PLT-338 Fixes for AL2023 image in packer for github actions runners #110

Merged Oct 18, 2024 (35 commits)

Commits:
71ba9bb Add launch block device mapping to set volume size (gsf, Aug 1, 2024)
8aa0bed Point at standard param for gold image (gsf, Aug 1, 2024)
396e754 Set volume for created AMI to encrypted (gsf, Aug 1, 2024)
2be9f49 Set volume size for the launch template (gsf, Aug 1, 2024)
ef9254e Drop launch_block_device_mappings from packer source (gsf, Aug 1, 2024)
29f0bf6 Update packer build for al2023 (gsf, Aug 1, 2024)
8ac28a9 Drop unnecessary packer variables (gsf, Sep 2, 2024)
c195b39 Switch to variable for security_group_id (gsf, Sep 2, 2024)
d333f03 Merge branch 'main' into plt-338-new-ami-fix (gsf, Sep 5, 2024)
41626c6 Switch to temporary CIDRs (gsf, Sep 10, 2024)
9cf7884 Drop unnecessary packer variables (gsf, Sep 2, 2024)
4cba1df Switch to variable for security_group_id (gsf, Sep 2, 2024)
5e67b73 Update variables for github-hosted runners (gsf, Sep 27, 2024)
cb2dbb1 Rename and update github runner images workflow for github-hosted (gsf, Sep 27, 2024)
3599d6b Pull AMI account variable from new standard parameter (gsf, Sep 27, 2024)
71f1c8a Set PACKER_GITHUB_API_TOKEN to avoid rate limiting (gsf, Sep 27, 2024)
0252479 Set packer ssh timeout to 10 minutes (gsf, Sep 27, 2024)
cfcdaf9 Add README for packer build (gsf, Oct 2, 2024)
ddd0c49 Update for session manager tunneling for ssh (gsf, Oct 2, 2024)
9e86348 Add session-manager-plugin verify check (gsf, Oct 2, 2024)
a7e2673 Set runner CIDRs in variables file (gsf, Oct 2, 2024)
7cdff5d Check packer variables file (gsf, Oct 2, 2024)
b29a0c5 Switch to security group ID for trend micro (gsf, Oct 8, 2024)
01a74ce Switch to security groups for trend micro (gsf, Oct 9, 2024)
92fd8f2 Switch to flag for security_group_ids (gsf, Oct 11, 2024)
2af16c0 Switch back to self-hosted (gsf, Oct 15, 2024)
731adc4 Use unsecure node version on self-hosted (gsf, Oct 15, 2024)
efc41cd Merge branch 'main' into plt-338-new-ami-fix (gsf, Oct 15, 2024)
3026c5b Merge branch 'plt-663-github-hosted-packer' into plt-338-new-ami-fix (gsf, Oct 15, 2024)
dc3d600 Fix OS package setup commands and add session-manager-plugin (gsf, Oct 16, 2024)
2d116ce Upgrade terraform-aws-github-runner to 5.17.0 (gsf, Oct 17, 2024)
f52859a Add ami-housekeeper.zip (gsf, Oct 17, 2024)
3d1d353 Format terraform (gsf, Oct 17, 2024)
dc629b7 Set TMPDIR for packer (gsf, Oct 17, 2024)
bdb8f58 Drop unsecure node version (gsf, Oct 17, 2024)
63 changes: 0 additions & 63 deletions .github/workflows/build-runner-images.yml

This file was deleted.

44 changes: 44 additions & 0 deletions .github/workflows/github-actions-runner-images.yml
@@ -0,0 +1,44 @@
name: GitHub Actions runner images

on:
pull_request:
paths:
- .github/workflows/github-actions-runner-images.yml
- packer/github-actions-runner/**
schedule:
- cron: "0 0 * * 1" # 00:00 on Monday each week
workflow_dispatch:

jobs:
build:
runs-on: self-hosted
defaults:
run:
working-directory: packer/github-actions-runner
permissions:
id-token: write
contents: read
steps:
- uses: actions/checkout@v3
- uses: hashicorp/setup-packer@v2.0.1
- uses: aws-actions/configure-aws-credentials@v3
with:
role-to-assume: arn:aws:iam::${{ secrets.BCDA_ACCOUNT }}:role/delegatedadmin/developer/bcda-mgmt-github-actions
aws-region: ${{ vars.AWS_REGION }}
- uses: cmsgov/ab2d-bcda-dpc-platform/actions/aws-params-env-action@main
with:
params: |
PKR_VAR_ami_account=/gold-image/account
PKR_VAR_s3_tarball=/github-runner/s3-tarball
PKR_VAR_vpc_id=/github-runner/vpc
PKR_VAR_subnet_id=/github-runner/subnet
SECURITY_GROUPS=/github-runner/security-groups
- name: packer build
env:
PACKER_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
TMPDIR: /home/ec2-user/
run: |
packer init .
# Security groups must be set by flag since they're a list
packer validate -evaluate-datasources -var "security_group_ids=$SECURITY_GROUPS" .
${RUNNER_DEBUG:+"PACKER_LOG=1"} packer build -var "security_group_ids=$SECURITY_GROUPS" .
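Review bot: the `${RUNNER_DEBUG:+"PACKER_LOG=1"} packer build ...` line in the `packer build` step breaks as soon as debug logging is actually switched on: a word produced by parameter expansion is never treated as a variable assignment by the shell, so with `RUNNER_DEBUG` set bash tries to execute a command named `PACKER_LOG=1` and the step exits with "command not found" instead of building. Export it first instead, e.g. `export PACKER_LOG=${RUNNER_DEBUG:+1}` before `packer build -var "security_group_ids=$SECURITY_GROUPS" .` (Packer treats an empty `PACKER_LOG` as off). Two smaller points: `cmsgov/ab2d-bcda-dpc-platform/actions/aws-params-env-action@main` (and `actions/checkout@v3`, `hashicorp/setup-packer@v2.0.1`) resolve a mutable ref on every run, and this job holds an OIDC-assumed AWS role, so pinning each action to a full commit SHA would close that supply-chain gap; and `-var "security_group_ids=$SECURITY_GROUPS"` only parses if the `/github-runner/security-groups` parameter value is already an HCL list literal (e.g. `["sg-...","sg-..."]`), which is worth stating next to the `# Security groups must be set by flag since they're a list` comment.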
24 changes: 24 additions & 0 deletions packer/github-actions-runner/README.md
@@ -0,0 +1,24 @@
# GitHub Actions runner packer

These scripts build the images for self-hosted GitHub Actions runners, extending gold images from CMS Cloud.

## Usage

This packer build is generally run by the [GitHub Actions runner images](/.github/workflows/github-actions-runner-images.yml) workflow in this repo. To run and debug locally, ensure the [session-manager-plugin is installed](https://docs.aws.amazon.com/systems-manager/latest/userguide/install-plugin-verify.html) and create a variables.pkrvars.hcl in this directory as follows:

```
ami_account = "xxxxxxxxxxxx" # bcda
s3_tarball = "s3://xxxxxxxxxxxxxxxxxxxxxx/actions-runner-linux.tar.gz"
vpc_id = "vpc-xxxxxxxxxxxxxxx" # bcda-managed-vpc
subnet_id = "subnet-xxxxxxxxxxxxxxx" # bcda-managed-az2-app

# Security groups necessary for Trend Micro and internet access
security_group_ids = ["sg-xxxxxxxxxxxxxx", "sg-xxxxxxxxxxxxxxx"]
```

Then get short-term access keys for AWS and run these packer commands in this directory:

```
packer init .
packer build -var-file=variables.pkrvars.hcl -debug .
```
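Review bot: `variables.pkrvars.hcl` as described here holds the account ID, S3 bucket, VPC/subnet and security-group IDs for the build; the README should say the file must stay local (add it to a `.gitignore` in this directory) so a debugging session doesn't end with those identifiers committed. Also, `-debug` in `packer build -var-file=variables.pkrvars.hcl -debug .` pauses before each step and, for the amazon-ebs builder, writes the temporary SSH private key to a `.pem` file in the current directory; mention that the key file needs deleting afterwards, or document the command without `-debug` and note the flag as optional. Minor: the two fences have no language tag; `hcl` and `sh` would let the README render them with highlighting.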
12 changes: 5 additions & 7 deletions packer/github-actions-runner/build.pkr.hcl
@@ -15,16 +15,14 @@ build {

provisioner "shell" {
remote_folder = "/home/ec2-user/"
environment_vars = []
inline = concat([
"sudo yum -y update --security",
"sudo yum -y install amazon-cloudwatch-agent jq git docker",
"sudo yum -y install curl",
inline = [
"sudo dnf install -y amazon-cloudwatch-agent jq git docker libicu curl",
"sudo dnf install -y https://s3.amazonaws.com/session-manager-downloads/plugin/latest/linux_64bit/session-manager-plugin.rpm",
"sudo systemctl enable docker.service",
"sudo systemctl enable containerd.service",
"sudo service docker start",
"sudo systemctl start docker.service",
"sudo usermod -a -G docker ec2-user",
], var.custom_shell_commands)
]
}

provisioner "file" {
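Review bot: the `sudo yum -y update --security` line is removed with the switch to `dnf`, so the builder no longer applies any package updates to the gold image it starts from; if the intent is to rely on the gold image being current, say so in a comment, otherwise keep a `sudo dnf upgrade -y --security` (or a plain `sudo dnf upgrade -y`) ahead of the install line. The `session-manager-plugin.rpm` install pulls from a `.../plugin/latest/...` URL, so image content changes from build to build and, because dnf's `localpkg_gpgcheck` is off by default, the package signature is not verified for a URL install; pinning a versioned URL and enabling `localpkg_gpgcheck` (or checking the published checksum before installing) would make the step reproducible and verifiable. Dropping `concat(..., var.custom_shell_commands)` is fine as long as the `custom_shell_commands` variable goes away everywhere, which the variables.pkr.hcl change in this PR does.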
48 changes: 22 additions & 26 deletions packer/github-actions-runner/sources.pkr.hcl
@@ -1,43 +1,39 @@
source "amazon-ebs" "github-actions-runner" {
ami_name = "github-actions-runner-${formatdate("YYYYMMDDhhmm", timestamp())}"
instance_type = var.instance_type
region = var.region
vpc_id = var.vpc_id
subnet_id = var.subnet_id
associate_public_ip_address = var.associate_public_ip_address
temporary_security_group_source_public_ip = var.temporary_security_group_source_public_ip
iam_instance_profile = "bcda-mgmt-github-actions"
ami_name = "github-actions-runner-${formatdate("YYYYMMDDhhmm", timestamp())}"
instance_type = var.instance_type
region = var.region
vpc_id = var.vpc_id
subnet_id = var.subnet_id
security_group_ids = var.security_group_ids

source_ami_filter {
filters = {
name = "al2023-legacy-gi-*"
}
owners = ["${var.ami_account}"]
most_recent = true
}
iam_instance_profile = "bcda-mgmt-github-actions"

security_group_filter {
source_ami_filter {
filters = {
"tag:Name": "bcda-managed-vpn-private"
name = "al2023-legacy-gi-*"
}
owners = ["${var.ami_account}"]
most_recent = true
}

communicator = "ssh"
ssh_username = "ec2-user"
ssh_timeout = "1h"
ssh_pty = true
communicator = "ssh"
ssh_interface = "session_manager"
ssh_username = "ec2-user"
ssh_timeout = "10m"
ssh_pty = true

# enforces IMDSv2 support on the running instance being provisioned by Packer
# Enforces IMDSv2 support on the running instance being provisioned by Packer
metadata_options {
http_endpoint = "enabled"
http_tokens = "required"
http_endpoint = "enabled"
http_tokens = "required"
http_put_response_hop_limit = 2
}
# enforces IMDSv2 support on the resulting AMI

# Enforces IMDSv2 support on the resulting AMI
imds_support = "v2.0"

tags = {
Name = "github-actions-runner-ami",
Name = "github-actions-runner-ami",
Base_AMI_Name = "{{ .SourceAMIName }}"
}
}
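Review bot: `http_put_response_hop_limit = 2` is new and uncommented; together with the `docker` install in build.pkr.hcl it lets containers on the build instance reach IMDS, and so the `bcda-mgmt-github-actions` instance-profile credentials. If the build needs that (the inline provisioner shown doesn't), it deserves the same explanatory comment the IMDSv2 lines have; otherwise leave it at the default of 1. Note also that `metadata_options` only governs the builder instance: `imds_support = "v2.0"` covers the AMI, but the hop limit for the runners themselves comes from their launch template, not from here. Replacing the `security_group_filter` on `tag:Name` with explicit `security_group_ids`, and public-IP SSH with `ssh_interface = "session_manager"`, is a good change, and the README already requires the plugin for local runs. Style: `owners = ["${var.ami_account}"]` is an interpolation-only string and reads cleaner as `owners = [var.ami_account]`.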
70 changes: 9 additions & 61 deletions packer/github-actions-runner/variables.pkr.hcl
@@ -4,85 +4,33 @@ variable "region" {
default = "us-east-1"
}

variable "instance_type" {
description = "The instance type Packer will use for the builder"
type = string
default = "t3.large"
}

variable "ami_account" {
description = "The target AMI account"
type = string
default = null
}

variable "s3_tarball" {
description = "The target S3 bucket for the Github Runner Agent"
type = string
default = null
}

variable "instance_type" {
description = "The instance type Packer will use for the builder"
type = string
default = "t3.xlarge"
}

variable "vpc_id" {
description = "The name of the VPC where the instance will be launched"
type = string
default = null
}

variable "subnet_id" {
description = "If using VPC, the ID of the subnet, such as subnet-12345def, where Packer will launch the EC2 instance. This field is required if you are using an non-default VPC"
description = "The ID of the subnet where Packer will launch the EC2 instance"
type = string
default = null
}

variable "associate_public_ip_address" {
description = "If using a non-default VPC, there is no public IP address assigned to the EC2 instance. If you specified a public subnet, you probably want to set this to true. Otherwise the EC2 instance won't have access to the internet"
type = string
default = null
}

variable "temporary_security_group_source_public_ip" {
description = "When enabled, use public IP of the host (obtained from https://checkip.amazonaws.com) as CIDR block to be authorized access to the instance, when packer is creating a temporary security group. Note: If you specify `security_group_id` then this input is ignored."
type = bool
default = false
}

variable "global_tags" {
description = "Tags to apply to everything"
type = map(string)
default = {}
}

variable "ami_tags" {
description = "Tags to apply to the AMI"
type = map(string)
default = {}
}

variable "snapshot_tags" {
description = "Tags to apply to the snapshot"
type = map(string)
default = {}
}

variable "custom_shell_commands" {
description = "Additional commands to run on the EC2 instance, to customize the instance, like installing packages"
variable "security_group_ids" {
description = "IDs for security groups to attach to the builder. Should be set to IDs for cmscloud-security-tools and bcda-mgmt-internet."
type = list(string)
default = []
}

variable "runner_version" {
description = "The version (no v prefix) of the runner software to install https://github.com/actions/runner/releases. The latest release will be fetched from GitHub if not provided."
default = null
}

data "http" github_runner_release_json {
url = "https://api.github.com/repos/actions/runner/releases/latest"
request_headers = {
Accept = "application/vnd.github+json"
X-GitHub-Api-Version : "2022-11-28"
}
}

locals {
runner_version = coalesce(var.runner_version, trimprefix(jsondecode(data.http.github_runner_release_json.body).tag_name, "v"))
}
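Review bot: `security_group_ids` defaults to `[]`, so a run that forgets the `-var` (or reads an empty parameter) validates cleanly and Packer falls back to creating a temporary security group for the builder with whatever ingress rule Packer chooses, rather than the cmscloud-security-tools and bcda-mgmt-internet groups the description says are required; with `temporary_security_group_source_public_ip` now gone there is nothing else constraining that fallback. Remove the default (or add a `validation` block requiring a non-empty list) so `packer validate` fails loudly instead; a description saying "Should be set to ..." does not enforce anything. The `instance_type` default change from `t3.large` to `t3.xlarge` is not mentioned in any commit message and is worth a line in the PR description. Minor: `X-GitHub-Api-Version : "2022-11-28"` mixes `:` with the `=` used on the line above it in the same map; both parse, but one form is easier to read.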