terraform {
  # Terraform 1.5 or newer is required; a committed .terraform.lock.hcl (if present)
  # pins the exact provider builds selected within the ranges below.
  required_version = ">= 1.5"

  required_providers {
    # AWS provider: any 5.x release from 5.5 upward (< 6.0).
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.5"
    }
    # Random provider (3.4.2 <= v < 3.5): used by random_string.random below and any
    # other random_* resources this module declares elsewhere.
    random = {
      source  = "hashicorp/random"
      version = "~> 3.4.2"
    }
  }
}
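locals {
  # Tags applied to every resource and module call: caller-supplied tags plus the
  # environment name.
  tags = merge(var.tags, {
    Environment = var.environment
  })

  # S3 URIs of the runner distributions kept in the syncer's bucket; handed to the
  # runners-instances module as the download locations for each platform.
  runner_binaries_bucket = module.runner_binaries.bucket.id

  s3_action_runner_url_linux       = "s3://${local.runner_binaries_bucket}/${module.runner_binaries.runner_distribution_object_key_linux}"
  s3_action_runner_url_linux_arm64 = "s3://${local.runner_binaries_bucket}/${module.runner_binaries.runner_distribution_object_key_linux_arm64}"
  s3_action_runner_url_windows     = "s3://${local.runner_binaries_bucket}/${module.runner_binaries.runner_distribution_object_key_windows}"

  # Graviton (arm64) detection from the instance family: "a1", or any family whose
  # suffix after the generation digit starts with "g" (m6g, c6gd, c6gn, c7g, m7g, t4g,
  # x2gd, g5g, ...). GPU families such as g4dn/g5 do not match because their "g" is
  # the family letter, not the post-generation suffix.
  # The earlier check was substr(0,2)=="a1" || substr(1,2)=="6g", which classified
  # c7g/m7g/t4g-class instances as x64 and would hand them the wrong runner binary.
  runner_architecture = can(regex("^(a1|[a-z]+[0-9]+g[a-z]*)\\.", var.instance_type)) ? "arm64" : "x64"
}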
# Random suffix for the distribution bucket name (bucket names are global, so the
# environment name alone is not guaranteed to be free). Lowercase alphanumerics only,
# because S3 bucket names may not contain uppercase or special characters.
# No `keepers` are set, so the random provider keeps the first generated value.
resource "random_string" "random" {
  length  = 24
  lower   = true
  upper   = false
  numeric = true
  special = false
}
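# Dead-letter queue for queued_builds: messages that fail maxReceiveCount receives land here.
resource "aws_sqs_queue" "queued_builds_dead_letter" {
  name = "${var.environment}-queued-builds-dead-letter"

  # Encrypt at rest with the SQS-owned key, stated explicitly instead of relying on the
  # account/provider default. NOTE(review): if messages must be encrypted under the
  # module's own key (local.kms_key_id), use kms_master_key_id instead and grant the
  # producing/consuming lambda roles kms:Decrypt / kms:GenerateDataKey — not done here
  # because those role policies live in the sub-modules.
  sqs_managed_sse_enabled = true

  # NOTE(review): "allowAll" lets any queue in this account/region use this DLQ.
  # Restricting it with byQueue/sourceQueueArns to aws_sqs_queue.queued_builds.arn would
  # create a dependency cycle with that queue's redrive_policy; the source ARN would have
  # to be assembled from the name via data.aws_caller_identity/data.aws_region instead.
  redrive_allow_policy = jsonencode({
    redrivePermission = "allowAll",
  })

  # local.tags rather than var.tags, so the Environment tag matches every other resource.
  tags = local.tags
}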
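# Build queue: passed to module.webhook and module.runners as sqs_build_queue, i.e. the
# webhook side enqueues events and the runners side consumes them.
resource "aws_sqs_queue" "queued_builds" {
  name = "${var.environment}-queued-builds"

  # Visibility timeout should stay above the scale-up lambda timeout, otherwise a message
  # can be redelivered while the previous invocation is still processing it.
  visibility_timeout_seconds = var.runners_scale_up_sqs_visibility_timeout
  # 2 KiB cap on the message body — presumably sized for the event payload the webhook
  # lambda enqueues; verify against the producer if the payload grows.
  max_message_size          = 2048
  message_retention_seconds = var.runners_scale_up_sqs_message_ret_s

  # Encrypt at rest with the SQS-owned key, stated explicitly. NOTE(review): switch to
  # kms_master_key_id = local.kms_key_id if the module's own key is required, together
  # with the matching KMS grants on the lambda roles in the sub-modules.
  sqs_managed_sse_enabled = true

  # After maxReceiveCount failed receives the message moves to the dead-letter queue.
  redrive_policy = jsonencode({
    deadLetterTargetArn = aws_sqs_queue.queued_builds_dead_letter.arn
    maxReceiveCount     = var.runners_scale_up_sqs_max_retry
  })

  # local.tags rather than var.tags, so the Environment tag matches every other resource.
  tags = local.tags
}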
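# Dead-letter queue for queued_builds_retry.
resource "aws_sqs_queue" "queued_builds_retry_dead_letter" {
  name = "${var.environment}-queued-builds-retry-dead-letter"

  # Encrypt at rest with the SQS-owned key, stated explicitly instead of relying on the
  # account/provider default. NOTE(review): use kms_master_key_id = local.kms_key_id
  # (plus KMS grants on the lambda roles) if the module's own key is required.
  sqs_managed_sse_enabled = true

  # NOTE(review): "allowAll" lets any queue in this account/region use this DLQ.
  # Restricting it to aws_sqs_queue.queued_builds_retry via byQueue/sourceQueueArns would
  # create a dependency cycle with that queue's redrive_policy; the ARN would have to be
  # built from the name via data.aws_caller_identity/data.aws_region instead.
  redrive_allow_policy = jsonencode({
    redrivePermission = "allowAll",
  })

  # local.tags rather than var.tags, so the Environment tag matches every other resource.
  tags = local.tags
}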
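# Retry queue: handed to module.runners as sqs_build_queue_retry (the webhook does not
# write to it). Same sizing and retention as the primary queue.
resource "aws_sqs_queue" "queued_builds_retry" {
  name = "${var.environment}-queued-builds-retry"

  visibility_timeout_seconds = var.runners_scale_up_sqs_visibility_timeout
  max_message_size           = 2048
  message_retention_seconds  = var.runners_scale_up_sqs_message_ret_s

  # Encrypt at rest with the SQS-owned key, stated explicitly. NOTE(review): switch to
  # kms_master_key_id = local.kms_key_id if the module's own key is required, together
  # with the matching KMS grants on the lambda roles in the sub-modules.
  sqs_managed_sse_enabled = true

  # After maxReceiveCount failed receives the message moves to the retry dead-letter queue.
  redrive_policy = jsonencode({
    deadLetterTargetArn = aws_sqs_queue.queued_builds_retry_dead_letter.arn
    maxReceiveCount     = var.runners_scale_up_sqs_max_retry
  })

  # local.tags rather than var.tags, so the Environment tag matches every other resource.
  tags = local.tags
}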
# Webhook receiver: the lambda that accepts GitHub App deliveries and publishes them to
# the queued_builds queue. Delivery verification against the webhook secret is presumably
# done inside the module — confirm in ./modules/webhook.
module "webhook" {
  source = "./modules/webhook"

  environment = var.environment
  tags        = local.tags

  # Target queue for accepted events; the same queue module.runners consumes.
  sqs_build_queue = aws_sqs_queue.queued_builds

  # Shared secret for the GitHub App webhook — treat as sensitive wherever it is stored.
  github_app_webhook_secret = var.github_app.webhook_secret

  # Secrets the module stores are KMS-encrypted when var.encrypt_secrets is set.
  encryption = {
    encrypt    = var.encrypt_secrets
    kms_key_id = local.kms_key_id
  }

  lambda_zip                  = var.webhook_lambda_zip
  lambda_timeout              = var.webhook_lambda_timeout
  logging_retention_in_days   = var.logging_retention_in_days
  scale_up_lambda_concurrency = var.scale_up_lambda_concurrency

  # IAM role placement and permissions boundary for the roles the module creates.
  role_path                 = var.role_path
  role_permissions_boundary = var.role_permissions_boundary
}
# Scale-up / scale-down lambdas that consume the build queues and manage runner instances.
# Most inputs are passed straight through from the root variables; the ones with security
# impact are annotated below.
module "runners" {
  source = "./modules/runners"
  aws_region = var.aws_region
  aws_region_instances = var.aws_region_instances
  vpc_ids = var.vpc_ids
  vpc_sgs = var.vpc_sgs
  subnet_vpc_ids = var.subnet_vpc_ids
  subnet_azs = var.subnet_azs
  environment = var.environment
  tags = local.tags
  scale_config_org = var.scale_config_org
  scale_config_repo = var.scale_config_repo
  scale_config_repo_path = var.scale_config_repo_path
  # Secrets stored by the module are KMS-encrypted when var.encrypt_secrets is set.
  encryption = {
    kms_key_id = local.kms_key_id
    encrypt = var.encrypt_secrets
  }
  must_have_issues_labels = var.must_have_issues_labels
  cant_have_issues_labels = var.cant_have_issues_labels
  # Redis endpoint and credentials for the scale lambdas. The replication group, user and
  # random_password are declared outside this file.
  redis_endpoint = aws_elasticache_replication_group.es.primary_endpoint_address
  # NOTE(review): the password is interpolated into a plain string here, so it is not
  # marked sensitive on the module input and may show up in plan/apply output. Wrapping
  # the value in sensitive(...) would suppress that, provided the module does not use it
  # in a for_each key or similar — confirm before changing.
  redis_login = "${aws_elasticache_user.scale_lambda.user_name}:${random_password.es_password.result}"
  # Primary queue and its retry companion, both declared above in this file.
  sqs_build_queue = aws_sqs_queue.queued_builds
  sqs_build_queue_retry = aws_sqs_queue.queued_builds_retry
  # GitHub App configuration object; it carries webhook_secret (used by module.webhook)
  # and presumably the app credentials — treat the whole object as sensitive.
  github_app = var.github_app
  enable_organization_runners = var.enable_organization_runners
  scale_down_schedule_expression = var.scale_down_schedule_expression
  minimum_running_time_in_minutes = var.minimum_running_time_in_minutes
  runner_extra_labels = var.runner_extra_labels
  idle_config = var.idle_config
  # Secrets Manager secret the lambdas read at runtime (contents not visible here).
  secretsmanager_secrets_id = var.secretsmanager_secrets_id
  min_available_runners = var.min_available_runners
  lambda_zip = var.runners_lambda_zip
  lambda_timeout_scale_up = var.runners_scale_up_lambda_timeout
  lambda_timeout_scale_down = var.runners_scale_down_lambda_timeout
  # Network placement of the lambdas (needed to reach the Redis endpoint inside the VPC).
  lambda_subnet_ids = var.lambda_subnet_ids
  lambda_security_group_ids = var.lambda_security_group_ids
  # Security groups, GitHub App credentials, instance role and launch templates all come
  # from module.runners_instances; the scale-up lambda launches from these templates.
  runners_security_group_ids = module.runners_instances.security_groups_ids_vpcs
  github_app_key_base64 = module.runners_instances.github_app_key_base64
  github_app_client_secret = module.runners_instances.github_app_client_secret
  role_runner_arn = module.runners_instances.role_runner_arn
  launch_template_name_linux = module.runners_instances.launch_template_name_linux
  launch_template_name_linux_nvidia = module.runners_instances.launch_template_name_linux_nvidia
  launch_template_name_linux_arm64 = module.runners_instances.launch_template_name_linux_arm64
  launch_template_name_windows = module.runners_instances.launch_template_name_windows
  launch_template_version_linux = module.runners_instances.launch_template_version_linux
  launch_template_version_windows = module.runners_instances.launch_template_version_windows
  launch_template_version_linux_nvidia = module.runners_instances.launch_template_version_linux_nvidia
  launch_template_version_linux_arm64 = module.runners_instances.launch_template_version_linux_arm64
  logging_retention_in_days = var.logging_retention_in_days
  scale_up_lambda_concurrency = var.scale_up_lambda_concurrency
  scale_up_provisioned_concurrent_executions = var.scale_up_provisioned_concurrent_executions
  # IAM role placement and permissions boundary for the roles the module creates.
  role_path = var.role_path
  role_permissions_boundary = var.role_permissions_boundary
  # Creates the AWSServiceRoleForEC2Spot service-linked role when the account lacks it.
  create_service_linked_role_spot = var.create_service_linked_role_spot
  # GitHub Enterprise Server URL; presumably empty/null for github.com.
  ghes_url = var.ghes_url
}
# Launch templates, security groups and instance role for the runner EC2 instances, plus
# the GitHub App credentials the instances need. The inputs that widen the instances'
# attack surface (root execution, SSM, SSH key, extra IAM policies, user-data hooks) are
# annotated below.
module "runners_instances" {
  source = "./modules/runners-instances"
  aws_region = var.aws_region
  vpc_ids = var.vpc_ids
  environment = var.environment
  tags = local.tags
  # Secrets stored by the module are KMS-encrypted when var.encrypt_secrets is set.
  encryption = {
    kms_key_id = local.kms_key_id
    encrypt = var.encrypt_secrets
  }
  # Bucket and per-platform S3 URIs the runner binaries are fetched from (see locals).
  s3_bucket_runner_binaries = module.runner_binaries.bucket
  s3_location_runner_binaries_linux = local.s3_action_runner_url_linux
  s3_location_runner_binaries_linux_arm64 = local.s3_action_runner_url_linux_arm64
  s3_location_runner_binaries_windows = local.s3_action_runner_url_windows
  instance_type = var.instance_type
  block_device_mappings = var.block_device_mappings
  # "arm64" or "x64", derived from var.instance_type in locals.
  runner_architecture = local.runner_architecture
  # NOTE(review): AMI selection by filter is only safe when the owner list is restricted
  # (an account id or an alias such as "amazon"); an empty or wildcard owner lets anyone's
  # public AMI with a matching name win. Check the defaults of these variables.
  ami_owners_linux = var.ami_owners_linux
  ami_owners_linux_arm64 = var.ami_owners_linux_arm64
  ami_owners_windows = var.ami_owners_windows
  ami_filter_linux = var.ami_filter_linux
  ami_filter_linux_arm64 = var.ami_filter_linux_arm64
  ami_filter_windows = var.ami_filter_windows
  # GitHub App configuration object — treat as sensitive (carries webhook_secret at least).
  github_app = var.github_app
  # Runs the Actions runner as root when true; jobs then execute with full host privileges.
  runner_as_root = var.runner_as_root
  # Enables SSM on the runner hosts (interactive access path into job execution hosts).
  enable_ssm_on_runners = var.enable_ssm_on_runners
  logging_retention_in_days = var.logging_retention_in_days
  enable_cloudwatch_agent = var.enable_cloudwatch_agent
  instance_profile_path = var.instance_profile_path
  # IAM role placement and permissions boundary for the roles the module creates.
  role_path = var.role_path
  role_permissions_boundary = var.role_permissions_boundary
  # User-data template and pre/post-install hooks: arbitrary shell executed at boot on the
  # runner hosts (presumably as root) — review any value supplied here as code.
  userdata_template = var.userdata_template
  userdata_pre_install = var.userdata_pre_install
  userdata_post_install = var.userdata_post_install
  # EC2 key pair name; when set, SSH access to the runner hosts is possible with that key.
  key_name = var.key_name
  # Extra managed policies attached to the runner instance role. Every job on the runner
  # can use them via the instance metadata credentials — keep to least privilege.
  runner_iam_role_managed_policy_arns = var.runner_iam_role_managed_policy_arns
  # GitHub Enterprise Server URL; presumably empty/null for github.com.
  ghes_url = var.ghes_url
}
# Runner-binaries syncer: by its name, the lambda that mirrors the Actions runner
# distribution into an S3 bucket owned by this deployment. The bucket id and object keys
# it outputs are consumed in locals and by module.runners_instances.
module "runner_binaries" {
  source = "./modules/runner-binaries-syncer"

  environment = var.environment
  tags        = local.tags

  # "<environment>-dist-<24 random lowercase chars>". S3 limits bucket names to 63
  # characters, so var.environment must not exceed 33 characters for this to be valid.
  distribution_bucket_name = format("%s-dist-%s", var.environment, random_string.random.result)

  # Whether pre-release runner builds may be synced (and therefore installed on runners).
  runner_allow_prerelease_binaries = var.runner_allow_prerelease_binaries

  lambda_zip                = var.runner_binaries_syncer_lambda_zip
  lambda_timeout            = var.runner_binaries_syncer_lambda_timeout
  logging_retention_in_days = var.logging_retention_in_days

  # IAM role placement and permissions boundary for the roles the module creates.
  role_path                 = var.role_path
  role_permissions_boundary = var.role_permissions_boundary
}
# Resource group for everything this deployment creates. The membership query is rendered
# from templates/resource-group.json for this environment (presumably a tag-based query;
# see that template for the exact filter).
resource "aws_resourcegroups_group" "resourcegroups_group" {
  name = format("%s-group", var.environment)

  resource_query {
    query = templatefile("${path.module}/templates/resource-group.json", { environment = var.environment })
  }
}