/**
* Copyright 2021 Mantel Group Pty Ltd
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
# Runner name used when registering with GitLab. Defaults to "gcp-<project>"
# and is replaced by var.ci_runner_gitlab_name whenever that is non-empty.
locals {
  ci_runner_gitlab_name_final = (
    var.ci_runner_gitlab_name != ""
    ? var.ci_runner_gitlab_name
    : "gcp-${var.gcp_project}"
  )

  # Short network name: the last "/"-separated segment of var.ci_runner_network,
  # so a bare network name and a full self-link both resolve to the same value.
  network_name = element(
    split("/", var.ci_runner_network),
    length(split("/", var.ci_runner_network)) - 1
  )
}
# Identity of the GitLab CI runner host. The runner itself does not execute
# jobs; it creates and tears down the worker instances that do. Project-level
# roles for this account are granted in the google_project_iam_member
# resources below.
resource "google_service_account" "ci_runner" {
  project      = var.gcp_project
  account_id   = format("%s-runner", var.gcp_resource_prefix)
  display_name = "GitLab CI Runner"
}
# Lets the runner create, start, stop and delete the worker VMs that
# docker-machine spawns. NOTE(review): granted project-wide, so the account can
# manage every Compute instance in the project, not only its own workers.
resource "google_project_iam_member" "instanceadmin_ci_runner" {
  project = var.gcp_project
  role    = "roles/compute.instanceAdmin.v1"
  member  = format("serviceAccount:%s", google_service_account.ci_runner.email)
}
# Network administration for the runner. Presumably required so docker-machine
# can attach workers to the network/subnetwork passed in the startup script —
# confirm the exact permissions used, since this role is project-wide.
resource "google_project_iam_member" "networkadmin_ci_runner" {
  project = var.gcp_project
  role    = "roles/compute.networkAdmin"
  member  = format("serviceAccount:%s", google_service_account.ci_runner.email)
}
# Security administration for the runner. Presumably needed for the firewall
# rules docker-machine's google driver manages for worker access — confirm.
# NOTE(review): this role permits editing any firewall rule in the project;
# a custom role or IAM condition scoped to the runner's rules would be tighter.
resource "google_project_iam_member" "securityadmin_ci_runner" {
  project = var.gcp_project
  role    = "roles/compute.securityAdmin"
  member  = format("serviceAccount:%s", google_service_account.ci_runner.email)
}
# Allows the runner host to ship its logs to Cloud Logging.
resource "google_project_iam_member" "logwriter_ci_runner" {
  project = var.gcp_project
  role    = "roles/logging.logWriter"
  member  = format("serviceAccount:%s", google_service_account.ci_runner.email)
}
# Identity attached to the worker VMs the runner spawns on demand. No IAM roles
# are granted to it in this file, so build jobs have no project access unless
# roles are granted elsewhere; the workers request the cloud-platform scope, so
# any role added later is fully usable from within a job.
resource "google_service_account" "ci_worker" {
  project      = var.gcp_project
  account_id   = format("%s-worker", var.gcp_resource_prefix)
  display_name = "GitLab CI Worker"
}
# Permits the runner to attach the ci_worker account to the instances it
# creates (docker-machine's --google-service-account option). Granted on the
# worker account only, so the runner cannot act as any other service account.
resource "google_service_account_iam_member" "ci_worker_ci_runner" {
  service_account_id = google_service_account.ci_worker.name
  role               = "roles/iam.serviceAccountUser"
  member             = format("serviceAccount:%s", google_service_account.ci_runner.email)
}
# GitLab CI runner host. It does not run jobs itself: gitlab-runner is
# registered with the docker+machine executor and spawns worker VMs on demand
# through docker-machine's google driver (see the startup script below).
# NOTE(review): no shielded_instance_config or enable-oslogin metadata is set;
# both are worth considering for a host that holds project-admin credentials.
resource "google_compute_instance" "ci_runner" {
  project      = var.gcp_project
  name         = "${var.gcp_resource_prefix}-runner"
  machine_type = var.ci_runner_instance_type
  zone         = var.gcp_zone
  # Lets Terraform stop and restart the VM for changes that cannot be applied
  # to a running instance (e.g. machine_type or service_account edits).
  allow_stopping_for_update = true

  boot_disk {
    initialize_params {
      # NOTE(review): CentOS 7 reached upstream end of life in June 2024, so this
      # image no longer receives security updates; a supported base image should
      # be used and the yum-based install steps in the startup script re-checked.
      image = "centos-cloud/centos-7"
      size  = var.ci_runner_disk_size
      type  = "pd-balanced"
    }
  }

  network_interface {
    network    = var.ci_runner_network
    subnetwork = var.ci_runner_subnetwork
    // No access_config block, so the runner has no external IP. The startup
    // script still downloads from packages.gitlab.com and github.com, so the
    // network presumably provides egress (Cloud NAT or a proxy) — confirm.
    //access_config {
    //}
  }

  tags = [var.ci_runner_instance_tags]

