gitlabrunner-host.yml

Description: Creates an EC2 with GitLab Runner.

Metadata: 
  AWS::CloudFormation::Interface: 
    ParameterGroups: 
      - Label: 
          default: "Network Configuration"
        Parameters: 
          - VpcId          
          - PrivateSubnetId

      - Label:
          default: "Remote access"
        Parameters:
          - SshKeyName
          - SshCidr

      - Label: 
          default: "Host Settings"
        Parameters: 
          - InstanceType          
          - DiskSize

      - Label: 
          default: "Runner Settings"
        Parameters: 
          - RunnerName
          - GitLabRegistrationToken          
          - GitlabServer
          - ConcurrentRunners
    ParameterLabels:
      VpcId:
        default: "Which VPC should the runner host be deployed to?"
      PrivateSubnetId:
        default: "Which Subnet in the VPC should the host be deployed to?"
      SshKeyName:
        default: "What is the key pair name you want to use when accessing over SSH?"
      SshCidr:
        default: "From which CIDR block do you want to have remote access over SSH?"
      RunnerName:
        default: "What name do you want to give to the runner?"
      GitLabRegistrationToken:
        default: "What is the registration token for the Gitlab project this runner should connect to?"
      GitlabServer:
        default: "What is the URL to the Gitlab master?"

Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
    Description: The VPC to use for the runner host. (https://console.aws.amazon.com/vpc)

  PrivateSubnetId:
    Type: AWS::EC2::Subnet::Id
    Description: The Subnet to place the runner host in. (https://console.aws.amazon.com/vpc)

  SshCidr:
    Type: String
    Description: (Only required if you want to do remote login) The CIDR the runner host can be accessed from. Don't use "0.0.0.0/0", use a Bastion host CIDR instead. (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/authorizing-access-to-an-instance.html)
    AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2})|^$
    ConstraintDescription: must be a valid IP CIDR range of the form x.x.x.x/x or empty.

  InstanceType:
    Type: String
    Default: t2.small
    Description: The type and size of the host.
    AllowedValues: [t1.micro, t2.nano, t2.micro, t2.small, t2.medium, t2.large, t2.xlarge, t2.2xlarge, m1.small,
      m1.medium, m1.large, m1.xlarge, m2.xlarge, m2.2xlarge, m2.4xlarge, m3.medium,
      m3.large, m3.xlarge, m3.2xlarge, m4.large, m4.xlarge, m4.2xlarge, m4.4xlarge,
      m4.10xlarge, c1.medium, c1.xlarge, c3.large, c3.xlarge, c3.2xlarge, c3.4xlarge,
      c3.8xlarge, c4.large, c4.xlarge, c4.2xlarge, c4.4xlarge, c4.8xlarge, g2.2xlarge,
      g2.8xlarge, r3.large, r3.xlarge, r3.2xlarge, r3.4xlarge, r3.8xlarge, i2.xlarge,
      i2.2xlarge, i2.4xlarge, i2.8xlarge, d2.xlarge, d2.2xlarge, d2.4xlarge, d2.8xlarge,
      hi1.4xlarge, hs1.8xlarge, cr1.8xlarge, cc2.8xlarge, cg1.4xlarge]
    ConstraintDescription: must be a valid EC2 instance type.

  SshKeyName:
    Type: String    
    Description: (Only required if you want to do remote login) The key pair name to be associated with the runner host. Must exist in your account. (https://console.aws.amazon.com/ec2/v2/home#KeyPairs:sort=keyName)
    
  DiskSize:
    Type: String
    Default: 100
    Description: The size of the volume (in GB) that will be connected to the instance.

  RunnerName:
      Type: String
      Description: This name will be visible in the Runners settings in Gitlab CI/CD settings and in your build outputs.
      MinLength: 2          
      ConstraintDescription: the runner name must consist of at least 2 characters.

