[ { "path": ".dockerignore", "content": ".git\n.terraform\n.terraform.d\n.kitchen\nterraform.tfstate.d\ntest/fixtures/*/.terraform\ntest/fixtures/*/terraform.tfstate.d\nexamples/.kitchen\nexamples/*/.terraform\nexamples/*/terraform.tfstate.d\n" }, { "path": ".github/release-please.yml", "content": "# Copyright 2021 Google LLC\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n# http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\nreleaseType: terraform-module\nhandleGHRelease: true\n" }, { "path": ".github/renovate.json", "content": "{\n \"$schema\": \"https://docs.renovatebot.com/renovate-schema.json\",\n \"extends\": [\"github>GoogleCloudPlatform/cloud-foundation-toolkit//infra/terraform/test-org/github/resources/renovate\"]\n}\n" }, { "path": ".github/trusted-contribution.yml", "content": "# Copyright 2023-2025 Google LLC\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n# http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\n# NOTE: This file is automatically generated from:\n# https://github.com/GoogleCloudPlatform/cloud-foundation-toolkit/blob/main/infra/terraform/test-org/github\n\nannotations:\n - type: comment\n text: \"/gcbrun\"\ntrustedContributors:\n - release-please[bot]\n - renovate[bot]\n - renovate-bot\n - forking-renovate[bot]\n - dependabot[bot]\n" }, { "path": ".github/workflows/lint.yaml", "content": "# Copyright 2023-2025 Google LLC\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n# http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\n# NOTE: This file is automatically generated from values at:\n# https://github.com/GoogleCloudPlatform/cloud-foundation-toolkit/blob/main/infra/terraform/test-org/org/locals.tf\n\nname: 'lint'\n\non:\n workflow_dispatch:\n pull_request:\n types: [opened, edited, reopened, synchronize]\n branches: [main]\n\npermissions:\n contents: read\n\nconcurrency:\n group: '${{ github.workflow }}-${{ github.head_ref || github.ref }}'\n cancel-in-progress: true\n\njobs:\n lint:\n name: 'lint'\n runs-on: 'ubuntu-latest'\n steps:\n - uses: 'actions/checkout@v6'\n - id: variables\n run: |\n MAKEFILE=$(find . -name Makefile -print -quit)\n if [ -z \"$MAKEFILE\" ]; then\n echo dev-tools=gcr.io/cloud-foundation-cicd/cft/developer-tools:1 >> \"$GITHUB_OUTPUT\"\n else\n VERSION=$(grep \"DOCKER_TAG_VERSION_DEVELOPER_TOOLS := \" $MAKEFILE | cut -d\\ -f3)\n IMAGE=$(grep \"DOCKER_IMAGE_DEVELOPER_TOOLS := \" $MAKEFILE | cut -d\\ -f3)\n REGISTRY=$(grep \"REGISTRY_URL := \" $MAKEFILE | cut -d\\ -f3)\n echo dev-tools=${REGISTRY}/${IMAGE}:${VERSION} >> \"$GITHUB_OUTPUT\"\n fi\n - run: docker run --rm -v ${{ github.workspace }}:/workspace ${STEPS_VARIABLES_OUTPUTS_DEV_TOOLS} module-swapper\n env:\n STEPS_VARIABLES_OUTPUTS_DEV_TOOLS: ${{ steps.variables.outputs.dev-tools }}\n - run: docker run --rm -v ${{ github.workspace }}:/workspace ${STEPS_VARIABLES_OUTPUTS_DEV_TOOLS} /usr/local/bin/test_lint.sh\n env:\n STEPS_VARIABLES_OUTPUTS_DEV_TOOLS: ${{ steps.variables.outputs.dev-tools }}\n commitlint:\n runs-on: ubuntu-latest\n steps:\n - uses: actions/checkout@v6\n with:\n fetch-depth: 0\n - name: Setup node\n uses: actions/setup-node@v6\n with:\n node-version: lts/*\n - name: Install commitlint\n run: |\n npm install -D @commitlint/cli@20.2.0 @commitlint/config-conventional@20.2.0\n echo \"module.exports = { extends: ['@commitlint/config-conventional'], rules: {'subject-case': [0], 'header-max-length': [0]} };\" > commitlint.config.js\n npx commitlint --version\n - name: Validate PR commits with commitlint\n if: github.event_name == 'pull_request'\n env:\n TITLE: ${{ github.event.pull_request.title }}\n run: 'echo \"$TITLE\" | npx commitlint --verbose'\n" }, { "path": ".github/workflows/stale.yml", "content": "# Copyright 2022-2025 Google LLC\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n# http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\n# NOTE: This file is automatically generated from:\n# https://github.com/GoogleCloudPlatform/cloud-foundation-toolkit/blob/main/infra/terraform/test-org/github\n\nname: \"Close stale issues\"\non:\n schedule:\n - cron: \"0 23 * * *\"\n\npermissions:\n contents: read\n issues: write\n pull-requests: write\n actions: write\n\njobs:\n stale:\n if: github.repository_owner == 'GoogleCloudPlatform' || github.repository_owner == 'terraform-google-modules'\n runs-on: ubuntu-latest\n steps:\n - uses: actions/stale@v10\n with:\n repo-token: ${{ secrets.GITHUB_TOKEN }}\n stale-issue-message: 'This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days'\n stale-pr-message: 'This PR is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days'\n exempt-issue-labels: 'triaged'\n exempt-pr-labels: 'dependencies,autorelease: pending'\n operations-per-run: 100\n" }, { "path": ".gitignore", "content": "# OSX leaves these everywhere on SMB shares\n._*\n\n# OSX trash\n.DS_Store\n\n# Python\n*.pyc\n\n# Emacs save files\n*~\n\\#*\\#\n.\\#*\n\n# Vim-related files\n[._]*.s[a-w][a-z]\n[._]s[a-w][a-z]\n*.un~\nSession.vim\n.netrwhist\n\n### https://raw.github.com/github/gitignore/90f149de451a5433aebd94d02d11b0e28843a1af/Terraform.gitignore\n\n# Local .terraform directories\n**/.terraform/*\n\n# .tfstate files\n*.tfstate\n*.tfstate.*\n\n# test.out files\ntest.out\n\n# Crash log files\ncrash.log\n\n# Kitchen files\n**/inspec.lock\n**/.kitchen\n**/kitchen.local.yml\n**/Gemfile.lock\n\n# Ignore any .tfvars files that are generated automatically for each Terraform run. Most\n# .tfvars files are managed as part of configuration and so should be included in\n# version control.\n**/*.tfvars\n\ncredentials.json\n\n# tf lock file\n.terraform.lock.hcl\n" }, { "path": "CHANGELOG.md", "content": "# Changelog\n\nAll notable changes to this project will be documented in this file.\n\nThe format is based on\n[Keep a Changelog](https://keepachangelog.com/en/1.0.0/),\nand this project adheres to\n[Semantic Versioning](https://semver.org/spec/v2.0.0.html).\nThis changelog is generated automatically based on [Conventional Commits](https://www.conventionalcommits.org/en/v1.0.0/).\n\n## [5.1.0](https://github.com/terraform-google-modules/terraform-google-github-actions-runners/compare/v5.0.0...v5.1.0) (2025-09-09)\n\n\n### Features\n\n* **deps:** Update Terraform Google Provider to v7 (major) ([#223](https://github.com/terraform-google-modules/terraform-google-github-actions-runners/issues/223)) ([411f391](https://github.com/terraform-google-modules/terraform-google-github-actions-runners/commit/411f39135eab709760c0fd9894f04c7cdcd9a6b4))\n\n## [5.0.0](https://github.com/terraform-google-modules/terraform-google-github-actions-runners/compare/v4.0.0...v5.0.0) (2025-01-10)\n\n\n### ⚠ BREAKING CHANGES\n\n* **TF>=1.3:** Update Terraform ([#201](https://github.com/terraform-google-modules/terraform-google-github-actions-runners/issues/201))\n* **deps:** Update Terraform terraform-google-modules/vm/google to v13 ([#204](https://github.com/terraform-google-modules/terraform-google-github-actions-runners/issues/204))\n* **deps:** Update Terraform terraform-google-modules/kubernetes-engine/google to v35 ([#205](https://github.com/terraform-google-modules/terraform-google-github-actions-runners/issues/205))\n* **deps:** Update Terraform terraform-google-modules/kubernetes-engine/google to v33 ([#183](https://github.com/terraform-google-modules/terraform-google-github-actions-runners/issues/183))\n* **deps:** Update Terraform terraform-google-modules/vm/google to v12 ([#184](https://github.com/terraform-google-modules/terraform-google-github-actions-runners/issues/184))\n\n### Features\n\n* **deps:** Update Terraform Google Provider to v6 (major) ([#191](https://github.com/terraform-google-modules/terraform-google-github-actions-runners/issues/191)) ([0364375](https://github.com/terraform-google-modules/terraform-google-github-actions-runners/commit/0364375e2b90f407ea526df3c0bddedee1fc1bc3))\n* support private GKE nodes ([#192](https://github.com/terraform-google-modules/terraform-google-github-actions-runners/issues/192)) ([730f92b](https://github.com/terraform-google-modules/terraform-google-github-actions-runners/commit/730f92b8e207cb35acbdc4c134c954f011f877d3))\n\n\n### Bug Fixes\n\n* add real attribute condition for OIDC example ([658acb0](https://github.com/terraform-google-modules/terraform-google-github-actions-runners/commit/658acb014d06e54757e60302aa9da91c37669c13))\n* constrain provider version for GKE examples to <5.44 ([658acb0](https://github.com/terraform-google-modules/terraform-google-github-actions-runners/commit/658acb014d06e54757e60302aa9da91c37669c13))\n* **deps:** Update Terraform terraform-google-modules/kubernetes-engine/google to v33 ([#183](https://github.com/terraform-google-modules/terraform-google-github-actions-runners/issues/183)) ([a47589e](https://github.com/terraform-google-modules/terraform-google-github-actions-runners/commit/a47589e5b10eab4d3f639fb42ccc4f0f07f8fc6f))\n* **deps:** Update Terraform terraform-google-modules/kubernetes-engine/google to v35 ([#205](https://github.com/terraform-google-modules/terraform-google-github-actions-runners/issues/205)) ([35a6060](https://github.com/terraform-google-modules/terraform-google-github-actions-runners/commit/35a606014656d3bb7b34c4f52818084f90021d7a))\n* **deps:** Update Terraform terraform-google-modules/vm/google to v12 ([#184](https://github.com/terraform-google-modules/terraform-google-github-actions-runners/issues/184)) ([0929277](https://github.com/terraform-google-modules/terraform-google-github-actions-runners/commit/09292776abe17a7f878b6d271e4b0b22b1138dca))\n* **deps:** Update Terraform terraform-google-modules/vm/google to v13 ([#204](https://github.com/terraform-google-modules/terraform-google-github-actions-runners/issues/204)) ([de8d3f5](https://github.com/terraform-google-modules/terraform-google-github-actions-runners/commit/de8d3f531685bf4e340b69cccf059d99d282e621))\n* reformat subnetwork secondary range block ([#187](https://github.com/terraform-google-modules/terraform-google-github-actions-runners/issues/187)) ([658acb0](https://github.com/terraform-google-modules/terraform-google-github-actions-runners/commit/658acb014d06e54757e60302aa9da91c37669c13))\n* set sensitive for gh-runner-gke ca_certificate output ([#196](https://github.com/terraform-google-modules/terraform-google-github-actions-runners/issues/196)) ([5367df3](https://github.com/terraform-google-modules/terraform-google-github-actions-runners/commit/5367df3f0fed5acd6dad9002a641409acd243317))\n* **TF>=1.3:** Update Terraform ([#201](https://github.com/terraform-google-modules/terraform-google-github-actions-runners/issues/201)) ([2364424](https://github.com/terraform-google-modules/terraform-google-github-actions-runners/commit/236442442a61be9e7c975d80390c42be8f7f5da4))\n\n## [4.0.0](https://github.com/terraform-google-modules/terraform-google-github-actions-runners/compare/v3.1.2...v4.0.0) (2024-08-27)\n\n\n### ⚠ BREAKING CHANGES\n\n* **deps:** Update Terraform terraform-google-modules/vm/google to v11 ([#152](https://github.com/terraform-google-modules/terraform-google-github-actions-runners/issues/152))\n* **deps:** Update Terraform terraform-google-modules/kubernetes-engine/google to v32 ([#178](https://github.com/terraform-google-modules/terraform-google-github-actions-runners/issues/178))\n* migrate to ARC ([#173](https://github.com/terraform-google-modules/terraform-google-github-actions-runners/issues/173))\n\n### Features\n\n* Add custom tags option to mig-vm-module ([#177](https://github.com/terraform-google-modules/terraform-google-github-actions-runners/issues/177)) ([5e1a3c6](https://github.com/terraform-google-modules/terraform-google-github-actions-runners/commit/5e1a3c6f44acd68d9ad160621dbd6cd8a5fe8f79))\n* **deps:** Update Terraform Google Provider to v6 (major) ([#181](https://github.com/terraform-google-modules/terraform-google-github-actions-runners/issues/181)) ([3c94fa5](https://github.com/terraform-google-modules/terraform-google-github-actions-runners/commit/3c94fa50403bcf567113547ddea3d00818a350f0))\n* migrate to ARC ([#173](https://github.com/terraform-google-modules/terraform-google-github-actions-runners/issues/173)) ([0b1299b](https://github.com/terraform-google-modules/terraform-google-github-actions-runners/commit/0b1299b802cafa1e331bb54b7c7dc6e7a23a1a0c))\n\n\n### Bug Fixes\n\n* **deps:** Update Terraform terraform-google-modules/kubernetes-engine/google to v32 ([#178](https://github.com/terraform-google-modules/terraform-google-github-actions-runners/issues/178)) ([999330d](https://github.com/terraform-google-modules/terraform-google-github-actions-runners/commit/999330dd53362a1e9f92821d858a0f13cf067594))\n* **deps:** Update Terraform terraform-google-modules/vm/google to v11 ([#152](https://github.com/terraform-google-modules/terraform-google-github-actions-runners/issues/152)) ([42e5161](https://github.com/terraform-google-modules/terraform-google-github-actions-runners/commit/42e516109356cf66803d42bfea2a6df46fe8e7b4))\n\n## [3.1.2](https://github.com/terraform-google-modules/terraform-google-github-actions-runners/compare/v3.1.1...v3.1.2) (2023-10-10)\n\n\n### Bug Fixes\n\n* upgraded versions.tf to include minor bumps from tpg v5 ([#124](https://github.com/terraform-google-modules/terraform-google-github-actions-runners/issues/124)) ([ede4426](https://github.com/terraform-google-modules/terraform-google-github-actions-runners/commit/ede4426a9268ad50524d3b0d23cb1dbf52ab99d3))\n\n## [3.1.1](https://github.com/terraform-google-modules/terraform-google-github-actions-runners/compare/v3.1.0...v3.1.1) (2022-12-29)\n\n\n### Bug Fixes\n\n* **deps:** update terraform terraform-google-modules/kubernetes-engine/google to v24 ([#85](https://github.com/terraform-google-modules/terraform-google-github-actions-runners/issues/85)) ([980e5d5](https://github.com/terraform-google-modules/terraform-google-github-actions-runners/commit/980e5d50cd89ed0e84f120e0e263bd9700ffa3ca))\n* fixes lint issues and generates metadata ([#89](https://github.com/terraform-google-modules/terraform-google-github-actions-runners/issues/89)) ([935368c](https://github.com/terraform-google-modules/terraform-google-github-actions-runners/commit/935368cf54df02eba97596bc21226c63bca2bf4c))\n\n## [3.1.0](https://github.com/terraform-google-modules/terraform-google-github-actions-runners/compare/v3.0.0...v3.1.0) (2022-07-20)\n\n\n### Features\n\n* Issuer URI has been passed through variable ([#62](https://github.com/terraform-google-modules/terraform-google-github-actions-runners/issues/62)) ([c9da327](https://github.com/terraform-google-modules/terraform-google-github-actions-runners/commit/c9da3279e9af3e195f3ad089efdfb425b8e9032f))\n\n## [3.0.0](https://github.com/terraform-google-modules/terraform-google-github-actions-runners/compare/v2.0.1...v3.0.0) (2022-02-02)\n\n\n### ⚠ BREAKING CHANGES\n\n* update examples, bump gke module version ([#52](https://github.com/terraform-google-modules/terraform-google-github-actions-runners/issues/52)). `gh-runner-gke` now uses [v19](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/releases/tag/v19.0.0) of the GKE module. Please refer to the [GKE module upgrade guide](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/blob/master/docs/upgrading_to_v19.0.md) for more details.\n\n### Features\n\n* Update TPG version constraints to allow 4.0 ([#50](https://github.com/terraform-google-modules/terraform-google-github-actions-runners/issues/50)) ([1aebd31](https://github.com/terraform-google-modules/terraform-google-github-actions-runners/commit/1aebd31f0548374ac061a58cdca7bc98e51eb760))\n\n\n### Bug Fixes\n\n* update examples, bump gke module version ([#52](https://github.com/terraform-google-modules/terraform-google-github-actions-runners/issues/52)) ([882578e](https://github.com/terraform-google-modules/terraform-google-github-actions-runners/commit/882578e59bf2f5a808abd63ed5dcc74524aa30fa))\n\n### [2.0.1](https://www.github.com/terraform-google-modules/terraform-google-github-actions-runners/compare/v2.0.0...v2.0.1) (2021-11-26)\n\n\n### Bug Fixes\n\n* bump minimum provider version for gh oidc module ([#45](https://www.github.com/terraform-google-modules/terraform-google-github-actions-runners/issues/45)) ([204a546](https://www.github.com/terraform-google-modules/terraform-google-github-actions-runners/commit/204a5463a48237fbd2bf118459db7dbb7742bb8a))\n\n## [2.0.0](https://www.github.com/terraform-google-modules/terraform-google-github-actions-runners/compare/v1.1.0...v2.0.0) (2021-11-09)\n\n\n### ⚠ BREAKING CHANGES\n\n* Remove the default allowed audience in `gh-oidc` (#42)\n* update issuer_uri for gh provider (#36)\n* Support org runners, update images and autoscaling config (#34)\n\n### Features\n\n* Add example for org runner & update shutdown script ([#37](https://www.github.com/terraform-google-modules/terraform-google-github-actions-runners/issues/37)) ([76115f9](https://www.github.com/terraform-google-modules/terraform-google-github-actions-runners/commit/76115f9587a048de26086116d6e3a3eb0ae6aa2c))\n* Remove the default allowed audience in `gh-oidc` ([#42](https://www.github.com/terraform-google-modules/terraform-google-github-actions-runners/issues/42)) ([1ec0ec2](https://www.github.com/terraform-google-modules/terraform-google-github-actions-runners/commit/1ec0ec201a6a063d27fea8fd62e6a028fb9fc5e6))\n* Support org runners, update images and autoscaling config ([#34](https://www.github.com/terraform-google-modules/terraform-google-github-actions-runners/issues/34)) ([280ca8a](https://www.github.com/terraform-google-modules/terraform-google-github-actions-runners/commit/280ca8a79266d00d6ec8fe84413de0d23cbdc791))\n* update issuer_uri for gh provider ([#36](https://www.github.com/terraform-google-modules/terraform-google-github-actions-runners/issues/36)) ([2ca3e6c](https://www.github.com/terraform-google-modules/terraform-google-github-actions-runners/commit/2ca3e6c4ea2a9987f8c5ac6191bbe925df4dd12b))\n\n## [1.1.0](https://www.github.com/terraform-google-modules/terraform-google-github-actions-runners/compare/v1.0.1...v1.1.0) (2021-09-20)\n\n\n### Features\n\n* add gh oidc module ([#32](https://www.github.com/terraform-google-modules/terraform-google-github-actions-runners/issues/32)) ([1f10847](https://www.github.com/terraform-google-modules/terraform-google-github-actions-runners/commit/1f10847dc69246166bd68a3149d2fefb5a43bf3b))\n\n### [1.0.1](https://www.github.com/terraform-google-modules/terraform-google-github-actions-runners/compare/v1.0.0...v1.0.1) (2021-08-17)\n\n\n### Bug Fixes\n\n* Switched to use google_project_iam_member, which is non-authoritative ([#27](https://www.github.com/terraform-google-modules/terraform-google-github-actions-runners/issues/27)) ([281a737](https://www.github.com/terraform-google-modules/terraform-google-github-actions-runners/commit/281a737a59046735577178052f584c3c9749239b))\n* use machine_type in mig-runner ([#30](https://www.github.com/terraform-google-modules/terraform-google-github-actions-runners/issues/30)) ([4f940f6](https://www.github.com/terraform-google-modules/terraform-google-github-actions-runners/commit/4f940f69a4bad949213250ba3b42ae905da5d2ca))\n\n## [1.0.0](https://www.github.com/terraform-google-modules/terraform-google-github-actions-runners/compare/v0.1.0...v1.0.0) (2021-04-24)\n\n\n### ⚠ BREAKING CHANGES\n\n* add Terraform 0.13 constraint and module attribution (#22)\n\n### Features\n\n* add Terraform 0.13 constraint and module attribution ([#22](https://www.github.com/terraform-google-modules/terraform-google-github-actions-runners/issues/22)) ([11d7179](https://www.github.com/terraform-google-modules/terraform-google-github-actions-runners/commit/11d7179773abf41e1f4a101dd729edaf1773929a))\n\n## 0.1.0 (2020-11-24)\n\n\n### Features\n\n* add network project for svpc, expose cooldown period, default scripts ([#15](https://www.github.com/terraform-google-modules/terraform-google-github-actions-runners/issues/15)) ([048156a](https://www.github.com/terraform-google-modules/terraform-google-github-actions-runners/commit/048156ae1708ccef39d36be55270048153fc8081))\n* remove api enablement and update docs ([#13](https://www.github.com/terraform-google-modules/terraform-google-github-actions-runners/issues/13)) ([5c01d64](https://www.github.com/terraform-google-modules/terraform-google-github-actions-runners/commit/5c01d64fdb47e84aa8bbe082f2af80669a0fcc32))\n\n## [0.1.0](https://github.com/terraform-google-modules/terraform-google-terraform-google-github-actions-runners/releases/tag/v0.1.0) - 20XX-YY-ZZ\n\n### Features\n\n- Initial release\n\n[0.1.0]: https://github.com/terraform-google-modules/terraform-google-terraform-google-github-actions-runners/releases/tag/v0.1.0\n" }, { "path": "CODEOWNERS", "content": "# NOTE: This file is automatically generated from values at:\n# https://github.com/GoogleCloudPlatform/cloud-foundation-toolkit/blob/main/infra/terraform/test-org/org/locals.tf\n\n* @terraform-google-modules/cft-admins\n\n# NOTE: GitHub CODEOWNERS locations:\n# https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners#codeowners-and-branch-protection\n\nCODEOWNERS @terraform-google-modules/cft-admins\n.github/CODEOWNERS @terraform-google-modules/cft-admins\ndocs/CODEOWNERS @terraform-google-modules/cft-admins\n\n" }, { "path": "CONTRIBUTING.md", "content": "# Contributing\n\nThis document provides guidelines for contributing to the module.\n\n## Dependencies\n\nThe following dependencies must be installed on the development system:\n\n- [Docker Engine][docker-engine]\n- [Google Cloud SDK][google-cloud-sdk]\n- [make]\n\n## Generating Documentation for Inputs and Outputs\n\nThe Inputs and Outputs tables in the READMEs of the root module,\nsubmodules, and example modules are automatically generated based on\nthe `variables` and `outputs` of the respective modules. These tables\nmust be refreshed if the module interfaces are changed.\n\n### Execution\n\nRun `make generate_docs` to generate new Inputs and Outputs tables.\n\n## Integration Testing\n\nIntegration tests are used to verify the behaviour of the root module,\nsubmodules, and example modules. Additions, changes, and fixes should\nbe accompanied with tests.\n\nThe integration tests are run using [Kitchen][kitchen],\n[Kitchen-Terraform][kitchen-terraform], and [InSpec][inspec]. These\ntools are packaged within a Docker image for convenience.\n\nThe general strategy for these tests is to verify the behaviour of the\n[example modules](./examples/), thus ensuring that the root module,\nsubmodules, and example modules are all functionally correct.\n\n### Test Environment\nThe easiest way to test the module is in an isolated test project. The setup for such a project is defined in [test/setup](./test/setup/) directory.\n\nTo use this setup, you need a service account with these permissions (on a Folder or Organization):\n- Project Creator\n- Project Billing Manager\n\nThe project that the service account belongs to must have the following APIs enabled (the setup won't\ncreate any resources on the service account's project):\n- Cloud Resource Manager\n- Cloud Billing\n- Service Usage\n- Identity and Access Management (IAM)\n\nExport the Service Account credentials to your environment like so:\n\n```\nexport SERVICE_ACCOUNT_JSON=$(< credentials.json)\n```\n\nYou will also need to set a few environment variables:\n```\nexport TF_VAR_org_id=\"your_org_id\"\nexport TF_VAR_folder_id=\"your_folder_id\"\nexport TF_VAR_billing_account=\"your_billing_account_id\"\n```\n\nWith these settings in place, you can prepare a test project using Docker:\n```\nmake docker_test_prepare\n```\n\n### Noninteractive Execution\n\nRun `make docker_test_integration` to test all of the example modules\nnoninteractively, using the prepared test project.\n\n### Interactive Execution\n\n1. Run `make docker_run` to start the testing Docker container in\n interactive mode.\n\n1. Run `kitchen_do create ` to initialize the working\n directory for an example module.\n\n1. Run `kitchen_do converge ` to apply the example module.\n\n1. Run `kitchen_do verify ` to test the example module.\n\n1. Run `kitchen_do destroy ` to destroy the example module\n state.\n\n## Linting and Formatting\n\nMany of the files in the repository can be linted or formatted to\nmaintain a standard of quality.\n\n### Execution\n\nRun `make docker_test_lint`.\n\n[docker-engine]: https://www.docker.com/products/docker-engine\n[flake8]: http://flake8.pycqa.org/en/latest/\n[gofmt]: https://golang.org/cmd/gofmt/\n[google-cloud-sdk]: https://cloud.google.com/sdk/install\n[hadolint]: https://github.com/hadolint/hadolint\n[inspec]: https://inspec.io/\n[kitchen-terraform]: https://github.com/newcontext-oss/kitchen-terraform\n[kitchen]: https://kitchen.ci/\n[make]: https://en.wikipedia.org/wiki/Make_(software)\n[shellcheck]: https://www.shellcheck.net/\n[terraform-docs]: https://github.com/segmentio/terraform-docs\n[terraform]: https://terraform.io/\n" }, { "path": "LICENSE", "content": "\n Apache License\n Version 2.0, January 2004\n http://www.apache.org/licenses/\n\n TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n 1. Definitions.\n\n \"License\" shall mean the terms and conditions for use, reproduction,\n and distribution as defined by Sections 1 through 9 of this document.\n\n \"Licensor\" shall mean the copyright owner or entity authorized by\n the copyright owner that is granting the License.\n\n \"Legal Entity\" shall mean the union of the acting entity and all\n other entities that control, are controlled by, or are under common\n control with that entity. For the purposes of this definition,\n \"control\" means (i) the power, direct or indirect, to cause the\n direction or management of such entity, whether by contract or\n otherwise, or (ii) ownership of fifty percent (50%) or more of the\n outstanding shares, or (iii) beneficial ownership of such entity.\n\n \"You\" (or \"Your\") shall mean an individual or Legal Entity\n exercising permissions granted by this License.\n\n \"Source\" form shall mean the preferred form for making modifications,\n including but not limited to software source code, documentation\n source, and configuration files.\n\n \"Object\" form shall mean any form resulting from mechanical\n transformation or translation of a Source form, including but\n not limited to compiled object code, generated documentation,\n and conversions to other media types.\n\n \"Work\" shall mean the work of authorship, whether in Source or\n Object form, made available under the License, as indicated by a\n copyright notice that is included in or attached to the work\n (an example is provided in the Appendix below).\n\n \"Derivative Works\" shall mean any work, whether in Source or Object\n form, that is based on (or derived from) the Work and for which the\n editorial revisions, annotations, elaborations, or other modifications\n represent, as a whole, an original work of authorship. For the purposes\n of this License, Derivative Works shall not include works that remain\n separable from, or merely link (or bind by name) to the interfaces of,\n the Work and Derivative Works thereof.\n\n \"Contribution\" shall mean any work of authorship, including\n the original version of the Work and any modifications or additions\n to that Work or Derivative Works thereof, that is intentionally\n submitted to Licensor for inclusion in the Work by the copyright owner\n or by an individual or Legal Entity authorized to submit on behalf of\n the copyright owner. For the purposes of this definition, \"submitted\"\n means any form of electronic, verbal, or written communication sent\n to the Licensor or its representatives, including but not limited to\n communication on electronic mailing lists, source code control systems,\n and issue tracking systems that are managed by, or on behalf of, the\n Licensor for the purpose of discussing and improving the Work, but\n excluding communication that is conspicuously marked or otherwise\n designated in writing by the copyright owner as \"Not a Contribution.\"\n\n \"Contributor\" shall mean Licensor and any individual or Legal Entity\n on behalf of whom a Contribution has been received by Licensor and\n subsequently incorporated within the Work.\n\n 2. Grant of Copyright License. Subject to the terms and conditions of\n this License, each Contributor hereby grants to You a perpetual,\n worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n copyright license to reproduce, prepare Derivative Works of,\n publicly display, publicly perform, sublicense, and distribute the\n Work and such Derivative Works in Source or Object form.\n\n 3. Grant of Patent License. Subject to the terms and conditions of\n this License, each Contributor hereby grants to You a perpetual,\n worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n (except as stated in this section) patent license to make, have made,\n use, offer to sell, sell, import, and otherwise transfer the Work,\n where such license applies only to those patent claims licensable\n by such Contributor that are necessarily infringed by their\n Contribution(s) alone or by combination of their Contribution(s)\n with the Work to which such Contribution(s) was submitted. If You\n institute patent litigation against any entity (including a\n cross-claim or counterclaim in a lawsuit) alleging that the Work\n or a Contribution incorporated within the Work constitutes direct\n or contributory patent infringement, then any patent licenses\n granted to You under this License for that Work shall terminate\n as of the date such litigation is filed.