From 0a356f066b32d34eb228a631ec34c5986aa3053f Mon Sep 17 00:00:00 2001 
From: Niek Palm Date: Thu, 9 Aug 2018 00:01:55 +0200 Subject: [PATCH 1/2] #15 - Allow instance to create service linked roles (#16) * #15 - Allow instance to create service linked roles * #14 - Add example readme and example for public subnet --- .gitignore | 3 +- CHNAGELOG.md | 3 ++ README.md | 4 +- .../.terraform-version | 0 examples/runner-default/README.md | 6 +++ .../generated/.gitkeep | 0 examples/{runner => runner-default}/key.tf | 0 examples/{runner => runner-default}/main.tf | 0 .../{runner => runner-default}/providers.tf | 0 .../terraform.tfvars | 0 .../{runner => runner-default}/variables.tf | 0 examples/runner-public/.terraform-version | 1 + examples/runner-public/README.md | 6 +++ examples/runner-public/key.tf | 25 ++++++++++++ examples/runner-public/main.tf | 40 +++++++++++++++++++ examples/runner-public/providers.tf | 20 ++++++++++ examples/runner-public/terraform.tfvars | 12 ++++++ examples/runner-public/variables.tf | 34 ++++++++++++++++ main.tf | 34 +++++++++++++++- .../service-linked-role-create-policy.json | 10 +++++ variables.tf | 5 +++ 21 files changed, 198 insertions(+), 5 deletions(-) rename examples/{runner => runner-default}/.terraform-version (100%) create mode 100644 examples/runner-default/README.md rename examples/{runner => runner-default}/generated/.gitkeep (100%) rename examples/{runner => runner-default}/key.tf (100%) rename examples/{runner => runner-default}/main.tf (100%) rename examples/{runner => runner-default}/providers.tf (100%) rename examples/{runner => runner-default}/terraform.tfvars (100%) rename examples/{runner => runner-default}/variables.tf (100%) create mode 100644 examples/runner-public/.terraform-version create mode 100644 examples/runner-public/README.md create mode 100644 examples/runner-public/key.tf create mode 100644 examples/runner-public/main.tf create mode 100644 examples/runner-public/providers.tf create mode 100644 examples/runner-public/terraform.tfvars create mode 100644 
examples/runner-public/variables.tf create mode 100644 policies/service-linked-role-create-policy.json
diff --git a/.gitignore b/.gitignore
index ee5172cdc..777fbf123 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,6 +1,5 @@
 # Compiled files
-*.tfstate
-*.tfstate.backup
+*.tfstate*
 # Module directory
 .terraform/
diff --git a/CHNAGELOG.md b/CHNAGELOG.md
index 7a3b1d0dd..1a8eaad5b 100644
--- a/CHNAGELOG.md
+++ b/CHNAGELOG.md
@@ -5,6 +5,9 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/)
 and this project adheres to [Semantic Versioning](http://semver.org/).
 ## [Unreleased]
+### Added
+- Added an option to allow gitlab runner instance to create service linked roles, by default enabled.
+- Added example for public subnet
 ## [1.3.0] - 2018-08-08
 - Add option to run runners in public subnet
diff --git a/README.md b/README.md
index 9a18fc697..5ea76334c 100644
--- a/README.md
+++ b/README.md
@@ -30,11 +30,11 @@ export AWS_SECRET_ACCESS_KEY=...
 ```
 ### Service linked roles
-Currently the ec2 instance role does not allow creation of service linked roles. The runner instances is depended on the following two service linked roles:
+The gitlab runner ec2 instance needs the following sercice linked roles:
 - AWSServiceRoleForAutoScaling
 - AWSServiceRoleForEC2Spot
-You can create them manually or via terraform.
+By default the ec2 instance is allowed to create the roles, by setting the option `allow_iam_service_linked_role_creation` to `false` you can deny the creation of roles by the instance. In that case you have to ensure the roles exists. You can create them manually or via terraform.
 ```
 resource "aws_iam_service_linked_role" "spot" {
diff --git a/examples/runner/.terraform-version b/examples/runner-default/.terraform-version
similarity index 100%
rename from examples/runner/.terraform-version
rename to examples/runner-default/.terraform-version
diff --git a/examples/runner-default/README.md b/examples/runner-default/README.md
new file mode 100644
index 000000000..7cb86509b
--- /dev/null
+++ b/examples/runner-default/README.md
@@ -0,0 +1,6 @@
+# Example - Runner - Private subnets
+
+Example how create a gitlab runner, running in a private subnet.
+
+## Prerequisite
+The terraform version is managed using [tfenv](https://github.com/Zordrak/tfenv). If you are not using tfenv please check `.terraform-version` for the tested version.
diff --git a/examples/runner/generated/.gitkeep b/examples/runner-default/generated/.gitkeep
similarity index 100%
rename from examples/runner/generated/.gitkeep
rename to examples/runner-default/generated/.gitkeep
diff --git a/examples/runner/key.tf b/examples/runner-default/key.tf
similarity index 100%
rename from examples/runner/key.tf
rename to examples/runner-default/key.tf
diff --git a/examples/runner/main.tf b/examples/runner-default/main.tf
similarity index 100%
rename from examples/runner/main.tf
rename to examples/runner-default/main.tf
diff --git a/examples/runner/providers.tf b/examples/runner-default/providers.tf
similarity index 100%
rename from examples/runner/providers.tf
rename to examples/runner-default/providers.tf
diff --git a/examples/runner/terraform.tfvars b/examples/runner-default/terraform.tfvars
similarity index 100%
rename from examples/runner/terraform.tfvars
rename to examples/runner-default/terraform.tfvars
diff --git a/examples/runner/variables.tf b/examples/runner-default/variables.tf
similarity index 100%
rename from examples/runner/variables.tf
rename to examples/runner-default/variables.tf
diff --git a/examples/runner-public/.terraform-version b/examples/runner-public/.terraform-version
new file mode 100644
index 000000000..b80f98e66
--- /dev/null
+++ b/examples/runner-public/.terraform-version
@@ -0,0 +1 @@
+0.11.7
diff --git a/examples/runner-public/README.md b/examples/runner-public/README.md
new file mode 100644
index 000000000..5acd71f25
--- /dev/null
+++ b/examples/runner-public/README.md
@@ -0,0 +1,6 @@
+# Example - Runner - Public subnets
+
+Example how create a gitlab runner, running in a public subnet.
+
+## Prerequisite
+The terraform version is managed using [tfenv](https://github.com/Zordrak/tfenv). If you are not using tfenv please check `.terraform-version` for the tested version.
diff --git a/examples/runner-public/key.tf b/examples/runner-public/key.tf
new file mode 100644
index 000000000..84da24f1f
--- /dev/null
+++ b/examples/runner-public/key.tf
@@ -0,0 +1,25 @@
+resource "tls_private_key" "ssh" {
+ algorithm = "RSA"
+}
+
+resource "local_file" "public_ssh_key" {
+ depends_on = ["tls_private_key.ssh"]
+
+ content = "${tls_private_key.ssh.public_key_openssh}"
+ filename = "${var.public_ssh_key_filename}"
+}
+
+resource "local_file" "private_ssh_key" {
+ depends_on = ["tls_private_key.ssh"]
+
+ content = "${tls_private_key.ssh.private_key_pem}"
+ filename = "${var.private_ssh_key_filename}"
+}
+
+resource "null_resource" "file_permission" {
+ depends_on = ["local_file.private_ssh_key"]
+
+ provisioner "local-exec" {
+ command = "${format("chmod 600 %s", var.private_ssh_key_filename)}"
+ }
+}
diff --git a/examples/runner-public/main.tf b/examples/runner-public/main.tf
new file mode 100644
index 000000000..c44039965
--- /dev/null
+++ b/examples/runner-public/main.tf
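Review bot: `local_file.private_ssh_key` writes the PEM with the provider's default file mode and the `chmod 600` runs afterwards in a separate `null_resource`, so the key is readable by other local users between the two steps, and because `null_resource.file_permission` declares no `triggers` the chmod is not re-run if the file is regenerated on a later apply. The private key is also kept in plaintext in Terraform state by `tls_private_key`, which the example does not say anywhere; a comment above `resource "tls_private_key" "ssh"` such as `# NOTE: the private key is stored in Terraform state and written to generated/ - keep both out of version control` would make that explicit. Unlike runner-default, this example ships no `generated/.gitkeep`, so whether the target directory exists on first apply depends on the `local` provider version pinned in providers.tf; worth checking. `rsa_bits` is left at the provider default, which is fine but could be stated in the same comment.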
@@ -0,0 +1,40 @@
+module "vpc" {
+ source = "terraform-aws-modules/vpc/aws"
+ version = "1.37.0"
+
+ name = "vpc-${var.environment}"
+ cidr = "10.1.0.0/16"
+
+ azs = ["eu-west-1a"]
+ public_subnets = ["10.1.101.0/24"]
+
+ tags = {
+ Environment = "${var.environment}"
+ }
+}
+
+module "runner" {
+ source = "../../"
+
+ aws_region = "${var.aws_region}"
+ environment = "${var.environment}"
+
+ ssh_public_key = "${local_file.public_ssh_key.content}"
+
+ runners_use_private_address = false
+
+ vpc_id = "${module.vpc.vpc_id}"
+ subnet_id_gitlab_runner = "${element(module.vpc.public_subnets, 0)}"
+ subnet_id_runners = "${element(module.vpc.public_subnets, 0)}"
+
+ runners_name = "${var.runner_name}"
+ runners_gitlab_url = "${var.gitlab_url}"
+ runners_token = "${var.runner_token}"
+
+ runners_off_peak_timezone = "Europe/Amsterdam"
+ runners_off_peak_idle_count = 0
+ runners_off_peak_idle_time = 60
+
+ # working 9 to 5 :)
+ runners_off_peak_periods = "[\"* * 0-9,17-23 * * mon-fri *\", \"* * * * * sat,sun *\"]"
+}
diff --git a/examples/runner-public/providers.tf b/examples/runner-public/providers.tf
new file mode 100644
index 000000000..448ccd70f
--- /dev/null
+++ b/examples/runner-public/providers.tf
@@ -0,0 +1,20 @@
+provider "aws" {
+ region = "${var.aws_region}"
+ version = "1.23"
+}
+
+provider "template" {
+ version = "1.0"
+}
+
+provider "local" {
+ version = "1.1"
+}
+
+provider "null" {
+ version = "1.0"
+}
+
+provider "tls" {
+ version = "1.1"
+}
diff --git a/examples/runner-public/terraform.tfvars b/examples/runner-public/terraform.tfvars
new file mode 100644
index 000000000..895b1cc1e
--- /dev/null
+++ b/examples/runner-public/terraform.tfvars
@@ -0,0 +1,12 @@
+key_name = "gitlab-runner"
+
+environment = "runner-public"
+
+aws_region = "eu-west-1"
+
+# Add the following variables:
+runner_name = "docker.m3"
+
+gitlab_url = "https://gitlab.com"
+
+runner_token = "3939146918cced54ecf1dd08e6b87e"
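Review bot: `azs = ["eu-west-1a"]` is hard-coded while the region is taken from `var.aws_region`, so overriding the region (its default is eu-west-1 in variables.tf) leaves the VPC module asking for a subnet in an availability zone that is not in that region; derive it instead, e.g. `azs = ["${var.aws_region}a"]` or from a `data "aws_availability_zones"` source. The example also places both the runner host and the executor instances in the single public subnet with `runners_use_private_address = false`, and whether the module's security groups restrict inbound traffic is outside this diff; a comment above `runners_use_private_address` such as `# Runner and executors get public addresses - review the module's security group ingress before using this outside a lab` would set expectations for people copying the example.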
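Review bot: `runner_token = "3939146918cced54ecf1dd08e6b87e"` commits a token-shaped value to an example tfvars file that Terraform loads automatically; if it is a real registration token anyone with the repository can register runners against that project until it is rotated, so rotate it if real and replace the value with an obvious placeholder like `runner_token = "REPLACE_WITH_YOUR_RUNNER_TOKEN"`, pointing users to `TF_VAR_runner_token` or a git-ignored tfvars file. `key_name = "gitlab-runner"` has no matching `variable "key_name"` in this example's variables.tf and is not passed to either module, so it appears unused and, depending on the Terraform version, may produce an undeclared-variable warning. The `# Add the following variables:` comment sits above only `runner_name` while the user also has to supply `gitlab_url` and `runner_token`; moving it above all three would read more clearly.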
diff --git a/examples/runner-public/variables.tf b/examples/runner-public/variables.tf
new file mode 100644
index 000000000..bd7286242
--- /dev/null
+++ b/examples/runner-public/variables.tf
@@ -0,0 +1,34 @@
+variable "aws_region" {
+ description = "AWS region."
+ type = "string"
+ default = "eu-west-1"
+}
+
+variable "environment" {
+ description = "A name that indentifies the environment, will used as prefix and for taggin."
+ default = "ci-runners"
+ type = "string"
+}
+
+variable "public_ssh_key_filename" {
+ default = "generated/id_rsa.pub"
+}
+
+variable "private_ssh_key_filename" {
+ default = "generated/id_rsa"
+}
+
+variable "runner_name" {
+ description = "Name of the runner, will be used in the runner config.toml"
+ type = "string"
+}
+
+variable "gitlab_url" {
+ description = "URL of the gitlab instance to connect to."
+ type = "string"
+}
+
+variable "runner_token" {
+ description = "Token for the runner, will be used in the runner config.toml"
+ type = "string"
+}
diff --git a/main.tf b/main.tf
index 7f986af30..fc269a577 100644
--- a/main.tf
+++ b/main.tf
@@ -151,6 +151,9 @@ resource "aws_launch_configuration" "gitlab_runner_instance" {
 }
 }
+################################################################################
+### Trust policy
+################################################################################
 resource "aws_iam_instance_profile" "instance" {
 name = "${var.environment}-instance-profile"
 role = "${aws_iam_role.instance.name}"
@@ -165,6 +168,9 @@ resource "aws_iam_role" "instance" {
 assume_role_policy = "${data.template_file.instance_role_trust_policy.rendered}"
 }
+################################################################################
+### docker machine instance policy
+################################################################################
 data "template_file" "docker_machine_policy" {
 template = "${file("${path.module}/policies/instance-docker-machine-policy.json")}"
 }
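Review bot: `public_ssh_key_filename` and `private_ssh_key_filename` are the only variables in this file without a `description`, and since key.tf writes a private key to the second path that is the one a reader most needs explained; add `description = "Path where the generated public SSH key is written."` and `description = "Path where the generated private SSH key is written (kept out of version control)."`. The `environment` description also has two typos; `description = "A name that identifies the environment, used as prefix and for tagging."` reads correctly. The `runner_token` description could additionally say the value is a secret so that users do not put it in a committed tfvars file.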
@@ -177,7 +183,33 @@ resource "aws_iam_policy" "docker_machine" {
 policy = "${data.template_file.docker_machine_policy.rendered}"
 }
-resource "aws_iam_role_policy_attachment" "test-attach" {
+resource "aws_iam_role_policy_attachment" "docker_machine" {
 role = "${aws_iam_role.instance.name}"
 policy_arn = "${aws_iam_policy.docker_machine.arn}"
 }
+
+################################################################################
+### Service linked policy, optional
+################################################################################
+data "template_file" "service_linked_role" {
+ count = "${var.allow_iam_service_linked_role_creation ? 1 : 0}"
+
+ template = "${file("${path.module}/policies/service-linked-role-create-policy.json")}"
+}
+
+resource "aws_iam_policy" "service_linked_role" {
+ count = "${var.allow_iam_service_linked_role_creation ? 1 : 0}"
+
+ name = "${var.environment}-service_linked_role"
+ path = "/"
+ description = "Policy for creation of service linked roles."
+
+ policy = "${data.template_file.service_linked_role.rendered}"
+}
+
+resource "aws_iam_role_policy_attachment" "service_linked_role" {
+ count = "${var.allow_iam_service_linked_role_creation ? 1 : 0}"
+
+ role = "${aws_iam_role.instance.name}"
+ policy_arn = "${aws_iam_policy.service_linked_role.arn}"
+}
diff --git a/policies/service-linked-role-create-policy.json b/policies/service-linked-role-create-policy.json
new file mode 100644
index 000000000..db6224d26
--- /dev/null
+++ b/policies/service-linked-role-create-policy.json
@@ -0,0 +1,10 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": "iam:CreateServiceLinkedRole",
+ "Resource": "arn:aws:iam::*:role/aws-service-role/*"
+ }
+ ]
+}
diff --git a/variables.tf b/variables.tf
index a3cb2c571..06b5362a1 100644
--- a/variables.tf
+++ b/variables.tf
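Review bot: Renaming `aws_iam_role_policy_attachment.test-attach` to `docker_machine` changes the resource address, so on the next apply of an existing deployment Terraform destroys the old attachment and creates a new one, and the instance role is without the docker-machine policy between those two steps; since the 0.11 series pinned in the examples has no in-config move, the changelog or README should tell upgraders to run `terraform state mv aws_iam_role_policy_attachment.test-attach aws_iam_role_policy_attachment.docker_machine` before applying. Separately, `policy = "${data.template_file.service_linked_role.rendered}"` references a counted data source without an index; with `allow_iam_service_linked_role_creation = false` both resources have count 0, and in 0.11 such references have historically failed at plan time even when the referencing resource is also disabled, so the option should be tested in the off position and, if it fails, the reference written as `policy = "${element(concat(data.template_file.service_linked_role.*.rendered, list("")), 0)}"`. The three `count` expressions repeat the same conditional; a `locals` entry would keep them in sync.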
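Review bot: The statement grants `iam:CreateServiceLinkedRole` for every service-linked role path under `role/aws-service-role/*`, but the README in this same commit names only `AWSServiceRoleForAutoScaling` and `AWSServiceRoleForEC2Spot` as the roles the runner needs, and this policy is attached to the instance role of every runner host. Scoping the statement to those two services with the `iam:AWSServiceName` condition key and the matching role paths keeps the grant at least-privilege; the `Version` line stays as is and only the statement object below changes.

```json
    {
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": [
        "arn:aws:iam::*:role/aws-service-role/autoscaling.amazonaws.com/*",
        "arn:aws:iam::*:role/aws-service-role/spot.amazonaws.com/*"
      ],
      "Condition": {
        "StringEquals": {
          "iam:AWSServiceName": ["autoscaling.amazonaws.com", "spot.amazonaws.com"]
        }
      }
    }
```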
@@ -182,3 +182,8 @@ variable "tags" {
 description = "Map of tags that will be added to created resources. By default resources will be taggen with name and environemnt."
 default = {}
 }
+
+variable "allow_iam_service_linked_role_creation" {
+ description = "Attach policy to runner instance to create service linked roles."
+ default = true
+}
From 5ef48c242ecc12d974c35c387ebc05d354ba6a6a Mon Sep 17 00:00:00 2001
From: Niek Palm Date: Thu, 9 Aug 2018 00:03:26 +0200 Subject: [PATCH 2/2] Release 1.4.0 --- CHNAGELOG.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/CHNAGELOG.md b/CHNAGELOG.md
index 1a8eaad5b..88b35a31c 100644
--- a/CHNAGELOG.md
+++ b/CHNAGELOG.md
@@ -5,6 +5,8 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/)
 and this project adheres to [Semantic Versioning](http://semver.org/).
 ## [Unreleased]
+
+## [1.4.0] - 2018-08-09
 ### Added
 - Added an option to allow gitlab runner instance to create service linked roles, by default enabled.
 - Added example for public subnet
@@ -58,7 +60,8 @@ and this project adheres to [Semantic Versioning](http://semver.org/).
 - Update default AMI's to The latest Amazon Linux AMI 2017.09.1 - released on 2018-01-17.
 - Minor updates in the example
-[Unreleased]: https://github.com/npalm/terraform-aws-gitlab-runner/compare/1.3.0...HEAD
+[Unreleased]: https://github.com/npalm/terraform-aws-gitlab-runner/compare/1.4.0...HEAD
+[1.4.0]: https://github.com/npalm/terraform-aws-gitlab-runner/compare/1.3.0...1.4.0
 [1.3.0]: https://github.com/npalm/terraform-aws-gitlab-runner/compare/1.2.1...1.3.0
 [1.2.1]: https://github.com/npalm/terraform-aws-gitlab-runner/compare/1.2.0...1.2.1
 [1.2.0]: https://github.com/npalm/terraform-aws-gitlab-runner/compare/1.1.0...1.2.0
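Review bot: The description of `allow_iam_service_linked_role_creation` says what gets attached but not what the operator takes on when turning it off, which is the decision the README asks them to make; `description = "Attach a policy to the runner instance role that lets it create the AWSServiceRoleForAutoScaling and AWSServiceRoleForEC2Spot service linked roles. Set to false when those roles already exist; the instance will then not be able to create them."` covers both. The variable declares no `type`, and the 0.11 variable types are string, list and map, so the `true` default is handled as a string and the `? 1 : 0` conditionals in main.tf rely on that coercion; stating `default = "true"` with `type = "string"` would match the other variables in this file and make the accepted values explicit.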