Merge branch 'release/v0.5.0' into master

Author: npalm

CHANGELOG.md

@@ -7,6 +7,25 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.5.0] - 2020-08-25
+
+### Added
+
+- feat: Manage log groups via module. When upgrading you have to import the log groups by AWS into your state. See below the example commands for the default example.
+
+```bash
+terraform import module.runners.module.runner_binaries.aws_cloudwatch_log_group.syncer "/aws/lambda/default-syncer"
+terraform import module.runners.module.runners.aws_cloudwatch_log_group.scale_up "/aws/lambda/default-scale-up"
+terraform import module.runners.module.runners.aws_cloudwatch_log_group.scale_down "/aws/lambda/default-scale-down"
+terraform import module.runners.module.webhook.aws_cloudwatch_log_group.webhook "/aws/lambda/default-webhook"
+```
+
+- feat: Added option to binaries syncer to upgrade to pre-releases, preventing any auto-updating on startup. Option `runner_allow_prerelease_binaries` is disabled by default. (#141, #165) @sjagoe
+
+- feat: SSM policies are by default disabled, set `enable_ssm_on_runners` to `true` to enable access to the runner instances via SSM. (#143) @HenryNguyen5
+
+- feat: Log full sqs event (#147) @HenryNguyen5
+
 ## [0.4.0] - 2020-08-10
 
 ### Added
@@ -50,7 +69,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 - First release.
 
-[unreleased]: https://github.com/philips-labs/terraform-aws-github-runner/compare/v0.4.0..HEAD
+[unreleased]: https://github.com/philips-labs/terraform-aws-github-runner/compare/v0.5.0..HEAD
+[0.5.0]: https://github.com/philips-labs/terraform-aws-github-runner/releases/tag/v0.4.0..v0.5.0
 [0.4.0]: https://github.com/philips-labs/terraform-aws-github-runner/releases/tag/v0.3.0..v0.4.0
 [0.3.0]: https://github.com/philips-labs/terraform-aws-github-runner/releases/tag/v0.2.0..v0.3.0
 [0.2.0]: https://github.com/philips-labs/terraform-aws-github-runner/releases/tag/v0.1.0..v0.2.0

README.md

@@ -100,20 +100,20 @@ First you need to download the lambda releases. The lambda code is available as
 ```terraform
 module "lambdas" {
   source  = "philips-labs/github-runner/aws//modules/download-lambda"
-  version = "0.2.0"
+  version = "0.5.0"
 
   lambdas = [
     {
       name = "webhook"
-      tag  = "v0.3.0"
+      tag  = "v0.5.0"
     },
     {
       name = "runners"
-      tag  = "v0.3.0"
+      tag  = "v0.5.0"
     },
     {
       name = "runner-binaries-syncer"
-      tag  = "v0.3.0"
+      tag  = "v0.5.0"
     }
   ]
 }
@@ -132,7 +132,7 @@ Next create a second terraform workspace and initiate the module, see the exampl
 ```terraform
 module "github-runner" {
   source  = "philips-labs/github-runner/aws"
-  version = "0.2.0"
+  version = "0.5.0"
 
