The module will create an autoscaling group and register its instances as GitHub Actions self-hosted runners.
To make it work, the module needs a secret storing a GitHub classic token with org:admin permissions. Alternatively, the module can use temporary GitHub tokens generated bya GitHub App.
Either github_token_secret_arn or github_app_pem_secret_arn is required.
Note: the module registers organization level runners only even though GitHub itself allows to have repo-specific runners.
module "actions-runner" {
source = "registry.infrahouse.com/infrahouse/actions-runner/aws"
version = "~> 2.0"
asg_min_size = 1
asg_max_size = 1
subnet_ids = var.subnet_private_ids
environment = local.environment
github_org_name = "infrahouse"
==== either
github_token_secret_arn = "arn:aws:secretsmanager:us-west-1:123456789:secret:GITHUB_TOKEN-xyz"
---- or
github_app_pem_secret_arn = "arn:aws:secretsmanager:us-west-1:123456789:secret:action-runner-pem-xyz"
github_app_id = 123456 # required if using GitHub App for authentication
====
keypair_name = aws_key_pair.jumphost.key_name
puppet_hiera_config_path = "/opt/infrahouse-puppet-data/environments/${local.environment}/hiera.yaml"
packages = [
"infrahouse-puppet-data"
]
extra_labels = ["awesome"]
}It's not a bad idea to check
test_data/actions-runner/main.tfand other files in the directory. They're a part of Terraform unit test and are supposed to work.
| Name | Version |
|---|---|
| terraform | ~> 1.5 |
| aws | >= 5.31 |
| cloudinit | >= 2.3 |
| null | >= 3.2 |
| random | >= 3.5 |
| tls | >= 4.0 |
| Name | Version |
|---|---|
| aws | >= 5.31 |
| random | >= 3.5 |
| tls | >= 4.0 |
| Name | Source | Version |
|---|---|---|
| instance-profile | registry.infrahouse.com/infrahouse/instance-profile/aws | 1.5.1 |
| registration | ./modules/runner_registration | n/a |
| userdata | registry.infrahouse.com/infrahouse/cloud-init/aws | 1.16.0 |
| Name | Type |
|---|---|
| aws_autoscaling_group.actions-runner | resource |
| aws_autoscaling_lifecycle_hook.terminating | resource |
| aws_iam_policy.required | resource |
| aws_key_pair.actions-runner | resource |
| aws_launch_template.actions-runner | resource |
| aws_security_group.actions-runner | resource |
| aws_vpc_security_group_egress_rule.default | resource |
| aws_vpc_security_group_ingress_rule.icmp | resource |
| aws_vpc_security_group_ingress_rule.ssh | resource |
| random_string.asg_name | resource |
| random_string.profile-suffix | resource |
| random_string.reg_token_suffix | resource |
| tls_private_key.actions-runner | resource |
| aws_ami.selected | data source |
| aws_ami.ubuntu | data source |
| aws_caller_identity.current | data source |
| aws_default_tags.provider | data source |
| aws_iam_policy_document.required_permissions | data source |
| aws_region.current | data source |
| aws_subnet.selected | data source |
| aws_vpc.selected | data source |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| allowed_drain_time | How many seconds to give a running job to finish after the instance fails health checks. Maximum allowed value is 900 seconds. | number |
900 |
no |
| ami_id | AMI id for EC2 instances. By default, latest Ubuntu var.ubuntu_codename. | string |
null |
no |
| asg_max_size | Maximum number of EC2 instances in the ASG. By default, the number of subnets plus one. | number |
null |
no |
| asg_min_size | Minimal number of EC2 instances in the ASG. By default, the number of subnets. | number |
null |
no |
| environment | Environment name. Passed on as a puppet fact. | string |
n/a | yes |
| extra_files | Additional files to create on an instance. | list( |
[] |
no |
| extra_labels | A list of strings to be added as actions runner labels. | list(string) |
[] |
no |
| extra_policies | A map of additional policy ARNs to attach to the instance role. | map(string) |
{} |
no |
| extra_repos | Additional APT repositories to configure on an instance. | map( |
{} |
no |
| github_app_id | GitHub App that gives out GitHub tokens for Terraform. Required if github_app_pem_secret_arn is not null. For instance, https://github.com/organizations/infrahouse/settings/apps/infrahouse-github-terraform | any |
null |
no |
| github_app_pem_secret_arn | ARN of a secret that stores GitHub App PEM key. Either github_token_secret_arn or github_app_pem_secret_arn is required. | string |
null |
no |
| github_org_name | GitHub organization name. | string |
n/a | yes |
| github_token_secret_arn | ARN of a secret that stores GitHub token. Either github_token_secret_arn or github_app_pem_secret_arn is required. | string |
null |
no |
| instance_type | EC2 Instance type | string |
"t3a.micro" |
no |
| keypair_name | SSH key pair name that will be added to the postfix instance.By default, create and use a new SSH keypair. | string |
null |
no |
| max_instance_lifetime_days | The maximum amount of time, in _days_, that an instance can be in service, values must be either equal to 0 or between 7 and 365 days. | number |
30 |
no |
| on_demand_base_capacity | If specified, the ASG will request spot instances and this will be the minimal number of on-demand instances. | number |
null |
no |
| packages | List of packages to install when the instances bootstraps. | list(string) |
[] |
no |
| puppet_debug_logging | Enable debug logging if true. | bool |
false |
no |
| puppet_environmentpath | A path for directory environments. | string |
"{root_directory}/environments" |
no |
| puppet_hiera_config_path | Path to hiera configuration file. | string |
"{root_directory}/environments/{environment}/hiera.yaml" |
no |
| puppet_manifest | Path to puppet manifest. By default ih-puppet will apply {root_directory}/environments/{environment}/manifests/site.pp. | string |
null |
no |
| puppet_module_path | Path to common puppet modules. | string |
"{root_directory}/environments/{environment}/modules:{root_directory}/modules" |
no |
| puppet_root_directory | Path where the puppet code is hosted. | string |
"/opt/puppet-code" |
no |
| python_version | Python version to run lambda on. Must one of https://docs.aws.amazon.com/lambda/latest/dg/lambda-runtimes.html | string |
"python3.12" |
no |
| role_name | IAM role name that will be created and used by EC2 instances | string |
"actions-runner" |
no |
| root_volume_size | Root volume size in EC2 instance in Gigabytes | number |
30 |
no |
| subnet_ids | List of subnet ids where the actions runner instances will be created. | list(string) |
n/a | yes |
| tags | A map of tags to add to resources. | map |
{} |
no |
| ubuntu_codename | Ubuntu version to use for the actions runner. | string |
"jammy" |
no |
| Name | Description |
|---|---|
| runner_role_arn | An actions runner EC2 instance role ARN. |