Merge branch 'release/3.8.0'

cattle-ops · Jul 22, 2019 · 2807ceb · 2807ceb
2 parents 35273d5 + ae96961
commit 2807ceb
Show file tree

Hide file tree

Showing 5 changed files with 28 additions and 15 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,6 +4,10 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/)
 and this project adheres to [Semantic Versioning](http://semver.org/).
 
+## 3.8.0 - 2019-07-22
+- Added
+ - Variable `docker_machine_ssh_cidr_blocks` to set CIDR for ingress on docker machine SSH rules. @kevinrambaud #101
+ - Variable `docker_machine_role_json` allowing role policy customization #kevinrambaud #100
 
 ## 3.7.0 - 2019-07-17
 - Changed
@@ -144,7 +148,8 @@ and this project adheres to [Semantic Versioning](http://semver.org/).
 - Update default AMI's to The latest Amazon Linux AMI 2017.09.1 - released on 2018-01-17.
 - Minor updates in the example
 
-[Unreleased]: https://github.com/npalm/terraform-aws-gitlab-runner/compare/3.7.0...HEAD
+[Unreleased]: https://github.com/npalm/terraform-aws-gitlab-runner/compare/3.8.0...HEAD
+[3.8.0]: https://github.com/npalm/terraform-aws-gitlab-runner/compare/3.7.0...3.8.0
 [3.7.0]: https://github.com/npalm/terraform-aws-gitlab-runner/compare/3.6.0...3.7.0
 [3.6.0]: https://github.com/npalm/terraform-aws-gitlab-runner/compare/3.5.0...3.6.0
 [3.5.0]: https://github.com/npalm/terraform-aws-gitlab-runner/compare/3.4.0...3.5.0

diff --git a/README.md b/README.md
@@ -212,18 +212,19 @@ terraform destroy
 | create\_runners\_iam\_instance\_profile | Boolean to control the creation of the runners IAM instance profile | string | `"true"` | no |
 | docker\_machine\_instance\_type | Instance type used for the instances hosting docker-machine. | string | `"m5a.large"` | no |
 | docker\_machine\_options | List of additional options for the docker machine config. Each element of this list must be a key=value pair. E.g. '["amazonec2-zone=a"]' | list | `<list>` | no |
+| docker\_machine\_role\_json | Docker machine runner instance override policy, expected to be in JSON format. | string | `""` | no |
 | docker\_machine\_spot\_price\_bid | Spot price bid. | string | `"0.06"` | no |
+| docker\_machine\_ssh\_cidr\_blocks | List of CIDR blocks to allow SSH Access to the docker machine runner instance. | list | `<list>` | no |
 | docker\_machine\_user | Username of the user used to create the spot instances that host docker-machine. | string | `"docker-machine"` | no |
 | docker\_machine\_version | Version of docker-machine. | string | `"0.16.1"` | no |
 | enable\_cloudwatch\_logging | Boolean used to enable or disable the CloudWatch logging. | string | `"true"` | no |
 | enable\_gitlab\_runner\_ssh\_access | Enables SSH Access to the gitlab runner instance. | string | `"false"` | no |
 | enable\_manage\_gitlab\_token | Boolean to enable the management of the GitLab token in SSM. If `true` the token will be stored in SSM, which means the SSM property is a terraform managed resource. If `false` the Gitlab token will be stored in the SSM by the user-data script during creation of the the instance. However the SSM parameter is not managed by terraform and will remain in SSM after a `terraform destroy`. | string | `"true"` | no |
 | environment | A name that identifies the environment, used as prefix and for tagging. | string | n/a | yes |
 | gitlab\_runner\_registration\_config | Configuration used to register the runner. See the README for an example, or reference the examples in the examples directory of this repo. | map | `<map>` | no |
-| gitlab\_runner\_ssh\_cidr\_blocks | List of CIDR blocks to allow SSH Access from to the gitlab runner instance. | list | `<list>` | no |
+| gitlab\_runner\_ssh\_cidr\_blocks | List of CIDR blocks to allow SSH Access to the gitlab runner instance. | list | `<list>` | no |
 | gitlab\_runner\_version | Version of the GitLab runner. | string | `"11.11.2"` | no |
-| instance\_role\_json | Docker machine runner instance override policy, expected to be in JSON format. | string | `""` | no |
-| instance\_role\_runner\_json | Instance role json for the docker machine runners to override the default. | string | `""` | no |
+| instance\_role\_json | Default runner instance override policy, expected to be in JSON format. | string | `""` | no |
 | instance\_type | Instance type used for the GitLab runner. | string | `"t3.micro"` | no |
 | name\_runners\_docker\_machine | | string | `""` | no |
 | overrides | This maps provides the possibility to override some defaults. The following attributes are supported: `name_sg` overwrite the `Name` tag for all security groups created by this module. `name_runner_agent_instance` override the `Name` tag for the ec2 instance defined in the auto launch configuration. `name_docker_machine_runners` ovverrid the `Name` tag spot instances created by the runner agent. | map | `<map>` | no |

