feat: changes

docker-src/Dockerfile

@@ -1,5 +1,5 @@
 # base image
-FROM ubuntu:22.04
+FROM --platform=linux/amd64 ubuntu:22.04
 
 #input GitHub runner version argument
 # ARG RUNNER_VERSION

docker-src/scripts/start.sh

@@ -1,17 +1,24 @@
 #!/bin/bash
 
-GH_OWNER="rstuhlmuller"
-GH_REPOSITORY="aws-ecs-github-runners"
-GH_TOKEN=""
+GH_OWNER=$GH_OWNER
+GH_REPOSITORY=$GH_REPOSITORY
+GH_TOKEN=$GH_TOKEN
+LABELS=$LABELS
 
 RUNNER_SUFFIX=$(cat /dev/urandom | tr -dc 'a-z0-9' | fold -w 5 | head -n 1)
-RUNNER_NAME="dockerNode-${RUNNER_SUFFIX}"
+RUNNER_NAME="${RUNNER_PREFIX}-${RUNNER_SUFFIX}"
+
+echo "Configuring runner ${RUNNER_NAME}..."
 
 REG_TOKEN=$(curl -sX POST -H "Accept: application/vnd.github.v3+json" -H "Authorization: token ${GH_TOKEN}" https://api.github.com/repos/${GH_OWNER}/${GH_REPOSITORY}/actions/runners/registration-token | jq .token --raw-output)
 
 cd /home/docker/actions-runner
 
-./config.sh --unattended --url https://github.com/${GH_OWNER}/${GH_REPOSITORY} --token ${REG_TOKEN} --name ${RUNNER_NAME}
+./config.sh --unattended --url https://github.com/${GH_OWNER}/${GH_REPOSITORY} \
+    --token ${REG_TOKEN} \
+    --name ${RUNNER_NAME} \
+    --labels "${LABELS:-default}" \
+    --replace
 
 cleanup() {
     echo "Removing runner..."

main.tf

@@ -43,26 +43,27 @@ resource "aws_ecs_cluster" "github_runner_cluster" {
 }
 
 resource "aws_ecs_service" "runner" {
-  name            = "github-runner"
-  cluster         = aws_ecs_cluster.github_runner_cluster.id
-  task_definition = aws_ecs_task_definition.runner.arn
-  desired_count   = 1
-  launch_type     = "FARGATE"
+  name                 = var.service_name
+  cluster              = aws_ecs_cluster.github_runner_cluster.id
+  task_definition      = aws_ecs_task_definition.runner.arn
+  desired_count        = 1
+  launch_type          = "FARGATE"
+  force_new_deployment = var.force_image_rebuild
   network_configuration {
     subnets          = var.subnet_ids
     security_groups  = var.security_group_ids
     assign_public_ip = true
   }
 }
 
-# resource "aws_secretsmanager_secret" "github_token" {
-#   name = "github-token"
-# }
+resource "aws_secretsmanager_secret" "github_token" {
+  name = var.secret_name
+}
 
-# resource "aws_secretsmanager_secret_version" "github_token" {
-#   secret_id     = aws_secretsmanager_secret.github_token.id
-#   secret_string = var.runner_token
-# }
+resource "aws_secretsmanager_secret_version" "github_token" {
+  secret_id     = aws_secretsmanager_secret.github_token.id
+  secret_string = var.runner_token
+}
 
 resource "aws_iam_role" "ecs_task_execution_role" {
   name = "aws-ecs-github-runner-task-execution-role"
@@ -85,14 +86,14 @@ resource "aws_iam_role" "ecs_task_execution_role" {
     policy = jsonencode({
       Version = "2012-10-17"
       Statement = [
-        # {
-        #   Sid    = "SecretsManager"
-        #   Effect = "Allow"
-        #   Action = [
-        #     "secretsmanager:GetSecretValue"
-        #   ]
-        #   Resource = "${aws_secretsmanager_secret.github_token.arn}"
-        # },
+        {
+          Sid    = "SecretsManager"
+          Effect = "Allow"
+          Action = [
+            "secretsmanager:GetSecretValue"
+          ]
+          Resource = "${aws_secretsmanager_secret.github_token.arn}"
+        },
         {
           Sid    = "ECR"
           Effect = "Allow"
@@ -119,36 +120,14 @@ resource "aws_iam_role" "ecs_task_execution_role" {
       ]
     })
   }
-  inline_policy {
-    name = "ecr"
-
-    policy = jsonencode({
-      Version = "2012-10-17"
-      Statement = [
-        {
-          Effect = "Allow"
-          Action = [
-            "ecr:BatchGetImage",
-            "ecr:GetDownloadUrlForLayer",
-            "ecr:GetAuthorizationToken",
-            "logs:CreateLogGroup",
-            "logs:CreateLogStream",
-            "logs:PutLogEvents",
-            "logs:DescribeLogStreams"
-          ]
-          Resource = "*"
-        },
-      ]
-    })
-  }
 }
 
 resource "aws_ecs_task_definition" "runner" {
   family                   = "Runners"
   requires_compatibilities = ["FARGATE"]
   network_mode             = "awsvpc"
-  cpu                      = 1024
-  memory                   = 2048
+  cpu                      = 1024 * 1
+  memory                   = 1024 * 3
   execution_role_arn       = aws_iam_role.ecs_task_execution_role.arn
   container_definitions = jsonencode([
     {
@@ -163,6 +142,30 @@ resource "aws_ecs_task_definition" "runner" {
           "appProtocol" : "http"
         }
       ],
+      "environment" : [
+        {
+          "name" : "RUNNER_PREFIX",
+          "value" : "${var.runner_prefix}"
+        },
+        {
+          "name" : "GH_OWNER",
+          "value" : "${var.github_owner}"
+        },
+        {
+          "name" : "GH_REPOSITORY",
+          "value" : "${var.github_repository}"
+        },
+        {
+          "name" : "LABELS",
+          "value" : "${var.labels}"
+        }
+      ]
+      "secrets" : [
+        {
+          "name" : "GH_TOKEN",
+          "valueFrom" : "${aws_secretsmanager_secret.github_token.arn}"
+        }
+      ],
       "essential" : true,
       "logConfiguration" : {
         "logDriver" : "awslogs",

variables.tf

@@ -12,7 +12,34 @@ variable "security_group_ids" {
   type = list(string)
 }
 
-# variable "runner_token" {
-#   type      = string
-#   sensitive = true
-# }
+variable "runner_token" {
+  type      = string
+  sensitive = true
+}
+
+variable "runner_prefix" {
+  type    = string
+  default = "aws-ecs-github-runner"
+}
+
+variable "github_owner" {
+  type = string
+}
+
+variable "github_repository" {
+  type = string
+}
+
+variable "labels" {
+  type = string
+}
+
+variable "secret_name" {
+  type    = string
+  default = "aws-ecs-github-runner-token"
+}
+
+variable "service_name" {
+  type    = string
+  default = "github-runner"
+}