feat: migrate launch template to use SSM for AMI lookup

Author: npalm

examples/default/.terraform.lock.hcl

@@ -180,6 +180,7 @@ module "runners" {
   runner_architecture       = var.runner_architecture
   ami_filter                = var.ami_filter
   ami_owners                = var.ami_owners
+  ami_id_ssm_parameter_arn  = var.ami_id_ssm_parameter_arn
   ami_id_ssm_parameter_name = var.ami_id_ssm_parameter_name
   ami_kms_key_arn           = var.ami_kms_key_arn
 

main.tf

@@ -28,6 +28,7 @@ module "runners" {
   runner_architecture       = each.value.runner_config.runner_architecture
   ami_filter                = each.value.runner_config.ami_filter
   ami_owners                = each.value.runner_config.ami_owners
+  ami_id_ssm_parameter_arn  = each.value.runner_config.ami_id_ssm_parameter_arn
   ami_id_ssm_parameter_name = each.value.runner_config.ami_id_ssm_parameter_name
   ami_kms_key_arn           = each.value.runner_config.ami_kms_key_arn
 

modules/multi-runner/runners.tf

@@ -1,8 +1,8 @@
 variable "github_app" {
   description = <<EOF
-  GitHub app parameters, see your github app. 
+  GitHub app parameters, see your github app.
   You can optionally create the SSM parameters yourself and provide the ARN and name here, through the `*_ssm` attributes.
-  If you chose to provide the configuration values directly here, 
+  If you chose to provide the configuration values directly here,
   please ensure the key is the base64-encoded `.pem` file (the output of `base64 app.private-key.pem`, not the content of `private-key.pem`).
   Note: the provided SSM parameters arn and name have a precedence over the actual value (i.e `key_base64_ssm` has a precedence over `key_base64` etc).
   EOF
@@ -67,6 +67,7 @@ variable "multi_runner_config" {
       })
       ami_filter                              = optional(map(list(string)), { state = ["available"] })
       ami_owners                              = optional(list(string), ["amazon"])
+      ami_id_ssm_parameter_arn                = optional(string, null)
       ami_id_ssm_parameter_name               = optional(string, null)
       ami_kms_key_arn                         = optional(string, "")
       create_service_linked_role_spot         = optional(bool, false)

modules/multi-runner/variables.tf

@@ -37,8 +37,9 @@ locals {
     "linux"   = "${path.module}/templates/start-runner.sh"
   }
 
-  ami_kms_key_arn = var.ami_kms_key_arn != null ? var.ami_kms_key_arn : ""
-  ami_filter      = merge(local.default_ami[var.runner_os], var.ami_filter)
+  ami_kms_key_arn           = var.ami_kms_key_arn != null ? var.ami_kms_key_arn : ""
+  ami_filter                = merge(local.default_ami[var.runner_os], var.ami_filter)
+  ami_id_ssm_module_managed = var.ami_id_ssm_parameter_arn == null
 
   enable_job_queued_check = var.enable_job_queued_check == null ? !var.enable_ephemeral_runners : var.enable_job_queued_check
 
@@ -84,6 +85,27 @@ data "aws_ami" "runner" {
   owners = var.ami_owners
 }
 
+resource "aws_ssm_parameter" "runner_ami_id" {
+  count     = local.ami_id_ssm_module_managed ? 1 : 0
+  name      = "${var.ssm_paths.root}/${var.ssm_paths.config}/ami_id"
+  type      = "String"
+  data_type = "aws:ec2:image"
+  value     = data.aws_ami.runner.id
+
+  tags = merge(
+    local.tags,
+    {
+      "ghr:ami_name" = data.aws_ami.runner.name
+    },
+    {
+      "ghr:ami_creation_date" = data.aws_ami.runner.creation_date
+    },
+    {
+      "ghr:ami_deprecation_time" = data.aws_ami.runner.deprecation_time
+    }
+  )
+}
+
 resource "aws_launch_template" "runner" {
   name = "${var.prefix}-action-runner"
 
