diff --git a/CHANGELOG.md b/CHANGELOG.md
index 2486eb27e..5e1097596 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,38 @@
 # Changelog
+## [7.0.0](https://github.com/cattle-ops/terraform-aws-gitlab-runner/compare/6.5.2...7.0.0) (2023-09-09)
+
+
+### ⚠ BREAKING CHANGES
+
+* group variables for better overview ([#810](https://github.com/cattle-ops/terraform-aws-gitlab-runner/issues/810))
+* allow to set all docker options for the Executor ([#511](https://github.com/cattle-ops/terraform-aws-gitlab-runner/issues/511))
+* add idle_count_min` and `idle_scale_factor` to Docker Machine autoscaling options ([#711](https://github.com/cattle-ops/terraform-aws-gitlab-runner/issues/711))
+* remove deprecated variables ([#738](https://github.com/cattle-ops/terraform-aws-gitlab-runner/issues/738))
+* remove deprecated pull policy variable ([#710](https://github.com/cattle-ops/terraform-aws-gitlab-runner/issues/710))
+
+### Features
+
+* add idle_count_min` and `idle_scale_factor` to Docker Machine autoscaling options ([#711](https://github.com/cattle-ops/terraform-aws-gitlab-runner/issues/711)) ([1538d48](https://github.com/cattle-ops/terraform-aws-gitlab-runner/commit/1538d48ed5e3bfe37b9e2edfd40e35995bd1305b))
+* allow to set all docker options for the Executor ([#511](https://github.com/cattle-ops/terraform-aws-gitlab-runner/issues/511)) ([461561e](https://github.com/cattle-ops/terraform-aws-gitlab-runner/commit/461561e3f33bfb4b289f81d54671f0f6ac383925))
+
+
+### Bug Fixes
+
+* add missing defaults ([#905](https://github.com/cattle-ops/terraform-aws-gitlab-runner/issues/905)) ([eb44182](https://github.com/cattle-ops/terraform-aws-gitlab-runner/commit/eb44182b01ec0013c01224773e54dc9d9590e966))
+* correct the bugs of major version 7 (pre-release) ([#860](https://github.com/cattle-ops/terraform-aws-gitlab-runner/issues/860)) ([f236b58](https://github.com/cattle-ops/terraform-aws-gitlab-runner/commit/f236b58571458fbbdcc82c25930adf255316d1e4))
+* remove deprecated pull policy variable ([#710](https://github.com/cattle-ops/terraform-aws-gitlab-runner/issues/710)) ([8736ec7](https://github.com/cattle-ops/terraform-aws-gitlab-runner/commit/8736ec766673a95d1289a12a534de1f04faba2fc))
+
+
+### Miscellaneous Chores
+
+* remove deprecated variables ([#738](https://github.com/cattle-ops/terraform-aws-gitlab-runner/issues/738)) ([676ed6a](https://github.com/cattle-ops/terraform-aws-gitlab-runner/commit/676ed6aa0b02f20dd071916cc91466a59541f0f6))
+
+
+### Code Refactoring
+
+* group variables for better overview ([#810](https://github.com/cattle-ops/terraform-aws-gitlab-runner/issues/810)) ([c8a3b89](https://github.com/cattle-ops/terraform-aws-gitlab-runner/commit/c8a3b89c46f749214461bade8e1e6d161d0ef860))
+
 ## [6.5.2](https://github.com/cattle-ops/terraform-aws-gitlab-runner/compare/6.5.1...6.5.2) (2023-08-31)
diff --git a/README.md b/README.md
index f3523faf3..92cedafd7 100644
--- a/README.md
+++ b/README.md
@@ -490,7 +490,7 @@ Made with [contributors-img](https://contrib.rocks).
 | Name | Version |
 |------|---------|
-| [terraform](#requirement\_terraform) | >= 1 |
+| [terraform](#requirement\_terraform) | >= 1.3 |
 | [aws](#requirement\_aws) | >= 4 |
 | [local](#requirement\_local) | >= 2.4.0 |
 | [tls](#requirement\_tls) | >= 3 |
@@ -565,152 +565,65 @@ Made with [contributors-img](https://contrib.rocks). | [aws_availability_zone.runners](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zone) | data source | | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | | [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source | +| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | | [aws_subnet.runners](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnet) | data source | ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [agent\_tags](#input\_agent\_tags) | Map of tags that will be added to agent EC2 instances. | `map(string)` | `{}` | no | -| [allow\_iam\_service\_linked\_role\_creation](#input\_allow\_iam\_service\_linked\_role\_creation) | Boolean used to control attaching the policy to a runner instance to create service linked roles. | `bool` | `true` | no | -| [ami\_filter](#input\_ami\_filter) | List of maps used to create the AMI filter for the Gitlab runner agent AMI. Must resolve to an Amazon Linux 1 or 2 image. | `map(list(string))` |
{| no | -| [ami\_owners](#input\_ami\_owners) | The list of owners used to select the AMI of Gitlab runner agent instances. | `list(string)` |
"name": [
"amzn2-ami-hvm-2.*-x86_64-ebs"
]
}
[| no | -| [arn\_format](#input\_arn\_format) | Deprecated! Calculated automatically by the module. ARN format to be used. May be changed to support deployment in GovCloud/China regions. | `string` | `null` | no | -| [asg\_delete\_timeout](#input\_asg\_delete\_timeout) | Timeout when trying to delete the Runner ASG. | `string` | `"10m"` | no | -| [asg\_max\_instance\_lifetime](#input\_asg\_max\_instance\_lifetime) | The seconds before an instance is refreshed in the ASG. | `number` | `null` | no | -| [asg\_terminate\_lifecycle\_hook\_create](#input\_asg\_terminate\_lifecycle\_hook\_create) | (Deprecated and always true now) Boolean toggling the creation of the ASG instance terminate lifecycle hook. | `bool` | `true` | no | -| [asg\_terminate\_lifecycle\_hook\_heartbeat\_timeout](#input\_asg\_terminate\_lifecycle\_hook\_heartbeat\_timeout) | (Deprecated and no longer in use) The amount of time, in seconds, for the instances to remain in wait state. | `number` | `null` | no | -| [asg\_terminate\_lifecycle\_hook\_name](#input\_asg\_terminate\_lifecycle\_hook\_name) | Specifies a custom name for the ASG terminate lifecycle hook and related resources. | `string` | `null` | no | -| [asg\_terminate\_lifecycle\_lambda\_memory\_size](#input\_asg\_terminate\_lifecycle\_lambda\_memory\_size) | (Deprecated and no longer in use) The memory size in MB to allocate to the terminate-instances Lambda function. | `number` | `128` | no | -| [asg\_terminate\_lifecycle\_lambda\_runtime](#input\_asg\_terminate\_lifecycle\_lambda\_runtime) | (Deprecated and no longer in use) Identifier of the function's runtime. This should be a python3.x runtime. See https://docs.aws.amazon.com/lambda/latest/dg/API_CreateFunction.html#SSS-CreateFunction-request-Runtime for more information. 
