Merge branch 'main' into reject_user_action_when_org_enabled_v2

Author: PerGon

.github/workflows/stale.yml

@@ -18,7 +18,7 @@ jobs:
           stale-pr-message: >
             This pull request has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed if no further activity occurs. Thank you for your contributions.
 
-          days-before-stale: 30
-          days-before-close: 10
+          days-before-stale: 90
+          days-before-close: 14
           close-issue-label: "abandoned"
           exempt-issue-labels: "stale:exempt"

CHANGELOG.md

@@ -1,5 +1,20 @@
 # Changelog
 
+## [5.11.0](https://github.com/philips-labs/terraform-aws-github-runner/compare/v5.10.4...v5.11.0) (2024-05-22)
+
+
+### Features
+
+* add variable to configure ebs optimization for runner instances ([479b779](https://github.com/philips-labs/terraform-aws-github-runner/commit/479b779a71c77a62dd28d247f8a74cb75ce083f0))
+* add variable to configure ebs optimization for runner instances ([#3901](https://github.com/philips-labs/terraform-aws-github-runner/issues/3901)) ([479b779](https://github.com/philips-labs/terraform-aws-github-runner/commit/479b779a71c77a62dd28d247f8a74cb75ce083f0))
+* Restrict instance SSM permissions ([#3918](https://github.com/philips-labs/terraform-aws-github-runner/issues/3918)) ([9399cf2](https://github.com/philips-labs/terraform-aws-github-runner/commit/9399cf29bec963dfa305f367f37c098a76130371))
+
+
+### Bug Fixes
+
+* adding missing permissions to boundaries ([#3873](https://github.com/philips-labs/terraform-aws-github-runner/issues/3873)) ([93e8d27](https://github.com/philips-labs/terraform-aws-github-runner/commit/93e8d2746b647539212dbc65887ec748a1d734b7))
+* **lambda:** bump the aws group across 1 directory with 6 updates ([#3907](https://github.com/philips-labs/terraform-aws-github-runner/issues/3907)) ([50dda9a](https://github.com/philips-labs/terraform-aws-github-runner/commit/50dda9a465229bdb8d106e7ebc5d5b1de115a286))
+
 ## [5.10.4](https://github.com/philips-labs/terraform-aws-github-runner/compare/v5.10.3...v5.10.4) (2024-05-06)
 
 

README.md

@@ -214,6 +214,7 @@ Talk to the forestkeepers in the `runners-channel` on Slack.
 | <a name="input_runner_name_prefix"></a> [runner\_name\_prefix](#input\_runner\_name\_prefix) | The prefix used for the GitHub runner name. The prefix will be used in the default start script to prefix the instance name when register the runner in GitHub. The value is availabe via an EC2 tag 'ghr:runner\_name\_prefix'. | `string` | `""` | no |
 | <a name="input_runner_os"></a> [runner\_os](#input\_runner\_os) | The EC2 Operating System type to use for action runner instances (linux,windows). | `string` | `"linux"` | no |
 | <a name="input_runner_run_as"></a> [runner\_run\_as](#input\_runner\_run\_as) | Run the GitHub actions agent as user. | `string` | `"ec2-user"` | no |
+| <a name="input_runners_ebs_optimized"></a> [runners\_ebs\_optimized](#input\_runners\_ebs\_optimized) | Enable EBS optimization for the runner instances. | `bool` | `false` | no |
 | <a name="input_runners_lambda_s3_key"></a> [runners\_lambda\_s3\_key](#input\_runners\_lambda\_s3\_key) | S3 key for runners lambda function. Required if using S3 bucket to specify lambdas. | `string` | `null` | no |
 | <a name="input_runners_lambda_s3_object_version"></a> [runners\_lambda\_s3\_object\_version](#input\_runners\_lambda\_s3\_object\_version) | S3 object version for runners lambda function. Useful if S3 versioning is enabled on source bucket. | `string` | `null` | no |
 | <a name="input_runners_lambda_zip"></a> [runners\_lambda\_zip](#input\_runners\_lambda\_zip) | File location of the lambda zip file for scaling runners. | `string` | `null` | no |

lambdas/functions/ami-housekeeper/package.json

@@ -21,7 +21,7 @@
     "@types/jest": "^29.5.12",
     "@types/node": "^20.8.9",
     "@typescript-eslint/eslint-plugin": "^7.4.0",
-    "@typescript-eslint/parser": "^6.21.0",
+    "@typescript-eslint/parser": "^7.9.0",
     "@vercel/ncc": "^0.38.1",
     "aws-sdk-client-mock": "^3.0.0",
     "aws-sdk-client-mock-jest": "^3.0.0",
@@ -37,8 +37,8 @@
     "ts-node-dev": "^2.0.0"
   },
   "dependencies": {
-    "@aws-sdk/client-ec2": "^3.568.0",
-    "@aws-sdk/client-ssm": "^3.568.0",
+    "@aws-sdk/client-ec2": "^3.575.0",
+    "@aws-sdk/client-ssm": "^3.575.0",
     "@aws-sdk/types": "^3.433.0",
     "@terraform-aws-github-runner/aws-powertools-util": "*",
     "@terraform-aws-github-runner/aws-ssm-util": "*",

