Merge branch 'release/v0.9.0' into master

Author: npalm

.ci/.dockerignore

@@ -0,0 +1 @@
+node_modules

.ci/Dockerfile

@@ -1,13 +1,13 @@
 FROM node:12
 
-WORKDIR /lambda
-
-COPY . /lambda
-
 RUN apt-get update \
     && apt-get install -y zip \
     && rm -rf /var/lib/apt/lists/*
 
+WORKDIR /lambda
+
+COPY . /lambda
+
 RUN yarn install \
     && yarn run dist
 

.ci/build.sh

@@ -1,4 +1,5 @@
 #!/usr/bin/env bash
+set -e
 
 lambdaSrcDirs=("modules/runner-binaries-syncer/lambdas/runner-binaries-syncer" "modules/runners/lambdas/runners" "modules/webhook/lambdas/webhook")
 repoRoot=$(dirname $(dirname $(realpath ${BASH_SOURCE[0]})))

.gitignore

@@ -17,3 +17,6 @@ example/*.secrets*.tfvars
 *.gz
 *.tgz
 *.env
+.vscode
+
+**/coverage/*

CHANGELOG.md

@@ -7,8 +7,42 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.9.0] - 2020-12-08
+
+### Added
+
+- Add support for GitHub Enterprise Server (GHES) #412, #481, #467 @mcaulifn @jonico
+- Allow configuring additional security groups #392 @surminus
+
+### Changed
+
+- Log groups per type of logging #476
+- Copy directory *after* installing zip #444 @masterful
+- Update ubuntu example with rootless docker and non privileged user #433
+- Changed strategy in scaling. Previous the module scaled by checking for any queued workflow for the repo initiation the check_run event. Now the module scales only if the correlated check_run is still in queued state. #423
+
+### Fixed
+
+- Fix missing permissions for CloudWatch Agent #445 @bennettp123
+- Swap scale up/scale down timeout description #468 @jonico
+- Fix for invalid configuration #466 @jonico
+- Add ssm:GetParameter to runner-ssm-parameters #446 @bennettp123  
+- Replace crypto #429
+- Scale up lambda deprecated attribute #410
+
+### Mirgrations
+
+Changes related to logging groups introduced via #476 will destroy existing logging group in AWS cloudwatch for runners log. In case you would like to keep the logging ensure you remove the log group from the state before running an apply
+
+```bash
+export RESOURCE=$(terraform state list | grep "aws_cloudwatch_log_group.runner")
+terraform state rm $RESOURCE
+```
+
 ## [0.8.1] - 2020-12-08
+
 ### Changed
+
 - Policy is missing for streaming logs to cloudwatch #388
 
 ## [0.8.0] - 2020-12-08
@@ -105,7 +139,8 @@ terraform import module.runners.module.webhook.aws_cloudwatch_log_group.webhook
 
 - First release.
 
-[unreleased]: https://github.com/philips-labs/terraform-aws-github-runner/compare/v0.8.1..HEAD
+[unreleased]: https://github.com/philips-labs/terraform-aws-github-runner/compare/v0.9.0..HEAD
+[0.9.0]: https://github.com/philips-labs/terraform-aws-github-runner/releases/tag/v0.8.1..v0.9.0
 [0.8.1]: https://github.com/philips-labs/terraform-aws-github-runner/releases/tag/v0.8.0..v0.8.1
 [0.8.0]: https://github.com/philips-labs/terraform-aws-github-runner/releases/tag/v0.7.0..v0.8.0
 [0.7.0]: https://github.com/philips-labs/terraform-aws-github-runner/releases/tag/v0.6.0..v0.7.0

README.md

@@ -27,9 +27,9 @@ module "runners" {
     webhook_secret = random_password.random.result
   }
 
-  webhook_lambda_zip                = "lambdas-download/webhook.zip"
-  runner_binaries_syncer_lambda_zip = "lambdas-download/runner-binaries-syncer.zip"
-  runners_lambda_zip                = "lambdas-download/runners.zip"
+  # webhook_lambda_zip                = "lambdas-download/webhook.zip"
+  # runner_binaries_syncer_lambda_zip = "lambdas-download/runner-binaries-syncer.zip"
+  # runners_lambda_zip                = "lambdas-download/runners.zip"
 
   enable_organization_runners = false
   runner_extra_labels         = "ubuntu,example"
@@ -49,6 +49,17 @@ module "runners" {
     device_name = "/dev/sda1"
   }
 
