Merge pull request #1592 from philips-labs/develop

Release

Author: npalm

.ci/build-yarn.sh

@@ -0,0 +1,11 @@
+#!/usr/bin/env bash
+
+# Build all the lambda's, output on the default place (inside the lambda module)
+
+lambdaSrcDirs=("modules/runner-binaries-syncer/lambdas/runner-binaries-syncer" "modules/runners/lambdas/runners" "modules/webhook/lambdas/webhook")
+repoRoot=$(dirname $(dirname $(realpath ${BASH_SOURCE[0]})))
+
+for lambdaDir in ${lambdaSrcDirs[@]}; do
+    cd "$repoRoot/${lambdaDir}"
+    yarn && yarn run dist
+done

.github/workflows/packer-build.yml

@@ -18,17 +18,20 @@ jobs:
     runs-on: ubuntu-latest
     container:
       image: hashicorp/packer:1.7.8
+    strategy:
+      matrix:
+        image: ["linux-amzn2", "windows-core-2019"]
     defaults:
       run:
-        working-directory: images/linux-amzn2
+        working-directory: images/${{ matrix.image }}
     steps:
       - name: "Checkout"
         uses: actions/checkout@v2
 
       - name: packer init
         run: packer init .
 
-      - name: check terraform formatting
+      - name: check packer formatting
         run: packer fmt -recursive -check=true .        
 
       - name: packer validate

.github/workflows/release.yml

@@ -91,7 +91,7 @@ jobs:
 
     steps:
       - name: Generate provenance for release
-        uses: philips-labs/slsa-provenance-action@v0.4.0
+        uses: philips-labs/slsa-provenance-action@v0.5.0
         with:
           artifact_path: release-assets
           output_path: 'build.provenance'

README.md

@@ -30,11 +30,13 @@ module "runners" {
     webhook_secret = random_id.random.hex
   }
 
+  # Grab zip files via lambda_download
   webhook_lambda_zip                = "lambdas-download/webhook.zip"
   runner_binaries_syncer_lambda_zip = "lambdas-download/runner-binaries-syncer.zip"
   runners_lambda_zip                = "lambdas-download/runners.zip"
-  enable_organization_runners       = false
-  runner_extra_labels               = "default,example"
+
+  enable_organization_runners = false
+  runner_extra_labels         = "default,example"
 
   # enable access to the runners via SSM
   enable_ssm_on_runners = true
@@ -61,7 +63,11 @@ module "runners" {
   instance_types = ["m5.large", "c5.large"]
 
   # override delay of events in seconds
-  delay_webhook_event = 5
+  delay_webhook_event   = 5
+  runners_maximum_count = 1
+
+  # set up a fifo queue to remain order
+  fifo_build_queue = true
 
   # override scaling down
   scale_down_schedule_expression = "cron(* * * * ? *)"

examples/default/main.tf

@@ -0,0 +1,30 @@
+# Action runners deployment ephemeral example
+
+This example is based on the default setup, but shows how runners can be used with the ephemeral flag enabled. Once enabled, ephemeral runners will be used for one job only. Each job requires a fresh instance. This feature should be used in combination with the `workflow_job` event. See GitHub webhook endpoint configuration(link needed here). It is also suggested to use a pre-build AMI to minimize runner launch times.
+## Usages
+
+Steps for the full setup, such as creating a GitHub app can be found in the root module's [README](../../README.md). First download the Lambda releases from GitHub. Alternatively you can build the lambdas locally with Node or Docker, there is a simple build script in `<root>/.ci/build.sh`. In the `main.tf` you can simply remove the location of the lambda zip files, the default location will work in this case.
+
+> Ensure you have set the version in `lambdas-download/main.tf` for running the example. The version needs to be set to a GitHub release version, see https://github.com/philips-labs/terraform-aws-github-runner/releases
+
+```bash
+cd lambdas-download
+terraform init
+terraform apply
+cd ..
+```
+
+Before running Terraform, ensure the GitHub app is configured. See the [configuration details](../../README.md#usages) for more details.
+
+```bash
+terraform init
+terraform apply
+```
+
+You can receive the webhook details by running:
+
+```bash
+terraform output -raw webhook_secret
+```
+
+Be-aware some shells will print some end of line character `%`. 

