diff --git a/github-runner/.terraform.lock.hcl b/github-runner/.terraform.lock.hcl new file mode 100644 index 0000000..8d1a734 --- /dev/null +++ b/github-runner/.terraform.lock.hcl 
@@ -0,0 +1,84 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/http" { + version = "3.4.0" + constraints = "~> 3.0" + hashes = [ + "h1:h3URn6qAnP36OlSqI1tTuKgPL3GriZaJia9ZDrUvRdg=", + "zh:56712497a87bc4e91bbaf1a5a2be4b3f9cfa2384baeb20fc9fad0aff8f063914", + "zh:6661355e1090ebacab16a40ede35b029caffc279d67da73a000b6eecf0b58eba", + "zh:67b92d343e808b92d7e6c3bbcb9b9d5475fecfed0836963f7feb9d9908bd4c4f", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:86ebb9be9b685c96dbb5c024b55d87526d57a4b127796d6046344f8294d3f28e", + "zh:902be7cfca4308cba3e1e7ba6fc292629dfd150eb9a9f054a854fa1532b0ceba", + "zh:9ba26e0215cd53b21fe26a0a98c007de1348b7d13a75ae3cfaf7729e0f2c50bb", + "zh:a195c941e1f1526147134c257ff549bea4c89c953685acd3d48d9de7a38f39dc", + "zh:a7967b3d2a8c3e7e1dc9ae381ca753268f9fce756466fe2fc9e414ca2d85a92e", + "zh:bde56542e9a093434d96bea21c341285737c6d38fea2f05e12ba7b333f3e9c05", + "zh:c0306f76903024c497fd01f9fd9bace5854c263e87a97bc2e89dcc96d35ca3cc", + "zh:f9335a6c336171e85f8e3e99c3d31758811a19aeb21fa8c9013d427e155ae2a9", + ] +} + +provider "registry.terraform.io/hashicorp/nomad" { + version = "2.0.0" + constraints = "~> 2.0" + hashes = [ + "h1:lIHIxA6ZmfyTGL3J9YIddhxlfit4ipSS09BLxkwo6L0=", + "zh:09b897d64db293f9a904a4a0849b11ec1e3fff5c638f734d82ae36d8dc044b72", + "zh:435cc106799290f64078ec24b6c59cb32b33784d609088638ed32c6d12121199", + "zh:7073444bd064e8c4ec115ca7d9d7f030cc56795c0a83c27f6668bba519e6849a", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:79d238c35d650d2d83a439716182da63f3b2767e72e4cbd0b69cb13d9b1aebfc", + "zh:7ef5f49344278fe0bbc5447424e6aa5425ff1821d010d944a444d7fa2c751acf", + "zh:92179091638c8ba03feef371c4361a790190f9955caea1fa59de2055c701a251", + "zh:a8a34398851761368eb8e7c171f24e55efa6e9fdbb5c455f6dec34dc17f631bc", + "zh:b38fd5338625ebace5a4a94cea1a28b11bd91995d834e318f47587cfaf6ec599", + 
"zh:b71b273a2aca7ad5f1e07c767b25b5a888881ba9ca93b30044ccc39c2937f03c", + "zh:cd14357e520e0f09fb25badfb4f2ee37d7741afdc3ed47c7bcf54c1683772543", + "zh:e05e025f4bb95138c3c8a75c636e97cd7cfd2fc1525b0c8bd097db8c5f02df6e", + ] +} + +provider "registry.terraform.io/hashicorp/vault" { + version = "3.21.0" + constraints = "~> 3.0" + hashes = [ + "h1:QVDIGe1ZHq97ymVJlZw76h+bVxU+xvDYafyXYJdCJ+4=", + "zh:00ff2d3b7b4a516ab883640256f3b1b612faf55902cae5fd614ac546452308d7", + "zh:179074d94db888f1f30afd1567140b2c9f2ab5f1dfb3f110e15193a93b33963f", + "zh:1ebf2ba457eec518d0cf0302641fdaffef36dbae8726551241807c7a06e19544", + "zh:1ee696fc57284c75b94f45e9bd71f9d9dd040491f4d882f18c1f5b3dda3ffdfb", + "zh:3093f2fd2429a4aecb80bc4fe148cae63da9871d36fd0d5e84c621f1fa65e8c9", + "zh:43346defacf9051af4fe123185b9d8e796d145a9e037a432278b2b65f521214c", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:868000939a0e5027809941962cdfce4d0d3b8d02b212e91867aecf0031793381", + "zh:c7570f5409f9f647c5d70202ce64da3bb0a142e8dbe9e98a7bda0fde94886d72", + "zh:cb5e39cc981d61b530939ba1ff4804bc19e217f7317c0f691c69b9e2127cd596", + "zh:d3251b1b73d8b89c40587aee649daf10382613bb59a6615fc16df8838678733d", + "zh:d5434cd4d9028082745b7078f0deb67635258c7c1477ea9fdc4f9dd9fce233a7", + ] +} + +provider "registry.terraform.io/integrations/github" { + version = "5.40.0" + constraints = "~> 5.0" + hashes = [ + "h1:pbFq74DVEMbu5xYUM2R2ouIjzlIA2WGg8u5jrmvecwk=", + "zh:02922b9eb54dcdbad524caaef7901a800759ae5d3a6c8cbdf934d4cfce395d5d", + "zh:282b9736c2afa9f4a7817d5da9ac0caeddb4edc085c7236b71f3ecbb539b2132", + "zh:49275a2a1b523da1794f0ea19dfc0f595d1ac8c711d24c6887bb672a5a571e01", + "zh:521bdef1fdd3211be6ba30edb3092acbed5974b62497d83028f0e8fd2d7bcd24", + "zh:62e8e8de673859a3c0c1e9fb0fd623e0012c8d9b44d45728ad1aa04d744b724c", + "zh:6fc1fbecf16b896f791d5708208295267f20cf4a62e393ecb93f70538306f30e", + "zh:6fef1d1c77ca2f77501a6ffd63640e0174905c7ae88aca516ede1a7263af8bc3", + 
"zh:923968a2eb3856db4e02b2e87dd0f09555531d09ad707c6dd53b1c9c3af0ff82", + "zh:95e409dfb3437171f66c97493c6ae9a75a7329c90a1d4c489663c6e3823d32af", + "zh:a45d0f1449bc2833974ba88e238a5ec0b41da64b18da626153ec0b650bf90e4c", + "zh:af5d8e506f3280ecf22824549c5b2b68ec047a0df9da0a19721b1a6303f77d5a", + "zh:ba03a3a81ebc68cc452930bca9289a5feb2b0d22d7997bea7f9e59bfd89babed", + "zh:d941df409e689f3deb06f912a57f2ee36ab223e1f48d395e3d43937e62a7fbea", + "zh:eaf71e9586b98c631218a67b1f1d7295ff224ba31b0c899e88e4aa217a160116", + ] +} diff --git a/github-runner/github-runner.nomad b/github-runner/github-runner.nomad new file mode 100644 index 0000000..03025bd --- /dev/null +++ b/github-runner/github-runner.nomad 
@@ -0,0 +1,69 @@
+variable "runner_version" {
+ description = "Version to use for the github runner.\nSee https://github.com/actions/runner/releases/"
+ default = "2.310.2"
+ type = string
+}
+
+variable "github_org" {
+ description = "Name of the github org we attach the runner to"
+ default = "SouthAfricaDigitalScience"
+ type = string
+}
+
+variable "token" {
+ description = "Github Personal Access Token"
+ default = "AAQEOZFGCRNN2DT7DBTYXMTEGKUB2"
+ type = string
+}
+job "github-runner" {
+ datacenters = ["dc1"]
+ group "main" {
+ task "configure" {
+ driver = "exec"
+ artifact {
+ source = "https://github.com/actions/runner/releases/download/v${var.runner_version}/actions-runner-linux-${attr.cpu.arch}-${var.runner_version}.tar.gz"
+ }
+ lifecycle {
+ hook = "prestart"
+ sidecar = false
+ }
+ config {
+ command = "/bin/bash"
+ args = [
+ "local/config.sh",
+ "--unattended",
+ "--url https://github.com/${var.github_org}",
+ "--token ${var.token}",
+ "--labels test"
+ ]
+ }
+ }
+ task "run" {
+ env {
+ RUNNER_CFG_PAT = var.token
+ }
+ driver = "exec"
+ config {
+ command = "/bin/bash"
+ args = [
+ "local/run.sh"
+ ]
+ }
+ }
+ task "remove" {
+ lifecycle {
+ hook = "poststop"
+ sidecar = false
+ }
+ driver = "exec"
+ config {
+ command = "config.sh"
+ args = [
+ "remove",
+ "--token",
+ var.token
+ ]
+ }
+ }
+ }
+}
diff --git a/github-runner/github-runner.nomad.tpl b/github-runner/github-runner.nomad.tpl
new file mode 100644
index 0000000..39de511
--- /dev/null
+++ b/github-runner/github-runner.nomad.tpl
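Review bot: `variable "token"` carries a literal credential as its `default`, so the value is now in git history and should be treated as exposed: revoke it on the GitHub side and drop the `default` line, leaving `variable "token" { type = string }` so a value has to be supplied at submit time. The same value is then expanded into the `args` of the `configure` and `remove` tasks and into `RUNNER_CFG_PAT` in `run`, which presumably makes it readable to anyone who can read the job definition through the Nomad API. A `template` block that reads the token from Vault at task start would keep it out of the jobspec altogether.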
@@ -0,0 +1,60 @@
+variable "runner_version" {
+ description = "Version to use for the github runner.\nSee https://github.com/actions/runner/releases/"
+ default = "2.303.0"
+ type = string
+}
+
+// variable "github_org" {
+// description = "Name of the github org we attach the runner to"
+// default = "SouthAfricaDigitalScience"
+// type = string
+// }
+job "github-runner" {
+ datacenters = ["dc1"]
+ group "main" {
+ task "dependencies" {
+ driver = "exec"
+ artifact {
+ source = "https://github.com/actions/runner/releases/download/v${runner_version}/actions-runner-linux-arm64-${runner_version}.tar.gz"
+ }
+ config {
+ command = "./bin/installdependencies.sh"
+ args = []
+ }
+ }
+ task "launch" {
+ env {
+ RUNNER_CFG_PAT = "${token}"
+ }
+ driver = "exec"
+ artifact {
+ source = "https://github.com/actions/runner/releases/download/v${runner_version}/actions-runner-linux-arm64-${runner_version}.tar.gz"
+ }
+ config {
+ command = "config.sh"
+ args = [
+ "config.sh",
+ "--unattended",
+ "--url", "https://github.com/${org_name}",
+ "--token", "${token}",
+ "--labels", "test"
+ ]
+ }
+ }
+ task "remove" {
+ lifecycle {
+ hook = "poststop"
+ sidecar = false
+ }
+ driver = "exec"
+ config {
+ command = "config.sh"
+ args = [
+ "remove",
+ "--token",
+ "${token}"
+ ]
+ }
+ }
+ }
+}
diff --git a/github-runner/main.tf b/github-runner/main.tf
new file mode 100644
index 0000000..c94ce6e
--- /dev/null
+++ b/github-runner/main.tf
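Review bot: Both `artifact` blocks (in `dependencies` and `launch`) fetch the runner tarball with no integrity check, and the extracted scripts are executed right away (`./bin/installdependencies.sh`, `config.sh`). Because the architecture is fixed to arm64 in this template, one digest per runner version can be pinned inside each `artifact`: `options { checksum = "sha256:<SHA256_OF_RELEASE_TARBALL>" }`, with the digest taken from the release notes of the chosen version. The `configure` task's `artifact` in github-runner.nomad has the same gap, though its `${attr.cpu.arch}` interpolation means one digest per architecture there.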
@@ -0,0 +1,112 @@
+terraform {
+ backend "consul" {
+ scheme = "http"
+ path = "terraform/personal/github-runners"
+ }
+ required_providers {
+ vault = {
+ source = "hashicorp/vault"
+ version = "~> 3.0"
+ }
+ github = {
+ source = "integrations/github"
+ version = "~> 5.0"
+ }
+ http = {
+ source = "hashicorp/http"
+ version = "~> 3.0"
+ }
+ nomad = {
+ source = "hashicorp/nomad"
+ version = "~> 2.0"
+ }
+ }
+}
+
+variable "org_name" {
+ description = "Name of the Github organisation"
+ default = "SouthAfricaDigitalScience"
+ sensitive = false
+ type = string
+}
+
+provider "vault" {
+ address = "http://sense:8200"
+}
+
+provider "nomad" {}
+
+data "vault_kv_secret_v2" "name" {
+ mount = "kv"
+ name = "github"
+}
+
+provider "github" {
+ token = data.vault_kv_secret_v2.name.data.personal
+}
+
+data "github_organization" "sads" {
+ name = var.org_name
+}
+
+locals {
+ runners_api_url = "https://api.github.com/orgs/${var.org_name}/actions/runners"
+ headers = {
+ "Accept" = "application/vnd.github+json"
+ "Authorization" = "Bearer ${data.vault_kv_secret_v2.name.data.personal}"
+ "X-GitHub-Api-Version" = "2022-11-28"
+ }
+}
+
+provider "http" {}
+
+data "http" "runners" {
+ url = local.runners_api_url
+ request_headers = local.headers
+ lifecycle {
+ postcondition {
+ condition = contains([200], self.status_code)
+ error_message = "Error"
+ }
+ }
+}
+
+data "http" "runner_reg_token" {
+ url = "${local.runners_api_url}/registration-token"
+ request_headers = local.headers
+ method = "POST"
+ lifecycle {
+ postcondition {
+ condition = contains([201, 204], self.status_code)
+ error_message = tostring(self.response_body)
+ }
+ }
+}
+
+resource "vault_kv_secret_v2" "runner_registration_token" {
+ mount = "kv"
+ name = "github_runner"
+ # cas = 1
+ # delete_all_versions = true
+ data_json = data.http.runner_reg_token.response_body
+ custom_metadata {
+ data = {
+ created_by = "Terraform"
+ }
+ }
+}
+
+resource "nomad_job" "runner" {
+ jobspec = templatefile("github-runner.nomad.tpl", {
+ token = jsondecode(vault_kv_secret_v2.runner_registration_token.data_json).token,
+ runner_version = "2.310.2",
+ org_name = var.org_name
+ })
+}
+
+resource "github_actions_runner_group" "arm64" {
+ allows_public_repositories = false
+ name = "hashi-at-home"
+ visibility = "private"
+ # default = false
+}
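Review bot: The Consul backend (`scheme = "http"`) and the Vault provider (`address = "http://sense:8200"`) both use cleartext HTTP, so the Vault token, the GitHub PAT read from `kv/github`, and the state that records them cross the network unencrypted. Terraform persists data-source results, so the state kept in Consul will likely hold the PAT (through `local.headers`) and the registration-token response body as well. If these hosts expose TLS listeners the change is `scheme = "https"` and `address = "https://sense:8200"`; if they cannot, a comment stating why plain HTTP is accepted here would help the next reader. Separately, `data "http" "runner_reg_token"` sends its POST on every refresh, so each plan presumably mints a fresh registration token.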