
Commit e2c4013

committed
1 parent 5b05422 commit e2c4013


5 files changed

+41
-11
lines changed


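--- a/modules/multi-runner/variables.tf
+++ b/modules/multi-runner/variables.tf
@@ -756,6 +756,16 @@ variable "iam_overrides" {
 override_runner_role = false
 runner_role_arn = null
 }
+
+validation {
+condition = !var.iam_overrides.override_instance_profile || var.iam_overrides.instance_profile_name != null
+error_message = "instance_profile_name must be provided when override_instance_profile is true."
+}
+
+validation {
+condition = !var.iam_overrides.override_runner_role || var.iam_overrides.runner_role_arn != null
+error_message = "runner_role_arn must be provided when override_runner_role is true."
+}
 }
 
 variable "lambda_event_source_mapping_batch_size" {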
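Review bot: The two new `validation` conditions apply `!` and `||` directly to `var.iam_overrides.override_instance_profile` and `override_runner_role`, and the root `variables.tf` hunk in this commit declares `override_instance_profile = optional(bool, null)`; if a caller omits that attribute, the operand is null, and HCL's boolean operators do not, to my understanding, accept a null operand, so the user would see an operation error instead of the intended `error_message`. The same blocks are added verbatim in `modules/runners/variables.tf` and `variables.tf`, so the fix applies to all three. A null-tolerant form keeps the message reachable, e.g. `condition = var.iam_overrides.override_instance_profile != true || var.iam_overrides.instance_profile_name != null` and likewise `var.iam_overrides.override_runner_role != true || var.iam_overrides.runner_role_arn != null`. Whether this module's own `type` declaration makes the flags nullable is outside the hunk; the `default` block here shows only `override_runner_role = false`.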

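--- a/modules/runners/policies-runner.tf
+++ b/modules/runners/policies-runner.tf
@@ -10,22 +10,22 @@ resource "aws_iam_role" "runner" {
 }
 
 resource "aws_iam_instance_profile" "runner" {
-count = var.iam_overrides["override_instance_profile"] ? 0 : 1
+count = (var.iam_overrides["override_instance_profile"] || var.iam_overrides["override_runner_role"]) ? 0 : 1
 name = "${var.prefix}-runner-profile"
 role = aws_iam_role.runner[0].name
 path = local.instance_profile_path
 tags = local.tags
 }
 
 resource "aws_iam_role_policy" "runner_session_manager_aws_managed" {
-count = var.iam_overrides["override_runner_role"] ? 0 : (var.enable_ssm_on_runners ? 1 : 0)
+count = (var.iam_overrides["override_runner_role"] || var.iam_overrides["override_instance_profile"]) ? 0 : (var.enable_ssm_on_runners ? 1 : 0)
 name = "runner-ssm-session"
 role = aws_iam_role.runner[0].name
 policy = templatefile("${path.module}/policies/instance-ssm-policy.json", {})
 }
 
 resource "aws_iam_role_policy" "ssm_parameters" {
-count = var.iam_overrides["override_runner_role"] ? 0 : 1
+count = (var.iam_overrides["override_runner_role"] || var.iam_overrides["override_instance_profile"]) ? 0 : 1
 name = "runner-ssm-parameters"
 role = aws_iam_role.runner[0].name
 policy = templatefile("${path.module}/policies/instance-ssm-parameters-policy.json",
@@ -37,7 +37,7 @@ resource "aws_iam_role_policy" "ssm_parameters" {
 }
 
 resource "aws_iam_role_policy" "dist_bucket" {
-count = var.iam_overrides["override_runner_role"] ? 0 : (var.enable_runner_binaries_syncer ? 1 : 0)
+count = (var.iam_overrides["override_runner_role"] || var.iam_overrides["override_instance_profile"]) ? 0 : (var.enable_runner_binaries_syncer ? 1 : 0)
 
 name = "distribution-bucket"
 role = aws_iam_role.runner[0].name
@@ -49,33 +49,33 @@ resource "aws_iam_role_policy" "dist_bucket" {
 }
 
 resource "aws_iam_role_policy_attachment" "xray_tracing" {
-count = var.iam_overrides["override_runner_role"] ? 0 : (var.tracing_config.mode != null ? 1 : 0)
+count = (var.iam_overrides["override_runner_role"] || var.iam_overrides["override_instance_profile"]) ? 0 : (var.tracing_config.mode != null ? 1 : 0)
 role = aws_iam_role.runner[0].name
 policy_arn = "arn:${var.aws_partition}:iam::aws:policy/AWSXRayDaemonWriteAccess"
 }
 
 resource "aws_iam_role_policy" "describe_tags" {
-count = var.iam_overrides["override_runner_role"] ? 0 : 1
+count = (var.iam_overrides["override_runner_role"] || var.iam_overrides["override_instance_profile"]) ? 0 : 1
 name = "runner-describe-tags"
 role = aws_iam_role.runner[0].name
 policy = file("${path.module}/policies/instance-describe-tags-policy.json")
 }
 
 resource "aws_iam_role_policy" "create_tag" {
-count = var.iam_overrides["override_runner_role"] ? 0 : 1
+count = (var.iam_overrides["override_runner_role"] || var.iam_overrides["override_instance_profile"]) ? 0 : 1
 name = "runner-create-tags"
 role = aws_iam_role.runner[0].name
 policy = templatefile("${path.module}/policies/instance-create-tags-policy.json", {})
 }
 
 resource "aws_iam_role_policy_attachment" "managed_policies" {
-count = var.iam_overrides["override_runner_role"] ? 0 : length(var.runner_iam_role_managed_policy_arns)
+count = (var.iam_overrides["override_runner_role"] || var.iam_overrides["override_instance_profile"]) ? 0 : length(var.runner_iam_role_managed_policy_arns)
 role = aws_iam_role.runner[0].name
 policy_arn = element(var.runner_iam_role_managed_policy_arns, count.index)
 }
 
 resource "aws_iam_role_policy" "ec2" {
-count = var.iam_overrides["override_runner_role"] ? 0 : 1
+count = (var.iam_overrides["override_runner_role"] || var.iam_overrides["override_instance_profile"]) ? 0 : 1
 name = "ec2"
 role = aws_iam_role.runner[0].name
 policy = templatefile("${path.module}/policies/instance-ec2.json", {})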
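Review bot: The guard `(var.iam_overrides["override_runner_role"] || var.iam_overrides["override_instance_profile"])` is now spelled out in nine separate `count` arguments across the three hunks, so the next change to the "who owns the runner permissions" rule has nine places to miss. Hoisting it once, e.g. `skip_runner_iam = var.iam_overrides["override_runner_role"] || var.iam_overrides["override_instance_profile"]` in `locals` and `count = local.skip_runner_iam ? 0 : 1` (or `? 0 : (…)` where a second condition follows), keeps the rule in one place and makes the intent readable. The `count` of `aws_iam_role.runner` itself is outside the first hunk and is not changed here, so with `override_instance_profile = true` and `override_runner_role = false` the module presumably still creates a runner role that now carries none of these policies, while `pool.tf` in this commit still hands `aws_iam_role.runner[0]` to the pool in that case; worth confirming that is intended or giving the role's `count` the same guard. Conversely the first hunk now skips `aws_iam_instance_profile.runner` whenever `override_runner_role` is true, so `override_runner_role = true` with `override_instance_profile = false` leaves no instance profile from this module; if that combination is unsupported, a variable validation stating so would fail earlier and more clearly than a missing profile at launch time.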

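--- a/modules/runners/pool.tf
+++ b/modules/runners/pool.tf
@@ -48,7 +48,7 @@ module "pool" {
 group_name = var.runner_group_name
 name_prefix = var.runner_name_prefix
 pool_owner = var.pool_runner_owner
-role = var.iam_overrides["override_runner_role"] ? var.iam_overrides["runner_role_arn"] : aws_iam_role.runner[0].name
+role = var.iam_overrides["override_runner_role"] ? { arn = var.iam_overrides["runner_role_arn"] } : aws_iam_role.runner[0]
 }
 subnet_ids = var.subnet_ids
 ssm_token_path = "${var.ssm_paths.root}/${var.ssm_paths.tokens}"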
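Review bot: The `role` argument now receives two differently shaped values, a one-key object `{ arn = … }` on the override path and the whole `aws_iam_role.runner[0]` resource otherwise, and the pool module's `role` variable is not part of this diff. If that variable is typed as `object({ arn = string })` both convert cleanly, but if the pool reads any other attribute (for instance `name`) the override branch fails at plan time and only when the override is enabled, which is the branch least likely to be exercised in tests. Passing an explicit object on both sides, `role = var.iam_overrides["override_runner_role"] ? { arn = var.iam_overrides["runner_role_arn"] } : { arn = aws_iam_role.runner[0].arn }`, makes the shape identical on both paths and documents what the pool actually consumes. The enclosing `module "pool"` block starts and ends outside the hunk.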

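--- a/modules/runners/variables.tf
+++ b/modules/runners/variables.tf
@@ -60,6 +60,16 @@ variable "iam_overrides" {
 override_runner_role = false
 runner_role_arn = null
 }
+
+validation {
+condition = !var.iam_overrides.override_instance_profile || var.iam_overrides.instance_profile_name != null
+error_message = "instance_profile_name must be provided when override_instance_profile is true."
+}
+
+validation {
+condition = !var.iam_overrides.override_runner_role || var.iam_overrides.runner_role_arn != null
+error_message = "runner_role_arn must be provided when override_runner_role is true."
+}
 }
 
 variable "tags" {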

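--- a/variables.tf
+++ b/variables.tf
@@ -109,7 +109,7 @@ variable "runner_group_name" {
 }
 
 variable "iam_overrides" {
-description = "This map provides the possibility to override some IAM defaults. Note that when using this variable, you are responsible for ensuring the role has necessary permissions to access required resources; `override_instance_profile`: When set to true, the instance profile name provided in `instance_profile_name` will be used for the runners. `override_runner_role`: When set to true, the role ARN provided in `runner_role_arn` will be used for the runners."
+description = "This map provides the possibility to override some IAM defaults. Note that when using this variable, you are responsible for ensuring the role has necessary permissions to access required resources. `override_instance_profile`: When set to true, uses the instance profile name specified in `instance_profile_name` instead of creating a new instance profile. `override_runner_role`: When set to true, uses the role ARN specified in `runner_role_arn` instead of creating a new IAM role."
 type = object({
 override_instance_profile = optional(bool, null)
 instance_profile_name = optional(string, null)
@@ -123,6 +123,16 @@ variable "iam_overrides" {
 override_runner_role = false
 runner_role_arn = null
 }
+
+validation {
+condition = !var.iam_overrides.override_instance_profile || var.iam_overrides.instance_profile_name != null
+error_message = "instance_profile_name must be provided when override_instance_profile is true."
+}
+
+validation {
+condition = !var.iam_overrides.override_runner_role || var.iam_overrides.runner_role_arn != null
+error_message = "runner_role_arn must be provided when override_runner_role is true."
+}
 }
 
 variable "scale_up_reserved_concurrent_executions" {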
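Review bot: The rewritten `description` in the first hunk tells the user that `override_instance_profile` only replaces the created instance profile, but the `modules/runners/policies-runner.tf` hunks in this same commit make that flag also skip every inline policy and policy attachment on the runner role (`runner_session_manager_aws_managed`, `ssm_parameters`, `dist_bucket`, `xray_tracing`, `describe_tags`, `create_tag`, `managed_policies`, `ec2`). Since the operator then owns the complete permission set of the runners, the description is the place to say so; I would extend the `override_instance_profile` sentence with `The module then attaches none of its runner policies, so the role behind the supplied profile must carry every permission the runners need (SSM, parameter store, distribution bucket, tagging, EC2).` This is a documentation-only change to the string; the `type` block continues outside the hunk.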