  # Startup script; GCE runs it as root on boot. Security notes for review:
  #  - Remote code is executed as root with no pinning or integrity check: the
  #    GitLab repository installer is piped from curl into `sudo bash`, and the
  #    docker-machine binary is fetched from a GitHub release without a
  #    checksum. Pinning versions and verifying a digest would close this
  #    supply-chain gap.
  #  - var.ci_token is interpolated into the script, so the GitLab registration
  #    token is stored in plaintext in instance metadata (readable from the VM
  #    metadata server and by anyone with compute.instances.get) and in the
  #    Terraform state. Fetching it at boot from Secret Manager is safer.
  #  - Worker VMs are created with the cloud-platform OAuth scope and the
  #    ci_worker service account; that account holds no roles in this file, but
  #    any role granted to it elsewhere becomes fully usable by build jobs.
  #  - --docker-privileged follows var.docker_privileged; when true, build
  #    containers run privileged on the worker VM.
  #  - The worker image is pinned to a dated Ubuntu 20.04 build (v20220419) and
  #    only picks up OS patches when that pin is bumped.
  #  - The pre/post clone and build scripts are %q-quoted with `$` escaped so
  #    literal `$` in user-supplied text is not expanded by the shell.
  #  - The docker-machine create/rm pair is a connectivity check that also
  #    generates the SSH keys docker-machine later reuses for workers.
  metadata_startup_script = <<SCRIPT
set -e
echo "Installing GitLab CI Runner"
curl -L https://packages.gitlab.com/install/repositories/runner/gitlab-runner/script.rpm.sh | sudo bash
sudo yum install -y gitlab-runner
echo "Installing docker machine."
curl -L https://github.com/docker/machine/releases/download/v0.16.2/docker-machine-Linux-x86_64 -o /tmp/docker-machine
sudo install /tmp/docker-machine /usr/local/bin/docker-machine
echo "Verifying docker-machine and generating SSH keys ahead of time."
docker-machine create --driver google \
--google-project ${var.gcp_project} \
--google-machine-type f1-micro \
--google-zone ${var.gcp_zone} \
--google-service-account ${google_service_account.ci_worker.email} \
--google-scopes https://www.googleapis.com/auth/cloud-platform \
--google-disk-type pd-ssd \
--google-disk-size ${var.ci_worker_disk_size} \
--google-machine-image ubuntu-os-cloud/global/images/ubuntu-2004-focal-v20220419 \
--google-tags ${var.ci_worker_instance_tags} \
--google-use-internal-ip \
--google-network ${var.ci_runner_network} \
%{if var.ci_runner_subnetwork != ""}--google-subnetwork ${var.ci_runner_subnetwork}%{endif} \
${var.gcp_resource_prefix}-test-machine
docker-machine rm -y ${var.gcp_resource_prefix}-test-machine
echo "Setting GitLab concurrency"
sed -i "s/concurrent = .*/concurrent = ${var.ci_concurrency}/" /etc/gitlab-runner/config.toml
echo "Registering GitLab CI runner with GitLab instance."
sudo gitlab-runner register -n \
--url ${var.gitlab_url} \
--token ${var.ci_token} \
--executor "docker+machine" \
--docker-image "alpine:latest" \
--tag-list "${var.ci_runner_gitlab_tags}" \
--machine-machine-driver google \
--docker-privileged=${var.docker_privileged} \
--machine-idle-time ${var.ci_worker_idle_time} \
--machine-machine-name "${var.gcp_resource_prefix}-worker-%s" \
--machine-machine-options "google-project=${var.gcp_project}" \
--machine-machine-options "google-machine-type=${var.ci_worker_instance_type}" \
--machine-machine-options "google-machine-image=ubuntu-os-cloud/global/images/ubuntu-2004-focal-v20220419" \
--machine-machine-options "google-zone=${var.gcp_zone}" \
--machine-machine-options "google-service-account=${google_service_account.ci_worker.email}" \
--machine-machine-options "google-scopes=https://www.googleapis.com/auth/cloud-platform" \
--machine-machine-options "google-disk-type=pd-ssd" \
--machine-machine-options "google-disk-size=${var.ci_worker_disk_size}" \
--machine-machine-options "google-tags=${var.ci_worker_instance_tags}" \
--machine-machine-options "google-use-internal-ip" \
--machine-machine-options "google-network=${var.ci_runner_network}" \
%{if var.ci_runner_subnetwork != ""}--machine-machine-options "google-subnetwork=${var.ci_runner_subnetwork}"%{endif} \
%{if var.pre_clone_script != ""}--pre-clone-script ${replace(format("%q", var.pre_clone_script), "$", "\\$")}%{endif} \
%{if var.post_clone_script != ""}--post-clone-script ${replace(format("%q", var.post_clone_script), "$", "\\$")}%{endif} \
%{if var.pre_build_script != ""}--pre-build-script ${replace(format("%q", var.pre_build_script), "$", "\\$")}%{endif} \
%{if var.post_build_script != ""}--post-build-script ${replace(format("%q", var.post_build_script), "$", "\\$")}%{endif} \
&& true
sudo gitlab-runner verify
echo "GitLab CI Runner installation complete"
SCRIPT

  # The runner VM authenticates as the ci_runner service account. The
  # cloud-platform scope does not narrow its access: effective permissions are
  # the project-level roles granted above (compute.instanceAdmin.v1,
  # compute.networkAdmin, compute.securityAdmin, logging.logWriter).
  service_account {
    email  = google_service_account.ci_runner.email
    scopes = ["cloud-platform"]
  }
}