   aws_region = "eu-west-1"
   vpc_id     = "vpc-123"
@@ -297,10 +297,12 @@ No requirements.
 | instance_profile_path                 | The path that will be added to the instance_profile, if not set the environment name will be used.                                                                                                                                                                   | `string`                                                                                                                                         | `null`                  |    no    |
 | instance_type                         | Instance type for the action runner.                                                                                                                                                                                                                                 | `string`                                                                                                                                         | `"m5.large"`            |    no    |
 | kms_key_id                            | Custom KMS key to encrypted lambda secrets, if not provided and `encrypt_secrets` = `true` a KMS key will be created by the module. Secrets will be encrypted with a context `Environment = var.environment`.                                                        | `string`                                                                                                                                         | `null`                  |    no    |
+| logging_retention_in_days             | Specifies the number of days you want to retain log events for the lambda log group. Possible values are: 0, 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, and 3653.                                                                          | `number`                                                                                                                                         | `7`                     |    no    |
 | manage_kms_key                        | Let the module manage the KMS key.                                                                                                                                                                                                                                   | `bool`                                                                                                                                           | `true`                  |    no    |
 | minimum_running_time_in_minutes       | The time an ec2 action runner should be running at minimum before terminated if non busy.                                                                                                                                                                            | `number`                                                                                                                                         | `5`                     |    no    |
 | role_path                             | The path that will be added to role path for created roles, if not set the environment name will be used.                                                                                                                                                            | `string`                                                                                                                                         | `null`                  |    no    |
 | role_permissions_boundary             | Permissions boundary that will be added to the created roles.                                                                                                                                                                                                        | `string`                                                                                                                                         | `null`                  |    no    |
+| runner_allow_prerelease_binaries      | Allow the runners to update to prerelease binaries.                                                                                                                                                                                                                  | `bool`                                                                                                                                           | `false`                 |    no    |
 | runner_as_root                        | Run the action runner under the root user.                                                                                                                                                                                                                           | `bool`                                                                                                                                           | `false`                 |    no    |
 | runner_binaries_syncer_lambda_timeout | Time out of the binaries sync lambda in seconds.                                                                                                                                                                                                                     | `number`                                                                                                                                         | `300`                   |    no    |
 | runner_binaries_syncer_lambda_zip     | File location of the binaries sync lambda zip file.                                                                                                                                                                                                                  | `string`                                                                                                                                         | `null`                  |    no    |
@@ -317,6 +319,7 @@ No requirements.
 | vpc_id                                | The VPC for security groups of the action runners.                                                                                                                                                                                                                   | `string`                                                                                                                                         | n/a                     |   yes    |
 | webhook_lambda_timeout                | Time out of the webhook lambda in seconds.                                                                                                                                                                                                                           | `number`                                                                                                                                         | `10`                    |    no    |
 | webhook_lambda_zip                    | File location of the webhook lambda zip file.                                                                                                                                                                                                                        | `string`                                                                                                                                         | `null`                  |    no    |
+| enable_ssm_on_runners                 | Enable to allow access the runner instances for debugging purposes via SSM. Note that this adds additional permissions to the runner instances.                                                                                                                      | `bool`                                                                                                                                           | `false`                 |    no    |
 
 ## Outputs
 

examples/default/lambdas-download/main.tf

@@ -3,15 +3,15 @@ module "lambdas" {
   lambdas = [
     {
       name = "webhook"
-      tag  = "v0.3.0"
+      tag  = "v0.5.0"
     },
     {
       name = "runners"
-      tag  = "v0.3.0"
+      tag  = "v0.5.0"
     },
     {
       name = "runner-binaries-syncer"
-      tag  = "v0.3.0"
+      tag  = "v0.5.0"
     }
   ]
 }

examples/default/main.tf

@@ -33,6 +33,9 @@ module "runners" {
   enable_organization_runners = false
   runner_extra_labels         = "default,example"
 
+  # enable access to the runners via SSM
+  enable_ssm_on_runners = true
+
   # Uncommet idle config to have idle runners from 9 to 5 in time zone Amsterdam
   # idle_config = [{
   #   cron      = "* * 9-17 * * *"

examples/permissions-boundary/lambdas-download/main.tf

@@ -3,15 +3,15 @@ module "lambdas" {
   lambdas = [
     {
       name = "webhook"
-      tag  = "v0.3.0"
+      tag  = "v0.5.0"
     },
     {
       name = "runners"
-      tag  = "v0.3.0"
+      tag  = "v0.5.0"
     },
     {
       name = "runner-binaries-syncer"
-      tag  = "v0.3.0"
+      tag  = "v0.5.0"
     }
   ]
 }

main.tf

@@ -38,8 +38,9 @@ module "webhook" {
   sqs_build_queue           = aws_sqs_queue.queued_builds
   github_app_webhook_secret = var.github_app.webhook_secret
 
-  lambda_zip     = var.webhook_lambda_zip
-  lambda_timeout = var.webhook_lambda_timeout
+  lambda_zip                = var.webhook_lambda_zip
+  lambda_timeout            = var.webhook_lambda_timeout
+  logging_retention_in_days = var.logging_retention_in_days
 
   role_path                 = var.role_path
   role_permissions_boundary = var.role_permissions_boundary
@@ -75,10 +76,12 @@ module "runners" {
   runner_as_root                  = var.runner_as_root
   runners_maximum_count           = var.runners_maximum_count
   idle_config                     = var.idle_config
+  enable_ssm_on_runners           = var.enable_ssm_on_runners
 
   lambda_zip                = var.runners_lambda_zip
   lambda_timeout_scale_up   = var.runners_scale_up_lambda_timeout
   lambda_timeout_scale_down = var.runners_scale_down_lambda_timeout
+  logging_retention_in_days = var.logging_retention_in_days
 
   instance_profile_path     = var.instance_profile_path
   role_path                 = var.role_path
@@ -97,10 +100,12 @@ module "runner_binaries" {
 
   distribution_bucket_name = "${var.environment}-dist-${random_string.random.result}"
 
-  runner_architecture = substr(var.instance_type, 0, 2) == "a1" || substr(var.instance_type, 1, 2) == "6g" ? "arm64" : "x64"
+  runner_architecture              = substr(var.instance_type, 0, 2) == "a1" || substr(var.instance_type, 1, 2) == "6g" ? "arm64" : "x64"
+  runner_allow_prerelease_binaries = var.runner_allow_prerelease_binaries
 
