From fe79626333049553e3bb462cd51c5cb7b2dc3fc6 Mon Sep 17 00:00:00 2001
From: Niek Palm
Date: Tue, 8 Dec 2020 14:17:20 +0100
Subject: [PATCH 1/2] bugfix: Add policies for logging (#389)

* Add policies for logging

* Add policies for logging
---
 modules/runners/logging.tf | 11 ++++++++
 modules/runners/policies-runner.tf | 2 ++
 .../policies/instance-cloudwatch-policy.json | 25 +++++++++++++++++++
 3 files changed, 38 insertions(+)
 create mode 100644 modules/runners/policies/instance-cloudwatch-policy.json

diff --git a/modules/runners/logging.tf b/modules/runners/logging.tf
index fcfb60b1a4..312842e453 100644
--- a/modules/runners/logging.tf
+++ b/modules/runners/logging.tf
@@ -18,3 +18,14 @@ resource "aws_cloudwatch_log_group" "runners" {
 retention_in_days = var.logging_retention_in_days
 tags = local.tags
 }
+
+resource "aws_iam_role_policy" "cloudwatch" {
+ count = var.enable_ssm_on_runners ? 1 : 0
+ name = "CloudWatchLogginAndMetrics"
+ role = aws_iam_role.runner.name
+ policy = templatefile("${path.module}/policies/instance-cloudwatch-policy.json",
+ {
+ ssm_parameter_arn = aws_ssm_parameter.cloudwatch_agent_config_runner[0].arn
+ }
+ )
+}
diff --git a/modules/runners/policies-runner.tf b/modules/runners/policies-runner.tf
index 2e3f5d8fb2..eb1a349d95 100644
--- a/modules/runners/policies-runner.tf
+++ b/modules/runners/policies-runner.tf
@@ -45,3 +45,5 @@ resource "aws_iam_role_policy_attachment" "managed_policies" {
 role = aws_iam_role.runner.name
 policy_arn = element(var.runner_iam_role_managed_policy_arns, count.index)
 }
+
+// see also logging.tf for logging and metrics policies
\ No newline at end of file
diff --git a/modules/runners/policies/instance-cloudwatch-policy.json b/modules/runners/policies/instance-cloudwatch-policy.json
new file mode 100644
index 0000000000..308dcaad36
--- /dev/null
+++ b/modules/runners/policies/instance-cloudwatch-policy.json
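Review bot: The new `aws_iam_role_policy.cloudwatch` in logging.tf is created only when `var.enable_ssm_on_runners` is true, yet the policy exists so the CloudWatch agent can stream logs and publish metrics, and nothing in the hunk ties that agent to the SSM flag. If the agent and `aws_ssm_parameter.cloudwatch_agent_config_runner` are enabled by a different variable (not visible here), the `[0]` index fails to plan when SSM is on and log streaming is off, and runners get no logging policy at all when log streaming is on and SSM is off; the count should follow whichever variable actually gates the agent, e.g. `count = var.<AGENT_ENABLE_FLAG> ? 1 : 0` (placeholder, confirm against variables.tf). The inline policy name `"CloudWatchLogginAndMetrics"` is also missing a letter; `name = "CloudWatchLoggingAndMetrics"` reads better and is safe to change since inline role policies are replaced in place.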
@@ -0,0 +1,25 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "cloudwatch:PutMetricData",
+ "ec2:DescribeVolumes",
+ "ec2:DescribeTags",
+ "logs:PutLogEvents",
+ "logs:DescribeLogStreams",
+ "logs:DescribeLogGroups",
+ "logs:CreateLogStream"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ssm:GetParameter"
+ ],
+ "Resource": "${ssm_parameter_arn}/*"
+ }
+ ]
+}
\ No newline at end of file
From 5868af46349c70c402b6378d9627dc812331199a Mon Sep 17 00:00:00 2001
From: Niek Palm
Date: Tue, 8 Dec 2020 14:36:03 +0100
Subject: [PATCH 2/2] Release v0.8.1
---
 CHANGELOG.md | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 7c5cf55766..290604f7e6 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,18 +7,27 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [Unreleased]
 
+## [0.8.1] - 2020-12-08
+### Changed
+- Policy is missing for streaming logs to cloudwatch #388
+
 ## [0.8.0] - 2020-12-08
 ### Changed
+
 - Examples upgraded to Terraform 13 (#372)
 ### Added
+
 - Streaming runner logs to cloudwatch #375
 ## [0.7.0] - 2020-12-04
+
 ### Changed
+
 - Small clarifications in the README #368 @lrytz
 ### Added
+
 - Allow operator to pass in a list of managed IAM policy ARNs for the runner role #361 @jpalomaki
 - expand options for sourcing lambda to include S3 #292 @eky5006
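Review bot: The first statement grants `logs:PutLogEvents`, `logs:CreateLogStream` and `logs:DescribeLogStreams` on `"Resource": "*"`, so a workload running on a runner can write into any log group in the account rather than only the runner group; these three actions accept a log-group ARN, and the module already creates `aws_cloudwatch_log_group.runners` in logging.tf, so they belong in a second statement scoped to that group, leaving only `cloudwatch:PutMetricData`, the `ec2:Describe*` calls and `logs:DescribeLogGroups` (which do not usefully scope below `*`) in the unscoped statement. The `${runner_log_group_arn}` name below is a placeholder for a variable to be added to the `templatefile` call in logging.tf. Separately, `"${ssm_parameter_arn}/*"` matches only parameters beneath that path, not the parameter whose ARN is interpolated; if the agent reads `aws_ssm_parameter.cloudwatch_agent_config_runner` itself, `ssm:GetParameter` on it will be denied and the resource should be `"${ssm_parameter_arn}"` — confirm against the parameter name.
```json
    {
      "Effect": "Allow",
      "Action": [
        "cloudwatch:PutMetricData",
        "ec2:DescribeVolumes",
        "ec2:DescribeTags",
        "logs:DescribeLogGroups"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "logs:PutLogEvents",
        "logs:DescribeLogStreams",
        "logs:CreateLogStream"
      ],
      "Resource": "${runner_log_group_arn}:*"
    },
```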
@@ -96,7 +105,8 @@ terraform import module.runners.module.webhook.aws_cloudwatch_log_group.webhook
 - First release.
-[unreleased]: https://github.com/philips-labs/terraform-aws-github-runner/compare/v0.8.0..HEAD
+[unreleased]: https://github.com/philips-labs/terraform-aws-github-runner/compare/v0.8.1..HEAD
+[0.8.1]: https://github.com/philips-labs/terraform-aws-github-runner/releases/tag/v0.8.0..v0.8.1
 [0.8.0]: https://github.com/philips-labs/terraform-aws-github-runner/releases/tag/v0.7.0..v0.8.0
 [0.7.0]: https://github.com/philips-labs/terraform-aws-github-runner/releases/tag/v0.6.0..v0.7.0
 [0.6.0]: https://github.com/philips-labs/terraform-aws-github-runner/releases/tag/v0.5.0..v0.6.0