| `string` | `"python3.8"` | no | -| [asg\_terminate\_lifecycle\_lambda\_timeout](#input\_asg\_terminate\_lifecycle\_lambda\_timeout) | (Deprecated and no longer in use) Amount of time the terminate-instances Lambda Function has to run in seconds. | `number` | `30` | no | -| [auth\_type\_cache\_sr](#input\_auth\_type\_cache\_sr) | A string that declares the AuthenticationType for [runners.cache.s3]. Can either be 'iam' or 'credentials' | `string` | `"iam"` | no | -| [aws\_region](#input\_aws\_region) | AWS region. | `string` | n/a | yes | -| [cache\_bucket](#input\_cache\_bucket) | Configuration to control the creation of the cache bucket. By default the bucket will be created and used as shared cache. To use the same cache across multiple runners disable the creation of the cache and provide a policy and bucket name. See the public runner example for more details. | `map(any)` |
"amazon"
]
{| no | -| [cache\_bucket\_name\_include\_account\_id](#input\_cache\_bucket\_name\_include\_account\_id) | Boolean to add current account ID to cache bucket name. | `bool` | `true` | no | -| [cache\_bucket\_prefix](#input\_cache\_bucket\_prefix) | Prefix for s3 cache bucket name. | `string` | `""` | no | -| [cache\_bucket\_set\_random\_suffix](#input\_cache\_bucket\_set\_random\_suffix) | Append the cache bucket name with a random string suffix | `bool` | `false` | no | -| [cache\_bucket\_versioning](#input\_cache\_bucket\_versioning) | Boolean used to enable versioning on the cache bucket, false by default. | `bool` | `false` | no | -| [cache\_expiration\_days](#input\_cache\_expiration\_days) | Number of days before cache objects expires. | `number` | `1` | no | -| [cache\_logging\_bucket](#input\_cache\_logging\_bucket) | S3 Bucket ID where the access logs to the cache bucket are stored. | `string` | `null` | no | -| [cache\_logging\_bucket\_prefix](#input\_cache\_logging\_bucket\_prefix) | Prefix within the `cache_logging_bucket`. | `string` | `null` | no | -| [cache\_shared](#input\_cache\_shared) | Enables cache sharing between runners, false by default. | `bool` | `false` | no | -| [cloudwatch\_logging\_retention\_in\_days](#input\_cloudwatch\_logging\_retention\_in\_days) | Retention for cloudwatch logs. Defaults to unlimited | `number` | `0` | no | -| [create\_runner\_iam\_role](#input\_create\_runner\_iam\_role) | Whether to create the runner IAM role of the gitlab runner agent EC2 instance. | `bool` | `true` | no | -| [debug](#input\_debug) | Enable debug settings for development
"bucket": "",
"create": true,
"policy": ""
}
object({|
output_runner_config_to_file = bool
output_runner_user_data_to_file = bool
})
{| no | -| [docker\_machine\_download\_url](#input\_docker\_machine\_download\_url) | (Optional) By default the module will use `docker_machine_version` to download the CKI maintained version (https://gitlab.com/cki-project/docker-machine) of Docker Machine. Alternative you can set this property to download location of the distribution of for the OS. See also https://docs.gitlab.com/runner/executors/docker_machine.html#install | `string` | `""` | no | -| [docker\_machine\_egress\_rules](#input\_docker\_machine\_egress\_rules) | List of egress rules for the docker-machine instance(s). |
"output_runner_config_to_file": false,
"output_runner_user_data_to_file": false
}
list(object({|
cidr_blocks = list(string)
ipv6_cidr_blocks = list(string)
prefix_list_ids = list(string)
from_port = number
protocol = string
security_groups = list(string)
self = bool
to_port = number
description = string
}))
[| no | -| [docker\_machine\_iam\_policy\_arns](#input\_docker\_machine\_iam\_policy\_arns) | List of policy ARNs to be added to the instance profile of the docker machine runners. | `list(string)` | `[]` | no | -| [docker\_machine\_instance\_metadata\_options](#input\_docker\_machine\_instance\_metadata\_options) | Enable the docker machine instances metadata service. Requires you use GitLab maintained docker machines. |
{
"cidr_blocks": [
"0.0.0.0/0"
],
"description": "Allow all egress traffic for docker machine build runners",
"from_port": 0,
"ipv6_cidr_blocks": [
"::/0"
],
"prefix_list_ids": null,
"protocol": "-1",
"security_groups": null,
"self": null,
"to_port": 0
}
]
object({|
http_tokens = string
http_put_response_hop_limit = number
})
{| no | -| [docker\_machine\_instance\_type](#input\_docker\_machine\_instance\_type) | Instance type used for the instances hosting docker-machine. | `string` | `"m5.large"` | no | -| [docker\_machine\_instance\_types\_fleet](#input\_docker\_machine\_instance\_types\_fleet) | Instance types used for the instances hosting docker-machine. This variable is only supported when use\_fleet is set to true. | `list(string)` | `[]` | no | -| [docker\_machine\_options](#input\_docker\_machine\_options) | List of additional options for the docker machine config. Each element of this list must be a key=value pair. E.g. '["amazonec2-zone=a"]' | `list(string)` | `[]` | no | -| [docker\_machine\_role\_json](#input\_docker\_machine\_role\_json) | Docker machine runner instance override policy, expected to be in JSON format. | `string` | `""` | no | -| [docker\_machine\_security\_group\_description](#input\_docker\_machine\_security\_group\_description) | A description for the docker-machine security group | `string` | `"A security group containing docker-machine instances"` | no | -| [docker\_machine\_spot\_price\_bid](#input\_docker\_machine\_spot\_price\_bid) | Spot price bid. The maximum price willing to pay. By default the price is limited by the current on demand price for the instance type chosen. | `string` | `"on-demand-price"` | no | -| [docker\_machine\_version](#input\_docker\_machine\_version) | By default docker\_machine\_download\_url is used to set the docker machine version. This version will be ignored once `docker_machine_download_url` is set. The version number is maintained by the CKI project. Check out at https://gitlab.com/cki-project/docker-machine/-/releases | `string` | `"0.16.2-gitlab.19-cki.2"` | no | -| [enable\_asg\_recreation](#input\_enable\_asg\_recreation) | Enable automatic redeployment of the Runner ASG when the Launch Configs change. 
