Merge branch 'main' into update-docs-e96ilc1

Author: npalm

.github/workflows/stale.yml

@@ -18,7 +18,7 @@ jobs:
           stale-pr-message: >
             This pull request has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed if no further activity occurs. Thank you for your contributions.
 
-          days-before-stale: 30
-          days-before-close: 10
+          days-before-stale: 90
+          days-before-close: 14
           close-issue-label: "abandoned"
           exempt-issue-labels: "stale:exempt"

CHANGELOG.md

@@ -1,5 +1,20 @@
 # Changelog
 
+## [5.11.0](https://github.com/philips-labs/terraform-aws-github-runner/compare/v5.10.4...v5.11.0) (2024-05-22)
+
+
+### Features
+
+* add variable to configure ebs optimization for runner instances ([479b779](https://github.com/philips-labs/terraform-aws-github-runner/commit/479b779a71c77a62dd28d247f8a74cb75ce083f0))
+* add variable to configure ebs optimization for runner instances ([#3901](https://github.com/philips-labs/terraform-aws-github-runner/issues/3901)) ([479b779](https://github.com/philips-labs/terraform-aws-github-runner/commit/479b779a71c77a62dd28d247f8a74cb75ce083f0))
+* Restrict instance SSM permissions ([#3918](https://github.com/philips-labs/terraform-aws-github-runner/issues/3918)) ([9399cf2](https://github.com/philips-labs/terraform-aws-github-runner/commit/9399cf29bec963dfa305f367f37c098a76130371))
+
+
+### Bug Fixes
+
+* adding missing permissions to boundaries ([#3873](https://github.com/philips-labs/terraform-aws-github-runner/issues/3873)) ([93e8d27](https://github.com/philips-labs/terraform-aws-github-runner/commit/93e8d2746b647539212dbc65887ec748a1d734b7))
+* **lambda:** bump the aws group across 1 directory with 6 updates ([#3907](https://github.com/philips-labs/terraform-aws-github-runner/issues/3907)) ([50dda9a](https://github.com/philips-labs/terraform-aws-github-runner/commit/50dda9a465229bdb8d106e7ebc5d5b1de115a286))
+
 ## [5.10.4](https://github.com/philips-labs/terraform-aws-github-runner/compare/v5.10.3...v5.10.4) (2024-05-06)
 
 

README.md

@@ -179,6 +179,7 @@ Talk to the forestkeepers in the `runners-channel` on Slack.
 | <a name="input_log_level"></a> [log\_level](#input\_log\_level) | Logging level for lambda logging. Valid values are  'silly', 'trace', 'debug', 'info', 'warn', 'error', 'fatal'. | `string` | `"info"` | no |
 | <a name="input_logging_kms_key_id"></a> [logging\_kms\_key\_id](#input\_logging\_kms\_key\_id) | Specifies the kms key id to encrypt the logs with. | `string` | `null` | no |
 | <a name="input_logging_retention_in_days"></a> [logging\_retention\_in\_days](#input\_logging\_retention\_in\_days) | Specifies the number of days you want to retain log events for the lambda log group. Possible values are: 0, 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, and 3653. | `number` | `180` | no |
+| <a name="input_matcher_config_parameter_store_tier"></a> [matcher\_config\_parameter\_store\_tier](#input\_matcher\_config\_parameter\_store\_tier) | The tier of the parameter store for the matcher configuration. Valid values are `Standard`, and `Advanced`. | `string` | `"Standard"` | no |
 | <a name="input_metrics_namespace"></a> [metrics\_namespace](#input\_metrics\_namespace) | The namespace for the metrics created by the module. Merics will only be created if explicit enabled. | `string` | `"GitHub Runners"` | no |
 | <a name="input_minimum_running_time_in_minutes"></a> [minimum\_running\_time\_in\_minutes](#input\_minimum\_running\_time\_in\_minutes) | The time an ec2 action runner should be running at minimum before terminated, if not busy. | `number` | `null` | no |
 | <a name="input_pool_config"></a> [pool\_config](#input\_pool\_config) | The configuration for updating the pool. The `pool_size` to adjust to by the events triggered by the `schedule_expression`. For example you can configure a cron expression for weekdays to adjust the pool to 10 and another expression for the weekend to adjust the pool to 1. | <pre>list(object({<br>    schedule_expression = string<br>    size                = number<br>  }))</pre> | `[]` | no |

lambdas/functions/ami-housekeeper/package.json

@@ -37,8 +37,8 @@
     "ts-node-dev": "^2.0.0"
   },
   "dependencies": {
-    "@aws-sdk/client-ec2": "^3.575.0",
-    "@aws-sdk/client-ssm": "^3.575.0",
+    "@aws-sdk/client-ec2": "^3.600.0",
+    "@aws-sdk/client-ssm": "^3.600.0",
     "@aws-sdk/types": "^3.433.0",
     "@terraform-aws-github-runner/aws-powertools-util": "*",
     "@terraform-aws-github-runner/aws-ssm-util": "*",

