feat: Allow to manage github app secret manually #3703

Closed
3 changes: 2 additions & 1 deletion docs/configuration.md
Expand Up @@ -15,14 +15,15 @@ To be able to support a number of use-cases, the module has quite a lot of confi

## AWS SSM Parameters

The module uses the AWS System Manager Parameter Store to store configuration for the runners, as well as registration tokens and secrets for the Lambdas. Paths for the parameters can be configured via the variable `ssm_paths`. The location of the configuration parameters is retrieved by the runners via the instance tag `ghr:ssm_config_path`. The following default paths will be used. Tokens or JIT config stored in the token path will be deleted after retrieval by instance, data not deleted after a day will be deleted by a SSM housekeeper lambda.
The module uses the AWS System Manager Parameter Store to store configuration for the runners, as well as registration tokens and secrets for the Lambdas. Paths for the parameters can be configured via the variables `ssm_paths` and `prefix`. The location of the configuration parameters is retrieved by the runners via the instance tag `ghr:ssm_config_path`. The following default paths will be used. Tokens or JIT config stored in the token path will be deleted after retrieval by instance, data not deleted after a day will be deleted by a SSM housekeeper lambda.

| Path | Description |
| ------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `ssm_paths.root/var.prefix?/app/` | App secrets used by Lambda's |
| `ssm_paths.root/var.prefix?/runners/config/<name>` | Configuration parameters used by runner start script |
| `ssm_paths.root/var.prefix?/runners/tokens/<ec2-instance-id>` | Either JIT configuration (ephemeral runners) or registration tokens (non ephemeral runners) generated by the control plane (scale-up lambda), and consumed by the start script on the runner to activate / register the runner. |
| `ssm_paths.root/var.prefix?/webhook/runner-matcher-config` | Runner matcher config used by webhook to decide the target for the webhook event. |
| `ssm_paths.root/var.prefix?/ssm_paths.app/github_app_key_base64` | The github app secret key as base64. either you provide the secret key using the variable `var.github_app.key_base64` which will create the parameter or you create the parameter manually in the expected path and pass null to the variable |
Available configuration parameters:

| Parameter name | Description |
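Review bot: the new table row at `ssm_paths.root/var.prefix?/ssm_paths.app/github_app_key_base64` uses a different notation from the `ssm_paths.root/var.prefix?/app/` row above it, which already describes the Lambda app secrets; write the path in the same form (`.../app/github_app_key_base64`) or fold the note into that row, and capitalize "Either". The row should also tell the operator what the manually created parameter has to look like, since the module no longer creates it: a `SecureString` at exactly that path, encrypted with a KMS key the Lambdas are allowed to decrypt (the module-created one uses `key_id = local.kms_key_arn`), and created before `terraform apply`, because the lookup added in `modules/ssm/ssm.tf` fails at plan time if the parameter is missing.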
4 changes: 2 additions & 2 deletions modules/ssm/outputs.tf
Expand Up @@ -5,8 +5,8 @@ output "parameters" {
arn = aws_ssm_parameter.github_app_id.arn
}
github_app_key_base64 = {
name = aws_ssm_parameter.github_app_key_base64.name
arn = aws_ssm_parameter.github_app_key_base64.arn
name = var.github_app.key_base64 == null ? data.aws_ssm_parameter.github_app_key_base64[0].name : aws_ssm_parameter.github_app_key_base64[0].name
arn = var.github_app.key_base64 == null ? data.aws_ssm_parameter.github_app_key_base64[0].arn : aws_ssm_parameter.github_app_key_base64[0].arn
}
github_app_webhook_secret = {
name = aws_ssm_parameter.github_app_webhook_secret.name
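Review bot: the condition `var.github_app.key_base64 == null` is now evaluated in three places (twice in this output, once as `count` in `modules/ssm/ssm.tf`); put it in one local such as `github_app_key_base64_managed = var.github_app.key_base64 != null` and reference that from both files so the `count` and the output cannot drift apart. Keep the per-attribute ternaries (or `try(aws_ssm_parameter.github_app_key_base64[0].name, data.aws_ssm_parameter.github_app_key_base64[0].name)`) rather than selecting the whole object in a single conditional, because a resource and a data source do not share one attribute type.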
6 changes: 6 additions & 0 deletions modules/ssm/ssm.tf
Expand Up @@ -7,13 +7,19 @@ resource "aws_ssm_parameter" "github_app_id" {
}

resource "aws_ssm_parameter" "github_app_key_base64" {
count = var.github_app.key_base64 == null ? 0 : 1
Member (review comment on this line):
How did you test this by setting the variable explicitly to null? In the app object?

Member (review comment):
@NadavOps, is this PR still relevant for you? How to test this?

name = "${var.path_prefix}/github_app_key_base64"
type = "SecureString"
value = var.github_app.key_base64
key_id = local.kms_key_arn
tags = var.tags
}

data "aws_ssm_parameter" "github_app_key_base64" {
count = var.github_app.key_base64 == null ? 1 : 0
name = "${var.path_prefix}/github_app_key_base64"
}

resource "aws_ssm_parameter" "github_app_webhook_secret" {
name = "${var.path_prefix}/github_app_webhook_secret"
type = "SecureString"
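Review bot: the new `data "aws_ssm_parameter" "github_app_key_base64"` block only uses `name` and `arn`, but the data source decrypts the value by default, so the GitHub App private key is read and written into the Terraform state in plaintext; add `with_decryption = false` so the lookup still verifies that the parameter exists without pulling the decrypted key into state. The path string `"${var.path_prefix}/github_app_key_base64"` is now duplicated between the resource and the data source and should move to a local. Also, `count = var.github_app.key_base64 == null ? 0 : 1` only works if the `github_app` object type permits a null `key_base64` (for example `optional(string)`); that requirement should be stated next to the variable, since otherwise the manual path cannot be selected at all.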