| `bool` | `true` | no | -| [enable\_cloudwatch\_logging](#input\_enable\_cloudwatch\_logging) | Boolean used to enable or disable the CloudWatch logging. | `bool` | `true` | no | -| [enable\_docker\_machine\_ssm\_access](#input\_enable\_docker\_machine\_ssm\_access) | Add IAM policies to the docker-machine instances to connect via the Session Manager. | `bool` | `false` | no | -| [enable\_eip](#input\_enable\_eip) | Enable the assignment of an EIP to the gitlab runner instance | `bool` | `false` | no | -| [enable\_kms](#input\_enable\_kms) | Let the module manage a KMS key, logs will be encrypted via KMS. Be-aware of the costs of an custom key. | `bool` | `false` | no | -| [enable\_manage\_gitlab\_token](#input\_enable\_manage\_gitlab\_token) | (Deprecated) Boolean to enable the management of the GitLab token in SSM. If `true` the token will be stored in SSM, which means the SSM property is a terraform managed resource. If `false` the Gitlab token will be stored in the SSM by the user-data script during creation of the instance. However the SSM parameter is not managed by terraform and will remain in SSM after a `terraform destroy`. | `bool` | `null` | no | -| [enable\_ping](#input\_enable\_ping) | Allow ICMP Ping to the ec2 instances. | `bool` | `false` | no | -| [enable\_runner\_ssm\_access](#input\_enable\_runner\_ssm\_access) | Add IAM policies to the runner agent instance to connect via the Session Manager. | `bool` | `false` | no | -| [enable\_runner\_user\_data\_trace\_log](#input\_enable\_runner\_user\_data\_trace\_log) | Enable bash trace for the user data script that creates the EC2 instance for the runner agent. Be aware this could log sensitive data such as you GitLab runner token. | `bool` | `true` | no | -| [enable\_schedule](#input\_enable\_schedule) | Flag used to enable/disable auto scaling group schedule for the runner instance. 
| `bool` | `false` | no | +| [debug](#input\_debug) | trace\_runner\_user\_data: Enable bash trace for the user data script on the Agent. Be aware this could log sensitive data such as you GitLab runner token.
"http_put_response_hop_limit": 2,
"http_tokens": "required"
}
object({| `{}` | no | +| [enable\_managed\_kms\_key](#input\_enable\_managed\_kms\_key) | Let the module manage a KMS key. Be-aware of the costs of an custom key. Do not specify a `kms_key_id` when `enable_kms` is set to `true`. | `bool` | `false` | no | | [environment](#input\_environment) | A name that identifies the environment, used as prefix and for tagging. | `string` | n/a | yes | -| [extra\_security\_group\_ids\_runner\_agent](#input\_extra\_security\_group\_ids\_runner\_agent) | Optional IDs of extra security groups to apply to the runner agent. This will not apply to the runners spun up when using the docker+machine executor, which is the default. | `list(string)` | `[]` | no | -| [fleet\_executor\_subnet\_ids](#input\_fleet\_executor\_subnet\_ids) | List of subnets used for executors when the fleet mode is enabled. Must belong to the VPC specified above. | `list(string)` | `[]` | no | -| [fleet\_key\_pair\_name](#input\_fleet\_key\_pair\_name) | The name of the key pair used by the runner to connect to the docker-machine executors. | `string` | `"fleet-key"` | no | -| [gitlab\_runner\_egress\_rules](#input\_gitlab\_runner\_egress\_rules) | List of egress rules for the gitlab runner instance. |
trace_runner_user_data = optional(bool, false)
write_runner_config_to_file = optional(bool, false)
write_runner_user_data_to_file = optional(bool, false)
})
list(object({|
cidr_blocks = list(string)
ipv6_cidr_blocks = list(string)
prefix_list_ids = list(string)
from_port = number
protocol = string
security_groups = list(string)
self = bool
to_port = number
description = string
}))
[| no | -| [gitlab\_runner\_registration\_config](#input\_gitlab\_runner\_registration\_config) | Configuration used to register the runner. See the README for an example, or reference the examples in the examples directory of this repo. | `map(string)` |
{
"cidr_blocks": [
"0.0.0.0/0"
],
"description": null,
"from_port": 0,
"ipv6_cidr_blocks": [
"::/0"
],
"prefix_list_ids": null,
"protocol": "-1",
"security_groups": null,
"self": null,
"to_port": 0
}
]
{| no | -| [gitlab\_runner\_security\_group\_description](#input\_gitlab\_runner\_security\_group\_description) | A description for the gitlab-runner security group | `string` | `"A security group containing gitlab-runner agent instances"` | no | -| [gitlab\_runner\_security\_group\_ids](#input\_gitlab\_runner\_security\_group\_ids) | A list of security group ids that are allowed to access the gitlab runner agent | `list(string)` | `[]` | no | -| [gitlab\_runner\_version](#input\_gitlab\_runner\_version) | Version of the [GitLab runner](https://gitlab.com/gitlab-org/gitlab-runner/-/releases). | `string` | `"15.8.2"` | no | -| [instance\_role\_json](#input\_instance\_role\_json) | Default runner instance override policy, expected to be in JSON format. | `string` | `""` | no | -| [instance\_type](#input\_instance\_type) | Instance type used for the GitLab runner. | `string` | `"t3.micro"` | no | -| [kms\_alias\_name](#input\_kms\_alias\_name) | Alias added to the kms\_key (if created and not provided by kms\_key\_id) | `string` | `""` | no | -| [kms\_deletion\_window\_in\_days](#input\_kms\_deletion\_window\_in\_days) | Key rotation window, set to 0 for no rotation. Only used when `enable_kms` is set to `true`. | `number` | `7` | no | -| [kms\_key\_id](#input\_kms\_key\_id) | KMS key ARN to encrypt the resources. Ensure CloudWatch has access to the provided KMS key (see policies/kms-policy.json). | `string` | `""` | no | -| [log\_group\_name](#input\_log\_group\_name) | Option to override the default name (`environment`) of the log group, requires `enable_cloudwatch_logging = true`. | `string` | `null` | no | -| [metrics\_autoscaling](#input\_metrics\_autoscaling) | A list of metrics to collect. 