lambdas/functions/control-plane/package.json

@@ -38,7 +38,7 @@
     "ts-node-dev": "^2.0.0"
   },
   "dependencies": {
-    "@aws-sdk/client-ec2": "^3.575.0",
+    "@aws-sdk/client-ec2": "^3.600.0",
     "@aws-sdk/types": "^3.433.0",
     "@middy/core": "^4.7.0",
     "@octokit/auth-app": "6.0.3",

lambdas/functions/control-plane/src/aws/runners.ts

@@ -94,6 +94,7 @@ function getRunnerInfo(runningInstances: DescribeInstancesResult) {
 }
 
 export async function terminateRunner(instanceId: string): Promise<void> {
+  logger.info(`Runner '${instanceId}' will be terminated.`);
   const ec2 = getTracedAWSV3Client(new EC2Client({ region: process.env.AWS_REGION }));
   await ec2.send(new TerminateInstancesCommand({ InstanceIds: [instanceId] }));
   logger.info(`Runner ${instanceId} has been terminated.`);

lambdas/functions/control-plane/src/scale-runners/scale-down.ts

@@ -88,7 +88,8 @@ async function listGitHubRunners(runner: RunnerInfo): Promise<GhRunners> {
           per_page: 100,
         });
   githubCache.runners.set(key, runners);
-
+  logger.debug(`[listGithubRunners] Cache set for ${key}`);
+  logger.debug(`[listGithubRunners] Runners: ${JSON.stringify(runners)}`);
   return runners;
 }
 
@@ -156,18 +157,25 @@ async function evaluateAndRemoveRunners(
       .filter((runner) => runner.owner === ownerTag)
       .sort(evictionStrategy === 'oldest_first' ? oldestFirstStrategy : newestFirstStrategy);
     logger.debug(`Found: '${ec2RunnersFiltered.length}' active GitHub runners with owner tag: '${ownerTag}'`);
+    logger.debug(`Active GitHub runners with owner tag: '${ownerTag}': ${JSON.stringify(ec2RunnersFiltered)}`);
     for (const ec2Runner of ec2RunnersFiltered) {
       const ghRunners = await listGitHubRunners(ec2Runner);
       const ghRunnersFiltered = ghRunners.filter((runner: { name: string }) =>
         runner.name.endsWith(ec2Runner.instanceId),
       );
+      logger.debug(
+        `Found: '${ghRunnersFiltered.length}' GitHub runners for AWS runner instance: '${ec2Runner.instanceId}'`,
+      );
+      logger.debug(
+        `GitHub runners for AWS runner instance: '${ec2Runner.instanceId}': ${JSON.stringify(ghRunnersFiltered)}`,
+      );
       if (ghRunnersFiltered.length) {
         if (runnerMinimumTimeExceeded(ec2Runner)) {
           if (idleCounter > 0) {
             idleCounter--;
             logger.info(`Runner '${ec2Runner.instanceId}' will be kept idle.`);
           } else {
-            logger.info(`Runner '${ec2Runner.instanceId}' will be terminated.`);
+            logger.info(`Will try to terminate runners that are not busy`);
             await removeRunner(
               ec2Runner,
               ghRunnersFiltered.map((runner: { id: number }) => runner.id),
@@ -224,6 +232,7 @@ export async function scaleDown(): Promise<void> {
   const ec2Runners = await listRunners(environment);
   const activeEc2RunnersCount = ec2Runners.length;
   logger.info(`Found: '${activeEc2RunnersCount}' active GitHub EC2 runner instances before clean-up.`);
+  logger.debug(`Active GitHub EC2 runner instances: ${JSON.stringify(ec2Runners)}`);
 
   if (activeEc2RunnersCount === 0) {
     logger.debug(`No active runners found for environment: '${environment}'`);

lambdas/functions/gh-agent-syncer/package.json

@@ -37,8 +37,8 @@
     "typescript": "^5.4.5"
   },
   "dependencies": {
-    "@aws-sdk/client-s3": "^3.575.0",
-    "@aws-sdk/lib-storage": "^3.575.0",
+    "@aws-sdk/client-s3": "^3.600.0",
+    "@aws-sdk/lib-storage": "^3.600.0",
     "@aws-sdk/types": "^3.433.0",
     "@middy/core": "^4.7.0",
     "@terraform-aws-github-runner/aws-powertools-util": "*",

lambdas/functions/termination-watcher/package.json

@@ -35,7 +35,7 @@
     "ts-node-dev": "^2.0.0"
   },
   "dependencies": {
-    "@aws-sdk/client-ec2": "^3.575.0",
+    "@aws-sdk/client-ec2": "^3.600.0",
     "@aws-sdk/types": "^3.433.0",
     "@middy/core": "^4.7.0",
     "@terraform-aws-github-runner/aws-powertools-util": "*",

