diff --git a/README.md b/README.md index 5ff30f9d1..90ae46955 100644 --- a/README.md +++ b/README.md @@ -356,6 +356,9 @@ terraform destroy | runners\_volumes\_tmpfs | n/a |
list(object({| `[]` | no | | schedule\_config | Map containing the configuration of the ASG scale-in and scale-up for the runner instance. Will only be used if enable\_schedule is set to true. | `map` |
volume = string
options = string
}))
{| no | | secure\_parameter\_store\_runner\_token\_key | The key name used store the Gitlab runner token in Secure Parameter Store | `string` | `"runner-token"` | no | +| session\_server\_advertise\_address | The URL exposed to Gitlab used to access the session server, e.g. runner-host-name.tld:8093 | `string` | `""` | no | +| session\_server\_listen\_address | Listen address of the session server, e.g. [::]:8093. Don't forget to expose this port if you use the docker runner image. | `string` | `""` | no | +| session\_server\_session\_timeout | Time in seconds how long the session stays active after the job completes. | `number` | `1800` | no | | ssh\_key\_pair | Set this to use existing AWS key pair | `string` | `null` | no | | subnet\_id\_runners | List of subnets used for hosting the gitlab-runners. | `string` | n/a | yes | | subnet\_ids\_gitlab\_runner | Subnet used for hosting the GitLab runner. | `list(string)` | n/a | yes | diff --git a/locals.tf b/locals.tf index 03c44375b..09fdb8f22 100644 --- a/locals.tf +++ b/locals.tf @@ -5,6 +5,17 @@ locals { join(",", formatlist("%q", var.docker_machine_options)), ) + // convert the options for the session server + session_server_string = var.session_server == null ? "" : join("", + formatlist("%s", [ + "[session_server]\n", + format("listen_address = \"%s:%d\"\n", var.session_server.listen_address, var.session_server.port), + format("advertise_address = \"%q:%d\"\n", var.session_server.advertise_address, var.session_server.port), + format("session_timeout = %s\n", var.session_server.timeout) + ] + ) + ) + // Ensure max builds is optional runners_max_builds_string = var.runners_max_builds == 0 ? "" : format("MaxBuilds = %d", var.runners_max_builds) diff --git a/main.tf b/main.tf index 59ca7d6de..8dcd7b6ab 100644 --- a/main.tf +++ b/main.tf 
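Review bot: The `advertise_address` line in `session_server_string` uses `%q` inside an already-quoted string, so the rendered config.toml becomes `advertise_address = ""host.tld":8093"`, which is not valid TOML; the neighbouring `listen_address` line uses `%s` and this one should too: `format("advertise_address = \"%s:%d\"\n", var.session_server.advertise_address, var.session_server.port),`. The `formatlist("%s", [...])` wrapper around strings that are already formatted is a no-op, and `join("", [...])` alone reads more clearly. `session_timeout` is typed `number`, so `%d` would match the port formatting on the lines above, although `%s` also renders it.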
@@ -133,6 +133,7 @@ locals {
 runners_services_volumes_tmpfs = join(",", [for v in var.runners_services_volumes_tmpfs : format("\"%s\" = \"%s\"", v.volume, v.options)])
 bucket_name = local.bucket_name
 shared_cache = var.cache_shared
+ session_server_string = var.session_server == null ? "" : local.session_server_string
 }
 )
 }
@@ -158,6 +159,7 @@ resource "aws_autoscaling_group" "gitlab_runner_instance" {
 max_size = "1"
 desired_capacity = "1"
 health_check_grace_period = 0
+ target_group_arns = [var.session_server != null && var.session_server.listener_arn != "" ? aws_alb_target_group.session_server[0].arn : null]
 launch_configuration = aws_launch_configuration.gitlab_runner_instance.name
 enabled_metrics = var.metrics_autoscaling
 tags = data.null_data_source.agent_tags.*.outputs
@@ -406,3 +408,32 @@ resource "aws_iam_role_policy_attachment" "eip" {
 role = aws_iam_role.instance.name
 policy_arn = aws_iam_policy.eip[0].arn
 }
+
+################################################################################
+### Session server ALB support
+################################################################################
+resource "aws_alb_listener_rule" "session_server" {
+ count = var.session_server != null && var.session_server.listener_arn != "" ? 1 : 0
+
+ listener_arn = var.session_server.listener_arn
+
+ action {
+ type = "forward"
+ target_group_arn = aws_alb_target_group.session_server[0].arn
+ }
+
+ condition {
+ host_header {
+ values = [var.session_server.advertise_address]
+ }
+ }
+}
+
+resource "aws_alb_target_group" "session_server" {
+ count = var.session_server != null && var.session_server.listener_arn != "" ? 1 : 0
+
+ name = "${var.environment}-session-server"
+ port = var.session_server.port
+ protocol = "HTTP"
+ vpc_id = var.vpc_id
+}
diff --git a/security_groups.tf b/security_groups.tf
index 28b391651..b679bdd68 100644
--- a/security_groups.tf
+++ b/security_groups.tf
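Review bot: `target_group_arns` in the `aws_autoscaling_group` hunk becomes `[null]` whenever the session server or its `listener_arn` is unset, and a null element in that set of ARNs is likely to be rejected at plan time or to show up as a perpetual diff; building the list conditionally avoids the null element: `target_group_arns = var.session_server != null && var.session_server.listener_arn != "" ? [aws_alb_target_group.session_server[0].arn] : []`. In the `aws_alb_target_group` hunk `protocol = "HTTP"` assumes the runner's session server speaks plain HTTP on `port`, but the runner documentation describes the session server as serving TLS with a certificate it generates itself; if that holds for the runner version deployed here, the target group and its default health check will never reach the backend and `protocol = "HTTPS"` plus an explicit `health_check` block would be needed, so this is worth confirming against a running instance. The enable condition `var.session_server != null && var.session_server.listener_arn != ""` is now repeated in three places in this file; a single `local` would keep them from drifting apart.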
@@ -74,6 +74,19 @@ resource "aws_security_group_rule" "runner_ping" { ) } +# Allow incoming traffic for the session server to gitlab-runner agent instances +resource "aws_security_group_rule" "runner_session_server" { + count = length(var.session_server) > 0 ? 1 : 0 + + type = "ingress" + from_port = var.session_server["port"] + to_port = var.session_server["port"] + protocol = "tcp" + + cidr_blocks = var.session_server["incoming_cidr_blocks"] + security_group_id = aws_security_group.runner.id +} + ######################################## ## Security group IDs to runner agent ## ######################################## @@ -97,6 +110,19 @@ resource "aws_security_group_rule" "runner_ssh_group" { ) } +# Allow incoming traffic for the session server from allowed security groups to gitlab-runner agent instances +resource "aws_security_group_rule" "runner_session_server_group" { + count = length(var.session_server) > 0 && var.session_server["listener_arn"] != "" ? 1 : 0 + + type = "ingress" + from_port = var.session_server["port"] + to_port = var.session_server["port"] + protocol = "tcp" + + source_security_group_id = var.session_server["alb_security_group_id"] + security_group_id = aws_security_group.runner.id +} + # Allow ICMP traffic from allowed security group IDs to gitlab-runner agent instances resource "aws_security_group_rule" "runner_ping_group" { count = length(var.gitlab_runner_security_group_ids) > 0 && var.enable_ping ? length(var.gitlab_runner_security_group_ids) : 0 diff --git a/template/runner-config.tpl b/template/runner-config.tpl index 02c578a5e..9ccdbab3c 100644 --- a/template/runner-config.tpl +++ b/template/runner-config.tpl @@ -1,6 +1,8 @@ concurrent = ${runners_concurrent} check_interval = 0 +${session_server_string} + [[runners]] name = "${runners_name}" url = "${gitlab_url}" 
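Review bot: `count = length(var.session_server) > 0 ? 1 : 0` in `runner_session_server` calls `length()` on an object, and with the variable's `default = null` the call errors instead of yielding 0, so a deployment that does not configure the session server fails to plan; `runner_session_server_group` in the second hunk has the same expression. The other files gate on the variable itself and these two rules should match: `count = var.session_server != null ? 1 : 0` and `count = var.session_server != null && var.session_server.listener_arn != "" ? 1 : 0`. The CIDR rule also opens `port` to `incoming_cidr_blocks` whenever the session server is configured, including the ALB case where only the ALB security group should reach the instance; gating the CIDR rule on `listener_arn == ""`, or documenting that `incoming_cidr_blocks` must be empty when an ALB is used, keeps the session port from being reachable both directly and through the ALB.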
@@ -63,4 +65,5 @@ check_interval = 0
 ${runners_off_peak_idle_count}
 ${runners_off_peak_idle_time}
 ${runners_off_peak_periods_string}
- ${runners_machine_autoscaling}
\ No newline at end of file
+
+${runners_machine_autoscaling}
diff --git a/variables.tf b/variables.tf
index bd639f5bc..0c74b314f 100644
--- a/variables.tf
+++ b/variables.tf
@@ -633,3 +633,26 @@ variable "runner_iam_policy_arns" {
 description = "List of policy ARNs to be added to the instance profile of the gitlab runner agent ec2 instance."
 default = []
 }
+
+variable "session_server" {
+ description = "Enables the session server support."
+ type = object({
+ timeout = number
+ port = number
+ listen_address = string
+ advertise_address = string
+ listener_arn = string
+ alb_security_group_id = string
+ incoming_cidr_blocks = list(string)
+ }
+ )
+
+ default = null
+ # session_timeout - Time in seconds how long the session stays active after the job completes. (1800)
+ # port - Port which is used to connect to the session server. Don't forget to expose this port if you use the docker runner image. (8093)
+ # listen_address - Listen address of the session server, e.g. [::] without a port. Session_server_port is used for the port.
+ # advertise_address - The URL exposed to Gitlab used to access the session server, e.g. runner-host-name.tld. session_server_port is used for the port.
+ # listener_arn - ALB listener ARN to connect the session server to the outside. An EIP can be used instead (see enable_eip).
+ # alb_security_group_id - ID of the security group belonging to the ALB to restrict the traffic to the session_server.
+ # incoming_cidr_blocks - CIDR blocks which are allowed to connect to the session server.
+}
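Review bot: The attribute comments under `default = null` in `variable "session_server"` do not match the object's attribute names: the comment says `session_timeout` while the attribute is `timeout`, and the `listen_address`/`advertise_address` comments refer to `Session_server_port`/`session_server_port`, which does not exist (the attribute is `port`); the README rows added in this commit likewise document flat `session_server_advertise_address`, `session_server_listen_address` and `session_server_session_timeout` inputs that the module does not declare. I would fold the attribute list into `description` (comments inside a variable block are not picked up by README generators such as terraform-docs), rename them to `timeout` and `port`, and regenerate the README table from the object variable. Because the object type marks every attribute as required, callers must supply `listener_arn`, `alb_security_group_id` and `incoming_cidr_blocks` even when they are unused, so the description should state which empty values (`""`, `[]`) disable the ALB and CIDR paths. If the module's minimum Terraform version supports it, a `validation` block on `port` (1 to 65535) would catch a typo before the security group and target group resources fail at apply time.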
"scale_in_count": 0,
"scale_in_recurrence": "0 18 * * 1-5",
"scale_out_count": 1,
"scale_out_recurrence": "0 8 * * 1-5"
}