Merge branch 'develop' of https://github.com/philips-labs/terraform-aws-github-runner into philips-labs-develop

# Conflicts:
#	README.md
#	modules/runner-binaries-syncer/lambdas/runner-binaries-syncer/yarn.lock
#	modules/runners/lambdas/runners/package.json
#	modules/runners/lambdas/runners/yarn.lock
#	modules/webhook/lambdas/webhook/src/webhook/handler.test.ts
#	modules/webhook/lambdas/webhook/src/webhook/handler.ts
#	variables.tf

Author: aadrijnberg

.gitignore

@@ -16,7 +16,7 @@ secrets.auto.tfvars
 *.zip
 *.gz
 *.tgz
-*.env
+*.env*
 .vscode
 
 **/coverage/*

CHANGELOG.md

@@ -1,5 +1,12 @@
 # Changelog
 
+## [0.15.0](https://github.com/philips-labs/terraform-aws-github-runner/compare/v0.14.0...v0.15.0) (2021-07-07)
+
+
+### Features
+
+* Added support for white listing of repositories ([#915](https://github.com/philips-labs/terraform-aws-github-runner/issues/915)) ([b1f451a](https://github.com/philips-labs/terraform-aws-github-runner/commit/b1f451a0bddf8606b443c5150e939e7628645ccf))
+
 ## [0.14.0](https://github.com/philips-labs/terraform-aws-github-runner/compare/v0.13.1...v0.14.0) (2021-06-17)
 
 

README.md

@@ -118,7 +118,6 @@ Go to GitHub and [create a new app](https://docs.github.com/en/developers/apps/c
      - `Administration`: Read & write (to register runner)
 7. _Permissions for organization level runners only_:
    - Organization
-     - `Administration`: Read & write (to register runner)
      - `Self-hosted runners`: Read & write (to register runner)
 8. Save the new app.
 9. On the General page, make a note of the "App ID" and "Client ID" parameters.
@@ -348,6 +347,7 @@ No requirements.
 | block\_device\_mappings | The EC2 instance block device configuration. Takes the following keys: `device_name`, `delete_on_termination`, `volume_type`, `volume_size`, `encrypted`, `iops` | `map(string)` | `{}` | no |
 | cloudwatch\_config | (optional) Replaces the module default cloudwatch log config. See https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Agent-Configuration-File-Details.html for details. | `string` | `null` | no |
 | create\_service\_linked\_role\_spot | (optional) create the serviced linked role for spot instances that is required by the scale-up lambda. | `bool` | `false` | no |
+| delay\_webhook\_event | The number of seconds the event accepted by the webhook is invisible on the queue before the scale up lambda will receive the event. | `number` | `30` | no |
 | enable\_cloudwatch\_agent | Enabling the cloudwatch agent on the ec2 runner instances, the runner contains default config. Configuration can be overridden via `cloudwatch_config`. | `bool` | `true` | no |
 | enable\_organization\_runners | Register runners to organization, instead of repo level | `bool` | `false` | no |
 | enable\_ssm\_on\_runners | Enable to allow access the runner instances for debugging purposes via SSM. Note that this adds additional permissions to the runner instances. | `bool` | `false` | no |
@@ -368,7 +368,7 @@ No requirements.
 | manage\_kms\_key | Let the module manage the KMS key. | `bool` | `true` | no |
 | market\_options | Market options for the action runner instances. Setting the value to `null` let the scaler create on-demand instances instead of spot instances. | `string` | `"spot"` | no |
 | minimum\_running\_time\_in\_minutes | The time an ec2 action runner should be running at minimum before terminated if non busy. | `number` | `5` | no |
-| repository\_white\_list | (optional) List of github repository full names (owner/repo_name) that will be allowed to call the runners. Leave empty for no filtering | `list(string)` | `[]` | no |
+| repository\_white\_list | List of repositories allowed to use the github app | `list(string)` | `[]` | no |
 | role\_path | The path that will be added to role path for created roles, if not set the environment name will be used. | `string` | `null` | no |
 | role\_permissions\_boundary | Permissions boundary that will be added to the created roles. | `string` | `null` | no |
 | runner\_additional\_security\_group\_ids | (optional) List of additional security groups IDs to apply to the runner | `list(string)` | `[]` | no |

examples/default/.terraform-version

@@ -0,0 +1 @@
+1.0.2

examples/default/.terraform.lock.hcl

@@ -15,9 +15,17 @@ terraform apply
 cd ..
 ```
 
-Before running Terraform, ensure the GitHub app is configured.
+Before running Terraform, ensure the GitHub app is configured. See the [configuration details](../../README.md#usages) for more details.
 