\n\n 4. Redistribution. You may reproduce and distribute copies of the\n Work or Derivative Works thereof in any medium, with or without\n modifications, and in Source or Object form, provided that You\n meet the following conditions:\n\n (a) You must give any other recipients of the Work or\n Derivative Works a copy of this License; and\n\n (b) You must cause any modified files to carry prominent notices\n stating that You changed the files; and\n\n (c) You must retain, in the Source form of any Derivative Works\n that You distribute, all copyright, patent, trademark, and\n attribution notices from the Source form of the Work,\n excluding those notices that do not pertain to any part of\n the Derivative Works; and\n\n (d) If the Work includes a \"NOTICE\" text file as part of its\n distribution, then any Derivative Works that You distribute must\n include a readable copy of the attribution notices contained\n within such NOTICE file, excluding those notices that do not\n pertain to any part of the Derivative Works, in at least one\n of the following places: within a NOTICE text file distributed\n as part of the Derivative Works; within the Source form or\n documentation, if provided along with the Derivative Works; or,\n within a display generated by the Derivative Works, if and\n wherever such third-party notices normally appear. The contents\n of the NOTICE file are for informational purposes only and\n do not modify the License. You may add Your own attribution\n notices within Derivative Works that You distribute, alongside\n or as an addendum to the NOTICE text from the Work, provided\n that such additional attribution notices cannot be construed\n as modifying the License.\n\n You may add Your own copyright statement to Your modifications and\n may provide additional or different license terms and conditions\n for use, reproduction, or distribution of Your modifications, or\n for any such Derivative Works as a whole, provided Your use,\n reproduction, and distribution of the Work otherwise complies with\n the conditions stated in this License.\n\n 5. Submission of Contributions. Unless You explicitly state otherwise,\n any Contribution intentionally submitted for inclusion in the Work\n by You to the Licensor shall be under the terms and conditions of\n this License, without any additional terms or conditions.\n Notwithstanding the above, nothing herein shall supersede or modify\n the terms of any separate license agreement you may have executed\n with Licensor regarding such Contributions.\n\n 6. Trademarks. This License does not grant permission to use the trade\n names, trademarks, service marks, or product names of the Licensor,\n except as required for reasonable and customary use in describing the\n origin of the Work and reproducing the content of the NOTICE file.\n\n 7. Disclaimer of Warranty. Unless required by applicable law or\n agreed to in writing, Licensor provides the Work (and each\n Contributor provides its Contributions) on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n implied, including, without limitation, any warranties or conditions\n of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n PARTICULAR PURPOSE. You are solely responsible for determining the\n appropriateness of using or redistributing the Work and assume any\n risks associated with Your exercise of permissions under this License.\n\n 8. Limitation of Liability. In no event and under no legal theory,\n whether in tort (including negligence), contract, or otherwise,\n unless required by applicable law (such as deliberate and grossly\n negligent acts) or agreed to in writing, shall any Contributor be\n liable to You for damages, including any direct, indirect, special,\n incidental, or consequential damages of any character arising as a\n result of this License or out of the use or inability to use the\n Work (including but not limited to damages for loss of goodwill,\n work stoppage, computer failure or malfunction, or any and all\n other commercial damages or losses), even if such Contributor\n has been advised of the possibility of such damages.\n\n 9. Accepting Warranty or Additional Liability. While redistributing\n the Work or Derivative Works thereof, You may choose to offer,\n and charge a fee for, acceptance of support, warranty, indemnity,\n or other liability obligations and/or rights consistent with this\n License. However, in accepting such obligations, You may act only\n on Your own behalf and on Your sole responsibility, not on behalf\n of any other Contributor, and only if You agree to indemnify,\n defend, and hold each Contributor harmless for any liability\n incurred by, or claims asserted against, such Contributor by reason\n of your accepting any such warranty or additional liability.\n\n END OF TERMS AND CONDITIONS\n\n APPENDIX: How to apply the Apache License to your work.\n\n To apply the Apache License to your work, attach the following\n boilerplate notice, with the fields enclosed by brackets \"[]\"\n replaced with your own identifying information. (Don't include\n the brackets!) The text should be enclosed in the appropriate\n comment syntax for the file format. We also recommend that a\n file or class name and description of purpose be included on the\n same \"printed page\" as the copyright notice for easier\n identification within third-party archives.\n\n Copyright [yyyy] [name of copyright owner]\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n" }, { "path": "Makefile", "content": "# Copyright 2020 Google LLC\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n# https://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\n# Please note that this file was generated from [terraform-google-module-template](https://github.com/terraform-google-modules/terraform-google-module-template).\n# Please make sure to contribute relevant changes upstream!\n\n# Make will use bash instead of sh\nSHELL := /usr/bin/env bash\n\nDOCKER_TAG_VERSION_DEVELOPER_TOOLS := 1.25\nDOCKER_IMAGE_DEVELOPER_TOOLS := cft/developer-tools\nREGISTRY_URL := gcr.io/cloud-foundation-cicd\n\n# Enter docker container for local development\n.PHONY: docker_run\ndocker_run:\n\tdocker run --rm -it \\\n\t\t-e SERVICE_ACCOUNT_JSON \\\n\t\t-v \"$(CURDIR)\":/workspace \\\n\t\t$(REGISTRY_URL)/${DOCKER_IMAGE_DEVELOPER_TOOLS}:${DOCKER_TAG_VERSION_DEVELOPER_TOOLS} \\\n\t\t/bin/bash\n\n# Execute prepare tests within the docker container\n.PHONY: docker_test_prepare\ndocker_test_prepare:\n\tdocker run --rm -it \\\n\t\t-e SERVICE_ACCOUNT_JSON \\\n\t\t-e TF_VAR_org_id \\\n\t\t-e TF_VAR_folder_id \\\n\t\t-e TF_VAR_billing_account \\\n\t\t-v \"$(CURDIR)\":/workspace \\\n\t\t$(REGISTRY_URL)/${DOCKER_IMAGE_DEVELOPER_TOOLS}:${DOCKER_TAG_VERSION_DEVELOPER_TOOLS} \\\n\t\t/usr/local/bin/execute_with_credentials.sh prepare_environment\n\n# Clean up test environment within the docker container\n.PHONY: docker_test_cleanup\ndocker_test_cleanup:\n\tdocker run --rm -it \\\n\t\t-e SERVICE_ACCOUNT_JSON \\\n\t\t-e TF_VAR_org_id \\\n\t\t-e TF_VAR_folder_id \\\n\t\t-e TF_VAR_billing_account \\\n\t\t-v \"$(CURDIR)\":/workspace \\\n\t\t$(REGISTRY_URL)/${DOCKER_IMAGE_DEVELOPER_TOOLS}:${DOCKER_TAG_VERSION_DEVELOPER_TOOLS} \\\n\t\t/usr/local/bin/execute_with_credentials.sh cleanup_environment\n\n# Execute integration tests within the docker container\n.PHONY: docker_test_integration\ndocker_test_integration:\n\tdocker run --rm -it \\\n\t\t-e SERVICE_ACCOUNT_JSON \\\n\t\t-v \"$(CURDIR)\":/workspace \\\n\t\t$(REGISTRY_URL)/${DOCKER_IMAGE_DEVELOPER_TOOLS}:${DOCKER_TAG_VERSION_DEVELOPER_TOOLS} \\\n\t\t/usr/local/bin/test_integration.sh\n\n# Execute lint tests within the docker container\n.PHONY: docker_test_lint\ndocker_test_lint:\n\tdocker run --rm -it \\\n\t\t-e EXCLUDE_LINT_DIRS \\\n\t\t-v \"$(CURDIR)\":/workspace \\\n\t\t$(REGISTRY_URL)/${DOCKER_IMAGE_DEVELOPER_TOOLS}:${DOCKER_TAG_VERSION_DEVELOPER_TOOLS} \\\n\t\t/usr/local/bin/test_lint.sh\n\n# Generate documentation\n.PHONY: docker_generate_docs\ndocker_generate_docs:\n\tdocker run --rm -it \\\n\t\t-v \"$(CURDIR)\":/workspace \\\n\t\t$(REGISTRY_URL)/${DOCKER_IMAGE_DEVELOPER_TOOLS}:${DOCKER_TAG_VERSION_DEVELOPER_TOOLS} \\\n\t\t/bin/bash -c 'source /usr/local/bin/task_helper_functions.sh && generate_docs'\n\n# Alias for backwards compatibility\n.PHONY: generate_docs\ngenerate_docs: docker_generate_docs\n" }, { "path": "README.md", "content": "# terraform-google-github-actions-runners\n[![awesome-runners](https://img.shields.io/badge/listed%20on-awesome--runners-blue.svg)](https://github.com/jonico/awesome-runners)\n\n## Description\nUsing these Terraform modules you can quickly deploy self-hosted GitHub Runners for jobs in your GitHub Actions workflows\n\n## Modules\n\n### [Self Hosted Runners on GKE](modules/gh-runner-gke/)\nThe `gh-runner-gke` module provisions the resources required to deploy Self Hosted Runners on GCP infrastructure using GKE. This module follows the guidance for using [Actions Runner Controller](https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/quickstart-for-actions-runner-controller#installing-actions-runner-controller) provided by GitHub\n\nExamples:\n- [Simple Self Hosted Runners on GKE](examples/gh-runner-gke-simple/)\n- [Self Hosted runners on GKE that support Docker Workflows](examples/gh-runner-gke-dind/)\n- [Self Hosted runners on GKE that support Docker Workflows in rootless configuration](examples/gh-runner-gke-dind-rootless/)\n\nMore examples of [Self Hosted Runners on GKE/Anthos](https://github.com/github-developer/self-hosted-runners-anthos).\n\n\n### [Self Hosted Runners on Managed Instance Groups using VMs](modules/gh-runner-mig-vm/)\nThe `gh-runner-mig-vm` module provisions the resources required to deploy Self Hosted Runners on GCP infrastructure using Managed Instance Groups.\n\nExamples:\n- [Simple Self Hosted Runner on MIG VMs](examples/gh-runner-mig-native-simple/)\n- [Self Hosted Runner on MIG VMs from Packer Image](examples/gh-runner-mig-native-packer/)\n\n### [Self Hosted Runners on Managed Instance Groups using Container VMs](modules/gh-runner-mig-container-vm/)\nThe `gh-runner-mig-container-vm` module provisions the resources required to deploy Self Hosted Runners on GCP infrastructure using Managed Instance Groups.\n\nExamples:\n- [Simple Self Hosted Runner on MIG Container VMs](examples/gh-runner-mig-container-vm-simple/)\n- [Self Hosted runners on MIG Container VMs that support Docker Workflows](examples/gh-runner-mig-container-vm-dind/)\n\n### [GitHub OIDC](modules/gh-oidc/)\nThis module handles the opinionated creation of infrastructure necessary to configure [Workload Identity pools](https://cloud.google.com/iam/docs/workload-identity-federation#pools) and [providers](https://cloud.google.com/iam/docs/workload-identity-federation#providers) for authenticating to GCP using GitHub Actions OIDC tokens.\n\nExamples:\n- [Simple Workload Identity configuration for GitHub OIDC](examples/oidc-simple/)\n\n\n## Requirements\n\nThese sections describe requirements for using this module.\n\n### Software\n\nThe following dependencies must be available:\n\n- [Terraform][terraform] v0.13\n- [Terraform Provider for GCP][terraform-provider-gcp]\n\n## Contributing\n\nRefer to the [contribution guidelines](./CONTRIBUTING.md) for\ninformation on contributing to this module.\n\n[iam-module]: https://registry.terraform.io/modules/terraform-google-modules/iam/google\n[project-factory-module]: https://registry.terraform.io/modules/terraform-google-modules/project-factory/google\n[terraform-provider-gcp]: https://www.terraform.io/docs/providers/google/index.html\n[terraform]: https://www.terraform.io/downloads.html\n\n## Security Disclosures\n\nPlease see our [security disclosure process](./SECURITY.md).\n" }, { "path": "build/int.cloudbuild.yaml", "content": "# Copyright 2020 Google LLC\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n# https://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\ntimeout: 3600s\nsteps:\n- id: swap-module-refs\n name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'\n args: ['module-swapper']\n- id: prepare\n name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'\n args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && prepare_environment && chmod 600 /builder/home/.netrc']\n env:\n - 'TF_VAR_org_id=$_ORG_ID'\n - 'TF_VAR_folder_id=$_FOLDER_ID'\n - 'TF_VAR_billing_account=$_BILLING_ACCOUNT'\n- id: init-all\n name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'\n args: ['/bin/bash', '-c', 'cft test run all --stage init --verbose']\n waitFor:\n - prepare\n# test/fixtures/gh-runner-mig-container-vm\n- id: apply-gh-runner-mig-container-vm\n name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'\n args: ['/bin/bash', '-c', 'cft test run TestGHRunnerMIGContainerVM --stage apply --verbose']\n waitFor:\n - init-all\n- id: verify-gh-runner-mig-container-vm\n name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'\n args: ['/bin/bash', '-c', 'cft test run TestGHRunnerMIGContainerVM --stage verify --verbose']\n waitFor:\n - apply-gh-runner-mig-container-vm\n- id: destroy-gh-runner-mig-container-vm\n name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'\n args: ['/bin/bash', '-c', 'cft test run TestGHRunnerMIGContainerVM --stage destroy --verbose']\n waitFor:\n - verify-gh-runner-mig-container-vm\n# TestAll/examples/gh-runner-gke-simple\n- id: apply-gh-runner-gke-simple\n name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'\n args: ['/bin/bash', '-c', 'cft test run TestGhRunnerGkeSimple --stage apply --verbose']\n waitFor:\n - init-all\n- id: verify-gh-runner-gke-simple\n name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'\n args: ['/bin/bash', '-c', 'cft test run TestGhRunnerGkeSimple --stage verify --verbose']\n waitFor:\n - apply-gh-runner-gke-simple\n- id: destroy-gh-runner-gke-simple\n name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'\n args: ['/bin/bash', '-c', 'cft test run TestGhRunnerGkeSimple --stage destroy --verbose']\n waitFor:\n - verify-gh-runner-gke-simple\n# TestAll/examples/gh-runner-gke-dind\n- id: apply-gh-runner-gke-dind\n name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'\n args: ['/bin/bash', '-c', 'cft test run TestGhRunnerGkeDind --stage apply --verbose']\n waitFor:\n - init-all\n- id: verify-gh-runner-gke-dind\n name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'\n args: ['/bin/bash', '-c', 'cft test run TestGhRunnerGkeDind --stage verify --verbose']\n waitFor:\n - apply-gh-runner-gke-dind\n- id: destroy-gh-runner-gke-dind\n name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'\n args: ['/bin/bash', '-c', 'cft test run TestGhRunnerGkeDind --stage destroy --verbose']\n waitFor:\n - verify-gh-runner-gke-dind\n# TestAll/examples/gh-runner-gke-dind-rootless\n- id: apply-gh-runner-gke-dind-rootless\n name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'\n args: ['/bin/bash', '-c', 'cft test run TestGhRunnerGkeDindRootless --stage apply --verbose']\n waitFor:\n - init-all\n- id: verify-gh-runner-gke-dind-rootless\n name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'\n args: ['/bin/bash', '-c', 'cft test run TestGhRunnerGkeDindRootless --stage verify --verbose']\n waitFor:\n - apply-gh-runner-gke-dind-rootless\n- id: destroy-gh-runner-gke-dind-rootless\n name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'\n args: ['/bin/bash', '-c', 'cft test run TestGhRunnerGkeDindRootless --stage destroy --verbose']\n waitFor:\n - verify-gh-runner-gke-dind-rootless\n# examples/oidc-simple\n- id: apply-oidc\n name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'\n args: ['/bin/bash', '-c', 'cft test run TestOIDCSimple --stage apply --verbose']\n waitFor:\n - init-all\n- id: verify-oidc\n name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'\n args: ['/bin/bash', '-c', 'cft test run TestOIDCSimple --stage verify --verbose']\n waitFor:\n - apply-oidc\n- id: destroy-oidc\n name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'\n args: ['/bin/bash', '-c', 'cft test run TestOIDCSimple --stage destroy --verbose']\n waitFor:\n - verify-oidc\ntags:\n- 'ci'\n- 'integration'\nsubstitutions:\n _DOCKER_IMAGE_DEVELOPER_TOOLS: 'cft/developer-tools'\n _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '1.25'\n" }, { "path": "build/lint.cloudbuild.yaml", "content": "# Copyright 2020 Google LLC\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n# https://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\nsteps:\n- name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'\n id: 'lint'\n args: ['/usr/local/bin/test_lint.sh']\ntags:\n- 'ci'\n- 'lint'\nsubstitutions:\n _DOCKER_IMAGE_DEVELOPER_TOOLS: 'cft/developer-tools'\n _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '1.25'\n" }, { "path": "docs/upgrading_to_v4.0.md", "content": "# Upgrading to v4.0\n\nThe v4.0 release of the `gh-runner-gke` module contains breaking changes.\n## Migration Instructions\n\n### `gh-runner-gke` module\n\n```diff\n module \"runner-gke\" {\n source = \"terraform-google-modules/github-actions-runners/google//modules/gh-runner-gke\"\n- version = \"~> 3.0\"\n+ version = \"~> 4.0\"\n\n project_id = var.project_id\n create_network = true\n+ cluster_suffix = \"repo\"\n- repo_name = \"repo\"\n- repo_owner = \"repo_owner\"\n- repo_url = \"repo_url\"\n- gh_token = \"gh_token\"\n+ gh_app_id = \"123456\"\n+ gh_app_installation_id = \"12345678\"\n+ gh_app_private_key = \"sample\"\n+ gh_config_url = \"https://github.com/ORGANIZATION\"\n}\n```\n\n- Previously, the name of the created GKE cluster appended `repo_name` as a suffix. Now, the value of the suffix is set via `cluster_suffix`, as runner clusters can be created for workflows more than one GitHub repo. To prevent cluster deletion when upgrading, set the value of `cluster_suffix` to the previous value of `repo_name`.\n- The module now prefers authentication via GitHub App installation. Follow the instructions for [authenticating to ARC via GitHub App](https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/authenticating-to-the-github-api#authenticating-arc-with-a-github-app), and provide the necessary values to the module instead of the previous repo authentication values. Upgrading will destroy the previously created `runner_k8s_config` kubernetes secret, so previous GitHub Runner images may fail.\n- Previously, the GKE cluster service account was provided with the `roles/storage.objectViewer` role to enable pulling images from Container Registry. The module no longer requires access to Container Registry, and so IAM membership has been removed. If your cluster relies on this role, you will need to add it again manually.\n" }, { "path": "examples/gh-org-runner-mig-native-simple/README.md", "content": "# Example Org Runners that support Docker Workflows\n\n## Overview\n\nThis example showcases how to use startup scripts to deploy organisation runners using the `gh-runner-mig` module.\n\nWe use startup/shutdown scripts to install the runner binary, register the runner when it comes online and de-register when shut down.\n\n## Steps to deploy this example\n\n- Step 1: Create terraform.tfvars file with the necessary values.\n\nGitHub Apps must have the `organization_self_hosted_runners` permission for organizations. Authenticated users must have admin access to the organization to use this API.\nYou must authenticate using an access token with the admin:org scope to use this endpoint.\n\nMore info can be found [here](https://developer.github.com/v3/actions/self_hosted_runners/) and [here](https://docs.github.com/en/rest/reference/actions#create-a-registration-token-for-an-organization).\n\n```sh\nproject_id = \"your-project-id\"\ngh_token = \"your-github-token\"\nrepo_owner = \"owner\"\n```\n\n- Step 2: Create the infrastructure\n\n```sh\n$ terraform init\n$ terraform plan\n$ terraform apply\n```\n\n- Step 3: Your runners should become active at https://github.com/owner/your-repo-name/settings/actions.\n\n\n\n## Inputs\n\n| Name | Description | Type | Default | Required |\n|------|-------------|------|---------|:--------:|\n| gh\\_token | Github token that is used for generating Self Hosted Runner Token | `string` | n/a | yes |\n| project\\_id | The project id to deploy Github Runner MIG | `string` | n/a | yes |\n| repo\\_owner | Owner of the organisation for the Github Action | `string` | n/a | yes |\n\n## Outputs\n\n| Name | Description |\n|------|-------------|\n| mig\\_instance\\_group | The instance group url of the created MIG |\n| mig\\_instance\\_template | The name of the MIG Instance Template |\n| mig\\_name | The name of the MIG |\n| service\\_account | Service account email for GCE |\n\n\n" }, { "path": "examples/gh-org-runner-mig-native-simple/main.tf", "content": "/**\n * Copyright 2019 Google LLC\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nmodule \"runner_mig\" {\n source = \"terraform-google-modules/github-actions-runners/google//modules/gh-runner-mig-vm\"\n version = \"~> 5.0\"\n\n create_network = true\n project_id = var.project_id\n repo_owner = var.repo_owner\n gh_token = var.gh_token\n}\n" }, { "path": "examples/gh-org-runner-mig-native-simple/outputs.tf", "content": "/**\n * Copyright 2020 Google LLC\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\noutput \"mig_instance_group\" {\n description = \"The instance group url of the created MIG\"\n value = module.runner_mig.mig_instance_group\n}\n\noutput \"mig_name\" {\n description = \"The name of the MIG\"\n value = module.runner_mig.mig_name\n}\n\noutput \"service_account\" {\n description = \"Service account email for GCE\"\n value = module.runner_mig.service_account\n}\n\noutput \"mig_instance_template\" {\n description = \"The name of the MIG Instance Template\"\n value = module.runner_mig.mig_instance_template\n}\n" }, { "path": "examples/gh-org-runner-mig-native-simple/providers.tf", "content": "/**\n * Copyright 2021 Google LLC\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nterraform {\n required_providers {\n google = {\n source = \"hashicorp/google\"\n version = \">= 4.0\"\n }\n google-beta = {\n source = \"hashicorp/google-beta\"\n version = \">= 4.0\"\n }\n }\n required_version = \">= 0.13\"\n}\n" }, { "path": "examples/gh-org-runner-mig-native-simple/variables.tf", "content": "/**\n * Copyright 2019 Google LLC\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nvariable \"project_id\" {\n type = string\n description = \"The project id to deploy Github Runner MIG\"\n}\n\nvariable \"repo_owner\" {\n type = string\n description = \"Owner of the organisation for the Github Action\"\n}\n\nvariable \"gh_token\" {\n type = string\n description = \"Github token that is used for generating Self Hosted Runner Token\"\n}\n" }, { "path": "examples/gh-runner-gke-dind/.dockerignore", "content": ".terraform\n*.tf*\n*.tfvars\n" }, { "path": "examples/gh-runner-gke-dind/.gcloudignore", "content": ".terraform\n*.tfstate\n*.tf\n*.out\nsample-manifests\n" }, { "path": "examples/gh-runner-gke-dind/README.md", "content": "# Self Hosted runners on GKE that support Docker Workflows\n\n## Overview\n\nThis example shows how to deploy runners that support Docker Workflows on GKE.\n\nMore examples of [Self Hosted Runners on GKE/Anthos](https://github.com/github-developer/self-hosted-runners-anthos).\n\n## Deployment\n\n1. Follow the instructions in the [GitHub documentation](https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/authenticating-to-the-github-api#authenticating-arc-with-a-github-app) to create a GitHub App for authenticating ARC\n\n1. Gather the values for your GitHub App ID, GitHub App Installation ID, and GitHub App Private Key from the instructions linked above.\n\n1. Substitute your values into the example [`main.tf`](main.tf). Modify any other values as needed. For a full list of available variables, refer to the [module documentation](../../modules/gh-runner-gke/).\n\n1. Execute Terraform commands to create the required resources.\n```sh\nterraform init\nterraform apply\n```\n\n1. Your runners should become active at `https://github.com/organizations/ORGANIZATION/settings/actions/runners`.\n\n\n## Inputs\n\n| Name | Description | Type | Default | Required |\n|------|-------------|------|---------|:--------:|\n| project\\_id | The project id to deploy Github Runner MIG | `string` | n/a | yes |\n\n## Outputs\n\n| Name | Description |\n|------|-------------|\n| cluster\\_name | Cluster name |\n| location | Cluster location |\n| project\\_id | The project in which resources are created |\n| service\\_account | The default service account used for running nodes. |\n\n\n" }, { "path": "examples/gh-runner-gke-dind/main.tf", "content": "/**\n * Copyright 2020 Google LLC\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nmodule \"runner-gke\" {\n source = \"terraform-google-modules/github-actions-runners/google//modules/gh-runner-gke\"\n version = \"~> 5.0\"\n\n project_id = var.project_id\n create_network = true\n network_name = \"runner-network-dind\"\n subnet_name = \"runner-subnet-dind\"\n cluster_suffix = \"dind\"\n gh_app_id = \"123456\"\n gh_app_installation_id = \"12345678\"\n gh_app_private_key = \"sample\"\n gh_config_url = \"https://github.com/ORGANIZATION\"\n arc_container_mode = \"dind\"\n enable_private_nodes = true\n}\n" }, { "path": "examples/gh-runner-gke-dind/outputs.tf", "content": "/**\n * Copyright 2020 Google LLC\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\noutput \"service_account\" {\n description = \"The default service account used for running nodes.\"\n value = module.runner-gke.service_account\n}\n\noutput \"cluster_name\" {\n description = \"Cluster name\"\n value = module.runner-gke.cluster_name\n}\n\noutput \"location\" {\n description = \"Cluster location\"\n value = module.runner-gke.location\n}\n\noutput \"project_id\" {\n value = var.project_id\n description = \"The project in which resources are created\"\n}\n" }, { "path": "examples/gh-runner-gke-dind/providers.tf", "content": "/**\n * Copyright 2020 Google LLC\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\n/*****************************************\n Kubernetes provider configuration\n *****************************************/\n\ndata \"google_client_config\" \"default\" {\n}\n\nprovider \"kubernetes\" {\n host = \"https://${module.runner-gke.kubernetes_endpoint}\"\n token = data.google_client_config.default.access_token\n cluster_ca_certificate = base64decode(module.runner-gke.ca_certificate)\n}\n\nprovider \"helm\" {\n kubernetes = {\n host = \"https://${module.runner-gke.kubernetes_endpoint}\"\n token = data.google_client_config.default.access_token\n cluster_ca_certificate = base64decode(module.runner-gke.ca_certificate)\n exec = {\n api_version = \"client.authentication.k8s.io/v1beta1\"\n command = \"gke-gcloud-auth-plugin\"\n }\n }\n}\n" }, { "path": "examples/gh-runner-gke-dind/variables.tf", "content": "/**\n * Copyright 2020 Google LLC\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\nvariable \"project_id\" {\n type = string\n description = \"The project id to deploy Github Runner MIG\"\n}\n" }, { "path": "examples/gh-runner-gke-dind/versions.tf", "content": "/**\n * Copyright 2020 Google LLC\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nterraform {\n required_providers {\n google = {\n source = \"hashicorp/google\"\n }\n google-beta = {\n source = \"hashicorp/google-beta\"\n }\n kubernetes = {\n source = \"hashicorp/kubernetes\"\n version = \"~> 2.0\"\n }\n }\n required_version = \">= 0.13\"\n}\n" }, { "path": "examples/gh-runner-gke-dind-rootless/README.md", "content": "# Self Hosted runners on GKE that support dind-rootless\n\n## Overview\n\nThis example shows how to deploy runners that support Docker Workflows on GKE in a rootless configuration. This example is based on the instructions published in [Deploying GitHub Action Runners on GKE with dind-rootless](https://medium.com/google-cloud/github-action-runners-on-gke-with-dind-rootless-bd54e23516c9).\n\nMore examples of [Self Hosted Runners on GKE/Anthos](https://github.com/github-developer/self-hosted-runners-anthos).\n\n## Deployment\n\n1. Follow the instructions in the [GitHub documentation](https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/authenticating-to-the-github-api#authenticating-arc-with-a-github-app) to create a GitHub App for authenticating ARC\n\n1. Gather the values for your GitHub App ID, GitHub App Installation ID, and GitHub App Private Key from the instructions linked above.\n\n1. Substitute your values into the example [`main.tf`](main.tf). Modify any other values as needed. For a full list of available variables, refer to the [module documentation](../../modules/gh-runner-gke/).\n\n1. Execute Terraform commands to create the required resources.\n```sh\nterraform init\nterraform apply\n```\n\n1. Your runners should become active at `https://github.com/organizations/ORGANIZATION/settings/actions/runners`.\n\n\n## Inputs\n\n| Name | Description | Type | Default | Required |\n|------|-------------|------|---------|:--------:|\n| project\\_id | The project id to deploy Github Runner MIG | `string` | n/a | yes |\n\n## Outputs\n\n| Name | Description |\n|------|-------------|\n| cluster\\_name | Cluster name |\n| location | Cluster location |\n| project\\_id | The project in which resources are created |\n| service\\_account | The default service account used for running nodes. |\n\n\n" }, { "path": "examples/gh-runner-gke-dind-rootless/main.tf", "content": "/**\n * Copyright 2020 Google LLC\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nmodule \"runner-gke\" {\n source = \"terraform-google-modules/github-actions-runners/google//modules/gh-runner-gke\"\n version = \"~> 5.0\"\n\n project_id = var.project_id\n create_network = true\n network_name = \"runner-network-dind-r\"\n subnet_name = \"runner-subnet-dind-r\"\n cluster_suffix = \"dind-rootless\"\n gh_app_id = \"123456\"\n gh_app_installation_id = \"12345678\"\n gh_app_private_key = \"sample\"\n gh_config_url = \"https://github.com/ORGANIZATION\"\n enable_private_nodes = true\n\n # pass values.yaml for dind-rootless runners configuratin\n arc_runners_values = [\n file(\"${path.module}/values.yaml\")\n ]\n}\n" }, { "path": "examples/gh-runner-gke-dind-rootless/outputs.tf", "content": "/**\n * Copyright 2020 Google LLC\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\noutput \"service_account\" {\n description = \"The default service account used for running nodes.