change

Author: marcoacierno

.github/workflows/build-backend.yml

@@ -8,7 +8,7 @@ on:
 jobs:
   build:
     name: Build
-    runs-on: [self-hosted, arm64-fargate]
+    runs-on: ${{ format('arm64-fargate-{0}{1}{2}', github.run_id, github.run_number, github.run_attempt) }}
     steps:
       - uses: actions/checkout@v4
         with:

infrastructure/tools/github_runner_cluster.tf

@@ -0,0 +1,15 @@
+resource "aws_ecs_cluster" "github_runners" {
+  name = "github-actions-runners"
+}
+
+resource "aws_ecs_cluster_capacity_providers" "github_runners" {
+  cluster_name = aws_ecs_cluster.github_runners.name
+
+  capacity_providers = ["FARGATE_SPOT"]
+
+  default_capacity_provider_strategy {
+    base              = 1
+    weight            = 100
+    capacity_provider = "FARGATE_SPOT"
+  }
+}

infrastructure/tools/github_runner_lambda.tf

@@ -1,4 +1,4 @@
-data "aws_iam_policy_document" "github_runner_assume_role" {
+data "aws_iam_policy_document" "github_runner_webhook_assume_role" {
   statement {
     effect = "Allow"
 
@@ -11,14 +11,18 @@ data "aws_iam_policy_document" "github_runner_assume_role" {
   }
 }
 
-resource "aws_iam_role" "github_runner_iam" {
-  name               = "github_runner_iam"
-  assume_role_policy = data.aws_iam_policy_document.github_runner_assume_role.json
+resource "aws_iam_role" "github_runner_webhook_role" {
+  name               = "github_runner_webhook_role"
+  assume_role_policy = data.aws_iam_policy_document.github_runner_webhook_assume_role.json
 }
 
-resource "aws_iam_role_policy" "github_runner_lambda_policy" {
-  name = "github_runner_lambda_policy"
-  role = aws_iam_role.github_runner_iam.id
+data "aws_ssm_parameter" "github_token" {
+  name = "/github-runner/github-token"
+}
+
+resource "aws_iam_role_policy" "github_runner_webhook_lambda_policy" {
+  name = "github_runner_webhook_lambda_policy"
+  role = aws_iam_role.github_runner_webhook_role.id
 
   policy = jsonencode({
     Version = "2012-10-17"
@@ -31,6 +35,15 @@ resource "aws_iam_role_policy" "github_runner_lambda_policy" {
           "logs:PutLogEvents"
         ]
         Resource = "*"
+      },
+      {
+        Effect   = "Allow"
+        Action   = [
+          "ssm:GetParameter"
+        ]
+        Resource = [
+          data.aws_ssm_parameter.github_token.arn
+        ]
       }
     ]
   })
@@ -44,14 +57,16 @@ data "archive_file" "github_runner_webhook_artifact" {
 
 resource "aws_lambda_function" "github_runner_webhook" {
   function_name = "github_runner_webhook"
-  role          = aws_iam_role.github_runner_iam.arn
+  role          = aws_iam_role.github_runner_webhook_role.arn
   handler       = "github_runner_webhook.handler"
   runtime = "python3.13"
   filename         = data.archive_file.github_runner_webhook_artifact.output_path
   source_code_hash = data.archive_file.github_runner_webhook_artifact.output_base64sha256
+  timeout = 60
   environment {
     variables = {
       WEBHOOK_SECRET = random_password.webhook_secret.result
+      GITHUB_TOKEN_SSM_NAME = data.aws_ssm_parameter.github_token.name
     }
   }
 }