 ```bash
 terraform init
 terraform apply
 ```
+
+You can receive the webhook details by running:
+
+```bash
+terraform output -raw webhook_secret
+```
+
+Be-aware some shells will print some end of line character `%`. 

examples/default/README.md

@@ -4,9 +4,12 @@ output "runners" {
   }
 }
 
-output "webhook" {
-  value = {
-    secret   = random_password.random.result
-    endpoint = module.runners.webhook.endpoint
-  }
+output "webhook_endpoint" {
+  value = module.runners.webhook.endpoint
 }
+
+output "webhook_secret" {
+  sensitive = true
+  value     = random_password.random.result
+}
+

examples/default/outputs.tf

@@ -1,4 +1,3 @@
 provider "aws" {
-  region  = local.aws_region
-  version = "3.20"
+  region = local.aws_region
 }

examples/default/providers.tf

@@ -0,0 +1,15 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 3.20"
+    }
+    local = {
+      source = "hashicorp/local"
+    }
+    random = {
+      source = "hashicorp/random"
+    }
+  }
+  required_version = ">= 0.14"
+}

examples/default/versions.tf

@@ -17,7 +17,7 @@ resource "random_string" "random" {
 
 resource "aws_sqs_queue" "queued_builds" {
   name                        = "${var.environment}-queued-builds.fifo"
-  delay_seconds               = 30
+  delay_seconds               = var.delay_webhook_event
   visibility_timeout_seconds  = var.runners_scale_up_lambda_timeout
   fifo_queue                  = true
   receive_wait_time_seconds   = 10

main.tf

@@ -21,7 +21,7 @@
     "@types/request": "^2.48.4",
     "@typescript-eslint/eslint-plugin": "^4.28.0",
     "@typescript-eslint/parser": "^4.17.0",
-    "@zeit/ncc": "^0.22.1",
+    "@vercel/ncc": "^0.29.0",
     "aws-sdk": "^2.888.0",
     "eslint": "^7.24.0",
     "jest": "^26.6.3",

modules/runner-binaries-syncer/lambdas/runner-binaries-syncer/package.json

@@ -1,7 +1,7 @@
 import { handle } from './syncer/handler';
 
 // eslint-disable-next-line
-module.exports.handler = async (event: any, context: any, callback: any): Promise<any> => {
+export const handler = async (event: any, context: any, callback: any): Promise<void> => {
   await handle();
-  return callback();
+  callback();
 };

modules/runner-binaries-syncer/lambdas/runner-binaries-syncer/src/lambda.ts

@@ -890,10 +890,10 @@
     "@typescript-eslint/types" "4.28.0"
     eslint-visitor-keys "^2.0.0"
 
-"@zeit/ncc@^0.22.1":
-  version "0.22.3"
-  resolved "https://registry.yarnpkg.com/@zeit/ncc/-/ncc-0.22.3.tgz#fca6b86b4454ce7a7e1e7e755165ec06457f16cd"
-  integrity sha512-jnCLpLXWuw/PAiJiVbLjA8WBC0IJQbFeUwF4I9M+23MvIxTxk5pD4Q8byQBSPmHQjz5aBoA7AKAElQxMpjrCLQ==
+"@vercel/ncc@^0.29.0":
+  version "0.29.0"
+  resolved "https://registry.yarnpkg.com/@vercel/ncc/-/ncc-0.29.0.tgz#ac23fc23f1593b05c72360108bcf6d849d2f317a"
+  integrity sha512-p+sB835wOSDdgm2mgFgSOcXJF84AqZ+vBEnnGS0sm8veA92Hia7sqH0qEnqeFilPl+cXtxbdh2er+WdlfbVCZA==
 
 abab@^2.0.3, abab@^2.0.5:
   version "2.0.5"

modules/runner-binaries-syncer/lambdas/runner-binaries-syncer/yarn.lock

@@ -20,7 +20,7 @@
     "@types/jest": "^26.0.20",
     "@typescript-eslint/eslint-plugin": "^4.17.0",
     "@typescript-eslint/parser": "^4.22.0",
-    "@vercel/ncc": "^0.28.6",
+    "@vercel/ncc": "^0.29.0",
     "eslint": "^7.22.0",
     "jest": "^26.6.3",
     "jest-mock-extended": "^1.0.13",
@@ -41,4 +41,4 @@
     "typescript": "^4.2.3",
     "yn": "^4.0.0"
   }
-}
+}

modules/runners/lambdas/runners/package.json

@@ -1,26 +1,27 @@
-import { scaleUp } from './scale-runners/scale-up';
-import { scaleDown } from './scale-runners/scale-down';
+import { scaleUp as scaleUpAction } from './scale-runners/scale-up';
+import { scaleDown as scaleDownAction } from './scale-runners/scale-down';
 import { SQSEvent, ScheduledEvent, Context } from 'aws-lambda';
 
-module.exports.scaleUp = async (event: SQSEvent, context: Context, callback: any) => {
+export const scaleUp = async (event: SQSEvent, context: Context, callback: any): Promise<void> => {
   console.dir(event, { depth: 5 });
   try {
     for (const e of event.Records) {
-      await scaleUp(e.eventSource, JSON.parse(e.body));
+      await scaleUpAction(e.eventSource, JSON.parse(e.body));
     }
-    return callback(null);
+
+    callback(null);
   } catch (e) {
     console.error(e);
-    return callback('Failed handling SQS event');
+    callback('Failed handling SQS event');
   }
 };
 
-module.exports.scaleDown = async (event: ScheduledEvent, context: Context, callback: any) => {
