From d03b77efc7494195aa838c373214298c500e382f Mon Sep 17 00:00:00 2001
From: rstuhlmuller
Date: Thu, 7 Dec 2023 13:43:52 -0800
Subject: [PATCH] feat: changes

---
 .gitattributes              |  2 -
 docker-src/Dockerfile       |  2 +-
 docker-src/scripts/start.sh | 17 +++++--
 main.tf                     | 91 +++++++++++++++++++------------------
 variables.tf                | 35 ++++++++++++--
 5 files changed, 91 insertions(+), 56 deletions(-)
 delete mode 100644 .gitattributes

diff --git a/.gitattributes b/.gitattributes
deleted file mode 100644
index dfe0770..0000000
--- a/.gitattributes
+++ /dev/null
@@ -1,2 +0,0 @@
-# Auto detect text files and perform LF normalization
-* text=auto
diff --git a/docker-src/Dockerfile b/docker-src/Dockerfile
index 36379aa..ccfd6ad 100644
--- a/docker-src/Dockerfile
+++ b/docker-src/Dockerfile
@@ -1,5 +1,5 @@
 # base image
-FROM ubuntu:22.04
+FROM --platform=linux/amd64 ubuntu:22.04
 #input GitHub runner version argument
 # ARG RUNNER_VERSION
diff --git a/docker-src/scripts/start.sh b/docker-src/scripts/start.sh
index ca0a166..2a37b22 100644
--- a/docker-src/scripts/start.sh
+++ b/docker-src/scripts/start.sh
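Review bot: The new `FROM` line pins the platform but still pulls `ubuntu:22.04` by mutable tag, so the base image the runner is built on can change between builds without any change in this repository. Pinning the digest next to the tag, `FROM --platform=linux/amd64 ubuntu:22.04@sha256:<DIGEST-OF-VERIFIED-IMAGE>`, makes the build reproducible and ties the runner image to one reviewed base; the tag stays for readability, the digest is what the daemon actually verifies. Bumping the digest then becomes a visible, reviewable change rather than an implicit one.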
@@ -1,17 +1,24 @@
 #!/bin/bash
-GH_OWNER="rstuhlmuller"
-GH_REPOSITORY="aws-ecs-github-runners"
-GH_TOKEN=""
+GH_OWNER=$GH_OWNER
+GH_REPOSITORY=$GH_REPOSITORY
+GH_TOKEN=$GH_TOKEN
+LABELS=$LABELS
 RUNNER_SUFFIX=$(cat /dev/urandom | tr -dc 'a-z0-9' | fold -w 5 | head -n 1)
-RUNNER_NAME="dockerNode-${RUNNER_SUFFIX}"
+RUNNER_NAME="${RUNNER_PREFIX}-${RUNNER_SUFFIX}"
+
+echo "Configuring runner ${RUNNER_NAME}..."
 REG_TOKEN=$(curl -sX POST -H "Accept: application/vnd.github.v3+json" -H "Authorization: token ${GH_TOKEN}" https://api.github.com/repos/${GH_OWNER}/${GH_REPOSITORY}/actions/runners/registration-token | jq .token --raw-output)
 cd /home/docker/actions-runner
-./config.sh --unattended --url https://github.com/${GH_OWNER}/${GH_REPOSITORY} --token ${REG_TOKEN} --name ${RUNNER_NAME}
+./config.sh --unattended --url https://github.com/${GH_OWNER}/${GH_REPOSITORY} \
+    --token ${REG_TOKEN} \
+    --name ${RUNNER_NAME} \
+    --labels "${LABELS:-default}" \
+    --replace
 cleanup() {
     echo "Removing runner..."
diff --git a/main.tf b/main.tf
index b98d95b..7b50aad 100644
--- a/main.tf
+++ b/main.tf
@@ -43,11 +43,12 @@ resource "aws_ecs_cluster" "github_runner_cluster" {
 }
 
 resource "aws_ecs_service" "runner" {
-  name            = "github-runner"
-  cluster         = aws_ecs_cluster.github_runner_cluster.id
-  task_definition = aws_ecs_task_definition.runner.arn
-  desired_count   = 1
-  launch_type     = "FARGATE"
+  name                 = var.service_name
+  cluster              = aws_ecs_cluster.github_runner_cluster.id
+  task_definition      = aws_ecs_task_definition.runner.arn
+  desired_count        = 1
+  launch_type          = "FARGATE"
+  force_new_deployment = var.force_image_rebuild
   network_configuration {
     subnets          = var.subnet_ids
     security_groups  = var.security_group_ids
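Review bot: `GH_OWNER=$GH_OWNER`, `GH_REPOSITORY=$GH_REPOSITORY`, `GH_TOKEN=$GH_TOKEN` and `LABELS=$LABELS` at the top of the hunk are no-op self-assignments, so a missing variable is not caught: the registration call on the `REG_TOKEN=` line would go out with an empty `Authorization: token` header, `jq .token --raw-output` would most likely print `null`, and config.sh would be run with `--token null`. A single required-parameter check in their place, `: "${GH_OWNER:?GH_OWNER unset}" "${GH_REPOSITORY:?GH_REPOSITORY unset}" "${GH_TOKEN:?GH_TOKEN unset}"`, fails fast with a clear message before the token is sent anywhere (`LABELS` already has a fallback via `${LABELS:-default}`). The `cd /home/docker/actions-runner` line is likewise unchecked; `cd /home/docker/actions-runner || exit 1`, or `set -euo pipefail` after the shebang, stops config.sh from running in the wrong directory. The `cleanup()` function opened at the end of this hunk continues outside it.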
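Review bot: `force_new_deployment = var.force_image_rebuild` references a variable that the variables.tf hunk in this patch does not declare (it adds `runner_token`, `runner_prefix`, `github_owner`, `github_repository`, `labels`, `secret_name` and `service_name` only); unless `force_image_rebuild` is declared in the part of variables.tf outside that hunk, validation will reject the configuration. If it is new, it needs a `variable "force_image_rebuild"` block with `type = bool`, a description, and `default = false`, since with the attribute set to true every apply triggers a fresh deployment of the service. The `aws_ecs_service` block continues past the end of this hunk.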
@@ -55,14 +56,14 @@ resource "aws_ecs_service" "runner" {
   }
 }
 
-# resource "aws_secretsmanager_secret" "github_token" {
-#   name = "github-token"
-# }
+resource "aws_secretsmanager_secret" "github_token" {
+  name = var.secret_name
+}
 
-# resource "aws_secretsmanager_secret_version" "github_token" {
-#   secret_id     = aws_secretsmanager_secret.github_token.id
-#   secret_string = var.runner_token
-# }
+resource "aws_secretsmanager_secret_version" "github_token" {
+  secret_id     = aws_secretsmanager_secret.github_token.id
+  secret_string = var.runner_token
+}
 
 resource "aws_iam_role" "ecs_task_execution_role" {
   name = "aws-ecs-github-runner-task-execution-role"
@@ -85,14 +86,14 @@ resource "aws_iam_role" "ecs_task_execution_role" {
     policy = jsonencode({
       Version = "2012-10-17"
       Statement = [
-        # {
-        #   Sid    = "SecretsManager"
-        #   Effect = "Allow"
-        #   Action = [
-        #     "secretsmanager:GetSecretValue"
-        #   ]
-        #   Resource = "${aws_secretsmanager_secret.github_token.arn}"
-        # },
+        {
+          Sid    = "SecretsManager"
+          Effect = "Allow"
+          Action = [
+            "secretsmanager:GetSecretValue"
+          ]
+          Resource = "${aws_secretsmanager_secret.github_token.arn}"
+        },
         {
           Sid    = "ECR"
           Effect = "Allow"
@@ -119,36 +120,14 @@ resource "aws_iam_role" "ecs_task_execution_role" {
       ]
     })
   }
-  inline_policy {
-    name = "ecr"
-
-    policy = jsonencode({
-      Version = "2012-10-17"
-      Statement = [
-        {
-          Effect = "Allow"
-          Action = [
-            "ecr:BatchGetImage",
-            "ecr:GetDownloadUrlForLayer",
-            "ecr:GetAuthorizationToken",
-            "logs:CreateLogGroup",
-            "logs:CreateLogStream",
-            "logs:PutLogEvents",
-            "logs:DescribeLogStreams"
-          ]
-          Resource = "*"
-        },
-      ]
-    })
-  }
 }
 
 resource "aws_ecs_task_definition" "runner" {
   family                   = "Runners"
   requires_compatibilities = ["FARGATE"]
   network_mode             = "awsvpc"
-  cpu                      = 1024
-  memory                   = 2048
+  cpu                      = 1024 * 1
+  memory                   = 1024 * 3
   execution_role_arn       = aws_iam_role.ecs_task_execution_role.arn
   container_definitions = jsonencode([
     {
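Review bot: `secret_string = var.runner_token` in the new `aws_secretsmanager_secret_version` writes the GitHub token into the Terraform state file in plaintext; `sensitive = true` on the variable only redacts it from plan and apply output, not from state. The state backend therefore needs the same protection as the secret itself, which is worth recording on the resource with a comment such as `# The token value is persisted in Terraform state; keep the state backend encrypted and access-restricted.` If the project would rather keep the value out of state altogether, the secret can be created here and its version populated out of band (with `ignore_changes` on `secret_string`), which also fits a rotation workflow. The statement added in the second hunk of this span scopes `secretsmanager:GetSecretValue` to that one secret ARN, which is the right level of privilege.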
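Review bot: The deleted `inline_policy "ecr"` in the third hunk of this span was the only visible grant of `logs:CreateLogGroup`, `logs:CreateLogStream`, `logs:PutLogEvents` and `ecr:GetAuthorizationToken` to the task execution role, while the task definition still uses the `awslogs` log driver (visible in the following hunk). The actions of the surviving `Sid = "ECR"` statement lie outside this hunk, so if they do not include the logs actions the task will fail at start with a log-driver error, and without `ecr:GetAuthorizationToken` the image pull will fail; worth confirming, or attaching the managed `AmazonECSTaskExecutionRolePolicy`, which covers the pull and log-stream actions. Separately, `cpu = 1024 * 1` says no more than `cpu = 1024`; a comment such as `# 1 vCPU / 3 GB, a valid Fargate pairing` would explain the memory choice better than the arithmetic. The `aws_iam_role` block begins before this hunk and the task definition continues after it.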
@@ -163,6 +142,30 @@ resource "aws_ecs_task_definition" "runner" {
           "appProtocol" : "http"
         }
       ],
+      "environment" : [
+        {
+          "name" : "RUNNER_PREFIX",
+          "value" : "${var.runner_prefix}"
+        },
+        {
+          "name" : "GH_OWNER",
+          "value" : "${var.github_owner}"
+        },
+        {
+          "name" : "GH_REPOSITORY",
+          "value" : "${var.github_repository}"
+        },
+        {
+          "name" : "LABELS",
+          "value" : "${var.labels}"
+        }
+      ]
+      "secrets" : [
+        {
+          "name" : "GH_TOKEN",
+          "valueFrom" : "${aws_secretsmanager_secret.github_token.arn}"
+        }
+      ],
       "essential" : true,
       "logConfiguration" : {
         "logDriver" : "awslogs",
diff --git a/variables.tf b/variables.tf
index 4fde4fb..c5549d9 100644
--- a/variables.tf
+++ b/variables.tf
@@ -12,7 +12,34 @@ variable "security_group_ids" {
   type = list(string)
 }
 
-# variable "runner_token" {
-#   type      = string
-#   sensitive = true
-# }
+variable "runner_token" {
+  type      = string
+  sensitive = true
+}
+
+variable "runner_prefix" {
+  type    = string
+  default = "aws-ecs-github-runner"
+}
+
+variable "github_owner" {
+  type = string
+}
+
+variable "github_repository" {
+  type = string
+}
+
+variable "labels" {
+  type = string
+}
+
+variable "secret_name" {
+  type    = string
+  default = "aws-ecs-github-runner-token"
+}
+
+variable "service_name" {
+  type    = string
+  default = "github-runner"
+}
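Review bot: The `"environment"` list closes with a bare `]` and no comma before `"secrets"`, while every other member of the container definition is comma-terminated; HCL accepts a newline as a separator so it parses, but it reads as a typo and should be `],` for consistency. The `"${var.runner_prefix}"`-style values are interpolation-only strings that current Terraform versions warn about; `var.runner_prefix`, `var.github_owner`, `var.github_repository`, `var.labels` and `aws_secretsmanager_secret.github_token.arn` are the equivalent plain references. Routing `GH_TOKEN` through `secrets`/`valueFrom` instead of `environment` is the right split, since `environment` values are readable by anyone who can describe the task definition; that property is worth a short comment above the list so later additions do not land a credential there. The enclosing `jsonencode` starts before this hunk and ends after it.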
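Review bot: None of the seven new `variable` blocks in the variables.tf hunk carries a `description`, and `github_owner` and `github_repository` are spliced unvalidated into the registration URL and the GitHub API path in start.sh, so a value containing `/`, `?` or `#` would silently change which endpoint the token is sent to. A `description` on each block and a `validation` block restricting owner and repository to GitHub's identifier characters rejects such a value at plan time instead. A `default` for `labels` would also remove one required input, since start.sh already falls back to `default` when it is empty. `runner_token` is declared `sensitive`, but the secret version resource in main.tf still persists its value in state, which the description should say.

```hcl
variable "github_owner" {
  type        = string
  description = "GitHub user or organisation that owns the repository the runner registers with."
  validation {
    condition     = can(regex("^[A-Za-z0-9-]+$", var.github_owner))
    error_message = "github_owner may contain only letters, digits and hyphens."
  }
}

variable "github_repository" {
  type        = string
  description = "Name of the repository (without owner) the runner registers with."
  validation {
    condition     = can(regex("^[A-Za-z0-9._-]+$", var.github_repository))
    error_message = "github_repository may contain only letters, digits, periods, underscores and hyphens."
  }
}

# … unchanged: runner_token, runner_prefix, labels, secret_name, service_name …
```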