi
+
+    echo "GitHub Actions runner setup for $RUNNER_NAME completed successfully."
+    echo "The runner is running in the background. Check runner.log for output."
+EOF
+}
+
+# Main script
+main() {
+    local RUNNER_NAME="runner"
+    # Install required packages if not already installed
+    command_exists curl || install_packages curl
+
+    # Ensure default user exists and has necessary permissions (no longer creating new users)
+    sudo useradd -m -s /bin/bash $DEFAULT_USER 2>/dev/null || true
+    echo "$DEFAULT_USER:$USER_PASSWORD" | sudo chpasswd || die "Failed to set password for $DEFAULT_USER. Aborting."
+    echo "$DEFAULT_USER ALL=(ALL) NOPASSWD:ALL" | sudo tee /etc/sudoers.d/$DEFAULT_USER >/dev/null
+    sudo chmod 0440 /etc/sudoers.d/$DEFAULT_USER
+
+    setup_runner_directory "$RUNNER_NAME"
+    download_and_extract_runner "$RUNNER_NAME"
+    configure_and_start_runner "$RUNNER_NAME"
+
+    echo "All GitHub Actions runners setup completed successfully."
+}
+
+# Execute main script
+main
diff --git a/modules/github-runner/variables.tf b/modules/github-runner/variables.tf
@@ -0,0 +1,33 @@
+variable "ami_id" {
+  description = "AMI ID for the private instances"
+  type        = string
+  default     = "ami-0f58b397bc5c1f2e8"
+}
+
+variable "vpc_id" {
+  description = "The ID of the VPC"
+  type        = string
+}
+
+variable "private_subnet_id" {
+  description = "The ID of the private subnet"
+  type        = string
+}
+
+variable "key_name" {
+  description = "The name of the EC2 key pair"
+  type        = string
+  default     = "runner"
+}
+
+variable "github_config_url" {
+  description = "Github config url for self-hosted runners"
+  type        = string
+  sensitive   = true
+}
+
+variable "github_config_token" {
+  description = "Github config token for self-hosted runners"
+  type        = string
+  sensitive   = true
+}
diff --git a/modules/iam/README.md b/modules/iam/README.md
@@ -6,7 +6,7 @@ No requirements.
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | n/a |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.59.0 |
 
 ## Modules
 
diff --git a/variables.tf b/variables.tf
@@ -254,3 +254,13 @@ variable "instance_type_for_kong" {
   type        = string
   default     = "t2.micro"
 }
+
+variable "github_config_token" {
+  description = "Github config token for self-hosted runner"
+  type        = string
+}
+
+variable "github_config_url" {
+  description = "Github config url for self-hosted runner"
+  type        = string
+}
