fix: registration should use internal IP so that we can use tags for …

…firewall rules (#4)
DeimosCloud · Mar 16, 2022 · 8926850 · 8926850
1 parent b0110b8
commit 8926850
Show file tree

Hide file tree

Showing 5 changed files with 29 additions and 9 deletions.
diff --git a/README.md b/README.md
@@ -51,6 +51,7 @@ module "runner" {
   source  = "DeimosCloud/gitlab-ci-runner/google"
 
   network = "default"
+  subnetwork = "someNetwork"
   region  = "europe-west1"
   project = local.project_id
 

diff --git a/firewall.tf b/firewall.tf
@@ -1,6 +1,6 @@
 resource "google_compute_firewall" "ssh" {
   count       = var.runners_allow_ssh_access ? 1 : 0
-  name        = "${var.prefix}-gitlab-allow-ssh"
+  name        = "${var.prefix}-gitlab-runner-allow-ssh"
   description = "Allow SSH to Runner instances"
   network     = data.google_compute_network.this.name
 
@@ -23,12 +23,26 @@ resource "google_compute_firewall" "docker_machine" {
     ports    = ["2376"]
   }
 
-  source_tags = [local.firewall_tag]
-  target_tags = [local.firewall_tag, "docker-machine"]
+  source_tags = concat([local.firewall_tag], var.docker_machine_tags)
+  target_tags = concat(["docker-machine", local.firewall_tag], var.runners_tags)
+}
+
+resource "google_compute_firewall" "docker_machine_ssh" {
+  name        = "${var.prefix}-gitlab-runner-docker-machine-allow-ssh"
+  description = "Allow ssh to docker-machine from runner "
+  network     = data.google_compute_network.this.name
+
+  allow {
+    protocol = "tcp"
+    ports    = ["22"]
+  }
+
+  source_tags = concat([local.firewall_tag], var.docker_machine_tags)
+  target_tags = concat(["docker-machine", local.firewall_tag], var.runners_tags)
 }
 
 resource "google_compute_firewall" "internet" {
-  name        = "${var.prefix}-gitlab-allow-internet"
+  name        = "${var.prefix}-gitlab-runner-allow-internet"
   description = "Allow connection to internet"
   network     = data.google_compute_network.this.name
 

diff --git a/locals.tf b/locals.tf
@@ -53,9 +53,10 @@ locals {
       runners_gitlab_url                    = var.runners_gitlab_url
       runners_service_account               = google_service_account.agent.email
       runners_service_account_json          = base64decode(google_service_account_key.agent.private_key)
-      runners_tags                          = join(",", distinct(concat([local.firewall_tag], var.docker_machine_tags)))
+      runners_tags                          = join(",", distinct(concat([local.firewall_tag], var.runners_tags)))
       runners_enable_monitoring             = var.runners_enable_monitoring
-
+      runners_network                       = var.network
+      runners_subnetwork                    = var.subnetwork
   })
 
   template_shutdown_script = templatefile("${path.module}/templates/shutdown-script.sh.tpl", {
@@ -79,7 +80,7 @@ locals {
       runners_machine_type           = var.runners_machine_type
       runners_disk_type              = var.runners_disk_type
       runners_disk_size              = var.runners_disk_size
-      runners_tags                   = join(",", distinct(concat(["gitlab"], var.runners_tags)))
+      runners_tags                   = join(",", distinct(concat([local.firewall_tag], var.runners_tags)))
       runners_labels                 = local.agent_machine_labels
       runners_use_internal_ip        = var.runners_use_internal_ip
       docker_machine_options         = length(var.docker_machine_options) == 0 ? "" : local.docker_machine_options_string

diff --git a/templates/runner-config.toml.tpl b/templates/runner-config.toml.tpl
@@ -14,7 +14,6 @@ listen_address = "127.0.0.1:9252"
   request_concurrency = ${runners_request_concurrency}
   output_limit = ${runners_output_limit}
   limit = ${runners_limit}
-  %{~ if runners_executor == "docker" ~}
   [runners.docker]
     tls_verify = false
     image = "${runners_image}"
@@ -29,7 +28,6 @@ listen_address = "127.0.0.1:9252"
     ${runners_volumes_tmpfs}
   [runners.docker.services_tmpfs]
     ${runners_services_volumes_tmpfs}
-  %{~ endif ~}
   [runners.cache]
     Type = "gcs"
     Shared = ${shared_cache}
@@ -62,6 +60,8 @@ listen_address = "127.0.0.1:9252"
       %{~ endif ~}
       %{~ if runners_use_internal_ip ~}
       "google-use-internal-ip-only",
+      %{~ else ~}
+      "google-use-internal-ip",
       %{~ endif ~}
       ${docker_machine_options}
     ]

diff --git a/templates/startup-script.sh.tpl b/templates/startup-script.sh.tpl
@@ -74,6 +74,10 @@ else
       --google-scopes https://www.googleapis.com/auth/cloud-platform \
       --google-disk-type pd-ssd \
       --google-tags ${runners_tags} \
+      --google-network ${runners_network} \
+      %{~ if runners_subnetwork != "" ~}
+      --google-subnetwork ${runners_subnetwork} \
+      %{~ endif ~}
       $dummymachine
   docker-machine rm -y $dummymachine
   unset HOME