feat: separate runner for AG Data Science for publishing packages int…

…ernally This does introduce a fair bit of duplication that we should probably figure out how to remove, this starts a separate runner for the AG Data Science group that can publish packages to the internal bucket. Co-authored-by: Sekhar Panja <[email protected]> Co-authored-by: Michal Charemza <[email protected]>
uktrade · Jan 21, 2025 · c1f9ae7 · c1f9ae7
1 parent 9d7e92b
commit c1f9ae7
Show file tree

Hide file tree

Showing 2 changed files with 161 additions and 11 deletions.
diff --git a/infra/ecs_main_gitlab.tf b/infra/ecs_main_gitlab.tf
@@ -862,17 +862,6 @@ resource "aws_launch_configuration" "gitlab_runner_data_science" {
     --access-level "not_protected" \
     --run-untagged="true" \
     --locked="true"
-
-  gitlab-runner register \
-    --non-interactive \
-    --url "http://${var.gitlab_domain}/" \
-    --clone-url "http://${var.gitlab_domain}/" \
-    --registration-token "${var.gitlab_runner_ag_data_science_project_token}" \
-    --executor "shell" \
-    --description "ag data science" \
-    --access-level "not_protected" \
-    --run-untagged="true" \
-    --locked="true"
   EOF
 }
 
