From be2c5a9d63816001a64aedd7ea93b92406bd98ec Mon Sep 17 00:00:00 2001 From: Matthias Kay Date: Mon, 27 Jul 2020 13:36:30 +0200 Subject: [PATCH 01/20] Add [session_server] section. --- template/runner-config.tpl | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/template/runner-config.tpl b/template/runner-config.tpl index 29fe6ef5a..b0af77834 100644 --- a/template/runner-config.tpl +++ b/template/runner-config.tpl @@ -62,3 +62,8 @@ check_interval = 0 OffPeakIdleCount = ${runners_off_peak_idle_count} OffPeakIdleTime = ${runners_off_peak_idle_time} ${runners_off_peak_periods_string} + +[session_server] + listen_address = "${session_server_listen_address" + advertise_address = "${session_server_external_url}" + session_timeout = ${session_server_session_timeout} From 4d1940f43d8b8ceca41f57fd6ebff43694941222 Mon Sep 17 00:00:00 2001 From: Matthias Kay Date: Tue, 28 Jul 2020 22:52:48 +0200 Subject: [PATCH 02/20] Add session_server configuration variables. --- locals.tf | 6 ++++++ main.tf | 1 + template/runner-config.tpl | 5 +---- variables.tf | 18 ++++++++++++++++++ 4 files changed, 26 insertions(+), 4 deletions(-) diff --git a/locals.tf b/locals.tf index 558d0e183..6dff823b6 100644 --- a/locals.tf +++ b/locals.tf @@ -5,6 +5,12 @@ locals { join(",", formatlist("%q", var.docker_machine_options)), ) + // convert the options for the session server + session_server_string = join("", formatlist("%s", ["[session_server]", + format("listen_address = %q", var.session_server_listen_address), + format("advertise_address = %q", var.session_server_advertise_address), + format("session_timeout = %s", var.session_server_session_timeout)])) + // Ensure off peak is optional runners_off_peak_periods_string = var.runners_off_peak_periods == "" ? "" : format("OffPeakPeriods = %s", var.runners_off_peak_periods) diff --git a/main.tf b/main.tf index 2db4bf3ba..9af4e481d 100644 --- a/main.tf +++ b/main.tf 
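Review bot: `listen_address = "${session_server_listen_address"` is missing the closing `}` of the interpolation, so the template cannot render, and `${session_server_external_url}` is not a template variable this series ever defines (patch 02 introduces `session_server_advertise_address` instead). The whole section is replaced by `${session_server_string}` in patch 02, so this commit cannot be applied on its own if the series is bisected; either squash it into patch 02 or correct the line to `listen_address = "${session_server_listen_address}"` and feed `advertise_address` from the variable that actually exists.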
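Review bot: `session_server_string = join("", formatlist("%s", [...]))` concatenates the four pieces with no separator, so the rendered config reads `[session_server]listen_address = "..."advertise_address = ...` on a single line, which is not valid TOML and will keep the runner from loading its config whenever the feature is enabled. Use `join("\n", ...)` or terminate each format string with `\n`. The series only adds the newlines in patch 17, so every intermediate commit ships an unparsable `[session_server]` block.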
@@ -132,6 +132,7 @@ locals { runners_services_volumes_tmpfs = join(",", [for v in var.runners_services_volumes_tmpfs : format("\"%s\" = \"%s\"", v.volume, v.options)]) bucket_name = local.bucket_name shared_cache = var.cache_shared + session_server_string = length(var.session_server_listen_address) == 0 ? "" : local.session_server_string } ) } diff --git a/template/runner-config.tpl b/template/runner-config.tpl index b0af77834..08b110e68 100644 --- a/template/runner-config.tpl +++ b/template/runner-config.tpl @@ -63,7 +63,4 @@ check_interval = 0 OffPeakIdleTime = ${runners_off_peak_idle_time} ${runners_off_peak_periods_string} -[session_server] - listen_address = "${session_server_listen_address" - advertise_address = "${session_server_external_url}" - session_timeout = ${session_server_session_timeout} +${session_server_string} diff --git a/variables.tf b/variables.tf index 81f9a256e..a843c3c96 100644 --- a/variables.tf +++ b/variables.tf @@ -578,3 +578,21 @@ variable "log_group_name" { default = null type = string } + +variable "session_server_session_timeout" { + description = "Time in seconds how long the session stays active after the job completes." + default = 1800 + type = number +} + +variable "session_server_listen_address" { + description = "Listen address of the session server, e.g. [::]:8093. Don't forget to expose this port if you use the docker runner image." + default = "" + type = string +} + +variable "session_server_advertise_address" { + description = "The URL exposed to Gitlab used to access the session server, e.g. runner-host-name.tld:8093" + default = "" + type = string +} From 60fa02206ed701783773f6489207b6ed7ac229ed Mon Sep 17 00:00:00 2001 From: Matthias Kay Date: Tue, 28 Jul 2020 23:03:20 +0200 Subject: [PATCH 03/20] Format issue --- locals.tf | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/locals.tf b/locals.tf index 6dff823b6..d7a48a9e5 100644 --- a/locals.tf +++ b/locals.tf 
@@ -6,10 +6,15 @@ locals { ) // convert the options for the session server - session_server_string = join("", formatlist("%s", ["[session_server]", - format("listen_address = %q", var.session_server_listen_address), - format("advertise_address = %q", var.session_server_advertise_address), - format("session_timeout = %s", var.session_server_session_timeout)])) + session_server_string = join("", + formatlist("%s", [ + "[session_server]", + format("listen_address = %q", var.session_server_listen_address), + format("advertise_address = %q", var.session_server_advertise_address), + format("session_timeout = %s", var.session_server_session_timeout) + ] + ) + ) // Ensure off peak is optional runners_off_peak_periods_string = var.runners_off_peak_periods == "" ? "" : format("OffPeakPeriods = %s", var.runners_off_peak_periods) From 52183fba85120a3bfac6f933cf1d0b20fe284d61 Mon Sep 17 00:00:00 2001 From: Matthias Kay Date: Thu, 13 Aug 2020 10:22:25 +0200 Subject: [PATCH 04/20] Add new parameters --- README.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/README.md b/README.md index 338f3fd07..e18dfd84b 100644 --- a/README.md +++ b/README.md @@ -354,6 +354,9 @@ terraform destroy | runners\_volumes\_tmpfs | n/a |
list(object({
volume = string
options = string
}))
| `[]` | no | | schedule\_config | Map containing the configuration of the ASG scale-in and scale-up for the runner instance. Will only be used if enable\_schedule is set to true. | `map` |
{
"scale_in_count": 0,
"scale_in_recurrence": "0 18 * * 1-5",
"scale_out_count": 1,
"scale_out_recurrence": "0 8 * * 1-5"
}
| no | | secure\_parameter\_store\_runner\_token\_key | The key name used store the Gitlab runner token in Secure Parameter Store | `string` | `"runner-token"` | no | +| session\_server\_advertise\_address | The URL exposed to Gitlab used to access the session server, e.g. runner-host-name.tld:8093 | `string` | `""` | no | +| session\_server\_listen\_address | Listen address of the session server, e.g. [::]:8093. Don't forget to expose this port if you use the docker runner image. | `string` | `""` | no | +| session\_server\_session\_timeout | Time in seconds how long the session stays active after the job completes. | `number` | `1800` | no | | ssh\_key\_pair | Set this to use existing AWS key pair | `string` | `null` | no | | subnet\_id\_runners | List of subnets used for hosting the gitlab-runners. | `string` | n/a | yes | | subnet\_ids\_gitlab\_runner | Subnet used for hosting the GitLab runner. | `list(string)` | n/a | yes | From 14f998c09b0fc4610e4f2c490b420ebe8ed5aee7 Mon Sep 17 00:00:00 2001 From: Matthias Kay Date: Fri, 4 Sep 2020 10:42:40 +0200 Subject: [PATCH 05/20] Add support for session server ALB --- main.tf | 30 ++++++++++++++++++++++++++++++ variables.tf | 6 ++++++ 2 files changed, 36 insertions(+) diff --git a/main.tf b/main.tf index 0d5818617..a64acb9c2 100644 --- a/main.tf +++ b/main.tf @@ -159,6 +159,7 @@ resource "aws_autoscaling_group" "gitlab_runner_instance" { max_size = "1" desired_capacity = "1" health_check_grace_period = 0 + target_group_arns = [var.session_server_listener_arn > '' ? aws_alb_target_group.session_server.arn : ''] launch_configuration = aws_launch_configuration.gitlab_runner_instance.name enabled_metrics = var.metrics_autoscaling tags = data.null_data_source.agent_tags.*.outputs 
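Review bot: `target_group_arns = [var.session_server_listener_arn > '' ? aws_alb_target_group.session_server.arn : '']` has three defects: single quotes are not string delimiters in HCL, `>` is not defined for strings, and when the feature is disabled the ASG still receives a one-element list whose element is an empty string rather than a target group ARN. Patches 07, 09, 11 and 18 repair the quoting, the operator and the `[0]` index but keep the one-element list (`""`, later `null`); the disabled case should produce an empty list: `target_group_arns = var.session_server_listener_arn != "" ? [aws_alb_target_group.session_server[0].arn] : []`. The `aws_autoscaling_group` resource begins before this hunk.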
@@ -406,3 +407,32 @@ resource "aws_iam_role_policy_attachment" "eip" { role = aws_iam_role.instance.name policy_arn = aws_iam_policy.eip[0].arn } + +################################################################################ +### Session server ALB support +################################################################################ +resource "aws_alb_listener_rule" "session_server" { + count = var.session_server_listener_arn > "" ? 1 : 0 + + listener_arn = var.session_server_listener_arn + + action { + type = "forward" + target_group_arn = aws_alb_target_group.session_server.arn + } + + condition { + host_header { + values = ["to be replaced"] + } + } +} + +resource "aws_alb_target_group" "session_server" { + count = var.session_server_listener_arn > "" ? 1 : 0 + + name = "${var.environment}-session-server" + port = 9999 + protocol = "HTTP" + vpc_id = var.vpc_id +} diff --git a/variables.tf b/variables.tf index 89039cc05..752f5f7d2 100644 --- a/variables.tf +++ b/variables.tf @@ -613,3 +613,9 @@ variable "session_server_advertise_address" { default = "" type = string } + +variable "session_server_listener_arn" { + description = "ALB listener ARN to connect the session server to the outside. An EIP can be used instead (see enable_eip)." + default = "" + type = string +} From 2ede6f5bb2621f8fff2eab3e9ebdd3643ab7d540 Mon Sep 17 00:00:00 2001 From: Matthias Kay Date: Fri, 4 Sep 2020 11:07:10 +0200 Subject: [PATCH 06/20] Add security groups to protect the session server --- main.tf | 4 ++-- security_groups.tf | 26 ++++++++++++++++++++++++++ variables.tf | 21 +++++++++++++++++++-- 3 files changed, 47 insertions(+), 4 deletions(-) diff --git a/main.tf b/main.tf index a64acb9c2..693e236a1 100644 --- a/main.tf +++ b/main.tf @@ -423,7 +423,7 @@ resource "aws_alb_listener_rule" "session_server" { condition { host_header { - values = ["to be replaced"] + values = [var.session_server_advertise_address] } } } 
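Review bot: `aws_alb_target_group.session_server` is declared with `count`, so `target_group_arn = aws_alb_target_group.session_server.arn` in the listener rule needs the `[0]` index (patch 11 adds it), and `values = ["to be replaced"]` is a placeholder that only patch 06 fills with the advertised hostname. The target group uses `protocol = "HTTP"` and has no `health_check` block; as far as I recall the runner's session server presents its own certificate and speaks TLS, in which case the ALB would need an HTTPS target group to reach it and the default HTTP health check against `/` would mark the instance unhealthy — confirm the backend protocol against the GitLab Runner documentation before relying on this path. A short comment above the target group stating which protocol and health-check path the session server answers on would make the intent verifiable for the next reader.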
@@ -432,7 +432,7 @@ resource "aws_alb_target_group" "session_server" { count = var.session_server_listener_arn > "" ? 1 : 0 name = "${var.environment}-session-server" - port = 9999 + port = var.session_server_port protocol = "HTTP" vpc_id = var.vpc_id } diff --git a/security_groups.tf b/security_groups.tf index ad1c99ab7..a3a1bd9ad 100644 --- a/security_groups.tf +++ b/security_groups.tf @@ -64,6 +64,19 @@ resource "aws_security_group_rule" "runner_ping" { ) } +# Allow incoming traffic for the session server to gitlab-runner agent instances +resource "aws_security_group_rule" "runner_session_server" { + count = var.session_server_listen_address > '' && var.enable_eip > 0 ? 1 : 0 + + type = "ingress" + from_port = var.session_server_port + to_port = var.session_server_port + protocol = "tcp" + + cidr_blocks = var.gitlab_runner_session_server_cidr_blocks + security_group_id = aws_security_group.runner.id +} + ######################################## ## Security group IDs to runner agent ## ######################################## @@ -87,6 +100,19 @@ resource "aws_security_group_rule" "runner_ssh_group" { ) } +# Allow incoming traffic for the session server from allowed security groups to gitlab-runner agent instances +resource "aws_security_group_rule" "runner_session_server" { + count = var.session_server_listen_address > '' && var.session_server_listener_arn > '' ? 1 : 0 + + type = "ingress" + from_port = var.session_server_port + to_port = var.session_server_port + protocol = "tcp" + + source_security_group_id = var.session_server_alb_security_group_id + security_group_id = aws_security_group.runner.id +} + # Allow ICMP traffic from allowed security group IDs to gitlab-runner agent instances resource "aws_security_group_rule" "runner_ping_group" { count = length(var.gitlab_runner_security_group_ids) > 0 && var.enable_ping ? length(var.gitlab_runner_security_group_ids) : 0 diff --git a/variables.tf b/variables.tf index 752f5f7d2..5cb8b85d6 100644 --- a/variables.tf 
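Review bot: Setting aside the syntax (repaired in patches 07 and 09), `count = var.session_server_listen_address > '' && var.enable_eip > 0 ? 1 : 0` creates the ingress rule with `cidr_blocks = []` whenever `gitlab_runner_session_server_cidr_blocks` is left at its default, which AWS rejects at apply time; gating the count on a non-empty allow-list keeps the port closed until the operator opts in: `count = var.session_server_listen_address != "" && var.enable_eip && length(var.gitlab_runner_session_server_cidr_blocks) > 0 ? 1 : 0`. The second hunk in this file reuses the resource name `runner_session_server`, which Terraform rejects as a duplicate (patch 07 renames it to `runner_session_server_group`). Because this rule exposes the port that carries job terminal sessions, a comment such as `# Restrict to the addresses of the GitLab instance that connects to the session server; do not use 0.0.0.0/0` would help operators choose the allow-list.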
+++ b/variables.tf @@ -602,14 +602,19 @@ variable "session_server_session_timeout" { type = number } +variable "session_server_port" { + description = "Port which is used to connect to the session server. Don't forget to expose this port if you use the docker runner image." + default = 8093 + type = number +} variable "session_server_listen_address" { - description = "Listen address of the session server, e.g. [::]:8093. Don't forget to expose this port if you use the docker runner image." + description = "Listen address of the session server, e.g. [::] without a port. Session_server_port is used for the port." default = "" type = string } variable "session_server_advertise_address" { - description = "The URL exposed to Gitlab used to access the session server, e.g. runner-host-name.tld:8093" + description = "The URL exposed to Gitlab used to access the session server, e.g. runner-host-name.tld. session_server_port is used for the port." default = "" type = string } @@ -619,3 +624,15 @@ variable "session_server_listener_arn" { default = "" type = string } + +variable "session_server_alb_security_group_id" { + description = "ID of the security group belonging to the ALB to restrict the traffic to the session_server." + default = "" + type = string +} + +variable "gitlab_runner_session_server_cidr_blocks" { + description = "CIDR blocks which are allowed to connect to the session server." + default = [] + type = list(string) +} From c53f8d01810b3c80ebd3956cc3f69b8e0f29864a Mon Sep 17 00:00:00 2001 From: Matthias Kay Date: Fri, 4 Sep 2020 11:15:54 +0200 Subject: [PATCH 07/20] Fix verification errors --- main.tf | 2 +- security_groups.tf | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/main.tf b/main.tf index 693e236a1..073d339d6 100644 --- a/main.tf +++ b/main.tf 
@@ -159,7 +159,7 @@ resource "aws_autoscaling_group" "gitlab_runner_instance" { max_size = "1" desired_capacity = "1" health_check_grace_period = 0 - target_group_arns = [var.session_server_listener_arn > '' ? aws_alb_target_group.session_server.arn : ''] + target_group_arns = [var.session_server_listener_arn > "" ? aws_alb_target_group.session_server.arn : ""] launch_configuration = aws_launch_configuration.gitlab_runner_instance.name enabled_metrics = var.metrics_autoscaling tags = data.null_data_source.agent_tags.*.outputs diff --git a/security_groups.tf b/security_groups.tf index a3a1bd9ad..a68a2a44b 100644 --- a/security_groups.tf +++ b/security_groups.tf @@ -66,7 +66,7 @@ resource "aws_security_group_rule" "runner_ping" { # Allow incoming traffic for the session server to gitlab-runner agent instances resource "aws_security_group_rule" "runner_session_server" { - count = var.session_server_listen_address > '' && var.enable_eip > 0 ? 1 : 0 + count = var.session_server_listen_address > "" && var.enable_eip > 0 ? 1 : 0 type = "ingress" from_port = var.session_server_port @@ -101,8 +101,8 @@ resource "aws_security_group_rule" "runner_ssh_group" { } # Allow incoming traffic for the session server from allowed security groups to gitlab-runner agent instances -resource "aws_security_group_rule" "runner_session_server" { - count = var.session_server_listen_address > '' && var.session_server_listener_arn > '' ? 1 : 0 +resource "aws_security_group_rule" "runner_session_server_group" { + count = var.session_server_listen_address > "" && var.session_server_listener_arn > "" ? 1 : 0 type = "ingress" from_port = var.session_server_port From ae6e0c7637c3485a911eb00dd8dc52735d49eb70 Mon Sep 17 00:00:00 2001 From: Matthias Kay Date: Fri, 4 Sep 2020 11:17:24 +0200 Subject: [PATCH 08/20] Correct formatting --- security_groups.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security_groups.tf b/security_groups.tf index a68a2a44b..1afe6f82d 100644 
--- a/security_groups.tf +++ b/security_groups.tf @@ -110,7 +110,7 @@ resource "aws_security_group_rule" "runner_session_server_group" { protocol = "tcp" source_security_group_id = var.session_server_alb_security_group_id - security_group_id = aws_security_group.runner.id + security_group_id = aws_security_group.runner.id } # Allow ICMP traffic from allowed security group IDs to gitlab-runner agent instances From fb898be14bb00d179bf18839b284eac7d285e8fb Mon Sep 17 00:00:00 2001 From: Matthias Kay Date: Fri, 4 Sep 2020 11:23:22 +0200 Subject: [PATCH 09/20] Correct string comparison --- main.tf | 4 ++-- security_groups.tf | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/main.tf b/main.tf index 073d339d6..00edfd49a 100644 --- a/main.tf +++ b/main.tf @@ -412,7 +412,7 @@ resource "aws_iam_role_policy_attachment" "eip" { ### Session server ALB support ################################################################################ resource "aws_alb_listener_rule" "session_server" { - count = var.session_server_listener_arn > "" ? 1 : 0 + count = var.session_server_listener_arn != "" ? 1 : 0 listener_arn = var.session_server_listener_arn @@ -429,7 +429,7 @@ resource "aws_alb_listener_rule" "session_server" { } resource "aws_alb_target_group" "session_server" { - count = var.session_server_listener_arn > "" ? 1 : 0 + count = var.session_server_listener_arn != "" ? 1 : 0 name = "${var.environment}-session-server" port = var.session_server_port diff --git a/security_groups.tf b/security_groups.tf index 1afe6f82d..f120025d9 100644 --- a/security_groups.tf +++ b/security_groups.tf 
@@ -66,7 +66,7 @@ resource "aws_security_group_rule" "runner_ping" { # Allow incoming traffic for the session server to gitlab-runner agent instances resource "aws_security_group_rule" "runner_session_server" { - count = var.session_server_listen_address > "" && var.enable_eip > 0 ? 1 : 0 + count = var.session_server_listen_address != "" && var.enable_eip ? 1 : 0 type = "ingress" from_port = var.session_server_port @@ -102,7 +102,7 @@ resource "aws_security_group_rule" "runner_ssh_group" { # Allow incoming traffic for the session server from allowed security groups to gitlab-runner agent instances resource "aws_security_group_rule" "runner_session_server_group" { - count = var.session_server_listen_address > "" && var.session_server_listener_arn > "" ? 1 : 0 + count = var.session_server_listen_address != "" && var.session_server_listener_arn != "" ? 1 : 0 type = "ingress" from_port = var.session_server_port From ed780bf21ac65183e7385077153c9da8f27de424 Mon Sep 17 00:00:00 2001 From: Matthias Kay Date: Fri, 4 Sep 2020 11:26:33 +0200 Subject: [PATCH 10/20] Use correct format --- security_groups.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security_groups.tf b/security_groups.tf index f120025d9..e267acabe 100644 --- a/security_groups.tf +++ b/security_groups.tf @@ -66,7 +66,7 @@ resource "aws_security_group_rule" "runner_ping" { # Allow incoming traffic for the session server to gitlab-runner agent instances resource "aws_security_group_rule" "runner_session_server" { - count = var.session_server_listen_address != "" && var.enable_eip ? 1 : 0 + count = var.session_server_listen_address != "" && var.enable_eip ? 1 : 0 type = "ingress" from_port = var.session_server_port From e056c36497afb209df3f10e720ddbf4e6de60125 Mon Sep 17 00:00:00 2001 From: Matthias Kay Date: Fri, 4 Sep 2020 11:29:31 +0200 Subject: [PATCH 11/20] Fix errors --- main.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/main.tf b/main.tf index 00edfd49a..32b98454b 100644 --- a/main.tf +++ b/main.tf @@ -159,7 +159,7 @@ resource "aws_autoscaling_group" "gitlab_runner_instance" { max_size = "1" desired_capacity = "1" health_check_grace_period = 0 - target_group_arns = [var.session_server_listener_arn > "" ? aws_alb_target_group.session_server.arn : ""] + target_group_arns = [var.session_server_listener_arn != "" ? aws_alb_target_group.session_server[0].arn : ""] launch_configuration = aws_launch_configuration.gitlab_runner_instance.name enabled_metrics = var.metrics_autoscaling tags = data.null_data_source.agent_tags.*.outputs @@ -418,7 +418,7 @@ resource "aws_alb_listener_rule" "session_server" { action { type = "forward" - target_group_arn = aws_alb_target_group.session_server.arn + target_group_arn = aws_alb_target_group.session_server[0].arn } condition { From 27bf9cde678c252c1e26b65dc5566c4c411fe105 Mon Sep 17 00:00:00 2001 From: Matthias Kay Date: Thu, 12 Nov 2020 10:28:44 +0100 Subject: [PATCH 12/20] Rename variable to match 'session_server' prefix --- security_groups.tf | 2 +- variables.tf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/security_groups.tf b/security_groups.tf index 98d3993e8..b42eb0fa8 100644 --- a/security_groups.tf +++ b/security_groups.tf @@ -83,7 +83,7 @@ resource "aws_security_group_rule" "runner_session_server" { to_port = var.session_server_port protocol = "tcp" - cidr_blocks = var.gitlab_runner_session_server_cidr_blocks + cidr_blocks = var.session_server_gitlab_runner_cidr_blocks security_group_id = aws_security_group.runner.id } diff --git a/variables.tf b/variables.tf index 00ce849fe..2d178f490 100644 --- a/variables.tf +++ b/variables.tf 
@@ -669,7 +669,7 @@ variable "session_server_alb_security_group_id" { type = string } -variable "gitlab_runner_session_server_cidr_blocks" { +variable "session_server_gitlab_runner_cidr_blocks" { description = "CIDR blocks which are allowed to connect to the session server." default = [] type = list(string) From 9d1988d502bfe3161bd66101a90544e7da82b73d Mon Sep 17 00:00:00 2001 From: Matthias Kay Date: Thu, 12 Nov 2020 10:47:58 +0100 Subject: [PATCH 13/20] Refactor variables and use a map instead of single variables --- locals.tf | 6 +++--- main.tf | 14 ++++++------- security_groups.tf | 16 +++++++-------- variables.tf | 49 +++++++++++----------------------------------- 4 files changed, 29 insertions(+), 56 deletions(-) diff --git a/locals.tf b/locals.tf index a114e01ff..9adbb7f28 100644 --- a/locals.tf +++ b/locals.tf @@ -9,9 +9,9 @@ locals { session_server_string = join("", formatlist("%s", [ "[session_server]", - format("listen_address = %q", var.session_server_listen_address), - format("advertise_address = %q", var.session_server_advertise_address), - format("session_timeout = %s", var.session_server_session_timeout) + format("listen_address = %q", var.session_server["listen_address"]), + format("advertise_address = %q", var.session_server["advertise_address"]), + format("session_timeout = %s", var.session_server["timeout"]) ] ) ) diff --git a/main.tf b/main.tf index 1053f79c7..76bb066e8 100644 --- a/main.tf +++ b/main.tf @@ -133,7 +133,7 @@ locals { runners_services_volumes_tmpfs = join(",", [for v in var.runners_services_volumes_tmpfs : format("\"%s\" = \"%s\"", v.volume, v.options)]) bucket_name = local.bucket_name shared_cache = var.cache_shared - session_server_string = length(var.session_server_listen_address) == 0 ? "" : local.session_server_string + session_server_string = length(var.session_server) == 0 ? "" : local.session_server_string } ) } 
@@ -159,7 +159,7 @@ resource "aws_autoscaling_group" "gitlab_runner_instance" { max_size = "1" desired_capacity = "1" health_check_grace_period = 0 - target_group_arns = [var.session_server_listener_arn != "" ? aws_alb_target_group.session_server[0].arn : ""] + target_group_arns = [var.session_server["listener_arn"] != "" ? aws_alb_target_group.session_server[0].arn : ""] launch_configuration = aws_launch_configuration.gitlab_runner_instance.name enabled_metrics = var.metrics_autoscaling tags = data.null_data_source.agent_tags.*.outputs @@ -413,9 +413,9 @@ resource "aws_iam_role_policy_attachment" "eip" { ### Session server ALB support ################################################################################ resource "aws_alb_listener_rule" "session_server" { - count = var.session_server_listener_arn != "" ? 1 : 0 + count = length(var.session_server) > 0 && var.session_server["listener_arn"] != "" ? 1 : 0 - listener_arn = var.session_server_listener_arn + listener_arn = var.session_server["listener_arn"] action { type = "forward" @@ -424,16 +424,16 @@ resource "aws_alb_listener_rule" "session_server" { condition { host_header { - values = [var.session_server_advertise_address] + values = [var.session_server["advertise_address"]] } } } resource "aws_alb_target_group" "session_server" { - count = var.session_server_listener_arn != "" ? 1 : 0 + count = length(var.session_server) > 0 && var.session_server["listener_arn"] != "" ? 1 : 0 name = "${var.environment}-session-server" - port = var.session_server_port + port = var.session_server["port"] protocol = "HTTP" vpc_id = var.vpc_id } diff --git a/security_groups.tf b/security_groups.tf index b42eb0fa8..b679bdd68 100644 --- a/security_groups.tf +++ b/security_groups.tf 
@@ -76,14 +76,14 @@ resource "aws_security_group_rule" "runner_ping" { # Allow incoming traffic for the session server to gitlab-runner agent instances resource "aws_security_group_rule" "runner_session_server" { - count = var.session_server_listen_address != "" && var.enable_eip ? 1 : 0 + count = length(var.session_server) > 0 ? 1 : 0 type = "ingress" - from_port = var.session_server_port - to_port = var.session_server_port + from_port = var.session_server["port"] + to_port = var.session_server["port"] protocol = "tcp" - cidr_blocks = var.session_server_gitlab_runner_cidr_blocks + cidr_blocks = var.session_server["incoming_cidr_blocks"] security_group_id = aws_security_group.runner.id } @@ -112,14 +112,14 @@ resource "aws_security_group_rule" "runner_ssh_group" { # Allow incoming traffic for the session server from allowed security groups to gitlab-runner agent instances resource "aws_security_group_rule" "runner_session_server_group" { - count = var.session_server_listen_address != "" && var.session_server_listener_arn != "" ? 1 : 0 + count = length(var.session_server) > 0 && var.session_server["listener_arn"] != "" ? 1 : 0 type = "ingress" - from_port = var.session_server_port - to_port = var.session_server_port + from_port = var.session_server["port"] + to_port = var.session_server["port"] protocol = "tcp" - source_security_group_id = var.session_server_alb_security_group_id + source_security_group_id = var.session_server["alb_security_group_id"] security_group_id = aws_security_group.runner.id } diff --git a/variables.tf b/variables.tf index 2d178f490..ad4305cb9 100644 --- a/variables.tf +++ b/variables.tf 
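Review bot: The CIDR-based rule's gate becomes `count = length(var.session_server) > 0 ? 1 : 0`, which drops the `var.enable_eip` condition, so the session-server port is opened to `incoming_cidr_blocks` even in ALB-only deployments where the `runner_session_server_group` rule below is the intended entry point. Reinstating the EIP condition and requiring a non-empty list keeps the rule opt-in: `count = length(var.session_server) > 0 && var.enable_eip && length(var.session_server["incoming_cidr_blocks"]) > 0 ? 1 : 0`. Note also that with the `map(object)`/`map(string)` type the variable has in patches 13–15, `incoming_cidr_blocks` cannot hold a list at all; the object type introduced in patch 16 resolves that but keeps the dropped EIP condition.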
@@ -634,43 +634,16 @@ variable "runner_iam_policy_arns" { default = [] } -variable "session_server_session_timeout" { - description = "Time in seconds how long the session stays active after the job completes." - default = 1800 - type = number -} - -variable "session_server_port" { - description = "Port which is used to connect to the session server. Don't forget to expose this port if you use the docker runner image." - default = 8093 - type = number -} -variable "session_server_listen_address" { - description = "Listen address of the session server, e.g. [::] without a port. Session_server_port is used for the port." - default = "" - type = string -} - -variable "session_server_advertise_address" { - description = "The URL exposed to Gitlab used to access the session server, e.g. runner-host-name.tld. session_server_port is used for the port." - default = "" - type = string -} +variable "session_server" { + description = "Enables the session server support." + type = map(object) -variable "session_server_listener_arn" { - description = "ALB listener ARN to connect the session server to the outside. An EIP can be used instead (see enable_eip)." - default = "" - type = string -} - -variable "session_server_alb_security_group_id" { - description = "ID of the security group belonging to the ALB to restrict the traffic to the session_server." - default = "" - type = string -} - -variable "session_server_gitlab_runner_cidr_blocks" { - description = "CIDR blocks which are allowed to connect to the session server." - default = [] - type = list(string) + default = {} + # session_timeout - Time in seconds how long the session stays active after the job completes. (1800) + # port - Port which is used to connect to the session server. Don't forget to expose this port if you use the docker runner image. (8093) + # listen_address - Listen address of the session server, e.g. [::] without a port. Session_server_port is used for the port. 
+ # advertise_address - The URL exposed to Gitlab used to access the session server, e.g. runner-host-name.tld. session_server_port is used for the port. + # listener_arn - ALB listener ARN to connect the session server to the outside. An EIP can be used instead (see enable_eip). + # alb_security_group_id - ID of the security group belonging to the ALB to restrict the traffic to the session_server. + # incoming_cidr_blocks - CIDR blocks which are allowed to connect to the session server. } From 6a8fccaa2244d772c2b659e16ae368d11bf832d1 Mon Sep 17 00:00:00 2001 From: Matthias Kay Date: Thu, 12 Nov 2020 11:26:50 +0100 Subject: [PATCH 14/20] Fix syntax error --- variables.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/variables.tf b/variables.tf index ad4305cb9..2e7686faa 100644 --- a/variables.tf +++ b/variables.tf @@ -636,7 +636,7 @@ variable "runner_iam_policy_arns" { variable "session_server" { description = "Enables the session server support." - type = map(object) + type = map(string) default = {} # session_timeout - Time in seconds how long the session stays active after the job completes. (1800) From 1392baa1753322e080d903f754aa9552b8f9ee46 Mon Sep 17 00:00:00 2001 From: Matthias Kay Date: Thu, 12 Nov 2020 11:27:57 +0100 Subject: [PATCH 15/20] Fix indentation --- variables.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/variables.tf b/variables.tf index 2e7686faa..025f79f39 100644 --- a/variables.tf +++ b/variables.tf 
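Review bot: The comment block documents a `session_timeout` key, but locals.tf reads `var.session_server["timeout"]` and patch 16 declares the attribute as `timeout`, so a user following this comment gets a missing-key error; change the line to `# timeout - Time in seconds how long the session stays active after the job completes. (1800)`. `type = map(object)` is not a valid type constraint (patch 14 replaces it), and with `default = {}` the parenthesised defaults `(1800)` and `(8093)` are no longer applied anywhere, so either drop them from the comments or apply them in locals with `lookup(var.session_server, "timeout", 1800)`. The same comment block survives unchanged through patches 14–16.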
@@ -638,7 +638,7 @@ variable "session_server" { description = "Enables the session server support." type = map(string) - default = {} + default = {} # session_timeout - Time in seconds how long the session stays active after the job completes. (1800) # port - Port which is used to connect to the session server. Don't forget to expose this port if you use the docker runner image. (8093) # listen_address - Listen address of the session server, e.g. [::] without a port. Session_server_port is used for the port. From 8e90692b09ad252593ca19f1eaa9d3e821029d0f Mon Sep 17 00:00:00 2001 From: Matthias Kay Date: Thu, 19 Nov 2020 11:57:37 +0100 Subject: [PATCH 16/20] Fix syntax errors --- locals.tf | 8 ++++---- variables.tf | 13 +++++++++++-- 2 files changed, 15 insertions(+), 6 deletions(-) diff --git a/locals.tf b/locals.tf index 9adbb7f28..ce7c24a77 100644 --- a/locals.tf +++ b/locals.tf @@ -6,12 +6,12 @@ locals { ) // convert the options for the session server - session_server_string = join("", + session_server_string = var.session_server == null ? "" : join("", formatlist("%s", [ "[session_server]", - format("listen_address = %q", var.session_server["listen_address"]), - format("advertise_address = %q", var.session_server["advertise_address"]), - format("session_timeout = %s", var.session_server["timeout"]) + format("listen_address = %q", var.session_server.listen_address), + format("advertise_address = %q", var.session_server.advertise_address), + format("session_timeout = %s", var.session_server.timeout) ] ) ) diff --git a/variables.tf b/variables.tf index 025f79f39..0c74b314f 100644 --- a/variables.tf +++ b/variables.tf 
@@ -636,9 +636,18 @@ variable "runner_iam_policy_arns" { variable "session_server" { description = "Enables the session server support." - type = map(string) + type = object({ + timeout = number + port = number + listen_address = string + advertise_address = string + listener_arn = string + alb_security_group_id = string + incoming_cidr_blocks = list(string) + } + ) - default = {} + default = null # session_timeout - Time in seconds how long the session stays active after the job completes. (1800) # port - Port which is used to connect to the session server. Don't forget to expose this port if you use the docker runner image. (8093) # listen_address - Listen address of the session server, e.g. [::] without a port. Session_server_port is used for the port. From d932063a22906c7a7f7c7f614ea7ce2d7d669b94 Mon Sep 17 00:00:00 2001 From: Matthias Kay Date: Thu, 19 Nov 2020 14:18:48 +0100 Subject: [PATCH 17/20] Add port to listen/advertise address --- locals.tf | 8 ++++---- template/runner-config.tpl | 4 ++-- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/locals.tf b/locals.tf index ce7c24a77..68800d429 100644 --- a/locals.tf +++ b/locals.tf @@ -8,10 +8,10 @@ locals { // convert the options for the session server session_server_string = var.session_server == null ? "" : join("", formatlist("%s", [ - "[session_server]", - format("listen_address = %q", var.session_server.listen_address), - format("advertise_address = %q", var.session_server.advertise_address), - format("session_timeout = %s", var.session_server.timeout) + "[session_server]\n", + format("listen_address = %q:%d\n", var.session_server.listen_address, var.session_server.port), + format("advertise_address = %q:%d\n", var.session_server.advertise_address, var.session_server.port), + format("session_timeout = %s\n", var.session_server.timeout) ] ) ) diff --git a/template/runner-config.tpl b/template/runner-config.tpl index 25cf1a15c..9ccdbab3c 100644 --- a/template/runner-config.tpl 
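Review bot: The attribute comments still advertise defaults such as `(1800)` and `(8093)`, but an `object({...})` type with `default = null` carries no per-attribute defaults, so anyone who sets `session_server` must supply all seven attributes, including `listener_arn`, `alb_security_group_id` and `incoming_cidr_blocks`, or the plan fails. Either drop the parenthesised defaults from the comments or move the attribute documentation into `description`, where `terraform-docs` and `terraform console` surface it; comments placed after `default` inside the block are visible to neither. None of the main.tf hunks in this series reference `alb_security_group_id` or `incoming_cidr_blocks`, so unless they are consumed elsewhere the CIDR allow-list the comment promises is not enforced anywhere. The closing `+ }` / `+ )` on two separate lines is unconventional; the usual form is a single `})`.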
+++ b/template/runner-config.tpl @@ -1,6 +1,8 @@ concurrent = ${runners_concurrent} check_interval = 0 +${session_server_string} + [[runners]] name = "${runners_name}" url = "${gitlab_url}" @@ -64,6 +66,4 @@ check_interval = 0 ${runners_off_peak_idle_time} ${runners_off_peak_periods_string} -${session_server_string} - ${runners_machine_autoscaling} From aa4acd14004fd71964e29880511a4fa2d04a68b1 Mon Sep 17 00:00:00 2001 From: Matthias Kay Date: Thu, 19 Nov 2020 14:21:09 +0100 Subject: [PATCH 18/20] Check if session_server is set --- main.tf | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/main.tf b/main.tf index 76bb066e8..8701e1911 100644 --- a/main.tf +++ b/main.tf @@ -133,7 +133,7 @@ locals { runners_services_volumes_tmpfs = join(",", [for v in var.runners_services_volumes_tmpfs : format("\"%s\" = \"%s\"", v.volume, v.options)]) bucket_name = local.bucket_name shared_cache = var.cache_shared - session_server_string = length(var.session_server) == 0 ? "" : local.session_server_string + session_server_string = var.session_server == null ? "" : local.session_server_string } ) } @@ -159,7 +159,7 @@ resource "aws_autoscaling_group" "gitlab_runner_instance" { max_size = "1" desired_capacity = "1" health_check_grace_period = 0 - target_group_arns = [var.session_server["listener_arn"] != "" ? aws_alb_target_group.session_server[0].arn : ""] + target_group_arns = [var.session_server != null && var.session_server["listener_arn"] != "" ? aws_alb_target_group.session_server[0].arn : null] launch_configuration = aws_launch_configuration.gitlab_runner_instance.name enabled_metrics = var.metrics_autoscaling tags = data.null_data_source.agent_tags.*.outputs 
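Review bot: The new `target_group_arns` expression still yields a one-element list when the session server is disabled, now `[null]` instead of `[""]`, and the autoscaling group argument is unlikely to accept a null element; the same expression is carried forward unchanged in the `-159` hunk of PATCH 20. Because `aws_alb_target_group.session_server` already uses `count`, the splat form sidesteps the conditional: `target_group_arns = aws_alb_target_group.session_server[*].arn` is `[]` when count is 0 and `[arn]` otherwise. The `var.session_server == null` guard added to `session_server_string` in the `-133` hunk duplicates the check the local itself has performed since PATCH 16, so one of the two can go.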
@@ -413,7 +413,7 @@ resource "aws_iam_role_policy_attachment" "eip" { ### Session server ALB support ################################################################################ resource "aws_alb_listener_rule" "session_server" { - count = length(var.session_server) > 0 && var.session_server["listener_arn"] != "" ? 1 : 0 + count = var.session_server != null && var.session_server["listener_arn"] != "" ? 1 : 0 listener_arn = var.session_server["listener_arn"] @@ -430,7 +430,7 @@ resource "aws_alb_listener_rule" "session_server" { } resource "aws_alb_target_group" "session_server" { - count = length(var.session_server) > 0 && var.session_server["listener_arn"] != "" ? 1 : 0 + count = var.session_server != null && var.session_server["listener_arn"] != "" ? 1 : 0 name = "${var.environment}-session-server" port = var.session_server["port"] From 7d927b7974ad9e1bd22c229e12664cc9d16c5400 Mon Sep 17 00:00:00 2001 From: Matthias Kay Date: Thu, 19 Nov 2020 14:26:22 +0100 Subject: [PATCH 19/20] Quote session server settings --- locals.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/locals.tf b/locals.tf index 68800d429..09fdb8f22 100644 --- a/locals.tf +++ b/locals.tf @@ -9,8 +9,8 @@ locals { session_server_string = var.session_server == null ? "" : join("", formatlist("%s", [ "[session_server]\n", - format("listen_address = %q:%d\n", var.session_server.listen_address, var.session_server.port), - format("advertise_address = %q:%d\n", var.session_server.advertise_address, var.session_server.port), + format("listen_address = \"%s:%d\"\n", var.session_server.listen_address, var.session_server.port), + format("advertise_address = \"%q:%d\"\n", var.session_server.advertise_address, var.session_server.port), format("session_timeout = %s\n", var.session_server.timeout) ] ) From 63b8e80b5532e9965c7d1cdbb535f862452bf86b Mon Sep 17 00:00:00 2001 
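Review bot: The `advertise_address` line in locals.tf is still wrong after this fix: `%q` adds its own quotes, so inside the literal `\"…\"` it renders as `advertise_address = ""host":8093"`, which is not valid TOML and will make the runner reject its config.toml; the `listen_address` line directly above correctly switched to `%s`. Change it to `format("advertise_address = \"%s:%d\"\n", var.session_server.advertise_address, var.session_server.port)`. PATCH 20 touches only main.tf, so nothing later in the series corrects this.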
From: Matthias Kay Date: Thu, 19 Nov 2020 15:28:29 +0100 Subject: [PATCH 20/20] Replace map by object reference --- main.tf | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/main.tf b/main.tf index 8701e1911..8dcd7b6ab 100644 --- a/main.tf +++ b/main.tf @@ -159,7 +159,7 @@ resource "aws_autoscaling_group" "gitlab_runner_instance" { max_size = "1" desired_capacity = "1" health_check_grace_period = 0 - target_group_arns = [var.session_server != null && var.session_server["listener_arn"] != "" ? aws_alb_target_group.session_server[0].arn : null] + target_group_arns = [var.session_server != null && var.session_server.listener_arn != "" ? aws_alb_target_group.session_server[0].arn : null] launch_configuration = aws_launch_configuration.gitlab_runner_instance.name enabled_metrics = var.metrics_autoscaling tags = data.null_data_source.agent_tags.*.outputs @@ -413,9 +413,9 @@ resource "aws_iam_role_policy_attachment" "eip" { ### Session server ALB support ################################################################################ resource "aws_alb_listener_rule" "session_server" { - count = var.session_server != null && var.session_server["listener_arn"] != "" ? 1 : 0 + count = var.session_server != null && var.session_server.listener_arn != "" ? 1 : 0 - listener_arn = var.session_server["listener_arn"] + listener_arn = var.session_server.listener_arn action { type = "forward" 
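Review bot: The enable condition `var.session_server != null && var.session_server.listener_arn != ""` is now spelled out three times (`aws_autoscaling_group`, `aws_alb_listener_rule` here, and `aws_alb_target_group`), which is how the ASG and the two ALB resources drift apart the next time the rule changes. A single local such as `session_server_alb_count = var.session_server != null && var.session_server.listener_arn != "" ? 1 : 0`, consumed as `count = local.session_server_alb_count`, keeps them in step and gives the ASG a single place to look at. Note that with the object type an explicit `listener_arn = null` also passes the `!= ""` test and would then be handed to `listener_arn`, so the local is also the natural place to add a null check.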
@@ -424,16 +424,16 @@ resource "aws_alb_listener_rule" "session_server" { condition { host_header { - values = [var.session_server["advertise_address"]] + values = [var.session_server.advertise_address] } } } resource "aws_alb_target_group" "session_server" { - count = var.session_server != null && var.session_server["listener_arn"] != "" ? 1 : 0 + count = var.session_server != null && var.session_server.listener_arn != "" ? 1 : 0 name = "${var.environment}-session-server" - port = var.session_server["port"] + port = var.session_server.port protocol = "HTTP" vpc_id = var.vpc_id }
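Review bot: `protocol = "HTTP"` on the target group deserves a second look before this series lands: GitLab Runner's session server serves TLS with a certificate it generates itself and hands to GitLab at job start, so a plain-HTTP target group would most likely be unable to talk to `var.session_server.port`, and an ALB terminating TLS with its own certificate would present a different one than the runner advertised. If the ALB path is meant to work, confirm the expected protocol against the runner's session_server documentation and switch to `protocol = "HTTPS"` as needed. The `host_header` rule also only forwards requests whose Host matches `advertise_address` exactly; since locals.tf appends `:port` to the advertised address, check whether the Host header GitLab sends includes the port.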