## Problem

When using the `docker-autoscaler` executor, there is no way to add tags exclusively to worker instances without also affecting the runner manager instance.

The module's top-level `tags` variable and the provider's `default_tags` both propagate to all resources — manager and workers alike. The `runner_instance.additional_tags` only applies to the manager ASG, but there is no equivalent for the worker launch template's `tag_specifications`.
## Use Case

AWS GuardDuty Runtime Monitoring can be configured to exclude EC2 instances tagged `GuardDutyManaged: false`. For ephemeral CI workers (short-lived spot instances), GuardDuty scanning generates significant cost with little security value. The manager instance should remain monitored.

Currently, the only option is to exclude both manager and workers (undesirable — the manager should stay monitored).
## Proposed Solution

Add an `additional_tags` field to `runner_worker_docker_autoscaler_instance`:

```hcl
runner_worker_docker_autoscaler_instance = {
  # ... existing fields ...
  additional_tags = { "GuardDutyManaged" = "false" }
}
```

These tags would be merged into the worker launch template's `tag_specifications` (instance, volume, network-interface) alongside `local.tags`.
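As an added sketch of how the proposal could be wired up inside the module (illustration only, not the module's own code; the variable, local and resource names below are assumed, and the object type is reduced to the new field):

```hcl
# Illustrative only: names are assumed, not taken from the module.
variable "runner_worker_docker_autoscaler_instance" {
  type = object({
    additional_tags = optional(map(string), {})
  })
  default = {}
}

locals {
  # Module-wide tags that already reach every resource, manager and workers alike.
  tags = {
    Environment = "ci"
    ManagedBy   = "terraform"
  }

  # Worker-only tags are merged last so they win on a key collision. This lets a
  # worker opt out of GuardDuty Runtime Monitoring (GuardDutyManaged = "false")
  # while the manager, which never sees this map, stays monitored.
  worker_tags = merge(
    local.tags,
    var.runner_worker_docker_autoscaler_instance.additional_tags,
  )
}

resource "aws_launch_template" "worker" {
  name_prefix = "gitlab-runner-worker-"

  # Stamp the merged tag set onto each resource type the template creates,
  # so the instance, its volumes and its ENIs all carry the worker-only tags.
  dynamic "tag_specifications" {
    for_each = toset(["instance", "volume", "network-interface"])
    content {
      resource_type = tag_specifications.value
      tags          = local.worker_tags
    }
  }
}

# Surface the effective worker tag set so a plan can be reviewed for the
# expected GuardDutyManaged value before apply.
output "worker_tags" {
  value = local.worker_tags
}
```

Run `terraform plan` and confirm `worker_tags` shows `GuardDutyManaged = "false"` while the manager ASG's tags are unchanged.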
## Alternatives Considered

- Using `default_tags` at the provider level — affects all resources including the manager
- Using `runner_instance.additional_tags` — only affects the manager ASG, not workers
- Switching GuardDuty to include-mode — requires account-level changes unrelated to the module