import { GitlabRunnerAutoscaling } from "@pepperize/cdk-autoscaling-gitlab-runner";
import { Stack } from "aws-cdk-lib";
import { ManagedPolicy, PolicyDocument, Role, ServicePrincipal } from "aws-cdk-lib/aws-iam";
import { ParameterTier, ParameterType, StringParameter } from "aws-cdk-lib/aws-ssm";
import { Construct } from "constructs";
import { RunnerStackProps } from "./runner-stack-props";
/**
 * Props for {@link RunnersRoleStack}. Adds nothing on top of RunnerStackProps
 * today; kept as its own interface, presumably so custom-role options can be
 * added later without touching the shared props — confirm with the owners.
 * The stack reads `gitlabToken` (the runner registration token) from it.
 */
export interface WithCustomRunnersRoleProps extends RunnerStackProps {}
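/**
 * Provisions an autoscaling GitLab runner whose EC2 instances assume a custom
 * IAM role instead of the library's default runners role.
 *
 * The role carries two inline policies: `CdkDeploy`, a narrow set of
 * CloudFormation change-set actions plus object access on the CDK bootstrap
 * buckets, and `CfnDeploy`, which allows any action as long as the call is made
 * by CloudFormation on the runner's behalf (`aws:CalledVia`). The AWS managed
 * policy AmazonS3FullAccess is attached to the same role.
 *
 * @param scope - Parent construct.
 * @param id - Construct id of this stack.
 * @param props - Stack props; `gitlabToken` is the runner registration token
 *   that is stored in SSM under `/gitlab-runner/token`.
 */
export class RunnersRoleStack extends Stack {
  constructor(scope: Construct, id: string, props: WithCustomRunnersRoleProps) {
    super(scope, id, props);
    const { gitlabToken } = props;

    // NOTE(review): `stringValue` places the registration token in plaintext in
    // the synthesized template, and CloudFormation does not create SecureString
    // parameters through AWS::SSM::Parameter, so this resource is expected to
    // fail at deploy time. Creating the parameter out of band and importing it
    // with StringParameter.fromSecureStringParameterAttributes avoids both
    // problems — confirm against the deployment pipeline before switching.
    const token = new StringParameter(this, "Token", {
      parameterName: "/gitlab-runner/token",
      stringValue: gitlabToken,
      type: ParameterType.SECURE_STRING,
      tier: ParameterTier.STANDARD,
    });

    /**
     * Set role (override default runners role).
     *
     * Least-privilege caveat: the `CfnDeploy` statement is effectively
     * administrative. Any resource CloudFormation can create on behalf of this
     * role — IAM principals and policies included — is reachable by anyone who
     * can push a pipeline to this runner. A permissions boundary on the role,
     * or scoping `Action`/`Resource` to the services the deployed stacks use,
     * limits that blast radius.
     */
    const role = new Role(this, "CustomRunnersRole", {
      assumedBy: new ServicePrincipal("ec2.amazonaws.com", {}),
      inlinePolicies: {
        CdkDeploy: PolicyDocument.fromJson({
          Version: "2012-10-17",
          Statement: [
            {
              Effect: "Allow",
              Action: [
                "cloudformation:DescribeStacks",
                "cloudformation:CreateChangeSet",
                "cloudformation:DescribeChangeSet",
                "cloudformation:ExecuteChangeSet",
                "cloudformation:DescribeStackEvents",
                "cloudformation:DeleteChangeSet",
                "cloudformation:GetTemplate",
              ],
              Resource: ["*"],
            },
            {
              // Bucket and object ARNs both match `cdktoolkit-*` because `*`
              // spans `/` in IAM ARN patterns; note it also matches any other
              // bucket whose name starts with `cdktoolkit-`.
              Effect: "Allow",
              Action: ["s3:*Object", "s3:ListBucket", "s3:GetBucketLocation"],
              Resource: ["arn:aws:s3:::cdktoolkit-*"],
            },
          ],
        }),
        CfnDeploy: PolicyDocument.fromJson({
          Version: "2012-10-17",
          Statement: [
            {
              Effect: "Allow",
              Action: ["*"],
              Resource: ["*"],
              // `aws:CalledVia` is multivalued, hence the ForAnyValue set
              // operator: the grant applies only when CloudFormation is in the
              // call chain, never to direct API calls from the instance.
              Condition: {
                "ForAnyValue:StringEquals": {
                  "aws:CalledVia": "cloudformation.amazonaws.com",
                },
              },
            },
          ],
        }),
      },
    });

    new GitlabRunnerAutoscaling(this, "Runner", {
      runners: [
        {
          role: role,
          token: token,
          configuration: {
            name: "gitlab-runner-with-custom-role",
          },
        },
      ],
    });

    /**
     * Give the runners instance S3 full access.
     *
     * An EC2 instance profile holds exactly one role, so the managed policy is
     * attached to the custom role the instance profile already references
     * (the previous revision created a second role and pushed its name into
     * `instanceProfile.roles`, which exceeds that limit). AmazonS3FullAccess
     * spans every bucket in the account; narrow it if the jobs only need the
     * CDK bootstrap buckets, which `CdkDeploy` already covers.
     */
    role.addManagedPolicy(
      ManagedPolicy.fromManagedPolicyArn(this, "AmazonS3FullAccess", "arn:aws:iam::aws:policy/AmazonS3FullAccess"),
    );
  }
}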