feat(runners): add ec2_custom_allowed_tags variable and update create_tag policy to support custom tags

Author: stuartp44

modules/runners/policies-runner.tf

@@ -60,7 +60,9 @@ resource "aws_iam_role_policy" "describe_tags" {
 resource "aws_iam_role_policy" "create_tag" {
   name   = "runner-create-tags"
   role   = aws_iam_role.runner.name
-  policy = templatefile("${path.module}/policies/instance-create-tags-policy.json", {})
+  policy = templatefile("${path.module}/policies/instance-create-tags-policy.json", {
+    ec2_custom_allowed_tags = var.ec2_custom_allowed_tags
+  })
 }
 
 resource "aws_iam_role_policy_attachment" "managed_policies" {

modules/runners/policies/instance-create-tags-policy.json

@@ -5,9 +5,7 @@
             "Action": "ec2:CreateTags",
             "Condition": {
                 "ForAllValues:StringEquals": {
-                    "aws:TagKeys": [
-                        "ghr:github_runner_id"
-                    ]
+                    "aws:TagKeys": ${jsonencode(concat(["ghr:github_runner_id"], ec2_custom_allowed_tags))}
                 },
                 "StringEquals": {
                     "aws:ARN": "$${ec2:SourceInstanceARN}"

modules/runners/variables.tf

@@ -761,3 +761,9 @@ variable "user_agent" {
   type        = string
   default     = null
 }
+
+variable "ec2_custom_allowed_tags" {
+  description = "Allows the EC2 instance to create tags listed here."
+  type        = list(string)
+  default     = []
+}