+  runner_log_files = [
+    {
+      "file_path" : "/var/log/user-data.log",
+      "log_stream_name" : "{instance_id}/user_data"
+    },
+    {
+      "file_path" : "/home/runners/actions-runner/_diag/Runner_**.log",
+      "log_stream_name" : "{instance_id}/runner"
+    }
+  ]
+
   # Uncommet idle config to have idle runners from 9 to 5 in time zone Amsterdam
   # idle_config = [{
   #   cron      = "* * 9-17 * * *"

examples/ubuntu/main.tf

@@ -1,37 +1,63 @@
-#!/bin/bash -e
+#!/bin/bash -x
 exec > >(tee /var/log/user-data.log | logger -t user-data -s 2>/dev/console) 2>&1
 
+${pre_install}
+
 # Install AWS CLI
 apt-get update
-DEBIAN_FRONTEND=noninteractive apt-get install -y awscli jq
+DEBIAN_FRONTEND=noninteractive apt-get install -y awscli jq curl wget git uidmap
+
+USER_NAME=runners
+useradd -m -s /bin/bash $USER_NAME
+USER_ID=$(id -ru $USER_NAME)
+
+# install and configure cloudwatch logging agent
+wget https://s3.amazonaws.com/amazoncloudwatch-agent/ubuntu/amd64/latest/amazon-cloudwatch-agent.deb
+dpkg -i -E ./amazon-cloudwatch-agent.deb
+amazon-cloudwatch-agent-ctl -a fetch-config -m ec2 -s -c ssm:${ssm_key_cloudwatch_agent_config}
+
+# configure systemd for running service in users accounts
+cat >/etc/systemd/[email protected] <<-EOF
+
+[Unit]
+Description=User Manager for UID %i
+After=user-runtime-dir@%i.service
+Wants=user-runtime-dir@%i.service
+
+[Service]
+LimitNOFILE=infinity
+LimitNPROC=infinity
+User=%i
+PAMName=systemd-user
+Type=notify
+
+[Install]
+WantedBy=default.target
 
-# Install runner
-cd /home/ubuntu
-mkdir actions-runner && cd actions-runner
+EOF
 
-aws s3 cp ${s3_location_runner_distribution} actions-runner.tar.gz
-tar xzf ./actions-runner.tar.gz
-rm -rf actions-runner.tar.gz
+echo export XDG_RUNTIME_DIR=/run/user/$USER_ID >>/home/$USER_NAME/.profile
 
-INSTANCE_ID=$(wget -q -O - http://169.254.169.254/latest/meta-data/instance-id)
-REGION=$(curl -s 169.254.169.254/latest/dynamic/instance-identity/document | jq -r .region)
+systemctl daemon-reload
+systemctl enable [email protected]
+systemctl start [email protected]
 
-echo wait for configuration
-while [[ $(aws ssm get-parameters --names ${environment}-$INSTANCE_ID --with-decryption --region $REGION | jq -r ".Parameters | .[0] | .Value") == null ]]; do
-    echo Waiting for configuration ...
-    sleep 1
-done
-CONFIG=$(aws ssm get-parameters --names ${environment}-$INSTANCE_ID --with-decryption --region $REGION | jq -r ".Parameters | .[0] | .Value")
-aws ssm delete-parameter --name ${environment}-$INSTANCE_ID --region $REGION
+curl -fsSL https://get.docker.com/rootless >>/opt/rootless.sh && chmod 755 /opt/rootless.sh
+su -l $USER_NAME -c /opt/rootless.sh
+echo export DOCKER_HOST=unix:///run/user/$USER_ID/docker.sock >>/home/$USER_NAME/.profile
+echo export PATH=/home/$USER_NAME/bin:$PATH >>/home/$USER_NAME/.profile
 
-export RUNNER_ALLOW_RUNASROOT=1
+# Run docker service by default
+loginctl enable-linger $USER_NAME
+su -l $USER_NAME -c "systemctl --user enable docker"
 