  GitLabRegistrationToken:
    Type: String    
    Description: GitLab registration token for one of your Gitlab projects (Gitlab project -> Settings -> CI/CD -> Runner settings -> Registration token under Specific runners). (https://docs.gitlab.com/ee/ci/runners/#registering-a-specific-runner-with-a-project-registration-token)
    NoEcho: true

  GitlabServer:
     Type: String
     Description: The URL for the Gitlab server to connect this runner to. Defaults to https://gitlab.com but can be e.g. your organization's Gitlab enterprise host.
     Default: https://gitlab.com/

  ConcurrentRunners:
    Type: Number
    Description: The number of max concurrent runners the host allow. (https://docs.gitlab.com/runner/configuration/advanced-configuration.html)
    Default: 4
    MinValue: 1
    MaxValue: 20
    ConstraintDescription: the number of concurrent runners  must be a number between 1-20.

Mappings:
  #  These are variants of the Amazon Linux AMI with Ubuntu 16.04 LTS. Taken from https://cloud-images.ubuntu.com/locator/ec2/, filter 18.04 hvm:ebs-ssd, sorted on Zone.
  AmazonLinuxAMI:
    eu-west-3:
        AMI: ami-2b12a356
    eu-west-2:
        AMI: ami-299d734e
    us-east-2:
        AMI: ami-46fec023       
    us-west-2:
        AMI: ami-04f8bb7c
    ap-southeast-2:
        AMI: ami-20f32c42	
    ap-northeast-2:
        AMI: ami-6969c307	
    cn-northwest-1:
        AMI: ami-e1bbaf83
    cn-north-1:
        AMI: ami-a001dfcd
    eu-west-1:
        AMI: ami-477b773e
    eu-central-1:
        AMI: ami-b50b385e
    ap-south-1:
        AMI: ami-2396be4c
    ca-central-1:
        AMI: ami-5906853d
    ap-southeast-1:
        AMI: ami-053f3879
    sa-east-1:
        AMI: ami-4b6a3127
    ap-northeast-1:
        AMI: ami-5017d82f
    us-west-1:
        AMI: ami-ea34d089
    us-east-1:
        AMI: ami-85f9b8fa
Conditions:
  HasKeyName:
    Fn::Not:
    - Fn::Equals:
      - ''
      - Ref: SshKeyName

  HasCidr: !Not [ !Equals [ !Ref SshCidr, "" ]] 

Resources:
  GitlabRunnerHost:
    Type: AWS::EC2::Instance
    Properties:
      IamInstanceProfile: !Ref GitlabRunnerInstanceProfile 
      ImageId: !FindInMap [AmazonLinuxAMI, !Ref 'AWS::Region', AMI]
      InstanceType: !Ref InstanceType
      KeyName: 
        Fn::If:
        - HasKeyName
        - Ref: SshKeyName
        - Ref: AWS::NoValue
      SubnetId: !Ref PrivateSubnetId
      SecurityGroupIds:
      - !Ref GitlabRunnerSecurityGroup
      Tags:
      - Key: Name
        Value: !Sub ${RunnerName}-host
      - Key: AlwaysOn
        Value: true
      BlockDeviceMappings:
      - DeviceName: "/dev/sda1"
        Ebs:
          DeleteOnTermination: true
          VolumeSize:
            Ref: DiskSize
          VolumeType: gp2
      UserData: 
        'Fn::Base64': !Sub |
          #!/bin/bash -xe
          apt-get install -y apt-transport-https ca-certificates curl software-properties-common
          curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add -
          add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
          apt-get update
          apt-get install -y docker-ce

          curl -L https://packages.gitlab.com/install/repositories/runner/gitlab-runner/script.deb.sh | bash
          apt-get -y install gitlab-runner
          
          apt-get install -y awscli

          # Configure gitlab-runner to accept up to number of concurrent runners defined in parameter ConcurrentRunners
          sed -i.bak -r '/^concurrent = /s/[0-9]+/${ConcurrentRunners}/' /etc/gitlab-runner/config.toml

