From 7e59cddde664e1aa043f66bafe3252254acf9843 Mon Sep 17 00:00:00 2001 From: Laura Martin Date: Wed, 16 Mar 2022 17:39:50 +0000 Subject: [PATCH 1/5] feat: Add resource_name variable We're looking at using this module to deploy multiple sets of runner types (x86_64 and arm architectures) but within the same conceptual "environment". We use the "Environment" tag throughout our tooling, but the constraints of using the "environment" variable for resource naming mean that we need to essentially supply different environment names (eg "env-amd64" and "env-arm64"), even though they are not in different environments. We also use the dot character (".") in our environment names, which isn't allowed in some resource names (eg SQS queue name). This commit adds an additional variable called "resource_name" that if set, is used to name resources. This means we can set it alongside the "environment" variable to ensure we have the correct tags, but resource names are distinct between multiple uses of this module. If the "resource_name" variable isn't used, then it's ignored. --- main.tf | 34 +++++++++++-------- .../runner-binaries-syncer.tf | 15 ++++---- modules/runner-binaries-syncer/variables.tf | 6 ++++ modules/runners/logging.tf | 4 +-- modules/runners/main.tf | 10 +++--- modules/runners/policies-runner.tf | 8 ++--- modules/runners/runner-config.tf | 6 ++-- modules/runners/scale-down.tf | 10 +++--- modules/runners/scale-up.tf | 10 +++--- modules/runners/variables.tf | 6 ++++ modules/ssm/local.tf | 3 +- modules/ssm/ssm.tf | 6 ++-- modules/ssm/variables.tf | 6 ++++ modules/webhook/main.tf | 5 +-- modules/webhook/variables.tf | 6 ++++ modules/webhook/webhook.tf | 10 +++--- variables.tf | 6 ++++ 17 files changed, 96 insertions(+), 55 deletions(-) diff --git a/main.tf b/main.tf index c7f5601cba..d548184d80 100644 --- a/main.tf +++ b/main.tf 
@@ -9,6 +9,8 @@ locals { id = module.ssm.parameters.github_app_id key_base64 = module.ssm.parameters.github_app_key_base64 } + + resource_name = var.resource_name != null ? var.resource_name : var.environment } resource "random_string" "random" { @@ -50,7 +52,7 @@ resource "aws_sqs_queue_policy" "build_queue_policy" { } resource "aws_sqs_queue" "queued_builds" { - name = "${var.environment}-queued-builds${var.fifo_build_queue ? ".fifo" : ""}" + name = "${local.resource_name}-queued-builds${var.fifo_build_queue ? ".fifo" : ""}" delay_seconds = var.delay_webhook_event visibility_timeout_seconds = var.runners_scale_up_lambda_timeout message_retention_seconds = var.job_queue_retention_in_seconds @@ -74,7 +76,7 @@ resource "aws_sqs_queue_policy" "build_queue_dlq_policy" { resource "aws_sqs_queue" "queued_builds_dlq" { count = var.redrive_build_queue.enabled ? 1 : 0 - name = "${var.environment}-queued-builds_dead_letter" + name = "${local.resource_name}-queued-builds_dead_letter" tags = var.tags } @@ -82,19 +84,21 @@ resource "aws_sqs_queue" "queued_builds_dlq" { module "ssm" { source = "./modules/ssm" - kms_key_arn = var.kms_key_arn - environment = var.environment - github_app = var.github_app - tags = local.tags + kms_key_arn = var.kms_key_arn + environment = var.environment + resource_name = local.resource_name + github_app = var.github_app + tags = local.tags } module "webhook" { source = "./modules/webhook" - aws_region = var.aws_region - environment = var.environment - tags = local.tags - kms_key_arn = var.kms_key_arn + aws_region = var.aws_region + environment = var.environment + resource_name = local.resource_name + tags = local.tags + kms_key_arn = var.kms_key_arn sqs_build_queue = aws_sqs_queue.queued_builds sqs_build_queue_fifo = var.fifo_build_queue 
@@ -128,6 +132,7 @@ module "runners" { vpc_id = var.vpc_id subnet_ids = var.subnet_ids environment = var.environment + resource_name = local.resource_name tags = local.tags s3_bucket_runner_binaries = module.runner_binaries.bucket @@ -214,9 +219,10 @@ module "runners" { module "runner_binaries" { source = "./modules/runner-binaries-syncer" - aws_region = var.aws_region - environment = var.environment - tags = local.tags + aws_region = var.aws_region + environment = var.environment + resource_name = local.resource_name + tags = local.tags distribution_bucket_name = "${var.environment}-dist-${random_string.random.result}" @@ -244,7 +250,7 @@ module "runner_binaries" { } resource "aws_resourcegroups_group" "resourcegroups_group" { - name = "${var.environment}-group" + name = "${local.resource_name}-group" resource_query { query = templatefile("${path.module}/templates/resource-group.json", { environment = var.environment diff --git a/modules/runner-binaries-syncer/runner-binaries-syncer.tf b/modules/runner-binaries-syncer/runner-binaries-syncer.tf index e73dad69c3..4fc0ec998a 100644 --- a/modules/runner-binaries-syncer/runner-binaries-syncer.tf +++ b/modules/runner-binaries-syncer/runner-binaries-syncer.tf @@ -1,6 +1,7 @@ locals { - lambda_zip = var.lambda_zip == null ? "${path.module}/lambdas/runner-binaries-syncer/runner-binaries-syncer.zip" : var.lambda_zip - role_path = var.role_path == null ? "/${var.environment}/" : var.role_path + resource_name = var.resource_name != null ? var.resource_name : var.environment + lambda_zip = var.lambda_zip == null ? "${path.module}/lambdas/runner-binaries-syncer/runner-binaries-syncer.zip" : var.lambda_zip + role_path = var.role_path == null ? "/${local.resource_name}/" : var.role_path gh_binary_os_label = { windows = "win", linux = "linux" 
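Review bot: In the `runner_binaries` module call, `distribution_bucket_name = "${var.environment}-dist-${random_string.random.result}"` still interpolates `var.environment` while every other name in this hunk moves to `local.resource_name`, so a caller who sets `resource_name` to keep two instances of the module apart still gets a bucket name keyed on the shared environment and distinguished only by the random suffix. For consistency with the rest of this patch the line should read `distribution_bucket_name = "${local.resource_name}-dist-${random_string.random.result}"`. Note that the second patch in this series does rewrite the line to `var.prefix`, so this only concerns the intermediate commit.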
@@ -13,7 +14,7 @@ resource "aws_lambda_function" "syncer" { s3_object_version = var.syncer_lambda_s3_object_version != null ? var.syncer_lambda_s3_object_version : null filename = var.lambda_s3_bucket == null ? local.lambda_zip : null source_code_hash = var.lambda_s3_bucket == null ? filebase64sha256(local.lambda_zip) : null - function_name = "${var.environment}-syncer" + function_name = "${local.resource_name}-syncer" role = aws_iam_role.syncer_lambda.arn handler = "index.handler" runtime = "nodejs14.x" @@ -63,7 +64,7 @@ resource "aws_cloudwatch_log_group" "syncer" { } resource "aws_iam_role" "syncer_lambda" { - name = "${var.environment}-action-syncer-lambda-role" + name = "${local.resource_name}-action-syncer-lambda-role" assume_role_policy = data.aws_iam_policy_document.lambda_assume_role_policy.json path = local.role_path permissions_boundary = var.role_permissions_boundary @@ -92,7 +93,7 @@ data "aws_iam_policy_document" "lambda_assume_role_policy" { } resource "aws_iam_role_policy" "lambda_logging" { - name = "${var.environment}-lambda-logging-policy-syncer" + name = "${local.resource_name}-lambda-logging-policy-syncer" role = aws_iam_role.syncer_lambda.id policy = templatefile("${path.module}/policies/lambda-cloudwatch.json", { @@ -101,7 +102,7 @@ resource "aws_iam_role_policy" "lambda_logging" { } resource "aws_iam_role_policy" "syncer" { - name = "${var.environment}-lambda-syncer-s3-policy" + name = "${local.resource_name}-lambda-syncer-s3-policy" role = aws_iam_role.syncer_lambda.id policy = templatefile("${path.module}/policies/lambda-syncer.json", { @@ -110,7 +111,7 @@ resource "aws_iam_role_policy" "syncer" { } resource "aws_cloudwatch_event_rule" "syncer" { - name = "${var.environment}-syncer-rule" + name = "${local.resource_name}-syncer-rule" schedule_expression = var.lambda_schedule_expression tags = var.tags } diff --git a/modules/runner-binaries-syncer/variables.tf b/modules/runner-binaries-syncer/variables.tf index 37023b0486..8cfe9d35a7 100644 
--- a/modules/runner-binaries-syncer/variables.tf +++ b/modules/runner-binaries-syncer/variables.tf @@ -14,6 +14,12 @@ variable "environment" { type = string } +variable "resource_name" { + description = "A name used for resources rather than using the environment name" + type = string + default = null +} + variable "distribution_bucket_name" { description = "Bucket for storing the action runner distribution." type = string diff --git a/modules/runners/logging.tf b/modules/runners/logging.tf index 9f4ab3ee90..1df863dea7 100644 --- a/modules/runners/logging.tf +++ b/modules/runners/logging.tf @@ -30,7 +30,7 @@ locals { ] ) logfiles = var.enable_cloudwatch_agent ? [for l in local.runner_log_files : { - "log_group_name" : l.prefix_log_group ? "/github-self-hosted-runners/${var.environment}/${l.log_group_name}" : "/${l.log_group_name}" + "log_group_name" : l.prefix_log_group ? "/github-self-hosted-runners/${local.resource_name}/${l.log_group_name}" : "/${l.log_group_name}" "log_stream_name" : l.log_stream_name "file_path" : l.file_path }] : [] @@ -42,7 +42,7 @@ locals { resource "aws_ssm_parameter" "cloudwatch_agent_config_runner" { count = var.enable_cloudwatch_agent ? 1 : 0 - name = "${var.environment}-cloudwatch_agent_config_runner" + name = "${local.resource_name}-cloudwatch_agent_config_runner" type = "String" value = var.cloudwatch_config != null ? var.cloudwatch_config : templatefile("${path.module}/templates/cloudwatch_config.json", { logfiles = jsonencode(local.logfiles) diff --git a/modules/runners/main.tf b/modules/runners/main.tf index f8fc25d97c..a9b2fd8b60 100644 --- a/modules/runners/main.tf +++ b/modules/runners/main.tf 
@@ -6,10 +6,12 @@ locals { var.tags, ) + resource_name = var.resource_name != null ? var.resource_name : var.environment + name_sg = var.overrides["name_sg"] == "" ? local.tags["Name"] : var.overrides["name_sg"] name_runner = var.overrides["name_runner"] == "" ? local.tags["Name"] : var.overrides["name_runner"] - role_path = var.role_path == null ? "/${var.environment}/" : var.role_path - instance_profile_path = var.instance_profile_path == null ? "/${var.environment}/" : var.instance_profile_path + role_path = var.role_path == null ? "/${local.resource_name}/" : var.role_path + instance_profile_path = var.instance_profile_path == null ? "/${local.resource_name}/" : var.instance_profile_path lambda_zip = var.lambda_zip == null ? "${path.module}/lambdas/runners/runners.zip" : var.lambda_zip userdata_template = var.userdata_template == null ? local.default_userdata_template[var.runner_os] : var.userdata_template kms_key_arn = var.kms_key_arn != null ? var.kms_key_arn : "" @@ -54,7 +56,7 @@ data "aws_ami" "runner" { } resource "aws_launch_template" "runner" { - name = "${var.environment}-action-runner" + name = "${local.resource_name}-action-runner" dynamic "block_device_mappings" { for_each = var.block_device_mappings != null ? var.block_device_mappings : [] @@ -143,7 +145,7 @@ resource "aws_launch_template" "runner" { resource "aws_security_group" "runner_sg" { count = var.enable_managed_runner_security_group ? 1 : 0 - name_prefix = "${var.environment}-github-actions-runner-sg" + name_prefix = "${local.resource_name}-github-actions-runner-sg" description = "Github Actions Runner security group" vpc_id = var.vpc_id diff --git a/modules/runners/policies-runner.tf b/modules/runners/policies-runner.tf index 2e6351ac00..163ad6b595 100644 --- a/modules/runners/policies-runner.tf +++ b/modules/runners/policies-runner.tf 
@@ -1,7 +1,7 @@ data "aws_caller_identity" "current" {} resource "aws_iam_role" "runner" { - name = "${var.environment}-runner-role" + name = "${local.resource_name}-runner-role" assume_role_policy = templatefile("${path.module}/policies/instance-role-trust-policy.json", {}) path = local.role_path permissions_boundary = var.role_permissions_boundary @@ -9,7 +9,7 @@ resource "aws_iam_role" "runner" { } resource "aws_iam_instance_profile" "runner" { - name = "${var.environment}-runner-profile" + name = "${local.resource_name}-runner-profile" role = aws_iam_role.runner.name path = local.instance_profile_path } @@ -26,8 +26,8 @@ resource "aws_iam_role_policy" "ssm_parameters" { role = aws_iam_role.runner.name policy = templatefile("${path.module}/policies/instance-ssm-parameters-policy.json", { - arn_ssm_parameters_prefix = "arn:${var.aws_partition}:ssm:${var.aws_region}:${data.aws_caller_identity.current.account_id}:parameter/${var.environment}-*" - arn_ssm_parameters_path = "arn:${var.aws_partition}:ssm:${var.aws_region}:${data.aws_caller_identity.current.account_id}:parameter/${var.environment}/*" + arn_ssm_parameters_prefix = "arn:${var.aws_partition}:ssm:${var.aws_region}:${data.aws_caller_identity.current.account_id}:parameter/${local.resource_name}-*" + arn_ssm_parameters_path = "arn:${var.aws_partition}:ssm:${var.aws_region}:${data.aws_caller_identity.current.account_id}:parameter/${local.resource_name}/*" } ) } diff --git a/modules/runners/runner-config.tf b/modules/runners/runner-config.tf index 591ab90be0..bc5cb4faf5 100644 --- a/modules/runners/runner-config.tf +++ b/modules/runners/runner-config.tf 
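Review bot: The `arn_ssm_parameters_prefix` line grants the runner instance role `ssm:GetParameter*` on `parameter/${local.resource_name}-*`, and the commit message's own naming example (`env-amd64`, `env-arm64`) shows how one module instance's `resource_name` can be a leading substring of a sibling's: a deployment that used the bare `env` would match the sibling's `env-arm64-*` parameters too, because the `-*` wildcard is not anchored on anything `env-arm64` lacks. The path form `parameter/${local.resource_name}/*` on the next line does not have this problem. Worth either stating in the `resource_name` description that values must not be prefixes of one another, or narrowing this statement to the parameter names the module actually creates — of those visible in this series that is `${local.resource_name}-cloudwatch_agent_config_runner` from logging.tf. The enclosing `aws_iam_role_policy "ssm_parameters"` block starts before this hunk.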
@@ -1,19 +1,19 @@ resource "aws_ssm_parameter" "runner_config_run_as" { - name = "/${var.environment}/runner/run-as" + name = "/${local.resource_name}/runner/run-as" type = "String" value = var.runner_as_root ? "root" : var.runner_run_as tags = local.tags } resource "aws_ssm_parameter" "runner_agent_mode" { - name = "/${var.environment}/runner/agent-mode" + name = "/${local.resource_name}/runner/agent-mode" type = "String" value = var.enable_ephemeral_runners ? "ephemeral" : "persistent" tags = local.tags } resource "aws_ssm_parameter" "runner_enable_cloudwatch" { - name = "/${var.environment}/runner/enable-cloudwatch" + name = "/${local.resource_name}/runner/enable-cloudwatch" type = "String" value = var.enable_cloudwatch_agent tags = local.tags diff --git a/modules/runners/scale-down.tf b/modules/runners/scale-down.tf index a1c30fcf9b..b293bca728 100644 --- a/modules/runners/scale-down.tf +++ b/modules/runners/scale-down.tf @@ -11,7 +11,7 @@ resource "aws_lambda_function" "scale_down" { s3_object_version = var.runners_lambda_s3_object_version != null ? var.runners_lambda_s3_object_version : null filename = var.lambda_s3_bucket == null ? local.lambda_zip : null source_code_hash = var.lambda_s3_bucket == null ? filebase64sha256(local.lambda_zip) : null - function_name = "${var.environment}-scale-down" + function_name = "${local.resource_name}-scale-down" role = aws_iam_role.scale_down.arn handler = "index.scaleDownHandler" runtime = "nodejs14.x" @@ -51,7 +51,7 @@ resource "aws_cloudwatch_log_group" "scale_down" { } resource "aws_cloudwatch_event_rule" "scale_down" { - name = "${var.environment}-scale-down-rule" + name = "${local.resource_name}-scale-down-rule" schedule_expression = var.scale_down_schedule_expression tags = var.tags } 
@@ -70,7 +70,7 @@ resource "aws_lambda_permission" "scale_down" { } resource "aws_iam_role" "scale_down" { - name = "${var.environment}-action-scale-down-lambda-role" + name = "${local.resource_name}-action-scale-down-lambda-role" assume_role_policy = data.aws_iam_policy_document.lambda_assume_role_policy.json path = local.role_path permissions_boundary = var.role_permissions_boundary @@ -78,7 +78,7 @@ resource "aws_iam_role" "scale_down" { } resource "aws_iam_role_policy" "scale_down" { - name = "${var.environment}-lambda-scale-down-policy" + name = "${local.resource_name}-lambda-scale-down-policy" role = aws_iam_role.scale_down.name policy = templatefile("${path.module}/policies/lambda-scale-down.json", { github_app_id_arn = var.github_app_parameters.id.arn @@ -88,7 +88,7 @@ resource "aws_iam_role_policy" "scale_down" { } resource "aws_iam_role_policy" "scale_down_logging" { - name = "${var.environment}-lambda-logging" + name = "${local.resource_name}-lambda-logging" role = aws_iam_role.scale_down.name policy = templatefile("${path.module}/policies/lambda-cloudwatch.json", { log_group_arn = aws_cloudwatch_log_group.scale_down.arn diff --git a/modules/runners/scale-up.tf b/modules/runners/scale-up.tf index 00a1d7e122..30a3466d50 100644 --- a/modules/runners/scale-up.tf +++ b/modules/runners/scale-up.tf @@ -4,7 +4,7 @@ resource "aws_lambda_function" "scale_up" { s3_object_version = var.runners_lambda_s3_object_version != null ? var.runners_lambda_s3_object_version : null filename = var.lambda_s3_bucket == null ? local.lambda_zip : null source_code_hash = var.lambda_s3_bucket == null ? filebase64sha256(local.lambda_zip) : null - function_name = "${var.environment}-scale-up" + function_name = "${local.resource_name}-scale-up" role = aws_iam_role.scale_up.arn handler = "index.scaleUpHandler" runtime = "nodejs14.x" 
@@ -69,7 +69,7 @@ resource "aws_lambda_permission" "scale_runners_lambda" { } resource "aws_iam_role" "scale_up" { - name = "${var.environment}-action-scale-up-lambda-role" + name = "${local.resource_name}-action-scale-up-lambda-role" assume_role_policy = data.aws_iam_policy_document.lambda_assume_role_policy.json path = local.role_path permissions_boundary = var.role_permissions_boundary @@ -77,7 +77,7 @@ resource "aws_iam_role" "scale_up" { } resource "aws_iam_role_policy" "scale_up" { - name = "${var.environment}-lambda-scale-up-policy" + name = "${local.resource_name}-lambda-scale-up-policy" role = aws_iam_role.scale_up.name policy = templatefile("${path.module}/policies/lambda-scale-up.json", { arn_runner_instance_role = aws_iam_role.runner.arn @@ -90,7 +90,7 @@ resource "aws_iam_role_policy" "scale_up" { resource "aws_iam_role_policy" "scale_up_logging" { - name = "${var.environment}-lambda-logging" + name = "${local.resource_name}-lambda-logging" role = aws_iam_role.scale_up.name policy = templatefile("${path.module}/policies/lambda-cloudwatch.json", { log_group_arn = aws_cloudwatch_log_group.scale_up.arn @@ -99,7 +99,7 @@ resource "aws_iam_role_policy" "scale_up_logging" { resource "aws_iam_role_policy" "service_linked_role" { count = var.create_service_linked_role_spot ? 1 : 0 - name = "${var.environment}-service_linked_role" + name = "${local.resource_name}-service_linked_role" role = aws_iam_role.scale_up.name policy = templatefile("${path.module}/policies/service-linked-role-create-policy.json", { aws_partition = var.aws_partition }) } diff --git a/modules/runners/variables.tf b/modules/runners/variables.tf index 91b77806fa..409322e11b 100644 --- a/modules/runners/variables.tf +++ b/modules/runners/variables.tf 
@@ -34,6 +34,12 @@ variable "environment" { type = string } +variable "resource_name" { + description = "A name used for resources rather than using the environment name" + type = string + default = null +} + variable "s3_bucket_runner_binaries" { type = object({ arn = string diff --git a/modules/ssm/local.tf b/modules/ssm/local.tf index 0ed128d8ba..b7a0b512bd 100644 --- a/modules/ssm/local.tf +++ b/modules/ssm/local.tf @@ -1,3 +1,4 @@ locals { - kms_key_arn = var.kms_key_arn == null ? "alias/aws/ssm" : var.kms_key_arn + kms_key_arn = var.kms_key_arn == null ? "alias/aws/ssm" : var.kms_key_arn + resource_name = var.resource_name != null ? var.resource_name : var.environment } diff --git a/modules/ssm/ssm.tf b/modules/ssm/ssm.tf index 91f1d17cdf..9b254d51b4 100644 --- a/modules/ssm/ssm.tf +++ b/modules/ssm/ssm.tf @@ -1,5 +1,5 @@ resource "aws_ssm_parameter" "github_app_id" { - name = "/actions_runner/${var.environment}/github_app_id" + name = "/actions_runner/${local.resource_name}/github_app_id" type = "SecureString" value = var.github_app.id key_id = local.kms_key_arn @@ -7,7 +7,7 @@ resource "aws_ssm_parameter" "github_app_id" { } resource "aws_ssm_parameter" "github_app_key_base64" { - name = "/actions_runner/${var.environment}/github_app_key_base64" + name = "/actions_runner/${local.resource_name}/github_app_key_base64" type = "SecureString" value = var.github_app.key_base64 key_id = local.kms_key_arn @@ -15,7 +15,7 @@ resource "aws_ssm_parameter" "github_app_key_base64" { } resource "aws_ssm_parameter" "github_app_webhook_secret" { - name = "/actions_runner/${var.environment}/github_app_webhook_secret" + name = "/actions_runner/${local.resource_name}/github_app_webhook_secret" type = "SecureString" value = var.github_app.webhook_secret key_id = local.kms_key_arn diff --git a/modules/ssm/variables.tf b/modules/ssm/variables.tf index 7528d0721c..4e0b554d44 100644 --- a/modules/ssm/variables.tf +++ b/modules/ssm/variables.tf 
@@ -12,6 +12,12 @@ variable "environment" { type = string } +variable "resource_name" { + description = "A name used for resources rather than using the environment name" + type = string + default = null +} + variable "kms_key_arn" { description = "Optional CMK Key ARN to be used for Parameter Store." type = string diff --git a/modules/webhook/main.tf b/modules/webhook/main.tf index ad536051da..4091e32a8d 100644 --- a/modules/webhook/main.tf +++ b/modules/webhook/main.tf @@ -1,11 +1,12 @@ locals { + resource_name = var.resource_name != null ? var.resource_name : var.environment webhook_endpoint = "webhook" - role_path = var.role_path == null ? "/${var.environment}/" : var.role_path + role_path = var.role_path == null ? "/${local.resource_name}/" : var.role_path lambda_zip = var.lambda_zip == null ? "${path.module}/lambdas/webhook/webhook.zip" : var.lambda_zip } resource "aws_apigatewayv2_api" "webhook" { - name = "${var.environment}-github-action-webhook" + name = "${local.resource_name}-github-action-webhook" protocol_type = "HTTP" tags = var.tags } diff --git a/modules/webhook/variables.tf b/modules/webhook/variables.tf index d719ad45d9..602ad8f8c8 100644 --- a/modules/webhook/variables.tf +++ b/modules/webhook/variables.tf @@ -8,6 +8,12 @@ variable "environment" { type = string } +variable "resource_name" { + description = "A name used for resources rather than using the environment name" + type = string + default = null +} + variable "github_app_webhook_secret_arn" { type = string } diff --git a/modules/webhook/webhook.tf b/modules/webhook/webhook.tf index 25e9c4d60a..24a61e8b91 100644 --- a/modules/webhook/webhook.tf +++ b/modules/webhook/webhook.tf 
@@ -4,7 +4,7 @@ resource "aws_lambda_function" "webhook" { s3_object_version = var.webhook_lambda_s3_object_version != null ? var.webhook_lambda_s3_object_version : null filename = var.lambda_s3_bucket == null ? local.lambda_zip : null source_code_hash = var.lambda_s3_bucket == null ? filebase64sha256(local.lambda_zip) : null - function_name = "${var.environment}-webhook" + function_name = "${local.resource_name}-webhook" role = aws_iam_role.webhook_lambda.arn handler = "index.githubWebhook" runtime = "nodejs14.x" @@ -53,7 +53,7 @@ data "aws_iam_policy_document" "lambda_assume_role_policy" { } resource "aws_iam_role" "webhook_lambda" { - name = "${var.environment}-action-webhook-lambda-role" + name = "${local.resource_name}-action-webhook-lambda-role" assume_role_policy = data.aws_iam_policy_document.lambda_assume_role_policy.json path = local.role_path permissions_boundary = var.role_permissions_boundary @@ -61,7 +61,7 @@ resource "aws_iam_role" "webhook_lambda" { } resource "aws_iam_role_policy" "webhook_logging" { - name = "${var.environment}-lambda-logging-policy" + name = "${local.resource_name}-lambda-logging-policy" role = aws_iam_role.webhook_lambda.name policy = templatefile("${path.module}/policies/lambda-cloudwatch.json", { log_group_arn = aws_cloudwatch_log_group.webhook.arn @@ -69,7 +69,7 @@ resource "aws_iam_role_policy" "webhook_logging" { } resource "aws_iam_role_policy" "webhook_sqs" { - name = "${var.environment}-lambda-webhook-publish-sqs-policy" + name = "${local.resource_name}-lambda-webhook-publish-sqs-policy" role = aws_iam_role.webhook_lambda.name policy = templatefile("${path.module}/policies/lambda-publish-sqs-policy.json", { 
@@ -78,7 +78,7 @@ resource "aws_iam_role_policy" "webhook_sqs" { } resource "aws_iam_role_policy" "webhook_ssm" { - name = "${var.environment}-lambda-webhook-publish-ssm-policy" + name = "${local.resource_name}-lambda-webhook-publish-ssm-policy" role = aws_iam_role.webhook_lambda.name policy = templatefile("${path.module}/policies/lambda-ssm.json", { diff --git a/variables.tf b/variables.tf index fc0102c61b..53efa3d8c5 100644 --- a/variables.tf +++ b/variables.tf @@ -24,6 +24,12 @@ variable "environment" { type = string } +variable "resource_name" { + description = "A name used for resources rather than using the environment name" + type = string + default = null +} + variable "enable_organization_runners" { description = "Register runners to organization, instead of repo level" type = bool From 89f30c97d1bd66868aae3db2a87ddb3f8630616f Mon Sep 17 00:00:00 2001 From: Laura Martin Date: Thu, 21 Apr 2022 11:23:32 +0100 Subject: [PATCH 2/5] feat: Remove environment tag completely --- main.tf | 43 ++++++++----------- .../runner-binaries-syncer.tf | 15 +++---- modules/runner-binaries-syncer/variables.tf | 11 ++--- modules/runners/README.md | 6 +-- modules/runners/logging.tf | 4 +- modules/runners/main.tf | 14 +++--- modules/runners/policies-runner.tf | 8 ++-- modules/runners/pool.tf | 2 +- modules/runners/pool/main.tf | 12 +++--- modules/runners/pool/variables.tf | 2 +- modules/runners/runner-config.tf | 6 +-- modules/runners/scale-down.tf | 12 +++--- modules/runners/scale-up.tf | 12 +++--- modules/runners/variables.tf | 19 +++----- modules/setup-iam-permissions/main.tf | 8 ++-- modules/setup-iam-permissions/variables.tf | 5 ++- modules/ssm/local.tf | 3 +- modules/ssm/ssm.tf | 6 +-- modules/ssm/variables.tf | 11 ++--- modules/webhook/main.tf | 5 +-- modules/webhook/variables.tf | 11 ++--- modules/webhook/webhook.tf | 12 +++--- variables.tf | 11 ++--- 23 files changed, 101 insertions(+), 137 deletions(-) diff --git a/main.tf b/main.tf index d548184d80..7f460be4f8 100644 
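Review bot: The new `variable "resource_name"` in the root `variables.tf` has no `validation` block, yet the commit message motivates it with the fact that characters such as `.` are rejected by some of the resources it feeds (SQS queue names, and the same string goes into IAM role, Lambda and SSM parameter names). Without a constraint the bad value is only reported by the provider at apply time, after the rest of the plan has started. A validation on the root variable is enough, since the modules receive the already-resolved `local.resource_name`; the duplicated declarations in the four module `variables.tf` hunks of this patch can stay as they are.
```hcl
variable "resource_name" {
  # … unchanged: description, type …
  default     = null

  validation {
    condition     = var.resource_name == null || can(regex("^[A-Za-z0-9_-]+$", var.resource_name))
    error_message = "resource_name may contain only letters, digits, hyphens and underscores."
  }
}
```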
--- a/main.tf +++ b/main.tf @@ -1,7 +1,6 @@ locals { tags = merge(var.tags, { - Environment = var.environment, - "ghr:environment" = format("%s", var.environment) + "ghr:environment" = var.prefix }) s3_action_runner_url = "s3://${module.runner_binaries.bucket.id}/${module.runner_binaries.runner_distribution_object_key}" @@ -9,8 +8,6 @@ locals { id = module.ssm.parameters.github_app_id key_base64 = module.ssm.parameters.github_app_key_base64 } - - resource_name = var.resource_name != null ? var.resource_name : var.environment } resource "random_string" "random" { @@ -52,7 +49,7 @@ resource "aws_sqs_queue_policy" "build_queue_policy" { } resource "aws_sqs_queue" "queued_builds" { - name = "${local.resource_name}-queued-builds${var.fifo_build_queue ? ".fifo" : ""}" + name = "${var.prefix}-queued-builds${var.fifo_build_queue ? ".fifo" : ""}" delay_seconds = var.delay_webhook_event visibility_timeout_seconds = var.runners_scale_up_lambda_timeout message_retention_seconds = var.job_queue_retention_in_seconds @@ -76,7 +73,7 @@ resource "aws_sqs_queue_policy" "build_queue_dlq_policy" { resource "aws_sqs_queue" "queued_builds_dlq" { count = var.redrive_build_queue.enabled ? 1 : 0 - name = "${local.resource_name}-queued-builds_dead_letter" + name = "${var.prefix}-queued-builds_dead_letter" tags = var.tags } 
@@ -84,21 +81,19 @@ resource "aws_sqs_queue" "queued_builds_dlq" { module "ssm" { source = "./modules/ssm" - kms_key_arn = var.kms_key_arn - environment = var.environment - resource_name = local.resource_name - github_app = var.github_app - tags = local.tags + kms_key_arn = var.kms_key_arn + prefix = var.prefix + github_app = var.github_app + tags = local.tags } module "webhook" { source = "./modules/webhook" - aws_region = var.aws_region - environment = var.environment - resource_name = local.resource_name - tags = local.tags - kms_key_arn = var.kms_key_arn + aws_region = var.aws_region + prefix = var.prefix + tags = local.tags + kms_key_arn = var.kms_key_arn sqs_build_queue = aws_sqs_queue.queued_builds sqs_build_queue_fifo = var.fifo_build_queue @@ -131,8 +126,7 @@ module "runners" { aws_partition = var.aws_partition vpc_id = var.vpc_id subnet_ids = var.subnet_ids - environment = var.environment - resource_name = local.resource_name + prefix = var.prefix tags = local.tags s3_bucket_runner_binaries = module.runner_binaries.bucket @@ -219,12 +213,11 @@ module "runners" { module "runner_binaries" { source = "./modules/runner-binaries-syncer" - aws_region = var.aws_region - environment = var.environment - resource_name = local.resource_name - tags = local.tags + aws_region = var.aws_region + prefix = var.prefix + tags = local.tags - distribution_bucket_name = "${var.environment}-dist-${random_string.random.result}" + distribution_bucket_name = "${var.prefix}-dist-${random_string.random.result}" runner_os = var.runner_os runner_architecture = var.runner_architecture @@ -250,10 +243,10 @@ module "runner_binaries" { } resource "aws_resourcegroups_group" "resourcegroups_group" { - name = "${local.resource_name}-group" + name = "${var.prefix}-group" resource_query { query = templatefile("${path.module}/templates/resource-group.json", { - environment = var.environment + environment = var.prefix }) } } 
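Review bot: The `Environment` tag is dropped from `local.tags` in the first hunk of this file, but the `aws_resourcegroups_group` query in the last hunk still passes `environment = var.prefix` into `templates/resource-group.json`; if that template (not in this diff) filters on the `Environment` tag key, the resource group now matches nothing. The retained `"ghr:environment" = var.prefix` also stores a naming prefix under a tag whose name says environment, which will mislead tooling that keyed on the old value. Consider either keeping `Environment = var.prefix` in the merge or updating the template to filter on `ghr:environment`, and calling the dropped tag out as a breaking change in the commit description.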
diff --git a/modules/runner-binaries-syncer/runner-binaries-syncer.tf b/modules/runner-binaries-syncer/runner-binaries-syncer.tf index 4fc0ec998a..a7118a6844 100644 --- a/modules/runner-binaries-syncer/runner-binaries-syncer.tf +++ b/modules/runner-binaries-syncer/runner-binaries-syncer.tf @@ -1,7 +1,6 @@ locals { - resource_name = var.resource_name != null ? var.resource_name : var.environment - lambda_zip = var.lambda_zip == null ? "${path.module}/lambdas/runner-binaries-syncer/runner-binaries-syncer.zip" : var.lambda_zip - role_path = var.role_path == null ? "/${local.resource_name}/" : var.role_path + lambda_zip = var.lambda_zip == null ? "${path.module}/lambdas/runner-binaries-syncer/runner-binaries-syncer.zip" : var.lambda_zip + role_path = var.role_path == null ? "/${var.prefix}/" : var.role_path gh_binary_os_label = { windows = "win", linux = "linux" @@ -14,7 +13,7 @@ resource "aws_lambda_function" "syncer" { s3_object_version = var.syncer_lambda_s3_object_version != null ? var.syncer_lambda_s3_object_version : null filename = var.lambda_s3_bucket == null ? local.lambda_zip : null source_code_hash = var.lambda_s3_bucket == null ? filebase64sha256(local.lambda_zip) : null - function_name = "${local.resource_name}-syncer" + function_name = "${var.prefix}-syncer" role = aws_iam_role.syncer_lambda.arn handler = "index.handler" runtime = "nodejs14.x" @@ -64,7 +63,7 @@ resource "aws_cloudwatch_log_group" "syncer" { } resource "aws_iam_role" "syncer_lambda" { - name = "${local.resource_name}-action-syncer-lambda-role" + name = "${var.prefix}-action-syncer-lambda-role" assume_role_policy = data.aws_iam_policy_document.lambda_assume_role_policy.json path = local.role_path permissions_boundary = var.role_permissions_boundary 
@@ -93,7 +92,7 @@ data "aws_iam_policy_document" "lambda_assume_role_policy" { } resource "aws_iam_role_policy" "lambda_logging" { - name = "${local.resource_name}-lambda-logging-policy-syncer" + name = "${var.prefix}-lambda-logging-policy-syncer" role = aws_iam_role.syncer_lambda.id policy = templatefile("${path.module}/policies/lambda-cloudwatch.json", { @@ -102,7 +101,7 @@ resource "aws_iam_role_policy" "lambda_logging" { } resource "aws_iam_role_policy" "syncer" { - name = "${local.resource_name}-lambda-syncer-s3-policy" + name = "${var.prefix}-lambda-syncer-s3-policy" role = aws_iam_role.syncer_lambda.id policy = templatefile("${path.module}/policies/lambda-syncer.json", { @@ -111,7 +110,7 @@ resource "aws_iam_role_policy" "syncer" { } resource "aws_cloudwatch_event_rule" "syncer" { - name = "${local.resource_name}-syncer-rule" + name = "${var.prefix}-syncer-rule" schedule_expression = var.lambda_schedule_expression tags = var.tags } diff --git a/modules/runner-binaries-syncer/variables.tf b/modules/runner-binaries-syncer/variables.tf index 8cfe9d35a7..bf6f32c3db 100644 --- a/modules/runner-binaries-syncer/variables.tf +++ b/modules/runner-binaries-syncer/variables.tf @@ -9,15 +9,10 @@ variable "tags" { default = {} } -variable "environment" { - description = "A name that identifies the environment, used as prefix and for tagging." +variable "prefix" { + description = "The prefix used for naming resources" type = string -} - -variable "resource_name" { - description = "A name used for resources rather than using the environment name" - type = string - default = null + default = "github-actions" } variable "distribution_bucket_name" { diff --git a/modules/runners/README.md b/modules/runners/README.md index 4c6b82a082..13fb5efdc1 100644 --- a/modules/runners/README.md +++ b/modules/runners/README.md 
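Review bot: In the `modules/runner-binaries-syncer/variables.tf` hunk, `default = "github-actions"` turns the formerly required `environment` into an optional `prefix`, so two instantiations of the module in one account that both omit it now plan with identical IAM role, Lambda and SSM parameter names (for the ssm module that is `/actions_runner/github-actions/github_app_key_base64`, a SecureString); depending on the provider's `overwrite` handling the second apply either fails with an already-exists error or clobbers the first deployment's GitHub App key, and in both cases the collision surfaces only at apply time. The diffstat suggests the same default is added in the other `variables.tf` files of this patch. Either leave `prefix` without a default so every caller must pick a distinct value, or add a `validation` block on its characters, and extend the description to say the value is also written to the `ghr:environment` tag.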
@@ -130,7 +130,7 @@ yarn run dist | [enable\_runner\_detailed\_monitoring](#input\_enable\_runner\_detailed\_monitoring) | Enable detailed monitoring for runners | `bool` | `false` | no | | [enable\_ssm\_on\_runners](#input\_enable\_ssm\_on\_runners) | Enable to allow access to the runner instances for debugging purposes via SSM. Note that this adds additional permissions to the runner instances. | `bool` | n/a | yes | | [enabled\_userdata](#input\_enabled\_userdata) | Should the userdata script be enabled for the runner. Set this to false if you are using your own prebuilt AMI | `bool` | `true` | no | -| [environment](#input\_environment) | A name that identifies the environment, used as prefix and for tagging. | `string` | n/a | yes | +| [prefix](#input\_prefix) | The prefix used for naming resources | `string` | `github-actions` | no | | [ghes\_ssl\_verify](#input\_ghes\_ssl\_verify) | GitHub Enterprise SSL verification. Set to 'false' when custom certificate (chains) is used for GitHub Enterprise Server (insecure). | `bool` | `true` | no | | [ghes\_url](#input\_ghes\_url) | GitHub Enterprise Server URL. DO NOT SET IF USING PUBLIC GITHUB | `string` | `null` | no | | [github\_app\_parameters](#input\_github\_app\_parameters) | Parameter Store for GitHub App Parameters. |
object({
key_base64 = map(string)
id = map(string)
})
| n/a | yes | @@ -171,7 +171,7 @@ yarn run dist | [runner\_extra\_labels](#input\_runner\_extra\_labels) | Extra labels for the runners (GitHub). Separate each label by a comma | `string` | `""` | no | | [runner\_group\_name](#input\_runner\_group\_name) | Name of the runner group. | `string` | `"Default"` | no | | [runner\_iam\_role\_managed\_policy\_arns](#input\_runner\_iam\_role\_managed\_policy\_arns) | Attach AWS or customer-managed IAM policies (by ARN) to the runner IAM role | `list(string)` | `[]` | no | -| [runner\_log\_files](#input\_runner\_log\_files) | (optional) List of logfiles to send to CloudWatch, will only be used if `enable_cloudwatch_agent` is set to true. Object description: `log_group_name`: Name of the log group, `prefix_log_group`: If true, the log group name will be prefixed with `/github-self-hosted-runners/`, `file_path`: path to the log file, `log_stream_name`: name of the log stream. |
list(object({
log_group_name = string
prefix_log_group = bool
file_path = string
log_stream_name = string
}))
| `null` | no | +| [runner\_log\_files](#input\_runner\_log\_files) | (optional) List of logfiles to send to CloudWatch, will only be used if `enable_cloudwatch_agent` is set to true. Object description: `log_group_name`: Name of the log group, `prefix_log_group`: If true, the log group name will be prefixed with `/github-self-hosted-runners/`, `file_path`: path to the log file, `log_stream_name`: name of the log stream. |
list(object({
log_group_name = string
prefix_log_group = bool
file_path = string
log_stream_name = string
}))
| `null` | no | | [runner\_os](#input\_runner\_os) | The EC2 Operating System type to use for action runner instances (linux,windows). | `string` | `"linux"` | no | | [runner\_run\_as](#input\_runner\_run\_as) | Run the GitHub actions agent as user. | `string` | `"ec2-user"` | no | | [runners\_lambda\_s3\_key](#input\_runners\_lambda\_s3\_key) | S3 key for runners lambda function. Required if using S3 bucket to specify lambdas. | `any` | `null` | no | @@ -183,7 +183,7 @@ yarn run dist | [scale\_up\_reserved\_concurrent\_executions](#input\_scale\_up\_reserved\_concurrent\_executions) | Amount of reserved concurrent executions for the scale-up lambda function. A value of 0 disables lambda from being triggered and -1 removes any concurrency limitations. | `number` | `1` | no | | [sqs\_build\_queue](#input\_sqs\_build\_queue) | SQS queue to consume accepted build events. |
object({
arn = string
})
| n/a | yes | | [subnet\_ids](#input\_subnet\_ids) | List of subnets in which the action runners will be launched, the subnets needs to be subnets in the `vpc_id`. | `list(string)` | n/a | yes | -| [tags](#input\_tags) | Map of tags that will be added to created resources. By default resources will be tagged with name and environment. | `map(string)` | `{}` | no | +| [tags](#input\_tags) | Map of tags that will be added to created resources. By default resources will be tagged with name. | `map(string)` | `{}` | no | | [userdata\_post\_install](#input\_userdata\_post\_install) | User-data script snippet to insert after GitHub action runner install | `string` | `""` | no | | [userdata\_pre\_install](#input\_userdata\_pre\_install) | User-data script snippet to insert before GitHub action runner install | `string` | `""` | no | | [userdata\_template](#input\_userdata\_template) | Alternative user-data template, replacing the default template. By providing your own user\_data you have to take care of installing all required software, including the action runner. Variables userdata\_pre/post\_install are ignored. | `string` | `null` | no | diff --git a/modules/runners/logging.tf b/modules/runners/logging.tf index 1df863dea7..4051ad415c 100644 --- a/modules/runners/logging.tf +++ b/modules/runners/logging.tf @@ -30,7 +30,7 @@ locals { ] ) logfiles = var.enable_cloudwatch_agent ? [for l in local.runner_log_files : { - "log_group_name" : l.prefix_log_group ? "/github-self-hosted-runners/${local.resource_name}/${l.log_group_name}" : "/${l.log_group_name}" + "log_group_name" : l.prefix_log_group ? "/github-self-hosted-runners/${var.prefix}/${l.log_group_name}" : "/${l.log_group_name}" "log_stream_name" : l.log_stream_name "file_path" : l.file_path }] : [] 
@@ -42,7 +42,7 @@ locals {
 resource "aws_ssm_parameter" "cloudwatch_agent_config_runner" {
 count = var.enable_cloudwatch_agent ? 1 : 0
- name = "${local.resource_name}-cloudwatch_agent_config_runner"
+ name = "${var.prefix}-cloudwatch_agent_config_runner"
 type = "String"
 value = var.cloudwatch_config != null ? var.cloudwatch_config : templatefile("${path.module}/templates/cloudwatch_config.json", {
 logfiles = jsonencode(local.logfiles)
diff --git a/modules/runners/main.tf b/modules/runners/main.tf
index a9b2fd8b60..a3d009c28a 100644
--- a/modules/runners/main.tf
+++ b/modules/runners/main.tf
@@ -1,17 +1,15 @@
 locals {
 tags = merge(
 {
- "Name" = format("%s-action-runner", var.environment)
+ "Name" = format("%s-action-runner", var.prefix)
 },
 var.tags,
 )
- resource_name = var.resource_name != null ? var.resource_name : var.environment
-
 name_sg = var.overrides["name_sg"] == "" ? local.tags["Name"] : var.overrides["name_sg"]
 name_runner = var.overrides["name_runner"] == "" ? local.tags["Name"] : var.overrides["name_runner"]
- role_path = var.role_path == null ? "/${local.resource_name}/" : var.role_path
- instance_profile_path = var.instance_profile_path == null ? "/${local.resource_name}/" : var.instance_profile_path
+ role_path = var.role_path == null ? "/${var.prefix}/" : var.role_path
+ instance_profile_path = var.instance_profile_path == null ? "/${var.prefix}/" : var.instance_profile_path
 lambda_zip = var.lambda_zip == null ? "${path.module}/lambdas/runners/runners.zip" : var.lambda_zip
 userdata_template = var.userdata_template == null ? local.default_userdata_template[var.runner_os] : var.userdata_template
 kms_key_arn = var.kms_key_arn != null ? var.kms_key_arn : ""
@@ -56,7 +54,7 @@ data "aws_ami" "runner" {
 }
 resource "aws_launch_template" "runner" {
- name = "${local.resource_name}-action-runner"
+ name = "${var.prefix}-action-runner"
 dynamic "block_device_mappings" {
 for_each = var.block_device_mappings != null ? var.block_device_mappings : []
@@ -133,7 +131,7 @@ resource "aws_launch_template" "runner" {
 ghes_url = var.ghes_url
 ghes_ssl_verify = var.ghes_ssl_verify
 ## retain these for backwards compatibility
- environment = var.environment
+ environment = var.prefix
 enable_cloudwatch_agent = var.enable_cloudwatch_agent
 ssm_key_cloudwatch_agent_config = var.enable_cloudwatch_agent ? aws_ssm_parameter.cloudwatch_agent_config_runner[0].name : ""
 })) : ""
@@ -145,7 +143,7 @@ resource "aws_launch_template" "runner" {
 resource "aws_security_group" "runner_sg" {
 count = var.enable_managed_runner_security_group ? 1 : 0
- name_prefix = "${local.resource_name}-github-actions-runner-sg"
+ name_prefix = "${var.prefix}-github-actions-runner-sg"
 description = "Github Actions Runner security group"
 vpc_id = var.vpc_id
diff --git a/modules/runners/policies-runner.tf b/modules/runners/policies-runner.tf
index 163ad6b595..5ba9004b14 100644
--- a/modules/runners/policies-runner.tf
+++ b/modules/runners/policies-runner.tf
@@ -1,7 +1,7 @@
 data "aws_caller_identity" "current" {}
 resource "aws_iam_role" "runner" {
- name = "${local.resource_name}-runner-role"
+ name = "${var.prefix}-runner-role"
 assume_role_policy = templatefile("${path.module}/policies/instance-role-trust-policy.json", {})
 path = local.role_path
 permissions_boundary = var.role_permissions_boundary
@@ -9,7 +9,7 @@ resource "aws_iam_role" "runner" {
 }
 resource "aws_iam_instance_profile" "runner" {
- name = "${local.resource_name}-runner-profile"
+ name = "${var.prefix}-runner-profile"
 role = aws_iam_role.runner.name
 path = local.instance_profile_path
 }
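Review bot: The comment `## retain these for backwards compatibility` above `environment = var.prefix` no longer says what is being retained: the template variable keeps its old name but now carries the resource prefix, so a user-supplied `userdata_template` that interpolates `environment` as the deployment's environment name silently receives a different value once the two diverge. I would reword it to `## "environment" is kept as the template variable name so existing custom userdata templates keep working; it now holds var.prefix`. The same name-kept/value-changed pattern applies to the `ENVIRONMENT` Lambda variable in the pool, scale-down, scale-up and webhook hunks; since modules/ssm/ssm.tf now builds the `/actions_runner/${var.prefix}/...` parameter paths from the same value, the Lambda code (not in this diff) presumably resolves them consistently, but that is worth confirming rather than assuming. The enclosing `aws_launch_template` resource starts before the hunk.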
@@ -26,8 +26,8 @@ resource "aws_iam_role_policy" "ssm_parameters" {
 role = aws_iam_role.runner.name
 policy = templatefile("${path.module}/policies/instance-ssm-parameters-policy.json", {
- arn_ssm_parameters_prefix = "arn:${var.aws_partition}:ssm:${var.aws_region}:${data.aws_caller_identity.current.account_id}:parameter/${local.resource_name}-*"
- arn_ssm_parameters_path = "arn:${var.aws_partition}:ssm:${var.aws_region}:${data.aws_caller_identity.current.account_id}:parameter/${local.resource_name}/*"
+ arn_ssm_parameters_prefix = "arn:${var.aws_partition}:ssm:${var.aws_region}:${data.aws_caller_identity.current.account_id}:parameter/${var.prefix}-*"
+ arn_ssm_parameters_path = "arn:${var.aws_partition}:ssm:${var.aws_region}:${data.aws_caller_identity.current.account_id}:parameter/${var.prefix}/*"
 }
 )
 }
diff --git a/modules/runners/pool.tf b/modules/runners/pool.tf
index 593ace1b29..c8c54ce2c5 100644
--- a/modules/runners/pool.tf
+++ b/modules/runners/pool.tf
@@ -4,7 +4,7 @@ module "pool" {
 source = "./pool"
 config = {
- environment = var.environment
+ prefix = var.prefix
 ghes = {
 ssl_verify = var.ghes_ssl_verify
 url = var.ghes_url
diff --git a/modules/runners/pool/main.tf b/modules/runners/pool/main.tf
index 3a4b1e7fd4..3c5d77de5d 100644
--- a/modules/runners/pool/main.tf
+++ b/modules/runners/pool/main.tf
@@ -5,7 +5,7 @@ resource "aws_lambda_function" "pool" {
 s3_object_version = var.config.lambda.s3_object_version != null ? var.config.lambda.s3_object_version : null
 filename = var.config.lambda.s3_bucket == null ? var.config.lambda.zip : null
 source_code_hash = var.config.lambda.s3_bucket == null ? filebase64sha256(var.config.lambda.zip) : null
- function_name = "${var.config.environment}-pool"
+ function_name = "${var.config.prefix}-pool"
 role = aws_iam_role.pool.arn
 handler = "index.adjustPool"
 runtime = "nodejs14.x"
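Review bot: The instance role's parameter grant `parameter/${var.prefix}-*` becomes much wider now that `prefix` defaults to the short, shared value `"github-actions"`: every runner instance may read any SSM parameter in the account whose name starts with that prefix and a hyphen, not only the ones this module creates, and the default makes that prefix identical for every installation that does not override it. From the hunks in this patch the only hyphen-form parameter the module creates is `${var.prefix}-cloudwatch_agent_config_runner` in modules/runners/logging.tf, while the runner config parameters live under `/${var.prefix}/runner/...`, which the second ARN already covers. If `policies/instance-ssm-parameters-policy.json` (not in the diff) uses `arn_ssm_parameters_prefix` for nothing else, the first ARN can name that parameter exactly: `arn_ssm_parameters_prefix = "arn:${var.aws_partition}:ssm:${var.aws_region}:${data.aws_caller_identity.current.account_id}:parameter/${var.prefix}-cloudwatch_agent_config_runner"`. The enclosing `aws_iam_role_policy` starts before the hunk, so confirm against the template before narrowing it.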
@@ -18,7 +18,7 @@ resource "aws_lambda_function" "pool" {
 variables = {
 DISABLE_RUNNER_AUTOUPDATE = var.config.runner.disable_runner_autoupdate
 ENABLE_EPHEMERAL_RUNNERS = var.config.runner.ephemeral
- ENVIRONMENT = var.config.environment
+ ENVIRONMENT = var.config.prefix
 GHES_URL = var.config.ghes.url
 INSTANCE_ALLOCATION_STRATEGY = var.config.instance_allocation_strategy
 INSTANCE_MAX_SPOT_PRICE = var.config.instance_max_spot_price
@@ -54,7 +54,7 @@ resource "aws_cloudwatch_log_group" "pool" {
 }
 resource "aws_iam_role" "pool" {
- name = "${var.config.environment}-action-pool-lambda-role"
+ name = "${var.config.prefix}-action-pool-lambda-role"
 assume_role_policy = data.aws_iam_policy_document.lambda_assume_role_policy.json
 path = var.config.role_path
 permissions_boundary = var.config.role_permissions_boundary
@@ -62,7 +62,7 @@ resource "aws_iam_role" "pool" {
 }
 resource "aws_iam_role_policy" "pool" {
- name = "${var.config.environment}-lambda-pool-policy"
+ name = "${var.config.prefix}-lambda-pool-policy"
 role = aws_iam_role.pool.name
 policy = templatefile("${path.module}/policies/lambda-pool.json", {
 arn_runner_instance_role = var.config.runner.role.arn
@@ -73,7 +73,7 @@ resource "aws_iam_role_policy" "pool" {
 }
 resource "aws_iam_role_policy" "pool_logging" {
- name = "${var.config.environment}-lambda-logging"
+ name = "${var.config.prefix}-lambda-logging"
 role = aws_iam_role.pool.name
 policy = templatefile("${path.module}/../policies/lambda-cloudwatch.json", {
 log_group_arn = aws_cloudwatch_log_group.pool.arn
@@ -101,7 +101,7 @@ data "aws_iam_policy_document" "lambda_assume_role_policy" {
 resource "aws_cloudwatch_event_rule" "pool" {
 count = length(var.config.pool)
- name = "${var.config.environment}-pool-${count.index}-rule"
+ name = "${var.config.prefix}-pool-${count.index}-rule"
 schedule_expression = var.config.pool[count.index].schedule_expression
 tags = var.config.tags
 }
diff --git a/modules/runners/pool/variables.tf b/modules/runners/pool/variables.tf
index 579a37f904..29ee1d2f5f 100644
--- a/modules/runners/pool/variables.tf
+++ b/modules/runners/pool/variables.tf
@@ -41,7 +41,7 @@ variable "config" {
 instance_target_capacity_type = string
 instance_allocation_strategy = string
 instance_max_spot_price = string
- environment = string
+ prefix = string
 pool = list(object({
 schedule_expression = string
 size = number
diff --git a/modules/runners/runner-config.tf b/modules/runners/runner-config.tf
index bc5cb4faf5..e4745a1a9a 100644
--- a/modules/runners/runner-config.tf
+++ b/modules/runners/runner-config.tf
@@ -1,19 +1,19 @@
 resource "aws_ssm_parameter" "runner_config_run_as" {
- name = "/${local.resource_name}/runner/run-as"
+ name = "/${var.prefix}/runner/run-as"
 type = "String"
 value = var.runner_as_root ? "root" : var.runner_run_as
 tags = local.tags
 }
 resource "aws_ssm_parameter" "runner_agent_mode" {
- name = "/${local.resource_name}/runner/agent-mode"
+ name = "/${var.prefix}/runner/agent-mode"
 type = "String"
 value = var.enable_ephemeral_runners ? "ephemeral" : "persistent"
 tags = local.tags
 }
 resource "aws_ssm_parameter" "runner_enable_cloudwatch" {
- name = "/${local.resource_name}/runner/enable-cloudwatch"
+ name = "/${var.prefix}/runner/enable-cloudwatch"
 type = "String"
 value = var.enable_cloudwatch_agent
 tags = local.tags
diff --git a/modules/runners/scale-down.tf b/modules/runners/scale-down.tf
index b293bca728..34a77e90c1 100644
--- a/modules/runners/scale-down.tf
+++ b/modules/runners/scale-down.tf
@@ -11,7 +11,7 @@ resource "aws_lambda_function" "scale_down" {
 s3_object_version = var.runners_lambda_s3_object_version != null ? var.runners_lambda_s3_object_version : null
 filename = var.lambda_s3_bucket == null ? local.lambda_zip : null
 source_code_hash = var.lambda_s3_bucket == null ? filebase64sha256(local.lambda_zip) : null
- function_name = "${local.resource_name}-scale-down"
+ function_name = "${var.prefix}-scale-down"
 role = aws_iam_role.scale_down.arn
 handler = "index.scaleDownHandler"
 runtime = "nodejs14.x"
@@ -21,7 +21,7 @@ resource "aws_lambda_function" "scale_down" {
 environment {
 variables = {
- ENVIRONMENT = var.environment
+ ENVIRONMENT = var.prefix
 GHES_URL = var.ghes_url
 LOG_LEVEL = var.log_level
 LOG_TYPE = var.log_type
@@ -51,7 +51,7 @@ resource "aws_cloudwatch_log_group" "scale_down" {
 }
 resource "aws_cloudwatch_event_rule" "scale_down" {
- name = "${local.resource_name}-scale-down-rule"
+ name = "${var.prefix}-scale-down-rule"
 schedule_expression = var.scale_down_schedule_expression
 tags = var.tags
 }
@@ -70,7 +70,7 @@ resource "aws_lambda_permission" "scale_down" {
 }
 resource "aws_iam_role" "scale_down" {
- name = "${local.resource_name}-action-scale-down-lambda-role"
+ name = "${var.prefix}-action-scale-down-lambda-role"
 assume_role_policy = data.aws_iam_policy_document.lambda_assume_role_policy.json
 path = local.role_path
 permissions_boundary = var.role_permissions_boundary
@@ -78,7 +78,7 @@ resource "aws_iam_role" "scale_down" {
 }
 resource "aws_iam_role_policy" "scale_down" {
- name = "${local.resource_name}-lambda-scale-down-policy"
+ name = "${var.prefix}-lambda-scale-down-policy"
 role = aws_iam_role.scale_down.name
 policy = templatefile("${path.module}/policies/lambda-scale-down.json", {
 github_app_id_arn = var.github_app_parameters.id.arn
@@ -88,7 +88,7 @@ resource "aws_iam_role_policy" "scale_down" {
 }
 resource "aws_iam_role_policy" "scale_down_logging" {
- name = "${local.resource_name}-lambda-logging"
+ name = "${var.prefix}-lambda-logging"
 role = aws_iam_role.scale_down.name
 policy = templatefile("${path.module}/policies/lambda-cloudwatch.json", {
 log_group_arn = aws_cloudwatch_log_group.scale_down.arn
diff --git a/modules/runners/scale-up.tf b/modules/runners/scale-up.tf
index 30a3466d50..6e39308abc 100644
--- a/modules/runners/scale-up.tf
+++ b/modules/runners/scale-up.tf
@@ -4,7 +4,7 @@ resource "aws_lambda_function" "scale_up" {
 s3_object_version = var.runners_lambda_s3_object_version != null ? var.runners_lambda_s3_object_version : null
 filename = var.lambda_s3_bucket == null ? local.lambda_zip : null
 source_code_hash = var.lambda_s3_bucket == null ? filebase64sha256(local.lambda_zip) : null
- function_name = "${local.resource_name}-scale-up"
+ function_name = "${var.prefix}-scale-up"
 role = aws_iam_role.scale_up.arn
 handler = "index.scaleUpHandler"
 runtime = "nodejs14.x"
@@ -19,7 +19,7 @@ resource "aws_lambda_function" "scale_up" {
 ENABLE_EPHEMERAL_RUNNERS = var.enable_ephemeral_runners
 ENABLE_JOB_QUEUED_CHECK = local.enable_job_queued_check
 ENABLE_ORGANIZATION_RUNNERS = var.enable_organization_runners
- ENVIRONMENT = var.environment
+ ENVIRONMENT = var.prefix
 GHES_URL = var.ghes_url
 INSTANCE_ALLOCATION_STRATEGY = var.instance_allocation_strategy
 INSTANCE_MAX_SPOT_PRICE = var.instance_max_spot_price
@@ -69,7 +69,7 @@ resource "aws_lambda_permission" "scale_runners_lambda" {
 }
 resource "aws_iam_role" "scale_up" {
- name = "${local.resource_name}-action-scale-up-lambda-role"
+ name = "${var.prefix}-action-scale-up-lambda-role"
 assume_role_policy = data.aws_iam_policy_document.lambda_assume_role_policy.json
 path = local.role_path
 permissions_boundary = var.role_permissions_boundary
@@ -77,7 +77,7 @@ resource "aws_iam_role" "scale_up" {
 }
 resource "aws_iam_role_policy" "scale_up" {
- name = "${local.resource_name}-lambda-scale-up-policy"
+ name = "${var.prefix}-lambda-scale-up-policy"
 role = aws_iam_role.scale_up.name
 policy = templatefile("${path.module}/policies/lambda-scale-up.json", {
 arn_runner_instance_role = aws_iam_role.runner.arn
@@ -90,7 +90,7 @@ resource "aws_iam_role_policy" "scale_up" {
 resource "aws_iam_role_policy" "scale_up_logging" {
- name = "${local.resource_name}-lambda-logging"
+ name = "${var.prefix}-lambda-logging"
 role = aws_iam_role.scale_up.name
 policy = templatefile("${path.module}/policies/lambda-cloudwatch.json", {
 log_group_arn = aws_cloudwatch_log_group.scale_up.arn
@@ -99,7 +99,7 @@ resource "aws_iam_role_policy" "scale_up_logging" {
 resource "aws_iam_role_policy" "service_linked_role" {
 count = var.create_service_linked_role_spot ? 1 : 0
- name = "${local.resource_name}-service_linked_role"
+ name = "${var.prefix}-service_linked_role"
 role = aws_iam_role.scale_up.name
 policy = templatefile("${path.module}/policies/service-linked-role-create-policy.json", { aws_partition = var.aws_partition })
 }
diff --git a/modules/runners/variables.tf b/modules/runners/variables.tf
index 409322e11b..1f416139d4 100644
--- a/modules/runners/variables.tf
+++ b/modules/runners/variables.tf
@@ -24,20 +24,15 @@ variable "overrides" {
 }
 variable "tags" {
- description = "Map of tags that will be added to created resources. By default resources will be tagged with name and environment."
+ description = "Map of tags that will be added to created resources. By default resources will be tagged with name."
 type = map(string)
 default = {}
 }
-variable "environment" {
- description = "A name that identifies the environment, used as prefix and for tagging."
+variable "prefix" {
+ description = "The prefix used for naming resources"
 type = string
-}
-
-variable "resource_name" {
- description = "A name used for resources rather than using the environment name"
- type = string
- default = null
+ default = "github-actions"
 }
 variable "s3_bucket_runner_binaries" {
@@ -249,13 +244,13 @@ variable "role_permissions_boundary" {
 }
 variable "role_path" {
- description = "The path that will be added to the role; if not set, the environment name will be used."
+ description = "The path that will be added to the role; if not set, the prefix will be used."
 type = string
 default = null
 }
 variable "instance_profile_path" {
- description = "The path that will be added to the instance_profile, if not set the environment name will be used."
+ description = "The path that will be added to the instance_profile, if not set the prefix will be used."
 type = string
 default = null
 }
@@ -363,7 +358,7 @@ variable "cloudwatch_config" {
 }
 variable "runner_log_files" {
- description = "(optional) List of logfiles to send to CloudWatch, will only be used if `enable_cloudwatch_agent` is set to true. Object description: `log_group_name`: Name of the log group, `prefix_log_group`: If true, the log group name will be prefixed with `/github-self-hosted-runners/`, `file_path`: path to the log file, `log_stream_name`: name of the log stream."
+ description = "(optional) List of logfiles to send to CloudWatch, will only be used if `enable_cloudwatch_agent` is set to true. Object description: `log_group_name`: Name of the log group, `prefix_log_group`: If true, the log group name will be prefixed with `/github-self-hosted-runners/`, `file_path`: path to the log file, `log_stream_name`: name of the log stream."
 type = list(object({
 log_group_name = string
 prefix_log_group = bool
diff --git a/modules/setup-iam-permissions/main.tf b/modules/setup-iam-permissions/main.tf
index a577dfd482..ce39031058 100644
--- a/modules/setup-iam-permissions/main.tf
+++ b/modules/setup-iam-permissions/main.tf
@@ -1,7 +1,7 @@
 data "aws_caller_identity" "current" {}
 resource "aws_iam_role" "deploy" {
- name = "${var.environment}-terraform"
+ name = "${var.prefix}-terraform"
 permissions_boundary = aws_iam_policy.deploy_boundary.arn
 assume_role_policy = templatefile("${path.module}/policies/assume-role-for-account.json", {
@@ -11,7 +11,7 @@ resource "aws_iam_role" "deploy" {
 }
 resource "aws_iam_policy" "boundary" {
- name = "${var.environment}-boundary"
+ name = "${var.prefix}-boundary"
 path = "/${var.namespaces.boundary_namespace}/"
 policy = templatefile("${path.module}/policies/boundary.json", {
@@ -22,7 +22,7 @@ resource "aws_iam_policy" "boundary" {
 }
 resource "aws_iam_policy" "deploy" {
- name = "${var.environment}-terraform"
+ name = "${var.prefix}-terraform"
 path = "/"
 policy = templatefile("${path.module}/policies/deploy-policy.json", {
@@ -36,7 +36,7 @@ resource "aws_iam_role_policy_attachment" "deploy" {
 }
 resource "aws_iam_policy" "deploy_boundary" {
- name = "${var.environment}-terraform-boundary"
+ name = "${var.prefix}-terraform-boundary"
 path = "/${var.namespaces.boundary_namespace}/"
 policy = templatefile("${path.module}/policies/deploy-boundary.json", {
diff --git a/modules/setup-iam-permissions/variables.tf b/modules/setup-iam-permissions/variables.tf
index a67d56648c..cc7fc3d936 100644
--- a/modules/setup-iam-permissions/variables.tf
+++ b/modules/setup-iam-permissions/variables.tf
@@ -1,6 +1,7 @@
-variable "environment" {
- description = "A name that identifies the environment, used as prefix and for tagging."
+variable "prefix" {
+ description = "The prefix used for naming resources"
 type = string
+ default = "github-actions"
 }
 variable "namespaces" {
diff --git a/modules/ssm/local.tf b/modules/ssm/local.tf
index b7a0b512bd..0ed128d8ba 100644
--- a/modules/ssm/local.tf
+++ b/modules/ssm/local.tf
@@ -1,4 +1,3 @@
 locals {
- kms_key_arn = var.kms_key_arn == null ? "alias/aws/ssm" : var.kms_key_arn
- resource_name = var.resource_name != null ? var.resource_name : var.environment
+ kms_key_arn = var.kms_key_arn == null ? "alias/aws/ssm" : var.kms_key_arn
 }
diff --git a/modules/ssm/ssm.tf b/modules/ssm/ssm.tf
index 9b254d51b4..9b4d96cb1f 100644
--- a/modules/ssm/ssm.tf
+++ b/modules/ssm/ssm.tf
@@ -1,5 +1,5 @@
 resource "aws_ssm_parameter" "github_app_id" {
- name = "/actions_runner/${local.resource_name}/github_app_id"
+ name = "/actions_runner/${var.prefix}/github_app_id"
 type = "SecureString"
 value = var.github_app.id
 key_id = local.kms_key_arn
@@ -7,7 +7,7 @@ resource "aws_ssm_parameter" "github_app_id" {
 }
 resource "aws_ssm_parameter" "github_app_key_base64" {
- name = "/actions_runner/${local.resource_name}/github_app_key_base64"
+ name = "/actions_runner/${var.prefix}/github_app_key_base64"
 type = "SecureString"
 value = var.github_app.key_base64
 key_id = local.kms_key_arn
@@ -15,7 +15,7 @@ resource "aws_ssm_parameter" "github_app_key_base64" {
 }
 resource "aws_ssm_parameter" "github_app_webhook_secret" {
- name = "/actions_runner/${local.resource_name}/github_app_webhook_secret"
+ name = "/actions_runner/${var.prefix}/github_app_webhook_secret"
 type = "SecureString"
 value = var.github_app.webhook_secret
 key_id = local.kms_key_arn
diff --git a/modules/ssm/variables.tf b/modules/ssm/variables.tf
index 4e0b554d44..4fc2ac2fe0 100644
--- a/modules/ssm/variables.tf
+++ b/modules/ssm/variables.tf
@@ -7,15 +7,10 @@ variable "github_app" {
 })
 }
-variable "environment" {
- description = "A name that identifies the environment, used as prefix and for tagging."
+variable "prefix" {
+ description = "The prefix used for naming resources"
 type = string
-}
-
-variable "resource_name" {
- description = "A name used for resources rather than using the environment name"
- type = string
- default = null
+ default = "github-actions"
 }
 variable "kms_key_arn" {
diff --git a/modules/webhook/main.tf b/modules/webhook/main.tf
index 4091e32a8d..b330913158 100644
--- a/modules/webhook/main.tf
+++ b/modules/webhook/main.tf
@@ -1,12 +1,11 @@
 locals {
- resource_name = var.resource_name != null ? var.resource_name : var.environment
 webhook_endpoint = "webhook"
- role_path = var.role_path == null ? "/${local.resource_name}/" : var.role_path
+ role_path = var.role_path == null ? "/${var.prefix}/" : var.role_path
 lambda_zip = var.lambda_zip == null ? "${path.module}/lambdas/webhook/webhook.zip" : var.lambda_zip
 }
 resource "aws_apigatewayv2_api" "webhook" {
- name = "${local.resource_name}-github-action-webhook"
+ name = "${var.prefix}-github-action-webhook"
 protocol_type = "HTTP"
 tags = var.tags
 }
diff --git a/modules/webhook/variables.tf b/modules/webhook/variables.tf
index 602ad8f8c8..3b7c0546e8 100644
--- a/modules/webhook/variables.tf
+++ b/modules/webhook/variables.tf
@@ -3,15 +3,10 @@ variable "aws_region" {
 type = string
 }
-variable "environment" {
- description = "A name that identifies the environment, used as prefix and for tagging."
+variable "prefix" {
+ description = "The prefix used for naming resources"
 type = string
-}
-
-variable "resource_name" {
- description = "A name used for resources rather than using the environment name"
- type = string
- default = null
+ default = "github-actions"
 }
 variable "github_app_webhook_secret_arn" {
diff --git a/modules/webhook/webhook.tf b/modules/webhook/webhook.tf
index 24a61e8b91..2e3c6836d4 100644
--- a/modules/webhook/webhook.tf
+++ b/modules/webhook/webhook.tf
@@ -4,7 +4,7 @@ resource "aws_lambda_function" "webhook" {
 s3_object_version = var.webhook_lambda_s3_object_version != null ? var.webhook_lambda_s3_object_version : null
 filename = var.lambda_s3_bucket == null ? local.lambda_zip : null
 source_code_hash = var.lambda_s3_bucket == null ? filebase64sha256(local.lambda_zip) : null
- function_name = "${local.resource_name}-webhook"
+ function_name = "${var.prefix}-webhook"
 role = aws_iam_role.webhook_lambda.arn
 handler = "index.githubWebhook"
 runtime = "nodejs14.x"
@@ -13,7 +13,7 @@ resource "aws_lambda_function" "webhook" {
 environment {
 variables = {
 ENABLE_WORKFLOW_JOB_LABELS_CHECK = var.enable_workflow_job_labels_check
- ENVIRONMENT = var.environment
+ ENVIRONMENT = var.prefix
 LOG_LEVEL = var.log_level
 LOG_TYPE = var.log_type
 REPOSITORY_WHITE_LIST = jsonencode(var.repository_white_list)
@@ -53,7 +53,7 @@ data "aws_iam_policy_document" "lambda_assume_role_policy" {
 }
 resource "aws_iam_role" "webhook_lambda" {
- name = "${local.resource_name}-action-webhook-lambda-role"
+ name = "${var.prefix}-action-webhook-lambda-role"
 assume_role_policy = data.aws_iam_policy_document.lambda_assume_role_policy.json
 path = local.role_path
 permissions_boundary = var.role_permissions_boundary
@@ -61,7 +61,7 @@ resource "aws_iam_role" "webhook_lambda" { } resource "aws_iam_role_policy" "webhook_logging" { - name = "${local.resource_name}-lambda-logging-policy" + name = "${var.prefix}-lambda-logging-policy" role = aws_iam_role.webhook_lambda.name policy = templatefile("${path.module}/policies/lambda-cloudwatch.json", { log_group_arn = aws_cloudwatch_log_group.webhook.arn @@ -69,7 +69,7 @@ resource "aws_iam_role_policy" "webhook_logging" { } resource "aws_iam_role_policy" "webhook_sqs" { - name = "${local.resource_name}-lambda-webhook-publish-sqs-policy" + name = "${var.prefix}-lambda-webhook-publish-sqs-policy" role = aws_iam_role.webhook_lambda.name policy = templatefile("${path.module}/policies/lambda-publish-sqs-policy.json", { @@ -78,7 +78,7 @@ resource "aws_iam_role_policy" "webhook_sqs" { } resource "aws_iam_role_policy" "webhook_ssm" { - name = "${local.resource_name}-lambda-webhook-publish-ssm-policy" + name = "${var.prefix}-lambda-webhook-publish-ssm-policy" role = aws_iam_role.webhook_lambda.name policy = templatefile("${path.module}/policies/lambda-ssm.json", { diff --git a/variables.tf b/variables.tf index 53efa3d8c5..ca9ab7ce0f 100644 --- a/variables.tf +++ b/variables.tf @@ -19,15 +19,10 @@ variable "tags" { default = {} } -variable "environment" { - description = "A name that identifies the environment, used as prefix and for tagging." +variable "prefix" { + description = "The prefix used for naming resources" type = string -} - -variable "resource_name" { - description = "A name used for resources rather than using the environment name" - type = string - default = null + default = "github-actions" } variable "enable_organization_runners" { From 8435e0a1d32b807f94f707e36aab7a7c2a506fad Mon Sep 17 00:00:00 2001 
From: Laura Martin Date: Thu, 21 Apr 2022 11:57:19 +0100 Subject: [PATCH 3/5] docs: Update examples --- examples/arm64/main.tf | 2 +- examples/default/main.tf | 2 +- examples/ephemeral/main.tf | 2 +- examples/permissions-boundary/main.tf | 2 +- examples/prebuilt/main.tf | 2 +- examples/ubuntu/main.tf | 2 +- examples/windows/main.tf | 8 ++++---- 7 files changed, 10 insertions(+), 10 deletions(-) diff --git a/examples/arm64/main.tf b/examples/arm64/main.tf index 1ea26c9066..c541177cd4 100644 --- a/examples/arm64/main.tf +++ b/examples/arm64/main.tf @@ -19,7 +19,7 @@ module "runners" { vpc_id = module.vpc.vpc_id subnet_ids = module.vpc.private_subnets - environment = local.environment + prefix = local.environment tags = { Project = "ProjectX" } diff --git a/examples/default/main.tf b/examples/default/main.tf index 6ee90a15c8..d273cc0558 100644 --- a/examples/default/main.tf +++ b/examples/default/main.tf @@ -19,7 +19,7 @@ module "runners" { vpc_id = module.vpc.vpc_id subnet_ids = module.vpc.private_subnets - environment = local.environment + prefix = local.environment tags = { Project = "ProjectX" } diff --git a/examples/ephemeral/main.tf b/examples/ephemeral/main.tf index 9abaef9e8d..89735a2e83 100644 --- a/examples/ephemeral/main.tf +++ b/examples/ephemeral/main.tf @@ -16,7 +16,7 @@ module "runners" { vpc_id = module.vpc.vpc_id subnet_ids = module.vpc.private_subnets - environment = local.environment + prefix = local.environment tags = { Project = "ProjectX" } diff --git a/examples/permissions-boundary/main.tf b/examples/permissions-boundary/main.tf index 1d1eb792ed..c4fc4630f3 100644 --- a/examples/permissions-boundary/main.tf +++ b/examples/permissions-boundary/main.tf @@ -35,7 +35,7 @@ module "runners" { subnet_ids = module.vpc.private_subnets kms_key_arn = aws_kms_key.github.key_id - environment = local.environment + prefix = local.environment tags = { Project = "ProjectX" } 
diff --git a/examples/prebuilt/main.tf b/examples/prebuilt/main.tf index 710f6c1f60..9134dfc464 100644 --- a/examples/prebuilt/main.tf +++ b/examples/prebuilt/main.tf @@ -15,7 +15,7 @@ module "runners" { vpc_id = module.vpc.vpc_id subnet_ids = module.vpc.private_subnets - environment = local.environment + prefix = local.environment github_app = { key_base64 = var.github_app_key_base64 diff --git a/examples/ubuntu/main.tf b/examples/ubuntu/main.tf index e03ac544e7..cad0e1ca59 100644 --- a/examples/ubuntu/main.tf +++ b/examples/ubuntu/main.tf @@ -16,7 +16,7 @@ module "runners" { vpc_id = module.vpc.vpc_id subnet_ids = module.vpc.private_subnets - environment = local.environment + prefix = local.environment tags = { Project = "ProjectX" } diff --git a/examples/windows/main.tf b/examples/windows/main.tf index 0a1d770c64..359b654c9a 100644 --- a/examples/windows/main.tf +++ b/examples/windows/main.tf @@ -10,10 +10,10 @@ resource "random_id" "random" { module "runners" { source = "../../" - aws_region = local.aws_region - vpc_id = module.vpc.vpc_id - subnet_ids = module.vpc.private_subnets - environment = local.environment + aws_region = local.aws_region + vpc_id = module.vpc.vpc_id + subnet_ids = module.vpc.private_subnets + prefix = local.environment github_app = { key_base64 = var.github_app_key_base64 From 7ff656279a5c777223d6a67111ce6a677c4fe72c Mon Sep 17 00:00:00 2001 From: Laura Martin Date: Wed, 18 May 2022 13:22:47 +0100 Subject: [PATCH 4/5] Add validation rule for environment variable To aid in a safe migration, this adds a validation rule to ensure that are users explicitly informed of the steps to migrate safely. --- modules/runner-binaries-syncer/variables.tf | 11 +++++++++++ modules/runners/variables.tf | 11 +++++++++++ modules/setup-iam-permissions/variables.tf | 11 +++++++++++ modules/ssm/variables.tf | 11 +++++++++++ modules/webhook/variables.tf | 11 +++++++++++ variables.tf | 11 +++++++++++ 6 files changed, 66 insertions(+) 
diff --git a/modules/runner-binaries-syncer/variables.tf b/modules/runner-binaries-syncer/variables.tf index bf6f32c3db..436608a6ab 100644 --- a/modules/runner-binaries-syncer/variables.tf +++ b/modules/runner-binaries-syncer/variables.tf @@ -9,6 +9,17 @@ variable "tags" { default = {} } +variable "environment" { + description = "A name that identifies the environment, used as prefix and for tagging." + type = string + default = null + + validation { + condition = var.environment == null + error_message = "The \"environment\" variable is no longer used. To migrate, set the \"prefix\" variable to the original value of \"environment\" and optionally, add \"Environment\" to the \"tags\" variable map with the same value." + } +} + variable "prefix" { description = "The prefix used for naming resources" type = string diff --git a/modules/runners/variables.tf b/modules/runners/variables.tf index 1f416139d4..6fabdf3ac5 100644 --- a/modules/runners/variables.tf +++ b/modules/runners/variables.tf @@ -29,6 +29,17 @@ variable "tags" { default = {} } +variable "environment" { + description = "A name that identifies the environment, used as prefix and for tagging." + type = string + default = null + + validation { + condition = var.environment == null + error_message = "The \"environment\" variable is no longer used. To migrate, set the \"prefix\" variable to the original value of \"environment\" and optionally, add \"Environment\" to the \"tags\" variable map with the same value." + } +} + variable "prefix" { description = "The prefix used for naming resources" type = string diff --git a/modules/setup-iam-permissions/variables.tf b/modules/setup-iam-permissions/variables.tf index cc7fc3d936..833ee873f5 100644 --- a/modules/setup-iam-permissions/variables.tf +++ b/modules/setup-iam-permissions/variables.tf 
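Review bot: The re-added `environment` variable keeps the old description `A name that identifies the environment, used as prefix and for tagging.` while its `validation` block rejects any non-null value, so generated module docs and editor hovers advertise a variable whose only possible effect is an error. Replace it with something like `description = "Deprecated: no longer used. Set \"prefix\" instead; any non-null value fails validation with migration instructions."`; the same applies to the identical blocks in `modules/runners/variables.tf`, `modules/setup-iam-permissions/variables.tf`, `modules/ssm/variables.tf`, `modules/webhook/variables.tf` and the root `variables.tf`. The `error_message` also tells users to add an `Environment` tag, which is reasonable as a tagging convention, but the final patch in this series changes the runners lambda to select instances by `ghr:environment` rather than `Environment`, so the message should say the suggested tag is informational only and does not affect runner selection. Six verbatim copies of the condition and message will drift over time; if they stay, a short comment in each noting that the wording is shared with the other modules helps whoever edits one of them.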
@@ -1,3 +1,14 @@ +variable "environment" { + description = "A name that identifies the environment, used as prefix and for tagging." + type = string + default = null + + validation { + condition = var.environment == null + error_message = "The \"environment\" variable is no longer used. To migrate, set the \"prefix\" variable to the original value of \"environment\" and optionally, add \"Environment\" to the \"tags\" variable map with the same value." + } +} + variable "prefix" { description = "The prefix used for naming resources" type = string diff --git a/modules/ssm/variables.tf b/modules/ssm/variables.tf index 4fc2ac2fe0..4078ad6d1c 100644 --- a/modules/ssm/variables.tf +++ b/modules/ssm/variables.tf @@ -7,6 +7,17 @@ variable "github_app" { }) } +variable "environment" { + description = "A name that identifies the environment, used as prefix and for tagging." + type = string + default = null + + validation { + condition = var.environment == null + error_message = "The \"environment\" variable is no longer used. To migrate, set the \"prefix\" variable to the original value of \"environment\" and optionally, add \"Environment\" to the \"tags\" variable map with the same value." + } +} + variable "prefix" { description = "The prefix used for naming resources" type = string diff --git a/modules/webhook/variables.tf b/modules/webhook/variables.tf index 3b7c0546e8..9753fbae7d 100644 --- a/modules/webhook/variables.tf +++ b/modules/webhook/variables.tf 
@@ -3,6 +3,17 @@ variable "aws_region" { type = string } +variable "environment" { + description = "A name that identifies the environment, used as prefix and for tagging." + type = string + default = null + + validation { + condition = var.environment == null + error_message = "The \"environment\" variable is no longer used. To migrate, set the \"prefix\" variable to the original value of \"environment\" and optionally, add \"Environment\" to the \"tags\" variable map with the same value." + } +} + variable "prefix" { description = "The prefix used for naming resources" type = string diff --git a/variables.tf b/variables.tf index ca9ab7ce0f..a837afb8cf 100644 --- a/variables.tf +++ b/variables.tf @@ -19,6 +19,17 @@ variable "tags" { default = {} } +variable "environment" { + description = "A name that identifies the environment, used as prefix and for tagging." + type = string + default = null + + validation { + condition = var.environment == null + error_message = "The \"environment\" variable is no longer used. To migrate, set the \"prefix\" variable to the original value of \"environment\" and optionally, add \"Environment\" to the \"tags\" variable map with the same value." + } +} + variable "prefix" { description = "The prefix used for naming resources" type = string From c9991f10cc539c7530fbc74ed5c3c892ec2ef6d6 Mon Sep 17 00:00:00 2001 From: Niek Palm Date: Thu, 19 May 2022 15:25:56 +0200 Subject: [PATCH 5/5] fix: Replace tag used by lambda for scaling --- modules/runners/lambdas/runners/src/aws/runners.test.ts | 2 +- modules/runners/lambdas/runners/src/aws/runners.ts | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/runners/lambdas/runners/src/aws/runners.test.ts b/modules/runners/lambdas/runners/src/aws/runners.test.ts index 38ee9e798a..a18759463f 100644 --- a/modules/runners/lambdas/runners/src/aws/runners.test.ts +++ b/modules/runners/lambdas/runners/src/aws/runners.test.ts 
@@ -101,7 +101,7 @@ describe('list instances', () => { Filters: [ { Name: 'tag:Application', Values: ['github-action-runner'] }, { Name: 'instance-state-name', Values: ['running', 'pending'] }, - { Name: 'tag:Environment', Values: [ENVIRONMENT] }, + { Name: 'tag:ghr:environment', Values: [ENVIRONMENT] }, ], }); }); diff --git a/modules/runners/lambdas/runners/src/aws/runners.ts b/modules/runners/lambdas/runners/src/aws/runners.ts index f5f8e449a6..20a2d93770 100644 --- a/modules/runners/lambdas/runners/src/aws/runners.ts +++ b/modules/runners/lambdas/runners/src/aws/runners.ts @@ -54,7 +54,7 @@ export async function listEC2Runners(filters: ListRunnerFilters | undefined = un if (filters) { if (filters.environment !== undefined) { - ec2Filters.push({ Name: 'tag:Environment', Values: [filters.environment] }); + ec2Filters.push({ Name: 'tag:ghr:environment', Values: [filters.environment] }); } if (filters.runnerType && filters.runnerOwner) { ec2Filters.push({ Name: `tag:Type`, Values: [filters.runnerType] });
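Review bot: Switching the EC2 filter in `listEC2Runners` to `tag:ghr:environment` means any runner instance that only carries the previous `Environment` tag — everything launched before this change is rolled out — is no longer returned when `filters.environment` is set, so scale-down cannot see or terminate it and it keeps running until removed by hand. The hunk does not show where `ghr:environment` is applied to instances (presumably the launch template in the runners module), and nothing handles the window in which both tag schemes coexist. At minimum record this at the push: `// Selected by the ghr:environment tag; instances tagged only with the legacy Environment tag are invisible here and must be drained before upgrading.` The rest of `listEC2Runners` continues outside the hunk, and the companion test change only updates the expected filter name, so the legacy-tag case has no test.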