
docker_machine_role_json is not very useful

Open Fuuzetsu opened this issue 3 years ago • 3 comments

This variable allows changing the assume_role of the created role for the docker machine:

https://github.com/npalm/terraform-aws-gitlab-runner/blob/920d9c7e1a03a46d99a4f64795eb1b786676b642/main.tf#L331

This isn't that useful; it's almost always just going to be what the template already is.

What would be useful, and is currently missing, is a simple way to add custom policies to the docker machine instance role: for example, the ability to pull from private ECR.

Fuuzetsu avatar Dec 09 '20 07:12 Fuuzetsu

Having said that, it is still possible to add extra policies to the role that the module creates. For example:

module "gitlab_runner" {
…
}

data "aws_iam_policy_document" "gitlab_runner" {
  statement {
    sid = "ECRAuth"
    actions = [
      "ecr:GetAuthorizationToken",
    ]
    resources = ["*"]
  }
}

resource "aws_iam_policy" "gitlab_runner" {
  name   = "${var.name}-gitlab-runner-${var.env}"
  policy = data.aws_iam_policy_document.gitlab_runner.json
}

resource "aws_iam_role_policy_attachment" "gitlab_runner" {
  role       = module.gitlab_runner.runner_agent_role_name
  policy_arn = aws_iam_policy.gitlab_runner.arn
}

Fuuzetsu avatar Dec 10 '20 03:12 Fuuzetsu

Can't you just use docker_machine_iam_policy_arns?

trallnag avatar Feb 16 '21 12:02 trallnag

Also, it is useful for me because in the accounts I work with, rules enforce that every role must trust a special entity used for monitoring and audit.

trallnag avatar Feb 16 '21 16:02 trallnag
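Putting the two suggestions in this thread together (attaching an extra policy through docker_machine_iam_policy_arns, and supplying a custom trust policy through docker_machine_role_json), as an added example that is not code from the issue or from the module itself. It assumes docker_machine_iam_policy_arns takes a list of policy ARNs and docker_machine_role_json takes a trust-policy JSON string; the ECR repository and audit role ARNs are placeholders.

```hcl
# Added example; not code from the issue or from the module itself.
# Assumed: docker_machine_iam_policy_arns is a list of policy ARNs and
# docker_machine_role_json is a trust-policy JSON string (both names appear
# in the thread; their exact types are assumed). ARNs are placeholders.

# Least-privilege ECR pull: GetAuthorizationToken needs "*", the image and
# layer reads are scoped to the single repository the jobs actually need.
data "aws_iam_policy_document" "docker_machine_ecr_pull" {
  statement {
    sid       = "ECRAuth"
    actions   = ["ecr:GetAuthorizationToken"]
    resources = ["*"]
  }
  statement {
    sid       = "ECRPull"
    actions   = ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer", "ecr:BatchCheckLayerAvailability"]
    resources = ["arn:aws:ecr:eu-west-1:111111111111:repository/ci-images"] # placeholder
  }
}

resource "aws_iam_policy" "docker_machine_ecr_pull" {
  name   = "gitlab-docker-machine-ecr-pull"
  policy = data.aws_iam_policy_document.docker_machine_ecr_pull.json
}

# Trust policy: the EC2 statement must stay (the instance profile depends on
# it); the second statement adds the audit principal the account rules require.
data "aws_iam_policy_document" "docker_machine_trust" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com"]
    }
  }
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::111111111111:role/central-audit"] # placeholder
    }
  }
}

module "gitlab_runner" {
  source = "github.com/npalm/terraform-aws-gitlab-runner"
  # ... remaining runner settings omitted ...
  docker_machine_role_json       = data.aws_iam_policy_document.docker_machine_trust.json
  docker_machine_iam_policy_arns = [aws_iam_policy.docker_machine_ecr_pull.arn]
}
```

Note that this attaches the pull policy to the docker machine role, not to the runner agent role that the earlier snippet targets via runner_agent_role_name, which is the role the original request is about.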

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 15 days.

github-actions[bot] avatar Jan 02 '23 02:01 github-actions[bot]

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 15 days.

github-actions[bot] avatar Mar 18 '23 02:03 github-actions[bot]

> Also it is useful for me because in the accounts I work with rules enforce that every role must trust a special entity used for monitoring and audit

I think this is probably a reasonable thing for someone to have and we might want to just close the ticket?

Fuuzetsu avatar Mar 19 '23 02:03 Fuuzetsu

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 15 days.

github-actions[bot] avatar May 18 '23 02:05 github-actions[bot]