terraform-aws-gitlab-runner
docker_machine_role_json is not very useful
This variable allows changing the assume_role policy of the role created for the docker machine:
https://github.com/npalm/terraform-aws-gitlab-runner/blob/920d9c7e1a03a46d99a4f64795eb1b786676b642/main.tf#L331
This isn't that useful; it's almost always just going to be what the template is already.
What would be useful, and is currently missing, is a simple way to add custom policies to the docker machine instance role: for example, the ability to pull from a private ECR.
Having said that, it is still possible to add extra policies to the role that the module creates. For example:
```hcl
module "gitlab_runner" {
  # …
}

data "aws_iam_policy_document" "gitlab_runner" {
  statement {
    sid = "ECRAuth"
    actions = [
      "ecr:GetAuthorizationToken",
    ]
    resources = ["*"]
  }
}

resource "aws_iam_policy" "gitlab_runner" {
  name   = "${var.name}-gitlab-runner-${var.env}"
  policy = data.aws_iam_policy_document.gitlab_runner.json
}

resource "aws_iam_role_policy_attachment" "gitlab_runner" {
  role       = module.gitlab_runner.runner_agent_role_name
  policy_arn = aws_iam_policy.gitlab_runner.arn
}
```
Can't you just use `docker_machine_iam_policy_arns`?
Also it is useful for me because in the accounts I work with rules enforce that every role must trust a special entity used for monitoring and audit
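The two things raised in this thread, a custom least-privilege policy on the docker machine role and a trust policy that also trusts an audit principal, as one added Terraform example. This is not the issue author's snippet and not the module's own code; it assumes the module inputs `docker_machine_iam_policy_arns` and `docker_machine_role_json` as named in this thread, a git source built from the repository URL above, and placeholder ARNs for the ECR repository and the audit principal:

```hcl
# Added example, not part of the original issue or of the module itself.
# Assumptions: the module accepts docker_machine_iam_policy_arns (list of policy
# ARNs) and docker_machine_role_json (assume-role policy JSON) as used in this
# thread; ARNs below are constructed placeholders, not real accounts.

variable "ecr_repository_arn" {
  description = "Private ECR repository the jobs pull from (placeholder)"
  type        = string
  default     = "arn:aws:ecr:eu-west-1:111122223333:repository/example-app"
}

variable "audit_principal_arn" {
  description = "Principal every role in the account must trust (placeholder)"
  type        = string
  default     = "arn:aws:iam::111122223333:role/example-audit-role"
}

# Pull-only policy for the docker machine instances.
data "aws_iam_policy_document" "docker_machine_ecr_pull" {
  # GetAuthorizationToken has no resource-level permissions, so "*" is required here.
  statement {
    sid       = "ECRAuth"
    actions   = ["ecr:GetAuthorizationToken"]
    resources = ["*"]
  }

  # The actual image and layer reads are scoped to the one repository in use.
  statement {
    sid = "ECRPullFromRepo"
    actions = [
      "ecr:BatchCheckLayerAvailability",
      "ecr:BatchGetImage",
      "ecr:GetDownloadUrlForLayer",
    ]
    resources = [var.ecr_repository_arn]
  }
}

resource "aws_iam_policy" "docker_machine_ecr_pull" {
  name   = "gitlab-docker-machine-ecr-pull"
  policy = data.aws_iam_policy_document.docker_machine_ecr_pull.json
}

# Trust policy for the docker machine role: EC2 must stay in it so the instance
# profile keeps working; the audit principal is added alongside, not instead.
data "aws_iam_policy_document" "docker_machine_assume_role" {
  statement {
    sid     = "EC2Instances"
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com"]
    }
  }

  statement {
    sid     = "AuditPrincipal"
    actions = ["sts:AssumeRole"]
    principals {
      type        = "AWS"
      identifiers = [var.audit_principal_arn]
    }
  }
}

module "gitlab_runner" {
  # Git source from the repository URL in this issue; pin a ref in real use.
  source = "github.com/npalm/terraform-aws-gitlab-runner"

  # … remaining module inputs omitted …

  # Attach the custom policy through the module rather than widening the
  # role by hand after it has been created.
  docker_machine_iam_policy_arns = [aws_iam_policy.docker_machine_ecr_pull.arn]

  # Replace the default trust policy with one that also trusts the audit principal.
  docker_machine_role_json = data.aws_iam_policy_document.docker_machine_assume_role.json
}
```

Two checks worth doing before applying this: confirm that the role you are extending is the one your jobs actually run under (the runner agent role and the docker machine instance role are separate, and a policy attached to the wrong one silently does nothing), and keep the pull actions scoped to the repository ARN rather than `"*"`, since only `ecr:GetAuthorizationToken` genuinely needs the wildcard.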
This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 15 days.
I think this is probably a reasonable thing for someone to have and we might want to just close the ticket?