lambdas/functions/control-plane/package.json

@@ -21,7 +21,7 @@
     "@types/jest": "^29.5.12",
     "@types/node": "^20.8.9",
     "@typescript-eslint/eslint-plugin": "^7.4.0",
-    "@typescript-eslint/parser": "^6.21.0",
+    "@typescript-eslint/parser": "^7.9.0",
     "@vercel/ncc": "^0.38.1",
     "aws-sdk-client-mock": "^3.0.0",
     "aws-sdk-client-mock-jest": "^3.0.0",
@@ -38,7 +38,7 @@
     "ts-node-dev": "^2.0.0"
   },
   "dependencies": {
-    "@aws-sdk/client-ec2": "^3.568.0",
+    "@aws-sdk/client-ec2": "^3.575.0",
     "@aws-sdk/types": "^3.433.0",
     "@middy/core": "^4.7.0",
     "@octokit/auth-app": "6.0.3",

lambdas/functions/control-plane/src/scale-runners/scale-up.test.ts

@@ -348,6 +348,12 @@ describe('scaleUp with GHES', () => {
         Name: '/github-action-runners/default/runners/config/i-12345',
         Value: 'TEST_JIT_CONFIG_ORG',
         Type: 'SecureString',
+        Tags: [
+          {
+            Key: 'InstanceId',
+            Value: 'i-12345',
+          },
+        ],
       });
     });
 
@@ -363,6 +369,12 @@ describe('scaleUp with GHES', () => {
           '--url https://github.enterprise.something/Codertocat --token 1234abcd ' +
           '--labels label1,label2 --runnergroup Default',
         Type: 'SecureString',
+        Tags: [
+          {
+            Key: 'InstanceId',
+            Value: 'i-12345',
+          },
+        ],
       });
     });
     it.each(RUNNER_TYPES)(
@@ -718,6 +730,12 @@ describe('scaleUp with public GH', () => {
         Name: '/github-action-runners/default/runners/config/i-12345',
         Value: 'TEST_JIT_CONFIG_REPO',
         Type: 'SecureString',
+        Tags: [
+          {
+            Key: 'InstanceId',
+            Value: 'i-12345',
+          },
+        ],
       });
     });
 
@@ -734,6 +752,12 @@ describe('scaleUp with public GH', () => {
         Name: '/github-action-runners/default/runners/config/i-12345',
         Value: '--url https://github.com/Codertocat/hello-world --token 1234abcd --ephemeral',
         Type: 'SecureString',
+        Tags: [
+          {
+            Key: 'InstanceId',
+            Value: 'i-12345',
+          },
+        ],
       });
     });
 
@@ -751,6 +775,12 @@ describe('scaleUp with public GH', () => {
         Name: '/github-action-runners/default/runners/config/i-12345',
         Value: '--url https://github.com/Codertocat/hello-world --token 1234abcd --labels jit',
         Type: 'SecureString',
+        Tags: [
+          {
+            Key: 'InstanceId',
+            Value: 'i-12345',
+          },
+        ],
       });
     });
 

lambdas/functions/control-plane/src/scale-runners/scale-up.ts

@@ -376,7 +376,9 @@ async function createRegistrationTokenConfig(
   });
 
   for (const instance of instances) {
-    await putParameter(`${githubRunnerConfig.ssmTokenPath}/${instance}`, runnerServiceConfig.join(' '), true);
+    await putParameter(`${githubRunnerConfig.ssmTokenPath}/${instance}`, runnerServiceConfig.join(' '), true, {
+      tags: [{ Key: 'InstanceId', Value: instance }],
+    });
     if (isDelay) {
       // Delay to prevent AWS ssm rate limits by being within the max throughput limit
       await delay(25);
@@ -419,7 +421,9 @@ async function createJitConfig(githubRunnerConfig: CreateGitHubRunnerConfig, ins
     logger.debug('Runner JIT config for ephemeral runner generated.', {
       instance: instance,
     });
-    await putParameter(`${githubRunnerConfig.ssmTokenPath}/${instance}`, runnerConfig.data.encoded_jit_config, true);
+    await putParameter(`${githubRunnerConfig.ssmTokenPath}/${instance}`, runnerConfig.data.encoded_jit_config, true, {
+      tags: [{ Key: 'InstanceId', Value: instance }],
+    });
     if (isDelay) {
       // Delay to prevent AWS ssm rate limits by being within the max throughput limit
       await delay(25);

