This project allows you to provision groups of:
- a Buildkit host
- GitHub self-hosted repo/org runners that use this Buildkit host when called with
docker buildx
You can link runners for different repos to the same Buildkit host or use multiple Buildkit hosts for the same repository.
- Only egress traffic on port 443 is allowed
- Ingress traffic is disabled
- Make sure you built the github-runner and buildkit-host AMIs using
packer build
before running Terraform. Alternatively, specify another AMI by exposing a variable.
- The PAT will not be stored/used on the EC2 machines, they will just be used to request short-lived (60min) runner tokens using Terraform to register the runners
- The registration will be done using a
user_data
script on the EC2 instances which is why the Terraform creation will not wait for the registration of the runner to be complete - Currently, runners are not de-registered on GitHub when they are destroyed
module "vpc" {
source = "./modules/github-runner-vpc"
subnet_availability_zone = "eu-central-1a"
}
will create the AWS VPC and the needed subnets/gateways without creating any runners.
You can also provide your own subnet/security group to be used by the EC2 instances instead.
This will set up a Buildkit host and start buildkitd
on port 8082 within the private network.
module "buildkit-host-001" {
source = "./modules/buildkit-host"
host_name = "buildkit-host-001"
ec2_instance_type = "t3.micro"
subnet_id = module.vpc.subnet_id
vpc_security_group_ids = [module.vpc.security_group_id]
}
Output of the module will be the private IP of the host (no public IP is associated)
This will create a new EC2 instance and add is as a runner to the provided repository.
The PAT needs Read/Write access to actions
(fine-grained tokens)
module "repo-runner-001" {
source = "./modules/github-repo-runner"
runner_name = "gh-runner-001"
github_username = var.github_username
github_pat = var.github_pat #needs the "repo" scope
repo-name = "terraform-github-runner"
repo-owner = "KarimDarwish"
ec2_instance_type = "t3.micro"
subnet_id = module.vpc.subnet_id
vpc_security_group_ids = [module.vpc.security_group_id]
root_block_device = {
volume_size = 120
volume_type = "gp3"
encrypted = true
delete_on_termination = true
}
depends_on = [module.vpc]
}
This will create a new EC2 instance of the provided type and add it as an organization level runner to your GitHub org.
The PAT needs the admin:org
scope to be able to add the runner.
module "org-runner-001" {
source = "./modules/github-org-runner"
runner_name = "gh-runner-001"
github_pat = var.github_org_pat
github_username = var.github_username
org_name = "KarimDarwishOrg"
ec2_instance_type = "t3.micro"
subnet_id = module.vpc.subnet_id
vpc_security_group_ids = [module.vpc.security_group_id]
root_block_device = {
volume_size = 120
volume_type = "gp3"
encrypted = true
delete_on_termination = true
}
depends_on = [module.vpc]
}
- ARM image/machine support
- AWS Network Firewall to only allow outbound traffic to github domains
- CloudWatch for logging/metrics
- Auto de-register on destroy
- Runner groups for GitHub Enterprise