diff --git a/.gitignore b/.gitignore index 0da0020..4d1596f 100644 --- a/.gitignore +++ b/.gitignore @@ -44,10 +44,12 @@ override.tf.json terraform.rc image-pipeline-ansible-playbooks/image-pipeline-ansible-playbooks/ image-pipeline-goss-testing/image-pipeline-goss-testing/ -**/runner.log -**/runner_error.log +**/runner.log* +**/runner_error.log* aws-image-pipeline/aws-image-pipeline/ windows-image-pipeline/windows-image-pipeline/ linux-image-pipeline/linux-image-pipeline/ automation-repos/automation-repos ghe-runners/ghe-runners +docker-image-pipeline/docker-image-pipeline +plans diff --git a/docker-image-pipeline/config.sh b/docker-image-pipeline/config.sh new file mode 100755 index 0000000..14cc6ba --- /dev/null +++ b/docker-image-pipeline/config.sh 
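Review bot: The ignore list still misses the per-host artifacts the new scripts drop into docker-image-pipeline/: env.sh writes `.env` and `.path` into the runner directory, svc.sh writes `.service`, and run.sh regenerates `run-helper.sh` from `run-helper.sh.template` on every restart, so all of these will show up as dirty or end up committed. Adding `docker-image-pipeline/.env`, `docker-image-pipeline/.path`, `docker-image-pipeline/.service` and `docker-image-pipeline/run-helper.sh` alongside the new `plans` entry would keep host-specific environment snapshots out of the repository. Whatever `Runner.Listener configure` itself writes next to the binary (registration and credential state) is not visible in this diff and deserves the same check.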
@@ -0,0 +1,81 @@ +#!/bin/bash + +user_id=`id -u` + +# we want to snapshot the environment of the config user +if [ $user_id -eq 0 -a -z "$RUNNER_ALLOW_RUNASROOT" ]; then + echo "Must not run with sudo" + exit 1 +fi + +# Check dotnet Core 6.0 dependencies for Linux +if [[ (`uname` == "Linux") ]] +then + command -v ldd > /dev/null + if [ $? -ne 0 ] + then + echo "Can not find 'ldd'. Please install 'ldd' and try again." + exit 1 + fi + + message="Execute sudo ./bin/installdependencies.sh to install any missing Dotnet Core 6.0 dependencies." + + ldd ./bin/libcoreclr.so | grep 'not found' + if [ $? -eq 0 ]; then + echo "Dependencies is missing for Dotnet Core 6.0" + echo $message + exit 1 + fi + + ldd ./bin/libSystem.Security.Cryptography.Native.OpenSsl.so | grep 'not found' + if [ $? -eq 0 ]; then + echo "Dependencies is missing for Dotnet Core 6.0" + echo $message + exit 1 + fi + + ldd ./bin/libSystem.IO.Compression.Native.so | grep 'not found' + if [ $? -eq 0 ]; then + echo "Dependencies is missing for Dotnet Core 6.0" + echo $message + exit 1 + fi + + if ! [ -x "$(command -v ldconfig)" ]; then + LDCONFIG_COMMAND="/sbin/ldconfig" + if ! [ -x "$LDCONFIG_COMMAND" ]; then + echo "Can not find 'ldconfig' in PATH and '/sbin/ldconfig' doesn't exists either. Please install 'ldconfig' and try again." + exit 1 + fi + else + LDCONFIG_COMMAND="ldconfig" + fi + + libpath=${LD_LIBRARY_PATH:-} + $LDCONFIG_COMMAND -NXv ${libpath//:/ } 2>&1 | grep libicu >/dev/null 2>&1 + if [ $? 
-ne 0 ]; then + echo "Libicu's dependencies is missing for Dotnet Core 6.0" + echo $message + exit 1 + fi +fi + +# Change directory to the script root directory +# https://stackoverflow.com/questions/59895/getting-the-source-directory-of-a-bash-script-from-within +SOURCE="${BASH_SOURCE[0]}" +while [ -h "$SOURCE" ]; do # resolve $SOURCE until the file is no longer a symlink + DIR="$( cd -P "$( dirname "$SOURCE" )" && pwd )" + SOURCE="$(readlink "$SOURCE")" + [[ $SOURCE != /* ]] && SOURCE="$DIR/$SOURCE" # if $SOURCE was a relative symlink, we need to resolve it relative to the path where the symlink file was located +done +DIR="$( cd -P "$( dirname "$SOURCE" )" && pwd )" +cd "$DIR" + +source ./env.sh + +shopt -s nocasematch +if [[ "$1" == "remove" ]]; then + ./bin/Runner.Listener "$@" +else + ./bin/Runner.Listener configure "$@" +fi diff --git a/docker-image-pipeline/env.sh b/docker-image-pipeline/env.sh new file mode 100755 index 0000000..641d244 --- /dev/null +++ b/docker-image-pipeline/env.sh @@ -0,0 +1,42 @@ +#!/bin/bash + +varCheckList=( + 'LANG' + 'JAVA_HOME' + 'ANT_HOME' + 'M2_HOME' + 'ANDROID_HOME' + 'ANDROID_SDK_ROOT' + 'GRADLE_HOME' + 'NVM_BIN' + 'NVM_PATH' + 'LD_LIBRARY_PATH' + 'PERL5LIB' + ) + +envContents="" + +if [ -f ".env" ]; then + envContents=`cat .env` +else + touch .env +fi + +function writeVar() +{ + checkVar="$1" + checkDelim="${1}=" + if test "${envContents#*$checkDelim}" = "$envContents" + then + if [ ! -z "${!checkVar}" ]; then + echo "${checkVar}=${!checkVar}">>.env + fi + fi +} + +echo $PATH>.path + +for var_name in ${varCheckList[@]} +do + writeVar "${var_name}" +done diff --git a/docker-image-pipeline/run-helper.cmd.template b/docker-image-pipeline/run-helper.cmd.template new file mode 100644 index 0000000..23e4246 --- /dev/null +++ b/docker-image-pipeline/run-helper.cmd.template 
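Review bot: The ldd dependency checks at the top of config.sh test `./bin/libcoreclr.so` and the other two libraries relative to the caller's current directory, while the `cd "$DIR"` that makes those paths valid only happens further down the file. Invoked from any other directory, ldd fails with "No such file", `grep 'not found'` then exits non-zero, and the script continues on to the runner with the check silently passed. Moving the symlink-resolution block and `cd "$DIR"` ahead of the `uname` check closes that gap. Smaller points: `[ $user_id -eq 0 -a -z "$RUNNER_ALLOW_RUNASROOT" ]` uses the deprecated `-a`, and `echo $message` should be `echo "$message"`.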
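Review bot: Both writes in env.sh are unquoted: `echo $PATH>.path` word-splits and globs the value, and `for var_name in ${varCheckList[@]}` does the same to the list; `printf '%s\n' "$PATH" >.path` and `for var_name in "${varCheckList[@]}"` preserve the values as-is. The presence test in writeVar (`${envContents#*$checkDelim}`) is unanchored, so an existing line such as `MY_LANG=x` in `.env` is taken as `LANG=` already present and the real value is skipped; anchoring the match to a line start, e.g. `grep -q "^${checkDelim}" .env`, avoids that. `checkVar` and `checkDelim` should also be declared `local`, since config.sh sources this file and they otherwise leak into its environment.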
@@ -0,0 +1,53 @@ +@echo off +SET UPDATEFILE=update.finished +"%~dp0\bin\Runner.Listener.exe" run %* + +rem using `if %ERRORLEVEL% EQU N` insterad of `if ERRORLEVEL N` +rem `if ERRORLEVEL N` means: error level is N or MORE + +if %ERRORLEVEL% EQU 0 ( + echo "Runner listener exit with 0 return code, stop the service, no retry needed." + exit /b 0 +) + +if %ERRORLEVEL% EQU 1 ( + echo "Runner listener exit with terminated error, stop the service, no retry needed." + exit /b 0 +) + +if %ERRORLEVEL% EQU 2 ( + echo "Runner listener exit with retryable error, re-launch runner in 5 seconds." + ping 127.0.0.1 -n 6 -w 1000 >NUL + exit /b 1 +) + +if %ERRORLEVEL% EQU 3 ( + rem Wait for 30 seconds or for flag file to exists for the ephemeral runner update process finish + echo "Runner listener exit because of updating, re-launch runner after successful update" + FOR /L %%G IN (1,1,30) DO ( + IF EXIST %UPDATEFILE% ( + echo "Update finished successfully." + del %FILE% + exit /b 1 + ) + ping 127.0.0.1 -n 2 -w 1000 >NUL + ) + exit /b 1 +) + +if %ERRORLEVEL% EQU 4 ( + rem Wait for 30 seconds or for flag file to exists for the runner update process finish + echo "Runner listener exit because of updating, re-launch runner after successful update" + FOR /L %%G IN (1,1,30) DO ( + IF EXIST %UPDATEFILE% ( + echo "Update finished successfully." + del %FILE% + exit /b 1 + ) + ping 127.0.0.1 -n 2 -w 1000 >NUL + ) + exit /b 1 +) + +echo "Exiting after unknown error code: %ERRORLEVEL%" +exit /b 0 \ No newline at end of file diff --git a/docker-image-pipeline/run-helper.sh b/docker-image-pipeline/run-helper.sh new file mode 100755 index 0000000..743fd8b --- /dev/null +++ b/docker-image-pipeline/run-helper.sh 
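Review bot: Both update branches (`EQU 3` and `EQU 4`) run `del %FILE%`, but the only variable set in this file is `UPDATEFILE`, so the flag file is never deleted and the next launch would see a stale `update.finished` immediately; both lines should read `del %UPDATEFILE%`. The two branches are otherwise identical and could share one label. This is a Windows helper committed under the Linux docker-image-pipeline directory and nothing else in the diff references it, so it may simply be dead weight here.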
@@ -0,0 +1,76 @@ +#!/bin/bash + +# Validate not sudo +user_id=`id -u` +if [ $user_id -eq 0 -a -z "$RUNNER_ALLOW_RUNASROOT" ]; then + echo "Must not run interactively with sudo" + exit 1 +fi + +# Run +shopt -s nocasematch + +SOURCE="${BASH_SOURCE[0]}" +while [ -h "$SOURCE" ]; do # resolve $SOURCE until the file is no longer a symlink + DIR="$( cd -P "$( dirname "$SOURCE" )" && pwd )" + SOURCE="$(readlink "$SOURCE")" + [[ $SOURCE != /* ]] && SOURCE="$DIR/$SOURCE" # if $SOURCE was a relative symlink, we need to resolve it relative to the path where the symlink file was located +done +DIR="$( cd -P "$( dirname "$SOURCE" )" && pwd )" + +# Wait for docker to start +if [ ! -z "$RUNNER_WAIT_FOR_DOCKER_IN_SECONDS" ]; then + if [ "$RUNNER_WAIT_FOR_DOCKER_IN_SECONDS" -gt 0 ]; then + echo "Waiting for docker to be ready." + for i in $(seq "$RUNNER_WAIT_FOR_DOCKER_IN_SECONDS"); do + if docker ps > /dev/null 2>&1; then + echo "Docker is ready." + break + fi + "$DIR"/safe_sleep.sh 1 + done + fi +fi + +updateFile="update.finished" +"$DIR"/bin/Runner.Listener run $* + +returnCode=$? +if [[ $returnCode == 0 ]]; then + echo "Runner listener exit with 0 return code, stop the service, no retry needed." + exit 0 +elif [[ $returnCode == 1 ]]; then + echo "Runner listener exit with terminated error, stop the service, no retry needed." + exit 0 +elif [[ $returnCode == 2 ]]; then + echo "Runner listener exit with retryable error, re-launch runner in 5 seconds." + "$DIR"/safe_sleep.sh 5 + exit 2 +elif [[ $returnCode == 3 ]]; then + # Wait for 30 seconds or for flag file to exists for the runner update process finish + echo "Runner listener exit because of updating, re-launch runner after successful update" + for i in {0..30}; do + if test -f "$updateFile"; then + echo "Update finished successfully." 
+ rm "$updateFile" + break + fi + "$DIR"/safe_sleep.sh 1 + done + exit 2 +elif [[ $returnCode == 4 ]]; then + # Wait for 30 seconds or for flag file to exists for the ephemeral runner update process finish + echo "Runner listener exit because of updating, re-launch runner after successful update" + for i in {0..30}; do + if test -f "$updateFile"; then + echo "Update finished successfully." + rm "$updateFile" + break + fi + "$DIR"/safe_sleep.sh 1 + done + exit 2 +else + echo "Exiting with unknown error code: ${returnCode}" + exit 0 +fi diff --git a/docker-image-pipeline/run-helper.sh.template b/docker-image-pipeline/run-helper.sh.template new file mode 100755 index 0000000..743fd8b --- /dev/null +++ b/docker-image-pipeline/run-helper.sh.template 
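Review bot: `"$DIR"/bin/Runner.Listener run $*` re-splits the arguments on whitespace before handing them to the listener, so any argument containing a space or glob character is mangled; `"$DIR"/bin/Runner.Listener run "$@"` passes them through intact. The same unquoted `$*` appears in run-helper.sh.template (identical content, same blob index) and several times in run.sh (`run $*`, `runWithManualTrap $*`, `"$DIR"/run-helper.sh $*`). Since run.sh overwrites run-helper.sh from the template on every loop iteration, committing both copies only guarantees a dirty tree; keeping the template alone is enough. Minor: `for i in {0..30}` is 31 iterations, not the 30 seconds the comment states, and `shopt -s nocasematch` has no effect on the numeric comparisons that follow it.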
@@ -0,0 +1,76 @@ +#!/bin/bash + +# Validate not sudo +user_id=`id -u` +if [ $user_id -eq 0 -a -z "$RUNNER_ALLOW_RUNASROOT" ]; then + echo "Must not run interactively with sudo" + exit 1 +fi + +# Run +shopt -s nocasematch + +SOURCE="${BASH_SOURCE[0]}" +while [ -h "$SOURCE" ]; do # resolve $SOURCE until the file is no longer a symlink + DIR="$( cd -P "$( dirname "$SOURCE" )" && pwd )" + SOURCE="$(readlink "$SOURCE")" + [[ $SOURCE != /* ]] && SOURCE="$DIR/$SOURCE" # if $SOURCE was a relative symlink, we need to resolve it relative to the path where the symlink file was located +done +DIR="$( cd -P "$( dirname "$SOURCE" )" && pwd )" + +# Wait for docker to start +if [ ! -z "$RUNNER_WAIT_FOR_DOCKER_IN_SECONDS" ]; then + if [ "$RUNNER_WAIT_FOR_DOCKER_IN_SECONDS" -gt 0 ]; then + echo "Waiting for docker to be ready." + for i in $(seq "$RUNNER_WAIT_FOR_DOCKER_IN_SECONDS"); do + if docker ps > /dev/null 2>&1; then + echo "Docker is ready." + break + fi + "$DIR"/safe_sleep.sh 1 + done + fi +fi + +updateFile="update.finished" +"$DIR"/bin/Runner.Listener run $* + +returnCode=$? +if [[ $returnCode == 0 ]]; then + echo "Runner listener exit with 0 return code, stop the service, no retry needed." + exit 0 +elif [[ $returnCode == 1 ]]; then + echo "Runner listener exit with terminated error, stop the service, no retry needed." + exit 0 +elif [[ $returnCode == 2 ]]; then + echo "Runner listener exit with retryable error, re-launch runner in 5 seconds." + "$DIR"/safe_sleep.sh 5 + exit 2 +elif [[ $returnCode == 3 ]]; then + # Wait for 30 seconds or for flag file to exists for the runner update process finish + echo "Runner listener exit because of updating, re-launch runner after successful update" + for i in {0..30}; do + if test -f "$updateFile"; then + echo "Update finished successfully." 
+ rm "$updateFile" + break + fi + "$DIR"/safe_sleep.sh 1 + done + exit 2 +elif [[ $returnCode == 4 ]]; then + # Wait for 30 seconds or for flag file to exists for the ephemeral runner update process finish + echo "Runner listener exit because of updating, re-launch runner after successful update" + for i in {0..30}; do + if test -f "$updateFile"; then + echo "Update finished successfully." + rm "$updateFile" + break + fi + "$DIR"/safe_sleep.sh 1 + done + exit 2 +else + echo "Exiting with unknown error code: ${returnCode}" + exit 0 +fi diff --git a/docker-image-pipeline/run.sh b/docker-image-pipeline/run.sh new file mode 100755 index 0000000..6b02ea1 --- /dev/null +++ b/docker-image-pipeline/run.sh 
@@ -0,0 +1,87 @@ +#!/bin/bash + +# Change directory to the script root directory +# https://stackoverflow.com/questions/59895/getting-the-source-directory-of-a-bash-script-from-within +SOURCE="${BASH_SOURCE[0]}" +while [ -h "$SOURCE" ]; do # resolve $SOURCE until the file is no longer a symlink + DIR="$( cd -P "$( dirname "$SOURCE" )" && pwd )" + SOURCE="$(readlink "$SOURCE")" + [[ $SOURCE != /* ]] && SOURCE="$DIR/$SOURCE" # if $SOURCE was a relative symlink, we need to resolve it relative to the path where the symlink file was located +done +DIR="$( cd -P "$( dirname "$SOURCE" )" && pwd )" + +run() { + # run the helper process which keep the listener alive + while :; + do + cp -f "$DIR"/run-helper.sh.template "$DIR"/run-helper.sh + "$DIR"/run-helper.sh $* + returnCode=$? + if [[ $returnCode -eq 2 ]]; then + echo "Restarting runner..." + else + echo "Exiting runner..." + exit 0 + fi + done +} + +runWithManualTrap() { + # Set job control + set -m + + trap 'kill -INT -$PID' INT TERM + + # run the helper process which keep the listener alive + while :; + do + cp -f "$DIR"/run-helper.sh.template "$DIR"/run-helper.sh + "$DIR"/run-helper.sh $* & + PID=$! + wait -f $PID + returnCode=$? + if [[ $returnCode -eq 2 ]]; then + echo "Restarting runner..." + else + echo "Exiting runner..." + # Unregister signal handling before exit + trap - INT TERM + # wait for last parts to be logged + wait $PID + exit $returnCode + fi + done +} + +function updateCerts() { + local sudo_prefix="" + local user_id=`id -u` + + if [ $user_id -ne 0 ]; then + if [[ ! 
-x "$(command -v sudo)" ]]; then + echo "Warning: failed to update certificate store: sudo is required but not found" + return 1 + else + sudo_prefix="sudo" + fi + fi + + if [[ -x "$(command -v update-ca-certificates)" ]]; then + eval $sudo_prefix "update-ca-certificates" + elif [[ -x "$(command -v update-ca-trust)" ]]; then + eval $sudo_prefix "update-ca-trust" + else + echo "Warning: failed to update certificate store: update-ca-certificates or update-ca-trust not found. This can happen if you're using a different runner base image." + return 1 + fi +} + +if [[ ! -z "$RUNNER_UPDATE_CA_CERTS" ]]; then + updateCerts +fi + +if [[ -z "$RUNNER_MANUALLY_TRAP_SIG" ]]; then + run $* +else + runWithManualTrap $* +fi \ No newline at end of file diff --git a/docker-image-pipeline/safe_sleep.sh b/docker-image-pipeline/safe_sleep.sh new file mode 100755 index 0000000..7ba5be3 --- /dev/null +++ b/docker-image-pipeline/safe_sleep.sh @@ -0,0 +1,6 @@ +#!/bin/bash + +SECONDS=0 +while [[ $SECONDS != $1 ]]; do + : +done diff --git a/docker-image-pipeline/svc.sh b/docker-image-pipeline/svc.sh new file mode 100755 index 0000000..edc720a --- /dev/null +++ b/docker-image-pipeline/svc.sh 
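Review bot: `eval $sudo_prefix "update-ca-certificates"` in updateCerts goes through eval for no reason; the command name is fixed, so `$sudo_prefix update-ca-certificates` (an empty `sudo_prefix` simply disappears) does the same without re-parsing a command string, and the `update-ca-trust` branch is the same. `wait -f $PID` in runWithManualTrap is, as far as I recall, only available from bash 5.0 onward, which is worth a comment or a version check given the shebang only asks for `/bin/bash`. `trap 'kill -INT -$PID' INT TERM` is also installed before `PID` has a value, so a signal arriving during the first `cp` runs `kill -INT -` and fails with a usage error; installing the trap after the first assignment avoids that.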
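Review bot: safe_sleep.sh busy-waits (`while [[ $SECONDS != $1 ]]; do :; done`), pinning a core for the whole interval, and the string comparison never terminates if `$1` is empty, non-numeric, or written differently from how bash prints `SECONDS` (e.g. `05`). Validating the argument and comparing numerically, `[[ $1 =~ ^[0-9]+$ ]] || exit 1` followed by `while (( SECONDS < $1 )); do :; done`, bounds the loop for any input. The callers in run-helper.sh only ever pass `1` and `5`, so the risk today is low, but the helper is a separate executable and can be invoked with anything.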
@@ -0,0 +1,179 @@ +#!/bin/bash + +SVC_NAME="actions.runner._services.docker-image-pipeline.service" +SVC_NAME=${SVC_NAME// /_} +SVC_DESCRIPTION="GitHub Actions Runner (_services.docker-image-pipeline)" + +SVC_CMD=$1 +arg_2=${2} + +RUNNER_ROOT=`pwd` + +UNIT_PATH=/etc/systemd/system/${SVC_NAME} +TEMPLATE_PATH=$GITHUB_ACTIONS_RUNNER_SERVICE_TEMPLATE +IS_CUSTOM_TEMPLATE=0 +if [[ -z $TEMPLATE_PATH ]]; then + TEMPLATE_PATH=./bin/actions.runner.service.template +else + IS_CUSTOM_TEMPLATE=1 +fi +TEMP_PATH=./bin/actions.runner.service.temp +CONFIG_PATH=.service + +user_id=`id -u` + +# systemctl must run as sudo +# this script is a convenience wrapper around systemctl +if [ $user_id -ne 0 ]; then + echo "Must run as sudo" + exit 1 +fi + +function failed() +{ + local error=${1:-Undefined error} + echo "Failed: $error" >&2 + exit 1 +} + +if [ ! -f "${TEMPLATE_PATH}" ]; then + if [[ $IS_CUSTOM_TEMPLATE = 0 ]]; then + failed "Must run from runner root or install is corrupt" + else + failed "Service file at '$GITHUB_ACTIONS_RUNNER_SERVICE_TEMPLATE' using GITHUB_ACTIONS_RUNNER_SERVICE_TEMPLATE env variable is not found" + fi +fi + +#check if we run as root +if [[ $(id -u) != "0" ]]; then + echo "Failed: This script requires to run with sudo." 
>&2 + exit 1 +fi + +function install() +{ + echo "Creating launch runner in ${UNIT_PATH}" + if [ -f "${UNIT_PATH}" ]; then + failed "error: exists ${UNIT_PATH}" + fi + + if [ -f "${TEMP_PATH}" ]; then + rm "${TEMP_PATH}" || failed "failed to delete ${TEMP_PATH}" + fi + + # can optionally use username supplied + run_as_user=${arg_2:-$SUDO_USER} + echo "Run as user: ${run_as_user}" + + run_as_uid=$(id -u ${run_as_user}) || failed "User does not exist" + echo "Run as uid: ${run_as_uid}" + + run_as_gid=$(id -g ${run_as_user}) || failed "Group not available" + echo "gid: ${run_as_gid}" + + sed "s/{{User}}/${run_as_user}/g; s/{{Description}}/$(echo ${SVC_DESCRIPTION} | sed -e 's/[\/&]/\\&/g')/g; s/{{RunnerRoot}}/$(echo ${RUNNER_ROOT} | sed -e 's/[\/&]/\\&/g')/g;" "${TEMPLATE_PATH}" > "${TEMP_PATH}" || failed "failed to create replacement temp file" + mv "${TEMP_PATH}" "${UNIT_PATH}" || failed "failed to copy unit file" + + # Recent Fedora based Linux (CentOS/Redhat) has SELinux enabled by default + # We need to restore security context on the unit file we added otherwise SystemD have no access to it. + command -v getenforce > /dev/null + if [ $? -eq 0 ] + then + selinuxEnabled=$(getenforce) + if [[ $selinuxEnabled == "Enforcing" ]] + then + # SELinux is enabled, we will need to Restore SELinux Context for the service file + restorecon -r -v "${UNIT_PATH}" || failed "failed to restore SELinux context on ${UNIT_PATH}" + fi + fi + + # unit file should not be executable and world writable + chmod 664 "${UNIT_PATH}" || failed "failed to set permissions on ${UNIT_PATH}" + systemctl daemon-reload || failed "failed to reload daemons" + + # Since we started with sudo, runsvc.sh will be owned by root. Change this to current login user. 
+ cp ./bin/runsvc.sh ./runsvc.sh || failed "failed to copy runsvc.sh" + chown ${run_as_uid}:${run_as_gid} ./runsvc.sh || failed "failed to set owner for runsvc.sh" + chmod 755 ./runsvc.sh || failed "failed to set permission for runsvc.sh" + + systemctl enable ${SVC_NAME} || failed "failed to enable ${SVC_NAME}" + + echo "${SVC_NAME}" > ${CONFIG_PATH} || failed "failed to create .service file" + chown ${run_as_uid}:${run_as_gid} ${CONFIG_PATH} || failed "failed to set permission for ${CONFIG_PATH}" +} + +function start() +{ + systemctl start ${SVC_NAME} || failed "failed to start ${SVC_NAME}" + status +} + +function stop() +{ + systemctl stop ${SVC_NAME} || failed "failed to stop ${SVC_NAME}" + status +} + +function uninstall() +{ + if service_exists; then + stop + systemctl disable ${SVC_NAME} || failed "failed to disable ${SVC_NAME}" + rm "${UNIT_PATH}" || failed "failed to delete ${UNIT_PATH}" + else + echo "Service ${SVC_NAME} is not installed" + fi + if [ -f "${CONFIG_PATH}" ]; then + rm "${CONFIG_PATH}" || failed "failed to delete ${CONFIG_PATH}" + fi + systemctl daemon-reload || failed "failed to reload daemons" +} + +function service_exists() { + if [ -f "${UNIT_PATH}" ]; then + return 0 + else + return 1 + fi +} + +function status() +{ + if service_exists; then + echo + echo "${UNIT_PATH}" + else + echo + echo "not installed" + echo + exit 1 + fi + + systemctl --no-pager status ${SVC_NAME} +} + +function usage() +{ + echo + echo Usage: + echo "./svc.sh [install, start, stop, status, uninstall]" + echo "Commands:" + echo " install [user]: Install runner service as Root or specified user." + echo " start: Manually start the runner service." + echo " stop: Manually stop the runner service." + echo " status: Display status of runner service." + echo " uninstall: Uninstall runner service." 
+ echo +} + +case $SVC_CMD in + "install") install;; + "status") status;; + "uninstall") uninstall;; + "start") start;; + "stop") stop;; + "status") status;; + *) usage;; +esac + +exit 0 diff --git a/external_actions.tf b/external_actions.tf index 94c1669..ae62523 100644 --- a/external_actions.tf +++ b/external_actions.tf @@ -1,26 +1,26 @@ -module github_script { - source = "HappyPathway/gh-actions/importer" - version = "0.0.15" - git_repo_url = "https://github.com/actions/github-script.git" +module "github_script" { + source = "HappyPathway/gh-actions/importer" + version = "0.0.15" + git_repo_url = "https://github.com/actions/github-script.git" git_repo_path = "/home/a/arnol377/git/gh-actions-github-script" - repo_name = "gh-actions-github-script" - repo_org = "CSVD" + repo_name = "gh-actions-github-script" + repo_org = "CSVD" } -module github_checkout { - source = "HappyPathway/gh-actions/importer" - version = "0.0.15" - git_repo_url = "https://github.com/actions/checkout.git" +module "github_checkout" { + source = "HappyPathway/gh-actions/importer" + version = "0.0.15" + git_repo_url = "https://github.com/actions/checkout.git" git_repo_path = "/home/a/arnol377/git/gh-actions-checkout" - repo_name = "gh-actions-checkout" - repo_org = "CSVD" + repo_name = "gh-actions-checkout" + repo_org = "CSVD" } -module setup_python { - source = "HappyPathway/gh-actions/importer" - version = "0.0.15" - git_repo_url = "https://github.com/actions/setup-python.git" +module "setup_python" { + source = "HappyPathway/gh-actions/importer" + version = "0.0.15" + git_repo_url = "https://github.com/actions/setup-python.git" git_repo_path = "/home/a/arnol377/git/gh-actions-setup-python" - repo_name = "gh-actions-setup-python" - repo_org = "CSVD" + repo_name = "gh-actions-setup-python" + repo_org = "CSVD" } diff --git a/iam_policy/session_configuration.json b/iam_policy/session_configuration.json new file mode 100644 index 0000000..e0b8197 --- /dev/null 
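Review bot: In install(), `run_as_user` (taken from `$2` or `SUDO_USER`) is spliced into the sed script unescaped, while `SVC_DESCRIPTION` and `RUNNER_ROOT` right next to it are escaped with `sed -e 's/[\/&]/\\&/g'`; a user name containing `/`, `&` or a newline silently corrupts the generated unit that is then installed under /etc/systemd/system. Escaping it the same way, `run_as_user_esc=$(printf '%s' "${run_as_user}" | sed -e 's/[\/&]/\\&/g')` and `s/{{User}}/${run_as_user_esc}/g`, keeps the three substitutions consistent; quoting `"${run_as_user}"` in the two `id` calls is the same fix. The root check is duplicated (`[ $user_id -ne 0 ]` and later `[[ $(id -u) != "0" ]]`), so the second block is unreachable, and the `case` at the bottom lists `"status")` twice.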
+++ b/iam_policy/session_configuration.json @@ -0,0 +1,27 @@ +{ + "Statement": [ + { + "Action": "s3:*", + "Effect": "Allow", + "Resource": [ + "arn:aws-us-gov:s3:::inf-test-08230846-acc4-7788-94df-5730ed20c008/*" + ] + }, + { + "Action": "ssm:*", + "Effect": "Allow", + "Resource": "*" + }, + { + "Action": "secretsmanager:*", + "Effect": "Allow", + "Resource": "*" + }, + { + "Action": "dynamodb:*", + "Effect": "Allow", + "Resource": "arn:aws-us-gov:dynamodb:us-gov-west-1:229685449397:table/tf_remote_state" + } + ], + "Version": "2012-10-17" +} diff --git a/main.tf b/main.tf index 1389279..3a030d4 100644 --- a/main.tf +++ b/main.tf @@ -1,13 +1,13 @@ locals { - pipeline_repos = [ + pipeline_repos = [ "aws-image-pipeline", "linux-image-pipeline", "windows-image-pipeline", "image-pipeline-goss-testing", "image-pipeline-ansible-playbooks", ] - workspace_repos = [ + workspace_repos = [ "automation-repos", "ghe-runners" ] 
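Review bot: The second and third statements grant `ssm:*` and `secretsmanager:*` on `"Resource": "*"`, i.e. full read, write and delete rights over every parameter and secret in the account, which is far broader than a pipeline session normally needs; scoping the actions to what the runner actually calls (for example `secretsmanager:GetSecretValue`, `ssm:GetParameter`) and the resources to the relevant ARNs would keep a leaked session token from becoming account-wide control over secrets. The S3 statement lists only the object ARN (`.../*`), so bucket-level operations such as `s3:ListBucket` are not covered — either intentional or a latent failure for list operations, worth confirming. Each statement would also benefit from a `Sid` stating its purpose.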
@@ -16,65 +16,65 @@ locals { local.workspace_repos ) secrets = [ - "AWS_SECRET_ACCESS_KEY", - "AWS_SESSION_TOKEN", - "AWS_ACCESS_KEY_ID", - "GITHUB_TOKEN" + "AWS_SECRET_ACCESS_KEY", + "AWS_SESSION_TOKEN", + "AWS_ACCESS_KEY_ID", + "GITHUB_TOKEN" ] } module "runner" { - source = "HappyPathway/runner/ghe" + source = "HappyPathway/runner/ghe" github_base_url = "https://github.e.it.census.gov" github_owner = "CSVD" runner_basedir = "/apps/terraform/workspaces/arnol377/git/ghe-runner" runner_tarball = "/apps/terraform/workspaces/arnol377/actions-runner-linux-x64-2.304.0.tar.gz" - repos = local.pipeline_repos + repos = local.pipeline_repos runner_labels = [ "image-pipeline" ] } module "tf_workspace_runners" { - source = "HappyPathway/runner/ghe" + source = "HappyPathway/runner/ghe" github_base_url = "https://github.e.it.census.gov" github_owner = "CSVD" runner_basedir = "/apps/terraform/workspaces/arnol377/git/ghe-runner" runner_tarball = "/apps/terraform/workspaces/arnol377/actions-runner-linux-x64-2.304.0.tar.gz" - repos = local.workspace_repos + repos = local.workspace_repos runner_labels = [ "terraform-workspaces" ] } -module env_var { - source = "HappyPathway/var/env" +module "env_var" { + source = "HappyPathway/var/env" for_each = toset(local.secrets) - env_var = each.value + env_var = each.value } -module repo_secrets { - source = "HappyPathway/vars/repo" +module "repo_secrets" { + source = "HappyPathway/vars/repo" for_each = toset(local.all_repos) repo = { name = each.value } secrets = [ - for secret in [for secret in local.secrets : secret if secret != "AWS_ACCESS_KEY_ID"]: - { - name = replace(secret, "GITHUB", "GH") - value = lookup(module.env_var, secret).value - } + for secret in [for secret in local.secrets : secret if secret != "AWS_ACCESS_KEY_ID"] : + { + name = replace(secret, "GITHUB", "GH") + value = lookup(module.env_var, secret).value + } ] vars = [ { - name = "AWS_ACCESS_KEY_ID" - value = lookup(module.env_var, "AWS_ACCESS_KEY_ID").value + name = 
"AWS_ACCESS_KEY_ID" + value = lookup(module.env_var, "AWS_ACCESS_KEY_ID").value } ] - + } -output secrets { +output "secrets" { value = module.env_var } diff --git a/supervisor/docker-image-pipeline.conf b/supervisor/docker-image-pipeline.conf new file mode 100755 index 0000000..2e0a6de --- /dev/null +++ b/supervisor/docker-image-pipeline.conf @@ -0,0 +1,16 @@ +[program:docker-image-pipeline] +directory=/apps/terraform/workspaces/arnol377/git/ghe-runner/docker-image-pipeline ; directory to cwd to before exec (def no cwd) +command=/apps/terraform/workspaces/arnol377/git/ghe-runner/docker-image-pipeline/run.sh +;numprocs=1 ; number of processes copies to start (def 1) +autostart=true ; start at supervisord start (default: true) +;startsecs=1 ; # of secs prog must stay up to be running (def. 1) +startretries=3 ; max # of serial start failures when starting (default 3) +autorestart=true +stdout_logfile=/apps/terraform/workspaces/arnol377/git/ghe-runner/docker-image-pipeline/runner.log ; stdout log path, NONE for none; default AUTO +stdout_logfile_maxbytes=1MB ; max # logfile bytes b4 rotation (default 50MB) +stdout_logfile_backups=10 ; # of stdout logfile backups (0 means none, default 10) +stdout_capture_maxbytes=1MB ; number of bytes in 'capturemode' (default 0) +stderr_logfile=/apps/terraform/workspaces/arnol377/git/ghe-runner/docker-image-pipeline/runner_error.log ; stderr log path, NONE for none; default AUTO +stderr_logfile_maxbytes=1MB ; max # logfile bytes b4 rotation (default 50MB) +stderr_logfile_backups=10 ; # of stderr logfile backups (0 means none, default 10) +stderr_capture_maxbytes=1MB ; number of bytes in 'capturemode' (default 0) \ No newline at end of file