feat(github-runner): add terraform for github runner (#64)

feat(github-runner): add terraform for github runner chore: update promtail priority to 90 chore: add nomad format hook fix(promtail): add an update stanza to promtail fix(github-runner): redesign the nomad job template to use different orgs Provide different job names and group names --------- Signed-off-by: Bruce Becker <brucellino@protonmail.com>
brucellino · Oct 24, 2023 · 04a123d · 04a123d
1 parent 69554e8
commit 04a123d
Show file tree

Hide file tree

Showing 7 changed files with 482 additions and 125 deletions.
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -26,5 +26,16 @@ repos:
     rev: v1.26.3
     hooks:
       - id: tfsec-system
+  - repo: local
+    hooks:
+      - id: format-jobspec
+        name: Format jobspec
+        language: system
+        entry: nomad
+        args:
+          - fmt
+        files: nomad
+        exclude: ".*tpl"
+
 ci:
   autoupdate_branch: main
diff --git a/github-runner/.terraform.lock.hcl b/github-runner/.terraform.lock.hcl
diff --git a/github-runner/github-runner.nomad b/github-runner/github-runner.nomad
@@ -0,0 +1,69 @@
+variable "runner_version" {
+  description = "Version to use for the github runner.\nSee https://github.com/actions/runner/releases/"
+  default = "2.310.2"
+  type = string
+}
+
+variable "github_org" {
+  description = "Name of the github org we attach the runner to"
+  default = "SouthAfricaDigitalScience"
+  type = string
+}
+
+variable "token" {
+  description = "Github Personal Access Token"
+  default = "AAQEOZFGCRNN2DT7DBTYXMTEGKUB2"
+  type = string
+}
+job "github-runner" {
+  datacenters = ["dc1"]
+  group "main" {
+    task "configure" {
+      driver = "exec"
+      artifact {
+        source = "https://github.com/actions/runner/releases/download/v${var.runner_version}/actions-runner-linux-${attr.cpu.arch}-${var.runner_version}.tar.gz"
+      }
+      lifecycle {
+        hook = "prestart"
+        sidecar = false
+      }
+      config {
+        command = "/bin/bash"
+        args = [
+          "local/config.sh",
+          "--unattended",
+          "--url https://github.com/${var.github_org}",
+          "--token  ${var.token}",
+          "--labels test"
+        ]
+      }
+    }
+    task "run" {
+      env {
+        RUNNER_CFG_PAT = var.token
+      }
+      driver = "exec"
+      config {
+        command = "/bin/bash"
+        args = [
+          "local/run.sh"
+        ]
+      }
+    }
+    task "remove" {
+      lifecycle {
+        hook = "poststop"
+        sidecar = false
+      }
+      driver = "exec"
+      config {
+        command = "config.sh"
+        args = [
+          "remove",
+          "--token",
+          var.token
+        ]
+      }
+    }
+  }
+}
diff --git a/github-runner/github-runner.nomad.tpl b/github-runner/github-runner.nomad.tpl
@@ -0,0 +1,68 @@
+job "github-runner-${org}" {
+  name = "github-runner-${org}"
+  datacenters = ["dc1"]
+  group "${org}" {
+
+    task "configure" {
+      env {
+        RUNNER_CFG_PAT = "${token}"
+      }
+      lifecycle {
+        hook = "prestart"
+      }
+      driver = "exec"
+      artifact {
+        source = "https://github.com/actions/runner/releases/download/v${runner_version}/actions-runner-linux-$${attr.cpu.arch}-${runner_version}.tar.gz"
+        destination = "$${NOMAD_ALLOC_DIR}/actions-runner"
+        mode = "dir"
+      }
+      config {
+        command = "$${NOMAD_ALLOC_DIR}/actions-runner/config.sh"
+        args = [
+          "config.sh",
+          "--unattended",
+          "--url", "https://github.com/${org}",
