change

marcoacierno · marcoacierno · commit 9e6072be4cef · 2025-01-04T19:29:40.000+01:00
diff --git a/infrastructure/tools/github_runner_lambda.tf b/infrastructure/tools/github_runner_lambda.tf
@@ -63,10 +63,18 @@ resource "aws_lambda_function" "github_runner_webhook" {
   filename         = data.archive_file.github_runner_webhook_artifact.output_path
   source_code_hash = data.archive_file.github_runner_webhook_artifact.output_base64sha256
   timeout = 60
+
   environment {
     variables = {
       WEBHOOK_SECRET = random_password.webhook_secret.result
       GITHUB_TOKEN_SSM_NAME = data.aws_ssm_parameter.github_token.name
+      NETWORK_CONFIGURATION = jsonencode({
+        "awsvpcConfiguration": {
+          "subnets": [aws_subnet.public["eu-central-1a"].id],
+          "securityGroups": [],
+          "assignPublicIp": "ENABLED"
+        }
+      })
     }
   }
 }
diff --git a/infrastructure/tools/lambdas/github_runner_webhook.py b/infrastructure/tools/lambdas/github_runner_webhook.py
@@ -7,6 +7,7 @@
 
 WEBHOOK_SECRET = os.environ["WEBHOOK_SECRET"]
 GITHUB_TOKEN_SSM_NAME = os.environ["GITHUB_TOKEN_SSM_NAME"]
+NETWORK_CONFIGURATION = os.environ["NETWORK_CONFIGURATION"]
 
 
 def handler(event, context):
@@ -42,22 +43,23 @@ def handle_workflow_job(body, context):
         return
 
     labels = workflow_job["labels"]
-    if labels != ["self-hosted", "arm64-fargate"]:
+    arm64_fargate_label = next(
+        (label for label in labels if "arm64-fargate-" in label), None
+    )
+    if not arm64_fargate_label:
         return
 
+    unique_run_id = arm64_fargate_label.replace("arm64-fargate-", "")
+
     ssm_client = boto3.client("ssm")
     github_token = ssm_client.get_parameter(Name=GITHUB_TOKEN_SSM_NAME)["Parameter"][
         "Value"
     ]
 
     payload = {
-        "name": "Test from Lambda",
+        "name": f"Runner for run #{unique_run_id}",
         "runner_group_id": 3,
-        "labels": [
-            "lambda-test"
-            # 'self-hosted',
-            # 'arm64-fargate',
-        ],
+        "labels": [arm64_fargate_label],
     }
     payload_encoded = json.dumps(payload).encode("utf-8")
     print("sending payload:", payload_encoded)
@@ -82,6 +84,12 @@ def handle_workflow_job(body, context):
     print("Body:", body)
     print("Context:", context)
 
+    ecs_client = boto3.client("ecs")
+    ecs_client.start_task(
+        cluster="github-actions-runners",
+        networkConfiguration=json.loads(NETWORK_CONFIGURATION),
+    )
+
 
 def verify_signature(payload_body, secret_token, signature_header):
     """Verify that the payload was sent from GitHub by validating SHA256.
diff --git a/infrastructure/tools/vpc.tf b/infrastructure/tools/vpc.tf
@@ -0,0 +1,76 @@
+locals {
+  public_azs_cidr = {
+    "eu-central-1a" : "10.0.1.0/24",
+    "eu-central-1b" : "10.0.2.0/24",
+    "eu-central-1c" : "10.0.3.0/24",
+  }
+  private_azs_cidr = {
+    "eu-central-1a" : "10.0.4.0/24",
+    "eu-central-1b" : "10.0.5.0/24",
+    "eu-central-1c" : "10.0.6.0/24",
+  }
+}
+
+resource "aws_vpc" "default" {
+  cidr_block           = "10.0.0.0/16"
+  enable_dns_hostnames = true
+
+  tags = {
+    Name = "main-vpc"
+  }
+}
+
+resource "aws_subnet" "private" {
+  for_each          = local.private_azs_cidr
+  vpc_id            = aws_vpc.default.id
+  availability_zone = each.key
+  cidr_block        = each.value
+
+  tags = {
+    Name = "main-vpc-private-subnet-${each.key}"
+    Type = "private"
+    AZ   = each.key
+  }
+}
+
+resource "aws_subnet" "public" {
+  for_each                = local.public_azs_cidr
+  vpc_id                  = aws_vpc.default.id
+  availability_zone       = each.key
+  cidr_block              = each.value
+  map_public_ip_on_launch = true
+
+  tags = {
+    Name = "main-vpc-public-subnet-${each.key}"
+    Type = "public"
+    AZ   = each.key
+  }
+}
+
+resource "aws_route_table" "public" {
+  for_each = toset(keys(local.public_azs_cidr))
+  vpc_id   = aws_vpc.default.id
+
+  route {
+    cidr_block = "0.0.0.0/0"
+    gateway_id = aws_internet_gateway.default.id
+  }
+
+  tags = {
+    Name = "main-vpc-public-route-${each.value}"
+  }
+
+  depends_on = [
+    aws_internet_gateway.default
+  ]
+}
+
+resource "aws_route_table_association" "public_subnet_to_public_route" {
+  for_each       = toset(keys(local.public_azs_cidr))
+  route_table_id = aws_route_table.public[each.value].id
+  subnet_id      = aws_subnet.public[each.value].id
+}
+
+resource "aws_internet_gateway" "default" {
+  vpc_id = aws_vpc.default.id
+}

Original file line number	Diff line number	Diff line change
`@@ -63,10 +63,18 @@ resource "aws_lambda_function" "github_runner_webhook" {`
`63`	`63`	`filename = data.archive_file.github_runner_webhook_artifact.output_path`
`64`	`64`	`source_code_hash = data.archive_file.github_runner_webhook_artifact.output_base64sha256`
`65`	`65`	`timeout = 60`
	`66`	`+`
`66`	`67`	`environment {`
`67`	`68`	`variables = {`
`68`	`69`	`WEBHOOK_SECRET = random_password.webhook_secret.result`
`69`	`70`	`GITHUB_TOKEN_SSM_NAME = data.aws_ssm_parameter.github_token.name`
	`71`	`+ NETWORK_CONFIGURATION = jsonencode({`
	`72`	`+ "awsvpcConfiguration": {`
	`73`	`+ "subnets": [aws_subnet.public["eu-central-1a"].id],`
	`74`	`+ "securityGroups": [],`
	`75`	`+ "assignPublicIp": "ENABLED"`
	`76`	`+ }`
	`77`	`+ })`
`70`	`78`	`}`
`71`	`79`	`}`
`72`	`80`	`}`