Skip to content

Commit

Permalink
Code for create IAM policy and role for github-runner
Browse files Browse the repository at this point in the history
  • Loading branch information
Valentin Khramtsov committed Aug 20, 2024
1 parent df797d6 commit ede5e96
Show file tree
Hide file tree
Showing 4 changed files with 59 additions and 2 deletions.
5 changes: 5 additions & 0 deletions terraform/modules/aws-ecr/outputs.tf
Original file line number Diff line number Diff line change
Expand Up @@ -2,3 +2,8 @@ output "ecr_repository_url" {
value = var.create_ecr_repository ? aws_ecr_repository.this[0].repository_url : ""
description = "The URL of the ECR repository, or empty if not created."
}

output "ecr_repository_arn" {
value = var.create_ecr_repository ? aws_ecr_repository.this[0].arn : ""
description = "The ARN of the ECR repository, or empty if not created."
}
52 changes: 52 additions & 0 deletions terraform/modules/k8s-addons/eks-gha-runner-scale-set.tf
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,7 @@ locals {
namespace = local.helm_releases[index(local.helm_releases.*.id, "gha-runner-scale-set")].namespace
}
kube_github_runner_github_token = lookup(jsondecode(data.aws_secretsmanager_secret_version.infra.secret_string), "github_pat_token", "")
service_account_name = "gha-runner-scale-set-gha-rs-no-permission"

gha_runner_scale_set_values = <<VALUES
githubConfigUrl: "https://github.com/madopsio/madactions"
Expand Down Expand Up @@ -57,3 +58,54 @@ resource "helm_release" "gha_runner_scale_set" {
]
depends_on = [module.gha_runner_scale_set_controller_namespace]
}

resource "aws_iam_role" "github_actions_runner_role" {
count = local.gha_runner_scale_set.enabled ? 1 : 0
name = "${local.gha_runner_scale_set.name}-role"

assume_role_policy = data.aws_iam_policy_document.github_actions_runner_assume_role_policy.json
}

data "aws_iam_policy_document" "github_actions_runner_assume_role_policy" {
statement {
actions = ["sts:AssumeRoleWithWebIdentity"]
effect = "Allow"

principals {
type = "Federated"
identifiers = [local.eks_oidc_provider_arn]
}

condition {
test = "StringEquals"
variable = "${local.eks_oidc_provider_arn}:sub"
values = ["system:serviceaccount:${module.gha_runner_scale_set_controller_namespace[0].name}:${local.service_account_name}"]
}
}
}

resource "aws_iam_role_policy" "github_actions_runner_policy" {
count = local.gha_runner_scale_set.enabled ? 1 : 0
name = "${local.gha_runner_scale_set.name}-policy"
role = aws_iam_role.github_actions_runner_role[0].id

policy = data.aws_iam_policy_document.github_actions_runner_policy.json
}

data "aws_iam_policy_document" "github_actions_runner_policy" {
statement {
actions = [
"ecr:GetDownloadUrlForLayer",
"ecr:BatchGetImage",
"ecr:BatchCheckLayerAvailability",
"ecr:PutImage",
"ecr:InitiateLayerUpload",
"ecr:UploadLayerPart",
"ecr:CompleteLayerUpload",
"ecr:GetAuthorizationToken",
"ecr:ListImages"
]
resources = ["*"]
}
}

Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@ include "env" {
}

dependencies {
paths = ["../k8s-addons"]
paths = ["../karpenter"]
}

generate "providers_versions" {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -52,7 +52,7 @@ dependency "aws-r53" {
}

dependencies {
paths = ["../karpenter"]
paths = ["../karpenter", "../aws-ecr"]
}

generate "providers_versions" {
Expand Down

0 comments on commit ede5e96

Please sign in to comment.