
Commit 907617b

authored
Merge branch 'main' into release-please--branches--main
2 parents 6b114e2 + 6971e5e commit 907617b

10 files changed

+582
-600
lines changed

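--- a/docker_autoscaler.tf
+++ b/docker_autoscaler.tf
@@ -3,70 +3,6 @@
 # outdated docker+machine driver. The docker+machine driver is a legacy driver that is no longer maintained by GitLab.
 #
 
-########################################
-###### Security Group and SG rules #####
-########################################
-
-# Base security group
-resource "aws_security_group" "docker_autoscaler" {
-count = var.runner_worker.type == "docker-autoscaler" ? 1 : 0
-name_prefix = "${local.name_sg}-docker-autoscaler"
-vpc_id = var.vpc_id
-description = "Docker-autoscaler security group"
-
-tags = merge(
-local.tags,
-{
-"Name" = format("%s", local.name_sg)
-},
-)
-}
-
-# Ingress rules
-resource "aws_vpc_security_group_ingress_rule" "docker_autoscaler_ingress" {
-for_each = var.runner_worker.type == "docker-autoscaler" ? var.runner_worker_ingress_rules : {}
-
-security_group_id = aws_security_group.docker_autoscaler[0].id
-
-from_port = each.value.from_port
-to_port = each.value.to_port
-ip_protocol = each.value.protocol
-
-description = each.value.description
-prefix_list_id = each.value.prefix_list_id
-referenced_security_group_id = each.value.security_group
-cidr_ipv4 = each.value.cidr_block
-cidr_ipv6 = each.value.ipv6_cidr_block
-}
-
-resource "aws_vpc_security_group_ingress_rule" "docker_autoscaler_internal_traffic" {
-count = var.runner_worker.type == "docker-autoscaler" ? 1 : 0
-
-security_group_id = aws_security_group.docker_autoscaler[0].id
-from_port = -1
-to_port = -1
-ip_protocol = "-1"
-description = "Allow ALL Ingress traffic between Runner Manager and Docker-autoscaler workers security group"
-referenced_security_group_id = aws_security_group.runner.id
-}
-
-# Egress rules
-resource "aws_vpc_security_group_egress_rule" "docker_autoscaler_egress" {
-for_each = var.runner_worker.type == "docker-autoscaler" ? var.runner_worker_egress_rules : {}
-
-security_group_id = aws_security_group.docker_autoscaler[0].id
-
-from_port = each.value.from_port
-to_port = each.value.to_port
-ip_protocol = each.value.protocol
-
-description = each.value.description
-prefix_list_id = each.value.prefix_list_id
-referenced_security_group_id = each.value.security_group
-cidr_ipv4 = each.value.cidr_block
-cidr_ipv6 = each.value.ipv6_cidr_block
-}
-
 ####################################
 ###### Launch template Workers #####
 ####################################
@@ -215,3 +151,26 @@ resource "aws_autoscaling_group" "autoscaler" {
 ]
 }
 }
+
+resource "aws_iam_instance_profile" "docker_autoscaler" {
+count = var.runner_worker.type == "docker-autoscaler" ? 1 : 0
+name = "${local.name_iam_objects}-docker-autoscaler"
+role = aws_iam_role.docker_autoscaler[0].name
+tags = local.tags
+}
+
+resource "tls_private_key" "autoscaler" {
+count = var.runner_worker.type == "docker-autoscaler" ? 1 : 0
+
+algorithm = "RSA"
+rsa_bits = 4096
+}
+
+resource "aws_key_pair" "autoscaler" {
+count = var.runner_worker.type == "docker-autoscaler" ? 1 : 0
+
+key_name = "${var.environment}-${var.runner_worker_docker_autoscaler.key_pair_name}"
+public_key = tls_private_key.autoscaler[0].public_key_openssh
+
+tags = local.tags
+}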
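Review bot: The `tls_private_key.autoscaler` resource added in the second hunk keeps the generated RSA private key unencrypted in Terraform state, so anyone with read access to the state backend holds the SSH key for every autoscaler worker, and nothing in the file documents that. A comment on the resource would make the trust boundary explicit, e.g. `# NOTE: the private key is stored in plain text in Terraform state; restrict and encrypt the state backend accordingly.` The same applies to `tls_private_key.fleet` in docker_machine_fleet.tf. Whether the key is ever surfaced elsewhere (an output or a written file) is not visible in this hunk.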

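--- a/docker_autoscaler_policy.tf
+++ b/docker_autoscaler_policy.tf
@@ -0,0 +1,47 @@
+resource "aws_iam_role" "docker_autoscaler" {
+count = var.runner_worker.type == "docker-autoscaler" ? 1 : 0
+name = "${local.name_iam_objects}-docker-autoscaler"
+assume_role_policy = length(var.runner_worker_docker_autoscaler_role.assume_role_policy_json) > 0 ? var.runner_worker_docker_autoscaler_role.assume_role_policy_json : templatefile("${path.module}/policies/instance-role-trust-policy.json", {})
+permissions_boundary = var.iam_permissions_boundary == "" ? null : "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:policy/${var.iam_permissions_boundary}"
+
+tags = merge(local.tags, var.runner_worker_docker_autoscaler_role.additional_tags)
+}
+
+resource "aws_iam_policy" "instance_docker_autoscaler_policy" {
+count = var.runner_worker.type == "docker-autoscaler" && var.runner_role.create_role_profile ? 1 : 0
+
+name = "${local.name_iam_objects}-docker-autoscaler"
+path = "/"
+description = "Policy for docker autoscaler."
+# see https://gitlab.com/gitlab-org/fleeting/plugins/aws#recommended-iam-policy for needed policies
+policy = templatefile("${path.module}/policies/instance-docker-autoscaler-policy.json",
+{
+aws_region = data.aws_region.current.name
+partition = data.aws_partition.current.partition
+autoscaler_asg_arn = aws_autoscaling_group.autoscaler[0].arn
+autoscaler_asg_name = aws_autoscaling_group.autoscaler[0].name
+})
+
+tags = local.tags
+}
+
+resource "aws_iam_role_policy_attachment" "instance_docker_autoscaler_policy" {
+count = var.runner_worker.type == "docker-autoscaler" && var.runner_role.create_role_profile ? 1 : 0
+
+role = aws_iam_role.instance[0].name
+policy_arn = aws_iam_policy.instance_docker_autoscaler_policy[0].arn
+}
+
+resource "aws_iam_role_policy_attachment" "docker_autoscaler_user_defined_policies" {
+count = var.runner_worker.type == "docker-autoscaler" ? length(var.runner_worker_docker_autoscaler_role.policy_arns) : 0
+
+role = aws_iam_role.docker_autoscaler[0].name
+policy_arn = var.runner_worker_docker_autoscaler_role.policy_arns[count.index]
+}
+
+resource "aws_iam_role_policy_attachment" "docker_autoscaler_session_manager_aws_managed" {
+count = (var.runner_worker.type == "docker-autoscaler" && var.runner_worker.ssm_access) ? 1 : 0
+
+role = aws_iam_role.docker_autoscaler[0].name
+policy_arn = "arn:${data.aws_partition.current.partition}:iam::aws:policy/AmazonSSMManagedInstanceCore"
+}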
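Review bot: `docker_autoscaler_user_defined_policies` indexes `policy_arns` with `count.index`, so removing or reordering one entry in the list re-keys every later attachment and Terraform will detach and re-attach policies the operator did not intend to touch, leaving the worker role briefly without them during the apply. Keying the attachments by ARN avoids that: `for_each = var.runner_worker.type == "docker-autoscaler" ? toset(var.runner_worker_docker_autoscaler_role.policy_arns) : toset([])` with `policy_arn = each.value`. This assumes the ARNs are known at plan time, which is not visible here, and it changes the resource addresses, so existing deployments would need `moved` blocks or a state move. The same pattern appears in `docker_machine_user_defined_policies` in docker_machine_policy.tf.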

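--- a/docker_autoscaler_security_group.tf
+++ b/docker_autoscaler_security_group.tf
@@ -0,0 +1,58 @@
+resource "aws_security_group" "docker_autoscaler" {
+count = var.runner_worker.type == "docker-autoscaler" ? 1 : 0
+name_prefix = "${local.name_sg}-docker-autoscaler"
+vpc_id = var.vpc_id
+description = "Docker-autoscaler security group"
+
+tags = merge(
+local.tags,
+{
+"Name" = format("%s", local.name_sg)
+},
+)
+}
+
+# Ingress rules
+resource "aws_vpc_security_group_ingress_rule" "docker_autoscaler_ingress" {
+for_each = var.runner_worker.type == "docker-autoscaler" ? var.runner_worker_ingress_rules : {}
+
+security_group_id = aws_security_group.docker_autoscaler[0].id
+
+from_port = each.value.from_port
+to_port = each.value.to_port
+ip_protocol = each.value.protocol
+
+description = each.value.description
+prefix_list_id = each.value.prefix_list_id
+referenced_security_group_id = each.value.security_group
+cidr_ipv4 = each.value.cidr_block
+cidr_ipv6 = each.value.ipv6_cidr_block
+}
+
+resource "aws_vpc_security_group_ingress_rule" "docker_autoscaler_internal_traffic" {
+count = var.runner_worker.type == "docker-autoscaler" ? 1 : 0
+
+security_group_id = aws_security_group.docker_autoscaler[0].id
+from_port = -1
+to_port = -1
+ip_protocol = "-1"
+description = "Allow ALL Ingress traffic between Runner Manager and Docker-autoscaler workers security group"
+referenced_security_group_id = aws_security_group.runner.id
+}
+
+# Egress rules
+resource "aws_vpc_security_group_egress_rule" "docker_autoscaler_egress" {
+for_each = var.runner_worker.type == "docker-autoscaler" ? var.runner_worker_egress_rules : {}
+
+security_group_id = aws_security_group.docker_autoscaler[0].id
+
+from_port = each.value.from_port
+to_port = each.value.to_port
+ip_protocol = each.value.protocol
+
+description = each.value.description
+prefix_list_id = each.value.prefix_list_id
+referenced_security_group_id = each.value.security_group
+cidr_ipv4 = each.value.cidr_block
+cidr_ipv6 = each.value.ipv6_cidr_block
+}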
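Review bot: The `Name` tag on `aws_security_group.docker_autoscaler` is `format("%s", local.name_sg)` while `name_prefix` is `${local.name_sg}-docker-autoscaler`; the `format` call is a no-op and the tag drops the suffix, so if another security group in the module also tags `Name = local.name_sg` (not visible here) the two groups are indistinguishable by tag when auditing rules in the console. `"Name" = "${local.name_sg}-docker-autoscaler"` would keep the tag consistent with the group name. `docker_autoscaler_internal_traffic` is an all-protocols, all-ports ingress rule from the runner manager group; that is the existing behaviour being moved into this file, but a comment stating which manager-to-worker traffic actually requires the full range would help whoever later tries to tighten it.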

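--- a/docker_machine.tf
+++ b/docker_machine.tf
@@ -0,0 +1,44 @@
+locals {
+template_runner_docker_machine = templatefile("${path.module}/template/runner-docker-machine-config.tftpl",
+{
+runners_idle_count = var.runner_worker_docker_machine_instance.idle_count
+runners_idle_time = var.runner_worker_docker_machine_instance.idle_time
+runners_max_builds = local.runners_max_builds_string
+docker_machine_name = format("%s-%s", local.runner_tags_merged["Name"], "%s") # %s is always needed
+runners_instance_types = var.runner_worker_docker_machine_instance.types
+aws_region = data.aws_region.current.name
+runners_aws_zone = data.aws_availability_zone.runners.name_suffix
+runners_userdata = var.runner_worker_docker_machine_instance.start_script
+
+runners_vpc_id = var.vpc_id
+runners_subnet_id = var.subnet_id
+runners_subnet_ids = length(var.runner_worker_docker_machine_instance.subnet_ids) > 0 ? var.runner_worker_docker_machine_instance.subnet_ids : [var.subnet_id]
+runners_instance_profile = var.runner_worker.type == "docker+machine" ? aws_iam_instance_profile.docker_machine[0].name : ""
+
+runners_use_private_address_only = var.runner_worker_docker_machine_instance.private_address_only
+runners_use_private_address = !var.runner_worker_docker_machine_instance.private_address_only
+runners_request_spot_instance = var.runner_worker_docker_machine_instance_spot.enable
+runners_spot_price_bid = var.runner_worker_docker_machine_instance_spot.max_price == "on-demand-price" || var.runner_worker_docker_machine_instance_spot.max_price == null ? "" : var.runner_worker_docker_machine_instance_spot.max_price
+runners_security_group_name = var.runner_worker.type == "docker+machine" ? aws_security_group.docker_machine[0].name : ""
+
+runners_tags = replace(replace(local.runner_tags_string, ",,", ","), "/,$/", "")
+runners_ebs_optimized = var.runner_worker_docker_machine_instance.ebs_optimized
+runners_monitoring = var.runner_worker_docker_machine_instance.monitoring
+runners_iam_instance_profile_name = var.runner_worker_docker_machine_role.profile_name
+runners_root_size = var.runner_worker_docker_machine_instance.root_size
+runners_volume_type = var.runner_worker_docker_machine_instance.volume_type
+runners_ami = var.runner_worker.type == "docker+machine" ? (length(var.runner_worker_docker_machine_ami_id) > 0 ? var.runner_worker_docker_machine_ami_id : data.aws_ami.docker_machine_by_filter[0].id) : ""
+use_fleet = var.runner_worker_docker_machine_fleet.enable
+launch_template = var.runner_worker_docker_machine_fleet.enable == true ? aws_launch_template.fleet_gitlab_runner[0].name : ""
+docker_machine_options = length(local.docker_machine_options_string) == 1 ? "" : local.docker_machine_options_string
+runners_max_growth_rate = var.runner_worker_docker_machine_instance.max_growth_rate
+runners_volume_kms_key = local.kms_key_arn
+})
+}
+
+resource "aws_iam_instance_profile" "docker_machine" {
+count = var.runner_worker.type == "docker+machine" ? 1 : 0
+name = "${local.name_iam_objects}-docker-machine"
+role = aws_iam_role.docker_machine[0].name
+tags = local.tags
+}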

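--- a/docker_machine_fleet.tf
+++ b/docker_machine_fleet.tf
@@ -0,0 +1,80 @@
+resource "aws_key_pair" "fleet" {
+count = var.runner_worker_docker_machine_fleet.enable == true && var.runner_worker.type == "docker+machine" ? 1 : 0
+
+key_name = "${var.environment}-${var.runner_worker_docker_machine_fleet.key_pair_name}"
+public_key = tls_private_key.fleet[0].public_key_openssh
+
+tags = local.tags
+}
+
+resource "tls_private_key" "fleet" {
+count = var.runner_worker_docker_machine_fleet.enable == true && var.runner_worker.type == "docker+machine" ? 1 : 0
+
+algorithm = "RSA"
+rsa_bits = 4096
+}
+
+resource "aws_launch_template" "fleet_gitlab_runner" {
+# checkov:skip=CKV_AWS_88:User can decide to add a public IP.
+# checkov:skip=CKV_AWS_79:User can decide to enable Metadata service V2. V2 is the default.
+# checkov:skip=CKV_AWS_341:Hop limit is user-defined and set to 2 by default as the workload might run in a Docker container.
+count = var.runner_worker_docker_machine_fleet.enable == true && var.runner_worker.type == "docker+machine" ? 1 : 0
+name_prefix = "${local.name_runner_agent_instance}-worker-"
+
+key_name = aws_key_pair.fleet[0].key_name
+image_id = length(var.runner_worker_docker_machine_ami_id) > 0 ? var.runner_worker_docker_machine_ami_id : data.aws_ami.docker_machine_by_filter[0].id
+user_data = base64gzip(var.runner_worker_docker_machine_instance.start_script)
+instance_type = var.runner_worker_docker_machine_instance.types[0] # it will be override by the fleet
+update_default_version = true
+ebs_optimized = var.runner_worker_docker_machine_instance.ebs_optimized
+monitoring {
+enabled = var.runner_worker_docker_machine_instance.monitoring
+}
+block_device_mappings {
+device_name = var.runner_worker_docker_machine_instance.root_device_name
+
+ebs {
+volume_size = var.runner_worker_docker_machine_instance.root_size
+volume_type = var.runner_worker_docker_machine_instance.volume_type
+iops = contains(["gp3", "io1", "io2"], var.runner_worker_docker_machine_instance.volume_type) ? var.runner_worker_docker_machine_instance.volume_iops : null
+throughput = var.runner_worker_docker_machine_instance.volume_type == "gp3" ? var.runner_worker_docker_machine_instance.volume_throughput : null
+encrypted = true
+kms_key_id = local.kms_key_arn
+}
+}
+
+iam_instance_profile {
+name = aws_iam_instance_profile.docker_machine[0].name
+}
+
+network_interfaces {
+security_groups = [aws_security_group.docker_machine[0].id]
+associate_public_ip_address = !var.runner_worker_docker_machine_instance.private_address_only
+}
+
+tag_specifications {
+resource_type = "instance"
+tags = local.tags
+}
+tag_specifications {
+resource_type = "volume"
+tags = local.tags
+}
+tag_specifications {
+resource_type = "network-interface"
+tags = local.tags
+}
+# tag_specifications for spot-instances-request do not work. Instance creation fails.
+
+tags = local.tags
+
+metadata_options {
+http_tokens = var.runner_worker_docker_machine_ec2_metadata_options.http_tokens
+http_put_response_hop_limit = var.runner_worker_docker_machine_ec2_metadata_options.http_put_response_hop_limit
+instance_metadata_tags = "enabled"
+}
+
+lifecycle {
+create_before_destroy = true
+}
+}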
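Review bot: `metadata_options` in `aws_launch_template.fleet_gitlab_runner` hard-codes `instance_metadata_tags = "enabled"`, so every key in `local.tags` is readable by any process on the worker through IMDS, including CI jobs in containers, which is the reason the hop limit the CKV_AWS_341 skip describes is raised above 1; nothing states that tags must therefore stay free of anything sensitive. A comment such as `# instance tags are exposed to workloads via IMDS; keep local.tags free of secrets` would record that constraint where the next maintainer will see it. Separately, the inline comment on `instance_type`, `# it will be override by the fleet`, should read `# overridden by the fleet request`; as written it is easy to misread as an open TODO.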

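--- a/docker_machine_policy.tf
+++ b/docker_machine_policy.tf
@@ -0,0 +1,54 @@
+################################################################################
+### docker machine instance policy
+################################################################################
+resource "aws_iam_role" "docker_machine" {
+count = var.runner_worker.type == "docker+machine" ? 1 : 0
+name = "${local.name_iam_objects}-docker-machine"
+assume_role_policy = length(var.runner_worker_docker_machine_role.assume_role_policy_json) > 0 ? var.runner_worker_docker_machine_role.assume_role_policy_json : templatefile("${path.module}/policies/instance-role-trust-policy.json", {})
+permissions_boundary = var.iam_permissions_boundary == "" ? null : "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:policy/${var.iam_permissions_boundary}"
+
+tags = merge(local.tags, var.runner_worker_docker_machine_role.additional_tags)
+}
+
+################################################################################
+### Policies for runner agent instance to create docker machines via spot req.
+###
+### iam:PassRole To pass the role from the agent to the docker machine runners
+################################################################################
+resource "aws_iam_policy" "instance_docker_machine_policy" {
+count = var.runner_worker.type == "docker+machine" && var.runner_role.create_role_profile ? 1 : 0
+
+name = "${local.name_iam_objects}-docker-machine"
+path = "/"
+description = "Policy for docker machine."
+policy = templatefile("${path.module}/policies/instance-docker-machine-policy.json",
+{
+docker_machine_role_arn = aws_iam_role.docker_machine[0].arn
+})
+
+tags = local.tags
+}
+
+resource "aws_iam_role_policy_attachment" "instance_docker_machine_policy" {
+count = var.runner_worker.type == "docker+machine" && var.runner_role.create_role_profile ? 1 : 0
+
+role = aws_iam_role.instance[0].name
+policy_arn = aws_iam_policy.instance_docker_machine_policy[0].arn
+}
+
+################################################################################
+### Add user defined policies
+################################################################################
+resource "aws_iam_role_policy_attachment" "docker_machine_user_defined_policies" {
+count = var.runner_worker.type == "docker+machine" ? length(var.runner_worker_docker_machine_role.policy_arns) : 0
+
+role = aws_iam_role.docker_machine[0].name
+policy_arn = var.runner_worker_docker_machine_role.policy_arns[count.index]
+}
+
+resource "aws_iam_role_policy_attachment" "docker_machine_session_manager_aws_managed" {
+count = (var.runner_worker.type == "docker+machine" && var.runner_worker.ssm_access) ? 1 : 0
+
+role = aws_iam_role.docker_machine[0].name
+policy_arn = "arn:${data.aws_partition.current.partition}:iam::aws:policy/AmazonSSMManagedInstanceCore"
+}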