The allowed values are GroupDesiredCapacity, GroupInServiceCapacity, GroupPendingCapacity, GroupMinSize, GroupMaxSize, GroupInServiceInstances, GroupPendingInstances, GroupStandbyInstances, GroupStandbyCapacity, GroupTerminatingCapacity, GroupTerminatingInstances, GroupTotalCapacity, GroupTotalInstances. | `list(string)` | `null` | no | -| [overrides](#input\_overrides) | This map provides the possibility to override some defaults.
"access_level": "",
"description": "",
"locked_to_project": "",
"maximum_timeout": "",
"registration_token": "",
"run_untagged": "",
"tag_list": ""
}
{| no | -| [permissions\_boundary](#input\_permissions\_boundary) | Name of permissions boundary policy to attach to AWS IAM roles | `string` | `""` | no | -| [prometheus\_listen\_address](#input\_prometheus\_listen\_address) | Defines an address (
"name_docker_machine_runners": "",
"name_iam_objects": "",
"name_runner_agent_instance": "",
"name_sg": ""
}
{| no | -| [runner\_ami\_owners](#input\_runner\_ami\_owners) | The list of owners used to select the AMI of Gitlab runner docker-machine instances. | `list(string)` |
"name": [
"ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-*"
]
}
[| no | -| [runner\_extra\_config](#input\_runner\_extra\_config) | Extra commands to run as part of starting the runner | `string` | `""` | no | -| [runner\_iam\_policy\_arns](#input\_runner\_iam\_policy\_arns) | List of policy ARNs to be added to the instance profile of the gitlab runner agent ec2 instance. | `list(string)` | `[]` | no | -| [runner\_iam\_role\_name](#input\_runner\_iam\_role\_name) | IAM role name of the gitlab runner agent EC2 instance. If unspecified then `{name_iam_objects}-instance` is used | `string` | `""` | no | -| [runner\_instance\_ebs\_optimized](#input\_runner\_instance\_ebs\_optimized) | Enable the GitLab runner instance to be EBS-optimized. | `bool` | `true` | no | -| [runner\_instance\_enable\_monitoring](#input\_runner\_instance\_enable\_monitoring) | Enable the GitLab runner instance to have detailed monitoring. | `bool` | `true` | no | -| [runner\_instance\_metadata\_options](#input\_runner\_instance\_metadata\_options) | Enable the Gitlab runner agent instance metadata service. |
"099720109477"
]
object({|
http_endpoint = string
http_tokens = string
http_put_response_hop_limit = number
instance_metadata_tags = string
})
{| no | -| [runner\_instance\_spot\_price](#input\_runner\_instance\_spot\_price) | By setting a spot price bid price the runner agent will be created via a spot request. Be aware that spot instances can be stopped by AWS. Choose "on-demand-price" to pay up to the current on demand price for the instance type chosen. | `string` | `null` | no | -| [runner\_root\_block\_device](#input\_runner\_root\_block\_device) | The EC2 instance root block device configuration. Takes the following keys: `device_name`, `delete_on_termination`, `volume_type`, `volume_size`, `encrypted`, `iops`, `throughput`, `kms_key_id` | `map(string)` | `{}` | no | -| [runner\_tags](#input\_runner\_tags) | Map of tags that will be added to runner EC2 instances. | `map(string)` | `{}` | no | -| [runner\_yum\_update](#input\_runner\_yum\_update) | Run a yum update as part of starting the runner | `bool` | `true` | no | -| [runners\_add\_dind\_volumes](#input\_runners\_add\_dind\_volumes) | Add certificates and docker.sock to the volumes to support docker-in-docker (dind) | `bool` | `false` | no | -| [runners\_additional\_volumes](#input\_runners\_additional\_volumes) | Additional volumes that will be used in the runner config.toml, e.g Docker socket | `list(any)` | `[]` | no | -| [runners\_ca\_certificate](#input\_runners\_ca\_certificate) | Trusted CA certificate bundle. Example: `file("${path.module}/ca.crt")` | `string` | `""` | no | -| [runners\_check\_interval](#input\_runners\_check\_interval) | defines the interval length, in seconds, between new jobs check. | `number` | `3` | no | -| [runners\_clone\_url](#input\_runners\_clone\_url) | Overwrites the URL for the GitLab instance. Use only if the runner can’t connect to the GitLab URL. | `string` | `""` | no | -| [runners\_concurrent](#input\_runners\_concurrent) | Concurrent value for the runners, will be used in the runner config.toml. 
| `number` | `10` | no | -| [runners\_disable\_cache](#input\_runners\_disable\_cache) | Runners will not use local cache, will be used in the runner config.toml | `bool` | `false` | no | -| [runners\_docker\_registry\_mirror](#input\_runners\_docker\_registry\_mirror) | The docker registry mirror to use to avoid rate limiting by hub.docker.com | `string` | `""` | no | -| [runners\_docker\_runtime](#input\_runners\_docker\_runtime) | docker runtime for runners, will be used in the runner config.toml | `string` | `""` | no | -| [runners\_docker\_services](#input\_runners\_docker\_services) | adds `runners.docker.services` blocks to config.toml. All fields must be set (examine the Dockerfile of the service image for the entrypoint - see ./examples/runner-default/main.tf) |
"http_endpoint": "enabled",
"http_put_response_hop_limit": 2,
"http_tokens": "required",
"instance_metadata_tags": "disabled"
}
list(object({| `[]` | no | -| [runners\_ebs\_optimized](#input\_runners\_ebs\_optimized) | Enable runners to be EBS-optimized. | `bool` | `true` | no | -| [runners\_environment\_vars](#input\_runners\_environment\_vars) | Environment variables during build execution, e.g. KEY=Value, see runner-public example. Will be used in the runner config.toml | `list(string)` | `[]` | no | -| [runners\_executor](#input\_runners\_executor) | The executor to use. Currently supports `docker+machine` or `docker`. | `string` | `"docker+machine"` | no | -| [runners\_extra\_hosts](#input\_runners\_extra\_hosts) | Extra hosts that will be used in the runner config.toml, e.g other-host:127.0.0.1 | `list(any)` | `[]` | no | -| [runners\_gitlab\_certificate](#input\_runners\_gitlab\_certificate) | Certificate of the GitLab instance to connect to. Example: `file("${path.module}/my-gitlab.crt")` | `string` | `""` | no | -| [runners\_gitlab\_url](#input\_runners\_gitlab\_url) | URL of the GitLab instance to connect to. | `string` | n/a | yes | -| [runners\_helper\_image](#input\_runners\_helper\_image) | Overrides the default helper image used to clone repos and upload artifacts, will be used in the runner config.toml | `string` | `""` | no | -| [runners\_iam\_instance\_profile\_name](#input\_runners\_iam\_instance\_profile\_name) | IAM instance profile name of the runners, will be used in the runner config.toml | `string` | `""` | no | -| [runners\_idle\_count](#input\_runners\_idle\_count) | Idle count of the runners, will be used in the runner config.toml. | `number` | `0` | no | -| [runners\_idle\_time](#input\_runners\_idle\_time) | Idle time of the runners, will be used in the runner config.toml. 
