terraform-aws-github-runner/examples/permissions-boundary/main.tf at a007628ff06bdb4111b2b554aedf1c9683d7d65d · github-aws-runners/terraform-aws-github-runner · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
locals {
  environment = "boundaries"
  aws_region  = "eu-west-1"
}

resource "random_id" "random" {
  byte_length = 20
}

data "terraform_remote_state" "iam" {
  backend = "local"

  config = {
    path = "${path.module}/setup/terraform.tfstate"
  }
}

resource "aws_kms_key" "github" {
  is_enabled = true
}

resource "aws_kms_alias" "github" {
  name          = "alias/github/action-runners"
  target_key_id = aws_kms_key.github.key_id
}
module "base" {
  source = "../base"

  prefix     = local.environment
  aws_region = local.aws_region
}

module "runners" {
  source = "../../"
  providers = {
    aws = aws.terraform_role
  }

  aws_region  = local.aws_region
  vpc_id      = module.base.vpc.vpc_id
  subnet_ids  = module.base.vpc.private_subnets
  kms_key_arn = aws_kms_key.github.key_id

  prefix = local.environment
  tags = {
    Project = "ProjectX"
  }

  github_app = {
    key_base64     = var.github_app.key_base64
    id             = var.github_app.id
    webhook_secret = random_id.random.hex
  }

  webhook_lambda_zip                = "../lambdas-download/webhook.zip"
  runner_binaries_syncer_lambda_zip = "../lambdas-download/runner-binaries-syncer.zip"
  runners_lambda_zip                = "../lambdas-download/runners.zip"
  runner_registration_level         = "repo"
  runner_extra_labels               = ["default", "example"]

  instance_profile_path     = "/runners/"
  role_path                 = "/runners/"
  role_permissions_boundary = data.terraform_remote_state.iam.outputs.boundary
}