-sudo -u ubuntu mkdir /home/ubuntu/work
+${install_config_runner}
 
-./bin/installdependencies.sh
-./config.sh --unattended --name $INSTANCE_ID --work "/home/ubuntu/work" $CONFIG
+# config runner for rootless docker
+cd /home/$USER_NAME/actions-runner/
+echo DOCKER_HOST=unix:///run/user/$USER_ID/docker.sock >>.env
+echo PATH=/home/$USER_NAME/bin:$PATH >>.env
 
-chown -R ubuntu:ubuntu .
-./svc.sh install ubuntu
+${post_install}
 
 ./svc.sh start

examples/ubuntu/templates/user-data.sh

@@ -18,7 +18,7 @@ resource "random_string" "random" {
 resource "aws_sqs_queue" "queued_builds" {
   name                        = "${var.environment}-queued-builds.fifo"
   delay_seconds               = 30
-  visibility_timeout_seconds  = 60
+  visibility_timeout_seconds  = var.runners_scale_up_lambda_timeout
   fifo_queue                  = true
   receive_wait_time_seconds   = 10
   content_based_deduplication = true
@@ -74,23 +74,26 @@ module "runners" {
   ami_filter          = local.ami_filter
   ami_owners          = var.ami_owners
 
-  sqs_build_queue                 = aws_sqs_queue.queued_builds
-  github_app                      = var.github_app
-  enable_organization_runners     = var.enable_organization_runners
-  scale_down_schedule_expression  = var.scale_down_schedule_expression
-  minimum_running_time_in_minutes = var.minimum_running_time_in_minutes
-  runner_extra_labels             = var.runner_extra_labels
-  runner_as_root                  = var.runner_as_root
-  runners_maximum_count           = var.runners_maximum_count
-  idle_config                     = var.idle_config
-  enable_ssm_on_runners           = var.enable_ssm_on_runners
+  sqs_build_queue                      = aws_sqs_queue.queued_builds
+  github_app                           = var.github_app
+  enable_organization_runners          = var.enable_organization_runners
+  scale_down_schedule_expression       = var.scale_down_schedule_expression
+  minimum_running_time_in_minutes      = var.minimum_running_time_in_minutes
+  runner_extra_labels                  = var.runner_extra_labels
+  runner_as_root                       = var.runner_as_root
+  runners_maximum_count                = var.runners_maximum_count
+  idle_config                          = var.idle_config
+  enable_ssm_on_runners                = var.enable_ssm_on_runners
+  runner_additional_security_group_ids = var.runner_additional_security_group_ids
 
   lambda_s3_bucket                 = var.lambda_s3_bucket
   runners_lambda_s3_key            = var.runners_lambda_s3_key
   runners_lambda_s3_object_version = var.runners_lambda_s3_object_version
   lambda_zip                       = var.runners_lambda_zip
   lambda_timeout_scale_up          = var.runners_scale_up_lambda_timeout
   lambda_timeout_scale_down        = var.runners_scale_down_lambda_timeout
+  lambda_subnet_ids                = var.lambda_subnet_ids
+  lambda_security_group_ids        = var.lambda_security_group_ids
   logging_retention_in_days        = var.logging_retention_in_days
   enable_cloudwatch_agent          = var.enable_cloudwatch_agent
   cloudwatch_config                = var.cloudwatch_config
@@ -103,10 +106,13 @@ module "runners" {
   userdata_template     = var.userdata_template
   userdata_pre_install  = var.userdata_pre_install
   userdata_post_install = var.userdata_post_install
+  key_name              = var.key_name
 
   create_service_linked_role_spot = var.create_service_linked_role_spot
 
   runner_iam_role_managed_policy_arns = var.runner_iam_role_managed_policy_arns
+
+  ghes_url = var.ghes_url
 }
 
 module "runner_binaries" {
@@ -118,7 +124,7 @@ module "runner_binaries" {
 
   distribution_bucket_name = "${var.environment}-dist-${random_string.random.result}"
 