\"\n value = module.runner-gke.service_account\n}\n\noutput \"cluster_name\" {\n description = \"Cluster name\"\n value = module.runner-gke.cluster_name\n}\n\noutput \"location\" {\n description = \"Cluster location\"\n value = module.runner-gke.location\n}\n\noutput \"project_id\" {\n value = var.project_id\n description = \"The project in which resources are created\"\n}\n" }, { "path": "examples/gh-runner-gke-dind-rootless/providers.tf", "content": "/**\n * Copyright 2020 Google LLC\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\n/*****************************************\n Kubernetes provider configuration\n *****************************************/\n\ndata \"google_client_config\" \"default\" {\n}\n\nprovider \"kubernetes\" {\n host = \"https://${module.runner-gke.kubernetes_endpoint}\"\n token = data.google_client_config.default.access_token\n cluster_ca_certificate = base64decode(module.runner-gke.ca_certificate)\n}\n\nprovider \"helm\" {\n kubernetes = {\n host = \"https://${module.runner-gke.kubernetes_endpoint}\"\n token = data.google_client_config.default.access_token\n cluster_ca_certificate = base64decode(module.runner-gke.ca_certificate)\n exec = {\n api_version = \"client.authentication.k8s.io/v1beta1\"\n command = \"gke-gcloud-auth-plugin\"\n }\n }\n}\n" }, { "path": "examples/gh-runner-gke-dind-rootless/values.yaml", "content": "# Copyright 2024 Google LLC\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n# http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\n## githubConfigUrl is the GitHub url for where you want to configure runners\n## ex: https://github.com/myorg/myrepo or https://github.com/myorg\n## githubConfigUrl: \"https://github.com/[user]/[repo]\"\n## Note: specified on command line outside of values.yml\n\n## githubConfigSecret is the k8s secrets to use when auth with GitHub API.\n## You can choose to use GitHub App or a PAT token\n## githubConfigSecret: \"my-token\"\n## Note: specified on command line outside of values.yml\n\n## maxRunners is the max number of runners the autoscaling runner set will scale up to.\nmaxRunners: 5\n\n## minRunners is the min number of idle runners. The target number of runners created will be\n## calculated as a sum of minRunners and the number of jobs assigned to the scale set.\nminRunners: 0\n\n#runnerGroup: \"my-custom-runner-group\"\n\n## name of the runner scale set to create. Defaults to the helm release name\nrunnerScaleSetName: \"arc-runner-set\"\n\n## template is the PodSpec for each runner Pod\n## For reference: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#PodSpec\ntemplate:\n spec:\n initContainers:\n - name: init-dind-externals\n image: ghcr.io/actions/actions-runner:latest\n command: [\"cp\", \"-r\", \"-v\", \"/home/runner/externals/.\", \"/home/runner/tmpDir/\"]\n volumeMounts:\n - name: dind-externals\n mountPath: /home/runner/tmpDir\n - name: init-dind-rootless\n image: docker:dind-rootless\n command:\n - sh\n - -c\n - |\n set -x\n cp -a /etc/. /dind-etc/\n echo 'runner:x:1001:1001:runner:/home/runner:/bin/ash' >> /dind-etc/passwd\n echo 'runner:x:1001:' >> /dind-etc/group\n echo 'runner:100000:65536' >> /dind-etc/subgid\n echo 'runner:100000:65536' >> /dind-etc/subuid\n chmod 755 /dind-etc;\n chmod u=rwx,g=rx+s,o=rx /dind-home\n chown 1001:1001 /dind-home\n securityContext:\n runAsUser: 0\n volumeMounts:\n - mountPath: /dind-etc\n name: dind-etc\n - mountPath: /dind-home\n name: dind-home\n containers:\n - name: runner\n image: ghcr.io/actions/actions-runner:latest\n command: [\"/home/runner/run.sh\"]\n env:\n - name: DOCKER_HOST\n value: unix:///home/runner/var/run/docker.sock\n securityContext:\n privileged: true\n runAsUser: 1001\n runAsGroup: 1001\n volumeMounts:\n - name: work\n mountPath: /home/runner/_work\n - name: dind-sock\n mountPath: /home/runner/var/run\n - name: dind\n image: docker:dind-rootless\n args: [\"dockerd\", \"--host=unix:///home/runner/var/run/docker.sock\"]\n securityContext:\n privileged: true\n runAsUser: 1001\n runAsGroup: 1001\n volumeMounts:\n - name: work\n mountPath: /home/runner/_work\n - name: dind-sock\n mountPath: /home/runner/var/run\n - name: dind-externals\n mountPath: /home/runner/externals\n - name: dind-etc\n mountPath: /etc\n - name: dind-home\n mountPath: /home/runner\n volumes:\n - name: work\n emptyDir: {}\n - name: dind-externals\n emptyDir: {}\n - name: dind-sock\n emptyDir: {}\n - name: dind-etc\n emptyDir: {}\n - name: dind-home\n emptyDir: {}\n" }, { "path": "examples/gh-runner-gke-dind-rootless/variables.tf", "content": "/**\n * Copyright 2020 Google LLC\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\nvariable \"project_id\" {\n type = string\n description = \"The project id to deploy Github Runner MIG\"\n}\n" }, { "path": "examples/gh-runner-gke-dind-rootless/versions.tf", "content": "/**\n * Copyright 2020 Google LLC\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nterraform {\n required_providers {\n google = {\n source = \"hashicorp/google\"\n }\n google-beta = {\n source = \"hashicorp/google-beta\"\n }\n kubernetes = {\n source = \"hashicorp/kubernetes\"\n version = \"~> 2.0\"\n }\n }\n required_version = \">= 0.13\"\n}\n" }, { "path": "examples/gh-runner-gke-simple/.dockerignore", "content": ".terraform\n*.tf*\n*.tfvars\n" }, { "path": "examples/gh-runner-gke-simple/.gcloudignore", "content": ".terraform\n*.tfstate\n*.tf\n*.out\nsample-manifests\n" }, { "path": "examples/gh-runner-gke-simple/README.md", "content": "# Simple Self Hosted runners on GKE\n\n## Overview\n\nThis example shows how to deploy ARC runners on GKE.\n\nMore examples of [Self Hosted Runners on GKE/Anthos](https://github.com/github-developer/self-hosted-runners-anthos).\n\n## Deployment\n\n1. Follow the instructions in the [GitHub documentation](https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/authenticating-to-the-github-api#authenticating-arc-with-a-github-app) to create a GitHub App for authenticating ARC\n\n1. Gather the values for your GitHub App ID, GitHub App Installation ID, and GitHub App Private Key from the instructions linked above.\n\n1. Substitute your values into the example [`main.tf`](main.tf). Modify any other values as needed. For a full list of available variables, refer to the [module documentation](../../modules/gh-runner-gke/).\n\n1. Execute Terraform commands to create the required resources.\n```sh\nterraform init\nterraform apply\n```\n\n1. Your runners should become active at `https://github.com/organizations/ORGANIZATION/settings/actions/runners`.\n\n\n## Inputs\n\n| Name | Description | Type | Default | Required |\n|------|-------------|------|---------|:--------:|\n| project\\_id | The project id to deploy Github Runner MIG | `string` | n/a | yes |\n\n## Outputs\n\n| Name | Description |\n|------|-------------|\n| cluster\\_name | Cluster name |\n| location | Cluster location |\n| network\\_name | Name of VPC |\n| project\\_id | The project in which resources are created |\n| service\\_account | The default service account used for running nodes. |\n| subnet\\_name | Name of VPC |\n\n\n" }, { "path": "examples/gh-runner-gke-simple/main.tf", "content": "/**\n * Copyright 2020 Google LLC\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nmodule \"runner-gke\" {\n source = \"terraform-google-modules/github-actions-runners/google//modules/gh-runner-gke\"\n version = \"~> 5.0\"\n\n project_id = var.project_id\n create_network = true\n cluster_suffix = \"k8s\"\n gh_app_id = \"123456\"\n gh_app_installation_id = \"12345678\"\n gh_app_private_key = \"sample\"\n gh_config_url = \"https://github.com/ORGANIZATION\"\n}\n" }, { "path": "examples/gh-runner-gke-simple/outputs.tf", "content": "/**\n * Copyright 2020 Google LLC\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\noutput \"service_account\" {\n description = \"The default service account used for running nodes.\"\n value = module.runner-gke.service_account\n}\n\noutput \"cluster_name\" {\n description = \"Cluster name\"\n value = module.runner-gke.cluster_name\n}\n\noutput \"network_name\" {\n description = \"Name of VPC\"\n value = module.runner-gke.network_name\n}\n\noutput \"subnet_name\" {\n description = \"Name of VPC\"\n value = module.runner-gke.subnet_name\n}\n\noutput \"location\" {\n description = \"Cluster location\"\n value = module.runner-gke.location\n}\n\noutput \"project_id\" {\n value = var.project_id\n description = \"The project in which resources are created\"\n}\n" }, { "path": "examples/gh-runner-gke-simple/providers.tf", "content": "/**\n * Copyright 2020 Google LLC\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\n/*****************************************\n Kubernetes provider configuration\n *****************************************/\n\ndata \"google_client_config\" \"default\" {\n}\n\nprovider \"kubernetes\" {\n host = \"https://${module.runner-gke.kubernetes_endpoint}\"\n token = data.google_client_config.default.access_token\n cluster_ca_certificate = base64decode(module.runner-gke.ca_certificate)\n}\n\nprovider \"helm\" {\n kubernetes = {\n host = \"https://${module.runner-gke.kubernetes_endpoint}\"\n token = data.google_client_config.default.access_token\n cluster_ca_certificate = base64decode(module.runner-gke.ca_certificate)\n exec = {\n api_version = \"client.authentication.k8s.io/v1beta1\"\n command = \"gke-gcloud-auth-plugin\"\n }\n }\n}\n" }, { "path": "examples/gh-runner-gke-simple/variables.tf", "content": "/**\n * Copyright 2020 Google LLC\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nvariable \"project_id\" {\n type = string\n description = \"The project id to deploy Github Runner MIG\"\n}\n" }, { "path": "examples/gh-runner-gke-simple/versions.tf", "content": "/**\n * Copyright 2020 Google LLC\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nterraform {\n required_providers {\n google = {\n source = \"hashicorp/google\"\n }\n google-beta = {\n source = \"hashicorp/google-beta\"\n }\n kubernetes = {\n source = \"hashicorp/kubernetes\"\n version = \"~> 2.0\"\n }\n }\n required_version = \">= 0.13\"\n}\n" }, { "path": "examples/gh-runner-mig-container-vm-dind/.dockerignore", "content": ".terraform\n*.tf*\n*.tfvars\n" }, { "path": "examples/gh-runner-mig-container-vm-dind/.gcloudignore", "content": ".terraform\n*.tfstate\n*.tf\n*.out\n" }, { "path": "examples/gh-runner-mig-container-vm-dind/Dockerfile", "content": "# Copyright 2020 Google LLC\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n# https://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n# Download and verify the integrity of the download first\n\nFROM ubuntu:24.04\nRUN apt-get update && \\\n apt-get -y install apt-transport-https \\\n ca-certificates \\\n curl \\\n tar \\\n jq \\\n build-essential \\\n gnupg2 \\\n iputils-ping \\\n software-properties-common\n\nRUN curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add - && \\\n add-apt-repository \"deb [arch=amd64] https://download.docker.com/linux/ubuntu bionic stable\" && \\\n apt-get update && \\\n apt-get -y install docker-ce\n\nARG GH_RUNNER_VERSION=\"2.169.0\"\nWORKDIR /runner\nRUN curl -o actions.tar.gz --location \"https://github.com/actions/runner/releases/download/v${GH_RUNNER_VERSION}/actions-runner-linux-x64-${GH_RUNNER_VERSION}.tar.gz\" && \\\n tar -zxf actions.tar.gz && \\\n rm -f actions.tar.gz && \\\n ./bin/installdependencies.sh\n\nCOPY entrypoint.sh .\nENV RUNNER_ALLOW_RUNASROOT=1\nRUN chmod +x entrypoint.sh\nENTRYPOINT [\"/runner/entrypoint.sh\"]\n" }, { "path": "examples/gh-runner-mig-container-vm-dind/README.md", "content": "# Example Runners on MIG Container VM that support Docker Workflows\n\n## Overview\n\nThis example shows how to deploy a runner that supports Docker Workflows on GCE Container VM.\n\n## Steps to deploy this example\n\n- Step 1: Build the example runner image using Google Cloud Build. Alternatively, you can also use a prebuilt image or build using a local docker daemon.\n\n```sh\n$ gcloud config set project $PROJECT_ID\n$ gcloud services enable containerregistry.googleapis.com cloudbuild.googleapis.com\n$ gcloud builds submit --config=cloudbuild.yaml\n```\n\n- Step 2: Create terraform.tfvars file with the necessary values.\n\nAccess tokens require repo scope for private repos and public_repo scope for public repos. GitHub Apps must have the administration permission to use this API. Authenticated users must have admin access to the repository to use this API.\n\nMore info can be found [here](https://developer.github.com/v3/actions/self_hosted_runners/).\n\n```tf\nproject_id = \"your-project-id\"\nimage = \"your-image-registry/image:tag\"\ngh_token = \"your-github-token\"\nrepo_url = \"https://github.com/owner/your-repo-name\"\nrepo_name = \"your-repo-name\"\nrepo_owner = \"owner\"\n```\n\n- Step 3: Create the infrastructure.\n\n```sh\n$ terraform init\n$ terraform plan\n$ terraform apply\n```\n\n- Step 4: Your runners should become active at https://github.com/owner/your-repo-name/settings/actions.\n\n\n\n## Inputs\n\n| Name | Description | Type | Default | Required |\n|------|-------------|------|---------|:--------:|\n| gh\\_token | Github token that is used for generating Self Hosted Runner Token | `string` | n/a | yes |\n| image | The github runner image | `string` | n/a | yes |\n| project\\_id | The project id to deploy Github Runner MIG | `string` | n/a | yes |\n| repo\\_name | Name of the repo for the Github Action | `string` | n/a | yes |\n| repo\\_owner | Owner of the repo for the Github Action | `string` | n/a | yes |\n| repo\\_url | Repo URL for the Github Action | `string` | n/a | yes |\n\n## Outputs\n\n| Name | Description |\n|------|-------------|\n| mig\\_instance\\_group | The instance group url of the created MIG |\n| mig\\_name | The name of the MIG |\n\n\n" }, { "path": "examples/gh-runner-mig-container-vm-dind/cloudbuild.yaml", "content": "# Copyright 2020 Google LLC\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n# https://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\nsteps:\n - name: \"gcr.io/cloud-builders/docker\"\n args:\n [\n \"build\",\n \"-t\",\n \"gcr.io/$PROJECT_ID/runner:latest\",\n \"-t\",\n \"gcr.io/$PROJECT_ID/runner:0.1\",\n \".\",\n ]\nimages:\n - \"gcr.io/$PROJECT_ID/runner\"\n" }, { "path": "examples/gh-runner-mig-container-vm-dind/entrypoint.sh", "content": "#!/bin/bash\n# Copyright 2020 Google LLC\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n# http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\n#remove runner on stop signal\nremove_runner() {\n /runner/config.sh remove --unattended --token \"$(curl -sS --request POST --url \"https://api.github.com/repos/${REPO_OWNER}/${REPO_NAME}/actions/runners/remove-token\" --header \"authorization: Bearer ${GITHUB_TOKEN}\" --header \"content-type: application/json\" | jq -r .token)\"\n exit 0\n}\n\n#Trap SIGTERM\ntrap 'remove_runner' SIGTERM\n#Trap SIGINT\ntrap 'remove_runner' SIGINT\n\n\n# shellcheck disable=SC2034\n#ACTIONS_RUNNER_INPUT_NAME is read by config.sh\n#set name for this runner as the hostname\nACTIONS_RUNNER_INPUT_NAME=$HOSTNAME\n#get regsistration token for this runnner\nACTIONS_RUNNER_INPUT_TOKEN=\"$(curl -sS --request POST --url \"https://api.github.com/repos/${REPO_OWNER}/${REPO_NAME}/actions/runners/registration-token\" --header \"authorization: Bearer ${GITHUB_TOKEN}\" --header 'content-type: application/json' | jq -r .token)\"\n#configure runner\n/runner/config.sh --unattended --replace --work \"/tmp\" --url \"$ACTIONS_RUNNER_INPUT_URL\" --token \"$ACTIONS_RUNNER_INPUT_TOKEN\"\n#start runner\n#https://github.com/actions/runner/issues/246#issuecomment-615293718\n/runner/bin/runsvc.sh & wait $!\n" }, { "path": "examples/gh-runner-mig-container-vm-dind/main.tf", "content": "/**\n * Copyright 2020 Google LLC\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nmodule \"runner-mig-dind\" {\n source = \"terraform-google-modules/github-actions-runners/google//modules/gh-runner-mig-container-vm\"\n version = \"~> 5.0\"\n\n create_network = true\n project_id = var.project_id\n image = var.image\n repo_name = var.repo_name\n repo_url = var.repo_url\n repo_owner = var.repo_owner\n gh_token = var.gh_token\n dind = true\n}\n" }, { "path": "examples/gh-runner-mig-container-vm-dind/outputs.tf", "content": "/**\n * Copyright 2020 Google LLC\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\noutput \"mig_instance_group\" {\n description = \"The instance group url of the created MIG\"\n value = module.runner-mig-dind.mig_instance_group\n}\n\noutput \"mig_name\" {\n description = \"The name of the MIG\"\n value = module.runner-mig-dind.mig_name\n}\n" }, { "path": "examples/gh-runner-mig-container-vm-dind/variables.tf", "content": "/**\n * Copyright 2020 Google LLC\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nvariable \"project_id\" {\n type = string\n description = \"The project id to deploy Github Runner MIG\"\n}\n\nvariable \"image\" {\n type = string\n description = \"The github runner image\"\n}\n\nvariable \"repo_url\" {\n type = string\n description = \"Repo URL for the Github Action\"\n}\n\n\nvariable \"repo_name\" {\n type = string\n description = \"Name of the repo for the Github Action\"\n}\n\n\nvariable \"repo_owner\" {\n type = string\n description = \"Owner of the repo for the Github Action\"\n}\n\nvariable \"gh_token\" {\n type = string\n description = \"Github token that is used for generating Self Hosted Runner Token\"\n}\n" }, { "path": "examples/gh-runner-mig-container-vm-dind/versions.tf", "content": "/**\n * Copyright 2021 Google LLC\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nterraform {\n required_providers {\n google = {\n source = \"hashicorp/google\"\n }\n google-beta = {\n source = \"hashicorp/google-beta\"\n }\n }\n required_version = \">= 0.13\"\n}\n" }, { "path": "examples/gh-runner-mig-container-vm-simple/.dockerignore", "content": ".terraform\n*.tf*\n*.tfvars\n" }, { "path": "examples/gh-runner-mig-container-vm-simple/.gcloudignore", "content": ".terraform\n*.tfstate\n*.tf\n*.out\n" }, { "path": "examples/gh-runner-mig-container-vm-simple/Dockerfile", "content": "# Copyright 2020 Google LLC\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n# https://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n# Download and verify the integrity of the download first\n\nFROM ubuntu:24.04\n\nRUN apt-get update && \\\n apt-get -y install curl \\\n iputils-ping \\\n tar \\\n jq\n\nARG GH_RUNNER_VERSION=\"2.169.0\"\nWORKDIR /runner\nRUN curl -o actions.tar.gz --location \"https://github.com/actions/runner/releases/download/v${GH_RUNNER_VERSION}/actions-runner-linux-x64-${GH_RUNNER_VERSION}.tar.gz\" && \\\n tar -zxf actions.tar.gz && \\\n rm -f actions.tar.gz && \\\n ./bin/installdependencies.sh\n\nCOPY entrypoint.sh .\nRUN chmod +x entrypoint.sh\n\nRUN useradd ghrunner && chown -R ghrunner: /runner\nUSER ghrunner\nENTRYPOINT [\"/runner/entrypoint.sh\"]\n" }, { "path": "examples/gh-runner-mig-container-vm-simple/README.md", "content": "# Example Runners on MIG Container VM\n\n## Overview\n\nThis example shows how to deploy a runner on GCE Container VM.\n\n## Steps to deploy this example\n\n- Step 1: Build the example runner image using Google Cloud Build. Alternatively, you can also use a prebuilt image or build using a local docker daemon.\n\n```sh\n$ gcloud config set project $PROJECT_ID\n$ gcloud services enable containerregistry.googleapis.com cloudbuild.googleapis.com\n$ gcloud builds submit --config=cloudbuild.yaml\n```\n\n- Step 2: Create terraform.tfvars file with the necessary values.\n\nAccess tokens require repo scope for private repos and public_repo scope for public repos. GitHub Apps must have the administration permission to use this API. Authenticated users must have admin access to the repository to use this API.\n\nMore info can be found [here](https://developer.github.com/v3/actions/self_hosted_runners/).\n\n```tf\nproject_id = \"your-project-id\"\nimage = \"your-image-registry/image:tag\"\ngh_token = \"your-github-token\"\nrepo_url = \"https://github.com/owner/your-repo-name\"\nrepo_name = \"your-repo-name\"\nrepo_owner = \"owner\"\n```\n\n- Step 3: Create the infrastructure.\n\n```sh\n$ terraform init\n$ terraform plan\n$ terraform apply\n```\n\n- Step 4: Your runners should become active at https://github.com/owner/your-repo-name/settings/actions.\n\n\n\n## Inputs\n\n| Name | Description | Type | Default | Required |\n|------|-------------|------|---------|:--------:|\n| gh\\_token | Github token that is used for generating Self Hosted Runner Token | `string` | n/a | yes |\n| image | The github runner image | `string` | n/a | yes |\n| project\\_id | The project id to deploy Github Runner MIG | `string` | n/a | yes |\n| repo\\_name | Name of the repo for the Github Action | `string` | n/a | yes |\n| repo\\_owner | Owner of the repo for the Github Action | `string` | n/a | yes |\n| repo\\_url | Repo URL for the Github Action | `string` | n/a | yes |\n\n## Outputs\n\n| Name | Description |\n|------|-------------|\n| mig\\_instance\\_group | The instance group url of the created MIG |\n| mig\\_instance\\_template | The name of the MIG Instance Template |\n| mig\\_name | The name of the MIG |\n| service\\_account | Service account email for GCE |\n\n\n" }, { "path": "examples/gh-runner-mig-container-vm-simple/cloudbuild.yaml", "content": "# Copyright 2020 Google LLC\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n# https://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\nsteps:\n - name: \"gcr.io/cloud-builders/docker\"\n args:\n [\n \"build\",\n \"-t\",\n \"gcr.io/$PROJECT_ID/runner:latest\",\n \"-t\",\n \"gcr.io/$PROJECT_ID/runner:0.1\",\n \".\",\n ]\nimages:\n - \"gcr.io/$PROJECT_ID/runner\"\n" }, { "path": "examples/gh-runner-mig-container-vm-simple/entrypoint.sh", "content": "#!/bin/bash\n# Copyright 2020 Google LLC\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n# http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\n#remove runner on stop signal\nremove_runner() {\n /runner/config.sh remove --unattended --token \"$(curl -sS --request POST --url \"https://api.github.com/repos/${REPO_OWNER}/${REPO_NAME}/actions/runners/remove-token\" --header \"authorization: Bearer ${GITHUB_TOKEN}\" --header \"content-type: application/json\" | jq -r .token)\"\n exit 0\n}\n\n#Trap SIGTERM\ntrap 'remove_runner' SIGTERM\n#Trap SIGINT\ntrap 'remove_runner' SIGINT\n#set name for this runner as the hostname\n# shellcheck disable=SC2034\n# ACTIONS_RUNNER_INPUT_NAME is used by config.sh\nACTIONS_RUNNER_INPUT_NAME=$HOSTNAME\n#get regsistration token for this runnner\nACTIONS_RUNNER_INPUT_TOKEN=\"$(curl -sS --request POST --url \"https://api.github.com/repos/${REPO_OWNER}/${REPO_NAME}/actions/runners/registration-token\" --header \"authorization: Bearer ${GITHUB_TOKEN}\" --header 'content-type: application/json' | jq -r .token)\"\n#configure runner\n/runner/config.sh --unattended --work \"/tmp\" --url \"$ACTIONS_RUNNER_INPUT_URL\" --token \"$ACTIONS_RUNNER_INPUT_TOKEN\"\n#start runner\n#https://github.com/actions/runner/issues/246#issuecomment-615293718\n/runner/bin/runsvc.sh & wait $!\n" }, { "path": "examples/gh-runner-mig-container-vm-simple/main.tf", "content": "/**\n * Copyright 2020 Google LLC\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nmodule \"runner-mig\" {\n source = \"terraform-google-modules/github-actions-runners/google//modules/gh-runner-mig-container-vm\"\n version = \"~> 5.0\"\n\n create_network = true\n project_id = var.project_id\n image = var.image\n repo_name = var.repo_name\n repo_owner = var.repo_owner\n repo_url = var.repo_url\n gh_token = var.gh_token\n}\n" }, { "path": "examples/gh-runner-mig-container-vm-simple/outputs.tf", "content": "/**\n * Copyright 2020 Google LLC\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\noutput \"mig_instance_group\" {\n description = \"The instance group url of the created MIG\"\n value = module.runner-mig.mig_instance_group\n}\n\noutput \"mig_name\" {\n description = \"The name of the MIG\"\n value = module.runner-mig.mig_name\n}\n\noutput \"service_account\" {\n description = \"Service account email for GCE\"\n value = module.runner-mig.service_account\n}\n\noutput \"mig_instance_template\" {\n description = \"The name of the MIG Instance Template\"\n value = module.runner-mig.mig_instance_template\n}\n" }, { "path": "examples/gh-runner-mig-container-vm-simple/variables.tf", "content": "/**\n * Copyright 2020 Google LLC\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nvariable \"project_id\" {\n type = string\n description = \"The project id to deploy Github Runner MIG\"\n}\n\nvariable \"image\" {\n type = string\n description = \"The github runner image\"\n}\n\nvariable \"repo_url\" {\n type = string\n description = \"Repo URL for the Github Action\"\n}\nvariable \"repo_name\" {\n type = string\n description = \"Name of the repo for the Github Action\"\n}\n\nvariable \"repo_owner\" {\n type = string\n description = \"Owner of the repo for the Github Action\"\n}\n\nvariable \"gh_token\" {\n type = string\n description = \"Github token that is used for generating Self Hosted Runner Token\"\n}\n" }, { "path": "examples/gh-runner-mig-container-vm-simple/versions.tf", "content": "/**\n * Copyright 2021 Google LLC\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nterraform {\n required_providers {\n google = {\n source = \"hashicorp/google\"\n }\n google-beta = {\n source = \"hashicorp/google-beta\"\n }\n }\n required_version = \">= 0.13\"\n}\n" }, { "path": "examples/gh-runner-mig-native-packer/.gcloudignore", "content": ".terraform\n*.tfstate\n*.tf\n*.out\n" }, { "path": "examples/gh-runner-mig-native-packer/README.md", "content": "# Example Runners that support Docker Workflows\n\n## Overview\n\nThis example showcases how to use Packer to pre-bake a Google VM Image with the necessary toolchain including Github Actions Runner and deploy this image using the `gh-runner-mig` module.\n\nWe use startup/shutdown scripts to register the runner when it comes online and de-register when it is shut down.\n\nIn this example, Packer creates a VM image that has the following:\n\n- curl\n- jq\n- Docker\n- Github Actions Runner\n\n## Steps to deploy this example\n\n- Step 1: Enable APIs necessary to build an GCE VM image using Packer and Google Cloud Build.\n\n```sh\n$ gcloud config set project $PROJECT_ID\n$ gcloud services enable compute.googleapis.com cloudbuild.googleapis.com\n```\n\n\n- Step 2: Give Cloud Build Service Account necessary permissions to create a new GCE VM Image using Packer.\n\n```sh\n$ CLOUD_BUILD_ACCOUNT=$(gcloud projects get-iam-policy $PROJECT_ID --filter=\"(bindings.role:roles/cloudbuild.builds.builder)\" --flatten=\"bindings[].members\" --format=\"value(bindings.members[])\")\n$ gcloud projects add-iam-policy-binding $PROJECT_ID --member $CLOUD_BUILD_ACCOUNT --role roles/compute.instanceAdmin.v1\n$ gcloud projects add-iam-policy-binding $PROJECT_ID --member $CLOUD_BUILD_ACCOUNT --role roles/iam.serviceAccountUser\n```\n\n- Step 3: Build GCE VM image. When the build finishes, the image id of the form `gh-actions-image-*` will be displayed. We will use this in the tfvars we create in step 4.\n\n```sh\n$ gcloud builds submit --config=cloudbuild.yaml\n```\n\n- Step 4: Create terraform.tfvars file with the necessary values.\n\nAccess tokens require repo scope for private repos and public_repo scope for public repos. GitHub Apps must have the administration permission to use this API. Authenticated users must have admin access to the repository to use this API.\n\nMore info can be found [here](https://developer.github.com/v3/actions/self_hosted_runners/)\n\n```tf\nproject_id = \"your-project-id\"\nsource_image = \"image-id-from-step-3\"\ngh_token = \"your-github-token\"\nrepo_url = \"https://github.com/owner/your-repo-name\"\nrepo_name = \"your-repo-name\"\nrepo_owner = \"owner\"\n```\n\n- Step 5: Create the infrastructure\n\n```sh\n$ terraform init\n$ terraform plan\n$ terraform apply\n```\n\n- Step 4: Your runners should become active at https://github.com/owner/your-repo-name/settings/actions.