cattle-ops · kayman-mk · Jul 27, 2020 · Jul 27, 2020 · Jul 28, 2020 · Jul 28, 2020
@@ -356,6 +356,9 @@ terraform destroy
 | runners\_volumes\_tmpfs | n/a | <pre>list(object({<br>    volume  = string<br>    options = string<br>  }))</pre> | `[]` | no |
 | schedule\_config | Map containing the configuration of the ASG scale-in and scale-up for the runner instance. Will only be used if enable\_schedule is set to true. | `map` | <pre>{<br>  "scale_in_count": 0,<br>  "scale_in_recurrence": "0 18 * * 1-5",<br>  "scale_out_count": 1,<br>  "scale_out_recurrence": "0 8 * * 1-5"<br>}</pre> | no |
 | secure\_parameter\_store\_runner\_token\_key | The key name used store the Gitlab runner token in Secure Parameter Store | `string` | `"runner-token"` | no |
+| session\_server\_advertise\_address | The URL exposed to Gitlab used to access the session server, e.g. runner-host-name.tld:8093 | `string` | `""` | no |
+| session\_server\_listen\_address | Listen address of the session server, e.g. [::]:8093. Don't forget to expose this port if you use the docker runner image. | `string` | `""` | no |
+| session\_server\_session\_timeout | Time in seconds how long the session stays active after the job completes. | `number` | `1800` | no |
 | ssh\_key\_pair | Set this to use existing AWS key pair | `string` | `null` | no |
 | subnet\_id\_runners | List of subnets used for hosting the gitlab-runners. | `string` | n/a | yes |
 | subnet\_ids\_gitlab\_runner | Subnet used for hosting the GitLab runner. | `list(string)` | n/a | yes |

@@ -5,6 +5,17 @@ locals {
     join(",", formatlist("%q", var.docker_machine_options)),
   )
 
+  // convert the options for the session server
+  session_server_string = var.session_server == null ? "" : join("",
+    formatlist("%s", [
+      "[session_server]\n",
+      format("listen_address = \"%s:%d\"\n", var.session_server.listen_address, var.session_server.port),
+      format("advertise_address = \"%q:%d\"\n", var.session_server.advertise_address, var.session_server.port),
+      format("session_timeout = %s\n", var.session_server.timeout)
+      ]
+    )
+  )
+
   // Ensure max builds is optional
   runners_max_builds_string = var.runners_max_builds == 0 ? "" : format("MaxBuilds = %d", var.runners_max_builds)
 

@@ -133,6 +133,7 @@ locals {
       runners_services_volumes_tmpfs    = join(",", [for v in var.runners_services_volumes_tmpfs : format("\"%s\" = \"%s\"", v.volume, v.options)])
       bucket_name                       = local.bucket_name
       shared_cache                      = var.cache_shared
+      session_server_string             = var.session_server == null ? "" : local.session_server_string
     }
   )
 }
@@ -158,6 +159,7 @@ resource "aws_autoscaling_group" "gitlab_runner_instance" {
   max_size                  = "1"
   desired_capacity          = "1"
   health_check_grace_period = 0
+  target_group_arns         = [var.session_server != null && var.session_server.listener_arn != "" ? aws_alb_target_group.session_server[0].arn : null]
   launch_configuration      = aws_launch_configuration.gitlab_runner_instance.name
   enabled_metrics           = var.metrics_autoscaling
   tags                      = data.null_data_source.agent_tags.*.outputs
@@ -406,3 +408,32 @@ resource "aws_iam_role_policy_attachment" "eip" {
   role       = aws_iam_role.instance.name
   policy_arn = aws_iam_policy.eip[0].arn
 }
+
+################################################################################
+### Session server ALB support
+################################################################################
+resource "aws_alb_listener_rule" "session_server" {
+  count = var.session_server != null && var.session_server.listener_arn != "" ? 1 : 0
+
+  listener_arn = var.session_server.listener_arn
+
+  action {
+    type             = "forward"
+    target_group_arn = aws_alb_target_group.session_server[0].arn
+  }
+
+  condition {
+    host_header {
+      values = [var.session_server.advertise_address]
+    }
+  }
+}
+
+resource "aws_alb_target_group" "session_server" {
+  count = var.session_server != null && var.session_server.listener_arn != "" ? 1 : 0
+
+  name     = "${var.environment}-session-server"
+  port     = var.session_server.port
+  protocol = "HTTP"
+  vpc_id   = var.vpc_id
+}
@@ -74,6 +74,19 @@ resource "aws_security_group_rule" "runner_ping" {
   )
 }
 