diff --git a/_docs/TF_MODULE.md b/_docs/TF_MODULE.md
@@ -15,18 +15,19 @@
 | create\_runners\_iam\_instance\_profile | Boolean to control the creation of the runners IAM instance profile | string | `"true"` | no |
 | docker\_machine\_instance\_type | Instance type used for the instances hosting docker-machine. | string | `"m5a.large"` | no |
 | docker\_machine\_options | List of additional options for the docker machine config. Each element of this list must be a key=value pair. E.g. '["amazonec2-zone=a"]' | list | `<list>` | no |
+| docker\_machine\_role\_json | Docker machine runner instance override policy, expected to be in JSON format. | string | `""` | no |
 | docker\_machine\_spot\_price\_bid | Spot price bid. | string | `"0.06"` | no |
+| docker\_machine\_ssh\_cidr\_blocks | List of CIDR blocks to allow SSH Access to the docker machine runner instance. | list | `<list>` | no |
 | docker\_machine\_user | Username of the user used to create the spot instances that host docker-machine. | string | `"docker-machine"` | no |
 | docker\_machine\_version | Version of docker-machine. | string | `"0.16.1"` | no |
 | enable\_cloudwatch\_logging | Boolean used to enable or disable the CloudWatch logging. | string | `"true"` | no |
 | enable\_gitlab\_runner\_ssh\_access | Enables SSH Access to the gitlab runner instance. | string | `"false"` | no |
 | enable\_manage\_gitlab\_token | Boolean to enable the management of the GitLab token in SSM. If `true` the token will be stored in SSM, which means the SSM property is a terraform managed resource. If `false` the Gitlab token will be stored in the SSM by the user-data script during creation of the the instance. However the SSM parameter is not managed by terraform and will remain in SSM after a `terraform destroy`. | string | `"true"` | no |
 | environment | A name that identifies the environment, used as prefix and for tagging. | string | n/a | yes |
 | gitlab\_runner\_registration\_config | Configuration used to register the runner. See the README for an example, or reference the examples in the examples directory of this repo. | map | `<map>` | no |
-| gitlab\_runner\_ssh\_cidr\_blocks | List of CIDR blocks to allow SSH Access from to the gitlab runner instance. | list | `<list>` | no |
+| gitlab\_runner\_ssh\_cidr\_blocks | List of CIDR blocks to allow SSH Access to the gitlab runner instance. | list | `<list>` | no |
 | gitlab\_runner\_version | Version of the GitLab runner. | string | `"11.11.2"` | no |
-| instance\_role\_json | Docker machine runner instance override policy, expected to be in JSON format. | string | `""` | no |
-| instance\_role\_runner\_json | Instance role json for the docker machine runners to override the default. | string | `""` | no |
+| instance\_role\_json | Default runner instance override policy, expected to be in JSON format. | string | `""` | no |
 | instance\_type | Instance type used for the GitLab runner. | string | `"t3.micro"` | no |
 | name\_runners\_docker\_machine | | string | `""` | no |
 | overrides | This maps provides the possibility to override some defaults. The following attributes are supported: `name_sg` overwrite the `Name` tag for all security groups created by this module. `name_runner_agent_instance` override the `Name` tag for the ec2 instance defined in the auto launch configuration. `name_docker_machine_runners` ovverrid the `Name` tag spot instances created by the runner agent. | map | `<map>` | no |

diff --git a/main.tf b/main.tf
@@ -51,7 +51,7 @@ resource "aws_security_group" "docker_machine" {
  tags = "${merge(local.tags, map("Name", format("%s", local.name_sg)))}"
 }
 
-resource "aws_security_group_rule" "docker" {
+resource "aws_security_group_rule" "docker_machine_docker" {
  type = "ingress"
  from_port = 2376
  to_port = 2376
@@ -61,12 +61,12 @@ resource "aws_security_group_rule" "docker" {
  security_group_id = "${aws_security_group.docker_machine.id}"
 }
 
-resource "aws_security_group_rule" "ssh" {
+resource "aws_security_group_rule" "docker_machine_ssh" {
  type = "ingress"
  from_port = 22
  to_port = 22
  protocol = "tcp"
- cidr_blocks = ["0.0.0.0/0"]
+ cidr_blocks = ["${var.docker_machine_ssh_cidr_blocks}"]
 
  security_group_id = "${aws_security_group.docker_machine.id}"
 }
@@ -303,7 +303,7 @@ resource "aws_iam_role_policy_attachment" "docker_machine_cache_instance" {
 ### docker machine instance policy
 ################################################################################
 data "template_file" "dockermachine_role_trust_policy" {
- template = "${file("${path.module}/policies/instance-role-trust-policy.json")}"
+ template = "${length(var.docker_machine_role_json) > 0 ? var.docker_machine_role_json : file("${path.module}/policies/instance-role-trust-policy.json")}"
 }
 
 resource "aws_iam_role" "docker_machine" {

diff --git a/variables.tf b/variables.tf
@@ -260,7 +260,13 @@ variable "enable_gitlab_runner_ssh_access" {
 }
 
 variable "gitlab_runner_ssh_cidr_blocks" {
- description = "List of CIDR blocks to allow SSH Access from to the gitlab runner instance."
+ description = "List of CIDR blocks to allow SSH Access to the gitlab runner instance."
+ type = "list"
+ default = ["0.0.0.0/0"]
+}
+
+variable "docker_machine_ssh_cidr_blocks" {
+ description = "List of CIDR blocks to allow SSH Access to the docker machine runner instance."
  type = "list"
  default = ["0.0.0.0/0"]
 }
@@ -288,13 +294,13 @@ variable "docker_machine_options" {
 }
 
 variable "instance_role_json" {
- description = "Docker machine runner instance override policy, expected to be in JSON format."
+ description = "Default runner instance override policy, expected to be in JSON format."
  type = "string"
  default = ""
 }
 
-variable "instance_role_runner_json" {
- description = "Instance role json for the docker machine runners to override the default."
+variable "docker_machine_role_json" {
+ description = "Docker machine runner instance override policy, expected to be in JSON format."
  type = "string"
  default = ""
 }