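locals {
  # Every resource created by this module carries the Environment tag on top of
  # the caller's tags, so one deployment can be selected as a unit (see the
  # resource group below) and told apart from other environments.
  tags = merge(var.tags, {
    Environment = var.environment
  })

  # S3 location from which runner instances download the runner distribution
  # that the runner_binaries module keeps in sync.
  s3_action_runner_url = "s3://${module.runner_binaries.bucket.id}/${module.runner_binaries.runner_distribution_object_key}"

  # Derive the runner CPU architecture from the instance family name.
  # Graviton families carry a "g" directly after the generation digit
  # (m6g, c6gn, m6gd, t4g, r7g, ...); "a1" is the first-generation Graviton
  # family. The earlier check only recognised "a1" and families whose 2nd/3rd
  # characters were "6g", so e.g. t4g or m7g were treated as x64 and paired
  # with an x86_64 AMI and runner binary; the regex keeps those matches and
  # covers the other Graviton generations.
  runner_architecture = length(regexall("^(a1|[a-z]+[0-9]+g[a-z]*)(\\.|$)", var.instance_type)) > 0 ? "arm64" : "x64"

  # A caller-supplied AMI filter wins; otherwise fall back to the Amazon Linux 2
  # name pattern for the detected architecture. A wildcard name filter is only
  # trustworthy in combination with the var.ami_owners list that the runners
  # module receives next to this filter; without an owner restriction any
  # public AMI matching the name could be selected.
  ami_filter = length(var.ami_filter) > 0 ? var.ami_filter : (
    local.runner_architecture == "arm64"
    ? { name = ["amzn2-ami-hvm-2*-arm64-gp2"] }
    : { name = ["amzn2-ami-hvm-2.*-x86_64-ebs"] }
  )
}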
# Random suffix used to make the runner-binaries S3 bucket name globally
# unique (see module "runner_binaries"). Lowercase alphanumerics only, so the
# result is always a valid S3 bucket-name fragment. Not a secret: it ends up
# in a bucket name, so nothing should treat it as one.
resource "random_string" "random" {
  upper   = false
  special = false
  length  = 24
}
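# FIFO queue that decouples the webhook Lambda (producer) from the runners
# scale-up Lambda (consumer). The payload is presumably the accepted GitHub
# event — confirm against the webhook module.
resource "aws_sqs_queue" "queued_builds" {
  name       = "${var.environment}-queued-builds.fifo"
  fifo_queue = true

  # SQS derives the deduplication id from a hash of the message body, so a
  # redelivered identical webhook does not queue a second build.
  content_based_deduplication = true

  # Messages become visible 30s after being sent; receivers long-poll for
  # up to 10s to avoid empty receives.
  delay_seconds             = 30
  receive_wait_time_seconds = 10

  # NOTE(review): this must stay at or above the scale-up Lambda timeout
  # (var.runners_scale_up_lambda_timeout), otherwise a slow scale-up sees the
  # same message redelivered — confirm against that variable's default.
  visibility_timeout_seconds = 60

  # NOTE(review): no kms_master_key_id is set although the module carries
  # local.kms_key_id / var.encrypt_secrets, so queue contents are not
  # encrypted with the customer key. Enabling it also requires KMS
  # permissions on the producer and consumer Lambda roles — confirm before
  # changing.

  # local.tags rather than var.tags so the queue carries the Environment tag
  # like every other resource in this module (it was the only one tagged
  # from var.tags directly).
  tags = local.tags
}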
# Webhook endpoint: receives GitHub App events and hands accepted ones to the
# build queue. Holds the GitHub webhook secret, so the encryption settings
# below decide how that secret is stored.
module "webhook" {
  source = "./modules/webhook"

  # Deployment identity and tagging.
  aws_region  = var.aws_region
  environment = var.environment
  tags        = local.tags

  # At-rest protection for the secret material the module stores.
  encryption = {
    kms_key_id = local.kms_key_id
    encrypt    = var.encrypt_secrets
  }

  # Secret used to verify webhook signatures and the queue to publish to.
  github_app_webhook_secret = var.github_app.webhook_secret
  sqs_build_queue           = aws_sqs_queue.queued_builds

  # Lambda packaging (S3 object or local zip) and runtime settings.
  lambda_s3_bucket                 = var.lambda_s3_bucket
  webhook_lambda_s3_key            = var.webhook_lambda_s3_key
  webhook_lambda_s3_object_version = var.webhook_lambda_s3_object_version
  lambda_zip                       = var.webhook_lambda_zip
  lambda_timeout                   = var.webhook_lambda_timeout
  logging_retention_in_days        = var.logging_retention_in_days

  # IAM placement for the Lambda role.
  role_path                 = var.role_path
  role_permissions_boundary = var.role_permissions_boundary
}
# Runner fleet: the EC2 instances that execute GitHub Actions jobs plus the
# scale-up / scale-down Lambdas that consume the build queue. Several inputs
# here widen what a job running on a runner can do (root, SSM, extra IAM
# policies, user-data hooks); they are passed through unchanged from the
# caller's variables.
module "runners" {
  source = "./modules/runners"

  # Deployment identity, network placement and tagging.
  aws_region  = var.aws_region
  vpc_id      = var.vpc_id
  subnet_ids  = var.subnet_ids
  environment = var.environment
  tags        = local.tags

  # At-rest protection for the secrets the module stores.
  encryption = {
    kms_key_id = local.kms_key_id
    encrypt    = var.encrypt_secrets
  }

  # Where runner instances fetch the runner distribution from.
  s3_bucket_runner_binaries   = module.runner_binaries.bucket
  s3_location_runner_binaries = local.s3_action_runner_url

  # Instance shape and image selection. ami_filter is a name pattern; the
  # ami_owners list is what bounds which accounts' images may match it.
  instance_type         = var.instance_type
  block_device_mappings = var.block_device_mappings
  runner_architecture   = local.runner_architecture
  ami_filter            = local.ami_filter
  ami_owners            = var.ami_owners

  # GitHub integration: the queue of accepted events and the App credentials.
  sqs_build_queue             = aws_sqs_queue.queued_builds
  github_app                  = var.github_app
  enable_organization_runners = var.enable_organization_runners
  runner_extra_labels         = var.runner_extra_labels

  # Scaling behaviour.
  scale_down_schedule_expression  = var.scale_down_schedule_expression
  minimum_running_time_in_minutes = var.minimum_running_time_in_minutes
  runners_maximum_count           = var.runners_maximum_count
  idle_config                     = var.idle_config

  # Privilege-relevant runner settings: whether jobs run as root, whether SSM
  # access to the instances is enabled, and which managed policies are added
  # to the runner instance role. Passed through as-is.
  runner_as_root                      = var.runner_as_root
  enable_ssm_on_runners               = var.enable_ssm_on_runners
  runner_iam_role_managed_policy_arns = var.runner_iam_role_managed_policy_arns

  # Lambda packaging (S3 object or local zip) and runtime settings for the
  # scale-up and scale-down functions.
  lambda_s3_bucket                 = var.lambda_s3_bucket
  runners_lambda_s3_key            = var.runners_lambda_s3_key
  runners_lambda_s3_object_version = var.runners_lambda_s3_object_version
  lambda_zip                       = var.runners_lambda_zip
  lambda_timeout_scale_up          = var.runners_scale_up_lambda_timeout
  lambda_timeout_scale_down        = var.runners_scale_down_lambda_timeout
  logging_retention_in_days        = var.logging_retention_in_days

  # Instance logging via the CloudWatch agent.
  enable_cloudwatch_agent = var.enable_cloudwatch_agent
  cloudwatch_config       = var.cloudwatch_config
  runner_log_files        = var.runner_log_files

  # IAM placement for the instance profile and Lambda roles.
  instance_profile_path     = var.instance_profile_path
  role_path                 = var.role_path
  role_permissions_boundary = var.role_permissions_boundary

  # User-data customisation: the template itself and pre/post install hooks.
  # These run on every runner at boot, so their contents are effectively
  # privileged configuration.
  userdata_template     = var.userdata_template
  userdata_pre_install  = var.userdata_pre_install
  userdata_post_install = var.userdata_post_install

  # Service-linked role needed before spot instances can be requested.
  create_service_linked_role_spot = var.create_service_linked_role_spot
}
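# Runner-binaries syncer: keeps a copy of the GitHub runner distribution in an
# S3 bucket that the runner instances download from at boot.
module "runner_binaries" {
  source = "./modules/runner-binaries-syncer"

  # Deployment identity and tagging.
  aws_region  = var.aws_region
  environment = var.environment
  tags        = local.tags

  # S3 bucket names are global; the random suffix avoids collisions across
  # accounts and regions.
  distribution_bucket_name = "${var.environment}-dist-${random_string.random.result}"

  # Use the shared local instead of repeating the instance-type check here,
  # so the binary synced into the bucket can never disagree with the
  # architecture the runners module launches.
  runner_architecture              = local.runner_architecture
  runner_allow_prerelease_binaries = var.runner_allow_prerelease_binaries

  # Lambda packaging (S3 object or local zip) and runtime settings.
  lambda_s3_bucket                = var.lambda_s3_bucket
  syncer_lambda_s3_key            = var.syncer_lambda_s3_key
  syncer_lambda_s3_object_version = var.syncer_lambda_s3_object_version
  lambda_zip                      = var.runner_binaries_syncer_lambda_zip
  lambda_timeout                  = var.runner_binaries_syncer_lambda_timeout
  logging_retention_in_days       = var.logging_retention_in_days

  # IAM placement for the Lambda role.
  role_path                 = var.role_path
  role_permissions_boundary = var.role_permissions_boundary
}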
# Resource group that collects everything belonging to this environment. The
# query is rendered from templates/resource-group.json with the environment
# name; the selection criteria themselves live in that template.
resource "aws_resourcegroups_group" "resourcegroups_group" {
  resource_query {
    query = templatefile(format("%s/templates/resource-group.json", path.module), {
      environment = var.environment
    })
  }

  name = "${var.environment}-group"
}