examples/ephemeral/.terraform.lock.hcl

@@ -0,0 +1,25 @@
+locals {
+  version = "<REPLACE_BY_GITHUB_RELEASE_VERSION>"
+}
+
+module "lambdas" {
+  source = "../../../modules/download-lambda"
+  lambdas = [
+    {
+      name = "webhook"
+      tag  = local.version
+    },
+    {
+      name = "runners"
+      tag  = local.version
+    },
+    {
+      name = "runner-binaries-syncer"
+      tag  = local.version
+    }
+  ]
+}
+
+output "files" {
+  value = module.lambdas.files
+}

examples/ephemeral/README.md

@@ -0,0 +1,71 @@
+locals {
+  environment = "ephemeral"
+  aws_region  = "eu-west-1"
+}
+
+resource "random_id" "random" {
+  byte_length = 20
+}
+
+data "aws_caller_identity" "current" {}
+
+module "runners" {
+  source                          = "../../"
+  create_service_linked_role_spot = true
+  aws_region                      = local.aws_region
+  vpc_id                          = module.vpc.vpc_id
+  subnet_ids                      = module.vpc.private_subnets
+
+  environment = local.environment
+  tags = {
+    Project = "ProjectX"
+  }
+
+  github_app = {
+    key_base64     = var.github_app_key_base64
+    id             = var.github_app_id
+    webhook_secret = random_id.random.hex
+  }
+
+  # Grab the lambda packages from local directory. Must run /.ci/build.sh first
+  webhook_lambda_zip                = "../../lambda_output/webhook.zip"
+  runner_binaries_syncer_lambda_zip = "../../lambda_output/runner-binaries-syncer.zip"
+  runners_lambda_zip                = "../../lambda_output/runners.zip"
+
+  enable_organization_runners = true
+  runner_extra_labels         = "default,example"
+
+  # enable access to the runners via SSM
+  enable_ssm_on_runners = true
+
+  # Let the module manage the service linked role
+  # create_service_linked_role_spot = true
+
+  instance_types = ["m5.large", "c5.large"]
+
+  # override delay of events in seconds
+  delay_webhook_event = 0
+
+  # Ensure you set the number not too low, each build require a new instance
+  runners_maximum_count = 20
+
+  # override scaling down
+  scale_down_schedule_expression = "cron(* * * * ? *)"
+
+  enable_ephemeral_runners = true
+
+  # configure your pre-built AMI
+  # enabled_userdata = false
+  # ami_filter       = { name = ["github-runner-amzn2-x86_64-2021*"] }
+  # ami_owners       = [data.aws_caller_identity.current.account_id]
+
+  # Enable logging
+  # log_level = "debug"
+
+  # Setup a dead letter queue, by default scale up lambda will kepp retrying to process event in case of scaling error.
+  # redrive_policy_build_queue = {
+  #   enabled             = true
+  #   maxReceiveCount     = 50 # 50 retries every 30 seconds => 25 minutes
+  #   deadLetterTargetArn = null
+  # }
+}

examples/ephemeral/lambdas-download/main.tf

@@ -0,0 +1,15 @@
+output "runners" {
+  value = {
+    lambda_syncer_name = module.runners.binaries_syncer.lambda.function_name
+  }
+}
+
+output "webhook_endpoint" {
+  value = module.runners.webhook.endpoint
+}
+
+output "webhook_secret" {
+  sensitive = true
+  value     = random_id.random.hex
+}
+

examples/ephemeral/main.tf

@@ -0,0 +1,3 @@
+provider "aws" {
+  region = local.aws_region
+}

examples/ephemeral/outputs.tf

@@ -0,0 +1,5 @@
+
+variable "github_app_key_base64" {}
+
+variable "github_app_id" {}
+

