
Commit edad5bf

GitHub Actions Runner, Dev Deploy Fixes (#128)
- Specify self-hosted runner infrastructure, policies, security groups - Fix bugs with dev configuration Co-authored-by: Blaine Price <william.price@cms.hhs.gov>
1 parent 7d91dd9 commit edad5bf


8 files changed

+187
-7
lines changed

8 files changed

+187
-7
lines changed

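--- a/infrastructure/envs/dev/main.tf
+++ b/infrastructure/envs/dev/main.tf
@@ -98,10 +98,11 @@ module "ecs" {
 module "fhir-api" {
 source = "../../modules/fhir-api"
 
-account_name = local.account_name
-fhir_api_migration_image = var.migration_image
-fhir_api_image = var.fhir_api_image
-ecs_cluster_id = module.ecs.cluster_id
+account_name = local.account_name
+fhir_api_migration_image = var.migration_image
+fhir_api_image = var.fhir_api_image
+ecs_cluster_id = module.ecs.cluster_id
+redirect_to_strategy_page = false
 db = {
 db_instance_master_user_secret_arn = module.api-db.db_instance_master_user_secret_arn
 db_instance_address = module.api-db.db_instance_address
@@ -130,3 +131,12 @@ module "frontend" {
 account_name = local.account_name
 }
 
+# CI/CD
+module "github-actions" {
+source = "../../modules/github-actions-runner"
+
+account_name = local.account_name
+vpc_id = module.networking.vpc_id
+subnet_id = module.networking.etl_subnet_ids[0]
+}
+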
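Review bot: The new `github-actions` module call at lines 135–141 pins the runner to `module.networking.etl_subnet_ids[0]` with nothing recording why a CI runner shares the ETL subnet or what it needs to reach from there, and the bare `# CI/CD` comment does not help the next reader. I would expand it to `# CI/CD: self-hosted GitHub Actions runner. Placed in the first ETL subnet so it inherits that subnet's routing and NACLs — TODO confirm this is intended rather than a dedicated CI subnet.` The first hunk re-adds lines 101–104 textually unchanged, presumably an alignment-whitespace fix the rendered view cannot show; the only functional change there is `redirect_to_strategy_page = false`, whose meaning is defined in the fhir-api module outside these hunks.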
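--- a/infrastructure/envs/dev/outputs.tf
+++ b/infrastructure/envs/dev/outputs.tf
@@ -8,4 +8,12 @@ output "api_db_instance_endpoint" {
 
 output "etl_db_instance_endpoint" {
 value = module.etl-db.db_instance_endpoint
-}
+}
+
+output "api_ecr_repository_name" {
+value = module.fhir-api.api_ecr_repository_name
+}
+
+output "api_migrations_ecr_repository_name" {
+value = module.fhir-api.api_migrations_ecr_repository_name
+}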
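Review bot: The new outputs `api_ecr_repository_name` and `api_migrations_ecr_repository_name` at lines 13–19 carry no `description`, so `terraform output` and the module docs give no hint of what consumes them (presumably the CI image-push step, given the commit title). I would add `description = "ECR repository the CI pipeline pushes the FHIR API image to"` and the equivalent for the migrations repository. The same applies to the identical outputs added in `infrastructure/envs/prod/outputs.tf` and to the module-level outputs in the unnamed fhir-api outputs section later in this commit. Line 11 is removed and re-added as `}`, which looks like a trailing-whitespace or newline-at-EOF fix.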

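--- a/infrastructure/envs/prod/outputs.tf
+++ b/infrastructure/envs/prod/outputs.tf
@@ -9,3 +9,11 @@ output "api_db_instance_endpoint" {
 output "etl_db_instance_endpoint" {
 value = module.etl-db.db_instance_endpoint
 }
+
+output "api_ecr_repository_name" {
+value = module.fhir-api.api_ecr_repository_name
+}
+
+output "api_migrations_ecr_repository_name" {
+value = module.fhir-api.api_migrations_ecr_repository_name
+}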

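--- a/infrastructure/modules/fhir-api/main.tf
+++ b/infrastructure/modules/fhir-api/main.tf
@@ -291,7 +291,7 @@ resource "aws_lb_listener" "forward_to_task_group" {
 
 default_action {
 type = "forward"
-target_group_arn = aws_lb_target_group.fhir_api_tg[1].arn
+target_group_arn = aws_lb_target_group.fhir_api_tg[0].arn
 }
 }
 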
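Review bot: Line 294 switches the listener's default target from `fhir_api_tg[1]` to `fhir_api_tg[0]`, and the fact that the index had to be flipped in a bug-fix commit shows that nothing documents which target group each position represents; `aws_lb_target_group.fhir_api_tg` itself is defined outside this hunk. I would annotate the line, `target_group_arn = aws_lb_target_group.fhir_api_tg[0].arn # index 0 = <which target group — TODO name it>`, or better, build the target groups with a `for_each` map so the default action references a named key rather than a position. The enclosing `aws_lb_listener.forward_to_task_group` resource starts before the hunk.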
Lines changed: 9 additions & 1 deletion
@@ -1,3 +1,11 @@
11
output "api_alb_dns_name" {
22
value = aws_lb.fhir_api_alb.dns_name
3-
}
3+
}
4+
5+
output "api_ecr_repository_name" {
6+
value = aws_ecr_repository.fhir_api.name
7+
}
8+
9+
output "api_migrations_ecr_repository_name" {
10+
value = aws_ecr_repository.fhir_api_migrations.name
11+
}
Lines changed: 56 additions & 0 deletions
@@ -0,0 +1,56 @@
1+
# GitHub Action Runner
2+
3+
## Manual Work After Deploy
4+
5+
1. Get GitHub self-hosted runner script from GitHub
6+
2. Install on instance
7+
3. cp to /opt/actions-runner
8+
4. give ec2-user ownership of /opt/actions-runner
9+
10+
```bash
11+
sudo chown -R ec2-user:ec2-user /opt/github-runner
12+
```
13+
14+
5. Create a github action service using this template:
15+
16+
```bash
17+
sudo tee /etc/systemd/system/github-runner.service > /dev/null <<'EOF'
18+
[Unit]
19+
Description=GitHub Actions Runner
20+
After=network-online.target
21+
Wants=network-online.target
22+
23+
[Service]
24+
User=ec2-user
25+
WorkingDirectory=/opt/actions-runner
26+
ExecStart=/opt/actions-runner/run.sh
27+
Restart=always
28+
RestartSec=5s
29+
KillMode=process
30+
Environment=PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
31+
32+
[Install]
33+
WantedBy=multi-user.target
34+
EOF
35+
```
36+
37+
6. enable service `systemctl start github-runner.service`
38+
7. Configure Docker
39+
40+
```bash
41+
sudo yum update -y
42+
sudo yum install docker -y
43+
sudo service docker start
44+
sudo usermod -a -G docker ec2-user
45+
sudo systemctl start docker
46+
sudo systemctl enable docker
47+
```
48+
49+
8. Install Git
50+
51+
```bash
52+
sudo yum install git -y
53+
```
54+
55+
9. Restart the instance
56+
10. Confirm GH Runner is available on GH
Lines changed: 87 additions & 0 deletions
@@ -0,0 +1,87 @@
1+
data "aws_caller_identity" "current" {}
2+
3+
locals {
4+
account_id = data.aws_caller_identity.current.account_id
5+
}
6+
7+
data "aws_security_groups" "cms_cloud_sg" {
8+
filter {
9+
name = "group-name"
10+
values = ["cmscloud*"]
11+
}
12+
13+
filter {
14+
name = "vpc-id"
15+
values = [var.vpc_id]
16+
}
17+
}
18+
19+
resource "aws_iam_role" "github_runner_resource_creation_role" {
20+
description = "Role to be assumed for resource creation"
21+
name = "${var.account_name}-github-actions-runner-creation-role"
22+
assume_role_policy = jsonencode({
23+
Version = "2012-10-17"
24+
Statement = [{
25+
Effect = "Allow"
26+
Action = "sts:AssumeRoleWithWebIdentity"
27+
Condition = {
28+
StringEquals = {
29+
"token.actions.githubusercontent.com:aud" = "sts.amazonaws.com"
30+
}
31+
StringLike = {
32+
"token.actions.githubusercontent.com:sub" = "repo:CMS-Enterprise/NPD:*"
33+
}
34+
}
35+
Principal = {
36+
Federated = "arn:aws:iam::${local.account_id}:oidc-provider/token.actions.githubusercontent.com"
37+
}
38+
}]
39+
})
40+
}
41+
42+
resource "aws_iam_role_policy_attachment" "github_runner_has_admin" {
43+
role = aws_iam_role.github_runner_resource_creation_role.id
44+
policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
45+
}
46+
47+
resource "aws_iam_role_policy_attachment" "github_runner_has_ado_restriction" {
48+
role = aws_iam_role.github_runner_resource_creation_role.id
49+
policy_arn = "arn:aws:iam::${local.account_id}:policy/ADO-Restriction-Policy"
50+
}
51+
52+
resource "aws_iam_role_policy_attachment" "github_runner_has_region_restriction" {
53+
role = aws_iam_role.github_runner_resource_creation_role.id
54+
policy_arn = "arn:aws:iam::${local.account_id}:policy/CMSCloudApprovedRegions"
55+
}
56+
57+
resource "aws_iam_role_policy_attachment" "github_runner_has_user_creation_restriction" {
58+
role = aws_iam_role.github_runner_resource_creation_role.id
59+
policy_arn = "arn:aws:iam::${local.account_id}:policy/ct-iamCreateUserRestrictionPolicy"
60+
}
61+
62+
resource "aws_security_group" "github_runner_security_group" {
63+
description = "Defines traffic flows to/from the GitHub Action runner"
64+
name = "${var.account_name}-github-actions-runner-sg"
65+
vpc_id = var.vpc_id
66+
}
67+
68+
resource "aws_vpc_security_group_egress_rule" "github_runner_can_make_outgoing_requests" {
69+
description = "Allows the GitHub Runner instance to make outgoing requests"
70+
ip_protocol = "-1"
71+
cidr_ipv4 = "0.0.0.0/0"
72+
security_group_id = aws_security_group.github_runner_security_group.id
73+
}
74+
75+
resource "aws_instance" "github_actions_instance" {
76+
ami = "ami-04345af6ff8317b5e"
77+
instance_type = "m5.xlarge"
78+
vpc_security_group_ids = concat(
79+
data.aws_security_groups.cms_cloud_sg.ids,
80+
[aws_security_group.github_runner_security_group.id]
81+
)
82+
subnet_id = var.subnet_id
83+
iam_instance_profile = "cms-cloud-base-ec2-profile-v4"
84+
tags = {
85+
Name = "github-actions-runner-instance"
86+
}
87+
}
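Review bot: The trust policy at lines 31–32 lets any workflow run in `CMS-Enterprise/NPD` — any branch, tag or pull-request ref — assume `github_runner_resource_creation_role`, and line 44 attaches `AdministratorAccess` to that role, so the only guard rails are the three account-level restriction policies on lines 49–59 and a workflow edited on any feature branch obtains administrator credentials in this account. I would narrow the subject claim to the deploying ref or a protected GitHub environment, e.g. `"token.actions.githubusercontent.com:sub" = "repo:CMS-Enterprise/NPD:ref:refs/heads/main"` (branch name to be confirmed against the workflow), and state in the role `description` why administrator rather than a deploy-scoped policy is needed. The `aws_instance` on lines 75–87 hard-codes `ami-04345af6ff8317b5e` with no note of what image it is, does not require IMDSv2, and does not request an encrypted root volume; because this host executes workflow jobs under the `cms-cloud-base-ec2-profile-v4` instance profile, enforcing IMDSv2 and keeping that profile minimal are the cheap mitigations. The egress rule on lines 68–73 opens all protocols to `0.0.0.0/0`, which is common for a runner that pulls from GitHub and pushes to ECR, but a one-line comment saying so would stop a later reviewer from re-flagging it. The instance hardening is sketched below.
```hcl
resource "aws_instance" "github_actions_instance" {
  ami           = "ami-04345af6ff8317b5e" # TODO: record which OS/version this image is, or resolve it via data "aws_ami"
  instance_type = "m5.xlarge"
  # … unchanged: vpc_security_group_ids, subnet_id, iam_instance_profile …

  # Require IMDSv2 so instance-profile credentials cannot be fetched with an unauthenticated GET.
  metadata_options {
    http_endpoint = "enabled"
    http_tokens   = "required"
  }

  root_block_device {
    encrypted = true
  }

  # … unchanged: tags …
}
```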
Lines changed: 3 additions & 0 deletions
@@ -0,0 +1,3 @@
1+
variable "subnet_id" {}
2+
variable "vpc_id" {}
3+
variable "account_name" {}
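Review bot: The three variables on lines 1–3 are declared with no `type` and no `description`, so the module accepts any value and `terraform validate` cannot catch, for example, a subnet list being passed where a single id is expected (the dev environment passes `module.networking.etl_subnet_ids[0]`). I would declare them as `variable "subnet_id" { type = string }`, `variable "vpc_id" { type = string }` and `variable "account_name" { type = string }`, each with a one-line `description` saying what the runner module uses it for.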
