Repository: terraform-google-modules/terraform-google-github-actions-runners
Branch: main
Commit: 9fef9375cbd3
Files: 129
Total size: 279.1 KB
Directory structure:
gitextract_4sc7vs8z/
├── .dockerignore
├── .github/
│   ├── release-please.yml
│   ├── renovate.json
│   ├── trusted-contribution.yml
│   └── workflows/
│       ├── lint.yaml
│       └── stale.yml
├── .gitignore
├── CHANGELOG.md
├── CODEOWNERS
├── CONTRIBUTING.md
├── LICENSE
├── Makefile
├── README.md
├── build/
│   ├── int.cloudbuild.yaml
│   └── lint.cloudbuild.yaml
├── docs/
│   └── upgrading_to_v4.0.md
├── examples/
│   ├── gh-org-runner-mig-native-simple/
│   │   ├── README.md
│   │   ├── main.tf
│   │   ├── outputs.tf
│   │   ├── providers.tf
│   │   └── variables.tf
│   ├── gh-runner-gke-dind/
│   │   ├── .dockerignore
│   │   ├── .gcloudignore
│   │   ├── README.md
│   │   ├── main.tf
│   │   ├── outputs.tf
│   │   ├── providers.tf
│   │   ├── variables.tf
│   │   └── versions.tf
│   ├── gh-runner-gke-dind-rootless/
│   │   ├── README.md
│   │   ├── main.tf
│   │   ├── outputs.tf
│   │   ├── providers.tf
│   │   ├── values.yaml
│   │   ├── variables.tf
│   │   └── versions.tf
│   ├── gh-runner-gke-simple/
│   │   ├── .dockerignore
│   │   ├── .gcloudignore
│   │   ├── README.md
│   │   ├── main.tf
│   │   ├── outputs.tf
│   │   ├── providers.tf
│   │   ├── variables.tf
│   │   └── versions.tf
│   ├── gh-runner-mig-container-vm-dind/
│   │   ├── .dockerignore
│   │   ├── .gcloudignore
│   │   ├── Dockerfile
│   │   ├── README.md
│   │   ├── cloudbuild.yaml
│   │   ├── entrypoint.sh
│   │   ├── main.tf
│   │   ├── outputs.tf
│   │   ├── variables.tf
│   │   └── versions.tf
│   ├── gh-runner-mig-container-vm-simple/
│   │   ├── .dockerignore
│   │   ├── .gcloudignore
│   │   ├── Dockerfile
│   │   ├── README.md
│   │   ├── cloudbuild.yaml
│   │   ├── entrypoint.sh
│   │   ├── main.tf
│   │   ├── outputs.tf
│   │   ├── variables.tf
│   │   └── versions.tf
│   ├── gh-runner-mig-native-packer/
│   │   ├── .gcloudignore
│   │   ├── README.md
│   │   ├── cloudbuild.yaml
│   │   ├── main.tf
│   │   ├── outputs.tf
│   │   ├── packer.json
│   │   ├── shutdown.sh
│   │   ├── startup.sh
│   │   ├── variables.tf
│   │   └── versions.tf
│   ├── gh-runner-mig-native-simple/
│   │   ├── README.md
│   │   ├── main.tf
│   │   ├── outputs.tf
│   │   ├── variables.tf
│   │   └── versions.tf
│   └── oidc-simple/
│       ├── README.md
│       ├── main.tf
│       ├── outputs.tf
│       ├── variables.tf
│       └── versions.tf
├── metadata.yaml
├── modules/
│   ├── gh-oidc/
│   │   ├── README.md
│   │   ├── main.tf
│   │   ├── metadata.yaml
│   │   ├── outputs.tf
│   │   ├── variables.tf
│   │   └── versions.tf
│   ├── gh-runner-gke/
│   │   ├── README.md
│   │   ├── main.tf
│   │   ├── metadata.yaml
│   │   ├── outputs.tf
│   │   ├── variables.tf
│   │   └── versions.tf
│   ├── gh-runner-mig-container-vm/
│   │   ├── README.md
│   │   ├── main.tf
│   │   ├── metadata.yaml
│   │   ├── outputs.tf
│   │   ├── variables.tf
│   │   └── versions.tf
│   └── gh-runner-mig-vm/
│       ├── README.md
│       ├── main.tf
│       ├── metadata.yaml
│       ├── outputs.tf
│       ├── scripts/
│       │   ├── shutdown.sh
│       │   └── startup.sh
│       ├── variables.tf
│       └── versions.tf
└── test/
    ├── .gitignore
    ├── fixtures/
    │   └── gh-runner-mig-container-vm/
    │       ├── main.tf
    │       ├── outputs.tf
    │       └── variables.tf
    ├── integration/
    │   ├── discover_test.go
    │   ├── gh-runner-gke-dind/
    │   │   └── gh_runner_gke_dind_test.go
    │   ├── gh-runner-gke-dind-rootless/
    │   │   └── gh_runner_gke_dind_rootless_test.go
    │   ├── gh-runner-gke-simple/
    │   │   └── gh_runner_gke_simple_test.go
    │   ├── gh-runner-mig-container-vm/
    │   │   └── gh_runner_mig_container_vm_test.go
    │   ├── go.mod
    │   ├── go.sum
    │   └── oidc-simple/
    │       └── oidc_simple_test.go
    └── setup/
        ├── .gitignore
        ├── iam.tf
        ├── main.tf
        ├── outputs.tf
        ├── variables.tf
        └── versions.tf
================================================
FILE CONTENTS
================================================
================================================
FILE: .dockerignore
================================================
.git
.terraform
.terraform.d
.kitchen
terraform.tfstate.d
test/fixtures/*/.terraform
test/fixtures/*/terraform.tfstate.d
examples/.kitchen
examples/*/.terraform
examples/*/terraform.tfstate.d
================================================
FILE: .github/release-please.yml
================================================
# Copyright 2021 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
releaseType: terraform-module
handleGHRelease: true
================================================
FILE: .github/renovate.json
================================================
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["github>GoogleCloudPlatform/cloud-foundation-toolkit//infra/terraform/test-org/github/resources/renovate"]
}
================================================
FILE: .github/trusted-contribution.yml
================================================
# Copyright 2023-2025 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# NOTE: This file is automatically generated from:
# https://github.com/GoogleCloudPlatform/cloud-foundation-toolkit/blob/main/infra/terraform/test-org/github
annotations:
  - type: comment
    text: "/gcbrun"

trustedContributors:
  - release-please[bot]
  - renovate[bot]
  - renovate-bot
  - forking-renovate[bot]
  - dependabot[bot]
================================================
FILE: .github/workflows/lint.yaml
================================================
# Copyright 2023-2025 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# NOTE: This file is automatically generated from values at:
# https://github.com/GoogleCloudPlatform/cloud-foundation-toolkit/blob/main/infra/terraform/test-org/org/locals.tf
name: 'lint'

on:
  workflow_dispatch:
  pull_request:
    types: [opened, edited, reopened, synchronize]
    branches: [main]

permissions:
  contents: read

concurrency:
  group: '${{ github.workflow }}-${{ github.head_ref || github.ref }}'
  cancel-in-progress: true

jobs:
  lint:
    name: 'lint'
    runs-on: 'ubuntu-latest'
    steps:
      - uses: 'actions/checkout@v6'
      - id: variables
        run: |
          MAKEFILE=$(find . -name Makefile -print -quit)
          if [ -z "$MAKEFILE" ]; then
            echo dev-tools=gcr.io/cloud-foundation-cicd/cft/developer-tools:1 >> "$GITHUB_OUTPUT"
          else
            VERSION=$(grep "DOCKER_TAG_VERSION_DEVELOPER_TOOLS := " $MAKEFILE | cut -d\  -f3)
            IMAGE=$(grep "DOCKER_IMAGE_DEVELOPER_TOOLS := " $MAKEFILE | cut -d\  -f3)
            REGISTRY=$(grep "REGISTRY_URL := " $MAKEFILE | cut -d\  -f3)
            echo dev-tools=${REGISTRY}/${IMAGE}:${VERSION} >> "$GITHUB_OUTPUT"
          fi
      - run: docker run --rm -v ${{ github.workspace }}:/workspace ${STEPS_VARIABLES_OUTPUTS_DEV_TOOLS} module-swapper
        env:
          STEPS_VARIABLES_OUTPUTS_DEV_TOOLS: ${{ steps.variables.outputs.dev-tools }}
      - run: docker run --rm -v ${{ github.workspace }}:/workspace ${STEPS_VARIABLES_OUTPUTS_DEV_TOOLS} /usr/local/bin/test_lint.sh
        env:
          STEPS_VARIABLES_OUTPUTS_DEV_TOOLS: ${{ steps.variables.outputs.dev-tools }}

  commitlint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
        with:
          fetch-depth: 0
      - name: Setup node
        uses: actions/setup-node@v6
        with:
          node-version: lts/*
      - name: Install commitlint
        run: |
          npm install -D @commitlint/cli@20.2.0 @commitlint/config-conventional@20.2.0
          echo "module.exports = { extends: ['@commitlint/config-conventional'], rules: {'subject-case': [0], 'header-max-length': [0]} };" > commitlint.config.js
          npx commitlint --version
      - name: Validate PR commits with commitlint
        if: github.event_name == 'pull_request'
        env:
          TITLE: ${{ github.event.pull_request.title }}
        run: 'echo "$TITLE" | npx commitlint --verbose'
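The last step of the `commitlint` job is worth noting from a security standpoint: it hands the pull-request title to the script through an environment variable (`TITLE`) rather than writing `${{ github.event.pull_request.title }}` into the `run:` body. An expression inside `run:` is substituted into the script text before the shell parses it, so a title containing a closing quote followed by further commands would execute on the runner (GitHub Actions script injection). The script below is an added illustration, not code from this repository or from the Cloud Foundation Toolkit; it simulates the runner's substitution with plain string concatenation and uses a constructed hostile title to show that only the interpolated variant runs the injected command.

```shell
#!/bin/sh
# Added example: simulate GitHub Actions expression expansion for a PR title.
# The title below is constructed for the demonstration; the double quote closes
# the string the workflow author wrote, and what follows is parsed as commands.
HOSTILE_TITLE='feat: add runner"; echo INJECTED; echo "'

# Unsafe pattern:   run: echo "${{ github.event.pull_request.title }}"
# The runner pastes the expression into the script text BEFORE the shell sees
# it, which is exactly what the string concatenation here does.
unsafe_step() {
  unsafe_script='echo "'"$1"'"'
  sh -c "$unsafe_script"
}

# Safe pattern (what lint.yaml does): the value travels in the environment and
# the script text is a fixed literal, so the shell treats the title as data.
safe_step() {
  TITLE="$1" sh -c 'echo "$TITLE"'
}

# Returns 0 when the step's output contains a line that is exactly INJECTED,
# i.e. the smuggled command actually ran; returns 1 otherwise.
ran_injected_command() {
  "$1" "$HOSTILE_TITLE" | grep -qx 'INJECTED'
}

# Run as `sh script.sh demo` to print both outputs side by side.
if [ "${1:-}" = "demo" ]; then
  echo "--- unsafe step output ---"
  unsafe_step "$HOSTILE_TITLE"
  echo "--- safe step output ---"
  safe_step "$HOSTILE_TITLE"
fi
```

The same reasoning applies to any other attacker-controlled event field (branch names, commit messages, issue bodies, review comments): pass it through `env:` and quote the variable in the script, or consume it through an action input, never through an expression inside `run:`.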
================================================
FILE: .github/workflows/stale.yml
================================================
# Copyright 2022-2025 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# NOTE: This file is automatically generated from:
# https://github.com/GoogleCloudPlatform/cloud-foundation-toolkit/blob/main/infra/terraform/test-org/github
name: "Close stale issues"

on:
  schedule:
    - cron: "0 23 * * *"

permissions:
  contents: read
  issues: write
  pull-requests: write
  actions: write

jobs:
  stale:
    if: github.repository_owner == 'GoogleCloudPlatform' || github.repository_owner == 'terraform-google-modules'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/stale@v10
        with:
          repo-token: ${{ secrets.GITHUB_TOKEN }}
          stale-issue-message: 'This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days'
          stale-pr-message: 'This PR is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days'
          exempt-issue-labels: 'triaged'
          exempt-pr-labels: 'dependencies,autorelease: pending'
          operations-per-run: 100
================================================
FILE: .gitignore
================================================
# OSX leaves these everywhere on SMB shares
._*
# OSX trash
.DS_Store
# Python
*.pyc
# Emacs save files
*~
\#*\#
.\#*
# Vim-related files
[._]*.s[a-w][a-z]
[._]s[a-w][a-z]
*.un~
Session.vim
.netrwhist
### https://raw.github.com/github/gitignore/90f149de451a5433aebd94d02d11b0e28843a1af/Terraform.gitignore
# Local .terraform directories
**/.terraform/*
# .tfstate files
*.tfstate
*.tfstate.*
# test.out files
test.out
# Crash log files
crash.log
# Kitchen files
**/inspec.lock
**/.kitchen
**/kitchen.local.yml
**/Gemfile.lock
# Ignore any .tfvars files that are generated automatically for each Terraform run. Most
# .tfvars files are managed as part of configuration and so should be included in
# version control.
**/*.tfvars
credentials.json
# tf lock file
.terraform.lock.hcl
================================================
FILE: CHANGELOG.md
================================================
# Changelog
All notable changes to this project will be documented in this file.
The format is based on
[Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to
[Semantic Versioning](https://semver.org/spec/v2.0.0.html).
This changelog is generated automatically based on [Conventional Commits](https://www.conventionalcommits.org/en/v1.0.0/).
## [5.1.0](https://github.com/terraform-google-modules/terraform-google-github-actions-runners/compare/v5.0.0...v5.1.0) (2025-09-09)
### Features
* **deps:** Update Terraform Google Provider to v7 (major) ([#223](https://github.com/terraform-google-modules/terraform-google-github-actions-runners/issues/223)) ([411f391](https://github.com/terraform-google-modules/terraform-google-github-actions-runners/commit/411f39135eab709760c0fd9894f04c7cdcd9a6b4))
## [5.0.0](https://github.com/terraform-google-modules/terraform-google-github-actions-runners/compare/v4.0.0...v5.0.0) (2025-01-10)
### ⚠ BREAKING CHANGES
* **TF>=1.3:** Update Terraform ([#201](https://github.com/terraform-google-modules/terraform-google-github-actions-runners/issues/201))
* **deps:** Update Terraform terraform-google-modules/vm/google to v13 ([#204](https://github.com/terraform-google-modules/terraform-google-github-actions-runners/issues/204))
* **deps:** Update Terraform terraform-google-modules/kubernetes-engine/google to v35 ([#205](https://github.com/terraform-google-modules/terraform-google-github-actions-runners/issues/205))
* **deps:** Update Terraform terraform-google-modules/kubernetes-engine/google to v33 ([#183](https://github.com/terraform-google-modules/terraform-google-github-actions-runners/issues/183))
* **deps:** Update Terraform terraform-google-modules/vm/google to v12 ([#184](https://github.com/terraform-google-modules/terraform-google-github-actions-runners/issues/184))
### Features
* **deps:** Update Terraform Google Provider to v6 (major) ([#191](https://github.com/terraform-google-modules/terraform-google-github-actions-runners/issues/191)) ([0364375](https://github.com/terraform-google-modules/terraform-google-github-actions-runners/commit/0364375e2b90f407ea526df3c0bddedee1fc1bc3))
* support private GKE nodes ([#192](https://github.com/terraform-google-modules/terraform-google-github-actions-runners/issues/192)) ([730f92b](https://github.com/terraform-google-modules/terraform-google-github-actions-runners/commit/730f92b8e207cb35acbdc4c134c954f011f877d3))
### Bug Fixes
* add real attribute condition for OIDC example ([658acb0](https://github.com/terraform-google-modules/terraform-google-github-actions-runners/commit/658acb014d06e54757e60302aa9da91c37669c13))
* constrain provider version for GKE examples to <5.44 ([658acb0](https://github.com/terraform-google-modules/terraform-google-github-actions-runners/commit/658acb014d06e54757e60302aa9da91c37669c13))
* **deps:** Update Terraform terraform-google-modules/kubernetes-engine/google to v33 ([#183](https://github.com/terraform-google-modules/terraform-google-github-actions-runners/issues/183)) ([a47589e](https://github.com/terraform-google-modules/terraform-google-github-actions-runners/commit/a47589e5b10eab4d3f639fb42ccc4f0f07f8fc6f))
* **deps:** Update Terraform terraform-google-modules/kubernetes-engine/google to v35 ([#205](https://github.com/terraform-google-modules/terraform-google-github-actions-runners/issues/205)) ([35a6060](https://github.com/terraform-google-modules/terraform-google-github-actions-runners/commit/35a606014656d3bb7b34c4f52818084f90021d7a))
* **deps:** Update Terraform terraform-google-modules/vm/google to v12 ([#184](https://github.com/terraform-google-modules/terraform-google-github-actions-runners/issues/184)) ([0929277](https://github.com/terraform-google-modules/terraform-google-github-actions-runners/commit/09292776abe17a7f878b6d271e4b0b22b1138dca))
* **deps:** Update Terraform terraform-google-modules/vm/google to v13 ([#204](https://github.com/terraform-google-modules/terraform-google-github-actions-runners/issues/204)) ([de8d3f5](https://github.com/terraform-google-modules/terraform-google-github-actions-runners/commit/de8d3f531685bf4e340b69cccf059d99d282e621))
* reformat subnetwork secondary range block ([#187](https://github.com/terraform-google-modules/terraform-google-github-actions-runners/issues/187)) ([658acb0](https://github.com/terraform-google-modules/terraform-google-github-actions-runners/commit/658acb014d06e54757e60302aa9da91c37669c13))
* set sensitive for gh-runner-gke ca_certificate output ([#196](https://github.com/terraform-google-modules/terraform-google-github-actions-runners/issues/196)) ([5367df3](https://github.com/terraform-google-modules/terraform-google-github-actions-runners/commit/5367df3f0fed5acd6dad9002a641409acd243317))
* **TF>=1.3:** Update Terraform ([#201](https://github.com/terraform-google-modules/terraform-google-github-actions-runners/issues/201)) ([2364424](https://github.com/terraform-google-modules/terraform-google-github-actions-runners/commit/236442442a61be9e7c975d80390c42be8f7f5da4))
## [4.0.0](https://github.com/terraform-google-modules/terraform-google-github-actions-runners/compare/v3.1.2...v4.0.0) (2024-08-27)
### ⚠ BREAKING CHANGES
* **deps:** Update Terraform terraform-google-modules/vm/google to v11 ([#152](https://github.com/terraform-google-modules/terraform-google-github-actions-runners/issues/152))
* **deps:** Update Terraform terraform-google-modules/kubernetes-engine/google to v32 ([#178](https://github.com/terraform-google-modules/terraform-google-github-actions-runners/issues/178))
* migrate to ARC ([#173](https://github.com/terraform-google-modules/terraform-google-github-actions-runners/issues/173))
### Features
* Add custom tags option to mig-vm-module ([#177](https://github.com/terraform-google-modules/terraform-google-github-actions-runners/issues/177)) ([5e1a3c6](https://github.com/terraform-google-modules/terraform-google-github-actions-runners/commit/5e1a3c6f44acd68d9ad160621dbd6cd8a5fe8f79))
* **deps:** Update Terraform Google Provider to v6 (major) ([#181](https://github.com/terraform-google-modules/terraform-google-github-actions-runners/issues/181)) ([3c94fa5](https://github.com/terraform-google-modules/terraform-google-github-actions-runners/commit/3c94fa50403bcf567113547ddea3d00818a350f0))
* migrate to ARC ([#173](https://github.com/terraform-google-modules/terraform-google-github-actions-runners/issues/173)) ([0b1299b](https://github.com/terraform-google-modules/terraform-google-github-actions-runners/commit/0b1299b802cafa1e331bb54b7c7dc6e7a23a1a0c))
### Bug Fixes
* **deps:** Update Terraform terraform-google-modules/kubernetes-engine/google to v32 ([#178](https://github.com/terraform-google-modules/terraform-google-github-actions-runners/issues/178)) ([999330d](https://github.com/terraform-google-modules/terraform-google-github-actions-runners/commit/999330dd53362a1e9f92821d858a0f13cf067594))
* **deps:** Update Terraform terraform-google-modules/vm/google to v11 ([#152](https://github.com/terraform-google-modules/terraform-google-github-actions-runners/issues/152)) ([42e5161](https://github.com/terraform-google-modules/terraform-google-github-actions-runners/commit/42e516109356cf66803d42bfea2a6df46fe8e7b4))
## [3.1.2](https://github.com/terraform-google-modules/terraform-google-github-actions-runners/compare/v3.1.1...v3.1.2) (2023-10-10)
### Bug Fixes
* upgraded versions.tf to include minor bumps from tpg v5 ([#124](https://github.com/terraform-google-modules/terraform-google-github-actions-runners/issues/124)) ([ede4426](https://github.com/terraform-google-modules/terraform-google-github-actions-runners/commit/ede4426a9268ad50524d3b0d23cb1dbf52ab99d3))
## [3.1.1](https://github.com/terraform-google-modules/terraform-google-github-actions-runners/compare/v3.1.0...v3.1.1) (2022-12-29)
### Bug Fixes
* **deps:** update terraform terraform-google-modules/kubernetes-engine/google to v24 ([#85](https://github.com/terraform-google-modules/terraform-google-github-actions-runners/issues/85)) ([980e5d5](https://github.com/terraform-google-modules/terraform-google-github-actions-runners/commit/980e5d50cd89ed0e84f120e0e263bd9700ffa3ca))
* fixes lint issues and generates metadata ([#89](https://github.com/terraform-google-modules/terraform-google-github-actions-runners/issues/89)) ([935368c](https://github.com/terraform-google-modules/terraform-google-github-actions-runners/commit/935368cf54df02eba97596bc21226c63bca2bf4c))
## [3.1.0](https://github.com/terraform-google-modules/terraform-google-github-actions-runners/compare/v3.0.0...v3.1.0) (2022-07-20)
### Features
* Issuer URI has been passed through variable ([#62](https://github.com/terraform-google-modules/terraform-google-github-actions-runners/issues/62)) ([c9da327](https://github.com/terraform-google-modules/terraform-google-github-actions-runners/commit/c9da3279e9af3e195f3ad089efdfb425b8e9032f))
## [3.0.0](https://github.com/terraform-google-modules/terraform-google-github-actions-runners/compare/v2.0.1...v3.0.0) (2022-02-02)
### ⚠ BREAKING CHANGES
* update examples, bump gke module version ([#52](https://github.com/terraform-google-modules/terraform-google-github-actions-runners/issues/52)). `gh-runner-gke` now uses [v19](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/releases/tag/v19.0.0) of the GKE module. Please refer to the [GKE module upgrade guide](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/blob/master/docs/upgrading_to_v19.0.md) for more details.
### Features
* Update TPG version constraints to allow 4.0 ([#50](https://github.com/terraform-google-modules/terraform-google-github-actions-runners/issues/50)) ([1aebd31](https://github.com/terraform-google-modules/terraform-google-github-actions-runners/commit/1aebd31f0548374ac061a58cdca7bc98e51eb760))
### Bug Fixes
* update examples, bump gke module version ([#52](https://github.com/terraform-google-modules/terraform-google-github-actions-runners/issues/52)) ([882578e](https://github.com/terraform-google-modules/terraform-google-github-actions-runners/commit/882578e59bf2f5a808abd63ed5dcc74524aa30fa))
### [2.0.1](https://www.github.com/terraform-google-modules/terraform-google-github-actions-runners/compare/v2.0.0...v2.0.1) (2021-11-26)
### Bug Fixes
* bump minimum provider version for gh oidc module ([#45](https://www.github.com/terraform-google-modules/terraform-google-github-actions-runners/issues/45)) ([204a546](https://www.github.com/terraform-google-modules/terraform-google-github-actions-runners/commit/204a5463a48237fbd2bf118459db7dbb7742bb8a))
## [2.0.0](https://www.github.com/terraform-google-modules/terraform-google-github-actions-runners/compare/v1.1.0...v2.0.0) (2021-11-09)
### ⚠ BREAKING CHANGES
* Remove the default allowed audience in `gh-oidc` (#42)
* update issuer_uri for gh provider (#36)
* Support org runners, update images and autoscaling config (#34)
### Features
* Add example for org runner & update shutdown script ([#37](https://www.github.com/terraform-google-modules/terraform-google-github-actions-runners/issues/37)) ([76115f9](https://www.github.com/terraform-google-modules/terraform-google-github-actions-runners/commit/76115f9587a048de26086116d6e3a3eb0ae6aa2c))
* Remove the default allowed audience in `gh-oidc` ([#42](https://www.github.com/terraform-google-modules/terraform-google-github-actions-runners/issues/42)) ([1ec0ec2](https://www.github.com/terraform-google-modules/terraform-google-github-actions-runners/commit/1ec0ec201a6a063d27fea8fd62e6a028fb9fc5e6))
* Support org runners, update images and autoscaling config ([#34](https://www.github.com/terraform-google-modules/terraform-google-github-actions-runners/issues/34)) ([280ca8a](https://www.github.com/terraform-google-modules/terraform-google-github-actions-runners/commit/280ca8a79266d00d6ec8fe84413de0d23cbdc791))
* update issuer_uri for gh provider ([#36](https://www.github.com/terraform-google-modules/terraform-google-github-actions-runners/issues/36)) ([2ca3e6c](https://www.github.com/terraform-google-modules/terraform-google-github-actions-runners/commit/2ca3e6c4ea2a9987f8c5ac6191bbe925df4dd12b))
## [1.1.0](https://www.github.com/terraform-google-modules/terraform-google-github-actions-runners/compare/v1.0.1...v1.1.0) (2021-09-20)
### Features
* add gh oidc module ([#32](https://www.github.com/terraform-google-modules/terraform-google-github-actions-runners/issues/32)) ([1f10847](https://www.github.com/terraform-google-modules/terraform-google-github-actions-runners/commit/1f10847dc69246166bd68a3149d2fefb5a43bf3b))
### [1.0.1](https://www.github.com/terraform-google-modules/terraform-google-github-actions-runners/compare/v1.0.0...v1.0.1) (2021-08-17)
### Bug Fixes
* Switched to use google_project_iam_member, which is non-authoritative ([#27](https://www.github.com/terraform-google-modules/terraform-google-github-actions-runners/issues/27)) ([281a737](https://www.github.com/terraform-google-modules/terraform-google-github-actions-runners/commit/281a737a59046735577178052f584c3c9749239b))
* use machine_type in mig-runner ([#30](https://www.github.com/terraform-google-modules/terraform-google-github-actions-runners/issues/30)) ([4f940f6](https://www.github.com/terraform-google-modules/terraform-google-github-actions-runners/commit/4f940f69a4bad949213250ba3b42ae905da5d2ca))
## [1.0.0](https://www.github.com/terraform-google-modules/terraform-google-github-actions-runners/compare/v0.1.0...v1.0.0) (2021-04-24)
### ⚠ BREAKING CHANGES
* add Terraform 0.13 constraint and module attribution (#22)
### Features
* add Terraform 0.13 constraint and module attribution ([#22](https://www.github.com/terraform-google-modules/terraform-google-github-actions-runners/issues/22)) ([11d7179](https://www.github.com/terraform-google-modules/terraform-google-github-actions-runners/commit/11d7179773abf41e1f4a101dd729edaf1773929a))
## 0.1.0 (2020-11-24)
### Features
* add network project for svpc, expose cooldown period, default scripts ([#15](https://www.github.com/terraform-google-modules/terraform-google-github-actions-runners/issues/15)) ([048156a](https://www.github.com/terraform-google-modules/terraform-google-github-actions-runners/commit/048156ae1708ccef39d36be55270048153fc8081))
* remove api enablement and update docs ([#13](https://www.github.com/terraform-google-modules/terraform-google-github-actions-runners/issues/13)) ([5c01d64](https://www.github.com/terraform-google-modules/terraform-google-github-actions-runners/commit/5c01d64fdb47e84aa8bbe082f2af80669a0fcc32))
## [0.1.0](https://github.com/terraform-google-modules/terraform-google-terraform-google-github-actions-runners/releases/tag/v0.1.0) - 20XX-YY-ZZ
### Features
- Initial release
[0.1.0]: https://github.com/terraform-google-modules/terraform-google-terraform-google-github-actions-runners/releases/tag/v0.1.0
================================================
FILE: CODEOWNERS
================================================
# NOTE: This file is automatically generated from values at:
# https://github.com/GoogleCloudPlatform/cloud-foundation-toolkit/blob/main/infra/terraform/test-org/org/locals.tf
* @terraform-google-modules/cft-admins
# NOTE: GitHub CODEOWNERS locations:
# https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners#codeowners-and-branch-protection
CODEOWNERS @terraform-google-modules/cft-admins
.github/CODEOWNERS @terraform-google-modules/cft-admins
docs/CODEOWNERS @terraform-google-modules/cft-admins
================================================
FILE: CONTRIBUTING.md
================================================
# Contributing
This document provides guidelines for contributing to the module.
## Dependencies
The following dependencies must be installed on the development system:
- [Docker Engine][docker-engine]
- [Google Cloud SDK][google-cloud-sdk]
- [make]
## Generating Documentation for Inputs and Outputs
The Inputs and Outputs tables in the READMEs of the root module,
submodules, and example modules are automatically generated based on
the `variables` and `outputs` of the respective modules. These tables
must be refreshed if the module interfaces are changed.
### Execution
Run `make generate_docs` to generate new Inputs and Outputs tables.
## Integration Testing
Integration tests are used to verify the behaviour of the root module,
submodules, and example modules. Additions, changes, and fixes should
be accompanied with tests.
The integration tests are run using [Kitchen][kitchen],
[Kitchen-Terraform][kitchen-terraform], and [InSpec][inspec]. These
tools are packaged within a Docker image for convenience.
The general strategy for these tests is to verify the behaviour of the
[example modules](./examples/), thus ensuring that the root module,
submodules, and example modules are all functionally correct.
### Test Environment
The easiest way to test the module is in an isolated test project. The setup for such a project is defined in [test/setup](./test/setup/) directory.
To use this setup, you need a service account with these permissions (on a Folder or Organization):
- Project Creator
- Project Billing Manager
The project that the service account belongs to must have the following APIs enabled (the setup won't
create any resources on the service account's project):
- Cloud Resource Manager
- Cloud Billing
- Service Usage
- Identity and Access Management (IAM)
Export the Service Account credentials to your environment like so:
```
export SERVICE_ACCOUNT_JSON=$(< credentials.json)
```
You will also need to set a few environment variables:
```
export TF_VAR_org_id="your_org_id"
export TF_VAR_folder_id="your_folder_id"
export TF_VAR_billing_account="your_billing_account_id"
```
With these settings in place, you can prepare a test project using Docker:
```
make docker_test_prepare
```
### Noninteractive Execution
Run `make docker_test_integration` to test all of the example modules
noninteractively, using the prepared test project.
### Interactive Execution
1. Run `make docker_run` to start the testing Docker container in
interactive mode.
1. Run `kitchen_do create <EXAMPLE_NAME>` to initialize the working
directory for an example module.
1. Run `kitchen_do converge <EXAMPLE_NAME>` to apply the example module.
1. Run `kitchen_do verify <EXAMPLE_NAME>` to test the example module.
1. Run `kitchen_do destroy <EXAMPLE_NAME>` to destroy the example module
state.
## Linting and Formatting
Many of the files in the repository can be linted or formatted to
maintain a standard of quality.
### Execution
Run `make docker_test_lint`.
[docker-engine]: https://www.docker.com/products/docker-engine
[flake8]: http://flake8.pycqa.org/en/latest/
[gofmt]: https://golang.org/cmd/gofmt/
[google-cloud-sdk]: https://cloud.google.com/sdk/install
[hadolint]: https://github.com/hadolint/hadolint
[inspec]: https://inspec.io/
[kitchen-terraform]: https://github.com/newcontext-oss/kitchen-terraform
[kitchen]: https://kitchen.ci/
[make]: https://en.wikipedia.org/wiki/Make_(software)
[shellcheck]: https://www.shellcheck.net/
[terraform-docs]: https://github.com/segmentio/terraform-docs
[terraform]: https://terraform.io/
================================================
FILE: LICENSE
================================================
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
1. Definitions.
"License" shall mean the terms and conditions for use, reproduction,
and distribution as defined by Sections 1 through 9 of this document.
"Licensor" shall mean the copyright owner or entity authorized by
the copyright owner that is granting the License.
"Legal Entity" shall mean the union of the acting entity and all
other entities that control, are controlled by, or are under common
control with that entity. For the purposes of this definition,
"control" means (i) the power, direct or indirect, to cause the
direction or management of such entity, whether by contract or
otherwise, or (ii) ownership of fifty percent (50%) or more of the
outstanding shares, or (iii) beneficial ownership of such entity.
"You" (or "Your") shall mean an individual or Legal Entity
exercising permissions granted by this License.
"Source" form shall mean the preferred form for making modifications,
including but not limited to software source code, documentation
source, and configuration files.
"Object" form shall mean any form resulting from mechanical
transformation or translation of a Source form, including but
not limited to compiled object code, generated documentation,
and conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or
Object form, made available under the License, as indicated by a
copyright notice that is included in or attached to the work
(an example is provided in the Appendix below).
"Derivative Works" shall mean any work, whether in Source or Object
form, that is based on (or derived from) the Work and for which the
editorial revisions, annotations, elaborations, or other modifications
represent, as a whole, an original work of authorship. For the purposes
of this License, Derivative Works shall not include works that remain
separable from, or merely link (or bind by name) to the interfaces of,
the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including
the original version of the Work and any modifications or additions
to that Work or Derivative Works thereof, that is intentionally
submitted to Licensor for inclusion in the Work by the copyright owner
or by an individual or Legal Entity authorized to submit on behalf of
the copyright owner. For the purposes of this definition, "submitted"
means any form of electronic, verbal, or written communication sent
to the Licensor or its representatives, including but not limited to
communication on electronic mailing lists, source code control systems,
and issue tracking systems that are managed by, or on behalf of, the
Licensor for the purpose of discussing and improving the Work, but
excluding communication that is conspicuously marked or otherwise
designated in writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity
on behalf of whom a Contribution has been received by Licensor and
subsequently incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
copyright license to reproduce, prepare Derivative Works of,
publicly display, publicly perform, sublicense, and distribute the
Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
(except as stated in this section) patent license to make, have made,
use, offer to sell, sell, import, and otherwise transfer the Work,
where such license applies only to those patent claims licensable
by such Contributor that are necessarily infringed by their
Contribution(s) alone or by combination of their Contribution(s)
with the Work to which such Contribution(s) was submitted. If You
institute patent litigation against any entity (including a
cross-claim or counterclaim in a lawsuit) alleging that the Work
or a Contribution incorporated within the Work constitutes direct
or contributory patent infringement, then any patent licenses
granted to You under this License for that Work shall terminate
as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the
Work or Derivative Works thereof in any medium, with or without
modifications, and in Source or Object form, provided that You
meet the following conditions:
(a) You must give any other recipients of the Work or
Derivative Works a copy of this License; and
(b) You must cause any modified files to carry prominent notices
stating that You changed the files; and
(c) You must retain, in the Source form of any Derivative Works
that You distribute, all copyright, patent, trademark, and
attribution notices from the Source form of the Work,
excluding those notices that do not pertain to any part of
the Derivative Works; and
(d) If the Work includes a "NOTICE" text file as part of its
distribution, then any Derivative Works that You distribute must
include a readable copy of the attribution notices contained
within such NOTICE file, excluding those notices that do not
pertain to any part of the Derivative Works, in at least one
of the following places: within a NOTICE text file distributed
as part of the Derivative Works; within the Source form or
documentation, if provided along with the Derivative Works; or,
within a display generated by the Derivative Works, if and
wherever such third-party notices normally appear. The contents
of the NOTICE file are for informational purposes only and
do not modify the License. You may add Your own attribution
notices within Derivative Works that You distribute, alongside
or as an addendum to the NOTICE text from the Work, provided
that such additional attribution notices cannot be construed
as modifying the License.
You may add Your own copyright statement to Your modifications and
may provide additional or different license terms and conditions
for use, reproduction, or distribution of Your modifications, or
for any such Derivative Works as a whole, provided Your use,
reproduction, and distribution of the Work otherwise complies with
the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise,
any Contribution intentionally submitted for inclusion in the Work
by You to the Licensor shall be under the terms and conditions of
this License, without any additional terms or conditions.
Notwithstanding the above, nothing herein shall supersede or modify
the terms of any separate license agreement you may have executed
with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade
names, trademarks, service marks, or product names of the Licensor,
except as required for reasonable and customary use in describing the
origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or
agreed to in writing, Licensor provides the Work (and each
Contributor provides its Contributions) on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied, including, without limitation, any warranties or conditions
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
PARTICULAR PURPOSE. You are solely responsible for determining the
appropriateness of using or redistributing the Work and assume any
risks associated with Your exercise of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory,
whether in tort (including negligence), contract, or otherwise,
unless required by applicable law (such as deliberate and grossly
negligent acts) or agreed to in writing, shall any Contributor be
liable to You for damages, including any direct, indirect, special,
incidental, or consequential damages of any character arising as a
result of this License or out of the use or inability to use the
Work (including but not limited to damages for loss of goodwill,
work stoppage, computer failure or malfunction, or any and all
other commercial damages or losses), even if such Contributor
has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing
the Work or Derivative Works thereof, You may choose to offer,
and charge a fee for, acceptance of support, warranty, indemnity,
or other liability obligations and/or rights consistent with this
License. However, in accepting such obligations, You may act only
on Your own behalf and on Your sole responsibility, not on behalf
of any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability
incurred by, or claims asserted against, such Contributor by reason
of your accepting any such warranty or additional liability.
END OF TERMS AND CONDITIONS
APPENDIX: How to apply the Apache License to your work.
To apply the Apache License to your work, attach the following
boilerplate notice, with the fields enclosed by brackets "[]"
replaced with your own identifying information. (Don't include
the brackets!) The text should be enclosed in the appropriate
comment syntax for the file format. We also recommend that a
file or class name and description of purpose be included on the
same "printed page" as the copyright notice for easier
identification within third-party archives.
Copyright [yyyy] [name of copyright owner]
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
================================================
FILE: Makefile
================================================
# Copyright 2020 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Please note that this file was generated from [terraform-google-module-template](https://github.com/terraform-google-modules/terraform-google-module-template).
# Please make sure to contribute relevant changes upstream!
# Make will use bash instead of sh
SHELL := /usr/bin/env bash

DOCKER_TAG_VERSION_DEVELOPER_TOOLS := 1.25
DOCKER_IMAGE_DEVELOPER_TOOLS := cft/developer-tools
REGISTRY_URL := gcr.io/cloud-foundation-cicd

# Enter docker container for local development
.PHONY: docker_run
docker_run:
	docker run --rm -it \
		-e SERVICE_ACCOUNT_JSON \
		-v "$(CURDIR)":/workspace \
		$(REGISTRY_URL)/${DOCKER_IMAGE_DEVELOPER_TOOLS}:${DOCKER_TAG_VERSION_DEVELOPER_TOOLS} \
		/bin/bash

# Execute prepare tests within the docker container
.PHONY: docker_test_prepare
docker_test_prepare:
	docker run --rm -it \
		-e SERVICE_ACCOUNT_JSON \
		-e TF_VAR_org_id \
		-e TF_VAR_folder_id \
		-e TF_VAR_billing_account \
		-v "$(CURDIR)":/workspace \
		$(REGISTRY_URL)/${DOCKER_IMAGE_DEVELOPER_TOOLS}:${DOCKER_TAG_VERSION_DEVELOPER_TOOLS} \
		/usr/local/bin/execute_with_credentials.sh prepare_environment

# Clean up test environment within the docker container
.PHONY: docker_test_cleanup
docker_test_cleanup:
	docker run --rm -it \
		-e SERVICE_ACCOUNT_JSON \
		-e TF_VAR_org_id \
		-e TF_VAR_folder_id \
		-e TF_VAR_billing_account \
		-v "$(CURDIR)":/workspace \
		$(REGISTRY_URL)/${DOCKER_IMAGE_DEVELOPER_TOOLS}:${DOCKER_TAG_VERSION_DEVELOPER_TOOLS} \
		/usr/local/bin/execute_with_credentials.sh cleanup_environment

# Execute integration tests within the docker container
.PHONY: docker_test_integration
docker_test_integration:
	docker run --rm -it \
		-e SERVICE_ACCOUNT_JSON \
		-v "$(CURDIR)":/workspace \
		$(REGISTRY_URL)/${DOCKER_IMAGE_DEVELOPER_TOOLS}:${DOCKER_TAG_VERSION_DEVELOPER_TOOLS} \
		/usr/local/bin/test_integration.sh

# Execute lint tests within the docker container
.PHONY: docker_test_lint
docker_test_lint:
	docker run --rm -it \
		-e EXCLUDE_LINT_DIRS \
		-v "$(CURDIR)":/workspace \
		$(REGISTRY_URL)/${DOCKER_IMAGE_DEVELOPER_TOOLS}:${DOCKER_TAG_VERSION_DEVELOPER_TOOLS} \
		/usr/local/bin/test_lint.sh

# Generate documentation
.PHONY: docker_generate_docs
docker_generate_docs:
	docker run --rm -it \
		-v "$(CURDIR)":/workspace \
		$(REGISTRY_URL)/${DOCKER_IMAGE_DEVELOPER_TOOLS}:${DOCKER_TAG_VERSION_DEVELOPER_TOOLS} \
		/bin/bash -c 'source /usr/local/bin/task_helper_functions.sh && generate_docs'

# Alias for backwards compatibility
.PHONY: generate_docs
generate_docs: docker_generate_docs
================================================
FILE: README.md
================================================
# terraform-google-github-actions-runners
## Description
Using these Terraform modules you can quickly deploy self-hosted GitHub Runners for jobs in your GitHub Actions workflows.
## Modules
### [Self Hosted Runners on GKE](modules/gh-runner-gke/)
The `gh-runner-gke` module provisions the resources required to deploy Self Hosted Runners on GCP infrastructure using GKE. This module follows the guidance for using [Actions Runner Controller](https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/quickstart-for-actions-runner-controller#installing-actions-runner-controller) provided by GitHub.
Examples:
- [Simple Self Hosted Runners on GKE](examples/gh-runner-gke-simple/)
- [Self Hosted runners on GKE that support Docker Workflows](examples/gh-runner-gke-dind/)
- [Self Hosted runners on GKE that support Docker Workflows in rootless configuration](examples/gh-runner-gke-dind-rootless/)
More examples of [Self Hosted Runners on GKE/Anthos](https://github.com/github-developer/self-hosted-runners-anthos).
### [Self Hosted Runners on Managed Instance Groups using VMs](modules/gh-runner-mig-vm/)
The `gh-runner-mig-vm` module provisions the resources required to deploy Self Hosted Runners on GCP infrastructure using Managed Instance Groups.
Examples:
- [Simple Self Hosted Runner on MIG VMs](examples/gh-runner-mig-native-simple/)
- [Self Hosted Runner on MIG VMs from Packer Image](examples/gh-runner-mig-native-packer/)
### [Self Hosted Runners on Managed Instance Groups using Container VMs](modules/gh-runner-mig-container-vm/)
The `gh-runner-mig-container-vm` module provisions the resources required to deploy Self Hosted Runners on GCP infrastructure using Managed Instance Groups.
Examples:
- [Simple Self Hosted Runner on MIG Container VMs](examples/gh-runner-mig-container-vm-simple/)
- [Self Hosted runners on MIG Container VMs that support Docker Workflows](examples/gh-runner-mig-container-vm-dind/)
### [GitHub OIDC](modules/gh-oidc/)
This module handles the opinionated creation of infrastructure necessary to configure [Workload Identity pools](https://cloud.google.com/iam/docs/workload-identity-federation#pools) and [providers](https://cloud.google.com/iam/docs/workload-identity-federation#providers) for authenticating to GCP using GitHub Actions OIDC tokens.
Examples:
- [Simple Workload Identity configuration for GitHub OIDC](examples/oidc-simple/)
## Requirements
These sections describe requirements for using this module.
### Software
The following dependencies must be available:
- [Terraform][terraform] v0.13
- [Terraform Provider for GCP][terraform-provider-gcp]
## Contributing
Refer to the [contribution guidelines](./CONTRIBUTING.md) for
information on contributing to this module.
[iam-module]: https://registry.terraform.io/modules/terraform-google-modules/iam/google
[project-factory-module]: https://registry.terraform.io/modules/terraform-google-modules/project-factory/google
[terraform-provider-gcp]: https://www.terraform.io/docs/providers/google/index.html
[terraform]: https://www.terraform.io/downloads.html
## Security Disclosures
Please see our [security disclosure process](./SECURITY.md).
================================================
FILE: build/int.cloudbuild.yaml
================================================
# Copyright 2020 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
timeout: 3600s
steps:
- id: swap-module-refs
  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
  args: ['module-swapper']
- id: prepare
  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && prepare_environment && chmod 600 /builder/home/.netrc']
  env:
  - 'TF_VAR_org_id=$_ORG_ID'
  - 'TF_VAR_folder_id=$_FOLDER_ID'
  - 'TF_VAR_billing_account=$_BILLING_ACCOUNT'
- id: init-all
  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
  args: ['/bin/bash', '-c', 'cft test run all --stage init --verbose']
  waitFor:
  - prepare

# test/fixtures/gh-runner-mig-container-vm
- id: apply-gh-runner-mig-container-vm
  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
  args: ['/bin/bash', '-c', 'cft test run TestGHRunnerMIGContainerVM --stage apply --verbose']
  waitFor:
  - init-all
- id: verify-gh-runner-mig-container-vm
  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
  args: ['/bin/bash', '-c', 'cft test run TestGHRunnerMIGContainerVM --stage verify --verbose']
  waitFor:
  - apply-gh-runner-mig-container-vm
- id: destroy-gh-runner-mig-container-vm
  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
  args: ['/bin/bash', '-c', 'cft test run TestGHRunnerMIGContainerVM --stage destroy --verbose']
  waitFor:
  - verify-gh-runner-mig-container-vm

# TestAll/examples/gh-runner-gke-simple
- id: apply-gh-runner-gke-simple
  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
  args: ['/bin/bash', '-c', 'cft test run TestGhRunnerGkeSimple --stage apply --verbose']
  waitFor:
  - init-all
- id: verify-gh-runner-gke-simple
  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
  args: ['/bin/bash', '-c', 'cft test run TestGhRunnerGkeSimple --stage verify --verbose']
  waitFor:
  - apply-gh-runner-gke-simple
- id: destroy-gh-runner-gke-simple
  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
  args: ['/bin/bash', '-c', 'cft test run TestGhRunnerGkeSimple --stage destroy --verbose']
  waitFor:
  - verify-gh-runner-gke-simple

# TestAll/examples/gh-runner-gke-dind
- id: apply-gh-runner-gke-dind
  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
  args: ['/bin/bash', '-c', 'cft test run TestGhRunnerGkeDind --stage apply --verbose']
  waitFor:
  - init-all
- id: verify-gh-runner-gke-dind
  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
  args: ['/bin/bash', '-c', 'cft test run TestGhRunnerGkeDind --stage verify --verbose']
  waitFor:
  - apply-gh-runner-gke-dind
- id: destroy-gh-runner-gke-dind
  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
  args: ['/bin/bash', '-c', 'cft test run TestGhRunnerGkeDind --stage destroy --verbose']
  waitFor:
  - verify-gh-runner-gke-dind

# TestAll/examples/gh-runner-gke-dind-rootless
- id: apply-gh-runner-gke-dind-rootless
  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
  args: ['/bin/bash', '-c', 'cft test run TestGhRunnerGkeDindRootless --stage apply --verbose']
  waitFor:
  - init-all
- id: verify-gh-runner-gke-dind-rootless
  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
  args: ['/bin/bash', '-c', 'cft test run TestGhRunnerGkeDindRootless --stage verify --verbose']
  waitFor:
  - apply-gh-runner-gke-dind-rootless
- id: destroy-gh-runner-gke-dind-rootless
  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
  args: ['/bin/bash', '-c', 'cft test run TestGhRunnerGkeDindRootless --stage destroy --verbose']
  waitFor:
  - verify-gh-runner-gke-dind-rootless

# examples/oidc-simple
- id: apply-oidc
  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
  args: ['/bin/bash', '-c', 'cft test run TestOIDCSimple --stage apply --verbose']
  waitFor:
  - init-all
- id: verify-oidc
  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
  args: ['/bin/bash', '-c', 'cft test run TestOIDCSimple --stage verify --verbose']
  waitFor:
  - apply-oidc
- id: destroy-oidc
  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
  args: ['/bin/bash', '-c', 'cft test run TestOIDCSimple --stage destroy --verbose']
  waitFor:
  - verify-oidc

tags:
- 'ci'
- 'integration'
substitutions:
  _DOCKER_IMAGE_DEVELOPER_TOOLS: 'cft/developer-tools'
  _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '1.25'
================================================
FILE: build/lint.cloudbuild.yaml
================================================
# Copyright 2020 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
steps:
- name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
  id: 'lint'
  args: ['/usr/local/bin/test_lint.sh']
tags:
- 'ci'
- 'lint'
substitutions:
  _DOCKER_IMAGE_DEVELOPER_TOOLS: 'cft/developer-tools'
  _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '1.25'
================================================
FILE: docs/upgrading_to_v4.0.md
================================================
# Upgrading to v4.0
The v4.0 release of the `gh-runner-gke` module contains breaking changes.
## Migration Instructions
### `gh-runner-gke` module
```diff
module "runner-gke" {
source = "terraform-google-modules/github-actions-runners/google//modules/gh-runner-gke"
- version = "~> 3.0"
+ version = "~> 4.0"
project_id = var.project_id
create_network = true
+ cluster_suffix = "repo"
- repo_name = "repo"
- repo_owner = "repo_owner"
- repo_url = "repo_url"
- gh_token = "gh_token"
+ gh_app_id = "123456"
+ gh_app_installation_id = "12345678"
+ gh_app_private_key = "sample"
+ gh_config_url = "https://github.com/ORGANIZATION"
}
```
- Previously, the name of the created GKE cluster appended `repo_name` as a suffix. Now the suffix is set via `cluster_suffix`, since a runner cluster can serve workflows from more than one GitHub repo. To prevent cluster deletion when upgrading, set `cluster_suffix` to the previous value of `repo_name`.
- The module now prefers authentication via a GitHub App installation. Follow the instructions for [authenticating to ARC via GitHub App](https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/authenticating-to-the-github-api#authenticating-arc-with-a-github-app) and provide the resulting values to the module instead of the previous repo authentication values. Upgrading will destroy the previously created `runner_k8s_config` Kubernetes secret, so previously built GitHub Runner images may fail.
- Previously, the GKE cluster service account was granted the `roles/storage.objectViewer` role so it could pull images from Container Registry. The module no longer requires access to Container Registry, so that IAM membership has been removed. If your cluster relies on this role, you will need to add it again manually.
================================================
FILE: examples/gh-org-runner-mig-native-simple/README.md
================================================
# Example Org Runners that support Docker Workflows
## Overview
This example showcases how to use startup scripts to deploy organisation runners using the `gh-runner-mig` module.
We use startup/shutdown scripts to install the runner binary, register the runner when it comes online, and de-register it when the instance shuts down.
## Steps to deploy this example
- Step 1: Create terraform.tfvars file with the necessary values.
GitHub Apps must have the `organization_self_hosted_runners` permission for organizations. Authenticated users must have admin access to the organization to use this API.
You must authenticate using an access token with the `admin:org` scope to use this endpoint.
More info can be found [here](https://developer.github.com/v3/actions/self_hosted_runners/) and [here](https://docs.github.com/en/rest/reference/actions#create-a-registration-token-for-an-organization).
```sh
project_id = "your-project-id"
gh_token = "your-github-token"
repo_owner = "owner"
```
- Step 2: Create the infrastructure
```sh
$ terraform init
$ terraform plan
$ terraform apply
```
- Step 3: Your runners should become active at https://github.com/owner/your-repo-name/settings/actions.
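The token requirement and the registration-token endpoint referenced in Step 1, as an added example (not part of this module): a small Python client that refuses to proceed unless the PAT reports `admin:org` in GitHub's `X-OAuth-Scopes` response header, then parses the short-lived registration token that the startup script hands to the runner instead of the PAT itself. The `send` callable and the `fake_github` reply are constructed stand-ins so the code runs offline.

```python
"""Mint an organisation-level runner registration token from a GitHub PAT.

Added example, not part of the module. It models the README's requirement
(the PAT must carry the ``admin:org`` scope) and the
POST /orgs/{org}/actions/runners/registration-token exchange, with an
injectable ``send`` callable so it can be exercised offline.
"""
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Set, Tuple

REQUIRED_SCOPE = "admin:org"
API = "https://api.github.com"


@dataclass
class Response:
    status: int
    headers: Dict[str, str]
    body: bytes = b""


def scopes_from_headers(headers: Dict[str, str]) -> Set[str]:
    """GitHub echoes a classic PAT's granted scopes in X-OAuth-Scopes."""
    lowered = {k.lower(): v for k, v in headers.items()}
    raw = lowered.get("x-oauth-scopes", "")
    return {s.strip() for s in raw.split(",") if s.strip()}


def build_registration_request(org: str, token: str) -> dict:
    """Request the startup script sends; the PAT never leaves this host."""
    return {
        "method": "POST",
        "url": f"{API}/orgs/{org}/actions/runners/registration-token",
        "headers": {
            "Authorization": f"Bearer {token}",
            "Accept": "application/vnd.github+json",
        },
    }


def fetch_registration_token(
    org: str, token: str, send: Callable[[dict], Response], now: datetime = None
) -> Tuple[str, int]:
    """Return (registration_token, seconds_until_expiry).

    Fails closed: a PAT without admin:org, a non-201 status, or an already
    expired token all raise instead of handing back something unusable.
    """
    resp = send(build_registration_request(org, token))
    scopes = scopes_from_headers(resp.headers)
    if REQUIRED_SCOPE not in scopes:
        raise PermissionError(f"PAT lacks {REQUIRED_SCOPE}; has {sorted(scopes)}")
    if resp.status != 201:
        raise RuntimeError(f"unexpected status {resp.status}")
    data = json.loads(resp.body)
    expires = datetime.fromisoformat(data["expires_at"].replace("Z", "+00:00"))
    now = now or datetime.now(timezone.utc)
    remaining = int((expires - now).total_seconds())
    if remaining <= 0:
        raise RuntimeError("registration token already expired")
    # Only this short-lived token should reach `config.sh --token ...`.
    return data["token"], remaining


# Constructed clock and fake API so the example runs without network access.
FAKE_NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)


def fake_github(scopes: str) -> Callable[[dict], Response]:
    """Constructed stand-in for api.github.com; the reply is sample data."""

    def send(req: dict) -> Response:
        headers = {"X-OAuth-Scopes": scopes}
        if REQUIRED_SCOPE not in scopes_from_headers(headers):
            return Response(403, headers, b'{"message":"Resource not accessible"}')
        body = json.dumps({
            "token": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAA",  # constructed sample value
            "expires_at": (FAKE_NOW + timedelta(hours=1)).strftime("%Y-%m-%dT%H:%M:%SZ"),
        }).encode()
        return Response(201, headers, body)

    return send


if __name__ == "__main__":
    tok, secs = fetch_registration_token("owner", "ghp_constructed", fake_github("admin:org, repo"), now=FAKE_NOW)
    print(f"registration token valid for {secs}s")
    try:
        fetch_registration_token("owner", "ghp_constructed", fake_github("repo, read:org"), now=FAKE_NOW)
    except PermissionError as exc:
        print(f"refused: {exc}")
```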
<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
## Inputs
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| gh\_token | Github token that is used for generating Self Hosted Runner Token | `string` | n/a | yes |
| project\_id | The project id to deploy Github Runner MIG | `string` | n/a | yes |
| repo\_owner | Owner of the organisation for the Github Action | `string` | n/a | yes |
## Outputs
| Name | Description |
|------|-------------|
| mig\_instance\_group | The instance group url of the created MIG |
| mig\_instance\_template | The name of the MIG Instance Template |
| mig\_name | The name of the MIG |
| service\_account | Service account email for GCE |
<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
================================================
FILE: examples/gh-org-runner-mig-native-simple/main.tf
================================================
/**
* Copyright 2019 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
module "runner_mig" {
  source  = "terraform-google-modules/github-actions-runners/google//modules/gh-runner-mig-vm"
  version = "~> 5.0"

  create_network = true
  project_id     = var.project_id
  repo_owner     = var.repo_owner
  gh_token       = var.gh_token
}
================================================
FILE: examples/gh-org-runner-mig-native-simple/outputs.tf
================================================
/**
* Copyright 2020 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
output "mig_instance_group" {
  description = "The instance group url of the created MIG"
  value       = module.runner_mig.mig_instance_group
}

output "mig_name" {
  description = "The name of the MIG"
  value       = module.runner_mig.mig_name
}

output "service_account" {
  description = "Service account email for GCE"
  value       = module.runner_mig.service_account
}

output "mig_instance_template" {
  description = "The name of the MIG Instance Template"
  value       = module.runner_mig.mig_instance_template
}
================================================
FILE: examples/gh-org-runner-mig-native-simple/providers.tf
================================================
/**
* Copyright 2021 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
terraform {
  required_providers {
    google = {
      source  = "hashicorp/google"
      version = ">= 4.0"
    }
    google-beta = {
      source  = "hashicorp/google-beta"
      version = ">= 4.0"
    }
  }
  required_version = ">= 0.13"
}
================================================
FILE: examples/gh-org-runner-mig-native-simple/variables.tf
================================================
/**
* Copyright 2019 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
variable "project_id" {
  type        = string
  description = "The project id to deploy Github Runner MIG"
}

variable "repo_owner" {
  type        = string
  description = "Owner of the organisation for the Github Action"
}

variable "gh_token" {
  type        = string
  description = "Github token that is used for generating Self Hosted Runner Token"
}
================================================
FILE: examples/gh-runner-gke-dind/.dockerignore
================================================
.terraform
*.tf*
*.tfvars
================================================
FILE: examples/gh-runner-gke-dind/.gcloudignore
================================================
.terraform
*.tfstate
*.tf
*.out
sample-manifests
================================================
FILE: examples/gh-runner-gke-dind/README.md
================================================
# Self Hosted runners on GKE that support Docker Workflows
## Overview
This example shows how to deploy runners that support Docker Workflows on GKE.
More examples of [Self Hosted Runners on GKE/Anthos](https://github.com/github-developer/self-hosted-runners-anthos).
## Deployment
1. Follow the instructions in the [GitHub documentation](https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/authenticating-to-the-github-api#authenticating-arc-with-a-github-app) to create a GitHub App for authenticating ARC.
1. Gather the values for your GitHub App ID, GitHub App Installation ID, and GitHub App Private Key from the instructions linked above.
1. Substitute your values into the example [`main.tf`](main.tf). Modify any other values as needed. For a full list of available variables, refer to the [module documentation](../../modules/gh-runner-gke/).
1. Execute Terraform commands to create the required resources.
```sh
terraform init
terraform apply
```
1. Your runners should become active at `https://github.com/organizations/ORGANIZATION/settings/actions/runners`.
<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
## Inputs
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| project\_id | The project id to deploy the GitHub runner GKE cluster | `string` | n/a | yes |
## Outputs
| Name | Description |
|------|-------------|
| cluster\_name | Cluster name |
| location | Cluster location |
| project\_id | The project in which resources are created |
| service\_account | The default service account used for running nodes. |
<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
================================================
FILE: examples/gh-runner-gke-dind/main.tf
================================================
/**
* Copyright 2020 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
module "runner-gke" {
source = "terraform-google-modules/github-actions-runners/google//modules/gh-runner-gke"
version = "~> 5.0"
project_id = var.project_id
create_network = true
network_name = "runner-network-dind"
subnet_name = "runner-subnet-dind"
cluster_suffix = "dind"
gh_app_id = "123456"
gh_app_installation_id = "12345678"
gh_app_private_key = "sample"
gh_config_url = "https://github.com/ORGANIZATION"
arc_container_mode = "dind"
enable_private_nodes = true
}
================================================
FILE: examples/gh-runner-gke-dind/outputs.tf
================================================
/**
* Copyright 2020 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
output "service_account" {
description = "The default service account used for running nodes."
value = module.runner-gke.service_account
}
output "cluster_name" {
description = "Cluster name"
value = module.runner-gke.cluster_name
}
output "location" {
description = "Cluster location"
value = module.runner-gke.location
}
output "project_id" {
value = var.project_id
description = "The project in which resources are created"
}
================================================
FILE: examples/gh-runner-gke-dind/providers.tf
================================================
/**
* Copyright 2020 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
/*****************************************
Kubernetes provider configuration
*****************************************/
data "google_client_config" "default" {
}
provider "kubernetes" {
host = "https://${module.runner-gke.kubernetes_endpoint}"
token = data.google_client_config.default.access_token
cluster_ca_certificate = base64decode(module.runner-gke.ca_certificate)
}
provider "helm" {
kubernetes = {
host = "https://${module.runner-gke.kubernetes_endpoint}"
token = data.google_client_config.default.access_token
cluster_ca_certificate = base64decode(module.runner-gke.ca_certificate)
exec = {
api_version = "client.authentication.k8s.io/v1beta1"
command = "gke-gcloud-auth-plugin"
}
}
}
================================================
FILE: examples/gh-runner-gke-dind/variables.tf
================================================
/**
* Copyright 2020 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
variable "project_id" {
type = string
description = "The project id to deploy the GitHub runner GKE cluster"
}
================================================
FILE: examples/gh-runner-gke-dind/versions.tf
================================================
/**
* Copyright 2020 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
terraform {
required_providers {
google = {
source = "hashicorp/google"
}
google-beta = {
source = "hashicorp/google-beta"
}
kubernetes = {
source = "hashicorp/kubernetes"
version = "~> 2.0"
}
}
required_version = ">= 0.13"
}
================================================
FILE: examples/gh-runner-gke-dind-rootless/README.md
================================================
# Self Hosted runners on GKE that support dind-rootless
## Overview
This example shows how to deploy runners that support Docker Workflows on GKE in a rootless configuration. This example is based on the instructions published in [Deploying GitHub Action Runners on GKE with dind-rootless](https://medium.com/google-cloud/github-action-runners-on-gke-with-dind-rootless-bd54e23516c9).
More examples are available in [Self Hosted Runners on GKE/Anthos](https://github.com/github-developer/self-hosted-runners-anthos).
## Deployment
1. Follow the instructions in the [GitHub documentation](https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/authenticating-to-the-github-api#authenticating-arc-with-a-github-app) to create a GitHub App for authenticating ARC.
1. Gather the values for your GitHub App ID, GitHub App Installation ID, and GitHub App Private Key from the instructions linked above.
1. Substitute your values into the example [`main.tf`](main.tf). Modify any other values as needed. For a full list of available variables, refer to the [module documentation](../../modules/gh-runner-gke/).
1. Execute Terraform commands to create the required resources.
```sh
terraform init
terraform apply
```
1. Your runners should become active at `https://github.com/organizations/ORGANIZATION/settings/actions/runners`.
<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
## Inputs
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| project\_id | The project id to deploy the GitHub runner GKE cluster | `string` | n/a | yes |
## Outputs
| Name | Description |
|------|-------------|
| cluster\_name | Cluster name |
| location | Cluster location |
| project\_id | The project in which resources are created |
| service\_account | The default service account used for running nodes. |
<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
================================================
FILE: examples/gh-runner-gke-dind-rootless/main.tf
================================================
/**
* Copyright 2020 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
module "runner-gke" {
source = "terraform-google-modules/github-actions-runners/google//modules/gh-runner-gke"
version = "~> 5.0"
project_id = var.project_id
create_network = true
network_name = "runner-network-dind-r"
subnet_name = "runner-subnet-dind-r"
cluster_suffix = "dind-rootless"
gh_app_id = "123456"
gh_app_installation_id = "12345678"
gh_app_private_key = "sample"
gh_config_url = "https://github.com/ORGANIZATION"
enable_private_nodes = true
# pass values.yaml for the dind-rootless runner configuration
arc_runners_values = [
file("${path.module}/values.yaml")
]
}
================================================
FILE: examples/gh-runner-gke-dind-rootless/outputs.tf
================================================
/**
* Copyright 2020 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
output "service_account" {
description = "The default service account used for running nodes."
value = module.runner-gke.service_account
}
output "cluster_name" {
description = "Cluster name"
value = module.runner-gke.cluster_name
}
output "location" {
description = "Cluster location"
value = module.runner-gke.location
}
output "project_id" {
value = var.project_id
description = "The project in which resources are created"
}
================================================
FILE: examples/gh-runner-gke-dind-rootless/providers.tf
================================================
/**
* Copyright 2020 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
/*****************************************
Kubernetes provider configuration
*****************************************/
data "google_client_config" "default" {
}
provider "kubernetes" {
host = "https://${module.runner-gke.kubernetes_endpoint}"
token = data.google_client_config.default.access_token
cluster_ca_certificate = base64decode(module.runner-gke.ca_certificate)
}
provider "helm" {
kubernetes = {
host = "https://${module.runner-gke.kubernetes_endpoint}"
token = data.google_client_config.default.access_token
cluster_ca_certificate = base64decode(module.runner-gke.ca_certificate)
exec = {
api_version = "client.authentication.k8s.io/v1beta1"
command = "gke-gcloud-auth-plugin"
}
}
}
================================================
FILE: examples/gh-runner-gke-dind-rootless/values.yaml
================================================
# Copyright 2024 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
## githubConfigUrl is the GitHub URL under which the runners are registered
## ex: https://github.com/myorg/myrepo or https://github.com/myorg
## githubConfigUrl: "https://github.com/[user]/[repo]"
## Note: specified on the command line outside of values.yaml
## githubConfigSecret is the Kubernetes secret used to authenticate to the GitHub API.
## It can hold GitHub App credentials or a PAT
## githubConfigSecret: "my-token"
## Note: specified on the command line outside of values.yaml
## maxRunners is the max number of runners the autoscaling runner set will scale up to.
maxRunners: 5
## minRunners is the min number of idle runners. The target number of runners created will be
## calculated as a sum of minRunners and the number of jobs assigned to the scale set.
minRunners: 0
#runnerGroup: "my-custom-runner-group"
## name of the runner scale set to create. Defaults to the helm release name
runnerScaleSetName: "arc-runner-set"
## template is the PodSpec for each runner Pod
## For reference: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#PodSpec
template:
  spec:
    initContainers:
      - name: init-dind-externals
        image: ghcr.io/actions/actions-runner:latest
        command: ["cp", "-r", "-v", "/home/runner/externals/.", "/home/runner/tmpDir/"]
        volumeMounts:
          - name: dind-externals
            mountPath: /home/runner/tmpDir
      - name: init-dind-rootless
        image: docker:dind-rootless
        command:
          - sh
          - -c
          - |
            set -x
            cp -a /etc/. /dind-etc/
            echo 'runner:x:1001:1001:runner:/home/runner:/bin/ash' >> /dind-etc/passwd
            echo 'runner:x:1001:' >> /dind-etc/group
            echo 'runner:100000:65536' >> /dind-etc/subgid
            echo 'runner:100000:65536' >> /dind-etc/subuid
            chmod 755 /dind-etc;
            chmod u=rwx,g=rx+s,o=rx /dind-home
            chown 1001:1001 /dind-home
        securityContext:
          runAsUser: 0
        volumeMounts:
          - mountPath: /dind-etc
            name: dind-etc
          - mountPath: /dind-home
            name: dind-home
    containers:
      - name: runner
        image: ghcr.io/actions/actions-runner:latest
        command: ["/home/runner/run.sh"]
        env:
          - name: DOCKER_HOST
            value: unix:///home/runner/var/run/docker.sock
        securityContext:
          privileged: true
          runAsUser: 1001
          runAsGroup: 1001
        volumeMounts:
          - name: work
            mountPath: /home/runner/_work
          - name: dind-sock
            mountPath: /home/runner/var/run
      - name: dind
        image: docker:dind-rootless
        args: ["dockerd", "--host=unix:///home/runner/var/run/docker.sock"]
        securityContext:
          privileged: true
          runAsUser: 1001
          runAsGroup: 1001
        volumeMounts:
          - name: work
            mountPath: /home/runner/_work
          - name: dind-sock
            mountPath: /home/runner/var/run
          - name: dind-externals
            mountPath: /home/runner/externals
          - name: dind-etc
            mountPath: /etc
          - name: dind-home
            mountPath: /home/runner
    volumes:
      - name: work
        emptyDir: {}
      - name: dind-externals
        emptyDir: {}
      - name: dind-sock
        emptyDir: {}
      - name: dind-etc
        emptyDir: {}
      - name: dind-home
        emptyDir: {}
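The template above runs the `runner` and `dind` containers as uid 1001 but still gives both `privileged: true`, and the `init-dind-rootless` step runs as uid 0; "rootless" here refers to the Docker daemon's user, not to the pod's isolation. The following is an added example, not part of this module or of ARC, that audits a PodSpec-shaped dict for exactly these settings so a reviewer can gate on them before `terraform apply`. `TEMPLATE` is a constructed, trimmed mirror of the values.yaml above (container names, images and securityContext only), and the finding codes are this example's own vocabulary.

```python
"""Audit a runner pod template for privilege-related settings.

Added example; not part of the module or of ARC. TEMPLATE is a constructed,
trimmed mirror of the dind-rootless values.yaml on this page (container
names, images and securityContext only). The finding codes are this
example's own vocabulary.
"""
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample mirroring the page's template; volumes, env and
# commands are omitted because the audit does not look at them.
TEMPLATE: Dict = {
    "spec": {
        "initContainers": [
            {"name": "init-dind-externals",
             "image": "ghcr.io/actions/actions-runner:latest"},
            {"name": "init-dind-rootless",
             "image": "docker:dind-rootless",
             "securityContext": {"runAsUser": 0}},
        ],
        "containers": [
            {"name": "runner",
             "image": "ghcr.io/actions/actions-runner:latest",
             "securityContext": {"privileged": True, "runAsUser": 1001, "runAsGroup": 1001}},
            {"name": "dind",
             "image": "docker:dind-rootless",
             "securityContext": {"privileged": True, "runAsUser": 1001, "runAsGroup": 1001}},
        ],
    }
}

Finding = Tuple[str, str, str]  # (container path, code, detail)


def audit_pod_spec(template: Dict) -> List[Finding]:
    """Walk initContainers and containers and return one finding per risky setting."""
    findings: List[Finding] = []
    spec = template.get("spec", {})
    for kind in ("initContainers", "containers"):
        for container in spec.get(kind, []):
            path = f"{kind}/{container['name']}"
            sc = container.get("securityContext") or {}
            image = container.get("image", "")
            if sc.get("privileged"):
                # privileged disables most container isolation regardless of the uid
                findings.append((path, "PRIVILEGED", "privileged: true"))
            uid = sc.get("runAsUser")
            if uid is None:
                findings.append((path, "UID_UNSET", "runAsUser not set; image default applies"))
            elif uid == 0:
                findings.append((path, "ROOT", "runAsUser: 0"))
            if "@sha256:" not in image:
                # a mutable tag (latest, dind-rootless) can change underneath the deployment
                findings.append((path, "UNPINNED_IMAGE", image))
    return findings


def count_by_code(findings: List[Finding]) -> Counter:
    """Summary suitable for a policy gate, e.g. fail the apply if PRIVILEGED > 0."""
    return Counter(code for _, code, _ in findings)


if __name__ == "__main__":
    for path, code, detail in audit_pod_spec(TEMPLATE):
        print(f"{code:15} {path:35} {detail}")
    print(dict(count_by_code(audit_pod_spec(TEMPLATE))))
```

Run against the page's template the audit reports two privileged containers, one root init container, one container with no `runAsUser`, and four images referenced by mutable tag rather than digest. Whether `privileged` is acceptable for this runner pool is a deployment decision; the point of the check is that the decision is recorded rather than hidden behind the word "rootless".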
================================================
FILE: examples/gh-runner-gke-dind-rootless/variables.tf
================================================
/**
* Copyright 2020 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
variable "project_id" {
type = string
description = "The project id to deploy the GitHub runner GKE cluster"
}
================================================
FILE: examples/gh-runner-gke-dind-rootless/versions.tf
================================================
/**
* Copyright 2020 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
terraform {
required_providers {
google = {
source = "hashicorp/google"
}
google-beta = {
source = "hashicorp/google-beta"
}
kubernetes = {
source = "hashicorp/kubernetes"
version = "~> 2.0"
}
}
required_version = ">= 0.13"
}
================================================
FILE: examples/gh-runner-gke-simple/.dockerignore
================================================
.terraform
*.tf*
*.tfvars
================================================
FILE: examples/gh-runner-gke-simple/.gcloudignore
================================================
.terraform
*.tfstate
*.tf
*.out
sample-manifests
================================================
FILE: examples/gh-runner-gke-simple/README.md
================================================
# Simple Self Hosted runners on GKE
## Overview
This example shows how to deploy ARC runners on GKE.
More examples are available in [Self Hosted Runners on GKE/Anthos](https://github.com/github-developer/self-hosted-runners-anthos).
## Deployment
1. Follow the instructions in the [GitHub documentation](https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/authenticating-to-the-github-api#authenticating-arc-with-a-github-app) to create a GitHub App for authenticating ARC.
1. Gather the values for your GitHub App ID, GitHub App Installation ID, and GitHub App Private Key from the instructions linked above.
1. Substitute your values into the example [`main.tf`](main.tf). Modify any other values as needed. For a full list of available variables, refer to the [module documentation](../../modules/gh-runner-gke/).
1. Execute Terraform commands to create the required resources.
```sh
terraform init
terraform apply
```
1. Your runners should become active at `https://github.com/organizations/ORGANIZATION/settings/actions/runners`.
<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
## Inputs
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| project\_id | The project id to deploy the GitHub runner GKE cluster | `string` | n/a | yes |
## Outputs
| Name | Description |
|------|-------------|
| cluster\_name | Cluster name |
| location | Cluster location |
| network\_name | Name of VPC |
| project\_id | The project in which resources are created |
| service\_account | The default service account used for running nodes. |
| subnet\_name | Name of the subnet |
<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
================================================
FILE: examples/gh-runner-gke-simple/main.tf
================================================
/**
* Copyright 2020 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
module "runner-gke" {
source = "terraform-google-modules/github-actions-runners/google//modules/gh-runner-gke"
version = "~> 5.0"
project_id = var.project_id
create_network = true
cluster_suffix = "k8s"
gh_app_id = "123456"
gh_app_installation_id = "12345678"
gh_app_private_key = "sample"
gh_config_url = "https://github.com/ORGANIZATION"
}
================================================
FILE: examples/gh-runner-gke-simple/outputs.tf
================================================
/**
* Copyright 2020 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
output "service_account" {
description = "The default service account used for running nodes."
value = module.runner-gke.service_account
}
output "cluster_name" {
description = "Cluster name"
value = module.runner-gke.cluster_name
}
output "network_name" {
description = "Name of VPC"
value = module.runner-gke.network_name
}
output "subnet_name" {
description = "Name of the subnet"
value = module.runner-gke.subnet_name
}
output "location" {
description = "Cluster location"
value = module.runner-gke.location
}
output "project_id" {
value = var.project_id
description = "The project in which resources are created"
}
================================================
FILE: examples/gh-runner-gke-simple/providers.tf
================================================
/**
* Copyright 2020 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
/*****************************************
Kubernetes provider configuration
*****************************************/
data "google_client_config" "default" {
}
provider "kubernetes" {
host = "https://${module.runner-gke.kubernetes_endpoint}"
token = data.google_client_config.default.access_token
cluster_ca_certificate = base64decode(module.runner-gke.ca_certificate)
}
provider "helm" {
kubernetes = {
host = "https://${module.runner-gke.kubernetes_endpoint}"
token = data.google_client_config.default.access_token
cluster_ca_certificate = base64decode(module.runner-gke.ca_certificate)
exec = {
api_version = "client.authentication.k8s.io/v1beta1"
command = "gke-gcloud-auth-plugin"
}
}
}
================================================
FILE: examples/gh-runner-gke-simple/variables.tf
================================================
/**
* Copyright 2020 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
variable "project_id" {
type = string
description = "The project id to deploy the GitHub runner GKE cluster"
}
================================================
FILE: examples/gh-runner-gke-simple/versions.tf
================================================
/**
* Copyright 2020 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
terraform {
required_providers {
google = {
source = "hashicorp/google"
}
google-beta = {
source = "hashicorp/google-beta"
}
kubernetes = {
source = "hashicorp/kubernetes"
version = "~> 2.0"
}
}
required_version = ">= 0.13"
}
================================================
FILE: examples/gh-runner-mig-container-vm-dind/.dockerignore
================================================
.terraform
*.tf*
*.tfvars
================================================
FILE: examples/gh-runner-mig-container-vm-dind/.gcloudignore
================================================
.terraform
*.tfstate
*.tf
*.out
================================================
FILE: examples/gh-runner-mig-container-vm-dind/Dockerfile
================================================
# Copyright 2020 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Download and verify the integrity of the download first
FROM ubuntu:24.04
RUN apt-get update && \
apt-get -y install apt-transport-https \
ca-certificates \
curl \
tar \
jq \
build-essential \
gnupg2 \
iputils-ping \
software-properties-common
RUN curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add - && \
add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu bionic stable" && \
apt-get update && \
apt-get -y install docker-ce
ARG GH_RUNNER_VERSION="2.169.0"
WORKDIR /runner
RUN curl -o actions.tar.gz --location "https://github.com/actions/runner/releases/download/v${GH_RUNNER_VERSION}/actions-runner-linux-x64-${GH_RUNNER_VERSION}.tar.gz" && \
tar -zxf actions.tar.gz && \
rm -f actions.tar.gz && \
./bin/installdependencies.sh
COPY entrypoint.sh .
ENV RUNNER_ALLOW_RUNASROOT=1
RUN chmod +x entrypoint.sh
ENTRYPOINT ["/runner/entrypoint.sh"]
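The Dockerfile's leading comment says the download is verified, but the `RUN` step hands `actions.tar.gz` straight from `curl` to `tar`. Below is an added example, not part of the module, showing the check a build script could perform before extraction: compare the archive's SHA-256 with the expected digest in constant time, and refuse any member that would land outside the target directory. `EXPECTED_SHA256` is a placeholder (the real value is the digest published with the `actions/runner` release matching `GH_RUNNER_VERSION`); the sample archives are constructed inside `demo()`.

```python
"""Verify a runner archive's SHA-256 and check its members before extracting.

Added example; not part of the module's Dockerfile. EXPECTED_SHA256 is a
placeholder: the real value is the digest published with the actions/runner
release being installed. The sample archives are constructed in demo().
"""
import hashlib
import hmac
import io
import os
import tarfile
import tempfile
from pathlib import Path
from typing import Dict, List

EXPECTED_SHA256 = "<sha256 published for the runner release>"  # placeholder, not a real digest


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def digest_matches(data: bytes, expected_hex: str) -> bool:
    """Constant-time compare so a mismatch does not leak how much of the digest matched."""
    return hmac.compare_digest(sha256_hex(data), expected_hex.strip().lower())


def unsafe_members(tar: tarfile.TarFile, dest: Path) -> List[str]:
    """Names of entries that would be written outside dest (absolute, '..', or links pointing out)."""
    root = str(dest.resolve())
    bad: List[str] = []
    for member in tar.getmembers():
        target = (dest.resolve() / member.name).resolve()
        if member.name.startswith("/") or os.path.commonpath([root, str(target)]) != root:
            bad.append(member.name)
            continue
        if member.issym() or member.islnk():
            # symlink targets are relative to the member's directory, hard links to the archive root
            base = target.parent if member.issym() else dest.resolve()
            link = (base / member.linkname).resolve()
            if member.linkname.startswith("/") or os.path.commonpath([root, str(link)]) != root:
                bad.append(member.name)
    return bad


def verify_and_extract(data: bytes, expected_hex: str, dest: Path) -> List[str]:
    """Extract only if the digest matches and every member stays inside dest; return member names."""
    if not digest_matches(data, expected_hex):
        raise ValueError("sha256 mismatch; refusing to extract")
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        bad = unsafe_members(tar, dest)
        if bad:
            raise ValueError(f"archive members escape {dest}: {bad}")
        # use the 'data' extraction filter where this Python provides it
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(dest, **kwargs)
        return [m.name for m in tar.getmembers()]


def make_tar(members: Dict[str, bytes]) -> bytes:
    """Build a small gzip tarball in memory (constructed sample input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def demo() -> Dict[str, object]:
    """Run the check against a good archive, a tampered copy, and one with a traversal member."""
    good = make_tar({"bin/installdependencies.sh": b"#!/bin/sh\n", "run.sh": b"#!/bin/sh\n"})
    published = sha256_hex(good)  # stands in for the digest shipped with the release
    escaping = make_tar({"../outside.txt": b"should never be written\n"})
    results: Dict[str, object] = {}
    with tempfile.TemporaryDirectory() as tmp:
        dest = Path(tmp) / "runner"
        dest.mkdir()
        results["extracted"] = verify_and_extract(good, published, dest)
        results["files_present"] = sorted(p.name for p in dest.rglob("*") if p.is_file())
        try:
            verify_and_extract(good + b"\x00", published, dest)
            results["tampered_rejected"] = False
        except ValueError:
            results["tampered_rejected"] = True
        try:
            verify_and_extract(escaping, sha256_hex(escaping), dest)
            results["traversal_rejected"] = False
        except ValueError:
            results["traversal_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

In a Dockerfile the equivalent is a `sha256sum -c` against a digest passed in as a build argument next to `GH_RUNNER_VERSION`, run between the `curl` and the `tar -zxf`; the digest check is what ties the build to the release that was reviewed, and the member check is what stops a substituted archive from writing outside `/runner`.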
================================================
FILE: examples/gh-runner-mig-container-vm-dind/README.md
================================================
# Example Runners on MIG Container VM that support Docker Workflows
## Overview
This example shows how to deploy a runner that supports Docker Workflows on GCE Container VM.
## Steps to deploy this example
- Step 1: Build the example runner image using Google Cloud Build. Alternatively, use a prebuilt image or build the image with a local Docker daemon.
```sh
$ gcloud config set project $PROJECT_ID
$ gcloud services enable containerregistry.googleapis.com cloudbuild.googleapis.com
$ gcloud builds submit --config=cloudbuild.yaml
```
- Step 2: Create terraform.tfvars file with the necessary values.
Access tokens require the `repo` scope for private repositories and the `public_repo` scope for public repositories. GitHub Apps must have the `administration` permission to use this API, and authenticated users must have admin access to the repository.
More info can be found [here](https://developer.github.com/v3/actions/self_hosted_runners/).
```tf
project_id = "your-project-id"
image = "your-image-registry/image:tag"
gh_token = "your-github-token"
repo_url = "https://github.com/owner/your-repo-name"
repo_name = "your-repo-name"
repo_owner = "owner"
```
- Step 3: Create the infrastructure.
```sh
$ terraform init
$ terraform plan
$ terraform apply
```
- Step 4: Your runners should become active at https://github.com/owner/your-repo-name/settings/actions.
<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
## Inputs
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| gh\_token | Github token that is used for generating Self Hosted Runner Token | `string` | n/a | yes |
| image | The github runner image | `string` | n/a | yes |
| project\_id | The project id to deploy Github Runner MIG | `string` | n/a | yes |
| repo\_name | Name of the repo for the Github Action | `string` | n/a | yes |
| repo\_owner | Owner of the repo for the Github Action | `string` | n/a | yes |
| repo\_url | Repo URL for the Github Action | `string` | n/a | yes |
## Outputs
| Name | Description |
|------|-------------|
| mig\_instance\_group | The instance group url of the created MIG |
| mig\_name | The name of the MIG |
<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
================================================
FILE: examples/gh-runner-mig-container-vm-dind/cloudbuild.yaml
================================================
# Copyright 2020 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
steps:
  - name: "gcr.io/cloud-builders/docker"
    args:
      [
        "build",
        "-t",
        "gcr.io/$PROJECT_ID/runner:latest",
        "-t",
        "gcr.io/$PROJECT_ID/runner:0.1",
        ".",
      ]
images:
  - "gcr.io/$PROJECT_ID/runner"
================================================
FILE: examples/gh-runner-mig-container-vm-dind/entrypoint.sh
================================================
#!/bin/bash
# Copyright 2020 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# remove the runner from the repository when a stop signal arrives
remove_runner() {
  /runner/config.sh remove --unattended --token "$(curl -sS --request POST --url "https://api.github.com/repos/${REPO_OWNER}/${REPO_NAME}/actions/runners/remove-token" --header "authorization: Bearer ${GITHUB_TOKEN}" --header "content-type: application/json" | jq -r .token)"
  exit 0
}
# trap SIGTERM and SIGINT so a container stop deregisters the runner
trap 'remove_runner' SIGTERM
trap 'remove_runner' SIGINT
# shellcheck disable=SC2034
# ACTIONS_RUNNER_INPUT_NAME is read by config.sh
# set the name for this runner to the hostname
ACTIONS_RUNNER_INPUT_NAME=$HOSTNAME
# get a registration token for this runner
ACTIONS_RUNNER_INPUT_TOKEN="$(curl -sS --request POST --url "https://api.github.com/repos/${REPO_OWNER}/${REPO_NAME}/actions/runners/registration-token" --header "authorization: Bearer ${GITHUB_TOKEN}" --header 'content-type: application/json' | jq -r .token)"
# a failed API call (bad token, missing permission) yields an empty or "null" token;
# stop here rather than configuring a runner that cannot register
if [ -z "$ACTIONS_RUNNER_INPUT_TOKEN" ] || [ "$ACTIONS_RUNNER_INPUT_TOKEN" = "null" ]; then
  echo "failed to obtain a registration token for ${REPO_OWNER}/${REPO_NAME}" >&2
  exit 1
fi
# configure runner
/runner/config.sh --unattended --replace --work "/tmp" --url "$ACTIONS_RUNNER_INPUT_URL" --token "$ACTIONS_RUNNER_INPUT_TOKEN"
# start the runner in the background and wait on it so the traps above can fire
# https://github.com/actions/runner/issues/246#issuecomment-615293718
/runner/bin/runsvc.sh & wait $!
================================================
FILE: examples/gh-runner-mig-container-vm-dind/main.tf
================================================
/**
* Copyright 2020 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
module "runner-mig-dind" {
source = "terraform-google-modules/github-actions-runners/google//modules/gh-runner-mig-container-vm"
version = "~> 5.0"
create_network = true
project_id = var.project_id
image = var.image
repo_name = var.repo_name
repo_url = var.repo_url
repo_owner = var.repo_owner
gh_token = var.gh_token
dind = true
}
================================================
FILE: examples/gh-runner-mig-container-vm-dind/outputs.tf
================================================
/**
* Copyright 2020 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
output "mig_instance_group" {
description = "The instance group url of the created MIG"
value = module.runner-mig-dind.mig_instance_group
}
output "mig_name" {
description = "The name of the MIG"
value = module.runner-mig-dind.mig_name
}
================================================
FILE: examples/gh-runner-mig-container-vm-dind/variables.tf
================================================
/**
* Copyright 2020 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
variable "project_id" {
type = string
description = "The project id to deploy Github Runner MIG"
}
variable "image" {
type = string
description = "The github runner image"
}
variable "repo_url" {
type = string
description = "Repo URL for the Github Action"
}
variable "repo_name" {
type = string
description = "Name of the repo for the Github Action"
}
variable "repo_owner" {
type = string
description = "Owner of the repo for the Github Action"
}
variable "gh_token" {
type = string
description = "Github token that is used for generating Self Hosted Runner Token"
}
================================================
FILE: examples/gh-runner-mig-container-vm-dind/versions.tf
================================================
/**
* Copyright 2021 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
terraform {
required_providers {
google = {
source = "hashicorp/google"
}
google-beta = {
source = "hashicorp/google-beta"
}
}
required_version = ">= 0.13"
}
================================================
FILE: examples/gh-runner-mig-container-vm-simple/.dockerignore
================================================
.terraform
*.tf*
*.tfvars
================================================
FILE: examples/gh-runner-mig-container-vm-simple/.gcloudignore
================================================
.terraform
*.tfstate
*.tf
*.out
================================================
FILE: examples/gh-runner-mig-container-vm-simple/Dockerfile
================================================
# Copyright 2020 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Download the runner release tarball (note: no checksum verification is performed here)
FROM ubuntu:24.04
RUN apt-get update && \
apt-get -y install curl \
iputils-ping \
tar \
jq
ARG GH_RUNNER_VERSION="2.169.0"
WORKDIR /runner
RUN curl -o actions.tar.gz --location "https://github.com/actions/runner/releases/download/v${GH_RUNNER_VERSION}/actions-runner-linux-x64-${GH_RUNNER_VERSION}.tar.gz" && \
tar -zxf actions.tar.gz && \
rm -f actions.tar.gz && \
./bin/installdependencies.sh
COPY entrypoint.sh .
RUN chmod +x entrypoint.sh
RUN useradd ghrunner && chown -R ghrunner: /runner
USER ghrunner
ENTRYPOINT ["/runner/entrypoint.sh"]
================================================
FILE: examples/gh-runner-mig-container-vm-simple/README.md
================================================
# Example Runners on MIG Container VM
## Overview
This example shows how to deploy a runner on a GCE Container VM.
## Steps to deploy this example
- Step 1: Build the example runner image using Google Cloud Build. Alternatively, you can also use a prebuilt image or build using a local docker daemon.
```sh
$ gcloud config set project $PROJECT_ID
$ gcloud services enable containerregistry.googleapis.com cloudbuild.googleapis.com
$ gcloud builds submit --config=cloudbuild.yaml
```
- Step 2: Create terraform.tfvars file with the necessary values.
Access tokens require repo scope for private repos and public_repo scope for public repos. GitHub Apps must have the administration permission to use this API. Authenticated users must have admin access to the repository to use this API.
More info can be found [here](https://developer.github.com/v3/actions/self_hosted_runners/).
```tf
project_id = "your-project-id"
image = "your-image-registry/image:tag"
gh_token = "your-github-token"
repo_url = "https://github.com/owner/your-repo-name"
repo_name = "your-repo-name"
repo_owner = "owner"
```
- Step 3: Create the infrastructure.
```sh
$ terraform init
$ terraform plan
$ terraform apply
```
- Step 4: Your runners should become active at https://github.com/owner/your-repo-name/settings/actions.
<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
## Inputs
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| gh\_token | Github token that is used for generating Self Hosted Runner Token | `string` | n/a | yes |
| image | The github runner image | `string` | n/a | yes |
| project\_id | The project id to deploy Github Runner MIG | `string` | n/a | yes |
| repo\_name | Name of the repo for the Github Action | `string` | n/a | yes |
| repo\_owner | Owner of the repo for the Github Action | `string` | n/a | yes |
| repo\_url | Repo URL for the Github Action | `string` | n/a | yes |
## Outputs
| Name | Description |
|------|-------------|
| mig\_instance\_group | The instance group url of the created MIG |
| mig\_instance\_template | The name of the MIG Instance Template |
| mig\_name | The name of the MIG |
| service\_account | Service account email for GCE |
<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
================================================
FILE: examples/gh-runner-mig-container-vm-simple/cloudbuild.yaml
================================================
# Copyright 2020 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
steps:
- name: "gcr.io/cloud-builders/docker"
args:
[
"build",
"-t",
"gcr.io/$PROJECT_ID/runner:latest",
"-t",
"gcr.io/$PROJECT_ID/runner:0.1",
".",
]
images:
- "gcr.io/$PROJECT_ID/runner"
================================================
FILE: examples/gh-runner-mig-container-vm-simple/entrypoint.sh
================================================
#!/bin/bash
# Copyright 2020 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#remove runner on stop signal
remove_runner() {
/runner/config.sh remove --unattended --token "$(curl -sS --request POST --url "https://api.github.com/repos/${REPO_OWNER}/${REPO_NAME}/actions/runners/remove-token" --header "authorization: Bearer ${GITHUB_TOKEN}" --header "content-type: application/json" | jq -r .token)"
exit 0
}
#Trap SIGTERM
trap 'remove_runner' SIGTERM
#Trap SIGINT
trap 'remove_runner' SIGINT
#set name for this runner as the hostname
# shellcheck disable=SC2034
# ACTIONS_RUNNER_INPUT_NAME is used by config.sh
ACTIONS_RUNNER_INPUT_NAME=$HOSTNAME
#get registration token for this runner
ACTIONS_RUNNER_INPUT_TOKEN="$(curl -sS --request POST --url "https://api.github.com/repos/${REPO_OWNER}/${REPO_NAME}/actions/runners/registration-token" --header "authorization: Bearer ${GITHUB_TOKEN}" --header 'content-type: application/json' | jq -r .token)"
#configure runner
/runner/config.sh --unattended --work "/tmp" --url "$ACTIONS_RUNNER_INPUT_URL" --token "$ACTIONS_RUNNER_INPUT_TOKEN"
#start runner
#https://github.com/actions/runner/issues/246#issuecomment-615293718
/runner/bin/runsvc.sh & wait $!
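An added example, serving both entrypoint.sh copies above (dind and simple); it is not code from this repository. The inline `curl ... | jq -r .token` prints the literal string `null` when the API answers with an error body (for example `{"message":"Bad credentials"}`), and the script then passes that to config.sh; the helpers below fail instead. The function names `require_env`, `extract_token` and `github_runner_token` are assumptions; the environment variables are the ones the entrypoint already uses.

```shell
#!/bin/bash
# Added example; not code from the terraform-google-github-actions-runners
# repository. Hardened token handling for the entrypoint.sh scripts above.
# Assumes the same environment the entrypoint uses: REPO_OWNER, REPO_NAME and
# GITHUB_TOKEN set, curl on PATH, jq optional (a sed fallback is provided).

# Fail early if any named environment variable is unset or empty.
# Only the variable name is written to stderr, never its value.
require_env() {
  for name in "$@"; do
    eval "value=\${$name:-}"
    if [ -z "$value" ]; then
      echo "missing required environment variable: $name" >&2
      return 1
    fi
  done
  return 0
}

# Extract ".token" from a GitHub API response body and validate it.
# The original scripts pipe the body through `jq -r .token`, which prints the
# literal string "null" for an error response and hands it to config.sh.
# This returns 1 instead whenever the body has no usable token, so the caller
# can stop before touching config.sh.
extract_token() {
  body="$1"
  if command -v jq >/dev/null 2>&1; then
    token=$(printf '%s' "$body" | jq -r '.token // empty' 2>/dev/null) || return 1
  else
    # Fallback without jq: matches only a quoted string value for "token".
    token=$(printf '%s' "$body" \
      | sed -n 's/.*"token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p')
  fi
  [ -n "$token" ] || return 1
  # Runner tokens are short alphanumeric strings; reject anything else so an
  # unexpected body cannot pass shell-significant characters downstream.
  case "$token" in
    *[!A-Za-z0-9_-]*) return 1 ;;
  esac
  printf '%s\n' "$token"
}

# Request a registration-token or remove-token for the repository, using
# --fail so an HTTP error status never yields a body that looks like success.
# Not exercised by the test: it needs network access and a real GITHUB_TOKEN.
github_runner_token() {
  kind="$1"   # "registration-token" or "remove-token"
  require_env REPO_OWNER REPO_NAME GITHUB_TOKEN || return 1
  body=$(curl -sS --fail --request POST \
    --url "https://api.github.com/repos/${REPO_OWNER}/${REPO_NAME}/actions/runners/${kind}" \
    --header "authorization: Bearer ${GITHUB_TOKEN}" \
    --header "content-type: application/json") || {
    echo "GitHub API request for ${kind} failed" >&2
    return 1
  }
  extract_token "$body"
}

# How the entrypoint would use it (kept as a comment so this file is safe to
# source; ACTIONS_RUNNER_INPUT_URL is the variable the entrypoint already reads):
#   token=$(github_runner_token registration-token) || exit 1
#   /runner/config.sh --unattended --replace --work /tmp \
#     --url "$ACTIONS_RUNNER_INPUT_URL" --token "$token"
```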
================================================
FILE: examples/gh-runner-mig-container-vm-simple/main.tf
================================================
/**
* Copyright 2020 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
module "runner-mig" {
source = "terraform-google-modules/github-actions-runners/google//modules/gh-runner-mig-container-vm"
version = "~> 5.0"
create_network = true
project_id = var.project_id
image = var.image
repo_name = var.repo_name
repo_owner = var.repo_owner
repo_url = var.repo_url
gh_token = var.gh_token
}
================================================
FILE: examples/gh-runner-mig-container-vm-simple/outputs.tf
================================================
/**
* Copyright 2020 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
output "mig_instance_group" {
description = "The instance group url of the created MIG"
value = module.runner-mig.mig_instance_group
}
output "mig_name" {
description = "The name of the MIG"
value = module.runner-mig.mig_name
}
output "service_account" {
description = "Service account email for GCE"
value = module.runner-mig.service_account
}
output "mig_instance_template" {
description = "The name of the MIG Instance Template"
value = module.runner-mig.mig_instance_template
}
================================================
FILE: examples/gh-runner-mig-container-vm-simple/variables.tf
================================================
/**
* Copyright 2020 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
variable "project_id" {
type = string
description = "The project id to deploy Github Runner MIG"
}
variable "image" {
type = string
description = "The github runner image"
}
variable "repo_url" {
type = string
description = "Repo URL for the Github Action"
}
variable "repo_name" {
type = string
description = "Name of the repo for the Github Action"
}
variable "repo_owner" {
type = string
description = "Owner of the repo for the Github Action"
}
variable "gh_token" {
type = string
description = "Github token that is used for generating Self Hosted Runner Token"
}
================================================
FILE: examples/gh-runner-mig-container-vm-simple/versions.tf
================================================
/**
* Copyright 2021 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
terraform {
required_providers {
google = {
source = "hashicorp/google"
}
google-beta = {
source = "hashicorp/google-beta"
}
}
required_version = ">= 0.13"
}
================================================
FILE: examples/gh-runner-mig-native-packer/.gcloudignore
================================================
.terraform
*.tfstate
*.tf
*.out
================================================
FILE: examples/gh-runner-mig-native-packer/README.md
================================================
# Example Runners that support Docker Workflows
## Overview
This example showcases how to use Packer to pre-bake a Google VM Image with the necessary toolchain including Github Actions Runner and deploy this image using the `gh-runner-mig` module.
We use startup/shutdown scripts to register the runner when it comes online and de-register when it is shut down.
In this example, Packer creates a VM image that has the following:
- curl
- jq
- Docker
- Github Actions Runner
## Steps to deploy this example
- Step 1: Enable the APIs necessary to build a GCE VM image using Packer and Google Cloud Build.
```sh
$ gcloud config set project $PROJECT_ID
$ gcloud services enable compute.googleapis.com cloudbuild.googleapis.com
```
- Step 2: Give Cloud Build Service Account necessary permissions to create a new GCE VM Image using Packer.
```sh
$ CLOUD_BUILD_ACCOUNT=$(gcloud projects get-iam-policy $PROJECT_ID --filter="(bindings.role:roles/cloudbuild.builds.builder)" --flatten="bindings[].members" --format="value(bindings.members[])")
$ gcloud projects add-iam-policy-binding $PROJECT_ID --member $CLOUD_BUILD_ACCOUNT --role roles/compute.instanceAdmin.v1
$ gcloud projects add-iam-policy-binding $PROJECT_ID --member $CLOUD_BUILD_ACCOUNT --role roles/iam.serviceAccountUser
```
- Step 3: Build GCE VM image. When the build finishes, the image id of the form `gh-actions-image-*` will be displayed. We will use this in the tfvars we create in step 4.
```sh
$ gcloud builds submit --config=cloudbuild.yaml
```
- Step 4: Create terraform.tfvars file with the necessary values.
Access tokens require repo scope for private repos and public_repo scope for public repos. GitHub Apps must have the administration permission to use this API. Authenticated users must have admin access to the repository to use this API.
More info can be found [here](https://developer.github.com/v3/actions/self_hosted_runners/).
```tf
project_id = "your-project-id"
source_image = "image-id-from-step-3"
gh_token = "your-github-token"
repo_url = "https://github.com/owner/your-repo-name"
repo_name = "your-repo-name"
repo_owner = "owner"
```
- Step 5: Create the infrastructure
```sh
$ terraform init
$ terraform plan
$ terraform apply
```
- Step 6: Your runners should become active at https://github.com/owner/your-repo-name/settings/actions.
<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
## Inputs
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| gh\_token | Github token that is used for generating Self Hosted Runner Token | `string` | n/a | yes |
| project\_id | The project id to deploy Github Runner MIG | `string` | n/a | yes |
| repo\_name | Name of the repo for the Github Action | `string` | n/a | yes |
| repo\_owner | Owner of the repo for the Github Action | `string` | n/a | yes |
| source\_image | Source disk image | `string` | n/a | yes |
| source\_image\_project | Project where the source image comes from | `string` | `null` | no |
## Outputs
| Name | Description |
|------|-------------|
| mig\_instance\_group | The instance group url of the created MIG |
| mig\_instance\_template | The name of the MIG Instance Template |
| mig\_name | The name of the MIG |
| service\_account | Service account email for GCE |
<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
================================================
FILE: examples/gh-runner-mig-native-packer/cloudbuild.yaml
================================================
# Copyright 2020 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
steps:
- name: "hashicorp/packer:1.14.1"
args:
- build
- -var
- project_id=$PROJECT_ID
- packer.json
================================================
FILE: examples/gh-runner-mig-native-packer/main.tf
================================================
/**
* Copyright 2020 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
module "runner-mig" {
source = "terraform-google-modules/github-actions-runners/google//modules/gh-runner-mig-vm"
version = "~> 5.0"
create_network = true
project_id = var.project_id
repo_name = var.repo_name
repo_owner = var.repo_owner
gh_token = var.gh_token
startup_script = file("${path.cwd}/startup.sh")
shutdown_script = file("${path.cwd}/shutdown.sh")
source_image_project = var.source_image_project != null ? var.source_image_project : var.project_id
source_image = var.source_image
}
================================================
FILE: examples/gh-runner-mig-native-packer/outputs.tf
================================================
/**
* Copyright 2020 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
output "mig_instance_group" {
description = "The instance group url of the created MIG"
value = module.runner-mig.mig_instance_group
}
output "mig_name" {
description = "The name of the MIG"
value = module.runner-mig.mig_name
}
output "service_account" {
description = "Service account email for GCE"
value = module.runner-mig.service_account
}
output "mig_instance_template" {
description = "The name of the MIG Instance Template"
value = module.runner-mig.mig_instance_template
}
================================================
FILE: examples/gh-runner-mig-native-packer/packer.json
================================================
{
"variables": {
"source_image_family": "ubuntu-1804-lts",
"source_image_project_id": "ubuntu-os-cloud",
"machine_type": "n1-standard-4",
"disk_size": "50",
"disk_type": "pd-ssd",
"image_name": "gh-actions-image-{{timestamp}}",
"image_family": "gh-actions-image",
"ssh_username": "ubuntu",
"region": "us-central1",
"zone": "us-central1-a",
"project_id": "{{env `PACKER_PROJECT_ID`}}",
"gh_runner_version": "2.168.0"
},
"builders": [
{
"type": "googlecompute",
"project_id": "{{user `project_id`}}",
"source_image_family": "{{user `source_image_family`}}",
"source_image_project_id": "{{user `source_image_project_id`}}",
"zone": "{{user `zone`}}",
"machine_type": "{{user `machine_type`}}",
"disk_size": "{{user `disk_size`}}",
"ssh_username": "{{user `ssh_username`}}",
"image_name": "{{user `image_name`}}",
"image_family": "{{user `image_family`}}",
"disable_default_service_account": false,
"metadata": {
"enable-oslogin": "true",
"new_nodes_topic": "new-instances-0001"
}
}
],
"provisioners": [
{
"type": "shell",
"environment_vars": ["DEBIAN_FRONTEND=noninteractive"],
"inline": [
"apt-get update",
"apt-get dist-upgrade -y",
"apt-get install -y apt-transport-https ca-certificates curl tar jq build-essential gnupg2 software-properties-common",
"curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -",
"add-apt-repository \"deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable\"",
"apt-get update",
"apt-get install -y docker-ce",
"usermod -aG docker ubuntu"
],
"execute_command": "sudo -S sh -c '{{ .Vars }} {{ .Path }}'"
},
{
"type": "shell",
"environment_vars": ["DEBIAN_FRONTEND=noninteractive"],
"inline": [
"curl -o actions.tar.gz --location \"https://github.com/actions/runner/releases/download/v{{user `gh_runner_version`}}/actions-runner-linux-x64-{{user `gh_runner_version`}}.tar.gz\"",
"mkdir /runner",
"mkdir /runner-tmp",
"tar -zxf actions.tar.gz --directory /runner",
"rm -f actions.tar.gz",
"/runner/bin/installdependencies.sh"
],
"execute_command": "sudo -S sh -c '{{ .Vars }} {{ .Path }}'"
}
]
}
================================================
FILE: examples/gh-runner-mig-native-packer/shutdown.sh
================================================
#!/bin/bash
# Copyright 2020 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
secretUri=$(curl -sS "http://metadata.google.internal/computeMetadata/v1/instance/attributes/secret-id" -H "Metadata-Flavor: Google")
#secrets URI is of the form projects/$PROJECT_NUMBER/secrets/$SECRET_NAME/versions/$SECRET_VERSION
#split into array based on `/` delimiter
IFS="/" read -r -a secretsConfig <<< "$secretUri"
#get SECRET_NAME and SECRET_VERSION
SECRET_NAME=${secretsConfig[3]}
SECRET_VERSION=${secretsConfig[5]}
#access secret from secretsmanager
secrets=$(gcloud secrets versions access "$SECRET_VERSION" --secret="$SECRET_NAME")
#set secrets as env vars
# shellcheck disable=SC2046
# we want to use wordsplitting
export $(echo "$secrets" | jq -r "to_entries|map(\"\(.key)=\(.value|tostring)\")|.[]")
#stop and uninstall the runner service
cd /runner || exit
./svc.sh stop
./svc.sh uninstall
#remove the runner configuration
RUNNER_ALLOW_RUNASROOT=1 /runner/config.sh remove --unattended --token "$(curl -sS --request POST --url "https://api.github.com/repos/${REPO_OWNER}/${REPO_NAME}/actions/runners/remove-token" --header "authorization: Bearer ${GITHUB_TOKEN}" --header "content-type: application/json" | jq -r .token)"
================================================
FILE: examples/gh-runner-mig-native-packer/startup.sh
================================================
#!/bin/bash
# Copyright 2020 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
secretUri=$(curl -sS "http://metadata.google.internal/computeMetadata/v1/instance/attributes/secret-id" -H "Metadata-Flavor: Google")
#secrets URI is of the form projects/$PROJECT_NUMBER/secrets/$SECRET_NAME/versions/$SECRET_VERSION
#split into array based on `/` delimiter
IFS="/" read -r -a secretsConfig <<< "$secretUri"
#get SECRET_NAME and SECRET_VERSION
SECRET_NAME=${secretsConfig[3]}
SECRET_VERSION=${secretsConfig[5]}
#access secret from secretsmanager
secrets=$(gcloud secrets versions access "$SECRET_VERSION" --secret="$SECRET_NAME")
#set secrets as env vars
# shellcheck disable=SC2046
# we want to use wordsplitting
export $(echo "$secrets" | jq -r "to_entries|map(\"\(.key)=\(.value|tostring)\")|.[]")
#get actions token
# shellcheck disable=SC2034
# ACTIONS_RUNNER_INPUT_NAME is used by config.sh
ACTIONS_RUNNER_INPUT_NAME=$HOSTNAME
ACTIONS_RUNNER_INPUT_TOKEN="$(curl -sS --request POST --url "https://api.github.com/repos/${REPO_OWNER}/${REPO_NAME}/actions/runners/registration-token" --header "authorization: Bearer ${GITHUB_TOKEN}" --header 'content-type: application/json' | jq -r .token)"
#configure runner
RUNNER_ALLOW_RUNASROOT=1 /runner/config.sh --unattended --replace --work "/runner-tmp" --url "$REPO_URL" --token "$ACTIONS_RUNNER_INPUT_TOKEN"
#install and start runner service
cd /runner || exit
./svc.sh install
./svc.sh start
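An added example for the secret-handling steps shared by startup.sh and shutdown.sh above; it is not code from this repository. Both scripts index the `/`-split resource name blindly and export the secret JSON through `export $(...)`, which depends on word splitting; the helpers below validate the resource name first and export each key without splitting values. The names `parse_secret_uri`, `export_secret_env` and `load_runner_secrets` are assumptions; the `secret-id` metadata attribute and the JSON-object payload are what the scripts already use.

```shell
#!/bin/bash
# Added example; not code from the terraform-google-github-actions-runners
# repository. Hardened secret handling for the startup.sh/shutdown.sh pair
# above. Assumes the same inputs those scripts use: the instance metadata
# attribute "secret-id" holding a Secret Manager version resource name, and a
# JSON-object payload such as {"GITHUB_TOKEN":"...","REPO_OWNER":"..."}.

# Validate a resource name of the form
#   projects/<project>/secrets/<name>/versions/<version>
# and print "<name> <version>". The original scripts index the split fields
# blindly, so a missing or malformed attribute only surfaces as a confusing
# gcloud error; here it fails immediately with a non-zero status.
parse_secret_uri() {
  uri="$1"
  case "$uri" in
    projects/*/secrets/*/versions/*) ;;
    *) echo "unexpected secret resource name" >&2; return 1 ;;
  esac
  rest=${uri#projects/}
  project=${rest%%/*}; rest=${rest#*/}
  case "$rest" in secrets/*) ;; *) return 1 ;; esac
  rest=${rest#secrets/}
  name=${rest%%/*}; rest=${rest#*/}
  case "$rest" in versions/*) ;; *) return 1 ;; esac
  version=${rest#versions/}
  # project and secret name: non-empty, no unexpected characters;
  # version: a number or "latest".
  case "$project" in ""|*[!A-Za-z0-9_-]*) return 1 ;; esac
  case "$name" in ""|*[!A-Za-z0-9_-]*) return 1 ;; esac
  case "$version" in latest) ;; ""|*[!0-9]*) return 1 ;; esac
  printf '%s %s\n' "$name" "$version"
}

# Export every top-level key of the secret payload as an environment variable.
# The original `export $(... | jq ...)` relies on word splitting, so a value
# with whitespace is broken into pieces and an odd key can set an unintended
# variable. Here jq keeps only keys that are valid variable names and
# single-quotes each value with @sh, so values round-trip intact.
# Requires jq; returns 1 when the payload is not a JSON object.
export_secret_env() {
  payload="$1"
  assignments=$(printf '%s' "$payload" | jq -r '
      to_entries[]
      | select(.key | test("^[A-Za-z_][A-Za-z0-9_]*$"))
      | "export \(.key)=\(.value | tostring | @sh)"') || return 1
  eval "$assignments"
}

# The full flow the startup/shutdown scripts perform, with each step checked.
# Not exercised by the test: it needs the GCE metadata server and gcloud.
load_runner_secrets() {
  uri=$(curl -sS --fail -H "Metadata-Flavor: Google" \
    "http://metadata.google.internal/computeMetadata/v1/instance/attributes/secret-id") \
    || return 1
  parsed=$(parse_secret_uri "$uri") || return 1
  secret_name=${parsed% *}
  secret_version=${parsed#* }
  payload=$(gcloud secrets versions access "$secret_version" --secret="$secret_name") \
    || return 1
  export_secret_env "$payload"
}
```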
================================================
FILE: examples/gh-runner-mig-native-packer/variables.tf
================================================
/**
* Copyright 2020 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
variable "project_id" {
type = string
description = "The project id to deploy Github Runner MIG"
}
variable "repo_name" {
type = string
description = "Name of the repo for the Github Action"
}
variable "repo_owner" {
type = string
description = "Owner of the repo for the Github Action"
}
variable "gh_token" {
type = string
description = "Github token that is used for generating Self Hosted Runner Token"
}
variable "source_image_project" {
type = string
description = "Project where the source image comes from"
default = null
}
variable "source_image" {
type = string
description = "Source disk image"
}
================================================
FILE: examples/gh-runner-mig-native-packer/versions.tf
================================================
/**
* Copyright 2020 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
terraform {
required_providers {
google = {
source = "hashicorp/google"
}
google-beta = {
source = "hashicorp/google-beta"
}
}
required_version = ">= 0.13"
}
================================================
FILE: examples/gh-runner-mig-native-simple/README.md
================================================
# Example Runners that support Docker Workflows
## Overview
This example showcases how to use startup scripts to deploy runners using the `gh-runner-mig` module.
We use startup/shutdown scripts to install the runner binary, register the runner when it comes online and de-register when shut down.
## Steps to deploy this example
- Step 1: Create terraform.tfvars file with the necessary values.
Access tokens require repo scope for private repos and public_repo scope for public repos. GitHub Apps must have the administration permission to use this API. Authenticated users must have admin access to the repository to use this API.
More info can be found [here](https://developer.github.com/v3/actions/self_hosted_runners/).
```sh
project_id = "your-project-id"
gh_token = "your-github-token"
repo_name = "your-repo-name"
repo_owner = "owner"
```
- Step 2: Create the infrastructure
```sh
$ terraform init
$ terraform plan
$ terraform apply
```
- Step 3: Your runners should become active at https://github.com/owner/your-repo-name/settings/actions.
<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
## Inputs
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| gh\_token | Github token that is used for generating Self Hosted Runner Token | `string` | n/a | yes |
| project\_id | The project id to deploy Github Runner MIG | `string` | n/a | yes |
| repo\_name | Name of the repo for the Github Action | `string` | n/a | yes |
| repo\_owner | Owner of the repo for the Github Action | `string` | n/a | yes |
## Outputs
| Name | Description |
|------|-------------|
| mig\_instance\_group | The instance group url of the created MIG |
| mig\_instance\_template | The name of the MIG Instance Template |
| mig\_name | The name of the MIG |
| service\_account | Service account email for GCE |
<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
================================================
FILE: examples/gh-runner-mig-native-simple/main.tf
================================================
/**
* Copyright 2019 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
module "runner-mig" {
source = "terraform-google-modules/github-actions-runners/google//modules/gh-runner-mig-vm"
version = "~> 5.0"
create_network = true
project_id = var.project_id
repo_name = var.repo_name
repo_owner = var.repo_owner
gh_token = var.gh_token
}
================================================
FILE: examples/gh-runner-mig-native-simple/outputs.tf
================================================
/**
* Copyright 2020 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
output "mig_instance_group" {
description = "The instance group url of the created MIG"
value = module.runner-mig.mig_instance_group
}
output "mig_name" {
description = "The name of the MIG"
value = module.runner-mig.mig_name
}
output "service_account" {
description = "Service account email for GCE"
value = module.runner-mig.service_account
}
output "mig_instance_template" {
description = "The name of the MIG Instance Template"
value = module.runner-mig.mig_instance_template
}
================================================
FILE: examples/gh-runner-mig-native-simple/variables.tf
================================================
/**
* Copyright 2019 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
variable "project_id" {
type = string
description = "The project id to deploy Github Runner MIG"
}
variable "repo_name" {
type = string
description = "Name of the repo for the Github Action"
}
variable "repo_owner" {
type = string
description = "Owner of the repo for the Github Action"
}
variable "gh_token" {
type = string
description = "Github token that is used for generating Self Hosted Runner Token"
}
================================================
FILE: examples/gh-runner-mig-native-simple/versions.tf
================================================
/**
* Copyright 2021 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
terraform {
required_providers {
google = {
source = "hashicorp/google"
}
google-beta = {
source = "hashicorp/google-beta"
}
}
required_version = ">= 0.13"
}
================================================
FILE: examples/oidc-simple/README.md
================================================
# OIDC Simple Example
## Overview
This example showcases how to configure [Workload Identity Federation](https://cloud.google.com/iam/docs/workload-identity-federation) using the [gh-oidc module](../../modules/gh-oidc/README.md) for a sample Service Account.
<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
## Inputs
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| project\_id | The project id to create WIF pool and example SA | `string` | n/a | yes |
## Outputs
| Name | Description |
|------|-------------|
| pool\_name | Pool name |
| provider\_name | Provider name |
| sa\_email | Example SA email |
<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
================================================
FILE: examples/oidc-simple/main.tf
================================================
/**
* Copyright 2021 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
resource "google_service_account" "sa" {
project = var.project_id
account_id = "test-storage-sa"
}
resource "google_project_iam_member" "project" {
project = var.project_id
role = "roles/storage.admin"
member = "serviceAccount:${google_service_account.sa.email}"
}
module "oidc" {
source = "terraform-google-modules/github-actions-runners/google//modules/gh-oidc"
version = "~> 5.0"
project_id = var.project_id
pool_id = "example-pool"
provider_id = "example-gh-provider"
attribute_condition = "assertion.repository_owner_id=='1342004'"
sa_mapping = {
(google_service_account.sa.account_id) = {
sa_name = google_service_account.sa.name
attribute = "attribute.repository/user/repo"
}
}
}
================================================
FILE: examples/oidc-simple/outputs.tf
================================================
/**
* Copyright 2021 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
output "pool_name" {
description = "Pool name"
value = module.oidc.pool_name
}
output "provider_name" {
description = "Provider name"
value = module.oidc.provider_name
}
output "sa_email" {
description = "Example SA email"
value = google_service_account.sa.email
}
================================================
FILE: examples/oidc-simple/variables.tf
================================================
/**
* Copyright 2021 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
variable "project_id" {
type = string
description = "The project id to create WIF pool and example SA"
}
================================================
FILE: examples/oidc-simple/versions.tf
================================================
/**
* Copyright 2021 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
terraform {
required_providers {
google = {
source = "hashicorp/google"
}
google-beta = {
source = "hashicorp/google-beta"
}
}
required_version = ">= 0.13"
}
================================================
FILE: metadata.yaml
================================================
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: blueprints.cloud.google.com/v1alpha1
kind: BlueprintMetadata
metadata:
name: terraform-google-github-actions-runners
annotations:
config.kubernetes.io/local-config: "true"
spec:
title: terraform-google-github-actions-runners
source:
repo: https://github.com/terraform-google-modules/terraform-google-github-actions-runners
sourceType: git
subBlueprints:
- name: gh-oidc
location: modules/gh-oidc
- name: gh-runner-gke
location: modules/gh-runner-gke
- name: gh-runner-mig-container-vm
location: modules/gh-runner-mig-container-vm
- name: gh-runner-mig-vm
location: modules/gh-runner-mig-vm
examples:
- name: gh-org-runner-mig-native-simple
location: examples/gh-org-runner-mig-native-simple
- name: gh-runner-gke-dind
location: examples/gh-runner-gke-dind
- name: gh-runner-gke-simple
location: examples/gh-runner-gke-simple
- name: gh-runner-mig-container-vm-dind
location: examples/gh-runner-mig-container-vm-dind
- name: gh-runner-mig-container-vm-simple
location: examples/gh-runner-mig-container-vm-simple
- name: gh-runner-mig-native-packer
location: examples/gh-runner-mig-native-packer
- name: gh-runner-mig-native-simple
location: examples/gh-runner-mig-native-simple
- name: oidc-simple
location: examples/oidc-simple
roles:
- level: Project
roles:
- roles/owner
services:
- cloudresourcemanager.googleapis.com
- storage-api.googleapis.com
- iam.googleapis.com
- container.googleapis.com
- serviceusage.googleapis.com
================================================
FILE: modules/gh-oidc/README.md
================================================
## GitHub OIDC
This module handles the opinionated creation of infrastructure necessary to configure [Workload Identity pools](https://cloud.google.com/iam/docs/workload-identity-federation#pools) and [providers](https://cloud.google.com/iam/docs/workload-identity-federation#providers) for authenticating to GCP using GitHub Actions OIDC tokens.
This includes:
- Creation of a Workload Identity pool
- Configuring a Workload Identity provider
- Granting external identities necessary IAM roles on Service Accounts
### Example Usage
```terraform
module "gh_oidc" {
source = "terraform-google-modules/github-actions-runners/google//modules/gh-oidc"
project_id = var.project_id
pool_id = "example-pool"
provider_id = "example-gh-provider"
sa_mapping = {
"foo-service-account" = {
sa_name = "projects/my-project/serviceAccounts/foo-service-account@my-project.iam.gserviceaccount.com"
attribute = "attribute.repository/<USER_OR_ORG>/<REPO>" # replace the placeholders; "*" would grant every identity in the pool
}
}
}
```
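Which GitHub tokens land in the `principalSet` that an `sa_mapping` entry grants is decided by the provider's `attribute_mapping` and `attribute_condition`; the Python below is an added example (not part of the module) that simulates that decision offline for constructed GitHub OIDC claims, showing why `attribute = "*"` admits every repository the provider trusts and why an `attribute_condition` such as the `repository_owner_id` check in the oidc-simple example is what confines the pool to your own organization. It supports only the `assertion.<claim>`, string-literal, `==`, `!=` and `&&` subset of CEL, and every claim value, owner id and service-account name in it is made up.

```python
"""Offline simulation of Workload Identity Federation matching for the
gh-oidc module: attribute_mapping -> principalSet membership -> sa_mapping.
Added example, not module code.  Only a small CEL subset is supported."""

import re
from typing import Dict, List, Optional

# The module's default attribute_mapping (see variables.tf).
DEFAULT_ATTRIBUTE_MAPPING = {
    "google.subject": "assertion.sub",
    "attribute.actor": "assertion.actor",
    "attribute.aud": "assertion.aud",
    "attribute.repository": "assertion.repository",
}

# Constructed claims, shaped like a GitHub Actions ID token payload.
SAMPLE_CLAIMS = {
    "sub": "repo:user/repo:ref:refs/heads/main",
    "aud": "https://iam.googleapis.com/projects/000000/locations/global/"
           "workloadIdentityPools/example-pool/providers/example-gh-provider",
    "actor": "octocat",
    "repository": "user/repo",
    "repository_owner_id": "1342004",
    "ref": "refs/heads/main",
}
# A token minted for a repository in some other organization (constructed).
OTHER_REPO_CLAIMS = {**SAMPLE_CLAIMS,
                     "sub": "repo:someone-else/fork:ref:refs/heads/main",
                     "repository": "someone-else/fork",
                     "repository_owner_id": "999999"}

# Hypothetical sa_mapping: one repo-scoped binding and one wildcard binding.
FOO_SA = "projects/my-project/serviceAccounts/foo-service-account@my-project.iam.gserviceaccount.com"
ANY_SA = "projects/my-project/serviceAccounts/anyone-in-pool@my-project.iam.gserviceaccount.com"
SA_MAPPING = {
    "foo-service-account": {"sa_name": FOO_SA, "attribute": "attribute.repository/user/repo"},
    "anyone-in-pool": {"sa_name": ANY_SA, "attribute": "*"},
}
OWNER_CONDITION = "assertion.repository_owner_id=='1342004'"

_OPERAND = r"(assertion\.[A-Za-z_]\w*|'[^']*'|\"[^\"]*\")"
_TERM = re.compile(rf"^\s*{_OPERAND}\s*(==|!=)\s*{_OPERAND}\s*$")


def _resolve(expr: str, claims: Dict[str, str]) -> Optional[str]:
    """Resolve `assertion.<claim>` (None if the claim is absent) or a quoted literal."""
    expr = expr.strip()
    if expr.startswith("assertion."):
        return claims.get(expr[len("assertion."):])
    if len(expr) >= 2 and expr[0] == expr[-1] and expr[0] in "'\"":
        return expr[1:-1]
    raise ValueError(f"unsupported expression: {expr!r}")


def evaluate_condition(condition: Optional[str], claims: Dict[str, str]) -> bool:
    """None (the module default) means no condition: every token from the
    issuer passes.  A term that references a missing claim fails closed."""
    if condition is None or not condition.strip():
        return True
    for term in condition.split("&&"):
        m = _TERM.match(term)
        if not m:
            raise ValueError(f"unsupported condition term: {term!r}")
        left, op, right = _resolve(m.group(1), claims), m.group(2), _resolve(m.group(3), claims)
        if left is None or right is None:
            return False
        if (op == "==") != (left == right):
            return False
    return True


def map_attributes(claims: Dict[str, str],
                   attribute_mapping: Dict[str, str] = DEFAULT_ATTRIBUTE_MAPPING) -> Dict[str, str]:
    """Apply attribute_mapping: each target takes the value of the claim it
    points at; claims that are not mapped are invisible to IAM bindings."""
    mapped = {}
    for target, source in attribute_mapping.items():
        value = _resolve(source, claims)
        if value is not None:
            mapped[target] = value
    return mapped


def principal_set_members(mapped: Dict[str, str]) -> List[str]:
    """Principal-set suffixes (after the pool name) this identity belongs to:
    `*` always, plus `attribute.<name>/<value>` for each mapped attribute."""
    return ["*"] + [f"{t}/{v}" for t, v in mapped.items() if t.startswith("attribute.")]


def allowed_service_accounts(claims: Dict[str, str], sa_mapping: Dict[str, Dict[str, str]],
                             attribute_mapping: Dict[str, str] = DEFAULT_ATTRIBUTE_MAPPING,
                             attribute_condition: Optional[str] = None) -> List[str]:
    """Service accounts (sa_name) a token with these claims may impersonate."""
    if not evaluate_condition(attribute_condition, claims):
        return []  # the provider rejects the token before any binding applies
    members = set(principal_set_members(map_attributes(claims, attribute_mapping)))
    return sorted(e["sa_name"] for e in sa_mapping.values() if e["attribute"] in members)


if __name__ == "__main__":
    for label, claims in (("own repo", SAMPLE_CLAIMS), ("foreign repo", OTHER_REPO_CLAIMS)):
        print(label, "no condition:", allowed_service_accounts(claims, SA_MAPPING))
        print(label, "owner condition:",
              allowed_service_accounts(claims, SA_MAPPING, attribute_condition=OWNER_CONDITION))
```

Without a condition, the foreign repository's token still reaches the wildcard-bound service account; with the owner condition it is rejected at the provider, and only the repo-scoped binding is reached by the matching repository.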
Below are some examples:
### [OIDC Simple](../../examples/oidc-simple/README.md)
This example shows how to use this module along with a Service Account to access storage buckets.
### GitHub Workflow
Once provisioned, you can use the [google-github-actions/auth](https://github.com/google-github-actions/auth) Action in a workflow as shown below.
```yaml
# Example workflow
# .github/workflows/example.yml
name: 'example oidc'
on:
push:
branches:
- 'main'
jobs:
run:
name: 'example to list bucket contents'
permissions:
id-token: write
contents: read
runs-on: 'ubuntu-latest'
steps:
- id: 'auth'
uses: 'google-github-actions/auth@v1'
with:
token_format: 'access_token'
workload_identity_provider: ${{ secrets.PROVIDER_NAME }} # this is the output provider_name from the TF module
service_account: ${{ secrets.SA_EMAIL }} # this is a SA email configured using the TF module with access to YOUR-GCS-BUCKET
- id: 'list-buckets-contents'
run: |-
curl -sSf https://storage.googleapis.com/storage/v1/b/YOUR-GCS-BUCKET/o \
--header "Authorization: Bearer ${{ steps.auth.outputs.access_token }}"
```
<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
## Inputs
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| allowed\_audiences | Workload Identity Pool Provider allowed audiences. | `list(string)` | `[]` | no |
| attribute\_condition | Workload Identity Pool Provider attribute condition expression. [More info](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iam_workload_identity_pool_provider#attribute_condition) | `string` | `null` | no |
| attribute\_mapping | Workload Identity Pool Provider attribute mapping. [More info](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iam_workload_identity_pool_provider#attribute_mapping) | `map(any)` | <pre>{<br> "attribute.actor": "assertion.actor",<br> "attribute.aud": "assertion.aud",<br> "attribute.repository": "assertion.repository",<br> "google.subject": "assertion.sub"<br>}</pre> | no |
| issuer\_uri | Workload Identity Pool Issuer URL | `string` | `"https://token.actions.githubusercontent.com"` | no |
| pool\_description | Workload Identity Pool description | `string` | `"Workload Identity Pool managed by Terraform"` | no |
| pool\_display\_name | Workload Identity Pool display name | `string` | `null` | no |
| pool\_id | Workload Identity Pool ID | `string` | n/a | yes |
| project\_id | The project id to create Workload Identity Pool | `string` | n/a | yes |
| provider\_description | Workload Identity Pool Provider description | `string` | `"Workload Identity Pool Provider managed by Terraform"` | no |
| provider\_display\_name | Workload Identity Pool Provider display name | `string` | `null` | no |
| provider\_id | Workload Identity Pool Provider id | `string` | n/a | yes |
| sa\_mapping | Service Account resource names and corresponding WIF provider attributes. If attribute is set to `*` all identities in the pool are granted access to SAs. | <pre>map(object({<br> sa_name = string<br> attribute = string<br> }))</pre> | `{}` | no |
## Outputs
| Name | Description |
|------|-------------|
| pool\_name | Pool name |
| provider\_name | Provider name |
<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
## Requirements
Before this module can be used on a project, you must ensure that the following pre-requisites are fulfilled:
1. Required APIs are activated
```
"iam.googleapis.com",
"cloudresourcemanager.googleapis.com",
"iamcredentials.googleapis.com",
"sts.googleapis.com",
```
1. Service Account used to deploy this module has the following roles
```
roles/iam.workloadIdentityPoolAdmin
roles/iam.serviceAccountAdmin
```
================================================
FILE: modules/gh-oidc/main.tf
================================================
/**
* Copyright 2021 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
resource "google_iam_workload_identity_pool" "main" {
provider = google-beta
project = var.project_id
workload_identity_pool_id = var.pool_id
display_name = var.pool_display_name
description = var.pool_description
disabled = false
}
resource "google_iam_workload_identity_pool_provider" "main" {
provider = google-beta
project = var.project_id
workload_identity_pool_id = google_iam_workload_identity_pool.main.workload_identity_pool_id
workload_identity_pool_provider_id = var.provider_id
display_name = var.provider_display_name
description = var.provider_description
attribute_condition = var.attribute_condition
attribute_mapping = var.attribute_mapping
oidc {
allowed_audiences = var.allowed_audiences
issuer_uri = var.issuer_uri
}
}
resource "google_service_account_iam_member" "wif-sa" {
for_each = var.sa_mapping
service_account_id = each.value.sa_name
role = "roles/iam.workloadIdentityUser"
member = "principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.main.name}/${each.value.attribute}"
}
================================================
FILE: modules/gh-oidc/metadata.yaml
================================================
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: blueprints.cloud.google.com/v1alpha1
kind: BlueprintMetadata
metadata:
name: terraform-google-github-actions-runners
annotations:
config.kubernetes.io/local-config: "true"
spec:
title: ""
source:
repo: https://github.com/terraform-google-modules/terraform-google-github-actions-runners
sourceType: git
version: 5.1.0
actuationTool:
type: Terraform
version: '>= 0.13'
examples:
- name: gh-org-runner-mig-native-simple
location: examples/gh-org-runner-mig-native-simple
- name: gh-runner-gke-dind
location: examples/gh-runner-gke-dind
- name: gh-runner-gke-simple
location: examples/gh-runner-gke-simple
- name: gh-runner-mig-container-vm-dind
location: examples/gh-runner-mig-container-vm-dind
- name: gh-runner-mig-container-vm-simple
location: examples/gh-runner-mig-container-vm-simple
- name: gh-runner-mig-native-packer
location: examples/gh-runner-mig-native-packer
- name: gh-runner-mig-native-simple
location: examples/gh-runner-mig-native-simple
- name: oidc-simple
location: examples/oidc-simple
variables:
- name: allowed_audiences
description: Workload Identity Pool Provider allowed audiences.
type: list(string)
default: []
required: false
- name: attribute_condition
description: Workload Identity Pool Provider attribute condition expression. [More info](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iam_workload_identity_pool_provider#attribute_condition)
type: string
required: false
- name: attribute_mapping
description: Workload Identity Pool Provider attribute mapping. [More info](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iam_workload_identity_pool_provider#attribute_mapping)
type: map(any)
default:
attribute.actor: assertion.actor
attribute.aud: assertion.aud
attribute.repository: assertion.repository
google.subject: assertion.sub
required: false
- name: issuer_uri
description: Workload Identity Pool Issuer URL
type: string
default: https://token.actions.githubusercontent.com
required: false
- name: pool_description
description: Workload Identity Pool description
type: string
default: Workload Identity Pool managed by Terraform
required: false
- name: pool_display_name
description: Workload Identity Pool display name
type: string
required: false
- name: pool_id
description: Workload Identity Pool ID
type: string
required: true
- name: project_id
description: The project id to create Workload Identity Pool
type: string
required: true
- name: provider_description
description: Workload Identity Pool Provider description
type: string
default: Workload Identity Pool Provider managed by Terraform
required: false
- name: provider_display_name
description: Workload Identity Pool Provider display name
type: string
required: false
- name: provider_id
description: Workload Identity Pool Provider id
type: string
required: true
- name: sa_mapping
description: Service Account resource names and corresponding WIF provider attributes. If attribute is set to `*` all identities in the pool are granted access to SAs.
type: |-
map(object({
sa_name = string
attribute = string
}))
default: {}
required: false
outputs:
- name: pool_name
description: Pool name
- name: provider_name
description: Provider name
roles:
- level: Project
roles:
- roles/owner
services:
- cloudresourcemanager.googleapis.com
- storage-api.googleapis.com
- iam.googleapis.com
- container.googleapis.com
- serviceusage.googleapis.com
================================================
FILE: modules/gh-oidc/outputs.tf
================================================
/**
* Copyright 2021 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
output "pool_name" {
description = "Pool name"
value = google_iam_workload_identity_pool.main.name
}
output "provider_name" {
description = "Provider name"
value = google_iam_workload_identity_pool_provider.main.name
}
================================================
FILE: modules/gh-oidc/variables.tf
================================================
/**
* Copyright 2021 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
variable "project_id" {
type = string
description = "The project id to create Workload Identity Pool"
}
variable "pool_id" {
type = string
description = "Workload Identity Pool ID"
}
variable "pool_display_name" {
type = string
description = "Workload Identity Pool display name"
default = null
}
variable "pool_description" {
type = string
description = "Workload Identity Pool description"
default = "Workload Identity Pool managed by Terraform"
}
variable "provider_id" {
type = string
description = "Workload Identity Pool Provider id"
}
variable "issuer_uri" {
type = string
description = "Workload Identity Pool Issuer URL"
default = "https://token.actions.githubusercontent.com"
}
variable "provider_display_name" {
type = string
description = "Workload Identity Pool Provider display name"
default = null
}
variable "provider_description" {
type = string
description = "Workload Identity Pool Provider description"
default = "Workload Identity Pool Provider managed by Terraform"
}
variable "attribute_condition" {
type = string
description = "Workload Identity Pool Provider attribute condition expression. [More info](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iam_workload_identity_pool_provider#attribute_condition)"
default = null
}
variable "attribute_mapping" {
type = map(any)
description = "Workload Identity Pool Provider attribute mapping. [More info](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iam_workload_identity_pool_provider#attribute_mapping)"
default = {
"google.subject" = "assertion.sub"
"attribute.actor" = "assertion.actor"
"attribute.aud" = "assertion.aud"
"attribute.repository" = "assertion.repository"
}
}
variable "allowed_audiences" {
type = list(string)
description = "Workload Identity Pool Provider allowed audiences."
default = []
}
variable "sa_mapping" {
type = map(object({
sa_name = string
attribute = string
}))
description = "Service Account resource names and corresponding WIF provider attributes. If attribute is set to `*` all identities in the pool are granted access to SAs."
default = {}
}
================================================
FILE: modules/gh-oidc/versions.tf
================================================
/**
* Copyright 2021 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
terraform {
required_version = ">= 1.3"
required_providers {
google = {
source = "hashicorp/google"
version = ">= 3.64, < 8"
}
google-beta = {
source = "hashicorp/google-beta"
version = ">= 3.64, < 8"
}
}
provider_meta "google" {
module_name = "blueprints/terraform/terraform-google-github-actions-runners:gh-oidc/v5.1.0"
}
provider_meta "google-beta" {
module_name = "blueprints/terraform/terraform-google-github-actions-runners:gh-oidc/v5.1.0"
}
}
================================================
FILE: modules/gh-runner-gke/README.md
================================================
# Self Hosted Runners on GKE
This module handles the opinionated creation of infrastructure necessary to deploy GitHub Actions Runners on GKE. This module follows the guide provided by GitHub for [Quickstart for Actions Runner Controller](https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/quickstart-for-actions-runner-controller).

This includes:
- Enabling necessary APIs
- VPC
- GKE Cluster
- Kubernetes Secret
- Installation via Helm Chart
## Usage
See below for example usage of this module:
```tf
module "runner-gke" {
source = "terraform-google-modules/github-actions-runners/google//modules/gh-runner-gke"
version = "~> 5.1"
project_id = "PROJECT_ID"
create_network = true
cluster_suffix = "k8s"
gh_app_id = "123456"
gh_app_installation_id = "12345678"
gh_app_private_key = "sample"
gh_config_url = "https://github.com/ORGANIZATION"
}
```
### Authenticating to GitHub
It's recommended to authenticate to GitHub via a GitHub App. Follow the instructions at [Authenticating ARC with a GitHub App](https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/authenticating-to-the-github-api#authenticating-arc-with-a-github-app) to retrieve the necessary prerequisites:
- GitHub App ID
- GitHub App Installation ID
- GitHub App Private Key
Install the app in the organization or account for which the runners should be available.
Substitute these values gathered from creating the GitHub App installation into the variables in the module.
## Requirements
Before this module can be used on a project, you must ensure that the following pre-requisites are fulfilled:
1. Required APIs are activated
```
"cloudresourcemanager.googleapis.com",
"storage-api.googleapis.com",
"iam.googleapis.com",
"container.googleapis.com",
"serviceusage.googleapis.com"
```
## Examples
Below are some examples:
### [Simple Self Hosted Runners on GKE](../../examples/gh-runner-gke-simple/README.md)
This example shows how to deploy a simple GKE Self Hosted Runner.
### [Self Hosted runners on GKE that support Docker workflows](../../examples/gh-runner-gke-dind/README.md)
This example shows how to deploy Self Hosted Runners on GKE that support Docker Workflows.
### [Self Hosted runners on GKE that support Docker Workflows in rootless configuration](../../examples/gh-runner-gke-dind-rootless/README.md)
This example shows how to deploy Self Hosted Runners on GKE that support Docker Workflows in a rootless configuration.
<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
## Inputs
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| arc\_container\_mode | value of containerMode.type in ARC runner scale set helm chart. If set, value can be `dind` or `kubernetes` | `string` | `""` | no |
| arc\_controller\_values | List of values in raw yaml format to pass to helm for ARC runners scale set controller chart | `list(string)` | `[]` | no |
| arc\_controller\_version | Version tag for the ARC image. See [https://github.com/actions/actions-runner-controller/pkgs/container/actions-runner-controller-charts%2Fgha-runner-scale-set-controller](https://github.com/actions/actions-runner-controller/pkgs/container/actions-runner-controller-charts%2Fgha-runner-scale-set-controller) for releases. | `string` | `"0.9.3"` | no |
| arc\_runners\_namespace | Namespace created for the ARC runner pods. | `string` | `"arc-runners"` | no |
| arc\_runners\_values | List of values in raw yaml format to pass to helm for ARC runners scale set chart | `list(string)` | `[]` | no |
| arc\_runners\_version | Version tag for the ARC image. See [https://github.com/actions/actions-runner-controller/pkgs/container/actions-runner-controller-charts%2Fgha-runner-scale-set](https://github.com/actions/actions-runner-controller/pkgs/container/actions-runner-controller-charts%2Fgha-runner-scale-set) for releases. | `string` | `"0.9.3"` | no |
| arc\_systems\_namespace | Namespace created for the ARC operator pods. | `string` | `"arc-systems"` | no |
| cluster\_suffix | Name of the GitHub organization associated with this runner cluster. | `string` | `"arc"` | no |
| create\_network | When set to true, VPC will be auto created | `bool` | `true` | no |
| enable\_private\_nodes | Whether nodes have internal IP addresses only. | `bool` | `false` | no |
| gh\_app\_id | After creating the GitHub App, on the GitHub App's page, note the value for "App ID". | `string` | n/a | yes |
| gh\_app\_installation\_id | You can find the app installation ID on the app installation page, which has the following URL format: `https://github.com/organizations/ORGANIZATION/settings/installations/INSTALLATION_ID` | `string` | n/a | yes |
| gh\_app\_pre\_defined\_secret\_name | Name for the k8s secret required to configure gh runners on GKE via GitHub App authentication | `string` | `"gh-app-pre-defined-secret"` | no |
| gh\_app\_private\_key | Under "Private keys", click Generate a private key, and save the .pem file. Use the contents of this file for this variable. | `string` | n/a | yes |
| gh\_config\_url | URL of GitHub App config. If installed in an organization, this is in the format "https://github.com/ORGANIZATION" | `string` | n/a | yes |
| ip\_range\_pods\_cidr | The secondary ip range cidr to use for pods | `string` | `"192.168.0.0/18"` | no |
| ip\_range\_pods\_name | The secondary ip range to use for pods | `string` | `"ip-range-pods"` | no |
| ip\_range\_services\_cider | The secondary ip range cidr to use for services | `string` | `"192.168.64.0/18"` | no |
| ip\_range\_services\_name | The secondary ip range to use for services | `string` | `"ip-range-scv"` | no |
| machine\_type | Machine type for runner node pool | `string` | `"n1-standard-4"` | no |
| max\_node\_count | Maximum number of nodes in the runner node pool | `number` | `4` | no |
| min\_node\_count | Minimum number of nodes in the runner node pool | `number` | `2` | no |
| network\_name | Name for the VPC network | `string` | `"runner-network"` | no |
| project\_id | The project id to deploy Github Runner cluster | `string` | n/a | yes |
| region | The GCP region to deploy instances into | `string` | `"us-east4"` | no |
| service\_account | Optional Service Account for the nodes | `string` | `""` | no |
| spot | A boolean that represents whether the underlying node VMs are spot | `bool` | `false` | no |
| subnet\_ip | IP range for the subnet | `string` | `"10.0.0.0/17"` | no |
| subnet\_name | Name for the subnet | `string` | `"runner-subnet"` | no |
| subnetwork\_project | The ID of the project in which the subnetwork belongs. If it is not provided, the project\_id is used. | `string` | `""` | no |
| zones | The GCP zone to deploy gke into | `list(string)` | <pre>[<br> "us-east4-a"<br>]</pre> | no |
## Outputs
| Name | Description |
|------|-------------|
| ca\_certificate | The cluster ca certificate (base64 encoded) |
| client\_token | The bearer token for auth |
| cluster\_name | Cluster name |
| kubernetes\_endpoint | The cluster endpoint |
| location | Cluster location |
| network\_name | Name of VPC |
| service\_account | The default service account used for running nodes. |
| subnet\_name | Name of subnet |
<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
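The GitHub App inputs above end up verbatim in the `gh-app-pre-defined-secret` Kubernetes secret and the CIDR inputs in the subnetwork, so a malformed value only surfaces partway through an apply. The following pre-flight check is an added example (not part of the module); the URL patterns follow the variable descriptions, the PKCS#1 PEM header is what GitHub's "Generate a private key" produces, and the sample ids and key body are constructed placeholders.

```python
"""Pre-flight checks for gh-runner-gke inputs (added example; not part of the module).

Catches bad GitHub App credentials and overlapping CIDRs before `terraform apply`
hands them to the kubernetes_secret and google_compute_subnetwork resources.
"""
import ipaddress
import re

# URL format from the gh_app_installation_id description (org install); the
# /settings/installations/<id> form for user installs is an added assumption.
_INSTALLATION_URL = re.compile(
    r"^https://github\.com/(?:organizations/[^/]+/)?settings/installations/(\d+)/?$"
)
# gh_config_url: "https://github.com/ORGANIZATION", or the org/repo form ARC also accepts.
_CONFIG_URL = re.compile(r"^https://github\.com/[A-Za-z0-9][A-Za-z0-9-]*(?:/[A-Za-z0-9._-]+)?$")
_PEM_HEAD = "-----BEGIN RSA PRIVATE KEY-----"
_PEM_TAIL = "-----END RSA PRIVATE KEY-----"


def parse_installation_id(url: str) -> str:
    """Extract INSTALLATION_ID from the app installation page URL."""
    m = _INSTALLATION_URL.match(url.strip())
    if not m:
        raise ValueError(f"not a GitHub App installation page URL: {url!r}")
    return m.group(1)


def check_private_key(pem: str) -> list:
    """The key GitHub generates is a PKCS#1 PEM; common paste errors are caught here."""
    problems = []
    body = pem.strip()
    if not (body.startswith(_PEM_HEAD) and body.endswith(_PEM_TAIL)):
        problems.append("gh_app_private_key: expected the PKCS#1 .pem downloaded from the GitHub App page")
    if "\\n" in body and "\n" not in body:
        problems.append("gh_app_private_key: literal '\\n' sequences instead of newlines (pasted through a one-line string)")
    return problems


def check_ranges(subnet_ip: str, pods_cidr: str, services_cidr: str) -> list:
    """Primary subnet and the two GKE secondary ranges must be valid and disjoint."""
    problems, nets = [], {}
    for name, value in (("subnet_ip", subnet_ip),
                        ("ip_range_pods_cidr", pods_cidr),
                        ("ip_range_services_cider", services_cidr)):
        try:
            nets[name] = ipaddress.ip_network(value, strict=True)  # rejects host bits set
        except ValueError as exc:
            problems.append(f"{name}: {exc}")
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} ({nets[a]}) overlaps {b} ({nets[b]})")
    return problems


def preflight(inputs: dict) -> list:
    """Return a list of problems; an empty list means the inputs look deployable."""
    problems = []
    for key in ("gh_app_id", "gh_app_installation_id"):
        if not str(inputs.get(key, "")).isdigit():
            problems.append(f"{key}: must be the numeric id shown by GitHub, got {inputs.get(key)!r}")
    if not _CONFIG_URL.match(inputs.get("gh_config_url", "")):
        problems.append("gh_config_url: expected https://github.com/ORGANIZATION (no trailing slash)")
    problems += check_private_key(inputs.get("gh_app_private_key", ""))
    problems += check_ranges(
        inputs.get("subnet_ip", "10.0.0.0/17"),
        inputs.get("ip_range_pods_cidr", "192.168.0.0/18"),
        inputs.get("ip_range_services_cider", "192.168.64.0/18"),
    )
    return problems


# Constructed sample inputs: placeholder ids and a fake PEM body, not real credentials.
SAMPLE_INPUTS = {
    "gh_app_id": "123456",
    "gh_app_installation_id": parse_installation_id(
        "https://github.com/organizations/example-org/settings/installations/12345678"
    ),
    "gh_app_private_key": f"{_PEM_HEAD}\nMIIEconstructedKeyBodyNotARealKey==\n{_PEM_TAIL}\n",
    "gh_config_url": "https://github.com/example-org",
}

if __name__ == "__main__":
    for problem in preflight(SAMPLE_INPUTS) or ["ok: inputs look deployable"]:
        print(problem)
```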
================================================
FILE: modules/gh-runner-gke/main.tf
================================================
/**
* Copyright 2020 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
locals {
  network_name = var.create_network ? google_compute_network.gh-network[0].name : var.network_name
  subnet_name  = var.create_network ? google_compute_subnetwork.gh-subnetwork[0].name : var.subnet_name
  # Empty input: let the kubernetes-engine module create a dedicated node service account
  service_account = var.service_account == "" ? "create" : var.service_account
}

/*****************************************
  Optional Network
 *****************************************/
resource "google_compute_network" "gh-network" {
  count                   = var.create_network ? 1 : 0
  name                    = var.network_name
  project                 = var.project_id
  auto_create_subnetworks = false
}

resource "google_compute_subnetwork" "gh-subnetwork" {
  count         = var.create_network ? 1 : 0
  project       = var.project_id
  name          = var.subnet_name
  ip_cidr_range = var.subnet_ip
  region        = var.region
  network       = google_compute_network.gh-network[0].name
  # Secondary ranges for GKE pods and services; must not overlap ip_cidr_range or each other
  secondary_ip_range {
    range_name    = var.ip_range_pods_name
    ip_cidr_range = var.ip_range_pods_cidr
  }
  secondary_ip_range {
    range_name    = var.ip_range_services_name
    ip_cidr_range = var.ip_range_services_cider
  }
}

/*****************************************
  Runner GKE
 *****************************************/
module "runner-cluster" {
  source                   = "terraform-google-modules/kubernetes-engine/google//modules/beta-public-cluster/"
  version                  = "~> 35.0"
  project_id               = var.project_id
  name                     = "gh-runner-${var.cluster_suffix}"
  regional                 = false
  region                   = var.region
  zones                    = var.zones
  network                  = local.network_name
  network_project_id       = var.subnetwork_project != "" ? var.subnetwork_project : var.project_id
  subnetwork               = local.subnet_name
  ip_range_pods            = var.ip_range_pods_name
  ip_range_services        = var.ip_range_services_name
  logging_service          = "logging.googleapis.com/kubernetes"
  monitoring_service       = "monitoring.googleapis.com/kubernetes"
  remove_default_node_pool = true
  service_account          = local.service_account
  gce_pd_csi_driver        = true
  deletion_protection      = false
  node_pools = [
    {
      name                 = "runner-pool"
      min_count            = var.min_node_count
      max_count            = var.max_node_count
      auto_upgrade         = true
      machine_type         = var.machine_type
      enable_private_nodes = var.enable_private_nodes
      spot                 = var.spot
    }
  ]
}

# Credentials of the identity running Terraform; exported (base64) as client_token in outputs.tf
data "google_client_config" "default" {
}

resource "kubernetes_namespace" "arc_systems" {
  metadata {
    name = var.arc_systems_namespace
  }
}

resource "kubernetes_namespace" "arc_runners" {
  metadata {
    name = var.arc_runners_namespace
  }
  depends_on = [helm_release.arc]
}

/*****************************************
  K8S secrets for configuring k8s runners
 *****************************************/
# GitHub App credentials read by the runner scale set. The private key is a
# long-lived signing credential: it lands in this Secret and, in plaintext, in
# the Terraform state, so both need restricted access.
resource "kubernetes_secret" "gh_app_pre_defined_secret" {
  metadata {
    name      = var.gh_app_pre_defined_secret_name
    namespace = kubernetes_namespace.arc_runners.metadata[0].name
  }
  data = {
    github_app_id              = var.gh_app_id
    github_app_installation_id = var.gh_app_installation_id
    github_app_private_key     = var.gh_app_private_key
  }
}

# ARC controller (operator) in the systems namespace
resource "helm_release" "arc" {
  name      = "arc"
  namespace = kubernetes_namespace.arc_systems.metadata[0].name
  chart     = "oci://ghcr.io/actions/actions-runner-controller-charts/gha-runner-scale-set-controller"
  version   = var.arc_controller_version
  wait      = true
  values    = var.arc_controller_values
}

# Runner scale set in the runners namespace, pointed at the secret above.
# `set` is a list of objects (helm provider 3.x syntax, see versions.tf).
resource "helm_release" "arc_runners_set" {
  name      = "arc-runners"
  namespace = kubernetes_namespace.arc_runners.metadata[0].name
  chart     = "oci://ghcr.io/actions/actions-runner-controller-charts/gha-runner-scale-set"
  version   = var.arc_runners_version
  set = concat(
    [
      {
        name  = "githubConfigSecret"
        value = kubernetes_secret.gh_app_pre_defined_secret.metadata[0].name
      },
      {
        name  = "githubConfigUrl"
        value = var.gh_config_url
      }
    ],
    var.arc_container_mode == "" ? [] : [
      {
        name  = "containerMode.type"
        value = var.arc_container_mode
      }
    ]
  )
  values = var.arc_runners_values
}
================================================
FILE: modules/gh-runner-gke/metadata.yaml
================================================
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: blueprints.cloud.google.com/v1alpha1
kind: BlueprintMetadata
metadata:
  name: terraform-google-github-actions-runners
  annotations:
    config.kubernetes.io/local-config: "true"
spec:
  title: ""
  source:
    repo: https://github.com/terraform-google-modules/terraform-google-github-actions-runners
    sourceType: git
  version: 5.1.0
  actuationTool:
    type: Terraform
    version: '>= 0.13'
  examples:
  - name: gh-org-runner-mig-native-simple
    location: examples/gh-org-runner-mig-native-simple
  - name: gh-runner-gke-dind
    location: examples/gh-runner-gke-dind
  - name: gh-runner-gke-simple
    location: examples/gh-runner-gke-simple
  - name: gh-runner-mig-container-vm-dind
    location: examples/gh-runner-mig-container-vm-dind
  - name: gh-runner-mig-container-vm-simple
    location: examples/gh-runner-mig-container-vm-simple
  - name: gh-runner-mig-native-packer
    location: examples/gh-runner-mig-native-packer
  - name: gh-runner-mig-native-simple
    location: examples/gh-runner-mig-native-simple
  - name: oidc-simple
    location: examples/oidc-simple
  variables:
  - name: create_network
    description: When set to true, VPC will be auto created
    type: bool
    default: true
    required: false
  - name: gh_token
    description: Github token that is used for generating Self Hosted Runner Token
    type: string
    required: true
  - name: ip_range_pods_cidr
    description: The secondary ip range cidr to use for pods
    type: string
    default: 192.168.0.0/18
    required: false
  - name: ip_range_pods_name
    description: The secondary ip range to use for pods
    type: string
    default: ip-range-pods
    required: false
  - name: ip_range_services_cider
    description: The secondary ip range cidr to use for services
    type: string
    default: 192.168.64.0/18
    required: false
  - name: ip_range_services_name
    description: The secondary ip range to use for services
    type: string
    default: ip-range-scv
    required: false
  - name: machine_type
    description: Machine type for runner node pool
    type: string
    default: n1-standard-4
    required: false
  - name: max_node_count
    description: Maximum number of nodes in the runner node pool
    type: number
    default: 4
    required: false
  - name: min_node_count
    description: Minimum number of nodes in the runner node pool
    type: number
    default: 2
    required: false
  - name: network_name
    description: Name for the VPC network
    type: string
    default: runner-network
    required: false
  - name: project_id
    description: The project id to deploy Github Runner cluster
    type: string
    required: true
  - name: region
    description: The GCP region to deploy instances into
    type: string
    default: us-east4
    required: false
  - name: repo_name
    description: Name of the repo for the Github Action
    type: string
    required: true
  - name: repo_owner
    description: Owner of the repo for the Github Action
    type: string
    required: true
  - name: repo_url
    description: Repo URL for the Github Action
    type: string
    required: true
  - name: runner_k8s_config
    description: Name for the k8s secret required to configure gh runners on GKE
    type: string
    default: runner-k8s-config
    required: false
  - name: service_account
    description: Optional Service Account for the nodes
    type: string
    default: ""
    required: false
  - name: subnet_ip
    description: IP range for the subnet
    type: string
    default: 10.0.0.0/17
    required: false
  - name: subnet_name
    description: Name for the subnet
    type: string
    default: runner-subnet
    required: false
  - name: subnetwork_project
    description: The ID of the project in which the subnetwork belongs. If it is not provided, the project_id is used.
    type: string
    default: ""
    required: false
  - name: zones
    description: The GCP zone to deploy gke into
    type: list(string)
    default:
    - us-east4-a
    required: false
  outputs:
  - name: ca_certificate
    description: The cluster ca certificate (base64 encoded)
  - name: client_token
    description: The bearer token for auth
  - name: cluster_name
    description: Cluster name
  - name: kubernetes_endpoint
    description: The cluster endpoint
  - name: location
    description: Cluster location
  - name: network_name
    description: Name of VPC
  - name: service_account
    description: The default service account used for running nodes.
  - name: subnet_name
    description: Name of subnet
  roles:
  - level: Project
    roles:
    - roles/owner
  services:
  - cloudresourcemanager.googleapis.com
  - storage-api.googleapis.com
  - iam.googleapis.com
  - container.googleapis.com
  - serviceusage.googleapis.com
================================================
FILE: modules/gh-runner-gke/outputs.tf
================================================
/**
* Copyright 2020 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
output "kubernetes_endpoint" {
  description = "The cluster endpoint"
  sensitive   = true
  value       = module.runner-cluster.endpoint
}

# Base64 of the access token of the identity that ran Terraform; short-lived, but still a credential
output "client_token" {
  description = "The bearer token for auth"
  sensitive   = true
  value       = base64encode(data.google_client_config.default.access_token)
}

output "ca_certificate" {
  description = "The cluster ca certificate (base64 encoded)"
  sensitive   = true
  value       = module.runner-cluster.ca_certificate
}

output "service_account" {
  description = "The default service account used for running nodes."
  value       = module.runner-cluster.service_account
}

output "cluster_name" {
  description = "Cluster name"
  value       = module.runner-cluster.name
}

output "network_name" {
  description = "Name of VPC"
  value       = local.network_name
}

output "subnet_name" {
  description = "Name of subnet"
  value       = local.subnet_name
}

output "location" {
  description = "Cluster location"
  value       = module.runner-cluster.location
}
================================================
FILE: modules/gh-runner-gke/variables.tf
================================================
/**
* Copyright 2020 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
variable "project_id" {
  type        = string
  description = "The project id to deploy Github Runner cluster"
}

variable "region" {
  type        = string
  description = "The GCP region to deploy instances into"
  default     = "us-east4"
}

variable "zones" {
  type        = list(string)
  description = "The GCP zone to deploy gke into"
  default     = ["us-east4-a"]
}

variable "ip_range_pods_name" {
  type        = string
  description = "The secondary ip range to use for pods"
  default     = "ip-range-pods"
}

variable "ip_range_services_name" {
  type        = string
  description = "The secondary ip range to use for services"
  default     = "ip-range-scv"
}

variable "ip_range_pods_cidr" {
  type        = string
  description = "The secondary ip range cidr to use for pods"
  default     = "192.168.0.0/18"
}

variable "ip_range_services_cider" {
  type        = string
  description = "The secondary ip range cidr to use for services"
  default     = "192.168.64.0/18"
}

variable "network_name" {
  type        = string
  description = "Name for the VPC network"
  default     = "runner-network"
}

variable "subnet_ip" {
  type        = string
  description = "IP range for the subnet"
  default     = "10.0.0.0/17"
}

variable "subnet_name" {
  type        = string
  description = "Name for the subnet"
  default     = "runner-subnet"
}

variable "create_network" {
  type        = bool
  description = "When set to true, VPC will be auto created"
  default     = true
}

variable "subnetwork_project" {
  type        = string
  description = "The ID of the project in which the subnetwork belongs. If it is not provided, the project_id is used."
  default     = ""
}

variable "machine_type" {
  type        = string
  description = "Machine type for runner node pool"
  default     = "n1-standard-4"
}

variable "max_node_count" {
  type        = number
  description = "Maximum number of nodes in the runner node pool"
  default     = 4
}

variable "min_node_count" {
  type        = number
  description = "Minimum number of nodes in the runner node pool"
  default     = 2
}

variable "gh_app_pre_defined_secret_name" {
  type        = string
  description = "Name for the k8s secret required to configure gh runners on GKE via GitHub App authentication"
  default     = "gh-app-pre-defined-secret"
}

variable "gh_app_id" {
  type        = string
  description = "After creating the GitHub App, on the GitHub App's page, note the value for \"App ID\"."
}

variable "gh_app_installation_id" {
  type        = string
  description = "You can find the app installation ID on the app installation page, which has the following URL format: `https://github.com/organizations/ORGANIZATION/settings/installations/INSTALLATION_ID`"
}

variable "gh_app_private_key" {
  type        = string
  description = "Under \"Private keys\", click Generate a private key, and save the .pem file. Use the contents of this file for this variable."
  sensitive   = true
}

variable "service_account" {
  type        = string
  description = "Optional Service Account for the nodes"
  default     = ""
}

variable "arc_systems_namespace" {
  type        = string
  description = "Namespace created for the ARC operator pods."
  default     = "arc-systems"
}

variable "arc_runners_namespace" {
  type        = string
  description = "Namespace created for the ARC runner pods."
  default     = "arc-runners"
}

variable "cluster_suffix" {
  type        = string
  description = "Name of the GitHub organization associated with this runner cluster."
  default     = "arc"
}

variable "gh_config_url" {
  type        = string
  description = "URL of GitHub App config. If installed in an organization, this is in the format \"https://github.com/ORGANIZATION\""
}

variable "arc_runners_version" {
  type        = string
  description = "Version tag for the ARC image. See [https://github.com/actions/actions-runner-controller/pkgs/container/actions-runner-controller-charts%2Fgha-runner-scale-set](https://github.com/actions/actions-runner-controller/pkgs/container/actions-runner-controller-charts%2Fgha-runner-scale-set) for releases."
  default     = "0.9.3"
}

variable "arc_controller_version" {
  type        = string
  description = "Version tag for the ARC image. See [https://github.com/actions/actions-runner-controller/pkgs/container/actions-runner-controller-charts%2Fgha-runner-scale-set-controller](https://github.com/actions/actions-runner-controller/pkgs/container/actions-runner-controller-charts%2Fgha-runner-scale-set-controller) for releases."
  default     = "0.9.3"
}

variable "arc_container_mode" {
  type        = string
  description = "value of containerMode.type in ARC runner scale set helm chart. If set, value can be `dind` or `kubernetes`"
  default     = ""
}

variable "arc_controller_values" {
  type        = list(string)
  description = "List of values in raw yaml format to pass to helm for ARC runners scale set controller chart"
  default     = []
}

variable "arc_runners_values" {
  type        = list(string)
  description = "List of values in raw yaml format to pass to helm for ARC runners scale set chart"
  default     = []
}

variable "enable_private_nodes" {
  type        = bool
  description = "Whether nodes have internal IP addresses only."
  default     = false
}

variable "spot" {
  type        = bool
  description = "A boolean that represents whether the underlying node VMs are spot"
  default     = false
}
================================================
FILE: modules/gh-runner-gke/versions.tf
================================================
/**
* Copyright 2021 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
terraform {
  required_version = ">= 1.3"
  required_providers {
    google = {
      source  = "hashicorp/google"
      version = ">= 4.3.0, < 8"
    }
    google-beta = {
      source  = "hashicorp/google-beta"
      version = ">= 4.3.0, < 8"
    }
    kubernetes = {
      source  = "hashicorp/kubernetes"
      version = "~> 2.0"
    }
    helm = {
      source  = "hashicorp/helm"
      version = "~> 3.0"
    }
  }
  provider_meta "google" {
    module_name = "blueprints/terraform/terraform-google-github-actions-runners:gh-runner-gke/v5.1.0"
  }
}
================================================
FILE: modules/gh-runner-mig-container-vm/README.md
================================================
## Self Hosted Runners on Managed Instance Group
This module handles the opinionated creation of infrastructure necessary to deploy Github Self Hosted Runners on MIG Container VMs.
This includes:
- Enabling necessary APIs
- VPC
- NAT & Cloud Router
- MIG Container Instance Template
- MIG Instance Manager
- FW Rules
Below are some examples:
### [Self Hosted runners that support Docker Workflows](../../examples/gh-runner-mig-container-vm-dind/README.md)
This example shows how to deploy a Self Hosted Runner that supports Docker Workflows on MIG Container VMs. With `dind = true` the module does this by mounting the host's `/var/run/docker.sock` into the runner container, so any workflow step the runner executes can drive the host Docker daemon; only use it for workflows you trust with the VM.
### [Simple Self Hosted Runner](../../examples/gh-runner-mig-container-vm-simple/README.md)
This example shows how to deploy a Self Hosted Runner on MIG Container VMs.
<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
## Inputs
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| additional\_metadata | Additional metadata to attach to the instance | `map(any)` | `{}` | no |
| cooldown\_period | The number of seconds that the autoscaler should wait before it starts collecting information from a new instance. | `number` | `60` | no |
| create\_network | When set to true, VPC, router and NAT will be auto created | `bool` | `true` | no |
| dind | Flag to determine whether to expose dockersock | `bool` | `false` | no |
| disk\_size\_gb | Instance disk size in GB | `number` | `100` | no |
| disk\_type | Instance disk type, can be either pd-ssd, local-ssd, or pd-standard | `string` | `"pd-ssd"` | no |
| gh\_token | Github token that is used for generating Self Hosted Runner Token | `string` | n/a | yes |
| image | The github runner image | `string` | n/a | yes |
| instance\_name | The gce instance name | `string` | `"gh-runner"` | no |
| network\_name | Name for the VPC network | `string` | `"gh-runner-network"` | no |
| project\_id | The project id to deploy Github Runner | `string` | n/a | yes |
| region | The GCP region to deploy instances into | `string` | `"us-east4"` | no |
| repo\_name | Name of the repo for the Github Action | `string` | n/a | yes |
| repo\_owner | Owner of the repo for the Github Action | `string` | n/a | yes |
| repo\_url | Repo URL for the Github Action | `string` | n/a | yes |
| restart\_policy | The desired Docker restart policy for the runner image | `string` | `"Always"` | no |
| service\_account | Service account email address | `string` | `""` | no |
| spot | Provision a SPOT instance | `bool` | `false` | no |
| spot\_instance\_termination\_action | Action to take when Compute Engine preempts a Spot VM. | `string` | `"STOP"` | no |
| subnet\_ip | IP range for the subnet | `string` | `"10.10.10.0/24"` | no |
| subnet\_name | Name for the subnet | `string` | `"gh-runner-subnet"` | no |
| subnetwork\_project | The ID of the project in which the subnetwork belongs. If it is not provided, the project\_id is used. | `string` | `""` | no |
| target\_size | The number of runner instances | `number` | `2` | no |
## Outputs
| Name | Description |
|------|-------------|
| mig\_instance\_group | The instance group url of the created MIG |
| mig\_instance\_template | The name of the MIG Instance Template |
| mig\_name | The name of the MIG |
| network\_name | Name of VPC |
| service\_account | Service account email for GCE |
| subnet\_name | Name of subnet |
<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
## Requirements
Before this module can be used on a project, you must ensure that the following prerequisites are fulfilled:
1. Required APIs are activated
```
"iam.googleapis.com",
"cloudresourcemanager.googleapis.com",
"containerregistry.googleapis.com",
"storage-component.googleapis.com",
"logging.googleapis.com",
"monitoring.googleapis.com"
```
================================================
FILE: modules/gh-runner-mig-container-vm/main.tf
================================================
/**
* Copyright 2020 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
locals {
  # dind = true bind-mounts the host Docker socket into the runner container;
  # control of the host daemon is equivalent to root on the VM.
  dindVolumeMounts = var.dind ? [{
    mountPath = "/var/run/docker.sock"
    name      = "dockersock"
    readOnly  = false
  }] : []
  dindVolumes = var.dind ? [
    {
      name = "dockersock"
      hostPath = {
        path = "/var/run/docker.sock"
      }
  }] : []
  network_name    = var.create_network ? google_compute_network.gh-network[0].self_link : var.network_name
  subnet_name     = var.create_network ? google_compute_subnetwork.gh-subnetwork[0].self_link : var.subnet_name
  service_account = var.service_account == "" ? google_service_account.runner_service_account[0].email : var.service_account
  # location = var.regional ? var.region : var.zones[0]
}

/*****************************************
  Optional Runner Networking
 *****************************************/
resource "google_compute_network" "gh-network" {
  count                   = var.create_network ? 1 : 0
  name                    = var.network_name
  project                 = var.project_id
  auto_create_subnetworks = false
}

resource "google_compute_subnetwork" "gh-subnetwork" {
  count         = var.create_network ? 1 : 0
  project       = var.project_id
  name          = var.subnet_name
  ip_cidr_range = var.subnet_ip
  region        = var.region
  network       = google_compute_network.gh-network[0].name
}

# Cloud NAT gives the runners (no external IPs) egress to GitHub
resource "google_compute_router" "default" {
  count   = var.create_network ? 1 : 0
  name    = "${var.network_name}-router"
  network = google_compute_network.gh-network[0].self_link
  region  = var.region
  project = var.project_id
}

resource "google_compute_router_nat" "nat" {
  count                              = var.create_network ? 1 : 0
  project                            = var.project_id
  name                               = "${var.network_name}-nat"
  router                             = google_compute_router.default[0].name
  region                             = google_compute_router.default[0].region
  nat_ip_allocate_option             = "AUTO_ONLY"
  source_subnetwork_ip_ranges_to_nat = "ALL_SUBNETWORKS_ALL_IP_RANGES"
}

/*****************************************
  IAM Bindings GCE SVC
 *****************************************/
resource "google_service_account" "runner_service_account" {
  count        = var.service_account == "" ? 1 : 0
  project      = var.project_id
  account_id   = "runner-service-account"
  display_name = "Github Runner GCE Service Account"
}

# allow GCE to pull images from GCR
# NB: google_project_iam_binding is authoritative for the role: it replaces any
# other members that hold roles/storage.objectViewer on the project.
resource "google_project_iam_binding" "gce" {
  count   = var.service_account == "" ? 1 : 0
  project = var.project_id
  role    = "roles/storage.objectViewer"
  members = [
    "serviceAccount:${local.service_account}",
  ]
}

/*****************************************
  Runner GCE Instance Template
 *****************************************/
locals {
  instance_name = format("%s-%s", var.instance_name, substr(md5(module.gce-container.container.image), 0, 8))
}

module "gce-container" {
  source  = "terraform-google-modules/container-vm/google"
  version = "~> 3.0"
  container = {
    image = var.image
    # The whole container declaration, these env values included, is written to
    # instance metadata (see `metadata` in mig_template), where any process on the
    # VM can read it from the metadata server. Keep the token minimally scoped.
    env = [
      {
        name  = "ACTIONS_RUNNER_INPUT_URL"
        value = var.repo_url
      },
      {
        name  = "GITHUB_TOKEN"
        value = var.gh_token
      },
      {
        name  = "REPO_OWNER"
        value = var.repo_owner
      },
      {
        name  = "REPO_NAME"
        value = var.repo_name
      }
    ]
    # Declare volumes to be mounted
    # This is similar to how Docker volumes are mounted
    volumeMounts = concat([
      {
        mountPath = "/cache"
        name      = "tempfs-0"
        readOnly  = false
      }
    ], local.dindVolumeMounts)
  }
  # Declare the volumes
  volumes = concat([
    {
      name = "tempfs-0"
      emptyDir = {
        medium = "Memory"
      }
    }
  ], local.dindVolumes)
  restart_policy = var.restart_policy
}

module "mig_template" {
  source             = "terraform-google-modules/vm/google//modules/instance_template"
  version            = "~> 13.0"
  project_id         = var.project_id
  region             = var.region
  network            = local.network_name
  subnetwork         = local.subnet_name
  subnetwork_project = var.subnetwork_project != "" ? var.subnetwork_project : var.project_id
  # cloud-platform scope: effective permissions are whatever IAM grants the service account
  service_account = {
    email = local.service_account
    scopes = [
      "https://www.googleapis.com/auth/cloud-platform",
    ]
  }
  disk_size_gb                     = var.disk_size_gb
  disk_type                        = var.disk_type
  auto_delete                      = true
  name_prefix                      = "gh-runner"
  source_image_family              = "cos-stable"
  source_image_project             = "cos-cloud"
  startup_script                   = "export TEST_ENV='hello'"
  source_image                     = reverse(split("/", module.gce-container.source_image))[0]
  spot                             = var.spot
  spot_instance_termination_action = var.spot_instance_termination_action
  metadata                         = merge(var.additional_metadata, { "gce-container-declaration" = module.gce-container.metadata_value })
  tags = [
    "gh-runner-vm"
  ]
  labels = {
    container-vm = module.gce-container.vm_container_label
  }
}

/*****************************************
  Runner MIG
 *****************************************/
module "mig" {
  source            = "terraform-google-modules/vm/google//modules/mig"
  version           = "~> 13.0"
  project_id        = var.project_id
  hostname          = local.instance_name
  region            = var.region
  instance_template = module.mig_template.self_link
  target_size       = var.target_size
  /* autoscaler */
  autoscaling_enabled = true
  cooldown_period     = var.cooldown_period
}
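The `gce-container` module renders the `container` block above into the `gce-container-declaration` metadata value, so the two security-relevant choices in this file (the host Docker socket mount behind `dind`, and `GITHUB_TOKEN` as a plain env value) are visible in every instance's metadata. The audit below is an added example, not part of the module: `sample_declaration()` is a constructed dict that mirrors the declaration structure this module produces, and `audit_declaration()` can equally be run on a parsed copy of the real metadata value.

```python
"""Audit a MIG container VM's rendered container declaration (added example; not
part of the module). sample_declaration() is constructed to mirror the structure
this module's `container` block and dind locals produce, so the audit runs offline.
"""

DOCKER_SOCK = "/var/run/docker.sock"
SECRET_ENV = {"GITHUB_TOKEN"}


def sample_declaration(dind: bool, token: str,
                       image: str = "example.test/gh-runner:constructed") -> dict:
    """Mirror of locals.dindVolumeMounts / locals.dindVolumes and the container block."""
    mounts = [{"mountPath": "/cache", "name": "tempfs-0", "readOnly": False}]
    volumes = [{"name": "tempfs-0", "emptyDir": {"medium": "Memory"}}]
    if dind:
        mounts.append({"mountPath": DOCKER_SOCK, "name": "dockersock", "readOnly": False})
        volumes.append({"name": "dockersock", "hostPath": {"path": DOCKER_SOCK}})
    return {
        "spec": {
            "containers": [{
                "name": "gh-runner",
                "image": image,
                "env": [
                    {"name": "ACTIONS_RUNNER_INPUT_URL",
                     "value": "https://github.com/example-org/example-repo"},
                    {"name": "GITHUB_TOKEN", "value": token},
                    {"name": "REPO_OWNER", "value": "example-org"},
                    {"name": "REPO_NAME", "value": "example-repo"},
                ],
                "volumeMounts": mounts,
            }],
            "volumes": volumes,
            "restartPolicy": "Always",
        }
    }


def audit_declaration(decl: dict) -> list:
    """Return findings (dicts) for hostPath mounts and secrets carried as env values."""
    findings = []
    spec = decl.get("spec", {})
    # volume name -> host path, for every volume backed by the host filesystem
    host_paths = {v["name"]: v["hostPath"]["path"]
                  for v in spec.get("volumes", []) if "hostPath" in v}
    for c in spec.get("containers", []):
        for m in c.get("volumeMounts", []):
            src = host_paths.get(m.get("name"))
            if src is None:
                continue  # emptyDir / non-host volume
            is_sock = src == DOCKER_SOCK
            findings.append({
                "severity": "high" if is_sock else "medium",
                "container": c.get("name"),
                "check": "hostPath",
                "detail": f"{src} mounted at {m.get('mountPath')}"
                          + (" (host Docker daemon control == root on the VM)" if is_sock else ""),
                "mitigation": "keep dind = false for untrusted workflows; the GKE rootless "
                              "example in this repo avoids the host socket altogether",
            })
        for e in c.get("env", []):
            if e.get("name") in SECRET_ENV and e.get("value"):
                findings.append({
                    "severity": "medium",
                    "container": c.get("name"),
                    "check": "secret-in-metadata",
                    "detail": f"{e['name']} is a plain env value in instance metadata, "
                              "readable by any process on the VM",
                    "mitigation": "scope the token to runner registration only and rotate it; "
                                  "treat instance metadata as readable by everything on the VM",
                })
    return findings


if __name__ == "__main__":
    for f in audit_declaration(sample_declaration(dind=True, token="ghp_constructed")):
        print(f"[{f['severity']}] {f['container']} {f['check']}: {f['detail']}")
```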
================================================
FILE: modules/gh-runner-mig-container-vm/metadata.yaml
================================================
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: blueprints.cloud.google.com/v1alpha1
kind: BlueprintMetadata
metadata:
  name: terraform-google-github-actions-runners
  annotations:
    config.kubernetes.io/local-config: "true"
spec:
  title: ""
  source:
    repo: https://github.com/terraform-google-modules/terraform-google-github-actions-runners
    sourceType: git
  version: 5.1.0
  actuationTool:
    type: Terraform
    version: '>= 0.13'
e