          # Create a default cache directory for the cache-runner
          mkdir /cache

          # Print out the public IP, good for debuggning
          curl ipinfo.io/ip

          # Register a vanilla-runner. This runner is suitable e.g. for all other containers not needing docker commands.
          gitlab-runner register -n -u ${GitlabServer} -r ${GitLabRegistrationToken} --name ${RunnerName}-vanilla --run-untagged --tag-list "vanilla" --locked=false --executor docker --docker-image "alpine:latest" 

          # Register a docker-runner. This runner is suitable e.g. for containers that need to make use of docker commands.  
          # Note! docker images will be cached on the gitlab runner host.  
          gitlab-runner register -n -u ${GitlabServer} -r ${GitLabRegistrationToken} --name ${RunnerName}-docker --tag-list "docker" --locked=false  --executor docker --docker-image "docker:latest" --docker-volumes /var/run/docker.sock:/var/run/docker.sock

          # Register runner to GitLab server
          # Register a dind (docker in docker) runner. This runners is suitable for builds that needs to build docker images.  
          gitlab-runner register -n -u ${GitlabServer} -r ${GitLabRegistrationToken} --name ${RunnerName}-dind --tag-list "dind" --locked=false --executor docker --docker-image "docker:stable" --docker-privileged

          # Register a cache-runner. This runner is suitable e.g. for all builds that need to cache NPM packages or similar.  
          # Note! NPM packages or similar will be cached on the gitlab runner host.  
          gitlab-runner register -n -u ${GitlabServer} -r ${GitLabRegistrationToken} --name ${RunnerName}-cache --tag-list "cache" --locked=false  --executor docker --docker-image "alpine:latest" --docker-volumes /cache:/cache

  GitlabRunnerRole:
    Type: AWS::IAM::Role
    Properties:
      Path: /
      RoleName: !Sub ${AWS::StackName}-GitlabRunnerRole
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
      - !Ref GitlabRunnerPolicy

  GitlabRunnerInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Roles:
        - !Ref GitlabRunnerRole
      InstanceProfileName: !Sub ${AWS::StackName}-GitlabRunnerInstanceProfile

  GitlabRunnerPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: !Sub ${AWS::StackName}-GitlabRunnerPolicy
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Action:
            - sts:AssumeRole
            Resource: "*"

  GitlabRunnerSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Security group for GitLab Runner Host
      VpcId: !Ref VpcId      
      SecurityGroupEgress: #open for outbound traffic
        - IpProtocol: -1
          CidrIp: 0.0.0.0/0

  SSHSecurityGroupIngress:
    Type: AWS::EC2::SecurityGroupIngress
    Condition: HasCidr
    Properties:
      GroupId: !Ref 'GitlabRunnerSecurityGroup'    
      IpProtocol: tcp
      FromPort: 22
      ToPort: 22
      CidrIp: !Ref SshCidr

Outputs:
  GitlabRunnerInstanceProfile:
    Description: Instance profile to attach to Gitlab runner host. This to enable assuming of other roles, such as deploy roles.
    Value: !Ref GitlabRunnerInstanceProfile
    Export:
      Name: !Sub ${AWS::StackName}-GitlabRunnerInstanceProfile
  GitlabRunnerRole:
    Description: Role attached to GitlabRunnerInstanceProfile.
    Value: !GetAtt GitlabRunnerRole.Arn
    Export:
      Name: !Sub ${AWS::StackName}-GitlabRunnerRole
  SSHKeyName:
    Condition: HasKeyName
    Description: The key name provided for remote access
    Value: !Ref SshKeyName
    Export:
      Name: !Sub ${AWS::StackName}-SSHKeyName
  SshCidr:
    Condition: HasCidr
    Description: The CIDR block provided for remote access
    Value: !Ref SshCidr
    Export:
      Name: !Sub ${AWS::StackName}-SshCidr
  PrivateIp:
    Description: The private IP of the host
    Value: !GetAtt GitlabRunnerHost.PrivateIp
    Export:
      Name: !Sub ${AWS::StackName}-PrivateIp