-  runner_architecture              = substr(var.instance_type, 0, 2) == "a1" || substr(var.instance_type, 1, 2) == "6g" ? "arm64" : "x64"
+  runner_architecture              = local.runner_architecture
   runner_allow_prerelease_binaries = var.runner_allow_prerelease_binaries
 
   lambda_s3_bucket                = var.lambda_s3_bucket

main.tf

@@ -32,20 +32,20 @@ No requirements.
 ## Providers
 
 | Name | Version |
-| ---- | ------- |
-| null | n/a     |
+|------|---------|
+| null | n/a |
 
 ## Inputs
 
-| Name    | Description                           | Type                                                                        | Default | Required |
-| ------- | ------------------------------------- | --------------------------------------------------------------------------- | ------- | :------: |
-| lambdas | Name and tag for lambdas to download. | <pre>list(object({<br>    name = string<br>    tag  = string<br>  }))</pre> | n/a     |   yes    |
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| lambdas | Name and tag for lambdas to download. | <pre>list(object({<br>    name = string<br>    tag  = string<br>  }))</pre> | n/a | yes |
 
 ## Outputs
 
-| Name  | Description |
-| ----- | ----------- |
-| files | n/a         |
+| Name | Description |
+|------|-------------|
+| files | n/a |
 
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 

modules/download-lambda/.terraform.lock.hcl

@@ -53,6 +53,8 @@ No requirements.
 | environment | A name that identifies the environment, used as prefix and for tagging. | `string` | n/a | yes |
 | lambda\_s3\_bucket | S3 bucket from which to specify lambda functions. This is an alternative to providing local files directly. | `any` | `null` | no |
 | lambda\_schedule\_expression | Scheduler expression for action runner binary syncer. | `string` | `"cron(27 * * * ? *)"` | no |
+| lambda\_security\_group\_ids | List of subnets in which the action runners will be launched, the subnets needs to be subnets in the `vpc_id`. | `list(string)` | `[]` | no |
+| lambda\_subnet\_ids | List of subnets in which the action runners will be launched, the subnets needs to be subnets in the `vpc_id`. | `list(string)` | `[]` | no |
 | lambda\_timeout | Time out of the lambda in seconds. | `number` | `300` | no |
 | lambda\_zip | File location of the lambda zip file. | `string` | `null` | no |
 | logging\_retention\_in\_days | Specifies the number of days you want to retain log events for the lambda log group. Possible values are: 0, 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, and 3653. | `number` | `7` | no |

modules/download-lambda/README.md

@@ -1,5 +1,7 @@
 {
   "printWidth": 120,
   "singleQuote": true,
-  "trailingComma": "all"
+  "trailingComma": "all",
+  "semi": true,
 }
+  

modules/runner-binaries-syncer/README.md

@@ -10,22 +10,24 @@
     "lint": "yarn eslint --ext ts,tsx src",
     "watch": "ts-node-dev --respawn --exit-child src/local.ts",
     "build": "ncc build src/lambda.ts -o dist",
-    "dist": "yarn build && cd dist && zip ../runner-binaries-syncer.zip index.js"
+    "dist": "yarn build && cd dist && zip ../runner-binaries-syncer.zip index.js",
+    "format": "prettier --write \"**/*.ts\"",
+    "format-check": "prettier --check \"**/*.ts\""
   },
   "devDependencies": {
     "@octokit/rest": "^18.0.12",
-    "@types/jest": "^26.0.16",
-    "@types/node": "^14.14.10",
+    "@types/jest": "^26.0.20",
+    "@types/node": "^14.14.21",
     "@types/request": "^2.48.4",
     "@typescript-eslint/eslint-plugin": "^4.0.0",
     "@typescript-eslint/parser": "^3.10.1",
     "@zeit/ncc": "^0.22.1",
-    "aws-sdk": "^2.804.0",
-    "eslint": "^7.15.0",
+    "aws-sdk": "^2.828.0",
+    "eslint": "^7.18.0",
     "jest": "^26.6.3",
     "ts-jest": "^26.4.4",
-    "ts-node-dev": "^1.0.0",
-    "typescript": "^4.1.2"
+    "ts-node-dev": "^1.1.1",
+    "typescript": "^4.1.3"
   },
   "dependencies": {
     "yn": "^4.0.0"