@@ -140,7 +162,7 @@ resource "aws_launch_template" "runner" {
   }
 
   instance_initiated_shutdown_behavior = "terminate"
-  image_id                             = data.aws_ami.runner.id
+  image_id                             = "resolve:ssm:${local.ami_id_ssm_module_managed ? aws_ssm_parameter.runner_ami_id[0].arn : var.ami_id_ssm_parameter_arn}"
   key_name                             = var.key_name
   ebs_optimized                        = var.ebs_optimized
 

modules/runners/main.tf

@@ -38,6 +38,15 @@
                 "${ssm_config_path}/*"
             ]
         },
+        {
+            "Effect": "Allow",
+            "Action": [
+              "ssm:GetParameters"
+            ],
+            "Resource": [
+                "${ssm_ami_id_parameter_arn}"
+            ]
+        },
         {
             "Effect": "Allow",
             "Action": [

modules/runners/policies/lambda-scale-up.json

@@ -119,6 +119,7 @@ resource "aws_iam_role_policy" "scale_up" {
     ssm_config_path           = "arn:${var.aws_partition}:ssm:${var.aws_region}:${data.aws_caller_identity.current.account_id}:parameter${var.ssm_paths.root}/${var.ssm_paths.config}"
     kms_key_arn               = local.kms_key_arn
     ami_kms_key_arn           = local.ami_kms_key_arn
+    ssm_ami_id_parameter_arn  = local.ami_id_ssm_module_managed ? aws_ssm_parameter.runner_ami_id[0].arn : var.ami_id_ssm_parameter_arn
   })
 }
 

modules/runners/scale-up.tf

@@ -130,6 +130,12 @@ variable "ami_owners" {
   default     = ["amazon"]
 }
 
+variable "ami_id_ssm_parameter_arn" {
+  description = "ARN of the SSM parameter (of data type aws:ec2:image) that contains the AMI ID to launch runner instances from. Overrides ami_filter"
+  type        = string
+  default     = null
+}
+
 variable "ami_id_ssm_parameter_name" {
   description = "Externally managed SSM parameter (of data type aws:ec2:image) that contains the AMI ID to launch runner instances from. Overrides ami_filter"
   type        = string

modules/runners/variables.tf

@@ -33,9 +33,9 @@ variable "enable_organization_runners" {
 
 variable "github_app" {
   description = <<EOF
-  GitHub app parameters, see your github app. 
+  GitHub app parameters, see your github app.
   You can optionally create the SSM parameters yourself and provide the ARN and name here, through the `*_ssm` attributes.
-  If you chose to provide the configuration values directly here, 
+  If you chose to provide the configuration values directly here,
   please ensure the key is the base64-encoded `.pem` file (the output of `base64 app.private-key.pem`, not the content of `private-key.pem`).
   Note: the provided SSM parameters arn and name have a precedence over the actual value (i.e `key_base64_ssm` has a precedence over `key_base64` etc).
   EOF
@@ -383,8 +383,14 @@ variable "ami_owners" {
   default     = ["amazon"]
 }
 
+variable "ami_id_ssm_parameter_arn" {
+  description = "ARN of the SSM parameter (of data type aws:ec2:image) that contains the AMI ID to launch runner instances from. Overrides ami_filter"
+  type        = string
+  default     = null
+}
+
 variable "ami_id_ssm_parameter_name" {
-  description = "Externally managed SSM parameter (of data type aws:ec2:image) that contains the AMI ID to launch runner instances from. Overrides ami_filter"
+  description = "(DEPRECATED) Variable is replaced by `ami_id_ssm_parameter_arn` Externally managed SSM parameter (of data type aws:ec2:image) that contains the AMI ID to launch runner instances from. Overrides ami_filter"
   type        = string
   default     = null
 }