infrastructure/tools/github_runner_task.tf

@@ -0,0 +1,86 @@
+data "aws_iam_policy_document" "github_runner_execution_assume_role" {
+  statement {
+    effect = "Allow"
+
+    principals {
+      type        = "Service"
+      identifiers = ["ecs.amazonaws.com", "ecs-tasks.amazonaws.com"]
+    }
+
+    actions = ["sts:AssumeRole"]
+  }
+}
+
+resource "aws_iam_role" "github_runner_execution_role" {
+  name               = "github_runner_execution_role"
+  assume_role_policy = data.aws_iam_policy_document.github_runner_execution_assume_role.json
+}
+
+resource "aws_iam_role_policy" "github_runner_execution_role_policy" {
+  name = "github_runner_execution_role_policy"
+  role = aws_iam_role.github_runner_execution_role.id
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect   = "Allow"
+        Action   = [
+          "logs:CreateLogStream",
+          "logs:PutLogEvents"
+        ]
+        Resource = [
+          aws_cloudwatch_log_group.github_runner.arn,
+          "${aws_cloudwatch_log_group.github_runner.arn}*"
+        ]
+      },
+      {
+        Effect   = "Allow"
+        Action   = [
+          "ecr:GetAuthorizationToken",
+          "ecr:BatchCheckLayerAvailability",
+          "ecr:GetDownloadUrlForLayer",
+          "ecr:BatchGetImage",
+        ]
+        Resource = "*"
+      }
+    ]
+  })
+}
+
+
+resource "aws_cloudwatch_log_group" "github_runner" {
+  name              = "/github-runner/"
+  retention_in_days = 1
+}
+
+resource "aws_ecs_task_definition" "github_runner" {
+  family = "github-runner"
+  requires_compatibilities = ["FARGATE"]
+  network_mode = "awsvpc"
+  cpu = 1024
+  memory = 2048
+  execution_role_arn = aws_iam_role.github_runner_execution_role.arn
+
+  container_definitions = jsonencode([
+    {
+      name      = "runner"
+      image     = "ghcr.io/actions/actions-runner:2.321.0"
+      essential = true
+      portMappings = []
+      logConfiguration = {
+        logDriver = "awslogs"
+        options = {
+          "awslogs-group"         = aws_cloudwatch_log_group.github_runner.name
+          "awslogs-region"        = "eu-central-1"
+          "awslogs-stream-prefix" = "runner"
+        }
+      }
+    },
+  ])
+
+  runtime_platform {
+    operating_system_family = "LINUX"
+    cpu_architecture = "ARM64"
+  }
+}

infrastructure/tools/lambdas/github_runner_webhook.py

@@ -1,9 +1,12 @@
+import boto3
 import json
 import os
 import hashlib
 import hmac
+from urllib import request
 
 WEBHOOK_SECRET = os.environ["WEBHOOK_SECRET"]
+GITHUB_TOKEN_SSM_NAME = os.environ["GITHUB_TOKEN_SSM_NAME"]
 
 
 def handler(event, context):
@@ -42,7 +45,40 @@ def handle_workflow_job(body, context):
     if labels != ["self-hosted", "arm64-fargate"]:
         return
 
-    print("Handling workflow job - start?")
+    ssm_client = boto3.client("ssm")
+    github_token = ssm_client.get_parameter(Name=GITHUB_TOKEN_SSM_NAME)["Parameter"][
+        "Value"
+    ]
+
+    payload = {
+        "name": "Test from Lambda",
+        "runner_group_id": 3,
+        "labels": [
+            "lambda-test"
+            # 'self-hosted',
+            # 'arm64-fargate',
+        ],
+    }
+    payload_encoded = json.dumps(payload).encode("utf-8")
+    print("sending payload:", payload_encoded)
+    req = request.Request(
+        "https://api.github.com/orgs/pythonitalia/actions/runners/generate-jitconfig",
+        data=payload_encoded,
+        method="POST",
+        headers={
+            "Authorization": f"Bearer {github_token}",
+            "Accept": "application/vnd.github.v3+json",
+            "X-GitHub-Api-Version": "2022-11-28",
+        },
+    )
+
+    with request.urlopen(req) as response:
+        response_data = response.read().decode("utf-8")
+        print(response_data)
+
+    jit_config = json.loads(response_data)["encoded_jit_config"]
+
+    print("Handling workflow job - start?", jit_config)
     print("Body:", body)
     print("Context:", context)