| `number` | `600` | no | -| [runners\_image](#input\_runners\_image) | Image to run builds, will be used in the runner config.toml | `string` | `"docker:18.03.1-ce"` | no | -| [runners\_install\_amazon\_ecr\_credential\_helper](#input\_runners\_install\_amazon\_ecr\_credential\_helper) | Install amazon-ecr-credential-helper inside `userdata_pre_install` script | `bool` | `false` | no | -| [runners\_limit](#input\_runners\_limit) | Limit for the runners, will be used in the runner config.toml. | `number` | `0` | no | -| [runners\_machine\_autoscaling](#input\_runners\_machine\_autoscaling) | Set autoscaling parameters based on periods, see https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-runnersmachine-section |
name = string
alias = string
entrypoint = list(string)
command = list(string)
}))
list(object({| `[]` | no | -| [runners\_max\_builds](#input\_runners\_max\_builds) | Max builds for each runner after which it will be removed, will be used in the runner config.toml. By default set to 0, no maxBuilds will be set in the configuration. | `number` | `0` | no | -| [runners\_monitoring](#input\_runners\_monitoring) | Enable detailed cloudwatch monitoring for spot instances. | `bool` | `false` | no | -| [runners\_name](#input\_runners\_name) | Name of the runner, will be used in the runner config.toml. | `string` | n/a | yes | -| [runners\_output\_limit](#input\_runners\_output\_limit) | Sets the maximum build log size in kilobytes, by default set to 4096 (4MB). | `number` | `4096` | no | -| [runners\_post\_build\_script](#input\_runners\_post\_build\_script) | Commands to be executed on the Runner just after executing the build, but before executing after\_script. | `string` | `"\"\""` | no | -| [runners\_pre\_build\_script](#input\_runners\_pre\_build\_script) | Script to execute in the pipeline just before the build, will be used in the runner config.toml | `string` | `"\"\""` | no | -| [runners\_pre\_clone\_script](#input\_runners\_pre\_clone\_script) | Commands to be executed on the Runner before cloning the Git repository. this can be used to adjust the Git client configuration first, for example. | `string` | `"\"\""` | no | -| [runners\_privileged](#input\_runners\_privileged) | Runners will run in privileged mode, will be used in the runner config.toml | `bool` | `true` | no | -| [runners\_pull\_policies](#input\_runners\_pull\_policies) | pull policies for the runners, will be used in the runner config.toml, for Gitlab Runner >= 13.8, see https://docs.gitlab.com/runner/executors/docker.html#using-multiple-pull-policies | `list(string)` |
periods = list(string)
idle_count = number
idle_time = number
timezone = string
}))
[| no | -| [runners\_request\_concurrency](#input\_runners\_request\_concurrency) | Limit number of concurrent requests for new jobs from GitLab (default 1). | `number` | `1` | no | -| [runners\_request\_spot\_instance](#input\_runners\_request\_spot\_instance) | Whether or not to request spot instances via docker-machine | `bool` | `true` | no | -| [runners\_root\_size](#input\_runners\_root\_size) | Runner instance root size in GB. | `number` | `16` | no | -| [runners\_services\_volumes\_tmpfs](#input\_runners\_services\_volumes\_tmpfs) | Mount a tmpfs in gitlab service container. https://docs.gitlab.com/runner/executors/docker.html#mounting-a-directory-in-ram |
"always"
]
list(object({| `[]` | no | -| [runners\_shm\_size](#input\_runners\_shm\_size) | shm\_size for the runners, will be used in the runner config.toml | `number` | `0` | no | -| [runners\_token](#input\_runners\_token) | Token for the runner, will be used in the runner config.toml. | `string` | `"__REPLACED_BY_USER_DATA__"` | no | -| [runners\_use\_private\_address](#input\_runners\_use\_private\_address) | Restrict runners to the use of a private IP address. If `runner_agent_uses_private_address` is set to `true`(default), `runners_use_private_address` will also apply for the agent. | `bool` | `true` | no | -| [runners\_userdata](#input\_runners\_userdata) | Cloud-init user data that will be passed to the runner ec2 instance. Available only for `docker+machine` driver. Should not be base64 encrypted. | `string` | `""` | no | -| [runners\_volume\_type](#input\_runners\_volume\_type) | Runner instance volume type | `string` | `"gp2"` | no | -| [runners\_volumes\_tmpfs](#input\_runners\_volumes\_tmpfs) | Mount a tmpfs in runner container. https://docs.gitlab.com/runner/executors/docker.html#mounting-a-directory-in-ram |
volume = string
options = string
}))
list(object({| `[]` | no | -| [runners\_wait\_for\_services\_timeout](#input\_runners\_wait\_for\_services\_timeout) | How long to wait for Docker services. Set to -1 to disable. Default is 30. | `number` | `30` | no | -| [schedule\_config](#input\_schedule\_config) | Map containing the configuration of the ASG scale-out and scale-in for the runner instance. Will only be used if enable\_schedule is set to true. | `map(any)` |
volume = string
options = string
}))
{| no | -| [secure\_parameter\_store\_gitlab\_runner\_registration\_token\_name](#input\_secure\_parameter\_store\_gitlab\_runner\_registration\_token\_name) | The name of the SSM parameter to read the GitLab Runner registration token from. | `string` | `"gitlab-runner-registration-token"` | no | -| [secure\_parameter\_store\_runner\_sentry\_dsn](#input\_secure\_parameter\_store\_runner\_sentry\_dsn) | The Sentry DSN name used to store the Sentry DSN in Secure Parameter Store | `string` | `"sentry-dsn"` | no | -| [secure\_parameter\_store\_runner\_token\_key](#input\_secure\_parameter\_store\_runner\_token\_key) | The key name used store the Gitlab runner token in Secure Parameter Store | `string` | `"runner-token"` | no | -| [sentry\_dsn](#input\_sentry\_dsn) | Sentry DSN of the project for the runner to use (uses legacy DSN format) | `string` | `"__SENTRY_DSN_REPLACED_BY_USER_DATA__"` | no | -| [show\_user\_data\_in\_plan](#input\_show\_user\_data\_in\_plan) | When enabled, shows the diff for agent configuration files in Terraform plan: `config.toml` and user data script | `bool` | `false` | no | -| [subnet\_id](#input\_subnet\_id) | Subnet id used for the runner and executors. Must belong to the VPC specified above. | `string` | `""` | no | -| [subnet\_id\_runners](#input\_subnet\_id\_runners) | Deprecated! Use subnet\_id instead. List of subnets used for hosting the gitlab-runners. | `string` | `""` | no | -| [subnet\_ids\_gitlab\_runner](#input\_subnet\_ids\_gitlab\_runner) | Deprecated! Use subnet\_id instead. Subnet used for hosting the GitLab runner. | `list(string)` | `[]` | no | -| [suppressed\_tags](#input\_suppressed\_tags) | List of tag keys which are removed from tags, agent\_tags and runner\_tags and never added as default tag by the module. | `list(string)` | `[]` | no | +| [iam\_object\_prefix](#input\_iam\_object\_prefix) | Set the name prefix of all AWS IAM resources. 
