updating stuff, hoping that Im not checking in garbage

CSVD · Sep 23, 2024 · 363afd1 · 363afd1
1 parent b41e717
commit 363afd1
Show file tree

Hide file tree

Showing 4 changed files with 59 additions and 115 deletions.
diff --git a/external_actions.tf b/external_actions.tf
diff --git a/iam.tf b/iam.tf
@@ -0,0 +1,6 @@
+resource "aws_iam_policy" "policy" {
+  name        = "${var.repo_org}-state-access"
+  path        = "/"
+  description = "Enables Github Actions access to State Config"
+  policy      = file("${path.module}/iam_policy/session_configuration.json")
+}
diff --git a/main.tf b/main.tf
@@ -1,5 +1,10 @@
 
 locals {
+  proxy_vars = {
+     HTTP_PROXY  = "http://proxy.tco.census.gov:3128"
+     NO_PROXY    = ".census.gov,169.254.169.254,148.129.*,10.*,172.18.*,172.22.*,172.23.*,172.24.*,172.25.*,.eks.amazonaws.com,.s3.amazonaws.com,.amazonaws.com,.gcr.io,.pkg.dev"
+     HTTPS_PROXY = "http://proxy.tco.census.gov:3128"
+  }
   pipeline_repos = [
     "aws-image-pipeline",
     "linux-image-pipeline",
@@ -39,7 +44,7 @@ resource "aws_cloudwatch_log_group" "function_log_group" {
 resource "aws_vpc_endpoint" "ecr" {
   for_each = var.create_vpc_endpoint ? toset([
     "com.amazonaws.${data.aws_region.current.name}.ecr.api",
-    "com.amazonaws.${data.aws_region.current.name}.ecr.dkr"
+    "com.amazonaws.${data.aws_region.current.name}.ecr.dkr",
   ]) : toset([])
   vpc_id            = var.vpc_id
   service_name      = each.value
@@ -70,50 +75,63 @@ locals {
 }
 
 module "github-runner" {
-  for_each     = toset([for repo in local.all_repos : repo])
-  source       = "HappyPathway/github-runner/ecs"
-  ecs_cluster  = data.aws_ecs_cluster.github-runner.cluster_name
-  hostname     = each.value
-  image        = "229685449397.dkr.ecr.us-gov-west-1.amazonaws.com/github-runners/${var.image_name}:${var.image_version}"
-  repo_org     = var.repo_org
-  repo_name    = each.value
-  namespace    = "${terraform.workspace}-${data.aws_caller_identity.current.account_id}-${data.aws_region.current.name}"
-  log_group    = aws_cloudwatch_log_group.function_log_group.name
-  runner_group = { create = false }
-  server_url   = var.server_url
+  # for_each     = toset([for repo in local.all_repos : repo])
+  source      = "HappyPathway/github-runner/ecs"
+  ecs_cluster = data.aws_ecs_cluster.github-runner.cluster_name
+  hostname    = "CSVD"
+  image       = "229685449397.dkr.ecr.us-gov-west-1.amazonaws.com/github-runners/${var.image_name}:${var.image_version}"
+  repo_org    = var.repo_org
+  # repo_name    = each.value
+  namespace = "csvd-${data.aws_caller_identity.current.account_id}-${data.aws_region.current.name}"
+  log_group = aws_cloudwatch_log_group.function_log_group.name
+  runner_group = {
+    create                     = true
+    name                       = data.aws_caller_identity.current.account_id
+    allows_public_repositories = true
+    restricted_to_workflows    = false
+    visibility                 = "all"
+  }
+
+  extra_environment_vars = local.proxy_vars  
+  github_runner_permissions_arn = aws_iam_policy.policy.arn
+
+  server_url = var.server_url
   runner_labels = [
-    each.value,
+    "csvd",
     "${data.aws_caller_identity.current.account_id}-${data.aws_region.current.name}",
     data.aws_caller_identity.current.account_id,
     data.aws_region.current.name,
     "ecs-github-runner"
   ]
   certs = var.certs
   network_configuration = {
-    subnets = var.subnets
-    security_groups = var.security_groups
+    subnets          = var.subnets
+    security_groups  = var.security_groups
     assign_public_ip = var.assign_public_ip
   }
   tag = "github-runner"
-}
-
-module "env_var" {
-  source   = "HappyPathway/var/env"
-  for_each = toset(local.secrets)
-  env_var  = each.value
-}
-
-module "repo_secrets" {
-  source   = "HappyPathway/vars/repo"
-  for_each = toset(local.all_repos)
-  repo = {
-    name = each.value
-  }
-  secrets = [
-    for secret in local.secrets :
-    {
-      name  = replace(secret, "GITHUB", "GH")
-      value = lookup(module.env_var, secret).value
-    }
+  depends_on = [
+    aws_iam_policy.policy
   ]
 }
+
+#module "env_var" {
+#  source   = "HappyPathway/var/env"
+#  for_each = toset(local.secrets)
+#  env_var  = each.value
+#}
+#
+#module "repo_secrets" {
+#  source   = "HappyPathway/vars/repo"
+#  for_each = toset(local.all_repos)
+#  repo = {
+#    name = each.value
+#  }
+#  secrets = [
+#    for secret in local.secrets :
+#    {
+#      name  = replace(secret, "GITHUB", "GH")
+#      value = lookup(module.env_var, secret).value
+#    }
+#  ]
+#}
diff --git a/terraform.tfstate b/terraform.tfstate