\n\n\n\n## Inputs\n\n| Name | Description | Type | Default | Required |\n|------|-------------|------|---------|:--------:|\n| gh\\_token | Github token that is used for generating Self Hosted Runner Token | `string` | n/a | yes |\n| project\\_id | The project id to deploy Github Runner MIG | `string` | n/a | yes |\n| repo\\_name | Name of the repo for the Github Action | `string` | n/a | yes |\n| repo\\_owner | Owner of the repo for the Github Action | `string` | n/a | yes |\n| source\\_image | Source disk image | `string` | n/a | yes |\n| source\\_image\\_project | Project where the source image comes from | `string` | `null` | no |\n\n## Outputs\n\n| Name | Description |\n|------|-------------|\n| mig\\_instance\\_group | The instance group url of the created MIG |\n| mig\\_instance\\_template | The name of the MIG Instance Template |\n| mig\\_name | The name of the MIG |\n| service\\_account | Service account email for GCE |\n\n\n" }, { "path": "examples/gh-runner-mig-native-packer/cloudbuild.yaml", "content": "# Copyright 2020 Google LLC\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n# https://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\nsteps:\n - name: \"hashicorp/packer:1.14.1\"\n args:\n - build\n - -var\n - project_id=$PROJECT_ID\n - packer.json\n" }, { "path": "examples/gh-runner-mig-native-packer/main.tf", "content": "/**\n * Copyright 2020 Google LLC\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nmodule \"runner-mig\" {\n source = \"terraform-google-modules/github-actions-runners/google//modules/gh-runner-mig-vm\"\n version = \"~> 5.0\"\n\n create_network = true\n project_id = var.project_id\n repo_name = var.repo_name\n repo_owner = var.repo_owner\n gh_token = var.gh_token\n startup_script = file(\"${path.cwd}/startup.sh\")\n shutdown_script = file(\"${path.cwd}/shutdown.sh\")\n source_image_project = var.source_image_project != null ? var.source_image_project : var.project_id\n source_image = var.source_image\n}\n" }, { "path": "examples/gh-runner-mig-native-packer/outputs.tf", "content": "/**\n * Copyright 2020 Google LLC\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\noutput \"mig_instance_group\" {\n description = \"The instance group url of the created MIG\"\n value = module.runner-mig.mig_instance_group\n}\n\noutput \"mig_name\" {\n description = \"The name of the MIG\"\n value = module.runner-mig.mig_name\n}\n\noutput \"service_account\" {\n description = \"Service account email for GCE\"\n value = module.runner-mig.service_account\n}\n\noutput \"mig_instance_template\" {\n description = \"The name of the MIG Instance Template\"\n value = module.runner-mig.mig_instance_template\n}\n" }, { "path": "examples/gh-runner-mig-native-packer/packer.json", "content": "{\n \"variables\": {\n \"source_image_family\": \"ubuntu-1804-lts\",\n \"source_image_project_id\": \"ubuntu-os-cloud\",\n \"machine_type\": \"n1-standard-4\",\n \"disk_size\": \"50\",\n \"disk_type\": \"pd-ssd\",\n \"image_name\": \"gh-actions-image-{{timestamp}}\",\n \"image_family\": \"gh-actions-image\",\n \"ssh_username\": \"ubuntu\",\n \"region\": \"us-central1\",\n \"zone\": \"us-central1-a\",\n \"project_id\": \"{{env `PACKER_PROJECT_ID`}}\",\n \"gh_runner_version\": \"2.168.0\"\n },\n \"builders\": [\n {\n \"type\": \"googlecompute\",\n \"project_id\": \"{{user `project_id`}}\",\n \"source_image_family\": \"{{user `source_image_family`}}\",\n \"source_image_project_id\": \"{{user `source_image_project_id`}}\",\n \"zone\": \"{{user `zone`}}\",\n \"machine_type\": \"{{user `machine_type`}}\",\n \"disk_size\": \"{{user `disk_size`}}\",\n \"ssh_username\": \"{{user `ssh_username`}}\",\n \"image_name\": \"{{user `image_name`}}\",\n \"image_family\": \"{{user `source_image_family`}}\",\n \"disable_default_service_account\": false,\n \"metadata\": {\n \"enable-oslogin\": \"true\",\n \"new_nodes_topic\": \"new-instances-0001\"\n }\n }\n ],\n \"provisioners\": [\n {\n \"type\": \"shell\",\n \"environment_vars\": [\"DEBIAN_FRONTEND=noninteractive\"],\n \"inline\": [\n \"apt-get update\",\n \"apt-get dist-upgrade -y\",\n \"apt-get install -y apt-transport-https ca-certificates curl tar jq build-essential gnupg2 software-properties-common\",\n \"curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -\",\n \"add-apt-repository \\\"deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable\\\"\",\n \"apt-get update\",\n \"apt-get install -y docker-ce\",\n \"usermod -aG docker ubuntu\"\n ],\n \"execute_command\": \"sudo -S sh -c '{{ .Vars }} {{ .Path }}'\"\n },\n {\n \"type\": \"shell\",\n \"environment_vars\": [\"DEBIAN_FRONTEND=noninteractive\"],\n \"inline\": [\n \"curl -o actions.tar.gz --location \\\"https://github.com/actions/runner/releases/download/v{{user `gh_runner_version`}}/actions-runner-linux-x64-{{user `gh_runner_version`}}.tar.gz\\\"\",\n \"mkdir /runner\",\n \"mkdir /runner-tmp\",\n \"tar -zxf actions.tar.gz --directory /runner\",\n \"rm -f actions.tar.gz\",\n \"/runner/bin/installdependencies.sh\"\n ],\n \"execute_command\": \"sudo -S sh -c '{{ .Vars }} {{ .Path }}'\"\n }\n ]\n}\n" }, { "path": "examples/gh-runner-mig-native-packer/shutdown.sh", "content": "#!/bin/bash\n# Copyright 2020 Google LLC\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n# http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\nsecretUri=$(curl -sS \"http://metadata.google.internal/computeMetadata/v1/instance/attributes/secret-id\" -H \"Metadata-Flavor: Google\")\n#secrets URI is of the form projects/$PROJECT_NUMBER/secrets/$SECRET_NAME/versions/$SECRET_VERSION\n#split into array based on `/` delimeter\nIFS=\"/\" read -r -a secretsConfig <<< \"$secretUri\"\n#get SECRET_NAME and SECRET_VERSION\nSECRET_NAME=${secretsConfig[3]}\nSECRET_VERSION=${secretsConfig[5]}\n#access secret from secretsmanager\nsecrets=$(gcloud secrets versions access \"$SECRET_VERSION\" --secret=\"$SECRET_NAME\")\n#set secrets as env vars\n# shellcheck disable=SC2046\n# we want to use wordsplitting\nexport $(echo \"$secrets\" | jq -r \"to_entries|map(\\\"\\(.key)=\\(.value|tostring)\\\")|.[]\")\n#stop and uninstall the runner service\ncd /runner || exit\n./svc.sh stop\n./svc.sh uninstall\n#remove the runner configuration\nRUNNER_ALLOW_RUNASROOT=1 /runner/config.sh remove --unattended --token \"$(curl -sS --request POST --url \"https://api.github.com/repos/${REPO_OWNER}/${REPO_NAME}/actions/runners/remove-token\" --header \"authorization: Bearer ${GITHUB_TOKEN}\" --header \"content-type: application/json\" | jq -r .token)\"\n" }, { "path": "examples/gh-runner-mig-native-packer/startup.sh", "content": "#!/bin/bash\n# Copyright 2020 Google LLC\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n# http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\nsecretUri=$(curl -sS \"http://metadata.google.internal/computeMetadata/v1/instance/attributes/secret-id\" -H \"Metadata-Flavor: Google\")\n#secrets URI is of the form projects/$PROJECT_NUMBER/secrets/$SECRET_NAME/versions/$SECRET_VERSION\n#split into array based on `/` delimeter\nIFS=\"/\" read -r -a secretsConfig <<< \"$secretUri\"\n#get SECRET_NAME and SECRET_VERSION\nSECRET_NAME=${secretsConfig[3]}\nSECRET_VERSION=${secretsConfig[5]}\n#access secret from secretsmanager\nsecrets=$(gcloud secrets versions access \"$SECRET_VERSION\" --secret=\"$SECRET_NAME\")\n#set secrets as env vars\n# shellcheck disable=SC2046\n# we want to use wordsplitting\nexport $(echo \"$secrets\" | jq -r \"to_entries|map(\\\"\\(.key)=\\(.value|tostring)\\\")|.[]\")\n#get actions token\n# shellcheck disable=SC2034\n# ACTIONS_RUNNER_INPUT_NAME is used by config.sh\nACTIONS_RUNNER_INPUT_NAME=$HOSTNAME\nACTIONS_RUNNER_INPUT_TOKEN=\"$(curl -sS --request POST --url \"https://api.github.com/repos/${REPO_OWNER}/${REPO_NAME}/actions/runners/registration-token\" --header \"authorization: Bearer ${GITHUB_TOKEN}\" --header 'content-type: application/json' | jq -r .token)\"\n#configure runner\nRUNNER_ALLOW_RUNASROOT=1 /runner/config.sh --unattended --replace --work \"/runner-tmp\" --url \"$REPO_URL\" --token \"$ACTIONS_RUNNER_INPUT_TOKEN\"\n#install and start runner service\ncd /runner || exit\n./svc.sh install\n./svc.sh start\n" }, { "path": "examples/gh-runner-mig-native-packer/variables.tf", "content": "/**\n * Copyright 2020 Google LLC\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nvariable \"project_id\" {\n type = string\n description = \"The project id to deploy Github Runner MIG\"\n}\n\nvariable \"repo_name\" {\n type = string\n description = \"Name of the repo for the Github Action\"\n}\n\nvariable \"repo_owner\" {\n type = string\n description = \"Owner of the repo for the Github Action\"\n}\n\nvariable \"gh_token\" {\n type = string\n description = \"Github token that is used for generating Self Hosted Runner Token\"\n}\n\nvariable \"source_image_project\" {\n type = string\n description = \"Project where the source image comes from\"\n default = null\n}\n\nvariable \"source_image\" {\n type = string\n description = \"Source disk image\"\n}\n\n" }, { "path": "examples/gh-runner-mig-native-packer/versions.tf", "content": "/**\n * Copyright 2020 Google LLC\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nterraform {\n required_providers {\n google = {\n source = \"hashicorp/google\"\n }\n google-beta = {\n source = \"hashicorp/google-beta\"\n }\n }\n required_version = \">= 0.13\"\n}\n" }, { "path": "examples/gh-runner-mig-native-simple/README.md", "content": "# Example Runners that support Docker Workflows\n\n## Overview\n\nThis example showcases how to use startup scripts to deploy runners using the `gh-runner-mig` module.\n\nWe use startup/shutdown scripts to install the runner binary, register the runner when it comes online and de-register when shut down.\n\n## Steps to deploy this example\n\n- Step 1: Create terraform.tfvars file with the necessary values.\n\nAccess tokens require repo scope for private repos and public_repo scope for public repos. GitHub Apps must have the administration permission to use this API. Authenticated users must have admin access to the repository to use this API.\n\nMore info can be found [here](https://developer.github.com/v3/actions/self_hosted_runners/).\n\n```sh\nproject_id = \"your-project-id\"\ngh_token = \"your-github-token\"\nrepo_name = \"your-repo-name\"\nrepo_owner = \"owner\"\n```\n\n- Step 2: Create the infrastructure\n\n```sh\n$ terraform init\n$ terraform plan\n$ terraform apply\n```\n\n- Step 3: Your runners should become active at https://github.com/owner/your-repo-name/settings/actions.\n\n\n\n## Inputs\n\n| Name | Description | Type | Default | Required |\n|------|-------------|------|---------|:--------:|\n| gh\\_token | Github token that is used for generating Self Hosted Runner Token | `string` | n/a | yes |\n| project\\_id | The project id to deploy Github Runner MIG | `string` | n/a | yes |\n| repo\\_name | Name of the repo for the Github Action | `string` | n/a | yes |\n| repo\\_owner | Owner of the repo for the Github Action | `string` | n/a | yes |\n\n## Outputs\n\n| Name | Description |\n|------|-------------|\n| mig\\_instance\\_group | The instance group url of the created MIG |\n| mig\\_instance\\_template | The name of the MIG Instance Template |\n| mig\\_name | The name of the MIG |\n| service\\_account | Service account email for GCE |\n\n\n" }, { "path": "examples/gh-runner-mig-native-simple/main.tf", "content": "/**\n * Copyright 2019 Google LLC\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nmodule \"runner-mig\" {\n source = \"terraform-google-modules/github-actions-runners/google//modules/gh-runner-mig-vm\"\n version = \"~> 5.0\"\n\n create_network = true\n project_id = var.project_id\n repo_name = var.repo_name\n repo_owner = var.repo_owner\n gh_token = var.gh_token\n}\n" }, { "path": "examples/gh-runner-mig-native-simple/outputs.tf", "content": "/**\n * Copyright 2020 Google LLC\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\noutput \"mig_instance_group\" {\n description = \"The instance group url of the created MIG\"\n value = module.runner-mig.mig_instance_group\n}\n\noutput \"mig_name\" {\n description = \"The name of the MIG\"\n value = module.runner-mig.mig_name\n}\n\noutput \"service_account\" {\n description = \"Service account email for GCE\"\n value = module.runner-mig.service_account\n}\n\noutput \"mig_instance_template\" {\n description = \"The name of the MIG Instance Template\"\n value = module.runner-mig.mig_instance_template\n}\n" }, { "path": "examples/gh-runner-mig-native-simple/variables.tf", "content": "/**\n * Copyright 2019 Google LLC\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nvariable \"project_id\" {\n type = string\n description = \"The project id to deploy Github Runner MIG\"\n}\n\nvariable \"repo_name\" {\n type = string\n description = \"Name of the repo for the Github Action\"\n}\n\nvariable \"repo_owner\" {\n type = string\n description = \"Owner of the repo for the Github Action\"\n}\n\nvariable \"gh_token\" {\n type = string\n description = \"Github token that is used for generating Self Hosted Runner Token\"\n}\n" }, { "path": "examples/gh-runner-mig-native-simple/versions.tf", "content": "/**\n * Copyright 2021 Google LLC\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nterraform {\n required_providers {\n google = {\n source = \"hashicorp/google\"\n }\n google-beta = {\n source = \"hashicorp/google-beta\"\n }\n }\n required_version = \">= 0.13\"\n}\n" }, { "path": "examples/oidc-simple/README.md", "content": "# OIDC Simple Example\n\n## Overview\n\nThis example showcases how to configure [Workload Identity Federation](https://cloud.google.com/iam/docs/workload-identity-federation) using the [gh-oidc module](../../modules/gh-oidc/README.md) for a sample Service Account.\n\n\n## Inputs\n\n| Name | Description | Type | Default | Required |\n|------|-------------|------|---------|:--------:|\n| project\\_id | The project id to create WIF pool and example SA | `string` | n/a | yes |\n\n## Outputs\n\n| Name | Description |\n|------|-------------|\n| pool\\_name | Pool name |\n| provider\\_name | Provider name |\n| sa\\_email | Example SA email |\n\n\n" }, { "path": "examples/oidc-simple/main.tf", "content": "/**\n * Copyright 2021 Google LLC\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\n\nresource \"google_service_account\" \"sa\" {\n project = var.project_id\n account_id = \"test-storage-sa\"\n}\n\nresource \"google_project_iam_member\" \"project\" {\n project = var.project_id\n role = \"roles/storage.admin\"\n member = \"serviceAccount:${google_service_account.sa.email}\"\n}\n\nmodule \"oidc\" {\n source = \"terraform-google-modules/github-actions-runners/google//modules/gh-oidc\"\n version = \"~> 5.0\"\n\n project_id = var.project_id\n pool_id = \"example-pool\"\n provider_id = \"example-gh-provider\"\n attribute_condition = \"assertion.repository_owner_id=='1342004'\"\n sa_mapping = {\n (google_service_account.sa.account_id) = {\n sa_name = google_service_account.sa.name\n attribute = \"attribute.repository/user/repo\"\n }\n }\n}\n" }, { "path": "examples/oidc-simple/outputs.tf", "content": "/**\n * Copyright 2021 Google LLC\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\noutput \"pool_name\" {\n description = \"Pool name\"\n value = module.oidc.pool_name\n}\n\noutput \"provider_name\" {\n description = \"Provider name\"\n value = module.oidc.provider_name\n}\n\noutput \"sa_email\" {\n description = \"Example SA email\"\n value = google_service_account.sa.email\n}\n" }, { "path": "examples/oidc-simple/variables.tf", "content": "/**\n * Copyright 2021 Google LLC\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nvariable \"project_id\" {\n type = string\n description = \"The project id to create WIF pool and example SA\"\n}\n" }, { "path": "examples/oidc-simple/versions.tf", "content": "/**\n * Copyright 2021 Google LLC\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nterraform {\n required_providers {\n google = {\n source = \"hashicorp/google\"\n }\n google-beta = {\n source = \"hashicorp/google-beta\"\n }\n }\n required_version = \">= 0.13\"\n}\n" }, { "path": "metadata.yaml", "content": "# Copyright 2022 Google LLC\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n# http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\napiVersion: blueprints.cloud.google.com/v1alpha1\nkind: BlueprintMetadata\nmetadata:\n name: terraform-google-github-actions-runners\n annotations:\n config.kubernetes.io/local-config: \"true\"\nspec:\n title: terraform-google-github-actions-runners\n source:\n repo: https://github.com/terraform-google-modules/terraform-google-github-actions-runners\n sourceType: git\n subBlueprints:\n - name: gh-oidc\n location: modules/gh-oidc\n - name: gh-runner-gke\n location: modules/gh-runner-gke\n - name: gh-runner-mig-container-vm\n location: modules/gh-runner-mig-container-vm\n - name: gh-runner-mig-vm\n location: modules/gh-runner-mig-vm\n examples:\n - name: gh-org-runner-mig-native-simple\n location: examples/gh-org-runner-mig-native-simple\n - name: gh-runner-gke-dind\n location: examples/gh-runner-gke-dind\n - name: gh-runner-gke-simple\n location: examples/gh-runner-gke-simple\n - name: gh-runner-mig-container-vm-dind\n location: examples/gh-runner-mig-container-vm-dind\n - name: gh-runner-mig-container-vm-simple\n location: examples/gh-runner-mig-container-vm-simple\n - name: gh-runner-mig-native-packer\n location: examples/gh-runner-mig-native-packer\n - name: gh-runner-mig-native-simple\n location: examples/gh-runner-mig-native-simple\n - name: oidc-simple\n location: examples/oidc-simple\n roles:\n - level: Project\n roles:\n - roles/owner\n services:\n - cloudresourcemanager.googleapis.com\n - storage-api.googleapis.com\n - iam.googleapis.com\n - container.googleapis.com\n - serviceusage.googleapis.com\n" }, { "path": "modules/gh-oidc/README.md", "content": "## GitHub OIDC\n\nThis module handles the opinionated creation of infrastructure necessary to configure [Workload Identity pools](https://cloud.google.com/iam/docs/workload-identity-federation#pools) and [providers](https://cloud.google.com/iam/docs/workload-identity-federation#providers) for authenticating to GCP using GitHub Actions OIDC tokens.\n\nThis includes:\n\n- Creation of a Workload Identity pool\n- Configuring a Workload Identity provider\n- Granting external identities necessary IAM roles on Service Accounts\n\n### Example Usage\n\n```terraform\nmodule \"gh_oidc\" {\n source = \"terraform-google-modules/github-actions-runners/google//modules/gh-oidc\"\n project_id = var.project_id\n pool_id = \"example-pool\"\n provider_id = \"example-gh-provider\"\n sa_mapping = {\n \"foo-service-account\" = {\n sa_name = \"projects/my-project/serviceAccounts/foo-service-account@my-project.iam.gserviceaccount.com\"\n attribute = \"attribute.repository/${USER/ORG}/\"\n }\n }\n}\n```\n\nBelow are some examples:\n\n### [OIDC Simple](../../examples/oidc-simple/README.md)\n\nThis example shows how to use this module along with a Service Account to access storage buckets.\n\n### GitHub Workflow\n\nOnce provisioned, you can use the [google-github-actions/auth](https://github.com/google-github-actions/auth) Action in a workflow as shown below\n\n```yaml\n# Example workflow\n# .github/workflows/example.yml\n\nname: 'example oidc'\non:\n push:\n branches:\n - 'main'\njobs:\n run:\n name: 'example to list bucket contents'\n permissions:\n id-token: write\n contents: read\n runs-on: 'ubuntu-latest'\n steps:\n - id: 'auth'\n uses: 'google-github-actions/auth@v1'\n with:\n token_format: 'access_token'\n workload_identity_provider: ${{ secrets.PROVIDER_NAME }} # this is the output provider_name from the TF module\n service_account: ${{ secrets.SA_EMAIL }} # this is a SA email configured using the TF module with access to YOUR-GCS-BUCKET\n - id: 'list-buckets-contents'\n run: |-\n curl -sSf https://storage.googleapis.com/storage/v1/b/YOUR-GCS-BUCKET/o \\\n --header \"Authorization: Bearer ${{ steps.auth.outputs.access_token }}\"\n```\n\n\n## Inputs\n\n| Name | Description | Type | Default | Required |\n|------|-------------|------|---------|:--------:|\n| allowed\\_audiences | Workload Identity Pool Provider allowed audiences. | `list(string)` | `[]` | no |\n| attribute\\_condition | Workload Identity Pool Provider attribute condition expression. [More info](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iam_workload_identity_pool_provider#attribute_condition) | `string` | `null` | no |\n| attribute\\_mapping | Workload Identity Pool Provider attribute mapping. [More info](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iam_workload_identity_pool_provider#attribute_mapping) | `map(any)` | 
{
  \"attribute.actor\": \"assertion.actor\",
  \"attribute.aud\": \"assertion.aud\",
  \"attribute.repository\": \"assertion.repository\",
  \"google.subject\": \"assertion.sub\"
}
| no |\n| issuer\\_uri | Workload Identity Pool Issuer URL | `string` | `\"https://token.actions.githubusercontent.com\"` | no |\n| pool\\_description | Workload Identity Pool description | `string` | `\"Workload Identity Pool managed by Terraform\"` | no |\n| pool\\_display\\_name | Workload Identity Pool display name | `string` | `null` | no |\n| pool\\_id | Workload Identity Pool ID | `string` | n/a | yes |\n| project\\_id | The project id to create Workload Identity Pool | `string` | n/a | yes |\n| provider\\_description | Workload Identity Pool Provider description | `string` | `\"Workload Identity Pool Provider managed by Terraform\"` | no |\n| provider\\_display\\_name | Workload Identity Pool Provider display name | `string` | `null` | no |\n| provider\\_id | Workload Identity Pool Provider id | `string` | n/a | yes |\n| sa\\_mapping | Service Account resource names and corresponding WIF provider attributes. If attribute is set to `*` all identities in the pool are granted access to SAs. | 
map(object({
    sa_name   = string
    attribute = string
  }))
| `{}` | no |\n\n## Outputs\n\n| Name | Description |\n|------|-------------|\n| pool\\_name | Pool name |\n| provider\\_name | Provider name |\n\n\n\n## Requirements\n\nBefore this module can be used on a project, you must ensure that the following pre-requisites are fulfilled:\n\n1. Required APIs are activated\n\n ```\n \"iam.googleapis.com\",\n \"cloudresourcemanager.googleapis.com\",\n \"iamcredentials.googleapis.com\",\n \"sts.googleapis.com\",\n ```\n\n1. Service Account used to deploy this module has the following roles\n\n ```\n roles/iam.workloadIdentityPoolAdmin\n roles/iam.serviceAccountAdmin\n ```\n" }, { "path": "modules/gh-oidc/main.tf", "content": "/**\n * Copyright 2021 Google LLC\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nresource \"google_iam_workload_identity_pool\" \"main\" {\n provider = google-beta\n project = var.project_id\n workload_identity_pool_id = var.pool_id\n display_name = var.pool_display_name\n description = var.pool_description\n disabled = false\n}\n\nresource \"google_iam_workload_identity_pool_provider\" \"main\" {\n provider = google-beta\n project = var.project_id\n workload_identity_pool_id = google_iam_workload_identity_pool.main.workload_identity_pool_id\n workload_identity_pool_provider_id = var.provider_id\n display_name = var.provider_display_name\n description = var.provider_description\n attribute_condition = var.attribute_condition\n attribute_mapping = var.attribute_mapping\n oidc {\n allowed_audiences = var.allowed_audiences\n issuer_uri = var.issuer_uri\n }\n}\n\nresource \"google_service_account_iam_member\" \"wif-sa\" {\n for_each = var.sa_mapping\n service_account_id = each.value.sa_name\n role = \"roles/iam.workloadIdentityUser\"\n member = \"principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.main.name}/${each.value.attribute}\"\n}\n" }, { "path": "modules/gh-oidc/metadata.yaml", "content": "# Copyright 2022 Google LLC\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n# http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\napiVersion: blueprints.cloud.google.com/v1alpha1\nkind: BlueprintMetadata\nmetadata:\n name: terraform-google-github-actions-runners\n annotations:\n config.kubernetes.io/local-config: \"true\"\nspec:\n title: \"\"\n source:\n repo: https://github.com/terraform-google-modules/terraform-google-github-actions-runners\n sourceType: git\n version: 5.1.0\n actuationTool:\n type: Terraform\n version: '>= 0.13'\n examples:\n - name: gh-org-runner-mig-native-simple\n location: examples/gh-org-runner-mig-native-simple\n - name: gh-runner-gke-dind\n location: examples/gh-runner-gke-dind\n - name: gh-runner-gke-simple\n location: examples/gh-runner-gke-simple\n - name: gh-runner-mig-container-vm-dind\n location: examples/gh-runner-mig-container-vm-dind\n - name: gh-runner-mig-container-vm-simple\n location: examples/gh-runner-mig-container-vm-simple\n - name: gh-runner-mig-native-packer\n location: examples/gh-runner-mig-native-packer\n - name: gh-runner-mig-native-simple\n location: examples/gh-runner-mig-native-simple\n - name: oidc-simple\n location: examples/oidc-simple\n variables:\n - name: allowed_audiences\n description: Workload Identity Pool Provider allowed audiences.\n type: list(string)\n default: []\n required: false\n - name: attribute_condition\n description: Workload Identity Pool Provider attribute condition expression. [More info](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iam_workload_identity_pool_provider#attribute_condition)\n type: string\n required: false\n - name: attribute_mapping\n description: Workload Identity Pool Provider attribute mapping. [More info](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iam_workload_identity_pool_provider#attribute_mapping)\n type: map(any)\n default:\n attribute.actor: assertion.actor\n attribute.aud: assertion.aud\n attribute.repository: assertion.repository\n google.subject: assertion.sub\n required: false\n - name: issuer_uri\n description: Workload Identity Pool Issuer URL\n type: string\n default: https://token.actions.githubusercontent.com\n required: false\n - name: pool_description\n description: Workload Identity Pool description\n type: string\n default: Workload Identity Pool managed by Terraform\n required: false\n - name: pool_display_name\n description: Workload Identity Pool display name\n type: string\n required: false\n - name: pool_id\n description: Workload Identity Pool ID\n type: string\n required: true\n - name: project_id\n description: The project id to create Workload Identity Pool\n type: string\n required: true\n - name: provider_description\n description: Workload Identity Pool Provider description\n type: string\n default: Workload Identity Pool Provider managed by Terraform\n required: false\n - name: provider_display_name\n description: Workload Identity Pool Provider display name\n type: string\n required: false\n - name: provider_id\n description: Workload Identity Pool Provider id\n type: string\n required: true\n - name: sa_mapping\n description: Service Account resource names and corresponding WIF provider attributes. If attribute is set to `*` all identities in the pool are granted access to SAs.\n type: |-\n map(object({\n sa_name = string\n attribute = string\n }))\n default: {}\n required: false\n outputs:\n - name: pool_name\n description: Pool name\n - name: provider_name\n description: Provider name\n roles:\n - level: Project\n roles:\n - roles/owner\n services:\n - cloudresourcemanager.googleapis.com\n - storage-api.googleapis.com\n - iam.googleapis.com\n - container.googleapis.com\n - serviceusage.googleapis.com\n" }, { "path": "modules/gh-oidc/outputs.tf", "content": "/**\n * Copyright 2021 Google LLC\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\noutput \"pool_name\" {\n description = \"Pool name\"\n value = google_iam_workload_identity_pool.main.name\n}\n\noutput \"provider_name\" {\n description = \"Provider name\"\n value = google_iam_workload_identity_pool_provider.main.name\n}\n" }, { "path": "modules/gh-oidc/variables.tf", "content": "/**\n * Copyright 2021 Google LLC\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nvariable \"project_id\" {\n type = string\n description = \"The project id to create Workload Identity Pool\"\n}\n\nvariable \"pool_id\" {\n type = string\n description = \"Workload Identity Pool ID\"\n}\n\nvariable \"pool_display_name\" {\n type = string\n description = \"Workload Identity Pool display name\"\n default = null\n}\n\nvariable \"pool_description\" {\n type = string\n description = \"Workload Identity Pool description\"\n default = \"Workload Identity Pool managed by Terraform\"\n}\n\nvariable \"provider_id\" {\n type = string\n description = \"Workload Identity Pool Provider id\"\n}\n\nvariable \"issuer_uri\" {\n type = string\n description = \"Workload Identity Pool Issuer URL\"\n default = \"https://token.actions.githubusercontent.com\"\n}\n\nvariable \"provider_display_name\" {\n type = string\n description = \"Workload Identity Pool Provider display name\"\n default = null\n}\n\nvariable \"provider_description\" {\n type = string\n description = \"Workload Identity Pool Provider description\"\n default = \"Workload Identity Pool Provider managed by Terraform\"\n}\n\nvariable \"attribute_condition\" {\n type = string\n description = \"Workload Identity Pool Provider attribute condition expression. [More info](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iam_workload_identity_pool_provider#attribute_condition)\"\n default = null\n}\n\nvariable \"attribute_mapping\" {\n type = map(any)\n description = \"Workload Identity Pool Provider attribute mapping. [More info](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iam_workload_identity_pool_provider#attribute_mapping)\"\n default = {\n \"google.subject\" = \"assertion.sub\"\n \"attribute.actor\" = \"assertion.actor\"\n \"attribute.aud\" = \"assertion.aud\"\n \"attribute.repository\" = \"assertion.repository\"\n }\n}\n\nvariable \"allowed_audiences\" {\n type = list(string)\n description = \"Workload Identity Pool Provider allowed audiences.\"\n default = []\n}\n\nvariable \"sa_mapping\" {\n type = map(object({\n sa_name = string\n attribute = string\n }))\n description = \"Service Account resource names and corresponding WIF provider attributes. If attribute is set to `*` all identities in the pool are granted access to SAs.\"\n default = {}\n}\n" }, { "path": "modules/gh-oidc/versions.tf", "content": "/**\n * Copyright 2021 Google LLC\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nterraform {\n required_version = \">= 1.3\"\n required_providers {\n\n google = {\n source = \"hashicorp/google\"\n version = \">= 3.64, < 8\"\n }\n google-beta = {\n source = \"hashicorp/google-beta\"\n version = \">= 3.64, < 8\"\n }\n }\n\n provider_meta \"google\" {\n module_name = \"blueprints/terraform/terraform-google-github-actions-runners:gh-oidc/v5.1.0\"\n }\n\n provider_meta \"google-beta\" {\n module_name = \"blueprints/terraform/terraform-google-github-actions-runners:gh-oidc/v5.1.0\"\n }\n\n}\n" }, { "path": "modules/gh-runner-gke/README.md", "content": "# Self Hosted Runners on GKE\n\nThis module handles the opinionated creation of infrastructure necessary to deploy GitHub Actions Runners on GKE. This module follows the guide provided by GitHub for [Quickstart for Actions Runner Controller](https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/quickstart-for-actions-runner-controller).