lambdas/functions/gh-agent-syncer/package.json

@@ -23,7 +23,7 @@
     "@types/node": "^20.8.9",
     "@types/request": "^2.48.11",
     "@typescript-eslint/eslint-plugin": "^7.4.0",
-    "@typescript-eslint/parser": "^6.21.0",
+    "@typescript-eslint/parser": "^7.9.0",
     "@vercel/ncc": "^0.38.1",
     "aws-sdk-client-mock": "^3.0.0",
     "aws-sdk-client-mock-jest": "^3.0.0",
@@ -37,8 +37,8 @@
     "typescript": "^5.4.5"
   },
   "dependencies": {
-    "@aws-sdk/client-s3": "^3.568.0",
-    "@aws-sdk/lib-storage": "^3.568.0",
+    "@aws-sdk/client-s3": "^3.575.0",
+    "@aws-sdk/lib-storage": "^3.575.0",
     "@aws-sdk/types": "^3.433.0",
     "@middy/core": "^4.7.0",
     "@terraform-aws-github-runner/aws-powertools-util": "*",

lambdas/functions/termination-watcher/package.json

@@ -19,7 +19,7 @@
     "@types/jest": "^29.5.6",
     "@types/node": "^20.8.9",
     "@typescript-eslint/eslint-plugin": "^7.4.0",
-    "@typescript-eslint/parser": "^6.21.0",
+    "@typescript-eslint/parser": "^7.9.0",
     "@vercel/ncc": "^0.38.1",
     "aws-sdk-client-mock": "^3.0.0",
     "aws-sdk-client-mock-jest": "^3.0.0",
@@ -35,7 +35,7 @@
     "ts-node-dev": "^2.0.0"
   },
   "dependencies": {
-    "@aws-sdk/client-ec2": "^3.568.0",
+    "@aws-sdk/client-ec2": "^3.575.0",
     "@aws-sdk/types": "^3.433.0",
     "@middy/core": "^4.7.0",
     "@terraform-aws-github-runner/aws-powertools-util": "*",

lambdas/functions/webhook/package.json

@@ -23,7 +23,7 @@
     "@types/jest": "^29.5.12",
     "@types/node": "^20.8.9",
     "@typescript-eslint/eslint-plugin": "^7.4.0",
-    "@typescript-eslint/parser": "^6.21.0",
+    "@typescript-eslint/parser": "^7.9.0",
     "@vercel/ncc": "0.38.1",
     "body-parser": "^1.20.2",
     "eslint": "^8.56.0",
@@ -38,7 +38,7 @@
     "typescript": "^5.4.5"
   },
   "dependencies": {
-    "@aws-sdk/client-sqs": "^3.568.0",
+    "@aws-sdk/client-sqs": "^3.575.0",
     "@middy/core": "^4.7.0",
     "@octokit/rest": "^20.0.1",
     "@octokit/types": "^12.5.0",

lambdas/libs/aws-powertools-util/package.json

@@ -21,7 +21,7 @@
     "@types/jest": "^29.5.12",
     "@types/node": "^20.8.9",
     "@typescript-eslint/eslint-plugin": "^7.4.0",
-    "@typescript-eslint/parser": "^6.21.0",
+    "@typescript-eslint/parser": "^7.9.0",
     "@vercel/ncc": "0.38.1",
     "body-parser": "^1.20.2",
     "eslint": "^8.56.0",

lambdas/libs/aws-ssm-util/package.json

@@ -21,7 +21,7 @@
     "@types/jest": "^29.5.12",
     "@types/node": "^20.8.9",
     "@typescript-eslint/eslint-plugin": "^7.4.0",
-    "@typescript-eslint/parser": "^6.21.0",
+    "@typescript-eslint/parser": "^7.9.0",
     "@vercel/ncc": "0.38.1",
     "body-parser": "^1.20.2",
     "eslint": "^8.56.0",
@@ -36,7 +36,7 @@
     "typescript": "^5.4.5"
   },
   "dependencies": {
-    "@aws-sdk/client-ssm": "^3.568.0",
+    "@aws-sdk/client-ssm": "^3.575.0",
     "@aws-sdk/types": "^3.433.0",
     "@terraform-aws-github-runner/aws-powertools-util": "*"
   },

lambdas/libs/aws-ssm-util/src/index.ts

@@ -1,4 +1,4 @@
-import { GetParameterCommand, PutParameterCommand, SSMClient } from '@aws-sdk/client-ssm';
+import { GetParameterCommand, PutParameterCommand, SSMClient, Tag } from '@aws-sdk/client-ssm';
 import { getTracedAWSV3Client } from '@terraform-aws-github-runner/aws-powertools-util';
 
 export async function getParameter(parameter_name: string): Promise<string> {
@@ -7,13 +7,19 @@ export async function getParameter(parameter_name: string): Promise<string> {
     ?.Value as string;
 }
 
-export async function putParameter(parameter_name: string, parameter_value: string, secure: boolean): Promise<void> {
+export async function putParameter(
+  parameter_name: string,
+  parameter_value: string,
+  secure: boolean,
+  options: { tags?: Tag[] } = {},
+): Promise<void> {
   const client = getTracedAWSV3Client(new SSMClient({ region: process.env.AWS_REGION }));
   await client.send(
     new PutParameterCommand({
       Name: parameter_name,
       Value: parameter_value,
       Type: secure ? 'SecureString' : 'String',
+      Tags: options.tags,
     }),
   );
 }