locals {
  # Retry settings that the scale-up function receives as JOB_RETRY_CONFIG
  # (serialised with jsonencode in the Lambda's environment). The map is empty
  # when retry is disabled, which keeps the module.job_retry[0] reference on
  # the branch that only runs when that module instance exists.
  job_retry_config = local.job_retry_enabled ? {
    enable         = var.job_retry.enable
    queueUrl       = module.job_retry[0].job_retry_check_queue.url
    maxAttempts    = var.job_retry.max_attempts
    delayInSeconds = var.job_retry.delay_in_seconds
    delayBackoff   = var.job_retry.delay_backoff
  } : {}
}
# Scale-up function: consumes the build queue and launches runner instances.
# The code artefact is taken from S3 when lambda_s3_bucket is set, otherwise
# from the locally built zip; the conditionals below keep the two argument
# sets mutually exclusive.
resource "aws_lambda_function" "scale_up" {
  function_name = "${var.prefix}-scale-up"
  role          = aws_iam_role.scale_up.arn
  handler       = "index.scaleUpHandler"
  runtime       = var.lambda_runtime
  architectures = [var.lambda_architecture]
  timeout       = var.lambda_timeout_scale_up
  memory_size   = var.lambda_scale_up_memory_size
  tags          = merge(local.tags, var.lambda_tags)

  # Upper bound on concurrent scale-up invocations.
  reserved_concurrent_executions = var.scale_up_reserved_concurrent_executions

  # S3-sourced artefact (each value is simply the variable; `x != null ? x : null`
  # is the same as `x`).
  s3_bucket         = var.lambda_s3_bucket
  s3_key            = var.runners_lambda_s3_key
  s3_object_version = var.runners_lambda_s3_object_version

  # Locally built artefact. The content hash is only computed for the local
  # zip, so an S3-sourced deployment is rolled by object version, not by hash.
  filename         = var.lambda_s3_bucket == null ? local.lambda_zip : null
  source_code_hash = var.lambda_s3_bucket == null ? filebase64sha256(local.lambda_zip) : null

  environment {
    variables = {
      # --- runtime, logging, metrics and tracing ---
      ENVIRONMENT                  = var.prefix
      LOG_LEVEL                    = var.log_level
      POWERTOOLS_SERVICE_NAME      = "${var.prefix}-scale-up"
      POWERTOOLS_METRICS_NAMESPACE = var.metrics.namespace
      # When true, Powertools writes the whole incoming SQS event to the log
      # group; it is enabled only at debug level.
      POWERTOOLS_LOGGER_LOG_EVENT              = var.log_level == "debug" ? "true" : "false"
      POWERTOOLS_TRACE_ENABLED                 = var.tracing_config.mode != null
      POWERTOOLS_TRACER_CAPTURE_HTTPS_REQUESTS = var.tracing_config.capture_http_requests
      POWERTOOLS_TRACER_CAPTURE_ERROR          = var.tracing_config.capture_error
      ENABLE_METRIC_GITHUB_APP_RATE_LIMIT      = var.metrics.enable && var.metrics.metric.enable_github_app_rate_limit

      # --- GitHub access ---
      GHES_URL   = var.ghes_url
      USER_AGENT = var.user_agent
      # 0 turns off certificate validation for every TLS connection made by the
      # Node runtime in this function, not just the GHES endpoint. Only reached
      # when a GHES URL is configured and ghes_ssl_verify is false.
      NODE_TLS_REJECT_UNAUTHORIZED         = var.ghes_url != null && !var.ghes_ssl_verify ? 0 : 1
      PARAMETER_GITHUB_APP_ID_NAME         = var.github_app_parameters.id.name
      PARAMETER_GITHUB_APP_KEY_BASE64_NAME = var.github_app_parameters.key_base64.name
      ENABLE_ORGANIZATION_RUNNERS          = var.enable_organization_runners
      ENABLE_JOB_QUEUED_CHECK              = local.enable_job_queued_check

      # --- runner behaviour ---
      ENABLE_EPHEMERAL_RUNNERS        = var.enable_ephemeral_runners
      ENABLE_JIT_CONFIG               = var.enable_jit_config
      DISABLE_RUNNER_AUTOUPDATE       = var.disable_runner_autoupdate
      RUNNER_LABELS                   = lower(join(",", var.runner_labels))
      RUNNER_GROUP_NAME               = var.runner_group_name
      RUNNER_NAME_PREFIX              = var.runner_name_prefix
      RUNNERS_MAXIMUM_COUNT           = var.runners_maximum_count
      MINIMUM_RUNNING_TIME_IN_MINUTES = coalesce(var.minimum_running_time_in_minutes, local.min_runtime_defaults[var.runner_os])

      # --- EC2 placement and capacity ---
      AMI_ID_SSM_PARAMETER_NAME     = local.ami_id_ssm_parameter_name
      LAUNCH_TEMPLATE_NAME          = aws_launch_template.runner.name
      SUBNET_IDS                    = join(",", var.subnet_ids)
      INSTANCE_TYPES                = join(",", var.instance_types)
      INSTANCE_ALLOCATION_STRATEGY  = var.instance_allocation_strategy
      INSTANCE_MAX_SPOT_PRICE       = var.instance_max_spot_price
      INSTANCE_TARGET_CAPACITY_TYPE = var.instance_target_capacity_type
      # JSON-encoded lists/maps consumed by the handler.
      ENABLE_ON_DEMAND_FAILOVER_FOR_ERRORS = jsonencode(var.enable_on_demand_failover_for_errors)
      SCALE_ERRORS                         = jsonencode(var.scale_errors)
      JOB_RETRY_CONFIG                     = jsonencode(local.job_retry_config)

      # --- SSM Parameter Store layout ---
      SSM_TOKEN_PATH           = local.token_path
      SSM_CONFIG_PATH          = "${var.ssm_paths.root}/${var.ssm_paths.config}"
      SSM_PARAMETER_STORE_TAGS = local.parameter_store_tags
    }
  }

  # Attached to a VPC only when both lists are non-null. Note that non-null
  # empty lists still produce a vpc_config block (with empty lists).
  dynamic "vpc_config" {
    for_each = var.lambda_subnet_ids != null && var.lambda_security_group_ids != null ? [true] : []
    content {
      security_group_ids = var.lambda_security_group_ids
      subnet_ids         = var.lambda_subnet_ids
    }
  }

  # X-Ray tracing, enabled when a tracing mode is configured.
  dynamic "tracing_config" {
    for_each = var.tracing_config.mode != null ? [true] : []
    content {
      mode = var.tracing_config.mode
    }
  }
}
# Log group for the scale-up function, managed explicitly so retention, the
# encryption key and the log class stay under module control.
resource "aws_cloudwatch_log_group" "scale_up" {
  name = "/aws/lambda/${aws_lambda_function.scale_up.function_name}"

  retention_in_days = var.logging_retention_in_days
  log_group_class   = var.log_class
  # KMS key used to encrypt the log group, when set.
  kms_key_id = var.logging_kms_key_id

  # NOTE(review): uses var.tags while the function itself is tagged with
  # local.tags — confirm the difference is intended.
  tags = var.tags
}
# Wires the build queue to the scale-up function.
resource "aws_lambda_event_source_mapping" "scale_up" {
  function_name    = aws_lambda_function.scale_up.arn
  event_source_arn = var.sqs_build_queue.arn

  # Partial batch responses: the handler can report individual failed
  # messages instead of failing (and re-driving) the whole batch.
  function_response_types = ["ReportBatchItemFailures"]

  batch_size                         = var.lambda_event_source_mapping_batch_size
  maximum_batching_window_in_seconds = var.lambda_event_source_mapping_maximum_batching_window_in_seconds

  tags = var.tags
}
# Resource policy allowing SQS to invoke the function, restricted by
# source_arn to the build queue only.
resource "aws_lambda_permission" "scale_runners_lambda" {
  statement_id  = "AllowExecutionFromSQS"
  action        = "lambda:InvokeFunction"
  principal     = "sqs.amazonaws.com"
  function_name = aws_lambda_function.scale_up.function_name
  source_arn    = var.sqs_build_queue.arn
}
# Execution role for the scale-up function.
resource "aws_iam_role" "scale_up" {
  # Prefix truncated to 54 characters plus "-" and 8 hex characters of its md5:
  # at most 63 characters, within IAM's 64-character role-name limit, while the
  # hash keeps long prefixes from colliding after truncation.
  name = "${substr("${var.prefix}-scale-up-lambda", 0, 54)}-${substr(md5("${var.prefix}-scale-up-lambda"), 0, 8)}"

  assume_role_policy   = data.aws_iam_policy_document.lambda_assume_role_policy.json
  path                 = local.role_path
  permissions_boundary = var.role_permissions_boundary
  tags                 = local.tags
}
# Main inline policy of the scale-up role, rendered from a JSON template so
# every resource ARN is pinned to this deployment.
resource "aws_iam_role_policy" "scale_up" {
  name = "scale-up-policy"
  role = aws_iam_role.scale_up.name

  policy = templatefile("${path.module}/policies/lambda-scale-up.json", {
    # Instance role for the runners the function launches. With
    # override_runner_role the ARN is caller-supplied rather than the
    # module-managed aws_iam_role.runner — presumably the iam:PassRole target;
    # confirm against policies/lambda-scale-up.json.
    arn_runner_instance_role = var.iam_overrides["override_runner_role"] ? var.iam_overrides["runner_role_arn"] : aws_iam_role.runner[0].arn

    sqs_arn                   = var.sqs_build_queue.arn
    github_app_id_arn         = var.github_app_parameters.id.arn
    github_app_key_base64_arn = var.github_app_parameters.key_base64.arn

    # "parameter" is glued directly onto ssm_paths.root, so root is assumed
    # to start with "/" — verify against the variable's validation.
    ssm_config_path = "arn:${var.aws_partition}:ssm:${var.aws_region}:${data.aws_caller_identity.current.account_id}:parameter${var.ssm_paths.root}/${var.ssm_paths.config}"

    kms_key_arn              = local.kms_key_arn
    ami_kms_key_arn          = local.ami_kms_key_arn
    ssm_ami_id_parameter_arn = local.ami_id_ssm_module_managed ? aws_ssm_parameter.runner_ami_id[0].arn : var.ami.id_ssm_parameter_arn
  })
}
# CloudWatch Logs permissions, scoped to this function's own log group.
resource "aws_iam_role_policy" "scale_up_logging" {
  name = "logging-policy"
  role = aws_iam_role.scale_up.name

  policy = templatefile("${path.module}/policies/lambda-cloudwatch.json", {
    log_group_arn = aws_cloudwatch_log_group.scale_up.arn
  })
}
# Optional permission to create the Spot service-linked role; only attached
# when create_service_linked_role_spot is set.
resource "aws_iam_role_policy" "service_linked_role" {
  count = var.create_service_linked_role_spot ? 1 : 0

  name = "service_linked_role"
  role = aws_iam_role.scale_up.name

  policy = templatefile("${path.module}/policies/service-linked-role-create-policy.json", {
    aws_partition = var.aws_partition
  })
}
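# Managed policy that lets the function create ENIs when it runs inside a VPC.
resource "aws_iam_role_policy_attachment" "scale_up_vpc_execution_role" {
  # The vpc_config guard on aws_lambda_function.scale_up treats
  # var.lambda_subnet_ids as possibly null; length(null) would fail at plan
  # time, so null is tolerated here and treated as "no subnets". Behaviour is
  # unchanged for any non-null list.
  count = try(length(var.lambda_subnet_ids), 0) > 0 ? 1 : 0

  role       = aws_iam_role.scale_up.name
  policy_arn = "arn:${var.aws_partition}:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
}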
# Read access to the AMI-id SSM parameter, attached only when the function is
# configured to resolve the AMI through a parameter.
resource "aws_iam_role_policy_attachment" "ami_id_ssm_parameter_read" {
  count = local.ami_id_ssm_parameter_name != null ? 1 : 0

  role       = aws_iam_role.scale_up.name
  policy_arn = aws_iam_policy.ami_id_ssm_parameter_read[0].arn
}
# X-Ray permissions; present only when tracing is configured, matching the
# tracing_config block on the function.
resource "aws_iam_role_policy" "scale_up_xray" {
  count = var.tracing_config.mode != null ? 1 : 0

  name   = "xray-policy"
  role   = aws_iam_role.scale_up.name
  policy = data.aws_iam_policy_document.lambda_xray[0].json
}
# Lets the function publish to the job-retry check queue; only exists when
# job retry is enabled (the same condition that creates module.job_retry).
resource "aws_iam_role_policy" "job_retry_sqs_publish" {
  count = local.job_retry_enabled ? 1 : 0

  name = "publish-retry-check-sqs-policy"
  role = aws_iam_role.scale_up.name

  policy = templatefile("${path.module}/policies/lambda-publish-sqs-policy.json", {
    # Encoded as a JSON array so the template can splice it into a Resource list.
    sqs_resource_arns = jsonencode([module.job_retry[0].job_retry_check_queue.arn])
    # NOTE(review): falls back to "" here, whereas scale-up-policy passes
    # local.kms_key_arn — confirm both refer to the same key and that the
    # template treats "" as "no key".
    kms_key_arn = var.kms_key_arn != null ? var.kms_key_arn : ""
  })
}