feat(runner-role): Enable using separate IAM role for runners#4875
Conversation
|
Sorry for keep you waining, PR is still on the radar. |
There was a problem hiding this comment.
Pull request overview
This PR introduces the ability to customize IAM roles and instance profiles for GitHub Actions runner instances, allowing users to specify their own existing IAM resources instead of relying on the module to create them. This is designed to support legacy IAM roles from previous infrastructure migrations while maintaining backward compatibility.
- Adds
iam_overridesvariable to control whether to use existing IAM roles/profiles or create new ones - Converts IAM role and instance profile resources to conditional creation using count
- Updates all IAM policy attachments and references to handle both scenarios
Reviewed changes
Copilot reviewed 10 out of 10 changed files in this pull request and generated 6 comments.
Show a summary per file
| File | Description |
|---|---|
| variables.tf | Adds root-level iam_overrides variable with override flags and resource identifiers |
| modules/runners/variables.tf | Adds module-level iam_overrides variable matching the root module structure |
| modules/runners/policies-runner.tf | Converts IAM resources to conditional creation and updates references to use array indexing |
| modules/runners/scale-up.tf | Updates scale-up Lambda policy to reference either custom or module-created runner role ARN |
| modules/runners/pool.tf | Updates pool configuration to pass either custom or module-created runner role |
| modules/runners/main.tf | Updates launch template to reference either custom or module-created instance profile |
| modules/runners/logging.tf | Updates CloudWatch policy attachment to handle conditional role creation |
| modules/multi-runner/variables.tf | Adds iam_overrides to multi-runner configuration and module-level variable |
| modules/multi-runner/runners.tf | Passes iam_overrides to runners module |
| main.tf | Passes iam_overrides from root to runners module |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
|
@maratinvitae sorry for the long wait, but we working hard to get through the backlog. Please can you rebase the PR? |
npalm
left a comment
npalm
left a comment
There was a problem hiding this comment.
PR looks fine, but want to run a quick test.
|
Hi @npalm, any updates on this PR? Just as a note, I have tested assuming external role successfully. |
|
One thing that could be really interesting here would be to move That would let us reuse the submodule to create the IAM role + instance profile independently from the rest of the runner infrastructure, while still leveraging all the default policies and existing configuration. I’m really excited about this feature because in my case I need to control the role name ahead of time, and I also want to reuse the same role across multiple runner groups. |
I think that increases the scope of this change a bit beyond what it was intended to do. I love the idea, but would like to see this landed and the submodule introduced in a different PR. |
Brend-Smits
left a comment
Brend-Smits
left a comment
There was a problem hiding this comment.
Hey!
Apologies for the long delay on this one.
We're trying to go through the massive backlog of PR's. But this one is now ready to get merged.
I will need to squash to get all commits signed, sorry about that.
Again, apologies for the delay but thanks a lot for the contribution. Future pull requests will be faster!
You're awesome! 🚀
Allow users to provide an external IAM role for runners via iam_overrides variable, instead of always using the module-managed role. This enables scenarios where runner IAM permissions need to be managed separately. Co-authored-by: Marat Soltobaev <marat.soltobaev@invitae.com>
Brend-Smits
force-pushed
the
feat-customize-runner-role
branch
from
1a61c98 to
e63e5e6
Compare
What
Allow customization of runner IAM role
Description
This PR introduces the ability to explicitly specify an IAM role and instance profile for the runner instances. This is motivated by a need to accommodate legacy IAM roles that remain from previous infrastructure migrations.
Proposed change is backward-compatible.