feat(runner-role): Enable using separate IAM role for runners #4875
Conversation
…terraform-aws-github-runner into feat-customize-runner-role
Sorry for keeping you waiting, PR is still on the radar.
Pull request overview
This PR introduces the ability to customize IAM roles and instance profiles for GitHub Actions runner instances, allowing users to specify their own existing IAM resources instead of relying on the module to create them. This is designed to support legacy IAM roles from previous infrastructure migrations while maintaining backward compatibility.
- Adds iam_overrides variable to control whether to use existing IAM roles/profiles or create new ones
- Converts IAM role and instance profile resources to conditional creation using count
- Updates all IAM policy attachments and references to handle both scenarios
Reviewed changes
Copilot reviewed 10 out of 10 changed files in this pull request and generated 6 comments.
Show a summary per file
| File | Description |
|---|---|
| variables.tf | Adds root-level iam_overrides variable with override flags and resource identifiers |
| modules/runners/variables.tf | Adds module-level iam_overrides variable matching the root module structure |
| modules/runners/policies-runner.tf | Converts IAM resources to conditional creation and updates references to use array indexing |
| modules/runners/scale-up.tf | Updates scale-up Lambda policy to reference either custom or module-created runner role ARN |
| modules/runners/pool.tf | Updates pool configuration to pass either custom or module-created runner role |
| modules/runners/main.tf | Updates launch template to reference either custom or module-created instance profile |
| modules/runners/logging.tf | Updates CloudWatch policy attachment to handle conditional role creation |
| modules/multi-runner/variables.tf | Adds iam_overrides to multi-runner configuration and module-level variable |
| modules/multi-runner/runners.tf | Passes iam_overrides to runners module |
| main.tf | Passes iam_overrides from root to runners module |
@maratinvitae sorry for the long wait, but we are working hard to get through the backlog. Please can you rebase the PR?
npalm
left a comment
PR looks fine, but want to run a quick test.
What
Allow customization of runner IAM role
Description
This PR introduces the ability to explicitly specify an IAM role and instance profile for the runner instances. This is motivated by a need to accommodate legacy IAM roles that remain from previous infrastructure migrations.
Proposed change is backward-compatible.
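The conditional-creation pattern summarised in the review above (count-gated IAM resources, and references that resolve to either the caller's role or the module's own) looks roughly like this. This is an added illustration, not the module's code; the field names inside iam_overrides (use_existing, role_arn, instance_profile_name), the resource names and Terraform >= 1.3 for optional() are assumptions.

```hcl
# Added illustration of the conditional-creation pattern the PR describes; not the
# module's own code. Field names inside iam_overrides are assumed (Terraform >= 1.3).
variable "iam_overrides" {
  type = object({
    use_existing          = bool
    role_arn              = optional(string)
    instance_profile_name = optional(string)
  })
  default = { use_existing = false }
  validation {
    # Both identifiers must be supplied when overriding; otherwise the launch
    # template and scale-up policy would reference a null ARN/name.
    condition = !var.iam_overrides.use_existing || (
      var.iam_overrides.role_arn != null && var.iam_overrides.instance_profile_name != null
    )
    error_message = "role_arn and instance_profile_name are required when use_existing = true."
  }
}

# Created only when no override is given (count = 0 otherwise).
resource "aws_iam_role" "runner" {
  count = var.iam_overrides.use_existing ? 0 : 1
  name  = "github-runner"
  assume_role_policy = jsonencode({
    Version   = "2012-10-17"
    Statement = [{ Effect = "Allow", Action = "sts:AssumeRole",
                   Principal = { Service = "ec2.amazonaws.com" } }]
  })
}

resource "aws_iam_instance_profile" "runner" {
  count = var.iam_overrides.use_existing ? 0 : 1
  name  = "github-runner"
  role  = aws_iam_role.runner[0].name
}

# One resolved value per resource, so the launch template, scale-up Lambda policy,
# pool and CloudWatch attachment all use the same expression instead of repeating it.
locals {
  runner_role_arn         = var.iam_overrides.use_existing ? var.iam_overrides.role_arn : aws_iam_role.runner[0].arn
  runner_instance_profile = var.iam_overrides.use_existing ? var.iam_overrides.instance_profile_name : aws_iam_instance_profile.runner[0].name
}

# Attachments follow the same count: the module must not change the policy set of a
# role it does not own, so a caller-supplied role keeps exactly its existing permissions.
resource "aws_iam_role_policy_attachment" "runner_cloudwatch" {
  count      = var.iam_overrides.use_existing ? 0 : 1
  role       = aws_iam_role.runner[0].name
  policy_arn = "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy"
}
```

With use_existing = false the plan is unchanged from before the PR, which is the backward-compatibility property the description claims; with it set to true, no IAM resources are created and the supplied role's permissions are left entirely to its owner.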