+          "--token", "${token}",
+          "--labels", "hah",
+          "--ephemeral"
+        ]
+      }
+    }
+
+    task "launch" {
+      driver = "exec"
+      config {
+        command = "$${NOMAD_ALLOC_DIR}/actions-runner/run.sh"
+      }
+      scaling "cpu" {
+        enabled = true
+        min     = 100
+        max     = 150
+
+        policy {
+          cooldown = "5m"
+          evaluation_interval = "10s"
+          strategy "target-value" {
+            target = 2
+          }
+        }
+      }
+    }
+
+    task "remove" {
+      lifecycle {
+        hook = "poststop"
+        sidecar = false
+      }
+      driver = "exec"
+      config {
+        command = "$${NOMAD_ALLOC_DIR}/actions-runner/config.sh"
+        args = [
+          "remove",
+          "--token",
+          "${token}"
+        ]
+      }
+    } // remove task
+  } // task group
+}
diff --git a/github-runner/main.tf b/github-runner/main.tf
@@ -0,0 +1,112 @@
+terraform {
+  backend "consul" {
+    scheme = "http"
+    path   = "terraform/personal/github-runners"
+  }
+  required_providers {
+    vault = {
+      source  = "hashicorp/vault"
+      version = "~> 3.0"
+    }
+    github = {
+      source  = "integrations/github"
+      version = "~> 5.0"
+    }
+    http = {
+      source  = "hashicorp/http"
+      version = "~> 3.0"
+    }
+    nomad = {
+      source  = "hashicorp/nomad"
+      version = "~> 2.0"
+    }
+  }
+}
+
+variable "org_name" {
+  description = "Name of the Github organisation"
+  default     = "SouthAfricaDigitalScience"
+  sensitive   = false
+  type        = string
+}
+
+provider "vault" {
+  address = "http://sense:8200"
+}
+
+provider "nomad" {}
+
+data "vault_kv_secret_v2" "name" {
+  mount = "kv"
+  name  = "github"
+}
+
+provider "github" {
+  token = data.vault_kv_secret_v2.name.data.personal
+}
+
+data "github_organization" "sads" {
+  name = var.org_name
+}
+
+locals {
+  runners_api_url = "https://api.github.com/orgs/${var.org_name}/actions/runners"
+  headers = {
+    "Accept"               = "application/vnd.github+json"
+    "Authorization"        = "Bearer ${data.vault_kv_secret_v2.name.data.personal}"
+    "X-GitHub-Api-Version" = "2022-11-28"
+  }
+}
+
+provider "http" {}
+
+data "http" "runners" {
+  url             = local.runners_api_url
+  request_headers = local.headers
+  lifecycle {
+    postcondition {
+      condition     = contains([200], self.status_code)
+      error_message = "Error"
+    }
+  }
+}
+
+data "http" "runner_reg_token" {
+  url             = "${local.runners_api_url}/registration-token"
+  request_headers = local.headers
+  method          = "POST"
+  lifecycle {
+    postcondition {
+      condition     = contains([201, 204], self.status_code)
+      error_message = tostring(self.response_body)
+    }
+  }
+}
+
+resource "vault_kv_secret_v2" "runner_registration_token" {
+  mount = "kv"
+  name  = "github_runner"
+  # cas                 = 1
+  # delete_all_versions = true
+  data_json = data.http.runner_reg_token.response_body
+  custom_metadata {
+    data = {
+      created_by = "Terraform"
+    }
+  }
+}
+
+resource "nomad_job" "runner" {
+  jobspec = templatefile("github-runner.nomad.tpl", {
+    token          = jsondecode(vault_kv_secret_v2.runner_registration_token.data_json).token,
+    runner_version = "2.310.2",
+    org_name       = var.org_name
+  })
+}
+
+resource "github_actions_runner_group" "arm64" {
+  allows_public_repositories = false
+  name                       = "hashi-at-home"
+  visibility                 = "private"
+  # default                    = false
+}