feat: Add option to disable SSL verification support for GitHub Enterprise Server (#1216)

axel3rd · npalm · web-flow · commit 3c3ef19b1768 · 2021-10-01T13:01:20.000+02:00
* Disable SSL verification support for GitHub Enterprise Server

* Terraform formatting

Close #1207

Co-authored-by: Niek Palm &lt;npalm@users.noreply.github.com&gt;

Co-authored-by: Niek Palm &lt;npalm@users.noreply.github.com&gt;
diff --git a/README.md b/README.md
@@ -359,6 +359,7 @@ No requirements.
 | enable\_ssm\_on\_runners | Enable to allow access the runner instances for debugging purposes via SSM. Note that this adds additional permissions to the runner instances. | `bool` | `false` | no |
 | environment | A name that identifies the environment, used as prefix and for tagging. | `string` | n/a | yes |
 | ghes\_url | GitHub Enterprise Server URL. Example: https://github.internal.co - DO NOT SET IF USING PUBLIC GITHUB | `string` | `null` | no |
+| ghes\_ssl\_verify | GitHub Enterprise SSL verification. Set to `false` when custom certificate (chains) is used for GitHub Enterprise Server (insecure). | `bool` | `true` | no |
 | github\_app | GitHub app parameters, see your github app. Ensure the key is the base64-encoded `.pem` file (the output of `base64 app.private-key.pem`, not the content of `private-key.pem`). | <pre>object({<br>    key_base64     = string<br>    id             = string<br>    client_id      = string<br>    client_secret  = string<br>    webhook_secret = string<br>  })</pre> | n/a | yes |
 | idle\_config | List of time period that can be defined as cron expression to keep a minimum amount of runners active instead of scaling down to 0. By defining this list you can ensure that in time periods that match the cron expression within 5 seconds a runner is kept idle. | <pre>list(object({<br>    cron      = string<br>    timeZone  = string<br>    idleCount = number<br>  }))</pre> | `[]` | no |
 | instance\_profile\_path | The path that will be added to the instance\_profile, if not set the environment name will be used. | `string` | `null` | no |
diff --git a/main.tf b/main.tf
@@ -128,7 +128,8 @@ module "runners" {
 
   runner_iam_role_managed_policy_arns = var.runner_iam_role_managed_policy_arns
 
-  ghes_url = var.ghes_url
+  ghes_url        = var.ghes_url
+  ghes_ssl_verify = var.ghes_ssl_verify
 
   kms_key_arn = var.kms_key_arn
 }
diff --git a/modules/runners/main.tf b/modules/runners/main.tf
@@ -108,6 +108,7 @@ resource "aws_launch_template" "runner" {
     enable_cloudwatch_agent         = var.enable_cloudwatch_agent
     ssm_key_cloudwatch_agent_config = var.enable_cloudwatch_agent ? aws_ssm_parameter.cloudwatch_agent_config_runner[0].name : ""
     ghes_url                        = var.ghes_url
+    ghes_ssl_verify                 = var.ghes_ssl_verify
     install_config_runner           = local.install_config_runner
   }))
 
diff --git a/modules/runners/scale-down.tf b/modules/runners/scale-down.tf
@@ -18,6 +18,7 @@ resource "aws_lambda_function" "scale_down" {
       RUNNER_BOOT_TIME_IN_MINUTES             = var.runner_boot_time_in_minutes
       SCALE_DOWN_CONFIG                       = jsonencode(var.idle_config)
       GHES_URL                                = var.ghes_url
+      NODE_TLS_REJECT_UNAUTHORIZED            = var.ghes_url != null && ! var.ghes_ssl_verify ? 0 : 1
       PARAMETER_GITHUB_APP_CLIENT_ID_NAME     = var.github_app_parameters.client_id.name
       PARAMETER_GITHUB_APP_CLIENT_SECRET_NAME = var.github_app_parameters.client_secret.name
       PARAMETER_GITHUB_APP_ID_NAME            = var.github_app_parameters.id.name
diff --git a/modules/runners/scale-up.tf b/modules/runners/scale-up.tf
@@ -17,6 +17,7 @@ resource "aws_lambda_function" "scale_up" {
       ENABLE_ORGANIZATION_RUNNERS             = var.enable_organization_runners
       ENVIRONMENT                             = var.environment
       GHES_URL                                = var.ghes_url
+      NODE_TLS_REJECT_UNAUTHORIZED            = var.ghes_url != null && ! var.ghes_ssl_verify ? 0 : 1
       RUNNER_EXTRA_LABELS                     = var.runner_extra_labels
       RUNNER_GROUP_NAME                       = var.runner_group_name
       RUNNERS_MAXIMUM_COUNT                   = var.runners_maximum_count
diff --git a/modules/runners/variables.tf b/modules/runners/variables.tf
@@ -303,6 +303,12 @@ variable "ghes_url" {
   default     = null
 }
 
+variable "ghes_ssl_verify" {
+  description = "GitHub Enterprise SSL verification. Set to 'false' when custom certificate (chains) is used for GitHub Enterprise Server (insecure)."
+  type        = bool
+  default     = true
+}
+
 variable "lambda_subnet_ids" {
   description = "List of subnets in which the lambda will be launched, the subnets needs to be subnets in the `vpc_id`."
   type        = list(string)
diff --git a/variables.tf b/variables.tf
@@ -313,6 +313,12 @@ variable "ghes_url" {
   default     = null
 }
 
+variable "ghes_ssl_verify" {
+  description = "GitHub Enterprise SSL verification. Set to 'false' when custom certificate (chains) is used for GitHub Enterprise Server (insecure)."
+  type        = bool
+  default     = true
+}
+
 variable "lambda_subnet_ids" {
   description = "List of subnets in which the action runners will be launched, the subnets needs to be subnets in the `vpc_id`."
   type        = list(string)

Original file line number	Diff line number	Diff line change
`@@ -128,7 +128,8 @@ module "runners" {`
`128`	`128`
`129`	`129`	`runner_iam_role_managed_policy_arns = var.runner_iam_role_managed_policy_arns`
`130`	`130`
`131`		`- ghes_url = var.ghes_url`
	`131`	`+ ghes_url = var.ghes_url`
	`132`	`+ ghes_ssl_verify = var.ghes_ssl_verify`
`132`	`133`
`133`	`134`	`kms_key_arn = var.kms_key_arn`
`134`	`135`	`}`