| `string` | `""` | no | +| [iam\_permissions\_boundary](#input\_iam\_permissions\_boundary) | Name of permissions boundary policy to attach to AWS IAM roles | `string` | `""` | no | +| [kms\_key\_id](#input\_kms\_key\_id) | KMS key id to encrypt the resources. Ensure that CloudWatch and Runner/Runner Workers have access to the provided KMS key. | `string` | `""` | no | +| [kms\_managed\_alias\_name](#input\_kms\_managed\_alias\_name) | Alias added to the created KMS key. | `string` | `""` | no | +| [kms\_managed\_deletion\_rotation\_window\_in\_days](#input\_kms\_managed\_deletion\_rotation\_window\_in\_days) | Key deletion/rotation window for the created KMS key. Set to 0 for no rotation/deletion window. | `number` | `7` | no | +| [runner\_ami\_filter](#input\_runner\_ami\_filter) | List of maps used to create the AMI filter for the Runner AMI. Must resolve to an Amazon Linux 1 or 2 image. | `map(list(string))` |
"scale_in_count": 0,
"scale_in_recurrence": "0 18 * * 1-5",
"scale_in_time_zone": "Etc/UTC",
"scale_out_count": 1,
"scale_out_recurrence": "0 8 * * 1-5",
"scale_out_time_zone": "Etc/UTC"
}
{| no | +| [runner\_ami\_owners](#input\_runner\_ami\_owners) | The list of owners used to select the AMI of the Runner instance. | `list(string)` |
"name": [
"amzn2-ami-hvm-2.*-x86_64-ebs"
]
}
[| no | +| [runner\_cloudwatch](#input\_runner\_cloudwatch) | enable = Boolean used to enable or disable the CloudWatch logging.
"amazon"
]
object({| `{}` | no | +| [runner\_enable\_asg\_recreation](#input\_runner\_enable\_asg\_recreation) | Enable automatic redeployment of the Runner's ASG when the Launch Configs change. | `bool` | `true` | no | +| [runner\_gitlab](#input\_runner\_gitlab) | ca\_certificate = Trusted CA certificate bundle (PEM format).
enable = optional(bool, true)
log_group_name = optional(string, null)
retention_days = optional(number, 0)
})
object({| n/a | yes | +| [runner\_gitlab\_registration\_config](#input\_runner\_gitlab\_registration\_config) | Configuration used to register the Runner. See the README for an example, or reference the examples in the examples directory of this repo. There is also a good GitLab documentation available at: https://docs.gitlab.com/ee/ci/runners/configure_runners.html |
ca_certificate = optional(string, "")
certificate = optional(string, "")
registration_token = optional(string, "__REPLACED_BY_USER_DATA__")
runner_version = optional(string, "15.8.2")
url = optional(string, "")
url_clone = optional(string, "")
})
object({| `{}` | no | +| [runner\_gitlab\_registration\_token\_secure\_parameter\_store\_name](#input\_runner\_gitlab\_registration\_token\_secure\_parameter\_store\_name) | The name of the SSM parameter to read the GitLab Runner registration token from. | `string` | `"gitlab-runner-registration-token"` | no | +| [runner\_gitlab\_token\_secure\_parameter\_store](#input\_runner\_gitlab\_token\_secure\_parameter\_store) | Name of the Secure Parameter Store entry to hold the GitLab Runner token. | `string` | `"runner-token"` | no | +| [runner\_install](#input\_runner\_install) | amazon\_ecr\_credentials\_helper = Install amazon-ecr-credential-helper inside `userdata_pre_install` script
registration_token = optional(string, "")
tag_list = optional(string, "")
description = optional(string, "")
locked_to_project = optional(string, "")
run_untagged = optional(string, "")
maximum_timeout = optional(string, "")
access_level = optional(string, "not_protected") # this is the only mandatory field calling the GitLab get token for executor operation
})
object({| `{}` | no | +| [runner\_instance](#input\_runner\_instance) | additional\_tags = Map of tags that will be added to the Runner instance.
amazon_ecr_credential_helper = optional(bool, false)
docker_machine_download_url = optional(string, "")
docker_machine_version = optional(string, "0.16.2-gitlab.19-cki.2")
pre_install_script = optional(string, "")
post_install_script = optional(string, "")
start_script = optional(string, "")
yum_update = optional(bool, true)
})
object({|
additional_tags = optional(map(string))
collect_autoscaling_metrics = optional(list(string), null)
ebs_optimized = optional(bool, true)
max_lifetime_seconds = optional(number, null)
monitoring = optional(bool, true)
name = string
name_prefix = optional(string)
private_address_only = optional(bool, true)
root_device_config = optional(map(string), {})
spot_price = optional(string, null)
ssm_access = optional(bool, false)
type = optional(string, "t3.micro")
use_eip = optional(bool, false)
})
{| no | +| [runner\_manager](#input\_runner\_manager) | For details check https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-global-section
"name": "gitlab-runner"
}
object({| `{}` | no | +| [runner\_metadata\_options](#input\_runner\_metadata\_options) | Enable the Runner instance metadata service. IMDSv2 is enabled by default. |
gitlab_check_interval = optional(number, 3)
maximum_concurrent_jobs = optional(number, 10)
prometheus_listen_address = optional(string, "")
sentry_dsn = optional(string, "__SENTRY_DSN_REPLACED_BY_USER_DATA__")
})
object({|
http_endpoint = string
http_tokens = string
http_put_response_hop_limit = number
instance_metadata_tags = string
})
{| no | +| [runner\_networking](#input\_runner\_networking) | allow\_incoming\_ping = Allow ICMP Ping to the Runner. Specify `allow_incoming_ping_security_group_ids` too!