\n\n![ARC on GKE architecture diagram](../../assets/gh-runners-gke.png)\n\nThis includes:\n\n- Enabling necessary APIs\n- VPC\n- GKE Cluster\n- Kubernetes Secret\n- Installation via Helm Chart\n\n## Usage\nSee below for example usage of this module:\n```tf\nmodule \"runner-gke\" {\n source = \"terraform-google-modules/github-actions-runners/google//modules/gh-runner-gke\"\n version = \"~> 5.1\"\n\n project_id = \"PROJECT_ID\"\n create_network = true\n cluster_suffix = \"k8s\"\n gh_app_id = \"123456\"\n gh_app_installation_id = \"12345678\"\n gh_app_private_key = \"sample\"\n gh_config_url = \"https://github.com/ORGANIZATION\"\n}\n```\n\n### Authenticating to GitHub\n\nIt's recommended to authenticate to GitHub via a GitHub App. Follow the instructions at [Authenticating ARC with a GitHub App](https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/authenticating-to-the-github-api#authenticating-arc-with-a-github-app) to retrieve the necessary prerequisites:\n\n- GitHub App ID\n- GitHub App Installation ID\n- GitHub App Private Key\n\nInstall the app in the organization or account for which the runners should be available.\n\nSubstitute these values gathered from creating the GitHub App installation into the variables in the module.\n\n## Requirements\n\nBefore this module can be used on a project, you must ensure that the following pre-requisites are fulfilled:\n\n1. Required APIs are activated\n\n ```\n \"cloudresourcemanager.googleapis.com\",\n \"storage-api.googleapis.com\",\n \"iam.googleapis.com\",\n \"container.googleapis.com\",\n \"serviceusage.googleapis.com\"\n ```\n\n## Examples\n\n### [Simple Self Hosted Runners on GKE](../../examples/gh-runner-gke-simple/README.md)\n\nThis example shows how to deploy a simple GKE Self Hosted Runner.\n\nBelow are some examples:\n\n### [Self Hosted runners on GKE that support Docker workflows](../../examples/gh-runner-gke-dind/README.md)\n\nThis example shows how to deploy Self Hosted Runners on GKE that supports Docker Workflows.\n\n### [Self Hosted runners on GKE that support Docker Workflows in rootless configuration](examples/gh-runner-gke-dind-rootless/)\n\nThis example shows how to deploy Self Hosted Runners on GKE that supports Docker Workflows in a rootless configuration.\n\n\n## Inputs\n\n| Name | Description | Type | Default | Required |\n|------|-------------|------|---------|:--------:|\n| arc\\_container\\_mode | value of containerMode.type in ARC runner scale set helm chart. If set, value can be `dind` or `kubernetes` | `string` | `\"\"` | no |\n| arc\\_controller\\_values | List of values in raw yaml format to pass to helm for ARC runners scale set controller chart | `list(string)` | `[]` | no |\n| arc\\_controller\\_version | Version tag for the ARC image. See [https://github.com/actions/actions-runner-controller/pkgs/container/actions-runner-controller-charts%2Fgha-runner-scale-set-controller](https://github.com/actions/actions-runner-controller/pkgs/container/actions-runner-controller-charts%2Fgha-runner-scale-set-controller) for releases. | `string` | `\"0.9.3\"` | no |\n| arc\\_runners\\_namespace | Namespace created for the ARC runner pods. | `string` | `\"arc-runners\"` | no |\n| arc\\_runners\\_values | List of values in raw yaml format to pass to helm for ARC runners scale set chart | `list(string)` | `[]` | no |\n| arc\\_runners\\_version | Version tag for the ARC image. See [https://github.com/actions/actions-runner-controller/pkgs/container/actions-runner-controller-charts%2Fgha-runner-scale-set](https://github.com/actions/actions-runner-controller/pkgs/container/actions-runner-controller-charts%2Fgha-runner-scale-set) for releases. | `string` | `\"0.9.3\"` | no |\n| arc\\_systems\\_namespace | Namespace created for the ARC operator pods. | `string` | `\"arc-systems\"` | no |\n| cluster\\_suffix | Name of the GitHub organization associated with this runner cluster. | `string` | `\"arc\"` | no |\n| create\\_network | When set to true, VPC will be auto created | `bool` | `true` | no |\n| enable\\_private\\_nodes | Whether nodes have internal IP addresses only. | `bool` | `false` | no |\n| gh\\_app\\_id | After creating the GitHub App, on the GitHub App's page, note the value for \"App ID\". | `string` | n/a | yes |\n| gh\\_app\\_installation\\_id | You can find the app installation ID on the app installation page, which has the following URL format: `https://github.com/organizations/ORGANIZATION/settings/installations/INSTALLATION_ID` | `string` | n/a | yes |\n| gh\\_app\\_pre\\_defined\\_secret\\_name | Name for the k8s secret required to configure gh runners on GKE via GitHub App authentication | `string` | `\"gh-app-pre-defined-secret\"` | no |\n| gh\\_app\\_private\\_key | Under \"Private keys\", click Generate a private key, and save the .pem file. Use the contents of this file for this variable. | `string` | n/a | yes |\n| gh\\_config\\_url | URL of GitHub App config. If installed in an organization, this is in the format \"https://github.com/ORGANIZATION\" | `string` | n/a | yes |\n| ip\\_range\\_pods\\_cidr | The secondary ip range cidr to use for pods | `string` | `\"192.168.0.0/18\"` | no |\n| ip\\_range\\_pods\\_name | The secondary ip range to use for pods | `string` | `\"ip-range-pods\"` | no |\n| ip\\_range\\_services\\_cider | The secondary ip range cidr to use for services | `string` | `\"192.168.64.0/18\"` | no |\n| ip\\_range\\_services\\_name | The secondary ip range to use for services | `string` | `\"ip-range-scv\"` | no |\n| machine\\_type | Machine type for runner node pool | `string` | `\"n1-standard-4\"` | no |\n| max\\_node\\_count | Maximum number of nodes in the runner node pool | `number` | `4` | no |\n| min\\_node\\_count | Minimum number of nodes in the runner node pool | `number` | `2` | no |\n| network\\_name | Name for the VPC network | `string` | `\"runner-network\"` | no |\n| project\\_id | The project id to deploy Github Runner cluster | `string` | n/a | yes |\n| region | The GCP region to deploy instances into | `string` | `\"us-east4\"` | no |\n| service\\_account | Optional Service Account for the nodes | `string` | `\"\"` | no |\n| spot | A boolean that represents whether the underlying node VMs are spot | `bool` | `false` | no |\n| subnet\\_ip | IP range for the subnet | `string` | `\"10.0.0.0/17\"` | no |\n| subnet\\_name | Name for the subnet | `string` | `\"runner-subnet\"` | no |\n| subnetwork\\_project | The ID of the project in which the subnetwork belongs. If it is not provided, the project\\_id is used. | `string` | `\"\"` | no |\n| zones | The GCP zone to deploy gke into | `list(string)` | 
[
  \"us-east4-a\"
]
| no |\n\n## Outputs\n\n| Name | Description |\n|------|-------------|\n| ca\\_certificate | The cluster ca certificate (base64 encoded) |\n| client\\_token | The bearer token for auth |\n| cluster\\_name | Cluster name |\n| kubernetes\\_endpoint | The cluster endpoint |\n| location | Cluster location |\n| network\\_name | Name of VPC |\n| service\\_account | The default service account used for running nodes. |\n| subnet\\_name | Name of VPC |\n\n\n" }, { "path": "modules/gh-runner-gke/main.tf", "content": "/**\n * Copyright 2020 Google LLC\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\nlocals {\n network_name = var.create_network ? google_compute_network.gh-network[0].name : var.network_name\n subnet_name = var.create_network ? google_compute_subnetwork.gh-subnetwork[0].name : var.subnet_name\n service_account = var.service_account == \"\" ? \"create\" : var.service_account\n}\n\n/*****************************************\n Optional Network\n *****************************************/\nresource \"google_compute_network\" \"gh-network\" {\n count = var.create_network ? 1 : 0\n name = var.network_name\n project = var.project_id\n auto_create_subnetworks = false\n}\nresource \"google_compute_subnetwork\" \"gh-subnetwork\" {\n count = var.create_network ? 1 : 0\n project = var.project_id\n name = var.subnet_name\n ip_cidr_range = var.subnet_ip\n region = var.region\n network = google_compute_network.gh-network[0].name\n\n secondary_ip_range {\n range_name = var.ip_range_pods_name\n ip_cidr_range = var.ip_range_pods_cidr\n }\n\n secondary_ip_range {\n range_name = var.ip_range_services_name\n ip_cidr_range = var.ip_range_services_cider\n }\n}\n/*****************************************\n Runner GKE\n *****************************************/\nmodule \"runner-cluster\" {\n source = \"terraform-google-modules/kubernetes-engine/google//modules/beta-public-cluster/\"\n version = \"~> 35.0\"\n project_id = var.project_id\n name = \"gh-runner-${var.cluster_suffix}\"\n regional = false\n region = var.region\n zones = var.zones\n network = local.network_name\n network_project_id = var.subnetwork_project != \"\" ? var.subnetwork_project : var.project_id\n subnetwork = local.subnet_name\n ip_range_pods = var.ip_range_pods_name\n ip_range_services = var.ip_range_services_name\n logging_service = \"logging.googleapis.com/kubernetes\"\n monitoring_service = \"monitoring.googleapis.com/kubernetes\"\n remove_default_node_pool = true\n service_account = local.service_account\n gce_pd_csi_driver = true\n deletion_protection = false\n node_pools = [\n {\n name = \"runner-pool\"\n min_count = var.min_node_count\n max_count = var.max_node_count\n auto_upgrade = true\n machine_type = var.machine_type\n enable_private_nodes = var.enable_private_nodes\n spot = var.spot\n }\n ]\n}\n\ndata \"google_client_config\" \"default\" {\n}\n\nresource \"kubernetes_namespace\" \"arc_systems\" {\n metadata {\n name = var.arc_systems_namespace\n }\n}\n\nresource \"kubernetes_namespace\" \"arc_runners\" {\n metadata {\n name = var.arc_runners_namespace\n }\n\n depends_on = [helm_release.arc]\n}\n\n/*****************************************\n K8S secrets for configuring k8s runners\n *****************************************/\nresource \"kubernetes_secret\" \"gh_app_pre_defined_secret\" {\n metadata {\n name = var.gh_app_pre_defined_secret_name\n namespace = kubernetes_namespace.arc_runners.metadata[0].name\n }\n data = {\n github_app_id = var.gh_app_id\n github_app_installation_id = var.gh_app_installation_id\n github_app_private_key = var.gh_app_private_key\n }\n}\n\nresource \"helm_release\" \"arc\" {\n name = \"arc\"\n namespace = kubernetes_namespace.arc_systems.metadata[0].name\n chart = \"oci://ghcr.io/actions/actions-runner-controller-charts/gha-runner-scale-set-controller\"\n version = var.arc_controller_version\n wait = true\n values = var.arc_controller_values\n}\n\nresource \"helm_release\" \"arc_runners_set\" {\n name = \"arc-runners\"\n namespace = kubernetes_namespace.arc_runners.metadata[0].name\n chart = \"oci://ghcr.io/actions/actions-runner-controller-charts/gha-runner-scale-set\"\n version = var.arc_runners_version\n\n set = concat(\n [\n {\n name = \"githubConfigSecret\"\n value = kubernetes_secret.gh_app_pre_defined_secret.metadata[0].name\n },\n {\n name = \"githubConfigUrl\"\n value = var.gh_config_url\n }\n ],\n var.arc_container_mode == \"\" ? [] : [\n {\n name = \"containerMode.type\"\n value = var.arc_container_mode\n }\n ]\n )\n\n values = var.arc_runners_values\n}\n" }, { "path": "modules/gh-runner-gke/metadata.yaml", "content": "# Copyright 2022 Google LLC\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n# http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\napiVersion: blueprints.cloud.google.com/v1alpha1\nkind: BlueprintMetadata\nmetadata:\n name: terraform-google-github-actions-runners\n annotations:\n config.kubernetes.io/local-config: \"true\"\nspec:\n title: \"\"\n source:\n repo: https://github.com/terraform-google-modules/terraform-google-github-actions-runners\n sourceType: git\n version: 5.1.0\n actuationTool:\n type: Terraform\n version: '>= 0.13'\n examples:\n - name: gh-org-runner-mig-native-simple\n location: examples/gh-org-runner-mig-native-simple\n - name: gh-runner-gke-dind\n location: examples/gh-runner-gke-dind\n - name: gh-runner-gke-simple\n location: examples/gh-runner-gke-simple\n - name: gh-runner-mig-container-vm-dind\n location: examples/gh-runner-mig-container-vm-dind\n - name: gh-runner-mig-container-vm-simple\n location: examples/gh-runner-mig-container-vm-simple\n - name: gh-runner-mig-native-packer\n location: examples/gh-runner-mig-native-packer\n - name: gh-runner-mig-native-simple\n location: examples/gh-runner-mig-native-simple\n - name: oidc-simple\n location: examples/oidc-simple\n variables:\n - name: create_network\n description: When set to true, VPC will be auto created\n type: bool\n default: true\n required: false\n - name: gh_token\n description: Github token that is used for generating Self Hosted Runner Token\n type: string\n required: true\n - name: ip_range_pods_cidr\n description: The secondary ip range cidr to use for pods\n type: string\n default: 192.168.0.0/18\n required: false\n - name: ip_range_pods_name\n description: The secondary ip range to use for pods\n type: string\n default: ip-range-pods\n required: false\n - name: ip_range_services_cider\n description: The secondary ip range cidr to use for services\n type: string\n default: 192.168.64.0/18\n required: false\n - name: ip_range_services_name\n description: The secondary ip range to use for services\n type: string\n default: ip-range-scv\n required: false\n - name: machine_type\n description: Machine type for runner node pool\n type: string\n default: n1-standard-4\n required: false\n - name: max_node_count\n description: Maximum number of nodes in the runner node pool\n type: number\n default: 4\n required: false\n - name: min_node_count\n description: Minimum number of nodes in the runner node pool\n type: number\n default: 2\n required: false\n - name: network_name\n description: Name for the VPC network\n type: string\n default: runner-network\n required: false\n - name: project_id\n description: The project id to deploy Github Runner cluster\n type: string\n required: true\n - name: region\n description: The GCP region to deploy instances into\n type: string\n default: us-east4\n required: false\n - name: repo_name\n description: Name of the repo for the Github Action\n type: string\n required: true\n - name: repo_owner\n description: Owner of the repo for the Github Action\n type: string\n required: true\n - name: repo_url\n description: Repo URL for the Github Action\n type: string\n required: true\n - name: runner_k8s_config\n description: Name for the k8s secret required to configure gh runners on GKE\n type: string\n default: runner-k8s-config\n required: false\n - name: service_account\n description: Optional Service Account for the nodes\n type: string\n default: \"\"\n required: false\n - name: subnet_ip\n description: IP range for the subnet\n type: string\n default: 10.0.0.0/17\n required: false\n - name: subnet_name\n description: Name for the subnet\n type: string\n default: runner-subnet\n required: false\n - name: subnetwork_project\n description: The ID of the project in which the subnetwork belongs. If it is not provided, the project_id is used.\n type: string\n default: \"\"\n required: false\n - name: zones\n description: The GCP zone to deploy gke into\n type: list(string)\n default:\n - us-east4-a\n required: false\n outputs:\n - name: ca_certificate\n description: The cluster ca certificate (base64 encoded)\n - name: client_token\n description: The bearer token for auth\n - name: cluster_name\n description: Cluster name\n - name: kubernetes_endpoint\n description: The cluster endpoint\n - name: location\n description: Cluster location\n - name: network_name\n description: Name of VPC\n - name: service_account\n description: The default service account used for running nodes.\n - name: subnet_name\n description: Name of VPC\n roles:\n - level: Project\n roles:\n - roles/owner\n services:\n - cloudresourcemanager.googleapis.com\n - storage-api.googleapis.com\n - iam.googleapis.com\n - container.googleapis.com\n - serviceusage.googleapis.com\n" }, { "path": "modules/gh-runner-gke/outputs.tf", "content": "/**\n * Copyright 2020 Google LLC\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\noutput \"kubernetes_endpoint\" {\n description = \"The cluster endpoint\"\n sensitive = true\n value = module.runner-cluster.endpoint\n}\n\noutput \"client_token\" {\n description = \"The bearer token for auth\"\n sensitive = true\n value = base64encode(data.google_client_config.default.access_token)\n}\n\noutput \"ca_certificate\" {\n description = \"The cluster ca certificate (base64 encoded)\"\n sensitive = true\n value = module.runner-cluster.ca_certificate\n}\n\noutput \"service_account\" {\n description = \"The default service account used for running nodes.\"\n value = module.runner-cluster.service_account\n}\n\noutput \"cluster_name\" {\n description = \"Cluster name\"\n value = module.runner-cluster.name\n}\n\noutput \"network_name\" {\n description = \"Name of VPC\"\n value = local.network_name\n}\n\noutput \"subnet_name\" {\n description = \"Name of VPC\"\n value = local.subnet_name\n}\n\noutput \"location\" {\n description = \"Cluster location\"\n value = module.runner-cluster.location\n}\n" }, { "path": "modules/gh-runner-gke/variables.tf", "content": "/**\n * Copyright 2020 Google LLC\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nvariable \"project_id\" {\n type = string\n description = \"The project id to deploy Github Runner cluster\"\n}\n\nvariable \"region\" {\n type = string\n description = \"The GCP region to deploy instances into\"\n default = \"us-east4\"\n}\n\nvariable \"zones\" {\n type = list(string)\n description = \"The GCP zone to deploy gke into\"\n default = [\"us-east4-a\"]\n}\n\nvariable \"ip_range_pods_name\" {\n type = string\n description = \"The secondary ip range to use for pods\"\n default = \"ip-range-pods\"\n}\n\nvariable \"ip_range_services_name\" {\n type = string\n description = \"The secondary ip range to use for services\"\n default = \"ip-range-scv\"\n}\n\nvariable \"ip_range_pods_cidr\" {\n type = string\n description = \"The secondary ip range cidr to use for pods\"\n default = \"192.168.0.0/18\"\n}\n\nvariable \"ip_range_services_cider\" {\n type = string\n description = \"The secondary ip range cidr to use for services\"\n default = \"192.168.64.0/18\"\n}\n\nvariable \"network_name\" {\n type = string\n description = \"Name for the VPC network\"\n default = \"runner-network\"\n}\n\nvariable \"subnet_ip\" {\n type = string\n description = \"IP range for the subnet\"\n default = \"10.0.0.0/17\"\n}\n\nvariable \"subnet_name\" {\n type = string\n description = \"Name for the subnet\"\n default = \"runner-subnet\"\n}\n\nvariable \"create_network\" {\n type = bool\n description = \"When set to true, VPC will be auto created\"\n default = true\n}\n\nvariable \"subnetwork_project\" {\n type = string\n description = \"The ID of the project in which the subnetwork belongs. If it is not provided, the project_id is used.\"\n default = \"\"\n}\n\nvariable \"machine_type\" {\n type = string\n description = \"Machine type for runner node pool\"\n default = \"n1-standard-4\"\n}\n\nvariable \"max_node_count\" {\n type = number\n description = \"Maximum number of nodes in the runner node pool\"\n default = 4\n}\n\nvariable \"min_node_count\" {\n type = number\n description = \"Minimum number of nodes in the runner node pool\"\n default = 2\n}\n\nvariable \"gh_app_pre_defined_secret_name\" {\n type = string\n description = \"Name for the k8s secret required to configure gh runners on GKE via GitHub App authentication\"\n default = \"gh-app-pre-defined-secret\"\n}\n\nvariable \"gh_app_id\" {\n type = string\n description = \"After creating the GitHub App, on the GitHub App's page, note the value for \\\"App ID\\\".\"\n}\n\nvariable \"gh_app_installation_id\" {\n type = string\n description = \"You can find the app installation ID on the app installation page, which has the following URL format: `https://github.com/organizations/ORGANIZATION/settings/installations/INSTALLATION_ID`\"\n}\n\nvariable \"gh_app_private_key\" {\n type = string\n description = \"Under \\\"Private keys\\\", click Generate a private key, and save the .pem file. Use the contents of this file for this variable.\"\n sensitive = true\n}\n\nvariable \"service_account\" {\n type = string\n description = \"Optional Service Account for the nodes\"\n default = \"\"\n}\n\nvariable \"arc_systems_namespace\" {\n type = string\n description = \"Namespace created for the ARC operator pods.\"\n default = \"arc-systems\"\n}\n\nvariable \"arc_runners_namespace\" {\n type = string\n description = \"Namespace created for the ARC runner pods.\"\n default = \"arc-runners\"\n}\n\nvariable \"cluster_suffix\" {\n type = string\n description = \"Name of the GitHub organization associated with this runner cluster.\"\n default = \"arc\"\n}\n\nvariable \"gh_config_url\" {\n type = string\n description = \"URL of GitHub App config. If installed in an organization, this is in the format \\\"https://github.com/ORGANIZATION\\\"\"\n}\n\nvariable \"arc_runners_version\" {\n type = string\n description = \"Version tag for the ARC image. See [https://github.com/actions/actions-runner-controller/pkgs/container/actions-runner-controller-charts%2Fgha-runner-scale-set](https://github.com/actions/actions-runner-controller/pkgs/container/actions-runner-controller-charts%2Fgha-runner-scale-set) for releases.\"\n default = \"0.9.3\"\n}\n\nvariable \"arc_controller_version\" {\n type = string\n description = \"Version tag for the ARC image. See [https://github.com/actions/actions-runner-controller/pkgs/container/actions-runner-controller-charts%2Fgha-runner-scale-set-controller](https://github.com/actions/actions-runner-controller/pkgs/container/actions-runner-controller-charts%2Fgha-runner-scale-set-controller) for releases.\"\n default = \"0.9.3\"\n}\n\nvariable \"arc_container_mode\" {\n type = string\n description = \"value of containerMode.type in ARC runner scale set helm chart. If set, value can be `dind` or `kubernetes`\"\n default = \"\"\n}\n\nvariable \"arc_controller_values\" {\n type = list(string)\n description = \"List of values in raw yaml format to pass to helm for ARC runners scale set controller chart\"\n default = []\n}\n\nvariable \"arc_runners_values\" {\n type = list(string)\n description = \"List of values in raw yaml format to pass to helm for ARC runners scale set chart\"\n default = []\n}\n\nvariable \"enable_private_nodes\" {\n type = bool\n description = \"Whether nodes have internal IP addresses only.\"\n default = false\n}\n\nvariable \"spot\" {\n type = bool\n description = \"A boolean that represents whether the underlying node VMs are spot\"\n default = false\n}\n" }, { "path": "modules/gh-runner-gke/versions.tf", "content": "/**\n * Copyright 2021 Google LLC\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nterraform {\n required_version = \">= 1.3\"\n required_providers {\n\n google = {\n source = \"hashicorp/google\"\n version = \">= 4.3.0, < 8\"\n }\n\n google-beta = {\n source = \"hashicorp/google-beta\"\n version = \">= 4.3.0, < 8\"\n }\n\n kubernetes = {\n source = \"hashicorp/kubernetes\"\n version = \"~> 2.0\"\n }\n\n helm = {\n source = \"hashicorp/helm\"\n version = \"~> 3.0\"\n }\n }\n\n provider_meta \"google\" {\n module_name = \"blueprints/terraform/terraform-google-github-actions-runners:gh-runner-gke/v5.1.0\"\n }\n\n}\n" }, { "path": "modules/gh-runner-mig-container-vm/README.md", "content": "## Self Hosted Runners on Managed Instance Group\n\nThis module handles the opinionated creation of infrastructure necessary to deploy Github Self Hosted Runners on MIG Container VMs.\n\nThis includes:\n\n- Enabling necessary APIs\n- VPC\n- NAT & Cloud Router\n- MIG Container Instance Template\n- MIG Instance Manager\n- FW Rules\n\nBelow are some examples:\n\n### [Self Hosted runners that support Docker Workflows](../../examples/gh-runner-mig-container-vm-dind/README.md)\n\nThis example shows how to deploy a Self Hosted Runner that supports Docker Workflows on MIG Container VMs.\n\n### [Simple Self Hosted Runner](../../examples/gh-runner-mig-container-vm-simple/README.md)\n\nThis example shows how to deploy a Self Hosted Runner on MIG Container VMs.\n\n\n## Inputs\n\n| Name | Description | Type | Default | Required |\n|------|-------------|------|---------|:--------:|\n| additional\\_metadata | Additional metadata to attach to the instance | `map(any)` | `{}` | no |\n| cooldown\\_period | The number of seconds that the autoscaler should wait before it starts collecting information from a new instance. | `number` | `60` | no |\n| create\\_network | When set to true, VPC,router and NAT will be auto created | `bool` | `true` | no |\n| dind | Flag to determine whether to expose dockersock | `bool` | `false` | no |\n| disk\\_size\\_gb | Instance disk size in GB | `number` | `100` | no |\n| disk\\_type | Instance disk type, can be either pd-ssd, local-ssd, or pd-standard | `string` | `\"pd-ssd\"` | no |\n| gh\\_token | Github token that is used for generating Self Hosted Runner Token | `string` | n/a | yes |\n| image | The github runner image | `string` | n/a | yes |\n| instance\\_name | The gce instance name | `string` | `\"gh-runner\"` | no |\n| network\\_name | Name for the VPC network | `string` | `\"gh-runner-network\"` | no |\n| project\\_id | The project id to deploy Github Runner | `string` | n/a | yes |\n| region | The GCP region to deploy instances into | `string` | `\"us-east4\"` | no |\n| repo\\_name | Name of the repo for the Github Action | `string` | n/a | yes |\n| repo\\_owner | Owner of the repo for the Github Action | `string` | n/a | yes |\n| repo\\_url | Repo URL for the Github Action | `string` | n/a | yes |\n| restart\\_policy | The desired Docker restart policy for the runner image | `string` | `\"Always\"` | no |\n| service\\_account | Service account email address | `string` | `\"\"` | no |\n| spot | Provision a SPOT instance | `bool` | `false` | no |\n| spot\\_instance\\_termination\\_action | Action to take when Compute Engine preempts a Spot VM. | `string` | `\"STOP\"` | no |\n| subnet\\_ip | IP range for the subnet | `string` | `\"10.10.10.0/24\"` | no |\n| subnet\\_name | Name for the subnet | `string` | `\"gh-runner-subnet\"` | no |\n| subnetwork\\_project | The ID of the project in which the subnetwork belongs. If it is not provided, the project\\_id is used. | `string` | `\"\"` | no |\n| target\\_size | The number of runner instances | `number` | `2` | no |\n\n## Outputs\n\n| Name | Description |\n|------|-------------|\n| mig\\_instance\\_group | The instance group url of the created MIG |\n| mig\\_instance\\_template | The name of the MIG Instance Template |\n| mig\\_name | The name of the MIG |\n| network\\_name | Name of VPC |\n| service\\_account | Service account email for GCE |\n| subnet\\_name | Name of VPC |\n\n\n\n## Requirements\n\nBefore this module can be used on a project, you must ensure that the following pre-requisites are fulfilled:\n\n1. Required APIs are activated\n\n ```\n \"iam.googleapis.com\",\n \"cloudresourcemanager.googleapis.com\",\n \"containerregistry.googleapis.com\",\n \"storage-component.googleapis.com\",\n \"logging.googleapis.com\",\n \"monitoring.googleapis.com\"\n ```\n" }, { "path": "modules/gh-runner-mig-container-vm/main.tf", "content": "/**\n * Copyright 2020 Google LLC\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nlocals {\n dindVolumeMounts = var.dind ? [{\n mountPath = \"/var/run/docker.sock\"\n name = \"dockersock\"\n readOnly = false\n }] : []\n dindVolumes = var.dind ? [\n {\n name = \"dockersock\"\n\n hostPath = {\n path = \"/var/run/docker.sock\"\n }\n }] : []\n network_name = var.create_network ? google_compute_network.gh-network[0].self_link : var.network_name\n subnet_name = var.create_network ? google_compute_subnetwork.gh-subnetwork[0].self_link : var.subnet_name\n service_account = var.service_account == \"\" ? google_service_account.runner_service_account[0].email : var.service_account\n # location = var.regional ? var.region : var.zones[0]\n}\n\n/*****************************************\n Optional Runner Networking\n *****************************************/\nresource \"google_compute_network\" \"gh-network\" {\n count = var.create_network ? 1 : 0\n name = var.network_name\n project = var.project_id\n auto_create_subnetworks = false\n}\nresource \"google_compute_subnetwork\" \"gh-subnetwork\" {\n count = var.create_network ? 1 : 0\n project = var.project_id\n name = var.subnet_name\n ip_cidr_range = var.subnet_ip\n region = var.region\n network = google_compute_network.gh-network[0].name\n}\n\nresource \"google_compute_router\" \"default\" {\n count = var.create_network ? 1 : 0\n name = \"${var.network_name}-router\"\n network = google_compute_network.gh-network[0].self_link\n region = var.region\n project = var.project_id\n}\n\nresource \"google_compute_router_nat\" \"nat\" {\n count = var.create_network ? 1 : 0\n project = var.project_id\n name = \"${var.network_name}-nat\"\n router = google_compute_router.default[0].name\n region = google_compute_router.default[0].region\n nat_ip_allocate_option = \"AUTO_ONLY\"\n source_subnetwork_ip_ranges_to_nat = \"ALL_SUBNETWORKS_ALL_IP_RANGES\"\n}\n\n\n/*****************************************\n IAM Bindings GCE SVC\n *****************************************/\n\nresource \"google_service_account\" \"runner_service_account\" {\n count = var.service_account == \"\" ? 1 : 0\n project = var.project_id\n account_id = \"runner-service-account\"\n display_name = \"Github Runner GCE Service Account\"\n}\n\n# allow GCE to pull images from GCR\nresource \"google_project_iam_binding\" \"gce\" {\n count = var.service_account == \"\" ? 