From 593aed7477201e7f001b53178796866a0b1ad8ff Mon Sep 17 00:00:00 2001
From: Kevin Rambaud
Date: Sun, 21 Jul 2019 05:34:01 -0400
Subject: [PATCH 1/4] Add variable docker_machine_role_json allowing role policy customization (#100)
* Add variable docker_machine_role_json allowing role policy customization
* Update docs
---
 README.md | 4 ++--
 _docs/TF_MODULE.md | 4 ++--
 main.tf | 2 +-
 variables.tf | 6 +++---
 4 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/README.md b/README.md
index 28c801a15..c7f1ecf49 100644
--- a/README.md
+++ b/README.md
@@ -212,6 +212,7 @@ terraform destroy
 | create\_runners\_iam\_instance\_profile | Boolean to control the creation of the runners IAM instance profile | string | `"true"` | no |
 | docker\_machine\_instance\_type | Instance type used for the instances hosting docker-machine. | string | `"m5a.large"` | no |
 | docker\_machine\_options | List of additional options for the docker machine config. Each element of this list must be a key=value pair. E.g. '["amazonec2-zone=a"]' | list | `` | no |
+| docker\_machine\_role\_json | Docker machine runner instance override policy, expected to be in JSON format. | string | `""` | no |
 | docker\_machine\_spot\_price\_bid | Spot price bid. | string | `"0.06"` | no |
 | docker\_machine\_user | Username of the user used to create the spot instances that host docker-machine. | string | `"docker-machine"` | no |
 | docker\_machine\_version | Version of docker-machine. | string | `"0.16.1"` | no |
@@ -222,8 +223,7 @@ terraform destroy
 | gitlab\_runner\_registration\_config | Configuration used to register the runner. See the README for an example, or reference the examples in the examples directory of this repo. | map | `` | no |
 | gitlab\_runner\_ssh\_cidr\_blocks | List of CIDR blocks to allow SSH Access from to the gitlab runner instance. | list | `` | no |
 | gitlab\_runner\_version | Version of the GitLab runner. | string | `"11.11.2"` | no |
-| instance\_role\_json | Docker machine runner instance override policy, expected to be in JSON format. | string | `""` | no |
-| instance\_role\_runner\_json | Instance role json for the docker machine runners to override the default. | string | `""` | no |
+| instance\_role\_json | Default runner instance override policy, expected to be in JSON format. | string | `""` | no |
 | instance\_type | Instance type used for the GitLab runner. | string | `"t3.micro"` | no |
 | name\_runners\_docker\_machine | | string | `""` | no |
 | overrides | This maps provides the possibility to override some defaults. The following attributes are supported: `name_sg` overwrite the `Name` tag for all security groups created by this module. `name_runner_agent_instance` override the `Name` tag for the ec2 instance defined in the auto launch configuration. `name_docker_machine_runners` ovverrid the `Name` tag spot instances created by the runner agent. | map | `` | no |
diff --git a/_docs/TF_MODULE.md b/_docs/TF_MODULE.md
index 49099da8e..c511e7ef1 100644
--- a/_docs/TF_MODULE.md
+++ b/_docs/TF_MODULE.md
@@ -15,6 +15,7 @@
 | create\_runners\_iam\_instance\_profile | Boolean to control the creation of the runners IAM instance profile | string | `"true"` | no |
 | docker\_machine\_instance\_type | Instance type used for the instances hosting docker-machine. | string | `"m5a.large"` | no |
 | docker\_machine\_options | List of additional options for the docker machine config. Each element of this list must be a key=value pair. E.g. '["amazonec2-zone=a"]' | list | `` | no |
+| docker\_machine\_role\_json | Docker machine runner instance override policy, expected to be in JSON format. | string | `""` | no |
 | docker\_machine\_spot\_price\_bid | Spot price bid. | string | `"0.06"` | no |
 | docker\_machine\_user | Username of the user used to create the spot instances that host docker-machine. | string | `"docker-machine"` | no |
 | docker\_machine\_version | Version of docker-machine. | string | `"0.16.1"` | no |
@@ -25,8 +26,7 @@
 | gitlab\_runner\_registration\_config | Configuration used to register the runner. See the README for an example, or reference the examples in the examples directory of this repo. | map | `` | no |
 | gitlab\_runner\_ssh\_cidr\_blocks | List of CIDR blocks to allow SSH Access from to the gitlab runner instance. | list | `` | no |
 | gitlab\_runner\_version | Version of the GitLab runner. | string | `"11.11.2"` | no |
-| instance\_role\_json | Docker machine runner instance override policy, expected to be in JSON format. | string | `""` | no |
-| instance\_role\_runner\_json | Instance role json for the docker machine runners to override the default. | string | `""` | no |
+| instance\_role\_json | Default runner instance override policy, expected to be in JSON format. | string | `""` | no |
 | instance\_type | Instance type used for the GitLab runner. | string | `"t3.micro"` | no |
 | name\_runners\_docker\_machine | | string | `""` | no |
 | overrides | This maps provides the possibility to override some defaults. The following attributes are supported: `name_sg` overwrite the `Name` tag for all security groups created by this module. `name_runner_agent_instance` override the `Name` tag for the ec2 instance defined in the auto launch configuration. `name_docker_machine_runners` ovverrid the `Name` tag spot instances created by the runner agent. | map | `` | no |
diff --git a/main.tf b/main.tf
index eef112f44..c1ff4b369 100644
--- a/main.tf
+++ b/main.tf
@@ -303,7 +303,7 @@ resource "aws_iam_role_policy_attachment" "docker_machine_cache_instance" {
 ### docker machine instance policy
 ################################################################################
 data "template_file" "dockermachine_role_trust_policy" {
- template = "${file("${path.module}/policies/instance-role-trust-policy.json")}"
+ template = "${length(var.docker_machine_role_json) > 0 ? var.docker_machine_role_json : file("${path.module}/policies/instance-role-trust-policy.json")}"
 }
 resource "aws_iam_role" "docker_machine" {
diff --git a/variables.tf b/variables.tf
index 939c1d421..2d0c87319 100644
--- a/variables.tf
+++ b/variables.tf
@@ -288,13 +288,13 @@ variable "docker_machine_options" {
 }
 variable "instance_role_json" {
- description = "Docker machine runner instance override policy, expected to be in JSON format."
+ description = "Default runner instance override policy, expected to be in JSON format."
 type = "string"
 default = ""
 }
-variable "instance_role_runner_json" {
- description = "Instance role json for the docker machine runners to override the default."
+variable "docker_machine_role_json" {
+ description = "Docker machine runner instance override policy, expected to be in JSON format."
 type = "string"
 default = ""
 }
From 55a047f5eb671c2583abe8909b70cd16526243cd Mon Sep 17 00:00:00 2001
From: Kevin Rambaud
Date: Sun, 21 Jul 2019 05:46:27 -0400
Subject: [PATCH 2/4] Add variable docker_machine_ssh_cidr_blocks allowing ssh ingress restriction (#101)
---
 README.md | 3 ++-
 _docs/TF_MODULE.md | 3 ++-
 main.tf | 2 +-
 variables.tf | 8 +++++++-
 4 files changed, 12 insertions(+), 4 deletions(-)
diff --git a/README.md b/README.md
index c7f1ecf49..8f3292bb4 100644
--- a/README.md
+++ b/README.md
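Review bot: The override on the `template` line replaces `instance-role-trust-policy.json`, the assume-role (trust) document of the docker machine role, yet `docker_machine_role_json` is documented as the runner instance "override policy", which reads as the permissions policy. A caller who passes a permissions document here gets it installed as the trust policy, and a caller who does want a custom trust policy is given no hint that this is where the set of principals allowed to assume the role is widened or narrowed, so the description should name the document: `description = "Override for the assume-role (trust) policy of the docker machine instance role, expected to be in JSON format."`. Because the value is fed through a `template_file` data source, any `${...}` in the supplied JSON is interpreted by the template engine rather than passed to IAM and needs `$${...}` escaping, which is worth a sentence in the same description. The `aws_iam_role "docker_machine"` resource that consumes this template begins on the last line of the hunk and continues outside it.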
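Review bot: Dropping `instance_role_runner_json` in favour of `docker_machine_role_json` removes a public module input without a deprecation step, so a root module that still passes the old name fails at plan time with an unknown-variable error, while the release notes in this series record the new name only under Added. Whether the old variable was ever wired into a resource is not visible here; if it was unused, a one-line Removed/Renamed entry in CHANGELOG.md is enough, otherwise keep the old declaration for one release with `description = "DEPRECATED: use docker_machine_role_json instead."` and have main.tf prefer the new one when it is set. The closing `}` at the top of the hunk belongs to `docker_machine_options`, whose declaration starts above the hunk.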
@@ -214,6 +214,7 @@ terraform destroy
 | docker\_machine\_options | List of additional options for the docker machine config. Each element of this list must be a key=value pair. E.g. '["amazonec2-zone=a"]' | list | `` | no |
 | docker\_machine\_role\_json | Docker machine runner instance override policy, expected to be in JSON format. | string | `""` | no |
 | docker\_machine\_spot\_price\_bid | Spot price bid. | string | `"0.06"` | no |
+| docker\_machine\_ssh\_cidr\_blocks | List of CIDR blocks to allow SSH Access to the docker machine runner instance. | list | `` | no |
 | docker\_machine\_user | Username of the user used to create the spot instances that host docker-machine. | string | `"docker-machine"` | no |
 | docker\_machine\_version | Version of docker-machine. | string | `"0.16.1"` | no |
 | enable\_cloudwatch\_logging | Boolean used to enable or disable the CloudWatch logging. | string | `"true"` | no |
@@ -221,7 +222,7 @@ terraform destroy
 | enable\_manage\_gitlab\_token | Boolean to enable the management of the GitLab token in SSM. If `true` the token will be stored in SSM, which means the SSM property is a terraform managed resource. If `false` the Gitlab token will be stored in the SSM by the user-data script during creation of the the instance. However the SSM parameter is not managed by terraform and will remain in SSM after a `terraform destroy`. | string | `"true"` | no |
 | environment | A name that identifies the environment, used as prefix and for tagging. | string | n/a | yes |
 | gitlab\_runner\_registration\_config | Configuration used to register the runner. See the README for an example, or reference the examples in the examples directory of this repo. | map | `` | no |
-| gitlab\_runner\_ssh\_cidr\_blocks | List of CIDR blocks to allow SSH Access from to the gitlab runner instance. | list | `` | no |
+| gitlab\_runner\_ssh\_cidr\_blocks | List of CIDR blocks to allow SSH Access to the gitlab runner instance. | list | `` | no |
 | gitlab\_runner\_version | Version of the GitLab runner. | string | `"11.11.2"` | no |
 | instance\_role\_json | Default runner instance override policy, expected to be in JSON format. | string | `""` | no |
 | instance\_type | Instance type used for the GitLab runner. | string | `"t3.micro"` | no |
diff --git a/_docs/TF_MODULE.md b/_docs/TF_MODULE.md
index c511e7ef1..1afc96291 100644
--- a/_docs/TF_MODULE.md
+++ b/_docs/TF_MODULE.md
@@ -17,6 +17,7 @@
 | docker\_machine\_options | List of additional options for the docker machine config. Each element of this list must be a key=value pair. E.g. '["amazonec2-zone=a"]' | list | `` | no |
 | docker\_machine\_role\_json | Docker machine runner instance override policy, expected to be in JSON format. | string | `""` | no |
 | docker\_machine\_spot\_price\_bid | Spot price bid. | string | `"0.06"` | no |
+| docker\_machine\_ssh\_cidr\_blocks | List of CIDR blocks to allow SSH Access to the docker machine runner instance. | list | `` | no |
 | docker\_machine\_user | Username of the user used to create the spot instances that host docker-machine. | string | `"docker-machine"` | no |
 | docker\_machine\_version | Version of docker-machine. | string | `"0.16.1"` | no |
 | enable\_cloudwatch\_logging | Boolean used to enable or disable the CloudWatch logging. | string | `"true"` | no |
@@ -24,7 +25,7 @@
 | enable\_manage\_gitlab\_token | Boolean to enable the management of the GitLab token in SSM. If `true` the token will be stored in SSM, which means the SSM property is a terraform managed resource. If `false` the Gitlab token will be stored in the SSM by the user-data script during creation of the the instance. However the SSM parameter is not managed by terraform and will remain in SSM after a `terraform destroy`. | string | `"true"` | no |
 | environment | A name that identifies the environment, used as prefix and for tagging. | string | n/a | yes |
 | gitlab\_runner\_registration\_config | Configuration used to register the runner. See the README for an example, or reference the examples in the examples directory of this repo. | map | `` | no |
-| gitlab\_runner\_ssh\_cidr\_blocks | List of CIDR blocks to allow SSH Access from to the gitlab runner instance. | list | `` | no |
+| gitlab\_runner\_ssh\_cidr\_blocks | List of CIDR blocks to allow SSH Access to the gitlab runner instance. | list | `` | no |
 | gitlab\_runner\_version | Version of the GitLab runner. | string | `"11.11.2"` | no |
 | instance\_role\_json | Default runner instance override policy, expected to be in JSON format. | string | `""` | no |
 | instance\_type | Instance type used for the GitLab runner. | string | `"t3.micro"` | no |
diff --git a/main.tf b/main.tf
index c1ff4b369..202188626 100644
--- a/main.tf
+++ b/main.tf
@@ -66,7 +66,7 @@ resource "aws_security_group_rule" "ssh" {
 from_port = 22
 to_port = 22
 protocol = "tcp"
- cidr_blocks = ["0.0.0.0/0"]
+ cidr_blocks = ["${var.docker_machine_ssh_cidr_blocks}"]
 security_group_id = "${aws_security_group.docker_machine.id}"
 }
diff --git a/variables.tf b/variables.tf
index 2d0c87319..7c618deb2 100644
--- a/variables.tf
+++ b/variables.tf
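Review bot: The only scoping the rewritten `cidr_blocks` line offers is a CIDR list, and the variable it reads is declared with the default `["0.0.0.0/0"]` in variables.tf, so for every existing caller port 22 on the docker machine spot instances stays reachable from the whole internet and the change is purely opt-in. As far as I can tell the runner agent is the only client that needs SSH to these hosts (docker-machine provisions them over SSH), so a tighter alternative to a CIDR is `source_security_group_id` pointing at the agent's security group; that group is not visible in this hunk, so confirm against the rest of main.tf before adopting it. There is also no `enable_*` switch on this rule comparable to `enable_gitlab_runner_ssh_access`, which would let operators that manage the hosts some other way drop the rule entirely. The `resource "aws_security_group_rule" "ssh"` header is outside the hunk, so a `count` on it would not be visible here.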
@@ -260,7 +260,13 @@ variable "enable_gitlab_runner_ssh_access" {
 }
 variable "gitlab_runner_ssh_cidr_blocks" {
- description = "List of CIDR blocks to allow SSH Access from to the gitlab runner instance."
+ description = "List of CIDR blocks to allow SSH Access to the gitlab runner instance."
+ type = "list"
+ default = ["0.0.0.0/0"]
+ }
+
+ variable "docker_machine_ssh_cidr_blocks" {
+ description = "List of CIDR blocks to allow SSH Access to the docker machine runner instance."
 type = "list"
 default = ["0.0.0.0/0"]
 }
From b9ecb571a1cdf6ccc6fae807edbf3468af8a301c Mon Sep 17 00:00:00 2001
From: Niek Palm
Date: Sun, 21 Jul 2019 11:59:40 +0200
Subject: [PATCH 3/4] Update names for docker machine security-rules (#102)
---
 main.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/main.tf b/main.tf
index 202188626..5551d5dbf 100644
--- a/main.tf
+++ b/main.tf
@@ -51,7 +51,7 @@ resource "aws_security_group" "docker_machine" {
 tags = "${merge(local.tags, map("Name", format("%s", local.name_sg)))}"
 }
-resource "aws_security_group_rule" "docker" {
+resource "aws_security_group_rule" "docker_machine_docker" {
 type = "ingress"
 from_port = 2376
 to_port = 2376
@@ -61,7 +61,7 @@ resource "aws_security_group_rule" "docker" {
 security_group_id = "${aws_security_group.docker_machine.id}"
 }
-resource "aws_security_group_rule" "ssh" {
+resource "aws_security_group_rule" "docker_machine_ssh" {
 type = "ingress"
 from_port = 22
 to_port = 22
From ae969612b31a87c0c7d07ead5be0388db165d335 Mon Sep 17 00:00:00 2001
From: Niek Palm
Date: Mon, 22 Jul 2019 22:40:29 +0200
Subject: [PATCH 4/4] Release 3.8.0
---
 CHANGELOG.md | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 70a039f59..390b6b778 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
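Review bot: The new `docker_machine_ssh_cidr_blocks` defaults to `["0.0.0.0/0"]`, so the SSH ingress it feeds stays open to the internet unless the caller overrides it, and neither its description nor the README row says so. Changing the default would break existing deployments, so at minimum the description should state the exposure and the recommended value, e.g. `description = "List of CIDR blocks allowed to SSH to the docker machine (spot) instances. Defaults to 0.0.0.0/0, i.e. open to the internet; restrict to the VPC CIDR or the runner agent's subnet where possible."`, with the same wording applied to `gitlab_runner_ssh_cidr_blocks` just above it, which carries the same default. A narrower default is a candidate for the next major release and could be noted in the changelog now. The `enable_gitlab_runner_ssh_access` declaration whose closing brace opens the hunk starts outside it.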
@@ -4,6 +4,10 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/)
 and this project adheres to [Semantic Versioning](http://semver.org/).
+## 3.8.0 - 2019-07-22
+- Added
+ - Variable `docker_machine_ssh_cidr_blocks` to set CIDR for ingress on docker machine SSH rules. @kevinrambaud #101
+ - Variable `docker_machine_role_json` allowing role policy customization #kevinrambaud #100
 ## 3.7.0 - 2019-07-17
 - Changed
@@ -144,7 +148,8 @@ and this project adheres to [Semantic Versioning](http://semver.org/).
 - Update default AMI's to The latest Amazon Linux AMI 2017.09.1 - released on 2018-01-17.
 - Minor updates in the example
-[Unreleased]: https://github.com/npalm/terraform-aws-gitlab-runner/compare/3.7.0...HEAD
+[Unreleased]: https://github.com/npalm/terraform-aws-gitlab-runner/compare/3.8.0...HEAD
+[3.8.0]: https://github.com/npalm/terraform-aws-gitlab-runner/compare/3.7.0...3.8.0
 [3.7.0]: https://github.com/npalm/terraform-aws-gitlab-runner/compare/3.6.0...3.7.0
 [3.6.0]: https://github.com/npalm/terraform-aws-gitlab-runner/compare/3.5.0...3.6.0
 [3.5.0]: https://github.com/npalm/terraform-aws-gitlab-runner/compare/3.4.0...3.5.0