feat!: restructure module variables (#723)

## Description Restructures all input variables of the agent and executor. Closes #467 (add network_mode to docker.runner config) Closes #513 (wait_for_services_timeout paramete) Closes #819 ## Migrations required YES. Check the script in `/migrations/migrate-to-7-0-0.sh`. --------- Co-authored-by: Tyrone Meijn <[email protected]> Co-authored-by: Niek Palm <[email protected]>
cattle-ops · Sep 7, 2023 · b8a8c1c · b8a8c1c
1 parent b8fdc06
commit b8a8c1c
Show file tree

Hide file tree

Showing 31 changed files with 1,797 additions and 1,316 deletions.
diff --git a/.cspell.json b/.cspell.json
@@ -2,8 +2,10 @@
   "version": "0.2",
   "language": "en",
   "words": [
+    "alltrue",
     "amazonec",
     "amannn",
+    "amazonec",
     "anytrue",
     "aquasecurity",
     "awscli",
@@ -16,14 +18,16 @@
     "codeowners",
     "companys",
     "concat",
+    "cpu",
+    "cpus",
+    "cpuset",
     "devskim",
     "dind",
     "endfor",
+    "filesha",
     "formatlist",
     "gitter",
-    "godotenv",
-    "golangci",
-    "gruntwork",
+    "glrunners",
     "instancelifecycle",
     "kics",
     "joho",
@@ -38,24 +42,31 @@
     "pylint",
     "pylintrc",
     "pyright",
+    "setsubtract",
     "shuf",
     "signoff",
     "signum",
     "stretchr",
+    "subkey",
     "substr",
+    "sysctl",
+    "sysctls",
     "templatefile",
     "terrascan",
     "terratest",
     "tfenv",
     "tflint",
     "tftpl",
     "tfsec",
+    "tftpl",
     "tfvars",
     "tmpfs",
     "trivy",
     "typecheck",
     "userdata",
-    "xanzy"
+    "userns",
+    "xanzy",
+    "xvda"
   ],
   "flagWords": []
 }
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -31,7 +31,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        terraform: [ 1.0.11, 1.3.9, latest ]
+        terraform: [ 1.3.9, latest ]
         example:
           [
             "runner-default",
@@ -137,7 +137,8 @@ jobs:
         run: tflint --init
 
       - name: Run TFLint
-        run: tflint --var 'enable_kms=true'
+        # assign necessary variables to avoid errors
+        run: "tflint --var 'enable_managed_kms_key=true' --var='runner_instance={\"name_prefix\": \"a\", \"name\": \"b\"}'"
 
   tfsec:
     name: tfsec PR commenter

diff --git a/.mega-linter.yml b/.mega-linter.yml
@@ -4,6 +4,8 @@ DISABLE_LINTERS:
   - TERRAFORM_TFLINT
   # Super slow linter, but useful. We disable it here and run it in parallel to Megalinter saves some minutes.
   - REPOSITORY_KICS
+  # has issues with the Terraform code `optional` variable definitions: https://github.com/tenable/terrascan/issues/1532
+  - TERRAFORM_TERRASCAN
   # Nice linter to report CVEs and other cool stuff. But it reports problems with the Terraform code which can't be disabled by
   # configuration.
   - REPOSITORY_TRIVY

diff --git a/.terraform-version b/.terraform-version
@@ -1 +1 @@
-1.0.8
+1.3.0
diff --git a/README.md b/README.md
@@ -1,8 +1,9 @@
 <!-- First line should be a H1: Badges on top please! -->
-<!-- markdownlint-disable MD041 -->
+<!-- markdownlint-disable MD041/first-line-heading/first-line-h1 -->
 [![Terraform registry](https://img.shields.io/github/v/release/cattle-ops/terraform-aws-gitlab-runner?label=Terraform%20Registry)](https://registry.terraform.io/modules/cattle-ops/gitlab-runner/aws/)
 [![Gitter](https://badges.gitter.im/terraform-aws-gitlab-runner/Lobby.svg)](https://gitter.im/terraform-aws-gitlab-runner/Lobby?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge)
 [![Actions](https://github.com/cattle-ops/terraform-aws-gitlab-runner/workflows/CI/badge.svg)](https://github.com/cattle-ops/terraform-aws-gitlab-runner/actions)
+<!-- markdownlint-enable MD041/first-line-heading/first-line-h1 -->
 