1 : 0\n project = var.project_id\n role = \"roles/storage.objectViewer\"\n members = [\n \"serviceAccount:${local.service_account}\",\n ]\n}\n\n/*****************************************\n Runner GCE Instance Template\n *****************************************/\nlocals {\n instance_name = format(\"%s-%s\", var.instance_name, substr(md5(module.gce-container.container.image), 0, 8))\n}\n\nmodule \"gce-container\" {\n source = \"terraform-google-modules/container-vm/google\"\n version = \"~> 3.0\"\n container = {\n image = var.image\n env = [\n {\n name = \"ACTIONS_RUNNER_INPUT_URL\"\n value = var.repo_url\n },\n {\n name = \"GITHUB_TOKEN\"\n value = var.gh_token\n },\n {\n name = \"REPO_OWNER\"\n value = var.repo_owner\n },\n {\n name = \"REPO_NAME\"\n value = var.repo_name\n }\n ]\n\n # Declare volumes to be mounted\n # This is similar to how Docker volumes are mounted\n volumeMounts = concat([\n {\n mountPath = \"/cache\"\n name = \"tempfs-0\"\n readOnly = false\n }\n ], local.dindVolumeMounts)\n }\n\n # Declare the volumes\n volumes = concat([\n {\n name = \"tempfs-0\"\n\n emptyDir = {\n medium = \"Memory\"\n }\n }\n ], local.dindVolumes)\n\n restart_policy = var.restart_policy\n}\n\n\nmodule \"mig_template\" {\n source = \"terraform-google-modules/vm/google//modules/instance_template\"\n version = \"~> 13.0\"\n project_id = var.project_id\n region = var.region\n network = local.network_name\n subnetwork = local.subnet_name\n subnetwork_project = var.subnetwork_project != \"\" ? var.subnetwork_project : var.project_id\n service_account = {\n email = local.service_account\n scopes = [\n \"https://www.googleapis.com/auth/cloud-platform\",\n ]\n }\n disk_size_gb = var.disk_size_gb\n disk_type = var.disk_type\n auto_delete = true\n name_prefix = \"gh-runner\"\n source_image_family = \"cos-stable\"\n source_image_project = \"cos-cloud\"\n startup_script = \"export TEST_ENV='hello'\"\n source_image = reverse(split(\"/\", module.gce-container.source_image))[0]\n spot = var.spot\n spot_instance_termination_action = var.spot_instance_termination_action\n metadata = merge(var.additional_metadata, { \"gce-container-declaration\" = module.gce-container.metadata_value })\n tags = [\n \"gh-runner-vm\"\n ]\n labels = {\n container-vm = module.gce-container.vm_container_label\n }\n}\n/*****************************************\n Runner MIG\n *****************************************/\nmodule \"mig\" {\n source = \"terraform-google-modules/vm/google//modules/mig\"\n version = \"~> 13.0\"\n project_id = var.project_id\n hostname = local.instance_name\n region = var.region\n instance_template = module.mig_template.self_link\n target_size = var.target_size\n\n /* autoscaler */\n autoscaling_enabled = true\n cooldown_period = var.cooldown_period\n}\n" }, { "path": "modules/gh-runner-mig-container-vm/metadata.yaml", "content": "# Copyright 2022 Google LLC\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n# http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\napiVersion: blueprints.cloud.google.com/v1alpha1\nkind: BlueprintMetadata\nmetadata:\n name: terraform-google-github-actions-runners\n annotations:\n config.kubernetes.io/local-config: \"true\"\nspec:\n title: \"\"\n source:\n repo: https://github.com/terraform-google-modules/terraform-google-github-actions-runners\n sourceType: git\n version: 5.1.0\n actuationTool:\n type: Terraform\n version: '>= 0.13'\n examples:\n - name: gh-org-runner-mig-native-simple\n location: examples/gh-org-runner-mig-native-simple\n - name: gh-runner-gke-dind\n location: examples/gh-runner-gke-dind\n - name: gh-runner-gke-simple\n location: examples/gh-runner-gke-simple\n - name: gh-runner-mig-container-vm-dind\n location: examples/gh-runner-mig-container-vm-dind\n - name: gh-runner-mig-container-vm-simple\n location: examples/gh-runner-mig-container-vm-simple\n - name: gh-runner-mig-native-packer\n location: examples/gh-runner-mig-native-packer\n - name: gh-runner-mig-native-simple\n location: examples/gh-runner-mig-native-simple\n - name: oidc-simple\n location: examples/oidc-simple\n variables:\n - name: additional_metadata\n description: Additional metadata to attach to the instance\n type: map(any)\n default: {}\n required: false\n - name: cooldown_period\n description: The number of seconds that the autoscaler should wait before it starts collecting information from a new instance.\n type: number\n default: 60\n required: false\n - name: create_network\n description: When set to true, VPC,router and NAT will be auto created\n type: bool\n default: true\n required: false\n - name: dind\n description: 'Flag to determine whether to expose dockersock '\n type: bool\n default: false\n required: false\n - name: gh_token\n description: Github token that is used for generating Self Hosted Runner Token\n type: string\n required: true\n - name: image\n description: The github runner image\n type: string\n required: true\n - name: instance_name\n description: The gce instance name\n type: string\n default: gh-runner\n required: false\n - name: network_name\n description: Name for the VPC network\n type: string\n default: gh-runner-network\n required: false\n - name: project_id\n description: The project id to deploy Github Runner\n type: string\n required: true\n - name: region\n description: The GCP region to deploy instances into\n type: string\n default: us-east4\n required: false\n - name: repo_name\n description: Name of the repo for the Github Action\n type: string\n required: true\n - name: repo_owner\n description: Owner of the repo for the Github Action\n type: string\n required: true\n - name: repo_url\n description: Repo URL for the Github Action\n type: string\n required: true\n - name: restart_policy\n description: The desired Docker restart policy for the runner image\n type: string\n default: Always\n required: false\n - name: service_account\n description: Service account email address\n type: string\n default: \"\"\n required: false\n - name: subnet_ip\n description: IP range for the subnet\n type: string\n default: 10.10.10.0/24\n required: false\n - name: subnet_name\n description: Name for the subnet\n type: string\n default: gh-runner-subnet\n required: false\n - name: subnetwork_project\n description: The ID of the project in which the subnetwork belongs. If it is not provided, the project_id is used.\n type: string\n default: \"\"\n required: false\n - name: target_size\n description: The number of runner instances\n type: number\n default: 2\n required: false\n outputs:\n - name: mig_instance_group\n description: The instance group url of the created MIG\n - name: mig_instance_template\n description: The name of the MIG Instance Template\n - name: mig_name\n description: The name of the MIG\n - name: network_name\n description: Name of VPC\n - name: service_account\n description: Service account email for GCE\n - name: subnet_name\n description: Name of VPC\n roles:\n - level: Project\n roles:\n - roles/owner\n services:\n - cloudresourcemanager.googleapis.com\n - storage-api.googleapis.com\n - iam.googleapis.com\n - container.googleapis.com\n - serviceusage.googleapis.com\n" }, { "path": "modules/gh-runner-mig-container-vm/outputs.tf", "content": "/**\n * Copyright 2020 Google LLC\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\noutput \"mig_instance_group\" {\n description = \"The instance group url of the created MIG\"\n value = module.mig.instance_group\n}\n\noutput \"mig_name\" {\n description = \"The name of the MIG\"\n value = local.instance_name\n}\n\noutput \"mig_instance_template\" {\n description = \"The name of the MIG Instance Template\"\n value = module.mig_template.name\n}\n\noutput \"network_name\" {\n description = \"Name of VPC\"\n value = local.network_name\n}\n\noutput \"subnet_name\" {\n description = \"Name of VPC\"\n value = local.subnet_name\n}\n\noutput \"service_account\" {\n description = \"Service account email for GCE\"\n value = local.service_account\n}\n\n\n" }, { "path": "modules/gh-runner-mig-container-vm/variables.tf", "content": "/**\n * Copyright 2020 Google LLC\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nvariable \"project_id\" {\n type = string\n description = \"The project id to deploy Github Runner\"\n}\nvariable \"region\" {\n type = string\n description = \"The GCP region to deploy instances into\"\n default = \"us-east4\"\n}\n\nvariable \"network_name\" {\n type = string\n description = \"Name for the VPC network\"\n default = \"gh-runner-network\"\n}\n\nvariable \"create_network\" {\n type = bool\n description = \"When set to true, VPC,router and NAT will be auto created\"\n default = true\n}\n\nvariable \"subnetwork_project\" {\n type = string\n description = \"The ID of the project in which the subnetwork belongs. If it is not provided, the project_id is used.\"\n default = \"\"\n}\n\nvariable \"subnet_ip\" {\n type = string\n description = \"IP range for the subnet\"\n default = \"10.10.10.0/24\"\n}\nvariable \"subnet_name\" {\n type = string\n description = \"Name for the subnet\"\n default = \"gh-runner-subnet\"\n}\n\nvariable \"restart_policy\" {\n type = string\n description = \"The desired Docker restart policy for the runner image\"\n default = \"Always\"\n}\n\nvariable \"image\" {\n type = string\n description = \"The github runner image\"\n}\n\nvariable \"repo_url\" {\n type = string\n description = \"Repo URL for the Github Action\"\n}\n\nvariable \"repo_name\" {\n type = string\n description = \"Name of the repo for the Github Action\"\n}\n\n\nvariable \"repo_owner\" {\n type = string\n description = \"Owner of the repo for the Github Action\"\n}\n\nvariable \"gh_token\" {\n type = string\n description = \"Github token that is used for generating Self Hosted Runner Token\"\n}\n\nvariable \"instance_name\" {\n type = string\n description = \"The gce instance name\"\n default = \"gh-runner\"\n}\n\nvariable \"target_size\" {\n type = number\n description = \"The number of runner instances\"\n default = 2\n}\n\nvariable \"service_account\" {\n description = \"Service account email address\"\n type = string\n default = \"\"\n}\nvariable \"additional_metadata\" {\n type = map(any)\n description = \"Additional metadata to attach to the instance\"\n default = {}\n}\n\nvariable \"dind\" {\n type = bool\n description = \"Flag to determine whether to expose dockersock \"\n default = false\n}\n\nvariable \"cooldown_period\" {\n description = \"The number of seconds that the autoscaler should wait before it starts collecting information from a new instance.\"\n type = number\n default = 60\n}\n\nvariable \"spot\" {\n type = bool\n description = \"Provision a SPOT instance\"\n default = false\n}\n\nvariable \"spot_instance_termination_action\" {\n description = \"Action to take when Compute Engine preempts a Spot VM.\"\n type = string\n default = \"STOP\"\n}\n\nvariable \"disk_size_gb\" {\n type = number\n description = \"Instance disk size in GB\"\n default = 100\n}\n\nvariable \"disk_type\" {\n type = string\n description = \"Instance disk type, can be either pd-ssd, local-ssd, or pd-standard\"\n default = \"pd-ssd\"\n}\n" }, { "path": "modules/gh-runner-mig-container-vm/versions.tf", "content": "/**\n * Copyright 2021 Google LLC\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nterraform {\n required_version = \">= 1.3\"\n required_providers {\n\n google = {\n source = \"hashicorp/google\"\n version = \">= 3.53, < 8\"\n }\n }\n\n provider_meta \"google\" {\n module_name = \"blueprints/terraform/terraform-google-github-actions-runners:gh-runner-mig-container-vm/v5.1.0\"\n }\n\n}\n" }, { "path": "modules/gh-runner-mig-vm/README.md", "content": "## Self Hosted Runners on Managed Instance Group\n\nThis module handles the opinionated creation of infrastructure necessary to deploy Github Self Hosted Runners on MIG.\n\nThis includes:\n\n- Enabling necessary APIs\n- VPC\n- NAT & Cloud Router\n- Service Account for MIG\n- MIG Instance Template\n- MIG Instance Manager\n- FW Rules\n- Secret Manager Secret\n\nBelow are some examples:\n\n### [Simple Self Hosted Runner](../../examples/gh-runner-mig-native-simple/README.md)\n\nThis example shows how to deploy a MIG Self Hosted Runner bootstrapped using startup scripts.\n\n### [Simple Self Hosted Runner](../../examples/gh-runner-mig-native-packer/README.md)\n\nThis example shows how to deploy a MIG Self Hosted Runner with an image pre-baked using Packer.\n\n\n## Inputs\n\n| Name | Description | Type | Default | Required |\n|------|-------------|------|---------|:--------:|\n| cooldown\\_period | The number of seconds that the autoscaler should wait before it starts collecting information from a new instance. | `number` | `60` | no |\n| create\\_network | When set to true, VPC,router and NAT will be auto created | `bool` | `true` | no |\n| create\\_subnetwork | Whether to create subnetwork or use the one provided via subnet\\_name | `bool` | `true` | no |\n| custom\\_metadata | User provided custom metadata | `map(any)` | `{}` | no |\n| disk\\_size\\_gb | Instance disk size in GB | `number` | `100` | no |\n| disk\\_type | Instance disk type, can be either pd-ssd, local-ssd, or pd-standard | `string` | `\"pd-ssd\"` | no |\n| gh\\_runner\\_labels | GitHub runner labels to attach to the runners. Docs: https://docs.github.com/en/actions/hosting-your-own-runners/using-labels-with-self-hosted-runners | `set(string)` | `[]` | no |\n| gh\\_token | Github token that is used for generating Self Hosted Runner Token | `string` | n/a | yes |\n| instance\\_tags | Additional tags to add to the instances | `list(string)` | `[]` | no |\n| machine\\_type | The GCP machine type to deploy | `string` | `\"n1-standard-1\"` | no |\n| max\\_replicas | Maximum number of runner instances | `number` | `10` | no |\n| min\\_replicas | Minimum number of runner instances | `number` | `2` | no |\n| network\\_name | Name for the VPC network | `string` | `\"gh-runner-network\"` | no |\n| project\\_id | The project id to deploy Github Runner | `string` | n/a | yes |\n| region | The GCP region to deploy instances into | `string` | `\"us-east4\"` | no |\n| repo\\_name | Name of the repo for the Github Action | `string` | `\"\"` | no |\n| repo\\_owner | Owner of the repo for the Github Action | `string` | n/a | yes |\n| service\\_account | Service account email address | `string` | `\"\"` | no |\n| shutdown\\_script | User shutdown script to run when instances shutdown | `string` | `\"\"` | no |\n| source\\_image | Source disk image. If neither source\\_image nor source\\_image\\_family is specified, defaults to the latest public CentOS image. | `string` | `\"\"` | no |\n| source\\_image\\_family | Source image family. If neither source\\_image nor source\\_image\\_family is specified, defaults to the latest public Ubuntu image. | `string` | `\"ubuntu-1804-lts\"` | no |\n| source\\_image\\_project | Project where the source image comes from | `string` | `\"ubuntu-os-cloud\"` | no |\n| spot | Provision a SPOT instance | `bool` | `false` | no |\n| spot\\_instance\\_termination\\_action | Action to take when Compute Engine preempts a Spot VM. | `string` | `\"STOP\"` | no |\n| startup\\_script | User startup script to run when instances spin up | `string` | `\"\"` | no |\n| subnet\\_ip | IP range for the subnet | `string` | `\"10.10.10.0/24\"` | no |\n| subnet\\_name | Name for the subnet | `string` | `\"gh-runner-subnet\"` | no |\n| subnetwork\\_project | The ID of the project in which the subnetwork belongs. If it is not provided, the project\\_id is used. | `string` | `\"\"` | no |\n\n## Outputs\n\n| Name | Description |\n|------|-------------|\n| mig\\_instance\\_group | The instance group url of the created MIG |\n| mig\\_instance\\_template | The name of the MIG Instance Template |\n| mig\\_name | The name of the MIG |\n| network\\_name | Name of VPC |\n| service\\_account | Service account email for GCE |\n| subnet\\_name | Name of VPC |\n\n\n\n## Requirements\n\nBefore this module can be used on a project, you must ensure that the following pre-requisites are fulfilled:\n\n1. Required APIs are activated\n\n ```\n \"iam.googleapis.com\",\n \"compute.googleapis.com\",\n \"storage-component.googleapis.com\",\n \"logging.googleapis.com\",\n \"monitoring.googleapis.com\",\n \"secretmanager.googleapis.com\",\n ```\n" }, { "path": "modules/gh-runner-mig-vm/main.tf", "content": "/**\n * Copyright 2020 Google LLC\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nlocals {\n network_name = var.create_network ? google_compute_network.gh-network[0].self_link : var.network_name\n subnet_name = var.create_subnetwork ? google_compute_subnetwork.gh-subnetwork[0].self_link : var.subnet_name\n service_account = var.service_account == \"\" ? google_service_account.runner_service_account[0].email : var.service_account\n startup_script = var.startup_script == \"\" ? file(\"${path.module}/scripts/startup.sh\") : var.startup_script\n shutdown_script = var.shutdown_script == \"\" ? file(\"${path.module}/scripts/shutdown.sh\") : var.shutdown_script\n}\n\n/*****************************************\n Optional Runner Networking\n *****************************************/\nresource \"google_compute_network\" \"gh-network\" {\n count = var.create_network ? 1 : 0\n name = var.network_name\n project = var.project_id\n auto_create_subnetworks = false\n}\nresource \"google_compute_subnetwork\" \"gh-subnetwork\" {\n count = var.create_subnetwork ? 1 : 0\n project = var.project_id\n name = var.subnet_name\n ip_cidr_range = var.subnet_ip\n region = var.region\n network = local.network_name\n}\n\nresource \"google_compute_router\" \"default\" {\n count = var.create_network ? 1 : 0\n name = \"${var.network_name}-router\"\n network = google_compute_network.gh-network[0].self_link\n region = var.region\n project = var.project_id\n}\n\nresource \"google_compute_router_nat\" \"nat\" {\n count = var.create_network ? 1 : 0\n project = var.project_id\n name = \"${var.network_name}-nat\"\n router = google_compute_router.default[0].name\n region = google_compute_router.default[0].region\n nat_ip_allocate_option = \"AUTO_ONLY\"\n source_subnetwork_ip_ranges_to_nat = \"ALL_SUBNETWORKS_ALL_IP_RANGES\"\n}\n\n/*****************************************\n IAM Bindings GCE SVC\n *****************************************/\n\nresource \"google_service_account\" \"runner_service_account\" {\n count = var.service_account == \"\" ? 1 : 0\n project = var.project_id\n account_id = \"runner-service-account\"\n display_name = \"Github Runner GCE Service Account\"\n}\n\n/*****************************************\n Runner Secrets\n *****************************************/\nresource \"google_secret_manager_secret\" \"gh-secret\" {\n provider = google-beta\n project = var.project_id\n secret_id = \"gh-token\"\n\n labels = {\n label = \"gh-token\"\n }\n\n replication {\n user_managed {\n replicas {\n location = var.region\n }\n }\n }\n}\nresource \"google_secret_manager_secret_version\" \"gh-secret-version\" {\n provider = google-beta\n secret = google_secret_manager_secret.gh-secret.id\n secret_data = jsonencode({\n \"REPO_NAME\" = var.repo_name\n \"REPO_OWNER\" = var.repo_owner\n \"GITHUB_TOKEN\" = var.gh_token\n \"LABELS\" = join(\",\", var.gh_runner_labels)\n })\n}\n\n\nresource \"google_secret_manager_secret_iam_member\" \"gh-secret-member\" {\n provider = google-beta\n project = var.project_id\n secret_id = google_secret_manager_secret.gh-secret.id\n role = \"roles/secretmanager.secretAccessor\"\n member = \"serviceAccount:${local.service_account}\"\n}\n\n/*****************************************\n Runner GCE Instance Template\n *****************************************/\nlocals {\n instance_name = \"gh-runner-vm\"\n}\n\n\nmodule \"mig_template\" {\n source = \"terraform-google-modules/vm/google//modules/instance_template\"\n version = \"~> 13.0\"\n project_id = var.project_id\n machine_type = var.machine_type\n network = local.network_name\n subnetwork = local.subnet_name\n region = var.region\n subnetwork_project = var.subnetwork_project != \"\" ? var.subnetwork_project : var.project_id\n service_account = {\n email = local.service_account\n scopes = [\n \"https://www.googleapis.com/auth/cloud-platform\",\n ]\n }\n disk_size_gb = var.disk_size_gb\n disk_type = var.disk_type\n auto_delete = true\n name_prefix = \"gh-runner\"\n source_image_family = var.source_image_family\n source_image_project = var.source_image_project\n startup_script = local.startup_script\n source_image = var.source_image\n spot = var.spot\n spot_instance_termination_action = var.spot_instance_termination_action\n metadata = merge({\n \"secret-id\" = google_secret_manager_secret_version.gh-secret-version.name\n }, {\n \"shutdown-script\" = local.shutdown_script\n }, var.custom_metadata)\n tags = concat([\"gh-runner-vm\"], var.instance_tags)\n}\n/*****************************************\n Runner MIG\n *****************************************/\nmodule \"mig\" {\n source = \"terraform-google-modules/vm/google//modules/mig\"\n version = \"~> 13.0\"\n project_id = var.project_id\n hostname = local.instance_name\n region = var.region\n instance_template = module.mig_template.self_link\n\n /* autoscaler */\n autoscaling_enabled = true\n min_replicas = var.min_replicas\n max_replicas = var.max_replicas\n cooldown_period = var.cooldown_period\n}\n" }, { "path": "modules/gh-runner-mig-vm/metadata.yaml", "content": "# Copyright 2022 Google LLC\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n# http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\napiVersion: blueprints.cloud.google.com/v1alpha1\nkind: BlueprintMetadata\nmetadata:\n name: terraform-google-github-actions-runners\n annotations:\n config.kubernetes.io/local-config: \"true\"\nspec:\n title: \"\"\n source:\n repo: https://github.com/terraform-google-modules/terraform-google-github-actions-runners\n sourceType: git\n version: 5.1.0\n actuationTool:\n type: Terraform\n version: '>= 0.13'\n examples:\n - name: gh-org-runner-mig-native-simple\n location: examples/gh-org-runner-mig-native-simple\n - name: gh-runner-gke-dind\n location: examples/gh-runner-gke-dind\n - name: gh-runner-gke-simple\n location: examples/gh-runner-gke-simple\n - name: gh-runner-mig-container-vm-dind\n location: examples/gh-runner-mig-container-vm-dind\n - name: gh-runner-mig-container-vm-simple\n location: examples/gh-runner-mig-container-vm-simple\n - name: gh-runner-mig-native-packer\n location: examples/gh-runner-mig-native-packer\n - name: gh-runner-mig-native-simple\n location: examples/gh-runner-mig-native-simple\n - name: oidc-simple\n location: examples/oidc-simple\n variables:\n - name: cooldown_period\n description: The number of seconds that the autoscaler should wait before it starts collecting information from a new instance.\n type: number\n default: 60\n required: false\n - name: create_network\n description: When set to true, VPC,router and NAT will be auto created\n type: bool\n default: true\n required: false\n - name: create_subnetwork\n description: Whether to create subnetwork or use the one provided via subnet_name\n type: bool\n default: true\n required: false\n - name: custom_metadata\n description: User provided custom metadata\n type: map(any)\n default: {}\n required: false\n - name: gh_runner_labels\n description: 'GitHub runner labels to attach to the runners. Docs: https://docs.github.com/en/actions/hosting-your-own-runners/using-labels-with-self-hosted-runners'\n type: set(string)\n default: []\n required: false\n - name: gh_token\n description: Github token that is used for generating Self Hosted Runner Token\n type: string\n required: true\n - name: machine_type\n description: The GCP machine type to deploy\n type: string\n default: n1-standard-1\n required: false\n - name: max_replicas\n description: Maximum number of runner instances\n type: number\n default: 10\n required: false\n - name: min_replicas\n description: Minimum number of runner instances\n type: number\n default: 2\n required: false\n - name: network_name\n description: Name for the VPC network\n type: string\n default: gh-runner-network\n required: false\n - name: project_id\n description: The project id to deploy Github Runner\n type: string\n required: true\n - name: region\n description: The GCP region to deploy instances into\n type: string\n default: us-east4\n required: false\n - name: repo_name\n description: Name of the repo for the Github Action\n type: string\n default: \"\"\n required: false\n - name: repo_owner\n description: Owner of the repo for the Github Action\n type: string\n required: true\n - name: service_account\n description: Service account email address\n type: string\n default: \"\"\n required: false\n - name: shutdown_script\n description: User shutdown script to run when instances shutdown\n type: string\n default: \"\"\n required: false\n - name: source_image\n description: Source disk image. If neither source_image nor source_image_family is specified, defaults to the latest public CentOS image.\n type: string\n default: \"\"\n required: false\n - name: source_image_family\n description: Source image family. If neither source_image nor source_image_family is specified, defaults to the latest public Ubuntu image.\n type: string\n default: ubuntu-1804-lts\n required: false\n - name: source_image_project\n description: Project where the source image comes from\n type: string\n default: ubuntu-os-cloud\n required: false\n - name: startup_script\n description: User startup script to run when instances spin up\n type: string\n default: \"\"\n required: false\n - name: subnet_ip\n description: IP range for the subnet\n type: string\n default: 10.10.10.0/24\n required: false\n - name: subnet_name\n description: Name for the subnet\n type: string\n default: gh-runner-subnet\n required: false\n - name: subnetwork_project\n description: The ID of the project in which the subnetwork belongs. If it is not provided, the project_id is used.\n type: string\n default: \"\"\n required: false\n outputs:\n - name: mig_instance_group\n description: The instance group url of the created MIG\n - name: mig_instance_template\n description: The name of the MIG Instance Template\n - name: mig_name\n description: The name of the MIG\n - name: network_name\n description: Name of VPC\n - name: service_account\n description: Service account email for GCE\n - name: subnet_name\n description: Name of VPC\n roles:\n - level: Project\n roles:\n - roles/owner\n services:\n - cloudresourcemanager.googleapis.com\n - storage-api.googleapis.com\n - iam.googleapis.com\n - container.googleapis.com\n - serviceusage.googleapis.com\n" }, { "path": "modules/gh-runner-mig-vm/outputs.tf", "content": "/**\n * Copyright 2020 Google LLC\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\noutput \"mig_instance_group\" {\n description = \"The instance group url of the created MIG\"\n value = module.mig.instance_group\n}\n\noutput \"mig_name\" {\n description = \"The name of the MIG\"\n value = local.instance_name\n}\n\noutput \"mig_instance_template\" {\n description = \"The name of the MIG Instance Template\"\n value = module.mig_template.name\n}\n\noutput \"network_name\" {\n description = \"Name of VPC\"\n value = local.network_name\n}\n\noutput \"subnet_name\" {\n description = \"Name of VPC\"\n value = local.subnet_name\n}\n\noutput \"service_account\" {\n description = \"Service account email for GCE\"\n value = local.service_account\n}\n\n\n" }, { "path": "modules/gh-runner-mig-vm/scripts/shutdown.sh", "content": "#!/bin/bash\n# Copyright 2020 Google LLC\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n# http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\nsecretUri=$(curl -sS \"http://metadata.google.internal/computeMetadata/v1/instance/attributes/secret-id\" -H \"Metadata-Flavor: Google\")\n#secrets URI is of the form projects/$PROJECT_NUMBER/secrets/$SECRET_NAME/versions/$SECRET_VERSION\n#split into array based on `/` delimeter\nIFS=\"/\" read -r -a secretsConfig <<<\"$secretUri\"\n#get SECRET_NAME and SECRET_VERSION\nSECRET_NAME=${secretsConfig[3]}\nSECRET_VERSION=${secretsConfig[5]}\n#access secret from secretsmanager\nsecrets=$(gcloud secrets versions access \"$SECRET_VERSION\" --secret=\"$SECRET_NAME\")\n#set secrets as env vars\n# shellcheck disable=SC2046\n# we want to use wordsplitting\nexport $(echo \"$secrets\" | jq -r \"to_entries|map(\\\"\\(.key)=\\(.value|tostring)\\\")|.[]\")\n#stop and uninstall the runner service\ncd /runner || exit\n./svc.sh stop\n./svc.sh uninstall\nif [[ -z $REPO_NAME ]]; then\n # Remove action runner from the organisation\n POST_URL=\"https://api.github.com/orgs/${REPO_OWNER}/actions/runners/remove-token\"\nelse\n # Remove action runner from the repo\n POST_URL=\"https://api.github.com/repos/${REPO_OWNER}/${REPO_NAME}/actions/runners/remove-token\"\nfi\n#remove the runner configuration\nRUNNER_ALLOW_RUNASROOT=1 /runner/config.sh remove --unattended --token \"$(curl -sS --request POST --url \"$POST_URL\" --header \"authorization: Bearer ${GITHUB_TOKEN}\" --header \"content-type: application/json\" | jq -r .token)\"\n" }, { "path": "modules/gh-runner-mig-vm/scripts/startup.sh", "content": "#!/bin/bash\n# Copyright 2020 Google LLC\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n# http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\n#install jq\napt-get update\napt-get -y install jq\n\nsecretUri=$(curl -sS \"http://metadata.google.internal/computeMetadata/v1/instance/attributes/secret-id\" -H \"Metadata-Flavor: Google\")\n#secrets URI is of the form projects/$PROJECT_NUMBER/secrets/$SECRET_NAME/versions/$SECRET_VERSION\n#split into array based on `/` delimeter\nIFS=\"/\" read -r -a secretsConfig <<<\"$secretUri\"\n#get SECRET_NAME and SECRET_VERSION\nSECRET_NAME=${secretsConfig[3]}\nSECRET_VERSION=${secretsConfig[5]}\n#access secret from secretsmanager\nsecrets=$(gcloud secrets versions access \"$SECRET_VERSION\" --secret=\"$SECRET_NAME\")\n#set secrets as env vars\n# shellcheck disable=SC2046\n# we want to use wordsplitting\nexport $(echo \"$secrets\" | jq -r \"to_entries|map(\\\"\\(.key)=\\(.value|tostring)\\\")|.