-  lambda_zip     = var.runner_binaries_syncer_lambda_zip
-  lambda_timeout = var.runner_binaries_syncer_lambda_timeout
+  lambda_zip                = var.runner_binaries_syncer_lambda_zip
+  lambda_timeout            = var.runner_binaries_syncer_lambda_timeout
+  logging_retention_in_days = var.logging_retention_in_days
 
   role_path                 = var.role_path
   role_permissions_boundary = var.role_permissions_boundary

modules/download-lambda/README.md

@@ -10,33 +10,42 @@ module "lambdas" {
   lambdas = [
     {
       name = "webhook"
-      tag  = "v0.3.0"
+      tag  = "v0.5.0"
     },
     {
       name = "runners"
-      tag  = "v0.3.0"
+      tag  = "v0.5.0"
     },
     {
       name = "runner-binaries-syncer"
-      tag  = "v0.3.0"
+      tag  = "v0.5.0"
     }
   ]
 }
 ```
 
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+| ---- | ------- |
+| null | n/a     |
 
 ## Inputs
 
-| Name    | Description                           |  Type  | Default | Required |
-| ------- | ------------------------------------- | :----: | :-----: | :------: |
-| lambdas | Name and tag for lambdas to download. | object |   n/a   |   yes    |
+| Name    | Description                           | Type                                                                        | Default | Required |
+| ------- | ------------------------------------- | --------------------------------------------------------------------------- | ------- | :------: |
+| lambdas | Name and tag for lambdas to download. | <pre>list(object({<br>    name = string<br>    tag  = string<br>  }))</pre> | n/a     |   yes    |
 
 ## Outputs
 
 | Name  | Description |
 | ----- | ----------- |
-| files |             |
+| files | n/a         |
 
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 

modules/runner-binaries-syncer/README.md

@@ -54,8 +54,10 @@ No requirements.
 | lambda\_schedule\_expression | Scheduler expression for action runner binary syncer. | `string` | `"cron(27 * * * ? *)"` | no |
 | lambda\_timeout | Time out of the lambda in seconds. | `number` | `300` | no |
 | lambda\_zip | File location of the lambda zip file. | `string` | `null` | no |
+| logging\_retention\_in\_days | Specifies the number of days you want to retain log events for the lambda log group. Possible values are: 0, 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, and 3653. | `number` | `7` | no |
 | role\_path | The path that will be added to the role, if not set the environment name will be used. | `string` | `null` | no |
 | role\_permissions\_boundary | Permissions boundary that will be added to the created role for the lambda. | `string` | `null` | no |
+| runner\_allow\_prerelease\_binaries | Allow the runners to update to prerelease binaries. | `bool` | `false` | no |
 | runner\_architecture | The platform architecture for the runner instance (x64, arm64), defaults to 'x64' | `string` | `"x64"` | no |
 | tags | Map of tags that will be added to created resources. By default resources will be tagged with name and environment. | `map(string)` | `{}` | no |
 

modules/runner-binaries-syncer/lambdas/runner-binaries-syncer/package.json

@@ -15,16 +15,19 @@
   "devDependencies": {
     "@octokit/rest": "^18.0.3",
     "@types/jest": "^26.0.9",
-    "@types/node": "^14.0.27",
+    "@types/node": "^14.6.0",
     "@types/request": "^2.48.4",
-    "@typescript-eslint/eslint-plugin": "^2.30.0",
-    "@typescript-eslint/parser": "^2.30.0",
+    "@typescript-eslint/eslint-plugin": "^3.10.0",
+    "@typescript-eslint/parser": "^3.9.0",
     "@zeit/ncc": "^0.22.1",
-    "aws-sdk": "^2.729.0",
+    "aws-sdk": "^2.739.0",
     "eslint": "^6.8.0",
-    "jest": "^26.1.0",
-    "ts-jest": "^26.1.2",
-    "ts-node-dev": "^1.0.0-pre.51",
+    "jest": "^26.4.2",
+    "ts-jest": "^26.2.0",
+    "ts-node-dev": "^1.0.0-pre.60",
     "typescript": "^3.9.6"
+  },
+  "dependencies": {
+    "yn": "^4.0.0"
   }
 }

modules/runner-binaries-syncer/lambdas/runner-binaries-syncer/src/lambda.ts

@@ -1,5 +1,6 @@
 import { handle } from './syncer/handler';
 
+// eslint-disable-next-line
 module.exports.handler = async (event: any, context: any, callback: any): Promise<any> => {
   await handle();
   return callback();