 # Terraform module for GitLab auto scaling runners on AWS spot instances <!-- omit in toc -->
 
@@ -385,13 +386,12 @@ module "runner" {
 
 Since spot instances can be taken over by AWS depending on the instance type and AZ you are using, you may want multiple instances
 types in multiple AZs. This is where spot fleets come in, when there is no capacity on one instance type and one AZ, AWS will take
-the next instance type and so on. This update has been possible since the [fork](https://gitlab.com/cki-project/docker-machine/-/tree/v0.16.2-gitlab.19-cki.2)
-of docker-machine supports spot fleets.
+the next instance type and so on. This update has been possible since the
+[fork](https://gitlab.com/cki-project/docker-machine/-/tree/v0.16.2-gitlab.19-cki.2) of docker-machine supports spot fleets.
 
 We have seen that the [fork](https://gitlab.com/cki-project/docker-machine/-/tree/v0.16.2-gitlab.19-cki.2) of docker-machine this
-module is using consume more RAM using spot fleets.
-For comparison, if you launch 50 machines in the same time, it consumes ~1.2GB of RAM. In our case, we had to change the
-`instance_type` of the runner from `t3.micro` to `t3.small`.
+module is using consume more RAM using spot fleets. For comparison, if you launch 50 machines in the same time, it consumes
+~1.2GB of RAM. In our case, we had to change the `instance_type` of the runner from `t3.micro` to `t3.small`.
 
 #### Configuration example
 
@@ -685,7 +685,6 @@ Made with [contributors-img](https://contrib.rocks).
 | <a name="input_runners_pre_clone_script"></a> [runners\_pre\_clone\_script](#input\_runners\_pre\_clone\_script) | Commands to be executed on the Runner before cloning the Git repository. this can be used to adjust the Git client configuration first, for example. | `string` | `"\"\""` | no |
 | <a name="input_runners_privileged"></a> [runners\_privileged](#input\_runners\_privileged) | Runners will run in privileged mode, will be used in the runner config.toml | `bool` | `true` | no |
 | <a name="input_runners_pull_policies"></a> [runners\_pull\_policies](#input\_runners\_pull\_policies) | pull policies for the runners, will be used in the runner config.toml, for Gitlab Runner >= 13.8, see https://docs.gitlab.com/runner/executors/docker.html#using-multiple-pull-policies | `list(string)` | <pre>[<br>  "always"<br>]</pre> | no |
-| <a name="input_runners_pull_policy"></a> [runners\_pull\_policy](#input\_runners\_pull\_policy) | Deprecated! Use runners\_pull\_policies instead. pull\_policy for the runners, will be used in the runner config.toml | `string` | `""` | no |
 | <a name="input_runners_request_concurrency"></a> [runners\_request\_concurrency](#input\_runners\_request\_concurrency) | Limit number of concurrent requests for new jobs from GitLab (default 1). | `number` | `1` | no |
 | <a name="input_runners_request_spot_instance"></a> [runners\_request\_spot\_instance](#input\_runners\_request\_spot\_instance) | Whether or not to request spot instances via docker-machine | `bool` | `true` | no |
 | <a name="input_runners_root_size"></a> [runners\_root\_size](#input\_runners\_root\_size) | Runner instance root size in GB. | `number` | `16` | no |

diff --git a/examples/runner-certificates/README.md b/examples/runner-certificates/README.md
@@ -32,20 +32,24 @@ Create a PEM-encoded `.crt` file containing the public certificate of your Gitla
 
 ```hcl
 module {
-  ...
+  # ...
   # Public cert of my companys gitlab instance
-  runners_gitlab_certificate = file("${path.module}/my_gitlab_instance_cert.crt")
-  ...
+  runner_gitlab = {
+    certificate = file("${path.module}/my_gitlab_instance_cert.crt")
+  }  
+  # ...
 }
 ```
 