@@ -1044,3 +1033,163 @@ resource "aws_iam_policy_attachment" "gitlab_runner_data_science" {
   roles      = ["${aws_iam_role.gitlab_runner_data_science[count.index].name}"]
   policy_arn = aws_iam_policy.gitlab_runner_data_science[count.index].arn
 }
+
+resource "aws_autoscaling_group" "gitlab_runner_ag_data_science" {
+  count                     = var.gitlab_on ? 1 : 0
+  name_prefix               = "${var.prefix}-gitlab-runner-ag-data-science-"
+  max_size                  = 2
+  min_size                  = 1
+  desired_capacity          = 1
+  health_check_grace_period = 120
+  health_check_type         = "EC2"
+  launch_configuration      = aws_launch_configuration.gitlab_runner_ag_data_science[0].name
+  vpc_zone_identifier       = aws_subnet.private_without_egress.*.id
+
+  tag {
+    key                 = "Name"
+    value               = "${var.prefix}-gitlab-runner-ag-data-science-asg"
+    propagate_at_launch = true
+  }
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
+resource "aws_launch_configuration" "gitlab_runner_ag_data_science" {
+  count       = var.gitlab_on ? 1 : 0
+  name_prefix = "${var.prefix}-gitlab-runner-ag-data-science-"
+  # This is the ECS optimized image, although we're not running ECS. It's
+  # handy since it has everything docker installed, and cuts down on the
+  # types of infrastructure
+  image_id             = "ami-0749bd3fac17dc2cc"
+  instance_type        = var.gitlab_runner_ag_data_science_instance_type
+  iam_instance_profile = aws_iam_instance_profile.gitlab_runner_ag_data_science[count.index].name
+  security_groups      = ["${aws_security_group.gitlab_runner[count.index].id}"]
+  key_name             = aws_key_pair.shared.key_name
+
+  associate_public_ip_address = false
+
+  lifecycle {
+    create_before_destroy = true
+  }
+
+  root_block_device {
+    volume_size = var.gitlab_runner_team_root_volume_size
+    encrypted   = true
+  }
+
+  user_data = <<EOF
+  #!/bin/bash
+  #
+  set -e
+  yum update -y
+  yum install -y git jq unzip
+
+  curl "https://s3.eu-west-2.amazonaws.com/mirrors.notebook.uktrade.io/aws-cli/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
+  unzip awscliv2.zip
+  ./aws/install
+
+  curl -L --output /usr/local/bin/gitlab-runner https://s3.eu-west-2.amazonaws.com/mirrors.notebook.uktrade.io/gitlab-runner/gitlab-runner-linux-amd64
+  chmod +x /usr/local/bin/gitlab-runner
+  ln -s /usr/local/bin/gitlab-runner /usr/bin/gitlab-runner
+  useradd --comment 'GitLab Runner' --create-home gitlab-runner --shell /bin/bash
+  usermod -aG docker gitlab-runner
+
+  mkdir -p /etc/gitlab-runner
+  echo "concurrent = 10" >> /etc/gitlab-runner/config.toml
+  echo "check_interval = 1" >> /etc/gitlab-runner/config.toml
+
+  echo "0 0 * * * /usr/bin/docker image prune -f -a --filter until=168h" >> /var/spool/cron/ec2-user
+
+  gitlab-runner install --user=gitlab-runner --working-directory=/home/gitlab-runner
+  gitlab-runner start
+  # Connects via HTTP, but uses private ip, not public internet
+  gitlab-runner register \
+    --non-interactive \
+    --url "http://${var.gitlab_domain}/" \
+    --clone-url "http://${var.gitlab_domain}/" \
+    --registration-token "${var.gitlab_runner_ag_data_science_project_token}" \
+    --executor "shell" \
+    --description "ag data science" \
+    --access-level "not_protected" \
+    --run-untagged="true" \
+    --locked="true"
+  EOF
+}
+
+resource "aws_iam_instance_profile" "gitlab_runner_ag_data_science" {
+  count = var.gitlab_on ? 1 : 0
+  name  = "${var.prefix}-gitlab-runner-ag-data-science"
+  role  = aws_iam_role.gitlab_runner_ag_data_science[count.index].name
+}
+
+resource "aws_iam_role" "gitlab_runner_ag_data_science" {
+  count              = var.gitlab_on ? 1 : 0
+  name               = "${var.prefix}-gitlab-runner-ag-data-science"
+  path               = "/"
+  assume_role_policy = data.aws_iam_policy_document.gitlab_runner_ag_data_science_assume_role[count.index].json
+}
+
+data "aws_iam_policy_document" "gitlab_runner_ag_data_science_assume_role" {
+  count = var.gitlab_on ? 1 : 0
+  statement {
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      type        = "Service"
+      identifiers = ["ec2.amazonaws.com"]
+    }
+  }
+}
+
+resource "aws_iam_policy" "gitlab_runner_ag_data_science" {
+  count  = var.gitlab_on ? 1 : 0
+  name   = "${var.prefix}-gitlab-runner-ag-data-science"
+  policy = data.aws_iam_policy_document.gitlab_runner_ag_data_science[count.index].json
+}
+
+data "aws_iam_policy_document" "gitlab_runner_ag_data_science" {
+  count = var.gitlab_on ? 1 : 0
+
+  statement {
+    actions = [
+      "ecr:GetAuthorizationToken",
+    ]
+
+    resources = [
+      "*"
+    ]
+  }
+
+  # Read only for the base images
+  statement {
+    actions = [
+      "ecr:BatchGetImage",
+      "ecr:GetDownloadUrlForLayer",
+    ]
+
+    resources = [
+      "${aws_ecr_repository.theia.arn}",
+    ]
+  }
+
+  # Allow list and put object for Gitlab private package index
+  statement {
+    actions = [
+      "s3:ListBucket",
+    ]
+    resources = [
+      "arn:aws:s3:::${aws_s3_bucket.notebooks.id}",
+    ]
+  }
+
+  statement {
+    actions = [
+      "s3:PutObject"
+    ]
+    resources = [
+      "arn:aws:s3:::${aws_s3_bucket.notebooks.id}/shared/ag_packages/*"
+    ]
+  }
+}
diff --git a/infra/main.tf b/infra/main.tf
@@ -146,6 +146,7 @@ variable "gitlab_ebs_volume_size" {
 variable "gitlab_runner_instance_type" {}
 variable "gitlab_runner_tap_instance_type" {}
 variable "gitlab_runner_data_science_instance_type" {}
+variable "gitlab_runner_ag_data_science_instance_type" {}
 variable "gitlab_runner_root_volume_size" {}
 variable "gitlab_runner_team_root_volume_size" {}
 variable "gitlab_db_instance_class" {}