Merge branch 'release/v0.8.1' into master

npalm · npalm · commit f68d65b7d3a8 · 2020-12-08T14:36:09.000+01:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,18 +7,27 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.8.1] - 2020-12-08
+### Changed
+- Policy is missing for streaming logs to cloudwatch #388
+
 ## [0.8.0] - 2020-12-08
 
 ### Changed
+
 - Examples upgraded to Terraform 13  (#372)
 ### Added
+
 - Streaming runner logs to cloudwatch #375
 
 ## [0.7.0] - 2020-12-04
+
 ### Changed
+
 - Small clarifications in the README #368 @lrytz
 
 ### Added
+
 - Allow operator to pass in a list of managed IAM policy ARNs for the runner role #361 @jpalomaki
 - expand options for sourcing lambda to include S3 #292 @eky5006 
 
@@ -96,7 +105,8 @@ terraform import module.runners.module.webhook.aws_cloudwatch_log_group.webhook
 
 - First release.
 
-[unreleased]: https://github.com/philips-labs/terraform-aws-github-runner/compare/v0.8.0..HEAD
+[unreleased]: https://github.com/philips-labs/terraform-aws-github-runner/compare/v0.8.1..HEAD
+[0.8.1]: https://github.com/philips-labs/terraform-aws-github-runner/releases/tag/v0.8.0..v0.8.1
 [0.8.0]: https://github.com/philips-labs/terraform-aws-github-runner/releases/tag/v0.7.0..v0.8.0
 [0.7.0]: https://github.com/philips-labs/terraform-aws-github-runner/releases/tag/v0.6.0..v0.7.0
 [0.6.0]: https://github.com/philips-labs/terraform-aws-github-runner/releases/tag/v0.5.0..v0.6.0
diff --git a/modules/runners/logging.tf b/modules/runners/logging.tf
@@ -18,3 +18,14 @@ resource "aws_cloudwatch_log_group" "runners" {
   retention_in_days = var.logging_retention_in_days
   tags              = local.tags
 }
+
+resource "aws_iam_role_policy" "cloudwatch" {
+  count = var.enable_ssm_on_runners ? 1 : 0
+  name  = "CloudWatchLogginAndMetrics"
+  role  = aws_iam_role.runner.name
+  policy = templatefile("${path.module}/policies/instance-cloudwatch-policy.json",
+    {
+      ssm_parameter_arn = aws_ssm_parameter.cloudwatch_agent_config_runner[0].arn
+    }
+  )
+}
diff --git a/modules/runners/policies-runner.tf b/modules/runners/policies-runner.tf
@@ -45,3 +45,5 @@ resource "aws_iam_role_policy_attachment" "managed_policies" {
   role       = aws_iam_role.runner.name
   policy_arn = element(var.runner_iam_role_managed_policy_arns, count.index)
 }
+
+// see also logging.tf for logging and metrics policies
diff --git a/modules/runners/policies/instance-cloudwatch-policy.json b/modules/runners/policies/instance-cloudwatch-policy.json
@@ -0,0 +1,25 @@
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Action": [
+                "cloudwatch:PutMetricData",
+                "ec2:DescribeVolumes",
+                "ec2:DescribeTags",
+                "logs:PutLogEvents",
+                "logs:DescribeLogStreams",
+                "logs:DescribeLogGroups",
+                "logs:CreateLogStream"
+            ],
+            "Resource": "*"
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "ssm:GetParameter"
+            ],
+            "Resource": "${ssm_parameter_arn}/*"
+        }
+    ]
+}

Original file line number	Diff line number	Diff line change
`@@ -45,3 +45,5 @@ resource "aws_iam_role_policy_attachment" "managed_policies" {`
`45`	`45`	`role = aws_iam_role.runner.name`
`46`	`46`	`policy_arn = element(var.runner_iam_role_managed_policy_arns, count.index)`
`47`	`47`	`}`
	`48`	`+`
	`49`	`+// see also logging.tf for logging and metrics policies`