+export const scaleDown = async (event: ScheduledEvent, context: Context, callback: any): Promise<void> => {
   try {
-    scaleDown();
-    return callback(null);
+    scaleDownAction();
+    callback(null);
   } catch (e) {
     console.error(e);
-    return callback('Failed');
+    callback('Failed');
   }
 };

modules/runners/lambdas/runners/src/lambda.ts

@@ -983,10 +983,10 @@
     "@typescript-eslint/types" "4.27.0"
     eslint-visitor-keys "^2.0.0"
 
-"@vercel/ncc@^0.28.6":
-  version "0.28.6"
-  resolved "https://registry.yarnpkg.com/@vercel/ncc/-/ncc-0.28.6.tgz#073c0ce8e0269210c0a9f180fb0bf949eecc20e0"
-  integrity sha512-t4BoSSuyK8BZaUE0gV18V6bkFs4st7baumtFGa50dv1tMu2GDBEBF8sUZaKBdKiL6DzJ2D2+XVCwYWWDcQOYdQ==
+"@vercel/ncc@^0.29.0":
+  version "0.29.0"
+  resolved "https://registry.yarnpkg.com/@vercel/ncc/-/ncc-0.29.0.tgz#ac23fc23f1593b05c72360108bcf6d849d2f317a"
+  integrity sha512-p+sB835wOSDdgm2mgFgSOcXJF84AqZ+vBEnnGS0sm8veA92Hia7sqH0qEnqeFilPl+cXtxbdh2er+WdlfbVCZA==
 
 abab@^2.0.3, abab@^2.0.5:
   version "2.0.5"

modules/runners/lambdas/runners/yarn.lock

@@ -14,10 +14,11 @@ resource "aws_iam_instance_profile" "runner" {
   path = local.instance_profile_path
 }
 
-resource "aws_iam_role_policy_attachment" "runner_session_manager_aws_managed" {
-  count      = var.enable_ssm_on_runners ? 1 : 0
-  role       = aws_iam_role.runner.name
-  policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
+resource "aws_iam_role_policy" "runner_session_manager_aws_managed" {
+  name   = "runner-ssm-session"
+  count  = var.enable_ssm_on_runners ? 1 : 0
+  role   = aws_iam_role.runner.name
+  policy = templatefile("${path.module}/policies/instance-ssm-policy.json", {})
 }
 
 resource "aws_iam_role_policy" "ssm_parameters" {

modules/runners/policies-runner.tf

@@ -0,0 +1,46 @@
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Action": [
+                "ssm:DescribeAssociation",
+                "ssm:GetDeployablePatchSnapshotForInstance",
+                "ssm:GetDocument",
+                "ssm:DescribeDocument",
+                "ssm:GetManifest",
+                "ssm:ListAssociations",
+                "ssm:ListInstanceAssociations",
+                "ssm:PutInventory",
+                "ssm:PutComplianceItems",
+                "ssm:PutConfigurePackageResult",
+                "ssm:UpdateAssociationStatus",
+                "ssm:UpdateInstanceAssociationStatus",
+                "ssm:UpdateInstanceInformation"
+            ],
+            "Resource": "*"
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "ssmmessages:CreateControlChannel",
+                "ssmmessages:CreateDataChannel",
+                "ssmmessages:OpenControlChannel",
+                "ssmmessages:OpenDataChannel"
+            ],
+            "Resource": "*"
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "ec2messages:AcknowledgeMessage",
+                "ec2messages:DeleteMessage",
+                "ec2messages:FailMessage",
+                "ec2messages:GetEndpoint",
+                "ec2messages:GetMessages",
+                "ec2messages:SendReply"
+            ],
+            "Resource": "*"
+        }
+    ]
+}

modules/runners/policies/instance-ssm-policy.json

@@ -21,7 +21,7 @@
     "@types/node": "^15.12.2",
     "@typescript-eslint/eslint-plugin": "^4.22.0",
     "@typescript-eslint/parser": "^4.22.0",
-    "@zeit/ncc": "^0.22.1",
+    "@vercel/ncc": "0.29.0",
     "aws-sdk": "^2.888.0",
     "body-parser": "^1.19.0",
     "eslint": "^7.29.0",
@@ -33,6 +33,6 @@
   },
   "dependencies": {
     "@octokit/rest": "^18.3.5",
-    "@octokit/webhooks": "^8.5.4"
+    "@octokit/webhooks": "^9.10.0"
   }
 }

modules/webhook/lambdas/webhook/package.json

@@ -1,8 +1,8 @@
-import { handle as githubWebhook } from './webhook/handler';
+import { handle } from './webhook/handler';
 
-module.exports.githubWebhook = async (event: any, context: any, callback: any) => {
-  const statusCode = await githubWebhook(event.headers, event.body);
-  return callback(null, {
+export const githubWebhook = async (event: any, context: any, callback: any): Promise<void> => {
+  const statusCode = await handle(event.headers, event.body);
+  callback(null, {
     statusCode: statusCode,
   });
 };

modules/webhook/lambdas/webhook/src/lambda.ts

@@ -92,5 +92,4 @@ describe('handler', () => {
     expect(resp).toBe(200);
     expect(sendActionRequest).toBeCalled();
   });
-
 });