lambdas/functions/webhook/package.json

@@ -38,7 +38,7 @@
     "typescript": "^5.4.5"
   },
   "dependencies": {
-    "@aws-sdk/client-sqs": "^3.575.0",
+    "@aws-sdk/client-sqs": "^3.600.0",
     "@middy/core": "^4.7.0",
     "@octokit/rest": "^20.0.1",
     "@octokit/types": "^12.5.0",

lambdas/functions/webhook/src/ConfigResolver.ts

@@ -29,7 +29,7 @@ export class Config {
       Config.matcherConfig = JSON.parse(matcherConfigVal) as Array<RunnerMatcherConfig>;
       logger.debug('Loaded queues config', { matcherConfig: Config.matcherConfig });
     }
-    const workflowJobEventSecondaryQueue = process.env.SQS_WORKFLOW_JOB_QUEUE ?? undefined;
+    const workflowJobEventSecondaryQueue = process.env.SQS_WORKFLOW_JOB_QUEUE || undefined;
     return new Config(repositoryAllowList, workflowJobEventSecondaryQueue);
   }
 

lambdas/functions/webhook/src/sqs/index.test.ts

@@ -16,6 +16,8 @@ jest.mock('@aws-sdk/client-sqs', () => ({
 }));
 jest.mock('@terraform-aws-github-runner/aws-ssm-util');
 
+import { SQS } from '@aws-sdk/client-sqs';
+
 describe('Test sending message to SQS.', () => {
   const queueUrl = 'https://sqs.eu-west-1.amazonaws.com/123456789/queued-builds';
   const message = {
@@ -98,15 +100,27 @@ describe('Test sending message to SQS.', () => {
     expect(result).resolves;
   });
 
-  it('Does not send webhook events to workflow job event copy queue', async () => {
+  it('Does not send webhook events to workflow job event copy queue when job queue is not in environment', async () => {
+    // Arrange
+    delete process.env.SQS_WORKFLOW_JOB_QUEUE;
+    const config = await Config.load();
+
+    // Act
+    await sendWebhookEventToWorkflowJobQueue(message, config);
+
+    // Assert
+    expect(SQS).not.toHaveBeenCalled();
+  });
+
+  it('Does not send webhook events to workflow job event copy queue when job queue is set to empty string', async () => {
     // Arrange
     process.env.SQS_WORKFLOW_JOB_QUEUE = '';
     const config = await Config.load();
     // Act
     await sendWebhookEventToWorkflowJobQueue(message, config);
 
     // Assert
-    expect(mockSQS.sendMessage).not.toHaveBeenCalledWith(sqsMessage);
+    expect(SQS).not.toHaveBeenCalled();
   });
 
   it('Catch the exception when even copy queue throws exception', async () => {

lambdas/functions/webhook/src/sqs/index.ts

@@ -50,17 +50,21 @@ export const sendActionRequest = async (message: ActionRequestMessage): Promise<
 };
 
 export async function sendWebhookEventToWorkflowJobQueue(message: GithubWorkflowEvent, config: Config): Promise<void> {
-  if (config.workflowJobEventSecondaryQueue != undefined) {
-    const sqs = new SQS({ region: process.env.AWS_REGION });
-    const sqsMessage: SendMessageCommandInput = {
-      QueueUrl: String(config.workflowJobEventSecondaryQueue),
-      MessageBody: JSON.stringify(message),
-    };
-    logger.debug(`Sending Webhook events to the workflow job queue: ${config.workflowJobEventSecondaryQueue}`);
-    try {
-      await sqs.sendMessage(sqsMessage);
-    } catch (e) {
-      logger.warn(`Error in sending webhook events to workflow job queue: ${(e as Error).message}`);
-    }
+  if (!config.workflowJobEventSecondaryQueue) {
+    return;
+  }
+
+  const sqs = new SQS({ region: process.env.AWS_REGION });
+  const sqsMessage: SendMessageCommandInput = {
+    QueueUrl: String(config.workflowJobEventSecondaryQueue),
+    MessageBody: JSON.stringify(message),
+  };
+
+  logger.debug(`Sending Webhook events to the workflow job queue: ${config.workflowJobEventSecondaryQueue}`);
+
+  try {
+    await sqs.sendMessage(sqsMessage);
+  } catch (e) {
+    logger.warn(`Error in sending webhook events to workflow job queue: ${(e as Error).message}`);
   }
 }

lambdas/libs/aws-ssm-util/package.json

@@ -36,7 +36,7 @@
     "typescript": "^5.4.5"
   },
   "dependencies": {
-    "@aws-sdk/client-ssm": "^3.575.0",
+    "@aws-sdk/client-ssm": "^3.600.0",
     "@aws-sdk/types": "^3.433.0",
     "@terraform-aws-github-runner/aws-powertools-util": "*"
   },