[]\")\n#github runner version\nGH_RUNNER_VERSION=\"2.283.2\"\n#get actions binary\ncurl -o actions.tar.gz --location \"https://github.com/actions/runner/releases/download/v${GH_RUNNER_VERSION}/actions-runner-linux-x64-${GH_RUNNER_VERSION}.tar.gz\"\nmkdir /runner\nmkdir /runner-tmp\ntar -zxf actions.tar.gz --directory /runner\nrm -f actions.tar.gz\n/runner/bin/installdependencies.sh\n#get actions token\n# shellcheck disable=SC2034\n# ACTIONS_RUNNER_INPUT_NAME is used by config.sh\nACTIONS_RUNNER_INPUT_NAME=$HOSTNAME\nif [[ -z $REPO_NAME ]]; then\n # Add action runner for an organisation\n POST_URL=\"https://api.github.com/orgs/${REPO_OWNER}/actions/runners/registration-token\"\n GH_URL=\"https://github.com/${REPO_OWNER}\"\nelse\n # Add action runner for a repo\n POST_URL=\"https://api.github.com/repos/${REPO_OWNER}/${REPO_NAME}/actions/runners/registration-token\"\n GH_URL=\"https://github.com/${REPO_OWNER}/${REPO_NAME}\"\nfi\n\n# Register runner\nACTIONS_RUNNER_INPUT_TOKEN=\"$(curl -sS --request POST --url \"$POST_URL\" --header \"authorization: Bearer ${GITHUB_TOKEN}\" --header 'content-type: application/json' | jq -r .token)\"\n#configure runner\nRUNNER_ALLOW_RUNASROOT=1 /runner/config.sh --unattended --replace --work \"/runner-tmp\" --url \"$GH_URL\" --token \"$ACTIONS_RUNNER_INPUT_TOKEN\" --labels \"$LABELS\"\n\n#install and start runner service\ncd /runner || exit\n./svc.sh install\n./svc.sh start\n" }, { "path": "modules/gh-runner-mig-vm/variables.tf", "content": "/**\n * Copyright 2020 Google LLC\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nvariable \"project_id\" {\n type = string\n description = \"The project id to deploy Github Runner\"\n}\nvariable \"region\" {\n type = string\n description = \"The GCP region to deploy instances into\"\n default = \"us-east4\"\n}\n\nvariable \"network_name\" {\n type = string\n description = \"Name for the VPC network\"\n default = \"gh-runner-network\"\n}\n\nvariable \"create_network\" {\n type = bool\n description = \"When set to true, VPC,router and NAT will be auto created\"\n default = true\n}\n\nvariable \"subnetwork_project\" {\n type = string\n description = \"The ID of the project in which the subnetwork belongs. If it is not provided, the project_id is used.\"\n default = \"\"\n}\n\nvariable \"subnet_ip\" {\n type = string\n description = \"IP range for the subnet\"\n default = \"10.10.10.0/24\"\n}\n\nvariable \"create_subnetwork\" {\n type = bool\n description = \"Whether to create subnetwork or use the one provided via subnet_name\"\n default = true\n}\n\nvariable \"subnet_name\" {\n type = string\n description = \"Name for the subnet\"\n default = \"gh-runner-subnet\"\n}\n\nvariable \"repo_name\" {\n type = string\n description = \"Name of the repo for the Github Action\"\n default = \"\"\n}\n\nvariable \"repo_owner\" {\n type = string\n description = \"Owner of the repo for the Github Action\"\n}\n\nvariable \"gh_runner_labels\" {\n type = set(string)\n description = \"GitHub runner labels to attach to the runners. Docs: https://docs.github.com/en/actions/hosting-your-own-runners/using-labels-with-self-hosted-runners\"\n default = []\n}\n\nvariable \"min_replicas\" {\n type = number\n description = \"Minimum number of runner instances\"\n default = 2\n}\n\nvariable \"max_replicas\" {\n type = number\n default = 10\n description = \"Maximum number of runner instances\"\n}\n\nvariable \"gh_token\" {\n type = string\n description = \"Github token that is used for generating Self Hosted Runner Token\"\n}\n\nvariable \"service_account\" {\n description = \"Service account email address\"\n type = string\n default = \"\"\n}\n\nvariable \"machine_type\" {\n type = string\n description = \"The GCP machine type to deploy\"\n default = \"n1-standard-1\"\n}\n\nvariable \"source_image_family\" {\n type = string\n description = \"Source image family. If neither source_image nor source_image_family is specified, defaults to the latest public Ubuntu image.\"\n default = \"ubuntu-1804-lts\"\n}\n\nvariable \"source_image_project\" {\n type = string\n description = \"Project where the source image comes from\"\n default = \"ubuntu-os-cloud\"\n}\n\nvariable \"source_image\" {\n type = string\n description = \"Source disk image. If neither source_image nor source_image_family is specified, defaults to the latest public CentOS image.\"\n default = \"\"\n}\n\nvariable \"startup_script\" {\n type = string\n description = \"User startup script to run when instances spin up\"\n default = \"\"\n}\n\nvariable \"shutdown_script\" {\n type = string\n description = \"User shutdown script to run when instances shutdown\"\n default = \"\"\n}\n\nvariable \"custom_metadata\" {\n type = map(any)\n description = \"User provided custom metadata\"\n default = {}\n}\n\nvariable \"cooldown_period\" {\n description = \"The number of seconds that the autoscaler should wait before it starts collecting information from a new instance.\"\n type = number\n default = 60\n}\n\nvariable \"instance_tags\" {\n type = list(string)\n description = \"Additional tags to add to the instances\"\n default = []\n}\n\nvariable \"spot\" {\n type = bool\n description = \"Provision a SPOT instance\"\n default = false\n}\n\nvariable \"spot_instance_termination_action\" {\n description = \"Action to take when Compute Engine preempts a Spot VM.\"\n type = string\n default = \"STOP\"\n}\n\nvariable \"disk_size_gb\" {\n type = number\n description = \"Instance disk size in GB\"\n default = 100\n}\n\nvariable \"disk_type\" {\n type = string\n description = \"Instance disk type, can be either pd-ssd, local-ssd, or pd-standard\"\n default = \"pd-ssd\"\n}\n" }, { "path": "modules/gh-runner-mig-vm/versions.tf", "content": "/**\n * Copyright 2021 Google LLC\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nterraform {\n required_version = \">= 1.3\"\n required_providers {\n\n google = {\n source = \"hashicorp/google\"\n version = \">= 3.53, < 8\"\n }\n google-beta = {\n source = \"hashicorp/google-beta\"\n version = \">= 3.53, < 8\"\n }\n }\n\n provider_meta \"google\" {\n module_name = \"blueprints/terraform/terraform-google-github-actions-runners:gh-runner-mig-vm/v5.1.0\"\n }\n\n provider_meta \"google-beta\" {\n module_name = \"blueprints/terraform/terraform-google-github-actions-runners:gh-runner-mig-vm/v5.1.0\"\n }\n\n}\n" }, { "path": "test/.gitignore", "content": "source.sh\n" }, { "path": "test/fixtures/gh-runner-mig-container-vm/main.tf", "content": "/**\n * Copyright 2020 Google LLC\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nmodule \"example_mig_runner\" {\n source = \"../../../examples/gh-runner-mig-container-vm-simple\"\n\n project_id = var.project_id_mig_container\n image = \"gcr.io/google-samples/hello-app:1.0\"\n repo_url = \"example\"\n repo_name = \"example\"\n repo_owner = \"example\"\n gh_token = \"example\"\n}\n" }, { "path": "test/fixtures/gh-runner-mig-container-vm/outputs.tf", "content": "/**\n * Copyright 2020 Google LLC\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\noutput \"project_id\" {\n value = var.project_id_mig_container\n}\n\noutput \"mig_instance_group\" {\n description = \"The instance group url of the created MIG\"\n value = module.example_mig_runner.mig_instance_group\n}\n\noutput \"mig_name\" {\n description = \"The name of the MIG\"\n value = module.example_mig_runner.mig_name\n}\n\noutput \"service_account\" {\n description = \"Service account email for GCE\"\n value = module.example_mig_runner.service_account\n}\n\noutput \"mig_instance_template\" {\n description = \"The name of the MIG Instance Template\"\n value = module.example_mig_runner.mig_instance_template\n}\n" }, { "path": "test/fixtures/gh-runner-mig-container-vm/variables.tf", "content": "/**\n * Copyright 2020 Google LLC\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nvariable \"project_id_mig_container\" {\n type = string\n description = \"The GCP project to use for integration tests\"\n}\n" }, { "path": "test/integration/discover_test.go", "content": "// Copyright 2022 Google LLC\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n// http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\npackage test\n\nimport (\n\t\"testing\"\n\n\t\"github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/tft\"\n)\n\nfunc TestAll(t *testing.T) {\n\ttft.AutoDiscoverAndTest(t)\n}\n" }, { "path": "test/integration/gh-runner-gke-dind/gh_runner_gke_dind_test.go", "content": "// Copyright 2024 Google LLC\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n// http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\npackage gh_runner_gke_dind\n\nimport (\n\t\"testing\"\n\n\t\"github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/gcloud\"\n\t\"github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/tft\"\n\t\"github.com/gruntwork-io/terratest/modules/k8s\"\n\t\"github.com/stretchr/testify/assert\"\n\t\"github.com/tidwall/gjson\"\n)\n\nfunc TestGhRunnerGkeDind(t *testing.T) {\n\tbpt := tft.NewTFBlueprintTest(t)\n\n\tbpt.DefineVerify(func(assert *assert.Assertions) {\n\t\tbpt.DefaultVerify(assert)\n\n\t\t// get outputs\n\t\tprojectId := bpt.GetStringOutput(\"project_id\")\n\t\tlocation := bpt.GetStringOutput(\"location\")\n\t\tclusterName := bpt.GetStringOutput(\"cluster_name\")\n\n\t\t// Check cluster is running\n\t\tcluster := gcloud.Runf(t, \"container clusters describe %s --location %s --project %s\", clusterName, location, projectId)\n\t\tassert.Contains([]string{\"RUNNING\"}, cluster.Get(\"status\").String())\n\n\t\t// Get cluster credentials\n\t\tgcloud.Runf(t, \"container clusters get-credentials %s --location %s --project %s\", clusterName, location, projectId)\n\t\tk8sOpts := k8s.KubectlOptions{}\n\n\t\tCheckPodsRunningInNamespace(\"arc-systems\", t, k8sOpts, assert)\n\t\tCheckPodsRunningInNamespace(\"arc-runners\", t, k8sOpts, assert)\n\t})\n\n\tbpt.Test()\n}\n\nfunc CheckPodsRunningInNamespace(namespace string, t *testing.T, k8sOpts k8s.KubectlOptions, assert *assert.Assertions) {\n\tpods, err := k8s.RunKubectlAndGetOutputE(t, &k8sOpts, \"get\", \"pods\", \"-n\", namespace, \"-o\", \"json\")\n\n\tif err != nil {\n\t\tt.Fatalf(\"Error getting pods: %s\", err)\n\t}\n\n\tstatuses := gjson.Get(pods, \"items.#.status.phase\")\n\n\tfor _, status := range statuses.Array() {\n\t\tassert.Equal(\"Running\", status.String())\n\t}\n}\n" }, { "path": "test/integration/gh-runner-gke-dind-rootless/gh_runner_gke_dind_rootless_test.go", "content": "// Copyright 2024 Google LLC\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n// http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\npackage gh_runner_gke_dind_rootless\n\nimport (\n\t\"testing\"\n\n\t\"github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/gcloud\"\n\t\"github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/tft\"\n\t\"github.com/gruntwork-io/terratest/modules/k8s\"\n\t\"github.com/stretchr/testify/assert\"\n\t\"github.com/tidwall/gjson\"\n)\n\nfunc TestGhRunnerGkeDindRootless(t *testing.T) {\n\tbpt := tft.NewTFBlueprintTest(t)\n\n\tbpt.DefineVerify(func(assert *assert.Assertions) {\n\t\tbpt.DefaultVerify(assert)\n\n\t\t// get outputs\n\t\tprojectId := bpt.GetStringOutput(\"project_id\")\n\t\tlocation := bpt.GetStringOutput(\"location\")\n\t\tclusterName := bpt.GetStringOutput(\"cluster_name\")\n\n\t\t// Check cluster is running\n\t\tcluster := gcloud.Runf(t, \"container clusters describe %s --location %s --project %s\", clusterName, location, projectId)\n\t\tassert.Contains([]string{\"RUNNING\"}, cluster.Get(\"status\").String())\n\n\t\t// Get cluster credentials\n\t\tgcloud.Runf(t, \"container clusters get-credentials %s --location %s --project %s\", clusterName, location, projectId)\n\t\tk8sOpts := k8s.KubectlOptions{}\n\n\t\tCheckPodsRunningInNamespace(\"arc-systems\", t, k8sOpts, assert)\n\t\tCheckPodsRunningInNamespace(\"arc-runners\", t, k8sOpts, assert)\n\t})\n\n\tbpt.Test()\n}\n\nfunc CheckPodsRunningInNamespace(namespace string, t *testing.T, k8sOpts k8s.KubectlOptions, assert *assert.Assertions) {\n\tpods, err := k8s.RunKubectlAndGetOutputE(t, &k8sOpts, \"get\", \"pods\", \"-n\", namespace, \"-o\", \"json\")\n\n\tif err != nil {\n\t\tt.Fatalf(\"Error getting pods: %s\", err)\n\t}\n\n\tstatuses := gjson.Get(pods, \"items.#.status.phase\")\n\n\tfor _, status := range statuses.Array() {\n\t\tassert.Equal(\"Running\", status.String())\n\t}\n}\n" }, { "path": "test/integration/gh-runner-gke-simple/gh_runner_gke_simple_test.go", "content": "// Copyright 2024 Google LLC\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n// http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\npackage gh_runner_gke_simple\n\nimport (\n\t\"testing\"\n\n\t\"github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/gcloud\"\n\t\"github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/tft\"\n\t\"github.com/gruntwork-io/terratest/modules/k8s\"\n\t\"github.com/stretchr/testify/assert\"\n\t\"github.com/tidwall/gjson\"\n)\n\nfunc TestGhRunnerGkeSimple(t *testing.T) {\n\tbpt := tft.NewTFBlueprintTest(t)\n\n\tbpt.DefineVerify(func(assert *assert.Assertions) {\n\t\tbpt.DefaultVerify(assert)\n\n\t\t// get outputs\n\t\tprojectId := bpt.GetStringOutput(\"project_id\")\n\t\tlocation := bpt.GetStringOutput(\"location\")\n\t\tclusterName := bpt.GetStringOutput(\"cluster_name\")\n\n\t\t// Check cluster is running\n\t\tcluster := gcloud.Runf(t, \"container clusters describe %s --location %s --project %s\", clusterName, location, projectId)\n\t\tassert.Contains([]string{\"RUNNING\"}, cluster.Get(\"status\").String())\n\n\t\t// Get cluster credentials\n\t\tgcloud.Runf(t, \"container clusters get-credentials %s --location %s --project %s\", clusterName, location, projectId)\n\t\tk8sOpts := k8s.KubectlOptions{}\n\n\t\tCheckPodsRunningInNamespace(\"arc-systems\", t, k8sOpts, assert)\n\t\tCheckPodsRunningInNamespace(\"arc-runners\", t, k8sOpts, assert)\n\t})\n\n\tbpt.Test()\n}\n\nfunc CheckPodsRunningInNamespace(namespace string, t *testing.T, k8sOpts k8s.KubectlOptions, assert *assert.Assertions) {\n\tpods, err := k8s.RunKubectlAndGetOutputE(t, &k8sOpts, \"get\", \"pods\", \"-n\", namespace, \"-o\", \"json\")\n\n\tif err != nil {\n\t\tt.Fatalf(\"Error getting pods: %s\", err)\n\t}\n\n\tstatuses := gjson.Get(pods, \"items.#.status.phase\")\n\n\tfor _, status := range statuses.Array() {\n\t\tassert.Equal(\"Running\", status.String())\n\t}\n}\n" }, { "path": "test/integration/gh-runner-mig-container-vm/gh_runner_mig_container_vm_test.go", "content": "// Copyright 2021 Google LLC\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n// http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\npackage gh_runner_mig_container_vm\n\nimport (\n\t\"testing\"\n\n\t\"github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/gcloud\"\n\t\"github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/tft\"\n\t\"github.com/stretchr/testify/assert\"\n)\n\nfunc TestGHRunnerMIGContainerVM(t *testing.T) {\n\tbpt := tft.NewTFBlueprintTest(t)\n\tbpt.DefineVerify(func(assert *assert.Assertions) {\n\t\tbpt.DefaultVerify(assert)\n\n\t\t// get outputs\n\t\tprojectId := bpt.GetStringOutput(\"project_id\")\n\t\tmigName := bpt.GetStringOutput(\"mig_name\")\n\t\tmigInstanceTemplateName := bpt.GetStringOutput(\"mig_instance_template\")\n\n\t\t// Check mig exists\n\t\tmig := gcloud.Runf(t, \"compute instances list --project %s --filter='%s'\", projectId, migName)\n\t\tassert.NotNil(t, mig)\n\n\t\t// Check IT exists\n\t\tit := gcloud.Runf(t, \"compute instance-templates list --project %s --filter='%s'\", projectId, migInstanceTemplateName)\n\t\tassert.NotNil(t, it)\n\t})\n\n\tbpt.Test()\n}\n" }, { "path": "test/integration/go.mod", "content": "module github.com/terraform-google-modules/terraform-google-github-actions-runners/test/integration\n\ngo 1.24.0\n\ntoolchain go1.24.10\n\nrequire (\n\tgithub.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.17.9\n\tgithub.com/gruntwork-io/terratest v0.52.0\n\tgithub.com/stretchr/testify v1.11.1\n\tgithub.com/tidwall/gjson v1.18.0\n)\n\nrequire (\n\tfilippo.io/edwards25519 v1.1.0 // indirect\n\tgithub.com/agext/levenshtein v1.2.3 // indirect\n\tgithub.com/alexflint/go-filemutex v1.3.0 // indirect\n\tgithub.com/apparentlymart/go-textseg/v15 v15.0.0 // indirect\n\tgithub.com/aws/aws-sdk-go-v2 v1.32.5 // indirect\n\tgithub.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.7 // indirect\n\tgithub.com/aws/aws-sdk-go-v2/config v1.28.5 // indirect\n\tgithub.com/aws/aws-sdk-go-v2/credentials v1.17.46 // indirect\n\tgithub.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.20 // indirect\n\tgithub.com/aws/aws-sdk-go-v2/feature/s3/manager v1.17.41 // indirect\n\tgithub.com/aws/aws-sdk-go-v2/internal/configsources v1.3.24 // indirect\n\tgithub.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.24 // indirect\n\tgithub.com/aws/aws-sdk-go-v2/internal/ini v1.8.1 // indirect\n\tgithub.com/aws/aws-sdk-go-v2/internal/v4a v1.3.24 // indirect\n\tgithub.com/aws/aws-sdk-go-v2/service/acm v1.30.6 // indirect\n\tgithub.com/aws/aws-sdk-go-v2/service/autoscaling v1.51.0 // indirect\n\tgithub.com/aws/aws-sdk-go-v2/service/cloudwatchlogs v1.44.0 // indirect\n\tgithub.com/aws/aws-sdk-go-v2/service/dynamodb v1.37.1 // indirect\n\tgithub.com/aws/aws-sdk-go-v2/service/ec2 v1.193.0 // indirect\n\tgithub.com/aws/aws-sdk-go-v2/service/ecr v1.36.6 // indirect\n\tgithub.com/aws/aws-sdk-go-v2/service/ecs v1.52.0 // indirect\n\tgithub.com/aws/aws-sdk-go-v2/service/iam v1.38.1 // indirect\n\tgithub.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.1 // indirect\n\tgithub.com/aws/aws-sdk-go-v2/service/internal/checksum v1.4.5 // indirect\n\tgithub.com/aws/aws-sdk-go-v2/service/internal/endpoint-discovery v1.10.5 // indirect\n\tgithub.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.5 // indirect\n\tgithub.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.18.5 // indirect\n\tgithub.com/aws/aws-sdk-go-v2/service/kms v1.37.6 // indirect\n\tgithub.com/aws/aws-sdk-go-v2/service/lambda v1.69.0 // indirect\n\tgithub.com/aws/aws-sdk-go-v2/service/rds v1.91.0 // indirect\n\tgithub.com/aws/aws-sdk-go-v2/service/route53 v1.46.2 // indirect\n\tgithub.com/aws/aws-sdk-go-v2/service/s3 v1.69.0 // indirect\n\tgithub.com/aws/aws-sdk-go-v2/service/secretsmanager v1.34.6 // indirect\n\tgithub.com/aws/aws-sdk-go-v2/service/sns v1.33.6 // indirect\n\tgithub.com/aws/aws-sdk-go-v2/service/sqs v1.37.1 // indirect\n\tgithub.com/aws/aws-sdk-go-v2/service/ssm v1.56.0 // indirect\n\tgithub.com/aws/aws-sdk-go-v2/service/sso v1.24.6 // indirect\n\tgithub.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.5 // indirect\n\tgithub.com/aws/aws-sdk-go-v2/service/sts v1.33.1 // indirect\n\tgithub.com/aws/smithy-go v1.22.1 // indirect\n\tgithub.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d // indirect\n\tgithub.com/boombuler/barcode v1.0.1 // indirect\n\tgithub.com/cpuguy83/go-md2man/v2 v2.0.5 // indirect\n\tgithub.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect\n\tgithub.com/emicklei/go-restful/v3 v3.12.2 // indirect\n\tgithub.com/fxamacker/cbor/v2 v2.9.0 // indirect\n\tgithub.com/go-errors/errors v1.5.0 // indirect\n\tgithub.com/go-logr/logr v1.4.2 // indirect\n\tgithub.com/go-openapi/jsonpointer v0.21.0 // indirect\n\tgithub.com/go-openapi/jsonreference v0.20.2 // indirect\n\tgithub.com/go-openapi/swag v0.23.0 // indirect\n\tgithub.com/go-sql-driver/mysql v1.8.1 // indirect\n\tgithub.com/gogo/protobuf v1.3.2 // indirect\n\tgithub.com/google/gnostic-models v0.7.0 // indirect\n\tgithub.com/google/go-cmp v0.7.0 // indirect\n\tgithub.com/google/uuid v1.6.0 // indirect\n\tgithub.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674 // indirect\n\tgithub.com/gruntwork-io/go-commons v0.17.1 // indirect\n\tgithub.com/hashicorp/errwrap v1.1.0 // indirect\n\tgithub.com/hashicorp/go-cleanhttp v0.5.2 // indirect\n\tgithub.com/hashicorp/go-getter/v2 v2.2.3 // indirect\n\tgithub.com/hashicorp/go-multierror v1.1.1 // indirect\n\tgithub.com/hashicorp/go-safetemp v1.0.0 // indirect\n\tgithub.com/hashicorp/go-version v1.7.0 // indirect\n\tgithub.com/hashicorp/hcl v0.0.0-20170504190234-a4b07c25de5f // indirect\n\tgithub.com/hashicorp/hcl/v2 v2.22.0 // indirect\n\tgithub.com/hashicorp/terraform-config-inspect v0.0.0-20250731202709-e8a84eebd3e7 // indirect\n\tgithub.com/hashicorp/terraform-json v0.26.0 // indirect\n\tgithub.com/jackc/pgpassfile v1.0.0 // indirect\n\tgithub.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 // indirect\n\tgithub.com/jackc/pgx/v5 v5.7.1 // indirect\n\tgithub.com/jackc/puddle/v2 v2.2.2 // indirect\n\tgithub.com/jinzhu/copier v0.4.0 // indirect\n\tgithub.com/jmespath/go-jmespath v0.4.0 // indirect\n\tgithub.com/josharian/intern v1.0.0 // indirect\n\tgithub.com/json-iterator/go v1.1.12 // indirect\n\tgithub.com/klauspost/compress v1.16.7 // indirect\n\tgithub.com/mailru/easyjson v0.7.7 // indirect\n\tgithub.com/mattn/go-shellwords v1.0.12 // indirect\n\tgithub.com/mattn/go-zglob v0.0.4 // indirect\n\tgithub.com/mitchellh/go-homedir v1.1.0 // indirect\n\tgithub.com/mitchellh/go-testing-interface v1.14.2-0.20210821155943-2d9075ca8770 // indirect\n\tgithub.com/mitchellh/go-wordwrap v1.0.1 // indirect\n\tgithub.com/moby/spdystream v0.5.0 // indirect\n\tgithub.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect\n\tgithub.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect\n\tgithub.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect\n\tgithub.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f // indirect\n\tgithub.com/pkg/errors v0.9.1 // indirect\n\tgithub.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect\n\tgithub.com/pquerna/otp v1.4.0 // indirect\n\tgithub.com/russross/blackfriday/v2 v2.1.0 // indirect\n\tgithub.com/spf13/pflag v1.0.6 // indirect\n\tgithub.com/tidwall/match v1.1.1 // indirect\n\tgithub.com/tidwall/pretty v1.2.1 // indirect\n\tgithub.com/tidwall/sjson v1.2.5 // indirect\n\tgithub.com/tmccombs/hcl2json v0.6.4 // indirect\n\tgithub.com/ulikunitz/xz v0.5.14 // indirect\n\tgithub.com/urfave/cli/v2 v2.25.7 // indirect\n\tgithub.com/x448/float16 v0.8.4 // indirect\n\tgithub.com/xrash/smetrics v0.0.0-20201216005158-039620a65673 // indirect\n\tgithub.com/zclconf/go-cty v1.16.3 // indirect\n\tgo.yaml.in/yaml/v2 v2.4.2 // indirect\n\tgo.yaml.in/yaml/v3 v3.0.4 // indirect\n\tgolang.org/x/crypto v0.41.0 // indirect\n\tgolang.org/x/mod v0.27.0 // indirect\n\tgolang.org/x/net v0.43.0 // indirect\n\tgolang.org/x/oauth2 v0.27.0 // indirect\n\tgolang.org/x/sync v0.16.0 // indirect\n\tgolang.org/x/sys v0.35.0 // indirect\n\tgolang.org/x/term v0.34.0 // indirect\n\tgolang.org/x/text v0.28.0 // indirect\n\tgolang.org/x/time v0.9.0 // indirect\n\tgolang.org/x/tools v0.36.0 // indirect\n\tgoogle.golang.org/protobuf v1.36.5 // indirect\n\tgopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect\n\tgopkg.in/inf.v0 v0.9.1 // indirect\n\tgopkg.in/yaml.v3 v3.0.1 // indirect\n\tk8s.io/api v0.34.0 // indirect\n\tk8s.io/apimachinery v0.34.0 // indirect\n\tk8s.io/client-go v0.34.0 // indirect\n\tk8s.io/klog/v2 v2.130.1 // indirect\n\tk8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b // indirect\n\tk8s.io/utils v0.0.0-20250604170112-4c0f3b243397 // indirect\n\tsigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 // indirect\n\tsigs.k8s.io/kustomize/kyaml v0.20.1 // indirect\n\tsigs.k8s.io/randfill v1.0.0 // indirect\n\tsigs.k8s.io/structured-merge-diff/v6 v6.3.0 // indirect\n\tsigs.k8s.io/yaml v1.6.0 // indirect\n)\n" }, { "path": "test/integration/go.sum", "content": "filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA=\nfilippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4=\ngithub.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.17.9 h1:R7TF5kSOr+6fu9CFCdza5DIFLCQYGrQP923G7SaHd2Y=\ngithub.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.17.9/go.mod h1:KfuvXj6g70rv3AI3D0+4aq9Icf/Axu156s6h1JeDJt4=\ngithub.com/agext/levenshtein v1.2.3 h1:YB2fHEn0UJagG8T1rrWknE3ZQzWM06O8AMAatNn7lmo=\ngithub.com/agext/levenshtein v1.2.3/go.mod h1:JEDfjyjHDjOF/1e4FlBE/PkbqA9OfWu2ki2W0IB5558=\ngithub.com/alexflint/go-filemutex v1.3.0 h1:LgE+nTUWnQCyRKbpoceKZsPQbs84LivvgwUymZXdOcM=\ngithub.com/alexflint/go-filemutex v1.3.0/go.mod h1:U0+VA/i30mGBlLCrFPGtTe9y6wGQfNAWPBTekHQ+c8A=\ngithub.com/apparentlymart/go-textseg/v15 v15.0.0 h1:uYvfpb3DyLSCGWnctWKGj857c6ew1u1fNQOlOtuGxQY=\ngithub.com/apparentlymart/go-textseg/v15 v15.0.0/go.mod h1:K8XmNZdhEBkdlyDdvbmmsvpAG721bKi0joRfFdHIWJ4=\ngithub.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio=\ngithub.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=\ngithub.com/aws/aws-sdk-go-v2 v1.32.5 h1:U8vdWJuY7ruAkzaOdD7guwJjD06YSKmnKCJs7s3IkIo=\ngithub.com/aws/aws-sdk-go-v2 v1.32.5/go.mod h1:P5WJBrYqqbWVaOxgH0X/FYYD47/nooaPOZPlQdmiN2U=\ngithub.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.7 h1:lL7IfaFzngfx0ZwUGOZdsFFnQ5uLvR0hWqqhyE7Q9M8=\ngithub.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.7/go.mod h1:QraP0UcVlQJsmHfioCrveWOC1nbiWUl3ej08h4mXWoc=\ngithub.com/aws/aws-sdk-go-v2/config v1.28.5 h1:Za41twdCXbuyyWv9LndXxZZv3QhTG1DinqlFsSuvtI0=\ngithub.com/aws/aws-sdk-go-v2/config v1.28.5/go.mod h1:4VsPbHP8JdcdUDmbTVgNL/8w9SqOkM5jyY8ljIxLO3o=\ngithub.com/aws/aws-sdk-go-v2/credentials v1.17.46 h1:AU7RcriIo2lXjUfHFnFKYsLCwgbz1E7Mm95ieIRDNUg=\ngithub.com/aws/aws-sdk-go-v2/credentials v1.17.46/go.mod h1:1FmYyLGL08KQXQ6mcTlifyFXfJVCNJTVGuQP4m0d/UA=\ngithub.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.20 h1:sDSXIrlsFSFJtWKLQS4PUWRvrT580rrnuLydJrCQ/yA=\ngithub.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.20/go.mod h1:WZ/c+w0ofps+/OUqMwWgnfrgzZH1DZO1RIkktICsqnY=\ngithub.com/aws/aws-sdk-go-v2/feature/s3/manager v1.17.41 h1:hqcxMc2g/MwwnRMod9n6Bd+t+9Nf7d5qRg7RaXKPd6o=\ngithub.com/aws/aws-sdk-go-v2/feature/s3/manager v1.17.41/go.mod h1:d1eH0VrttvPmrCraU68LOyNdu26zFxQFjrVSb5vdhog=\ngithub.com/aws/aws-sdk-go-v2/internal/configsources v1.3.24 h1:4usbeaes3yJnCFC7kfeyhkdkPtoRYPa/hTmCqMpKpLI=\ngithub.com/aws/aws-sdk-go-v2/internal/configsources v1.3.24/go.mod h1:5CI1JemjVwde8m2WG3cz23qHKPOxbpkq0HaoreEgLIY=\ngithub.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.24 h1:N1zsICrQglfzaBnrfM0Ys00860C+QFwu6u/5+LomP+o=\ngithub.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.24/go.mod h1:dCn9HbJ8+K31i8IQ8EWmWj0EiIk0+vKiHNMxTTYveAg=\ngithub.com/aws/aws-sdk-go-v2/internal/ini v1.8.1 h1:VaRN3TlFdd6KxX1x3ILT5ynH6HvKgqdiXoTxAF4HQcQ=\ngithub.com/aws/aws-sdk-go-v2/internal/ini v1.8.1/go.mod h1:FbtygfRFze9usAadmnGJNc8KsP346kEe+y2/oyhGAGc=\ngithub.com/aws/aws-sdk-go-v2/internal/v4a v1.3.24 h1:JX70yGKLj25+lMC5Yyh8wBtvB01GDilyRuJvXJ4piD0=\ngithub.com/aws/aws-sdk-go-v2/internal/v4a v1.3.24/go.mod h1:+Ln60j9SUTD0LEwnhEB0Xhg61DHqplBrbZpLgyjoEHg=\ngithub.com/aws/aws-sdk-go-v2/service/acm v1.30.6 h1:fDg0RlN30Xf/yYzEUL/WXqhmgFsjVb/I3230oCfyI5w=\ngithub.com/aws/aws-sdk-go-v2/service/acm v1.30.6/go.mod h1:zRR6jE3v/TcbfO8C2P+H0Z+kShiKKVaVyoIl8NQRjyg=\ngithub.com/aws/aws-sdk-go-v2/service/autoscaling v1.51.0 h1:1KzQVZi7OTixxaVJ8fWaJAUBjme+iQ3zBOCZhE4RgxQ=\ngithub.com/aws/aws-sdk-go-v2/service/autoscaling v1.51.0/go.mod h1:I1+/2m+IhnK5qEbhS3CrzjeiVloo9sItE/2K+so0fkU=\ngithub.com/aws/aws-sdk-go-v2/service/cloudwatchlogs v1.44.0 h1:OREVd94+oXW5a+3SSUAo4K0L5ci8cucCLu+PSiek8OU=\ngithub.com/aws/aws-sdk-go-v2/service/cloudwatchlogs v1.44.0/go.mod h1:Qbr4yfpNqVNl69l/GEDK+8wxLf/vHi0ChoiSDzD7thU=\ngithub.com/aws/aws-sdk-go-v2/service/dynamodb v1.37.1 h1:vucMirlM6D+RDU8ncKaSZ/5dGrXNajozVwpmWNPn2gQ=\ngithub.com/aws/aws-sdk-go-v2/service/dynamodb v1.37.1/go.mod h1:fceORfs010mNxZbQhfqUjUeHlTwANmIT4mvHamuUaUg=\ngithub.com/aws/aws-sdk-go-v2/service/ec2 v1.193.0 h1:RhSoBFT5/8tTmIseJUXM6INTXTQDF8+0oyxWBnozIms=\ngithub.com/aws/aws-sdk-go-v2/service/ec2 v1.193.0/go.mod h1:mzj8EEjIHSN2oZRXiw1Dd+uB4HZTl7hC8nBzX9IZMWw=\ngithub.com/aws/aws-sdk-go-v2/service/ecr v1.36.6 h1:zg+3FGHA0PBs0KM25qE/rOf2o5zsjNa1g/Qq83+SDI0=\ngithub.com/aws/aws-sdk-go-v2/service/ecr v1.36.6/go.mod h1:ZSq54Z9SIsOTf1Efwgw1msilSs4XVEfVQiP9nYVnKpM=\ngithub.com/aws/aws-sdk-go-v2/service/ecs v1.52.0 h1:7/vgFWplkusJN/m+3QOa+W9FNRqa8ujMPNmdufRaJpg=\ngithub.com/aws/aws-sdk-go-v2/service/ecs v1.52.0/go.mod h1:dPTOvmjJQ1T7Q+2+Xs2KSPrMvx+p0rpyV+HsQVnUK4o=\ngithub.com/aws/aws-sdk-go-v2/service/iam v1.38.1 h1:hfkzDZHBp9jAT4zcd5mtqckpU4E3Ax0LQaEWWk1VgN8=\ngithub.com/aws/aws-sdk-go-v2/service/iam v1.38.1/go.mod h1:u36ahDtZcQHGmVm/r+0L1sfKX4fzLEMdCqiKRKkUMVM=\ngithub.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.1 h1:iXtILhvDxB6kPvEXgsDhGaZCSC6LQET5ZHSdJozeI0Y=\ngithub.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.1/go.mod h1:9nu0fVANtYiAePIBh2/pFUSwtJ402hLnp854CNoDOeE=\ngithub.com/aws/aws-sdk-go-v2/service/internal/checksum v1.4.5 h1:gvZOjQKPxFXy1ft3QnEyXmT+IqneM9QAUWlM3r0mfqw=\ngithub.com/aws/aws-sdk-go-v2/service/internal/checksum v1.4.5/go.mod h1:DLWnfvIcm9IET/mmjdxeXbBKmTCm0ZB8p1za9BVteM8=\ngithub.com/aws/aws-sdk-go-v2/service/internal/endpoint-discovery v1.10.5 h1:3Y457U2eGukmjYjeHG6kanZpDzJADa2m0ADqnuePYVQ=\ngithub.com/aws/aws-sdk-go-v2/service/internal/endpoint-discovery v1.10.5/go.mod h1:CfwEHGkTjYZpkQ/5PvcbEtT7AJlG68KkEvmtwU8z3/U=\ngithub.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.5 h1:wtpJ4zcwrSbwhECWQoI/g6WM9zqCcSpHDJIWSbMLOu4=\ngithub.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.5/go.mod h1:qu/W9HXQbbQ4+1+JcZp0ZNPV31ym537ZJN+fiS7Ti8E=\ngithub.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.18.5 h1:P1doBzv5VEg1ONxnJss1Kh5ZG/ewoIE4MQtKKc6Crgg=\ngithub.