"http_endpoint": "enabled",
"http_put_response_hop_limit": 2,
"http_tokens": "required",
"instance_metadata_tags": "disabled"
}
object({| `{}` | no | +| [runner\_networking\_egress\_rules](#input\_runner\_networking\_egress\_rules) | List of egress rules for the Runner. |
allow_incoming_ping = optional(bool, false)
allow_incoming_ping_security_group_ids = optional(list(string), [])
security_group_description = optional(string, "A security group containing gitlab-runner agent instances")
security_group_ids = optional(list(string), [])
})
list(object({|
cidr_blocks = list(string)
ipv6_cidr_blocks = list(string)
prefix_list_ids = list(string)
from_port = number
protocol = string
security_groups = list(string)
self = bool
to_port = number
description = string
}))
[| no | +| [runner\_role](#input\_runner\_role) | additional\_tags = Map of tags that will be added to the role created. Useful for tag based authorization.
{
"cidr_blocks": [
"0.0.0.0/0"
],
"description": null,
"from_port": 0,
"ipv6_cidr_blocks": [
"::/0"
],
"prefix_list_ids": null,
"protocol": "-1",
"security_groups": null,
"self": null,
"to_port": 0
}
]
object({| `{}` | no | +| [runner\_schedule\_config](#input\_runner\_schedule\_config) | Map containing the configuration of the ASG scale-out and scale-in for the Runner. Will only be used if `agent_schedule_enable` is set to `true`. | `map(any)` |
additional_tags = optional(map(string))
allow_iam_service_linked_role_creation = optional(bool, true)
assume_role_policy_json = optional(string, "")
create_role_profile = optional(bool, true)
policy_arns = optional(list(string), [])
role_profile_name = optional(string)
})
{| no | +| [runner\_schedule\_enable](#input\_runner\_schedule\_enable) | Set to `true` to enable the auto scaling group schedule for the Runner. | `bool` | `false` | no | +| [runner\_sentry\_secure\_parameter\_store\_name](#input\_runner\_sentry\_secure\_parameter\_store\_name) | The Sentry DSN name used to store the Sentry DSN in Secure Parameter Store | `string` | `"sentry-dsn"` | no | +| [runner\_terminate\_ec2\_lifecycle\_hook\_name](#input\_runner\_terminate\_ec2\_lifecycle\_hook\_name) | Specifies a custom name for the ASG terminate lifecycle hook and related resources. | `string` | `null` | no | +| [runner\_terraform\_timeout\_delete\_asg](#input\_runner\_terraform\_timeout\_delete\_asg) | Timeout when trying to delete the Runner ASG. | `string` | `"10m"` | no | +| [runner\_worker](#input\_runner\_worker) | For detailed information, check https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-runners-section.
"scale_in_count": 0,
"scale_in_recurrence": "0 18 * * 1-5",
"scale_in_time_zone": "Etc/UTC",
"scale_out_count": 1,
"scale_out_recurrence": "0 8 * * 1-5",
"scale_out_time_zone": "Etc/UTC"
}
object({| `{}` | no | +| [runner\_worker\_cache](#input\_runner\_worker\_cache) | Configuration to control the creation of the cache bucket. By default the bucket will be created and used as shared
environment_variables = optional(list(string), [])
max_jobs = optional(number, 0)
output_limit = optional(number, 4096)
request_concurrency = optional(number, 1)
ssm_access = optional(bool, false)
type = optional(string, "docker+machine")
})
object({| `{}` | no | +| [runner\_worker\_docker\_add\_dind\_volumes](#input\_runner\_worker\_docker\_add\_dind\_volumes) | Add certificates and docker.sock to the volumes to support docker-in-docker (dind) | `bool` | `false` | no | +| [runner\_worker\_docker\_machine\_ami\_filter](#input\_runner\_worker\_docker\_machine\_ami\_filter) | List of maps used to create the AMI filter for the Runner Worker. | `map(list(string))` |
access_log_bucket_id = optional(string, null)
access_log_bucket_prefix = optional(string, null)
authentication_type = optional(string, "iam")
bucket = optional(string, "")
bucket_prefix = optional(string, "")
create = optional(bool, true)
expiration_days = optional(number, 1)
include_account_id = optional(bool, true)
policy = optional(string, "")
random_suffix = optional(bool, false)
shared = optional(bool, false)
versioning = optional(bool, false)
})
{| no | +| [runner\_worker\_docker\_machine\_ami\_owners](#input\_runner\_worker\_docker\_machine\_ami\_owners) | The list of owners used to select the AMI of the Runner Worker. | `list(string)` |
"name": [
"ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-*"
]
}
[| no | +| [runner\_worker\_docker\_machine\_autoscaling\_options](#input\_runner\_worker\_docker\_machine\_autoscaling\_options) | Set autoscaling parameters based on periods, see https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-runnersmachine-section |
"099720109477"
]
list(object({| `[]` | no | +| [runner\_worker\_docker\_machine\_ec2\_metadata\_options](#input\_runner\_worker\_docker\_machine\_ec2\_metadata\_options) | Enable the Runner Worker metadata service. Requires you use CKI maintained docker machines. |
periods = list(string)
idle_count = optional(number)
idle_scale_factor = optional(number)
idle_count_min = optional(number)
idle_time = optional(number)
timezone = optional(string, "UTC")
}))
object({|
http_tokens = string
http_put_response_hop_limit = number
})
{| no | +| [runner\_worker\_docker\_machine\_ec2\_options](#input\_runner\_worker\_docker\_machine\_ec2\_options) | List of additional options for the docker+machine config. Each element of this list must be a key=value pair. E.g. '["amazonec2-zone=a"]' | `list(string)` | `[]` | no | +| [runner\_worker\_docker\_machine\_extra\_egress\_rules](#input\_runner\_worker\_docker\_machine\_extra\_egress\_rules) | List of egress rules for the Runner Workers. |
"http_put_response_hop_limit": 2,
"http_tokens": "required"
}
list(object({|
cidr_blocks = list(string)
ipv6_cidr_blocks = list(string)
prefix_list_ids = list(string)
from_port = number
protocol = string
security_groups = list(string)
self = bool
to_port = number
description = string
}))
[| no | +| [runner\_worker\_docker\_machine\_fleet](#input\_runner\_worker\_docker\_machine\_fleet) | enable = Activates the fleet mode on the Runner. https://gitlab.com/cki-project/docker-machine/-/blob/v0.16.2-gitlab.19-cki.2/docs/drivers/aws.md#fleet-mode
{
"cidr_blocks": [
"0.0.0.0/0"
],
"description": "Allow all egress traffic for Runner Workers.",
"from_port": 0,
"ipv6_cidr_blocks": [
"::/0"
],
"prefix_list_ids": null,
"protocol": "-1",
"security_groups": null,
"self": null,
"to_port": 0
}
]
object({|
enable = bool
key_pair_name = optional(string, "fleet-key")
})
{| no | +| [runner\_worker\_docker\_machine\_instance](#input\_runner\_worker\_docker\_machine\_instance) | For detailed documentation check https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-runnersmachine-section
"enable": false
}
object({| `{}` | no | +| [runner\_worker\_docker\_machine\_instance\_spot](#input\_runner\_worker\_docker\_machine\_instance\_spot) | enable = Enable spot instances for the Runner Worker.