 Add your CA and intermediary certs to a second PEM-encoded `.crt` file.
 ```hcl
 module {
-  ...
+  # ...
   # Other public certs relating to my company.
-  runners_ca_certificate = file("${path.module}/my_company_ca_cert_bundle.crt")
-  ...
+  runner_gitlab = {
+    ca_certificate = file("${path.module}/my_company_ca_cert_bundle.crt")
+  }
+  # ...
 }
 ```
 
@@ -58,15 +62,17 @@ For **user images**, you must:
     The runner module can be configured to do this step. Configure the module like so:
 
     ```terraform
-    module {
+    module "runner" {
       # ...
       
       # Mount EC2 host certs in docker so all user docker images can reference them.
-      runners_additional_volumes = ["/etc/gitlab-runner/certs/:/etc/gitlab-runner/certs:ro"]
-      
-        # ...
+      runner_worker_docker_options = {
+        volumes = ["/etc/gitlab-runner/certs/:/etc/gitlab-runner/certs:ro"]
       }
-      ```
+      
+      # ...
+    }
+    ```
       
 2. Trust the certificates from within the user image.
 
@@ -107,17 +113,18 @@ For **user images**, you must:
     This avoids maintaining the script in each pipeline file, but expects that all user images use the same OS.
 
     ```terraform
-    module {
+    module "runner" {
       # ...
     
-      runners_pre_build_script = <<EOT
-      '''
-      apt-get install -y ca-certificates
-      cp /etc/gitlab-runner/certs/* /usr/local/share/ca-certificates/
-      update-ca-certificates
-      '''
-      EOT
-    
+      runner_worker_gitlab_pipeline = {
+        pre_build_script = <<EOT
+        '''
+        apt-get install -y ca-certificates
+        cp /etc/gitlab-runner/certs/* /usr/local/share/ca-certificates/
+        update-ca-certificates
+        '''
+        EOT
+      }
       # ...
     }
     ```

diff --git a/examples/runner-certificates/main.tf b/examples/runner-certificates/main.tf
@@ -27,37 +27,36 @@ module "runner" {
   ###############################################
   # General
   ###############################################
-
-  runners_name       = var.runner_name
-  runners_gitlab_url = var.gitlab_url
-
-  runners_executor = "docker"
-
-  aws_region  = var.aws_region
   environment = var.environment
 
   ###############################################
   # Certificates
   ###############################################
 
   # Public cert of my companys gitlab instance
-  runners_gitlab_certificate = file("${path.module}/my_gitlab_instance_cert.crt")
-
   # Other public certs relating to my company.
-  runners_ca_certificate = file("${path.module}/my_company_ca_cert_bundle.crt")
+  runner_gitlab = {
+    url            = var.gitlab_url
+    certificate    = file("${path.module}/my_gitlab_instance_cert.crt")
+    ca_certificate = file("${path.module}/my_company_ca_cert_bundle.crt")
+  }
 
   # Mount EC2 host certs in docker so all user docker images can reference them.
   # Each user image will need to do:
   # cp /etc/gitlab-runner/certs/* /usr/local/share/ca-certificates/
   # update-ca-certificates
   # Or similar OS-dependent commands. The above are an example for Ubuntu.
-  runners_additional_volumes = ["/etc/gitlab-runner/certs/:/etc/gitlab-runner/certs:ro"]
+  runner_worker_docker_options = {
+    volumes = [
+      "/cache",
+      "/etc/gitlab-runner/certs/:/etc/gitlab-runner/certs:ro"
+    ]
+  }
 
   ###############################################
   # Registration
   ###############################################
-
-  gitlab_runner_registration_config = {
+  runner_gitlab_registration_config = {
     registration_token = var.registration_token
     tag_list           = "docker_runner"
     description        = "runner docker - auto"
@@ -71,5 +70,11 @@ module "runner" {
   ###############################################
   vpc_id    = module.vpc.vpc_id
   subnet_id = element(module.vpc.public_subnets, 0)
+  runner_instance = {
+    name = var.runner_name
+  }
 
+  runner_worker = {
+    type = "docker"
+  }
 }