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.18.5/go.mod h1:NOP+euMW7W3Ukt28tAxPuoWao4rhhqJD3QEBk7oCg7w=\ngithub.com/aws/aws-sdk-go-v2/service/kms v1.37.6 h1:CZImQdb1QbU9sGgJ9IswhVkxAcjkkD1eQTMA1KHWk+E=\ngithub.com/aws/aws-sdk-go-v2/service/kms v1.37.6/go.mod h1:YJDdlK0zsyxVBxGU48AR/Mi8DMrGdc1E3Yij4fNrONA=\ngithub.com/aws/aws-sdk-go-v2/service/lambda v1.69.0 h1:BXt75frE/FYtAmEDBJRBa2HexOw+oAZWZl6QknZEFgg=\ngithub.com/aws/aws-sdk-go-v2/service/lambda v1.69.0/go.mod h1:guz2K3x4FKSdDaoeB+TPVgJNU9oj2gftbp5cR8ela1A=\ngithub.com/aws/aws-sdk-go-v2/service/rds v1.91.0 h1:eqHz3Uih+gb0vLE5Cc4Xf733vOxsxDp6GFUUVQU4d7w=\ngithub.com/aws/aws-sdk-go-v2/service/rds v1.91.0/go.mod h1:h2jc7IleH3xHY7y+h8FH7WAZcz3IVLOB6/jXotIQ/qU=\ngithub.com/aws/aws-sdk-go-v2/service/route53 v1.46.2 h1:wmt05tPp/CaRZpPV5B4SaJ5TwkHKom07/BzHoLdkY1o=\ngithub.com/aws/aws-sdk-go-v2/service/route53 v1.46.2/go.mod h1:d+K9HESMpGb1EU9/UmmpInbGIUcAkwmcY6ZO/A3zZsw=\ngithub.com/aws/aws-sdk-go-v2/service/s3 v1.69.0 h1:Q2ax8S21clKOnHhhr933xm3JxdJebql+R7aNo7p7GBQ=\ngithub.com/aws/aws-sdk-go-v2/service/s3 v1.69.0/go.mod h1:ralv4XawHjEMaHOWnTFushl0WRqim/gQWesAMF6hTow=\ngithub.com/aws/aws-sdk-go-v2/service/secretsmanager v1.34.6 h1:1KDMKvOKNrpD667ORbZ/+4OgvUoaok1gg/MLzrHF9fw=\ngithub.com/aws/aws-sdk-go-v2/service/secretsmanager v1.34.6/go.mod h1:DmtyfCfONhOyVAJ6ZMTrDSFIeyCBlEO93Qkfhxwbxu0=\ngithub.com/aws/aws-sdk-go-v2/service/sns v1.33.6 h1:lEUtRHICiXsd7VRwRjXaY7MApT2X4Ue0Mrwe6XbyBro=\ngithub.com/aws/aws-sdk-go-v2/service/sns v1.33.6/go.mod h1:SODr0Lu3lFdT0SGsGX1TzFTapwveBrT5wztVoYtppm8=\ngithub.com/aws/aws-sdk-go-v2/service/sqs v1.37.1 h1:39WvSrVq9DD6UHkD+fx5x19P5KpRQfNdtgReDVNbelc=\ngithub.com/aws/aws-sdk-go-v2/service/sqs v1.37.1/go.mod h1:3gwPzC9LER/BTQdQZ3r6dUktb1rSjABF1D3Sr6nS7VU=\ngithub.com/aws/aws-sdk-go-v2/service/ssm v1.56.0 h1:mADKqoZaodipGgiZfuAjtlcr4IVBtXPZKVjkzUZCCYM=\ngithub.com/aws/aws-sdk-go-v2/service/ssm v1.56.0/go.mod h1:l9qF25TzH95FhcIak6e4vt79KE4I7M2Nf59eMUVjj6c=\ngithub.com/aws/aws-sdk-go-v2/service/sso v1.24.6 h1:3zu537oLmsPfDMyjnUS2g+F2vITgy5pB74tHI+JBNoM=\ngithub.com/aws/aws-sdk-go-v2/service/sso v1.24.6/go.mod h1:WJSZH2ZvepM6t6jwu4w/Z45Eoi75lPN7DcydSRtJg6Y=\ngithub.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.5 h1:K0OQAsDywb0ltlFrZm0JHPY3yZp/S9OaoLU33S7vPS8=\ngithub.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.5/go.mod h1:ORITg+fyuMoeiQFiVGoqB3OydVTLkClw/ljbblMq6Cc=\ngithub.com/aws/aws-sdk-go-v2/service/sts v1.33.1 h1:6SZUVRQNvExYlMLbHdlKB48x0fLbc2iVROyaNEwBHbU=\ngithub.com/aws/aws-sdk-go-v2/service/sts v1.33.1/go.mod h1:GqWyYCwLXnlUB1lOAXQyNSPqPLQJvmo8J0DWBzp9mtg=\ngithub.com/aws/smithy-go v1.22.1 h1:/HPHZQ0g7f4eUeK6HKglFz8uwVfZKgoI25rb/J+dnro=\ngithub.com/aws/smithy-go v1.22.1/go.mod h1:irrKGvNn1InZwb2d7fkIRNucdfwR8R+Ts3wxYa/cJHg=\ngithub.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d h1:xDfNPAt8lFiC1UJrqV3uuy861HCTo708pDMbjHHdCas=\ngithub.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d/go.mod h1:6QX/PXZ00z/TKoufEY6K/a0k6AhaJrQKdFe6OfVXsa4=\ngithub.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8=\ngithub.com/boombuler/barcode v1.0.1 h1:NDBbPmhS+EqABEs5Kg3n/5ZNjy73Pz7SIV+KCeqyXcs=\ngithub.com/boombuler/barcode v1.0.1/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8=\ngithub.com/cpuguy83/go-md2man/v2 v2.0.5 h1:ZtcqGrnekaHpVLArFSe4HK5DoKx1T0rq2DwVB0alcyc=\ngithub.com/cpuguy83/go-md2man/v2 v2.0.5/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=\ngithub.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=\ngithub.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=\ngithub.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=\ngithub.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=\ngithub.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=\ngithub.com/emicklei/go-restful/v3 v3.12.2 h1:DhwDP0vY3k8ZzE0RunuJy8GhNpPL6zqLkDf9B/a0/xU=\ngithub.com/emicklei/go-restful/v3 v3.12.2/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=\ngithub.com/fxamacker/cbor/v2 v2.9.0 h1:NpKPmjDBgUfBms6tr6JZkTHtfFGcMKsw3eGcmD/sapM=\ngithub.com/fxamacker/cbor/v2 v2.9.0/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj23V5ytsSxQ=\ngithub.com/go-errors/errors v1.5.0 h1:/EuijeGOu7ckFxzhkj4CXJ8JaenxK7bKUxpPYqeLHqQ=\ngithub.com/go-errors/errors v1.5.0/go.mod h1:sIVyrIiJhuEF+Pj9Ebtd6P/rEYROXFi3BopGUQ5a5Og=\ngithub.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=\ngithub.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=\ngithub.com/go-openapi/jsonpointer v0.19.6/go.mod h1:osyAmYz/mB/C3I+WsTTSgw1ONzaLJoLCyoi6/zppojs=\ngithub.com/go-openapi/jsonpointer v0.21.0 h1:YgdVicSA9vH5RiHs9TZW5oyafXZFc6+2Vc1rr/O9oNQ=\ngithub.com/go-openapi/jsonpointer v0.21.0/go.mod h1:IUyH9l/+uyhIYQ/PXVA41Rexl+kOkAPDdXEYns6fzUY=\ngithub.com/go-openapi/jsonreference v0.20.2 h1:3sVjiK66+uXK/6oQ8xgcRKcFgQ5KXa2KvnJRumpMGbE=\ngithub.com/go-openapi/jsonreference v0.20.2/go.mod h1:Bl1zwGIM8/wsvqjsOQLJ/SH+En5Ap4rVB5KVcIDZG2k=\ngithub.com/go-openapi/swag v0.22.3/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14=\ngithub.com/go-openapi/swag v0.23.0 h1:vsEVJDUo2hPJ2tu0/Xc+4noaxyEffXNIs3cOULZ+GrE=\ngithub.com/go-openapi/swag v0.23.0/go.mod h1:esZ8ITTYEsH1V2trKHjAN8Ai7xHb8RV+YSZ577vPjgQ=\ngithub.com/go-sql-driver/mysql v1.8.1 h1:LedoTUt/eveggdHS9qUFC1EFSa8bU2+1pZjSRpvNJ1Y=\ngithub.com/go-sql-driver/mysql v1.8.1/go.mod h1:wEBSXgmK//2ZFJyE+qWnIsVGmvmEKlqwuVSjsCm7DZg=\ngithub.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI=\ngithub.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8=\ngithub.com/go-test/deep v1.0.7 h1:/VSMRlnY/JSyqxQUzQLKVMAskpY/NZKFA5j2P+0pP2M=\ngithub.com/go-test/deep v1.0.7/go.mod h1:QV8Hv/iy04NyLBxAdO9njL0iVPN1S4d/A3NVv1V36o8=\ngithub.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=\ngithub.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=\ngithub.com/google/gnostic-models v0.7.0 h1:qwTtogB15McXDaNqTZdzPJRHvaVJlAl+HVQnLmJEJxo=\ngithub.com/google/gnostic-models v0.7.0/go.mod h1:whL5G0m6dmc5cPxKc5bdKdEN3UjI7OUGxBlw57miDrQ=\ngithub.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=\ngithub.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=\ngithub.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=\ngithub.com/google/pprof v0.0.0-20241029153458-d1b30febd7db h1:097atOisP2aRj7vFgYQBbFN4U4JNXUNYpxael3UzMyo=\ngithub.com/google/pprof v0.0.0-20241029153458-d1b30febd7db/go.mod h1:vavhavw2zAxS5dIdcRluK6cSGGPlZynqzFM8NdvU144=\ngithub.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=\ngithub.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=\ngithub.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674 h1:JeSE6pjso5THxAzdVpqr6/geYxZytqFMBCOtn/ujyeo=\ngithub.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674/go.mod h1:r4w70xmWCQKmi1ONH4KIaBptdivuRPyosB9RmPlGEwA=\ngithub.com/gruntwork-io/go-commons v0.17.1 h1:2KS9wAqrgeOTWj33DSHzDNJ1FCprptWdLFqej+wB8x0=\ngithub.com/gruntwork-io/go-commons v0.17.1/go.mod h1:S98JcR7irPD1bcruSvnqupg+WSJEJ6xaM89fpUZVISk=\ngithub.com/gruntwork-io/terratest v0.52.0 h1:7+I3FqEImowIajZ9Qyo5ngr7n2AUINJko6x+KzlWNjU=\ngithub.com/gruntwork-io/terratest v0.52.0/go.mod h1:y2Evi+Ac04QpzF3mbRPqrBjipDN7gjqlw6+OZoy2vX4=\ngithub.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=\ngithub.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I=\ngithub.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=\ngithub.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ=\ngithub.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48=\ngithub.com/hashicorp/go-getter/v2 v2.2.3 h1:6CVzhT0KJQHqd9b0pK3xSP0CM/Cv+bVhk+jcaRJ2pGk=\ngithub.com/hashicorp/go-getter/v2 v2.2.3/go.mod h1:hp5Yy0GMQvwWVUmwLs3ygivz1JSLI323hdIE9J9m7TY=\ngithub.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo=\ngithub.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM=\ngithub.com/hashicorp/go-safetemp v1.0.0 h1:2HR189eFNrjHQyENnQMMpCiBAsRxzbTMIgBhEyExpmo=\ngithub.com/hashicorp/go-safetemp v1.0.0/go.mod h1:oaerMy3BhqiTbVye6QuFhFtIceqFoDHxNAB65b+Rj1I=\ngithub.com/hashicorp/go-version v1.7.0 h1:5tqGy27NaOTB8yJKUZELlFAS/LTKJkrmONwQKeRZfjY=\ngithub.com/hashicorp/go-version v1.7.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA=\ngithub.com/hashicorp/hcl v0.0.0-20170504190234-a4b07c25de5f h1:UdxlrJz4JOnY8W+DbLISwf2B8WXEolNRA8BGCwI9jws=\ngithub.com/hashicorp/hcl v0.0.0-20170504190234-a4b07c25de5f/go.mod h1:oZtUIOe8dh44I2q6ScRibXws4Ajl+d+nod3AaR9vL5w=\ngithub.com/hashicorp/hcl/v2 v2.22.0 h1:hkZ3nCtqeJsDhPRFz5EA9iwcG1hNWGePOTw6oyul12M=\ngithub.com/hashicorp/hcl/v2 v2.22.0/go.mod h1:62ZYHrXgPoX8xBnzl8QzbWq4dyDsDtfCRgIq1rbJEvA=\ngithub.com/hashicorp/terraform-config-inspect v0.0.0-20250731202709-e8a84eebd3e7 h1:NIwoxkIKF4OAbTze/gukXLJqS9MISRXCqn4SnurhZ1I=\ngithub.com/hashicorp/terraform-config-inspect v0.0.0-20250731202709-e8a84eebd3e7/go.mod h1:Gz/z9Hbn+4KSp8A2FBtNszfLSdT2Tn/uAKGuVqqWmDI=\ngithub.com/hashicorp/terraform-json v0.26.0 h1:+BnJavhRH+oyNWPnfzrfQwVWCZBFMvjdiH2Vi38Udz4=\ngithub.com/hashicorp/terraform-json v0.26.0/go.mod h1:eyWCeC3nrZamyrKLFnrvwpc3LQPIJsx8hWHQ/nu2/v4=\ngithub.com/jackc/pgpassfile v1.0.0 h1:/6Hmqy13Ss2zCq62VdNG8tM1wchn8zjSGOBJ6icpsIM=\ngithub.com/jackc/pgpassfile v1.0.0/go.mod h1:CEx0iS5ambNFdcRtxPj5JhEz+xB6uRky5eyVu/W2HEg=\ngithub.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 h1:iCEnooe7UlwOQYpKFhBabPMi4aNAfoODPEFNiAnClxo=\ngithub.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761/go.mod h1:5TJZWKEWniPve33vlWYSoGYefn3gLQRzjfDlhSJ9ZKM=\ngithub.com/jackc/pgx/v5 v5.7.1 h1:x7SYsPBYDkHDksogeSmZZ5xzThcTgRz++I5E+ePFUcs=\ngithub.com/jackc/pgx/v5 v5.7.1/go.mod h1:e7O26IywZZ+naJtWWos6i6fvWK+29etgITqrqHLfoZA=\ngithub.com/jackc/puddle/v2 v2.2.2 h1:PR8nw+E/1w0GLuRFSmiioY6UooMp6KJv0/61nB7icHo=\ngithub.com/jackc/puddle/v2 v2.2.2/go.mod h1:vriiEXHvEE654aYKXXjOvZM39qJ0q+azkZFrfEOc3H4=\ngithub.com/jinzhu/copier v0.4.0 h1:w3ciUoD19shMCRargcpm0cm91ytaBhDvuRpz1ODO/U8=\ngithub.com/jinzhu/copier v0.4.0/go.mod h1:DfbEm0FYsaqBcKcFuvmOZb218JkPGtvSHsKg8S8hyyg=\ngithub.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg=\ngithub.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo=\ngithub.com/jmespath/go-jmespath/internal/testify v1.5.1 h1:shLQSRRSCCPj3f2gpwzGwWFoC7ycTf1rcQZHOlsJ6N8=\ngithub.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U=\ngithub.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=\ngithub.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=\ngithub.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=\ngithub.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=\ngithub.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=\ngithub.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=\ngithub.com/klauspost/compress v1.16.7 h1:2mk3MPGNzKyxErAw8YaohYh69+pa4sIQSC0fPGCFR9I=\ngithub.com/klauspost/compress v1.16.7/go.mod h1:ntbaceVETuRiXiv4DpjP66DpAtAGkEQskQzEyD//IeE=\ngithub.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=\ngithub.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=\ngithub.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=\ngithub.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=\ngithub.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=\ngithub.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=\ngithub.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=\ngithub.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0=\ngithub.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=\ngithub.com/mattn/go-shellwords v1.0.12 h1:M2zGm7EW6UQJvDeQxo4T51eKPurbeFbe8WtebGE2xrk=\ngithub.com/mattn/go-shellwords v1.0.12/go.mod h1:EZzvwXDESEeg03EKmM+RmDnNOPKG4lLtQsUlTZDWQ8Y=\ngithub.com/mattn/go-zglob v0.0.4 h1:LQi2iOm0/fGgu80AioIJ/1j9w9Oh+9DZ39J4VAGzHQM=\ngithub.com/mattn/go-zglob v0.0.4/go.mod h1:MxxjyoXXnMxfIpxTK2GAkw1w8glPsQILx3N5wrKakiY=\ngithub.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y=\ngithub.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=\ngithub.com/mitchellh/go-testing-interface v1.14.2-0.20210821155943-2d9075ca8770 h1:drhDO54gdT/a15GBcMRmunZiNcLgPiFIJa23KzmcvcU=\ngithub.com/mitchellh/go-testing-interface v1.14.2-0.20210821155943-2d9075ca8770/go.mod h1:SO/iHr6q2EzbqRApt+8/E9wqebTwQn5y+UlB04bxzo0=\ngithub.com/mitchellh/go-wordwrap v1.0.1 h1:TLuKupo69TCn6TQSyGxwI1EblZZEsQ0vMlAFQflz0v0=\ngithub.com/mitchellh/go-wordwrap v1.0.1/go.mod h1:R62XHJLzvMFRBbcrT7m7WgmE1eOyTSsCt+hzestvNj0=\ngithub.com/moby/spdystream v0.5.0 h1:7r0J1Si3QO/kjRitvSLVVFUjxMEb/YLj6S9FF62JBCU=\ngithub.com/moby/spdystream v0.5.0/go.mod h1:xBAYlnt/ay+11ShkdFKNAG7LsyK/tmNBVvVOwrfMgdI=\ngithub.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=\ngithub.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=\ngithub.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=\ngithub.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=\ngithub.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee h1:W5t00kpgFdJifH4BDsTlE89Zl93FEloxaWZfGcifgq8=\ngithub.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=\ngithub.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=\ngithub.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=\ngithub.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f h1:y5//uYreIhSUg3J1GEMiLbxo1LJaP8RfCpH6pymGZus=\ngithub.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw=\ngithub.com/onsi/ginkgo/v2 v2.21.0 h1:7rg/4f3rB88pb5obDgNZrNHrQ4e6WpjonchcpuBRnZM=\ngithub.com/onsi/ginkgo/v2 v2.21.0/go.mod h1:7Du3c42kxCUegi0IImZ1wUQzMBVecgIHjR1C+NkhLQo=\ngithub.com/onsi/gomega v1.35.1 h1:Cwbd75ZBPxFSuZ6T+rN/WCb/gOc6YgFBXLlZLhC7Ds4=\ngithub.com/onsi/gomega v1.35.1/go.mod h1:PvZbdDc8J6XJEpDK4HCuRBm8a6Fzp9/DmhC9C7yFlog=\ngithub.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=\ngithub.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=\ngithub.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=\ngithub.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=\ngithub.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=\ngithub.com/pquerna/otp v1.4.0 h1:wZvl1TIVxKRThZIBiwOOHOGP/1+nZyWBil9Y2XNEDzg=\ngithub.com/pquerna/otp v1.4.0/go.mod h1:dkJfzwRKNiegxyNb54X/3fLwhCynbMspSyWKnvi1AEg=\ngithub.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=\ngithub.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o=\ngithub.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk=\ngithub.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=\ngithub.com/spf13/pflag v1.0.6 h1:jFzHGLGAlb3ruxLB8MhbI6A8+AQX/2eW4qeyNZXNp2o=\ngithub.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=\ngithub.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=\ngithub.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=\ngithub.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=\ngithub.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY=\ngithub.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=\ngithub.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=\ngithub.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=\ngithub.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=\ngithub.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=\ngithub.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=\ngithub.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=\ngithub.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=\ngithub.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=\ngithub.com/tidwall/gjson v1.14.2/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk=\ngithub.com/tidwall/gjson v1.18.0 h1:FIDeeyB800efLX89e5a8Y0BNH+LOngJyGrIWxG2FKQY=\ngithub.com/tidwall/gjson v1.18.0/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk=\ngithub.com/tidwall/match v1.1.1 h1:+Ho715JplO36QYgwN9PGYNhgZvoUSc9X2c80KVTi+GA=\ngithub.com/tidwall/match v1.1.1/go.mod h1:eRSPERbgtNPcGhD8UCthc6PmLEQXEWd3PRB5JTxsfmM=\ngithub.com/tidwall/pretty v1.2.0/go.mod h1:ITEVvHYasfjBbM0u2Pg8T2nJnzm8xPwvNhhsoaGGjNU=\ngithub.com/tidwall/pretty v1.2.1 h1:qjsOFOWWQl+N3RsoF5/ssm1pHmJJwhjlSbZ51I6wMl4=\ngithub.com/tidwall/pretty v1.2.1/go.mod h1:ITEVvHYasfjBbM0u2Pg8T2nJnzm8xPwvNhhsoaGGjNU=\ngithub.com/tidwall/sjson v1.2.5 h1:kLy8mja+1c9jlljvWTlSazM7cKDRfJuR/bOJhcY5NcY=\ngithub.com/tidwall/sjson v1.2.5/go.mod h1:Fvgq9kS/6ociJEDnK0Fk1cpYF4FIW6ZF7LAe+6jwd28=\ngithub.com/tmccombs/hcl2json v0.6.4 h1:/FWnzS9JCuyZ4MNwrG4vMrFrzRgsWEOVi+1AyYUVLGw=\ngithub.com/tmccombs/hcl2json v0.6.4/go.mod h1:+ppKlIW3H5nsAsZddXPy2iMyvld3SHxyjswOZhavRDk=\ngithub.com/ulikunitz/xz v0.5.14 h1:uv/0Bq533iFdnMHZdRBTOlaNMdb1+ZxXIlHDZHIHcvg=\ngithub.com/ulikunitz/xz v0.5.14/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14=\ngithub.com/urfave/cli/v2 v2.25.7 h1:VAzn5oq403l5pHjc4OhD54+XGO9cdKVL/7lDjF+iKUs=\ngithub.com/urfave/cli/v2 v2.25.7/go.mod h1:8qnjx1vcq5s2/wpsqoZFndg2CE5tNFyrTvS6SinrnYQ=\ngithub.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=\ngithub.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=\ngithub.com/xrash/smetrics v0.0.0-20201216005158-039620a65673 h1:bAn7/zixMGCfxrRTfdpNzjtPYqr8smhKouy9mxVdGPU=\ngithub.com/xrash/smetrics v0.0.0-20201216005158-039620a65673/go.mod h1:N3UwUGtsrSj3ccvlPHLoLsHnpR27oXr4ZE984MbSER8=\ngithub.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=\ngithub.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=\ngithub.com/zclconf/go-cty v1.16.3 h1:osr++gw2T61A8KVYHoQiFbFd1Lh3JOCXc/jFLJXKTxk=\ngithub.com/zclconf/go-cty v1.16.3/go.mod h1:VvMs5i0vgZdhYawQNq5kePSpLAoz8u1xvZgrPIxfnZE=\ngithub.com/zclconf/go-cty-debug v0.0.0-20240509010212-0d6042c53940 h1:4r45xpDWB6ZMSMNJFMOjqrGHynW3DIBuR2H9j0ug+Mo=\ngithub.com/zclconf/go-cty-debug v0.0.0-20240509010212-0d6042c53940/go.mod h1:CmBdvvj3nqzfzJ6nTCIwDTPZ56aVGvDrmztiO5g3qrM=\ngo.yaml.in/yaml/v2 v2.4.2 h1:DzmwEr2rDGHl7lsFgAHxmNz/1NlQ7xLIrlN2h5d1eGI=\ngo.yaml.in/yaml/v2 v2.4.2/go.mod h1:081UH+NErpNdqlCXm3TtEran0rJZGxAYx9hb/ELlsPU=\ngo.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc=\ngo.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=\ngolang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=\ngolang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=\ngolang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=\ngolang.org/x/crypto v0.41.0 h1:WKYxWedPGCTVVl5+WHSSrOBT0O8lx32+zxmHxijgXp4=\ngolang.org/x/crypto v0.41.0/go.mod h1:pO5AFd7FA68rFak7rOAGVuygIISepHftHnr8dr6+sUc=\ngolang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=\ngolang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=\ngolang.org/x/mod v0.27.0 h1:kb+q2PyFnEADO2IEF935ehFUXlWiNjJWtRNgBLSfbxQ=\ngolang.org/x/mod v0.27.0/go.mod h1:rWI627Fq0DEoudcK+MBkNkCe0EetEaDSwJJkCcjpazc=\ngolang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=\ngolang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=\ngolang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=\ngolang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=\ngolang.org/x/net v0.43.0 h1:lat02VYK2j4aLzMzecihNvTlJNQUq316m2Mr9rnM6YE=\ngolang.org/x/net v0.43.0/go.mod h1:vhO1fvI4dGsIjh73sWfUVjj3N7CA9WkKJNQm2svM6Jg=\ngolang.org/x/oauth2 v0.27.0 h1:da9Vo7/tDv5RH/7nZDz1eMGS/q1Vv1N/7FCrBhI9I3M=\ngolang.org/x/oauth2 v0.27.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8=\ngolang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=\ngolang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=\ngolang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=\ngolang.org/x/sync v0.16.0 h1:ycBJEhp9p4vXvUZNszeOq0kGTPghopOL8q0fq3vstxw=\ngolang.org/x/sync v0.16.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=\ngolang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=\ngolang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=\ngolang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=\ngolang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=\ngolang.org/x/sys v0.35.0 h1:vz1N37gP5bs89s7He8XuIYXpyY0+QlsKmzipCbUtyxI=\ngolang.org/x/sys v0.35.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=\ngolang.org/x/term v0.34.0 h1:O/2T7POpk0ZZ7MAzMeWFSg6S5IpWd/RXDlM9hgM3DR4=\ngolang.org/x/term v0.34.0/go.mod h1:5jC53AEywhIVebHgPVeg0mj8OD3VO9OzclacVrqpaAw=\ngolang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=\ngolang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=\ngolang.org/x/text v0.28.0 h1:rhazDwis8INMIwQ4tpjLDzUhx6RlXqZNPEM0huQojng=\ngolang.org/x/text v0.28.0/go.mod h1:U8nCwOR8jO/marOQ0QbDiOngZVEBB7MAiitBuMjXiNU=\ngolang.org/x/time v0.9.0 h1:EsRrnYcQiGH+5FfbgvV4AP7qEZstoyrHB0DzarOQ4ZY=\ngolang.org/x/time v0.9.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=\ngolang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=\ngolang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=\ngolang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=\ngolang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=\ngolang.org/x/tools v0.36.0 h1:kWS0uv/zsvHEle1LbV5LE8QujrxB3wfQyxHfhOk0Qkg=\ngolang.org/x/tools v0.36.0/go.mod h1:WBDiHKJK8YgLHlcQPYQzNCkUxUypCaa5ZegCVutKm+s=\ngolang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=\ngolang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=\ngolang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=\ngolang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=\ngoogle.golang.org/protobuf v1.36.5 h1:tPhr+woSbjfYvY6/GPufUoYizxw1cF/yFoxJ2fmpwlM=\ngoogle.golang.org/protobuf v1.36.5/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=\ngopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=\ngopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=\ngopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=\ngopkg.in/evanphx/json-patch.v4 v4.12.0 h1:n6jtcsulIzXPJaxegRbvFNNrZDjbij7ny3gmSPG+6V4=\ngopkg.in/evanphx/json-patch.v4 v4.12.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M=\ngopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=\ngopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=\ngopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=\ngopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=\ngopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=\ngopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=\ngopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=\ngopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=\ngopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=\nk8s.io/api v0.34.0 h1:L+JtP2wDbEYPUeNGbeSa/5GwFtIA662EmT2YSLOkAVE=\nk8s.io/api v0.34.0/go.mod h1:YzgkIzOOlhl9uwWCZNqpw6RJy9L2FK4dlJeayUoydug=\nk8s.io/apimachinery v0.34.0 h1:eR1WO5fo0HyoQZt1wdISpFDffnWOvFLOOeJ7MgIv4z0=\nk8s.io/apimachinery v0.34.0/go.mod h1:/GwIlEcWuTX9zKIg2mbw0LRFIsXwrfoVxn+ef0X13lw=\nk8s.io/client-go v0.34.0 h1:YoWv5r7bsBfb0Hs2jh8SOvFbKzzxyNo0nSb0zC19KZo=\nk8s.io/client-go v0.34.0/go.mod h1:ozgMnEKXkRjeMvBZdV1AijMHLTh3pbACPvK7zFR+QQY=\nk8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=\nk8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=\nk8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b h1:MloQ9/bdJyIu9lb1PzujOPolHyvO06MXG5TUIj2mNAA=\nk8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b/go.mod h1:UZ2yyWbFTpuhSbFhv24aGNOdoRdJZgsIObGBUaYVsts=\nk8s.io/utils v0.0.0-20250604170112-4c0f3b243397 h1:hwvWFiBzdWw1FhfY1FooPn3kzWuJ8tmbZBHi4zVsl1Y=\nk8s.io/utils v0.0.0-20250604170112-4c0f3b243397/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=\nsigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 h1:gBQPwqORJ8d8/YNZWEjoZs7npUVDpVXUUOFfW6CgAqE=\nsigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg=\nsigs.k8s.io/kustomize/kyaml v0.20.1 h1:PCMnA2mrVbRP3NIB6v9kYCAc38uvFLVs8j/CD567A78=\nsigs.k8s.io/kustomize/kyaml v0.20.1/go.mod h1:0EmkQHRUsJxY8Ug9Niig1pUMSCGHxQ5RklbpV/Ri6po=\nsigs.k8s.io/randfill v1.0.0 h1:JfjMILfT8A6RbawdsK2JXGBR5AQVfd+9TbzrlneTyrU=\nsigs.k8s.io/randfill v1.0.0/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY=\nsigs.k8s.io/structured-merge-diff/v6 v6.3.0 h1:jTijUJbW353oVOd9oTlifJqOGEkUw2jB/fXCbTiQEco=\nsigs.k8s.io/structured-merge-diff/v6 v6.3.0/go.mod h1:M3W8sfWvn2HhQDIbGWj3S099YozAsymCo/wrT5ohRUE=\nsigs.k8s.io/yaml v1.6.0 h1:G8fkbMSAFqgEFgh4b1wmtzDnioxFCUgTZhlbj5P9QYs=\nsigs.k8s.io/yaml v1.6.0/go.mod h1:796bPqUfzR/0jLAl6XjHl3Ck7MiyVv8dbTdyT3/pMf4=\n" }, { "path": "test/integration/oidc-simple/oidc_simple_test.go", "content": "// Copyright 2021 Google LLC\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n// http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\npackage oidc_simple\n\nimport (\n\t\"fmt\"\n\t\"testing\"\n\n\t\"github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/gcloud\"\n\t\"github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/tft\"\n\t\"github.com/stretchr/testify/assert\"\n)\n\nfunc TestOIDCSimple(t *testing.T) {\n\toidc := tft.NewTFBlueprintTest(t)\n\toidc.DefineVerify(func(assert *assert.Assertions) {\n\t\toidc.DefaultVerify(assert)\n\n\t\tpool := gcloud.Run(t, fmt.Sprintf(\"beta iam workload-identity-pools describe %s\", oidc.GetStringOutput(\"pool_name\")))\n\t\tassert.Equal(\"ACTIVE\", pool.Get(\"state\").String(), \"WI pool is active\")\n\n\t\tprovider := gcloud.Run(t, fmt.Sprintf(\"beta iam workload-identity-pools providers describe %s\", oidc.GetStringOutput(\"provider_name\")))\n\t\tassert.Equal(\"ACTIVE\", provider.Get(\"state\").String(), \"WI provider is active\")\n\t\tassert.Equal(\"https://token.actions.githubusercontent.com\", provider.Get(\"oidc.issuerUri\").String(), \"provider has correct issuer ID\")\n\t\tassert.Equal(0, len(provider.Get(\"oidc.allowedAudiences\").Array()), \"WI provider has correct number of audiences\")\n\t\texpectedAttribMapping := map[string]string{\n\t\t\t\"attribute.actor\": \"assertion.actor\",\n\t\t\t\"attribute.aud\": \"assertion.aud\",\n\t\t\t\"attribute.repository\": \"assertion.repository\",\n\t\t\t\"google.subject\": \"assertion.sub\",\n\t\t}\n\t\tproviderMapping := provider.Get(\"attributeMapping\").Map()\n\t\tassert.Equal(len(expectedAttribMapping), len(providerMapping), \"WI provider has correct number of attribute mapping\")\n\t\tfor k, v := range expectedAttribMapping {\n\t\t\tassert.Equal(v, providerMapping[k].String(), \"has correct mapping\")\n\t\t}\n\n\t\tsaBindings := gcloud.Run(t, fmt.Sprintf(\"iam service-accounts get-iam-policy %s\", oidc.GetStringOutput(\"sa_email\"))).Get(\"bindings\").Array()\n\t\tassert.Equal(1, len(saBindings), \"SA has one binding\")\n\t\tassert.Equal(1, len(saBindings[0].Get(\"members\").Array()), \"SA binding has one member\")\n\t\tassert.Equal(fmt.Sprintf(\"principalSet://iam.googleapis.com/%s/attribute.repository/user/repo\", oidc.GetStringOutput(\"pool_name\")), saBindings[0].Get(\"members\").Array()[0].String(), \"SA binding has correct member\")\n\t\tassert.Equal(\"roles/iam.workloadIdentityUser\", saBindings[0].Get(\"role\").String(), \"SA binding has correct member\")\n\n\t})\n\n\toidc.Test()\n}\n" }, { "path": "test/setup/.gitignore", "content": "terraform.tfvars\nsource.sh\n" }, { "path": "test/setup/iam.tf", "content": "/**\n * Copyright 2020 Google LLC\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nlocals {\n int_required_roles = [\n \"roles/owner\"\n ]\n}\n\nresource \"google_service_account\" \"int_test\" {\n project = module.project.project_id\n account_id = \"ci-account\"\n display_name = \"ci-account\"\n}\n\nresource \"google_project_iam_member\" \"int_test\" {\n count = length(local.int_required_roles)\n\n project = module.project.project_id\n role = local.int_required_roles[count.index]\n member = \"serviceAccount:${google_service_account.int_test.email}\"\n}\n\nresource \"google_project_iam_member\" \"int_test_gke\" {\n count = length(local.int_required_roles)\n\n project = module.project-gke.project_id\n role = local.int_required_roles[count.index]\n member = \"serviceAccount:${google_service_account.int_test.email}\"\n}\n\nresource \"google_project_iam_member\" \"int_test_mig_container\" {\n count = length(local.int_required_roles)\n\n project = module.project-mig-container-vm.project_id\n role = local.int_required_roles[count.index]\n member = \"serviceAccount:${google_service_account.int_test.email}\"\n}\n\nresource \"google_service_account_key\" \"int_test\" {\n service_account_id = google_service_account.int_test.id\n}\n" }, { "path": "test/setup/main.tf", "content": "/**\n * Copyright 2020 Google LLC\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nmodule \"project\" {\n source = \"terraform-google-modules/project-factory/google\"\n version = \"~> 18.0\"\n\n name = \"ci-terraform-gh-runners\"\n random_project_id = \"true\"\n org_id = var.org_id\n folder_id = var.folder_id\n billing_account = var.billing_account\n\n activate_apis = [\n \"cloudresourcemanager.googleapis.com\",\n \"storage-api.googleapis.com\",\n \"iam.googleapis.com\",\n \"container.googleapis.com\",\n \"serviceusage.googleapis.com\"\n ]\n}\n\nmodule \"project-gke\" {\n source = \"terraform-google-modules/project-factory/google\"\n version = \"~> 18.0\"\n\n name = \"ci-runners-gke\"\n random_project_id = \"true\"\n org_id = var.org_id\n folder_id = var.folder_id\n billing_account = var.billing_account\n\n activate_apis = [\n \"iam.googleapis.com\",\n \"cloudresourcemanager.googleapis.com\",\n \"containerregistry.googleapis.com\",\n \"container.googleapis.com\",\n \"storage-component.googleapis.com\",\n \"logging.googleapis.com\",\n \"monitoring.googleapis.com\",\n ]\n}\n\nmodule \"project-mig-container-vm\" {\n source = \"terraform-google-modules/project-factory/google\"\n version = \"~> 18.0\"\n\n name = \"ci-runners-c-mig\"\n random_project_id = \"true\"\n org_id = var.org_id\n folder_id = var.folder_id\n billing_account = var.billing_account\n\n activate_apis = [\n \"iam.googleapis.com\",\n \"cloudresourcemanager.googleapis.com\",\n \"containerregistry.googleapis.com\",\n \"container.googleapis.com\",\n \"storage-component.googleapis.com\",\n \"logging.googleapis.com\",\n \"monitoring.googleapis.com\",\n ]\n}\n" }, { "path": "test/setup/outputs.tf", "content": "/**\n * Copyright 2020 Google LLC\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\noutput \"project_id\" {\n value = module.project.project_id\n}\n\noutput \"project_id_gke\" {\n value = module.project-gke.project_id\n}\n\noutput \"project_id_mig_container\" {\n value = module.project-mig-container-vm.project_id\n}\n\noutput \"sa_key\" {\n value = google_service_account_key.int_test.private_key\n sensitive = true\n}\n" }, { "path": "test/setup/variables.tf", "content": "/**\n * Copyright 2020 Google LLC\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\nvariable \"org_id\" {\n description = \"The numeric organization id\"\n}\n\nvariable \"folder_id\" {\n description = \"The folder to deploy in\"\n}\n\nvariable \"billing_account\" {\n description = \"The billing account id associated with the project, e.g. XXXXXX-YYYYYY-ZZZZZZ\"\n}\n" }, { "path": "test/setup/versions.tf", "content": "/**\n * Copyright 2021 Google LLC\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nterraform {\n required_version = \">= 0.13\"\n\n required_providers {\n google = {\n source = \"hashicorp/google\"\n version = \">= 3.53.0, < 8\"\n }\n google-beta = {\n source = \"hashicorp/google-beta\"\n version = \">= 3.53.0, < 8\"\n }\n }\n}\n" } ]