destroy_after_max_builds = optional(number, 0)
docker_registry_mirror_url = optional(string, "")
ebs_optimized = optional(bool, true)
idle_count = optional(number, 0)
idle_time = optional(number, 600)
monitoring = optional(bool, false)
name_prefix = optional(string, "")
private_address_only = optional(bool, true)
root_size = optional(number, 8)
start_script = optional(string, "")
subnet_ids = optional(list(string), [])
types = optional(list(string), ["m5.large"])
volume_type = optional(string, "gp2")
})
object({| `{}` | no | +| [runner\_worker\_docker\_machine\_role](#input\_runner\_worker\_docker\_machine\_role) | additional\_tags = Map of tags that will be added to the Runner Worker.
enable = optional(bool, true)
max_price = optional(string, "on-demand-price")
})
object({| `{}` | no | +| [runner\_worker\_docker\_machine\_security\_group\_description](#input\_runner\_worker\_docker\_machine\_security\_group\_description) | A description for the Runner Worker security group | `string` | `"A security group containing Runner Worker instances"` | no | +| [runner\_worker\_docker\_options](#input\_runner\_worker\_docker\_options) | Options added to the [runners.docker] section of config.toml to configure the Docker container of the Runner Worker. For
additional_tags = optional(map(string), {})
assume_role_policy_json = optional(string, "")
policy_arns = optional(list(string), [])
profile_name = optional(string, "")
})
object({|
allowed_images = optional(list(string))
allowed_pull_policies = optional(list(string))
allowed_services = optional(list(string))
cache_dir = optional(string)
cap_add = optional(list(string))
cap_drop = optional(list(string))
container_labels = optional(list(string))
cpuset_cpus = optional(string)
cpu_shares = optional(number)
cpus = optional(string)
devices = optional(list(string))
device_cgroup_rules = optional(list(string))
disable_cache = optional(bool, false)
disable_entrypoint_overwrite = optional(bool)
dns = optional(list(string))
dns_search = optional(list(string))
extra_hosts = optional(list(string))
gpus = optional(string)
helper_image = optional(string)
helper_image_flavor = optional(string)
host = optional(string)
hostname = optional(string)
image = optional(string, "docker:18.03.1-ce")
isolation = optional(string)
links = optional(list(string))
mac_address = optional(string)
memory = optional(string)
memory_swap = optional(string)
memory_reservation = optional(string)
network_mode = optional(string)
oom_kill_disable = optional(bool)
oom_score_adjust = optional(number)
privileged = optional(bool, true)
pull_policies = optional(list(string), ["always"])
runtime = optional(string)
security_opt = optional(list(string))
shm_size = optional(number, 0)
sysctls = optional(list(string))
tls_cert_path = optional(string)
tls_verify = optional(bool, false)
user = optional(string)
userns_mode = optional(string)
volumes = optional(list(string), ["/cache"])
volumes_from = optional(list(string))
volume_driver = optional(string)
wait_for_services_timeout = optional(number)
})
{| no | +| [runner\_worker\_docker\_services](#input\_runner\_worker\_docker\_services) | Starts additional services with the Docker container. All fields must be set (examine the Dockerfile of the service image for the entrypoint - see ./examples/runner-default/main.tf) |
"disable_cache": "false",
"image": "docker:18.03.1-ce",
"privileged": "true",
"pull_policy": "always",
"shm_size": 0,
"tls_verify": "false",
"volumes": [
"/cache"
]
}
list(object({| `[]` | no | +| [runner\_worker\_docker\_services\_volumes\_tmpfs](#input\_runner\_worker\_docker\_services\_volumes\_tmpfs) | Mount a tmpfs in gitlab service container. https://docs.gitlab.com/runner/executors/docker.html#mounting-a-directory-in-ram |
name = string
alias = string
entrypoint = list(string)
command = list(string)
}))
list(object({| `[]` | no | +| [runner\_worker\_docker\_volumes\_tmpfs](#input\_runner\_worker\_docker\_volumes\_tmpfs) | Mount a tmpfs in Executor container. https://docs.gitlab.com/runner/executors/docker.html#mounting-a-directory-in-ram |
volume = string
options = string
}))
list(object({| `[]` | no | +| [runner\_worker\_gitlab\_pipeline](#input\_runner\_worker\_gitlab\_pipeline) | post\_build\_script = Script to execute in the pipeline just after the build, but before executing after\_script.
volume = string
options = string
}))
object({| `{}` | no | +| [security\_group\_prefix](#input\_security\_group\_prefix) | Set the name prefix and overwrite the `Name` tag for all security groups. | `string` | `""` | no | +| [subnet\_id](#input\_subnet\_id) | Subnet id used for the Runner and Runner Workers. Must belong to the `vpc_id`. In case the fleet mode is used, multiple subnets for
post_build_script = optional(string, "\"\"")
pre_build_script = optional(string, "\"\"")
pre_clone_script = optional(string, "\"\"")
})