From 642924b0cd09d67283aa0349011f3894e710a75b Mon Sep 17 00:00:00 2001 From: Matthias Kay Date: Thu, 14 Oct 2021 14:26:43 +0200 Subject: [PATCH 01/31] Remove variable secure_parameter_store_runner_token_key --- README.md | 17 ----------------- locals.tf | 2 +- variables.tf | 6 ------ 3 files changed, 1 insertion(+), 24 deletions(-) diff --git a/README.md b/README.md index 11359fa5c..d1ddaf397 100644 --- a/README.md +++ b/README.md @@ -127,22 +127,6 @@ gitlab_runner_registration_config = { } ``` -For migration to the new setup simply add the runner token to the parameter store. Once the runner is started it will lookup the required values via the parameter store. If the value is `null` a new runner will be registered and a new token created/stored. - -```sh -# set the following variables, look up the variables in your Terraform config. -# see your Terraform variables to fill in the vars below. -aws-region=<${var.aws_region}> -token= -parameter-name=<${var.environment}>-<${var.secure_parameter_store_runner_token_key}> - -aws ssm put-parameter --overwrite --type SecureString --name "${parameter-name}" --value ${token} --region "${aws-region}" -``` - -Once you have created the parameter, you must remove the variable `runners_token` from your config. The next time your GitLab runner instance is created it will look up the token from the SSM parameter store. - -Finally, the runner still supports the manual runner creation. No changes are required. Please keep in mind that this setup will be removed in future releases. - ### Access runner instance A few option are provided to access the runner instance: @@ -423,7 +407,6 @@ terraform destroy | [runners\_volumes\_tmpfs](#input\_runners\_volumes\_tmpfs) | n/a |
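Review bot: Hard-coding `secure_parameter_store_runner_token_key = "${var.environment}-runner-token"` in locals.tf silently renames the SSM lookup for every deployment that had overridden `secure_parameter_store_runner_token_key`; callers still passing the variable get a loud unsupported-argument error, but a caller whose existing parameter lives under a custom name gets no signal, and per the README text this same commit removes, a missing value presumably triggers registration of a fresh runner while the old token and the old GitLab registration linger. The adjacent `secure_parameter_store_runner_sentry_dsn` local keeps its variable, so the two lines now read inconsistently and the `// Define key for runner token for SSM` comment no longer explains why one is fixed. I would at least extend that comment, e.g. `// Key for the runner token in SSM; fixed to "<environment>-runner-token" since the key variable was removed — rename any custom parameter before upgrading`, and record the breaking change in the module's release notes. The identical hunk appears again in PATCH 10/31 (locals.tf).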
list(object({
volume = string
options = string
}))
| `[]` | no | | [schedule\_config](#input\_schedule\_config) | Map containing the configuration of the ASG scale-in and scale-up for the runner instance. Will only be used if enable\_schedule is set to true. | `map(any)` |
{
"scale_in_count": 0,
"scale_in_recurrence": "0 18 * * 1-5",
"scale_out_count": 1,
"scale_out_recurrence": "0 8 * * 1-5"
}
| no | | [secure\_parameter\_store\_runner\_sentry\_dsn](#input\_secure\_parameter\_store\_runner\_sentry\_dsn) | The Sentry DSN name used to store the Sentry DSN in Secure Parameter Store | `string` | `"sentry-dsn"` | no | -| [secure\_parameter\_store\_runner\_token\_key](#input\_secure\_parameter\_store\_runner\_token\_key) | The key name used store the Gitlab runner token in Secure Parameter Store | `string` | `"runner-token"` | no | | [sentry\_dsn](#input\_sentry\_dsn) | Sentry DSN of the project for the runner to use (uses legacy DSN format) | `string` | `"__SENTRY_DSN_REPLACED_BY_USER_DATA__"` | no | | [ssh\_key\_pair](#input\_ssh\_key\_pair) | Set this to use existing AWS key pair | `string` | `null` | no | | [subnet\_id\_runners](#input\_subnet\_id\_runners) | List of subnets used for hosting the gitlab-runners. | `string` | n/a | yes | diff --git a/locals.tf b/locals.tf index 8ff1f3654..a38a4d24e 100644 --- a/locals.tf +++ b/locals.tf @@ -9,7 +9,7 @@ locals { runners_max_builds_string = var.runners_max_builds == 0 ? "" : format("MaxBuilds = %d", var.runners_max_builds) // Define key for runner token for SSM - secure_parameter_store_runner_token_key = "${var.environment}-${var.secure_parameter_store_runner_token_key}" + secure_parameter_store_runner_token_key = "${var.environment}-runner-token" secure_parameter_store_runner_sentry_dsn = "${var.environment}-${var.secure_parameter_store_runner_sentry_dsn}" // custom names for instances and security groups diff --git a/variables.tf b/variables.tf index f508e9c50..5a9e9cc80 100644 --- a/variables.tf +++ b/variables.tf 
@@ -555,12 +555,6 @@ variable "gitlab_runner_registration_config" { } } -variable "secure_parameter_store_runner_token_key" { - description = "The key name used store the Gitlab runner token in Secure Parameter Store" - type = string - default = "runner-token" -} - variable "secure_parameter_store_runner_sentry_dsn" { description = "The Sentry DSN name used to store the Sentry DSN in Secure Parameter Store" type = string From 00a94937abcc975a08fe828a40c39f8528a0e0fd Mon Sep 17 00:00:00 2001 From: Matthias Kay Date: Thu, 14 Oct 2021 14:36:50 +0200 Subject: [PATCH 02/31] Add documentation on how to provide the Gitlab token safely --- README.md | 37 ++++++++++++++++++++++++++++--------- 1 file changed, 28 insertions(+), 9 deletions(-) diff --git a/README.md b/README.md index d1ddaf397..8347d6557 100644 --- a/README.md +++ b/README.md 
@@ -116,16 +116,35 @@ By default the runner is registered on initial deployment. In previous versions To register the runner automatically set the variable `gitlab_runner_registration_config["registration_token"]`. This token value can be found in your GitLab project, group, or global settings. For a generic runner you can find the token in the admin section. By default the runner will be locked to the target project, not run untagged. Below is an example of the configuration map. ```hcl -gitlab_runner_registration_config = { - registration_token = "" - tag_list = "" - description = "" - locked_to_project = "true" - run_untagged = "false" - maximum_timeout = "3600" - access_level = "" +module "gitlab_runner" { + ... + + gitlab_runner_registration_config = { + registration_token = aws_ssm_parameter.gitlab_runner_registration_token.value + tag_list = "" + description = "" + locked_to_project = "true" + run_untagged = "false" + maximum_timeout = "3600" + access_level = "" + } } -``` + +# obtain this token from your Gitlab instance and store it manually in the SSM parameter + +resource "aws_ssm_parameter" "gitlab_runner_registration_token" { + name = "gitlab-registration-token" + type = "SecureString" + value = "Please fill manually." + description = "Gitlab registration token for a new runner." + + lifecycle { + # the secret is set manually + ignore_changes = [value] + } +}``` + +After deploying this infrastructure, fill in the token manually and kill the agents. After the automatic restart, all runners register automatically. ### Access runner instance From 74763a4c1af2c80abc45bc52f4dabf23d381c9b4 Mon Sep 17 00:00:00 2001 From: Matthias Kay Date: Thu, 14 Oct 2021 14:37:56 +0200 Subject: [PATCH 03/31] Remove documentation about SSH and EC2 key pairs --- README.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/README.md b/README.md index 8347d6557..5a5805923 100644 --- a/README.md +++ b/README.md 
@@ -150,8 +150,6 @@ After deploying this infrastructure, fill in the token manually and kill the age A few option are provided to access the runner instance: -1. Provide a public ssh key to access the runner by setting \`\`. -2. Provide a EC2 key pair to access the runner by setting \`\`. 3. Access via the Session Manager (SSM) by setting `enable_runner_ssm_access` to `true`. The policy to allow access via SSM is not very restrictive. 4. By setting none of the above, no keys or extra policies will be attached to the instance. You can still configure you own policies by attaching them to `runner_agent_role_arn`. From 991198af7194272845f79f7f573eb63fb7eafe19 Mon Sep 17 00:00:00 2001 From: Matthias Kay Date: Thu, 14 Oct 2021 14:39:51 +0200 Subject: [PATCH 04/31] Amend documentation --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 5a5805923..fd414d07c 100644 --- a/README.md +++ b/README.md 
@@ -113,7 +113,7 @@ resource "aws_iam_service_linked_role" "autoscaling" { By default the runner is registered on initial deployment. In previous versions of this module this was a manual process. The manual process is still supported but will be removed in future releases. The runner token will be stored in the AWS SSM parameter store. See [example](examples/runner-pre-registered/) for more details. -To register the runner automatically set the variable `gitlab_runner_registration_config["registration_token"]`. This token value can be found in your GitLab project, group, or global settings. For a generic runner you can find the token in the admin section. By default the runner will be locked to the target project, not run untagged. Below is an example of the configuration map. +To register the runner automatically set the variable `gitlab_runner_registration_config["registration_token"]`. This token value can be found in your GitLab project, group, or global settings. For a generic runner you can find the token in the admin section. By default the runner will be locked to the target project, not run untagged. Below is an example of the configuration map. As this token should not appear in your source code management tool, use a SSM parameter which is set manually. ```hcl module "gitlab_runner" { From 70b2032819af913652b8929541a03a72cbfc8bc9 Mon Sep 17 00:00:00 2001 
From: Matthias Kay Date: Thu, 14 Oct 2021 14:40:24 +0200 Subject: [PATCH 05/31] Remove pre-registered example. No longer supported. --- examples/runner-pre-registered/README.md | 30 ---------- .../runner-pre-registered/_docs/README.md | 7 --- .../runner-pre-registered/_docs/TF_MODULE.md | 23 -------- .../runner-pre-registered/generated/.gitkeep | 0 examples/runner-pre-registered/main.tf | 55 ------------------- examples/runner-pre-registered/providers.tf | 11 ---- examples/runner-pre-registered/variables.tf | 40 -------------- examples/runner-pre-registered/versions.tf | 26 --------- 8 files changed, 192 deletions(-) delete mode 100644 examples/runner-pre-registered/README.md delete mode 100644 examples/runner-pre-registered/_docs/README.md delete mode 100644 examples/runner-pre-registered/_docs/TF_MODULE.md delete mode 100644 examples/runner-pre-registered/generated/.gitkeep delete mode 100644 examples/runner-pre-registered/main.tf delete mode 100644 examples/runner-pre-registered/providers.tf delete mode 100644 examples/runner-pre-registered/variables.tf delete mode 100644 examples/runner-pre-registered/versions.tf diff --git a/examples/runner-pre-registered/README.md b/examples/runner-pre-registered/README.md deleted file mode 100644 index b4f78bde5..000000000 --- a/examples/runner-pre-registered/README.md +++ /dev/null 
@@ -1,30 +0,0 @@ -# Example - Spot Runner - Private subnets - -This is the previous default example. For this example you need to register the runner before running terraform and provide the runner token. Since version 3+ the runner can register itself by providing the registration token. This example is provided to showcase backwards compatibility. - -## Prerequisite - -The terraform version is managed using [tfenv](https://github.com/Zordrak/tfenv). If you are not using `tfenv` please check `.terraform-version` for the tested version. - -## Providers - -| Name | Version | -|------|---------| -| aws | 2.52 | - -## Inputs - -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:-----:| -| aws\_region | AWS region. | `string` | `"eu-west-1"` | no | -| environment | A name that identifies the environment, will used as prefix and for tagging. | `string` | `"ci-runners"` | no | -| gitlab\_url | URL of the gitlab instance to connect to. | `string` | n/a | yes | -| private\_ssh\_key\_filename | n/a | `string` | `"generated/id_rsa"` | no | -| public\_ssh\_key\_filename | n/a | `string` | `"generated/id_rsa.pub"` | no | -| runner\_name | Name of the runner, will be used in the runner config.toml | `string` | n/a | yes | -| runner\_token | Token for the runner, will be used in the runner config.toml | `string` | n/a | yes | -| timezone | Name of the timezone that the runner will be used in. | `string` | `"Europe/Amsterdam"` | no | - -## Outputs - -No output. diff --git a/examples/runner-pre-registered/_docs/README.md b/examples/runner-pre-registered/_docs/README.md deleted file mode 100644 index 611be28b1..000000000 --- a/examples/runner-pre-registered/_docs/README.md +++ /dev/null 
@@ -1,7 +0,0 @@ -# Example - Spot Runner - Private subnets - -This is the previous default example. For this example you need to register the runner before running terraform and provide the runner token. Since version 3+ the runner can register itself by providing the registration token. This example is provided to showcase backwards compatibility. - -## Prerequisite - -The terraform version is managed using [tfenv](https://github.com/Zordrak/tfenv). If you are not using `tfenv` please check `.terraform-version` for the tested version. diff --git a/examples/runner-pre-registered/_docs/TF_MODULE.md b/examples/runner-pre-registered/_docs/TF_MODULE.md deleted file mode 100644 index 6f66c49f7..000000000 --- a/examples/runner-pre-registered/_docs/TF_MODULE.md +++ /dev/null @@ -1,23 +0,0 @@ -## Providers - -| Name | Version | -|------|---------| -| aws | 2.52 | - -## Inputs - -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:-----:| -| aws\_region | AWS region. | `string` | `"eu-west-1"` | no | -| environment | A name that identifies the environment, will used as prefix and for tagging. | `string` | `"ci-runners"` | no | -| gitlab\_url | URL of the gitlab instance to connect to. | `string` | n/a | yes | -| private\_ssh\_key\_filename | n/a | `string` | `"generated/id_rsa"` | no | -| public\_ssh\_key\_filename | n/a | `string` | `"generated/id_rsa.pub"` | no | -| runner\_name | Name of the runner, will be used in the runner config.toml | `string` | n/a | yes | -| runner\_token | Token for the runner, will be used in the runner config.toml | `string` | n/a | yes | -| timezone | Name of the timezone that the runner will be used in. | `string` | `"Europe/Amsterdam"` | no | - -## Outputs - -No output. - diff --git a/examples/runner-pre-registered/generated/.gitkeep b/examples/runner-pre-registered/generated/.gitkeep deleted file mode 100644 index e69de29bb..000000000 
diff --git a/examples/runner-pre-registered/main.tf b/examples/runner-pre-registered/main.tf deleted file mode 100644 index 941d02adb..000000000 --- a/examples/runner-pre-registered/main.tf +++ /dev/null @@ -1,55 +0,0 @@ -data "aws_availability_zones" "available" { - state = "available" -} - -module "vpc" { - source = "terraform-aws-modules/vpc/aws" - version = "2.70" - - name = "vpc-${var.environment}" - cidr = "10.0.0.0/16" - - azs = [data.aws_availability_zones.available.names[0]] - private_subnets = ["10.0.1.0/24"] - public_subnets = ["10.0.101.0/24"] - - enable_nat_gateway = true - single_nat_gateway = true - - enable_s3_endpoint = true - - tags = { - Environment = var.environment - } -} - -module "key_pair" { - source = "../../modules/key-pair" - - environment = var.environment - name = var.runner_name -} - -module "runner" { - source = "../../" - - aws_region = var.aws_region - environment = var.environment - - ssh_key_pair = module.key_pair.key_pair.key_name - - vpc_id = module.vpc.vpc_id - subnet_ids_gitlab_runner = module.vpc.private_subnets - subnet_id_runners = element(module.vpc.private_subnets, 0) - - runners_name = var.runner_name - runners_gitlab_url = var.gitlab_url - runners_token = var.runner_token - - runners_off_peak_timezone = var.timezone - runners_off_peak_idle_count = 0 - runners_off_peak_idle_time = 60 - - # working 9 to 5 :) - runners_off_peak_periods = "[\"* * 0-9,17-23 * * mon-fri *\", \"* * * * * sat,sun *\"]" -} diff --git a/examples/runner-pre-registered/providers.tf b/examples/runner-pre-registered/providers.tf deleted file mode 100644 index 161b858de..000000000 --- a/examples/runner-pre-registered/providers.tf +++ /dev/null @@ -1,11 +0,0 @@ -provider "aws" { - region = var.aws_region -} - -provider "local" {} - -provider "null" {} - -provider "tls" {} - -provider "random" {} diff --git a/examples/runner-pre-registered/variables.tf b/examples/runner-pre-registered/variables.tf deleted file mode 100644 index 10329a319..000000000 
--- a/examples/runner-pre-registered/variables.tf +++ /dev/null @@ -1,40 +0,0 @@ -variable "aws_region" { - description = "AWS region." - type = string - default = "eu-west-1" -} - -variable "environment" { - description = "A name that identifies the environment, will used as prefix and for tagging." - default = "ci-runners" - type = string -} - -variable "public_ssh_key_filename" { - default = "generated/id_rsa.pub" -} - -variable "private_ssh_key_filename" { - default = "generated/id_rsa" -} - -variable "runner_name" { - description = "Name of the runner, will be used in the runner config.toml" - type = string -} - -variable "gitlab_url" { - description = "URL of the gitlab instance to connect to." - type = string -} - -variable "runner_token" { - description = "Token for the runner, will be used in the runner config.toml" - type = string -} - -variable "timezone" { - description = "Name of the timezone that the runner will be used in." - type = string - default = "Europe/Amsterdam" -} diff --git a/examples/runner-pre-registered/versions.tf b/examples/runner-pre-registered/versions.tf deleted file mode 100644 index e690e4f58..000000000 --- a/examples/runner-pre-registered/versions.tf +++ /dev/null @@ -1,26 +0,0 @@ - -terraform { - required_version = ">= 0.13" - required_providers { - aws = { - source = "hashicorp/aws" - version = "~> 3.35" - } - local = { - source = "hashicorp/local" - version = "~> 1.4" - } - null = { - source = "hashicorp/null" - version = "~> 3.0" - } - tls = { - source = "hashicorp/tls" - version = "~> 2.2" - } - random = { - source = "hashicorp/random" - version = "~> 3.0" - } - } -} From a5b44f8f13130076c2410d4c6c1e6e7ad752d086 Mon Sep 17 00:00:00 2001 From: Matthias Kay Date: Thu, 14 Oct 2021 14:43:17 +0200 Subject: [PATCH 06/31] Amend runner-default example --- examples/runner-default/variables.tf | 10 ++-------- 1 file changed, 2 insertions(+), 8 deletions(-) 
diff --git a/examples/runner-default/variables.tf b/examples/runner-default/variables.tf index 2e25de338..22b732839 100644 --- a/examples/runner-default/variables.tf +++ b/examples/runner-default/variables.tf @@ -10,14 +10,6 @@ variable "environment" { default = "runners-default" } -variable "public_ssh_key_filename" { - default = "generated/id_rsa.pub" -} - -variable "private_ssh_key_filename" { - default = "generated/id_rsa" -} - variable "runner_name" { description = "Name of the runner, will be used in the runner config.toml" type = string @@ -31,6 +23,8 @@ variable "gitlab_url" { } variable "registration_token" { + description = "The registration token obtained from your Gitlab instance." + type = string } variable "timezone" { From d56b788cc151a962ca8e14b9960ab6967ce2643c Mon Sep 17 00:00:00 2001 From: Matthias Kay Date: Thu, 14 Oct 2021 14:45:37 +0200 Subject: [PATCH 07/31] Ammend runner-docker example --- examples/runner-docker/variables.tf | 11 ++--------- 1 file changed, 2 insertions(+), 9 deletions(-) diff --git a/examples/runner-docker/variables.tf b/examples/runner-docker/variables.tf index c69522933..074f5dde0 100644 --- a/examples/runner-docker/variables.tf +++ b/examples/runner-docker/variables.tf @@ -10,14 +10,6 @@ variable "environment" { type = string } -# variable "public_ssh_key_filename" { -# default = "generated/id_rsa.pub" -# } - -# variable "private_ssh_key_filename" { -# default = "generated/id_rsa" -# } - variable "runner_name" { description = "Name of the runner, will be used in the runner config.toml" type = string @@ -31,5 +23,6 @@ variable "gitlab_url" { } variable "registration_token" { + description = "The registration token obtained from your Gitlab instance." + type = string } - From cb2b0f106b643ff3edd783af942dd8b1ae26030c Mon Sep 17 00:00:00 2001 
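Review bot: `registration_token` is a secret, but the added `description` and `type` lines in the second hunk of examples/runner-default/variables.tf leave it an ordinary input, so its value is shown in `terraform plan` output and in CI logs; adding `sensitive = true` to the block would redact it. That argument requires Terraform 0.14 or later, while the examples matrix in .github/workflows/ci.yml (PATCH 09/31) still includes 0.13.0, so it only fits if 0.13 support is dropped or the examples are split by version. The plain variable also sits oddly with the README guidance added in PATCH 02/31 to keep the token out of source control via a manually set SSM parameter; the example could read the token from such a parameter instead of an input variable. The same two lines are added to examples/runner-docker/variables.tf in this physical line and to examples/runner-public/variables.tf in PATCH 08/31.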
From: Matthias Kay Date: Thu, 14 Oct 2021 14:47:13 +0200 Subject: [PATCH 08/31] Amend runner-public example --- examples/runner-public/variables.tf | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/examples/runner-public/variables.tf b/examples/runner-public/variables.tf index e0d93bc47..3f96e856f 100644 --- a/examples/runner-public/variables.tf +++ b/examples/runner-public/variables.tf @@ -31,5 +31,6 @@ variable "gitlab_url" { } variable "registration_token" { + description = "The registration token obtained from your Gitlab instance." + type = string } - From fbaf149c1872213f6ecd721c6a2c9bb5915469a5 Mon Sep 17 00:00:00 2001 From: Matthias Kay Date: Thu, 14 Oct 2021 14:52:19 +0200 Subject: [PATCH 09/31] Remove the check of the pre-registered example. It's no longer there. --- .github/workflows/ci.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 62cd59170..757f09981 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -1,5 +1,5 @@ name: CI -on: +on: push: branches: - master @@ -11,7 +11,7 @@ jobs: name: Verify module strategy: matrix: - terraform: [1.0.8] + terraform: [1.0.8] runs-on: ubuntu-latest container: image: hashicorp/terraform:${{ matrix.terraform }} @@ -26,14 +26,14 @@ jobs: fail-fast: false matrix: terraform: [0.13.0, 0.14.0, 0.15.0, 1.0.8] - example: ["runner-default", "runner-docker", "runner-pre-registered", "runner-public"] + example: ["runner-default", "runner-docker", "runner-public"] defaults: run: working-directory: examples/${{ matrix.example }} runs-on: ubuntu-latest container: image: hashicorp/terraform:${{ matrix.terraform }} - steps: + steps: - uses: actions/checkout@v2 - run: terraform init -get -backend=false -input=false - if: contains(matrix.terraform, '1.0.') 
@@ -66,5 +66,5 @@ jobs: GITHUB_TOKEN: ${{ steps.app-token.outputs.token }} run: | cp .release/* . - yarn + yarn yarn release --repositoryUrl https://x-access-token:$GITHUB_TOKEN@github.com/$GITHUB_REPOSITORY.git From 1c52c8df647271f607e639be7b2cd42f7116ac4f Mon Sep 17 00:00:00 2001 From: Matthias Kay Date: Thu, 14 Oct 2021 14:26:43 +0200 Subject: [PATCH 10/31] Remove variable secure_parameter_store_runner_token_key --- README.md | 17 ----------------- locals.tf | 2 +- variables.tf | 6 ------ 3 files changed, 1 insertion(+), 24 deletions(-) diff --git a/README.md b/README.md index eee1aab5f..5cedb0926 100644 --- a/README.md +++ b/README.md @@ -127,22 +127,6 @@ gitlab_runner_registration_config = { } ``` -For migration to the new setup simply add the runner token to the parameter store. Once the runner is started it will lookup the required values via the parameter store. If the value is `null` a new runner will be registered and a new token created/stored. - -```sh -# set the following variables, look up the variables in your Terraform config. -# see your Terraform variables to fill in the vars below. -aws-region=<${var.aws_region}> -token= -parameter-name=<${var.environment}>-<${var.secure_parameter_store_runner_token_key}> - -aws ssm put-parameter --overwrite --type SecureString --name "${parameter-name}" --value ${token} --region "${aws-region}" -``` - -Once you have created the parameter, you must remove the variable `runners_token` from your config. The next time your GitLab runner instance is created it will look up the token from the SSM parameter store. - -Finally, the runner still supports the manual runner creation. No changes are required. Please keep in mind that this setup will be removed in future releases. - ### Access runner instance A few option are provided to access the runner instance: @@ -422,7 +406,6 @@ terraform destroy | [runners\_volumes\_tmpfs](#input\_runners\_volumes\_tmpfs) | n/a |
list(object({
volume = string
options = string
}))
| `[]` | no | | [schedule\_config](#input\_schedule\_config) | Map containing the configuration of the ASG scale-in and scale-up for the runner instance. Will only be used if enable\_schedule is set to true. | `map(any)` |
{
"scale_in_count": 0,
"scale_in_recurrence": "0 18 * * 1-5",
"scale_out_count": 1,
"scale_out_recurrence": "0 8 * * 1-5"
}
| no | | [secure\_parameter\_store\_runner\_sentry\_dsn](#input\_secure\_parameter\_store\_runner\_sentry\_dsn) | The Sentry DSN name used to store the Sentry DSN in Secure Parameter Store | `string` | `"sentry-dsn"` | no | -| [secure\_parameter\_store\_runner\_token\_key](#input\_secure\_parameter\_store\_runner\_token\_key) | The key name used store the Gitlab runner token in Secure Parameter Store | `string` | `"runner-token"` | no | | [sentry\_dsn](#input\_sentry\_dsn) | Sentry DSN of the project for the runner to use (uses legacy DSN format) | `string` | `"__SENTRY_DSN_REPLACED_BY_USER_DATA__"` | no | | [subnet\_id\_runners](#input\_subnet\_id\_runners) | List of subnets used for hosting the gitlab-runners. | `string` | n/a | yes | | [subnet\_ids\_gitlab\_runner](#input\_subnet\_ids\_gitlab\_runner) | Subnet used for hosting the GitLab runner. | `list(string)` | n/a | yes | diff --git a/locals.tf b/locals.tf index 2e0262eee..3e06b4f65 100644 --- a/locals.tf +++ b/locals.tf @@ -9,7 +9,7 @@ locals { runners_max_builds_string = var.runners_max_builds == 0 ? "" : format("MaxBuilds = %d", var.runners_max_builds) // Define key for runner token for SSM - secure_parameter_store_runner_token_key = "${var.environment}-${var.secure_parameter_store_runner_token_key}" + secure_parameter_store_runner_token_key = "${var.environment}-runner-token" secure_parameter_store_runner_sentry_dsn = "${var.environment}-${var.secure_parameter_store_runner_sentry_dsn}" // custom names for instances and security groups diff --git a/variables.tf b/variables.tf index 25fd35d86..10d820e2c 100644 --- a/variables.tf +++ b/variables.tf 
@@ -513,12 +513,6 @@ variable "gitlab_runner_registration_config" { } } -variable "secure_parameter_store_runner_token_key" { - description = "The key name used store the Gitlab runner token in Secure Parameter Store" - type = string - default = "runner-token" -} - variable "secure_parameter_store_runner_sentry_dsn" { description = "The Sentry DSN name used to store the Sentry DSN in Secure Parameter Store" type = string From 1a2eedba60350cc47de4bb1bcd7be470ac00ac39 Mon Sep 17 00:00:00 2001 From: Matthias Kay Date: Thu, 14 Oct 2021 14:36:50 +0200 Subject: [PATCH 11/31] Add documentation on how to provide the Gitlab token safely --- README.md | 37 ++++++++++++++++++++++++++++--------- 1 file changed, 28 insertions(+), 9 deletions(-) diff --git a/README.md b/README.md index 5cedb0926..2abdd2c82 100644 --- a/README.md +++ b/README.md 
@@ -116,16 +116,35 @@ By default the runner is registered on initial deployment. In previous versions To register the runner automatically set the variable `gitlab_runner_registration_config["registration_token"]`. This token value can be found in your GitLab project, group, or global settings. For a generic runner you can find the token in the admin section. By default the runner will be locked to the target project, not run untagged. Below is an example of the configuration map. ```hcl -gitlab_runner_registration_config = { - registration_token = "" - tag_list = "" - description = "" - locked_to_project = "true" - run_untagged = "false" - maximum_timeout = "3600" - access_level = "" +module "gitlab_runner" { + ... + + gitlab_runner_registration_config = { + registration_token = aws_ssm_parameter.gitlab_runner_registration_token.value + tag_list = "" + description = "" + locked_to_project = "true" + run_untagged = "false" + maximum_timeout = "3600" + access_level = "" + } } -``` + +# obtain this token from your Gitlab instance and store it manually in the SSM parameter + +resource "aws_ssm_parameter" "gitlab_runner_registration_token" { + name = "gitlab-registration-token" + type = "SecureString" + value = "Please fill manually." + description = "Gitlab registration token for a new runner." + + lifecycle { + # the secret is set manually + ignore_changes = [value] + } +}``` + +After deploying this infrastructure, fill in the token manually and kill the agents. After the automatic restart, all runners register automatically. ### Access runner instance From d704b3c81a276f51500c06fe766c25933dce95cf Mon Sep 17 00:00:00 2001 From: Matthias Kay Date: Thu, 14 Oct 2021 14:37:56 +0200 Subject: [PATCH 12/31] Remove documentation about SSH and EC2 key pairs --- README.md | 1 - 1 file changed, 1 deletion(-) diff --git a/README.md b/README.md index 2abdd2c82..5eaf96a88 100644 --- a/README.md +++ b/README.md 
@@ -150,7 +150,6 @@ After deploying this infrastructure, fill in the token manually and kill the age A few option are provided to access the runner instance: -2. Provide a EC2 key pair to access the runner by setting \`\`. 3. Access via the Session Manager (SSM) by setting `enable_runner_ssm_access` to `true`. The policy to allow access via SSM is not very restrictive. 4. By setting none of the above, no keys or extra policies will be attached to the instance. You can still configure you own policies by attaching them to `runner_agent_role_arn`. From 24a102690aca6edb126594b8bf1792e0ecfb2c3c Mon Sep 17 00:00:00 2001 From: Matthias Kay Date: Thu, 14 Oct 2021 14:39:51 +0200 Subject: [PATCH 13/31] Amend documentation --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 5eaf96a88..a3f573fc0 100644 --- a/README.md +++ b/README.md 
@@ -113,7 +113,7 @@ resource "aws_iam_service_linked_role" "autoscaling" { By default the runner is registered on initial deployment. In previous versions of this module this was a manual process. The manual process is still supported but will be removed in future releases. The runner token will be stored in the AWS SSM parameter store. See [example](examples/runner-pre-registered/) for more details. -To register the runner automatically set the variable `gitlab_runner_registration_config["registration_token"]`. This token value can be found in your GitLab project, group, or global settings. For a generic runner you can find the token in the admin section. By default the runner will be locked to the target project, not run untagged. Below is an example of the configuration map. +To register the runner automatically set the variable `gitlab_runner_registration_config["registration_token"]`. This token value can be found in your GitLab project, group, or global settings. For a generic runner you can find the token in the admin section. By default the runner will be locked to the target project, not run untagged. Below is an example of the configuration map. As this token should not appear in your source code management tool, use a SSM parameter which is set manually. ```hcl module "gitlab_runner" { From b531f3998b7220054a9baa4e48bb4bc2113aa9d8 Mon Sep 17 00:00:00 2001 
From: Matthias Kay Date: Thu, 14 Oct 2021 14:40:24 +0200 Subject: [PATCH 14/31] Remove pre-registered example. No longer supported. --- examples/runner-pre-registered/README.md | 28 ----------- .../runner-pre-registered/_docs/README.md | 7 --- .../runner-pre-registered/_docs/TF_MODULE.md | 23 --------- .../runner-pre-registered/generated/.gitkeep | 0 examples/runner-pre-registered/main.tf | 49 ------------------- examples/runner-pre-registered/providers.tf | 11 ----- examples/runner-pre-registered/variables.tf | 32 ------------ examples/runner-pre-registered/versions.tf | 26 ---------- 8 files changed, 176 deletions(-) delete mode 100644 examples/runner-pre-registered/README.md delete mode 100644 examples/runner-pre-registered/_docs/README.md delete mode 100644 examples/runner-pre-registered/_docs/TF_MODULE.md delete mode 100644 examples/runner-pre-registered/generated/.gitkeep delete mode 100644 examples/runner-pre-registered/main.tf delete mode 100644 examples/runner-pre-registered/providers.tf delete mode 100644 examples/runner-pre-registered/variables.tf delete mode 100644 examples/runner-pre-registered/versions.tf diff --git a/examples/runner-pre-registered/README.md b/examples/runner-pre-registered/README.md deleted file mode 100644 index 508382371..000000000 --- a/examples/runner-pre-registered/README.md +++ /dev/null 
@@ -1,28 +0,0 @@ -# Example - Spot Runner - Private subnets - -This is the previous default example. For this example you need to register the runner before running terraform and provide the runner token. Since version 3+ the runner can register itself by providing the registration token. This example is provided to showcase backwards compatibility. - -## Prerequisite - -The terraform version is managed using [tfenv](https://github.com/Zordrak/tfenv). If you are not using `tfenv` please check `.terraform-version` for the tested version. - -## Providers - -| Name | Version | -|------|---------| -| aws | 2.52 | - -## Inputs - -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:-----:| -| aws\_region | AWS region. | `string` | `"eu-west-1"` | no | -| environment | A name that identifies the environment, will used as prefix and for tagging. | `string` | `"ci-runners"` | no | -| gitlab\_url | URL of the gitlab instance to connect to. | `string` | n/a | yes | -| runner\_name | Name of the runner, will be used in the runner config.toml | `string` | n/a | yes | -| runner\_token | Token for the runner, will be used in the runner config.toml | `string` | n/a | yes | -| timezone | Name of the timezone that the runner will be used in. | `string` | `"Europe/Amsterdam"` | no | - -## Outputs - -No output. diff --git a/examples/runner-pre-registered/_docs/README.md b/examples/runner-pre-registered/_docs/README.md deleted file mode 100644 index 611be28b1..000000000 --- a/examples/runner-pre-registered/_docs/README.md +++ /dev/null 
@@ -1,7 +0,0 @@ -# Example - Spot Runner - Private subnets - -This is the previous default example. For this example you need to register the runner before running terraform and provide the runner token. Since version 3+ the runner can register itself by providing the registration token. This example is provided to showcase backwards compatibility. - -## Prerequisite - -The terraform version is managed using [tfenv](https://github.com/Zordrak/tfenv). If you are not using `tfenv` please check `.terraform-version` for the tested version. diff --git a/examples/runner-pre-registered/_docs/TF_MODULE.md b/examples/runner-pre-registered/_docs/TF_MODULE.md deleted file mode 100644 index 6f66c49f7..000000000 --- a/examples/runner-pre-registered/_docs/TF_MODULE.md +++ /dev/null @@ -1,23 +0,0 @@ -## Providers - -| Name | Version | -|------|---------| -| aws | 2.52 | - -## Inputs - -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:-----:| -| aws\_region | AWS region. | `string` | `"eu-west-1"` | no | -| environment | A name that identifies the environment, will used as prefix and for tagging. | `string` | `"ci-runners"` | no | -| gitlab\_url | URL of the gitlab instance to connect to. | `string` | n/a | yes | -| private\_ssh\_key\_filename | n/a | `string` | `"generated/id_rsa"` | no | -| public\_ssh\_key\_filename | n/a | `string` | `"generated/id_rsa.pub"` | no | -| runner\_name | Name of the runner, will be used in the runner config.toml | `string` | n/a | yes | -| runner\_token | Token for the runner, will be used in the runner config.toml | `string` | n/a | yes | -| timezone | Name of the timezone that the runner will be used in. | `string` | `"Europe/Amsterdam"` | no | - -## Outputs - -No output. - diff --git a/examples/runner-pre-registered/generated/.gitkeep b/examples/runner-pre-registered/generated/.gitkeep deleted file mode 100644 index e69de29bb..000000000 
diff --git a/examples/runner-pre-registered/main.tf b/examples/runner-pre-registered/main.tf deleted file mode 100644 index 0f4bc1204..000000000 --- a/examples/runner-pre-registered/main.tf +++ /dev/null @@ -1,49 +0,0 @@ -data "aws_availability_zones" "available" { - state = "available" -} - -module "vpc" { - source = "terraform-aws-modules/vpc/aws" - version = "2.70" - - name = "vpc-${var.environment}" - cidr = "10.0.0.0/16" - - azs = [data.aws_availability_zones.available.names[0]] - private_subnets = ["10.0.1.0/24"] - public_subnets = ["10.0.101.0/24"] - - enable_nat_gateway = true - single_nat_gateway = true - - enable_s3_endpoint = true - - tags = { - Environment = var.environment - } -} - -module "runner" { - source = "../../" - - aws_region = var.aws_region - environment = var.environment - - vpc_id = module.vpc.vpc_id - subnet_ids_gitlab_runner = module.vpc.private_subnets - subnet_id_runners = element(module.vpc.private_subnets, 0) - - runners_name = var.runner_name - runners_gitlab_url = var.gitlab_url - runners_token = var.runner_token - - # working 9 to 5 :) - runners_machine_autoscaling = [ - { - periods = ["\"* * 0-9,17-23 * * mon-fri *\"", "\"* * * * * sat,sun *\""] - idle_count = 0 - idle_time = 60 - timezone = var.timezone - } - ] -} diff --git a/examples/runner-pre-registered/providers.tf b/examples/runner-pre-registered/providers.tf deleted file mode 100644 index 161b858de..000000000 --- a/examples/runner-pre-registered/providers.tf +++ /dev/null @@ -1,11 +0,0 @@ -provider "aws" { - region = var.aws_region -} - -provider "local" {} - -provider "null" {} - -provider "tls" {} - -provider "random" {} diff --git a/examples/runner-pre-registered/variables.tf b/examples/runner-pre-registered/variables.tf deleted file mode 100644 index c5d14159e..000000000 --- a/examples/runner-pre-registered/variables.tf +++ /dev/null 
@@ -1,32 +0,0 @@ -variable "aws_region" { - description = "AWS region." - type = string - default = "eu-west-1" -} - -variable "environment" { - description = "A name that identifies the environment, will used as prefix and for tagging." - default = "ci-runners" - type = string -} - -variable "runner_name" { - description = "Name of the runner, will be used in the runner config.toml" - type = string -} - -variable "gitlab_url" { - description = "URL of the gitlab instance to connect to." - type = string -} - -variable "runner_token" { - description = "Token for the runner, will be used in the runner config.toml" - type = string -} - -variable "timezone" { - description = "Name of the timezone that the runner will be used in." - type = string - default = "Europe/Amsterdam" -} diff --git a/examples/runner-pre-registered/versions.tf b/examples/runner-pre-registered/versions.tf deleted file mode 100644 index e690e4f58..000000000 --- a/examples/runner-pre-registered/versions.tf +++ /dev/null @@ -1,26 +0,0 @@ - -terraform { - required_version = ">= 0.13" - required_providers { - aws = { - source = "hashicorp/aws" - version = "~> 3.35" - } - local = { - source = "hashicorp/local" - version = "~> 1.4" - } - null = { - source = "hashicorp/null" - version = "~> 3.0" - } - tls = { - source = "hashicorp/tls" - version = "~> 2.2" - } - random = { - source = "hashicorp/random" - version = "~> 3.0" - } - } -} From 35a98eaeb071c376302d222d5579ca177c148c0a Mon Sep 17 00:00:00 2001 From: Matthias Kay Date: Thu, 14 Oct 2021 14:43:17 +0200 Subject: [PATCH 15/31] Amend runner-default example --- examples/runner-default/variables.tf | 2 ++ 1 file changed, 2 insertions(+) diff --git a/examples/runner-default/variables.tf b/examples/runner-default/variables.tf index 717a7a897..22b732839 100644 --- a/examples/runner-default/variables.tf +++ b/examples/runner-default/variables.tf 
@@ -23,6 +23,8 @@ variable "gitlab_url" { } variable "registration_token" { + description = "The registration token obtained from your Gitlab instance." + type = string } variable "timezone" { From 9e9bd12e6ef4563221ec89a8bf8f1b7f53464bbc Mon Sep 17 00:00:00 2001 From: Matthias Kay Date: Thu, 14 Oct 2021 14:45:37 +0200 Subject: [PATCH 16/31] Ammend runner-docker example --- examples/runner-docker/variables.tf | 2 ++ 1 file changed, 2 insertions(+) diff --git a/examples/runner-docker/variables.tf b/examples/runner-docker/variables.tf index 44a4b5be5..074f5dde0 100644 --- a/examples/runner-docker/variables.tf +++ b/examples/runner-docker/variables.tf @@ -23,4 +23,6 @@ variable "gitlab_url" { } variable "registration_token" { + description = "The registration token obtained from your Gitlab instance." + type = string } From 7d924cdab9332b27a1ebd1a0dcb3691d24fb0e38 Mon Sep 17 00:00:00 2001 From: Matthias Kay Date: Thu, 14 Oct 2021 14:47:13 +0200 Subject: [PATCH 17/31] Amend runner-public example --- examples/runner-public/variables.tf | 2 ++ 1 file changed, 2 insertions(+) diff --git a/examples/runner-public/variables.tf b/examples/runner-public/variables.tf index ea2535fcb..a3d9cd432 100644 --- a/examples/runner-public/variables.tf +++ b/examples/runner-public/variables.tf @@ -23,4 +23,6 @@ variable "gitlab_url" { } variable "registration_token" { + description = "The registration token obtained from your Gitlab instance." + type = string } From 9e3eb378ed2b0420e87861193d49300fd0147cbf Mon Sep 17 00:00:00 2001 From: Matthias Kay Date: Thu, 14 Oct 2021 14:52:19 +0200 Subject: [PATCH 18/31] Remove the check of the pre-registered example. It's no longer there. --- .github/workflows/ci.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 62cd59170..757f09981 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -1,5 +1,5 @@ name: CI -on: +on: push: branches: - master 
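Review bot: The new `registration_token` variable holds a credential but is not marked `sensitive`, so its value is echoed in `terraform plan`/`apply` output whenever it is passed as a plain input; add `sensitive = true` next to the new `type = string` (this redacts CLI output only — if the value ends up in a resource attribute it is still written to state in plain text). Note that `sensitive` on input variables needs Terraform 0.14 or newer, while the CI matrix in this series still tests 0.13.0, so either drop 0.13 from the matrix or document the caveat. The description could also say how the value is meant to be supplied, e.g. `description = "The registration token obtained from your GitLab instance. Supply it via TF_VAR_registration_token or an SSM SecureString; never commit it to source control."`. The identical two-line addition appears in the runner-docker and runner-public example hunks in this series and the same point applies to them.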
@@ -11,7 +11,7 @@ jobs: name: Verify module strategy: matrix: - terraform: [1.0.8] + terraform: [1.0.8] runs-on: ubuntu-latest container: image: hashicorp/terraform:${{ matrix.terraform }} @@ -26,14 +26,14 @@ jobs: fail-fast: false matrix: terraform: [0.13.0, 0.14.0, 0.15.0, 1.0.8] - example: ["runner-default", "runner-docker", "runner-pre-registered", "runner-public"] + example: ["runner-default", "runner-docker", "runner-public"] defaults: run: working-directory: examples/${{ matrix.example }} runs-on: ubuntu-latest container: image: hashicorp/terraform:${{ matrix.terraform }} - steps: + steps: - uses: actions/checkout@v2 - run: terraform init -get -backend=false -input=false - if: contains(matrix.terraform, '1.0.') @@ -66,5 +66,5 @@ jobs: GITHUB_TOKEN: ${{ steps.app-token.outputs.token }} run: | cp .release/* . - yarn + yarn yarn release --repositoryUrl https://x-access-token:$GITHUB_TOKEN@github.com/$GITHUB_REPOSITORY.git From 4a29aef78b08fb5f542321992e144e203098616e Mon Sep 17 00:00:00 2001 From: Matthias Kay Date: Thu, 14 Oct 2021 14:36:50 +0200 Subject: [PATCH 19/31] Add documentation on how to provide the Gitlab token safely From 7017ac0ef64433f55aaf6529a38f2d45a77a65de Mon Sep 17 00:00:00 2001 From: Matthias Kay Date: Thu, 14 Oct 2021 14:37:56 +0200 Subject: [PATCH 20/31] Remove documentation about SSH and EC2 key pairs From 53dc94574ab212873b61747fe8bdf7289a82195b Mon Sep 17 00:00:00 2001 From: Matthias Kay Date: Thu, 14 Oct 2021 14:39:51 +0200 Subject: [PATCH 21/31] Amend documentation From 68d84888a4b7464cba68f79f0f49fcc483043aa3 Mon Sep 17 00:00:00 2001 From: Matthias Kay Date: Thu, 14 Oct 2021 14:40:24 +0200 Subject: [PATCH 22/31] Remove pre-registered example. No longer supported. From 226ba9b99fc8120fb6fb7a828248848a4d8df284 Mon Sep 17 00:00:00 2001 From: Matthias Kay Date: Thu, 14 Oct 2021 14:43:17 +0200 Subject: [PATCH 23/31] Amend runner-default example From 330638dda51e4e1ccf60143940f8220b799abb71 Mon Sep 17 00:00:00 2001 
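Review bot: `uses: actions/checkout@v2` in the context of the matrix hunk references a mutable tag rather than a commit SHA, so the workflow runs whatever that tag points at in future; pin it to a full commit hash with the version in a trailing comment, e.g. `- uses: actions/checkout@<full-commit-sha> # v2`. This line is not touched by the commit, so it is a pre-existing weakness rather than one the change introduces. The updated example list itself is consistent with the removal of `examples/runner-pre-registered` earlier in the series, as far as is visible here.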
From: Matthias Kay Date: Thu, 14 Oct 2021 14:45:37 +0200 Subject: [PATCH 24/31] Ammend runner-docker example From a0729f0ff69fca9f21e6c8e0d7136168cd2c3b3a Mon Sep 17 00:00:00 2001 From: Matthias Kay Date: Thu, 14 Oct 2021 14:47:13 +0200 Subject: [PATCH 25/31] Amend runner-public example From bfe6a2185987686614956c32b4bbbdd0128c32f5 Mon Sep 17 00:00:00 2001 From: Matthias Kay Date: Thu, 14 Oct 2021 14:52:19 +0200 Subject: [PATCH 26/31] Remove the check of the pre-registered example. It's no longer there. From bb8bd3e6ceed6e0bccb80b33f80fc94357bba2fc Mon Sep 17 00:00:00 2001 From: Matthias Kay Date: Sun, 27 Feb 2022 17:29:20 +0100 Subject: [PATCH 27/31] remove check for pre-registered runner --- .github/workflows/ci.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 71989dce2..af16ed3f1 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -31,7 +31,6 @@ jobs: "runner-default", "runner-docker", "runner-multi-region", - "runner-pre-registered", "runner-public", ] defaults: From 6bde737a077133366d400c135ba2e8b1c8ecbe9d Mon Sep 17 00:00:00 2001 From: kayma Date: Tue, 23 Aug 2022 23:29:58 +0200 Subject: [PATCH 28/31] small documentation changes --- README.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/README.md b/README.md index ba2fe2694..608438c43 100644 --- a/README.md +++ b/README.md 
@@ -112,7 +112,7 @@ resource "aws_iam_service_linked_role" "autoscaling" { By default the runner is registered on initial deployment. In previous versions of this module this was a manual process. The manual process is still supported but will be removed in future releases. The runner token will be stored in the AWS SSM parameter store. See [example](examples/runner-pre-registered/) for more details. -To register the runner automatically set the variable `gitlab_runner_registration_config["registration_token"]`. This token value can be found in your GitLab project, group, or global settings. For a generic runner you can find the token in the admin section. By default the runner will be locked to the target project, not run untagged. Below is an example of the configuration map. As this token should not appear in your source code management tool, use a SSM parameter which is set manually. +To register the runner automatically set the variable `gitlab_runner_registration_config["registration_token"]`. This token value can be found in your GitLab project, group, or global settings. For a generic runner you can find the token in the admin section. By default the runner will be locked to the target project, not run untagged. Below is an example of the configuration map. ```hcl module "gitlab_runner" { @@ -143,8 +143,6 @@ resource "aws_ssm_parameter" "gitlab_runner_registration_token" { } }``` -After deploying this infrastructure, fill in the token manually and kill the agents. After the automatic restart, all runners register automatically. - ### Auto Scaling Group Instance Termination The Auto Scaling Group may be configured with a From d04eb7a9d33dd0035bba14c2be692defcb1fc38c Mon Sep 17 00:00:00 2001 From: Matthias Kay Date: Thu, 1 Dec 2022 11:26:11 +0100 Subject: [PATCH 29/31] fix docs --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index b39288a57..61d421568 100644 --- a/README.md +++ b/README.md 
@@ -136,7 +136,6 @@ module "gitlab_runner" { } # obtain this token from your Gitlab instance and store it manually in the SSM parameter - resource "aws_ssm_parameter" "gitlab_runner_registration_token" { name = "gitlab-registration-token" type = "SecureString" @@ -147,7 +146,8 @@ resource "aws_ssm_parameter" "gitlab_runner_registration_token" { # the secret is set manually ignore_changes = [value] } -}``` +} +``` ### Auto Scaling Group Instance Termination From 9ff9f8778fd43a056a6a824aaace71dd0260aebb Mon Sep 17 00:00:00 2001 From: Matthias Kay Date: Thu, 2 Mar 2023 16:24:52 +0100 Subject: [PATCH 30/31] undo variable deletion to avoid breaking change --- variables.tf | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/variables.tf b/variables.tf index f29ea3221..da3779ba6 100644 --- a/variables.tf +++ b/variables.tf @@ -591,6 +591,12 @@ variable "gitlab_runner_registration_config" { } } +variable "secure_parameter_store_runner_token_key" { + description = "(Deprecated and not used) The key name used store the Gitlab runner token in Secure Parameter Store" + type = string + default = "runner-token" +} + variable "secure_parameter_store_runner_sentry_dsn" { description = "The Sentry DSN name used to store the Sentry DSN in Secure Parameter Store" type = string From faedae2062bd11062b7bdc13e9d2cc9424a5678a Mon Sep 17 00:00:00 2001 From: Matthias Kay Date: Thu, 30 Nov 2023 10:48:01 +0100 Subject: [PATCH 31/31] remove multi-region example again --- .github/workflows/ci.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 587e45606..98dc01465 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -39,7 +39,6 @@ jobs: [ "runner-default", "runner-docker", - "runner-multi-region", "runner-public", "runner-certificates", ]
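Review bot: The re-added `secure_parameter_store_runner_token_key` is accepted but, per its own description, ignored, so a caller who still sets it (or relies on the `runner-token` default) gets no signal that the runner token is no longer stored under that key; the description should state this unambiguously and fix the grammar: `description = "(Deprecated, no longer used) Formerly the key name used to store the GitLab runner token in Secure Parameter Store. Setting it has no effect and the variable will be removed in a future major release."`. Terraform input variables have no deprecation-warning mechanism, so the only in-code way to surface misuse would be a `validation` block rejecting non-default values, which would reintroduce the breaking change this patch is avoiding — a CHANGELOG and README entry is the practical alternative. Whether anything in `locals.tf` or the templates still reads this variable is not visible in this hunk, so confirm no reference remains before relying on "not used".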