examples/ephemeral/providers.tf

@@ -0,0 +1,15 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 3.27"
+    }
+    local = {
+      source = "hashicorp/local"
+    }
+    random = {
+      source = "hashicorp/random"
+    }
+  }
+  required_version = ">= 0.14"
+}

examples/ephemeral/variables.tf

@@ -0,0 +1,7 @@
+module "vpc" {
+  source = "git::https://github.com/philips-software/terraform-aws-vpc.git?ref=2.2.0"
+
+  environment                = local.environment
+  aws_region                 = local.aws_region
+  create_private_hosted_zone = false
+}

examples/ephemeral/versions.tf

@@ -4,7 +4,17 @@ This module shows how to create GitHub action runners using a prebuilt AMI for t
 
 ## Usages
 
-Steps for the full setup, such as creating a GitHub app can be found in the root module's [README](../../README.md). 
+Steps for the full setup, such as creating a GitHub app can be found in the root module's [README](../../README.md).
+
+## Variables
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_ami_filter"></a> [ami\_filter](#input\_ami\_filter) | The amis to search.  Use the default for the provided amazon linux image, `github-runner-windows-core-2019-*` for the provided widnows image | `string` | `github-runner-amzn2-x86_64-2021*` | no |
+| <a name="input_github_app_key_base64"></a> [github\_app\_key\_base64](#input\_github\_app\_key\_base64) | The base64 encoded private key you downloaded from GitHub when creating the app | `string` | | yes |
+| <a name="input_github_app_id"></a> [github\_app\_id](#input\_github\_app\_id) | The id of the app you created on GitHub | `string` | | yes |
+| <a name="input_region"></a> [region](#input\_region) | The target aws region | `string` | `eu-west-1` | no |
+| <a name="input_runner_os"></a> [runner\_os](#input\_runner\_os) | The os of the image, either `linux` or `windows` | `string` | `linux` | no |
 
 ### Lambdas
 

examples/ephemeral/vpc.tf

@@ -1,6 +1,5 @@
 locals {
   environment = "prebuilt"
-  aws_region  = "eu-west-1"
 }
 
 resource "random_id" "random" {
@@ -12,7 +11,7 @@ data "aws_caller_identity" "current" {}
 module "runners" {
   source                          = "../../"
   create_service_linked_role_spot = true
-  aws_region                      = local.aws_region
+  aws_region                      = var.aws_region
   vpc_id                          = module.vpc.vpc_id
   subnet_ids                      = module.vpc.private_subnets
 
@@ -24,15 +23,17 @@ module "runners" {
     webhook_secret = random_id.random.hex
   }
 
-  webhook_lambda_zip                = "../../lambda_output/webhook.zip"
-  runner_binaries_syncer_lambda_zip = "../../lambda_output/runner-binaries-syncer.zip"
-  runners_lambda_zip                = "../../lambda_output/runners.zip"
+  webhook_lambda_zip                = "lambdas-download/webhook.zip"
+  runner_binaries_syncer_lambda_zip = "lambdas-download/runner-binaries-syncer.zip"
+  runners_lambda_zip                = "lambdas-download/runners.zip"
 
   runner_extra_labels = "default,example"
 
+  runner_os = var.runner_os
+
   # configure your pre-built AMI
   enabled_userdata = false
-  ami_filter       = { name = ["github-runner-amzn2-x86_64-2021*"] }
+  ami_filter       = { name = [var.ami_name_filter] }
   ami_owners       = [data.aws_caller_identity.current.account_id]
 
   # enable access to the runners via SSM

examples/prebuilt/README.md

@@ -1,3 +1,3 @@
 provider "aws" {
-  region = local.aws_region
+  region = var.aws_region
 }

examples/prebuilt/main.tf

@@ -2,3 +2,18 @@
 variable "github_app_key_base64" {}
 
 variable "github_app_id" {}
+
+variable "runner_os" {
+  type    = string
+  default = "linux"
+}
+
+variable "ami_name_filter" {
+  type    = string
+  default = "github-runner-amzn2-x86_64-2021*"
+}
+
+variable "aws_region" {
+  type    = string
+  default = "eu-west-1"
+}