+# Allow incoming traffic for the session server to gitlab-runner agent instances
+resource "aws_security_group_rule" "runner_session_server" {
+  count = length(var.session_server) > 0 ? 1 : 0
+
+  type      = "ingress"
+  from_port = var.session_server["port"]
+  to_port   = var.session_server["port"]
+  protocol  = "tcp"
+
+  cidr_blocks       = var.session_server["incoming_cidr_blocks"]
+  security_group_id = aws_security_group.runner.id
+}
+
 ########################################
 ## Security group IDs to runner agent ##
 ########################################
@@ -97,6 +110,19 @@ resource "aws_security_group_rule" "runner_ssh_group" {
   )
 }
 
+# Allow incoming traffic for the session server from allowed security groups to gitlab-runner agent instances
+resource "aws_security_group_rule" "runner_session_server_group" {
+  count = length(var.session_server) > 0 && var.session_server["listener_arn"] != "" ? 1 : 0
+
+  type      = "ingress"
+  from_port = var.session_server["port"]
+  to_port   = var.session_server["port"]
+  protocol  = "tcp"
+
+  source_security_group_id = var.session_server["alb_security_group_id"]
+  security_group_id        = aws_security_group.runner.id
+}
+
 # Allow ICMP traffic from allowed security group IDs to gitlab-runner agent instances
 resource "aws_security_group_rule" "runner_ping_group" {
   count = length(var.gitlab_runner_security_group_ids) > 0 && var.enable_ping ? length(var.gitlab_runner_security_group_ids) : 0

@@ -1,6 +1,8 @@
 concurrent = ${runners_concurrent}
 check_interval = 0
 
+${session_server_string}
+
 [[runners]]
   name = "${runners_name}"
   url = "${gitlab_url}"
@@ -63,4 +65,5 @@ check_interval = 0
     ${runners_off_peak_idle_count}
     ${runners_off_peak_idle_time}
     ${runners_off_peak_periods_string}
-  ${runners_machine_autoscaling}
+
+${runners_machine_autoscaling}
@@ -633,3 +633,26 @@ variable "runner_iam_policy_arns" {
   description = "List of policy ARNs to be added to the instance profile of the gitlab runner agent ec2 instance."
   default     = []
 }
+
+variable "session_server" {
+  description = "Enables the session server support."
+  type        = object({
+  timeout = number
+  port = number
+  listen_address = string
+  advertise_address = string
+  listener_arn = string
+  alb_security_group_id = string
+  incoming_cidr_blocks = list(string)
+  }
+  )
+
+  default = null
+  # session_timeout       - Time in seconds how long the session stays active after the job completes. (1800)
+  # port                  - Port which is used to connect to the session server. Don't forget to expose this port if you use the docker runner image. (8093)
+  # listen_address        - Listen address of the session server, e.g. [::] without a port. Session_server_port is used for the port.
+  # advertise_address     - The URL exposed to Gitlab used to access the session server, e.g. runner-host-name.tld. session_server_port is used for the port.
+  # listener_arn          - ALB listener ARN to connect the session server to the outside. An EIP can be used instead (see enable_eip).
+  # alb_security_group_id - ID of the security group belonging to the ALB to restrict the traffic to the session_server.
+  # incoming_cidr_blocks  - CIDR blocks which are allowed to connect to the session server.
+}