
cdk-gitlab-runner's Issues

a .gitlab-ci.yaml for runner setup

Imagine you already have a (shared) runner and would therefore be able to install this project's runner by executing a pipeline based on a .gitlab-ci.yaml that includes all the commands, running on public docker images, needed to install everything required and execute the cdk-gitlab-runner setup.

Is it possible to allow access to RDS via existing security group

First off thanks for creating this package. It has served me well but I have hit a bit of a wall when it comes to my CI jobs and access an RDS instance that is only available on the VPC from the Gitlab runner.

I am trying to find a way to grant the Gitlab runner access to my RDS database but have not managed to do so, and I am wondering if that is a limitation of this package or an error in my code. I granted access to the database from lambda by simply passing a security group I created from the VPC into the lambda props. It appears this can also be done with EC2 in a similar fashion, but the Gitlab runner creates its own security group rather than taking one through props.

Is there a workaround to allow the Gitlab runner to access RDS? I have posted my code below to hopefully make clear what I'm trying to achieve. Apologies if anything is unclear, I am fairly new to this.


import { Construct } from 'constructs';
import * as ec2 from 'aws-cdk-lib/aws-ec2';
import * as rds from 'aws-cdk-lib/aws-rds';
import * as secretsmanager from 'aws-cdk-lib/aws-secretsmanager';
import * as cognito from 'aws-cdk-lib/aws-cognito';
import { CognitoIdentityProvider } from '@aws-sdk/client-cognito-identity-provider';
import { NodejsFunction } from 'aws-cdk-lib/aws-lambda-nodejs';
import { Runtime } from 'aws-cdk-lib/aws-lambda';
import { LambdaIntegration } from 'aws-cdk-lib/aws-apigateway';

export default class MyStack extends Construct {
  constructor(scope: Construct, id: string) {
    super(scope, id);

    // my vpc
    const vpc = new ec2.Vpc(this, `VPC`, {
      cidr: '10.0.0.0/20',
      natGateways: 1,
      maxAzs: 2,
      enableDnsHostnames: true,
      enableDnsSupport: true,
      subnetConfiguration: [
        {
          cidrMask: 22,
          name: 'public',
          subnetType: ec2.SubnetType.PUBLIC
        },
        {
          cidrMask: 22,
          name: 'private',
          subnetType: ec2.SubnetType.PRIVATE_ISOLATED
        }
      ]
    });

    // my sg: the VPC default security group, allowing 5432 from members of the same group
    const defaultSecurityGroup = ec2.SecurityGroup.fromSecurityGroupId(
      this,
      'SG',
      vpc.vpcDefaultSecurityGroup
    );
    defaultSecurityGroup.addIngressRule(
      ec2.Peer.securityGroupId(defaultSecurityGroup.securityGroupId),
      ec2.Port.tcp(5432),
      'Opening RDS to Lambda'
    );

    // database credentials: the original snippet used databaseCredentialsSecret without
    // declaring it; the secret name below is a placeholder for an existing secret
    const databaseCredentialsSecret = secretsmanager.Secret.fromSecretNameV2(
      this,
      'DbCredentialsSecret',
      'db-credentials-secret-name'
    );

    // my rds cluster (placed in the public subnets of the vpc declared above)
    const rdsCluster = new rds.DatabaseCluster(
      this,
      `Cluster`,
      {
        engine: rds.DatabaseClusterEngine.AURORA_POSTGRESQL,
        parameterGroup: rds.ParameterGroup.fromParameterGroupName(
          this,
          'ParameterGroup',
          'default.aurora-postgresql13'
        ),
        instanceProps: {
          vpc,
          // there is no `props` in this constructor; select subnets from `vpc` directly
          vpcSubnets: vpc.selectSubnets({
            subnetType: ec2.SubnetType.PUBLIC
          }),
          instanceType: ec2.InstanceType.of(
            ec2.InstanceClass.T3,
            ec2.InstanceSize.MEDIUM
          ),
          securityGroups: [defaultSecurityGroup]
        },
        instances: 1,
        storageEncrypted: true,
        credentials: rds.Credentials.fromSecret(databaseCredentialsSecret)
      }
    );
  }
}

cloud-init failed on usermod to ssm-user

Describe the bug
As the system log below shows, a command on userData, 'usermod -aG docker ssm-user' does not work.

[   93.182052] cloud-init[2486]: usermod: user 'ssm-user' does not exist

Expected behavior
ssm-user should have existed before usermod runs.


Additional context

The usermod command can be deleted if it is only there to run docker commands without sudo.

(feat): Multiple GitLab CI tokens

I would love to see this construct library being able to handle multiple GitLab CI tokens for one runner.

Use Case

Creating a runner that is supposed to cover multiple projects but not a whole group.

Proposed Solution

This...

new GitlabRunnerAutoscaling(stack, 'foo', {
  gitlabToken: 'bar'
});

...becomes this:

new GitlabRunnerAutoscaling(stack, 'foo', {
  gitlabTokens: ['bar', 'baz']
});
  • 👋 I may be able to implement this feature request
  • ⚠️ This feature might incur a breaking change

This is a 🚀 Feature Request

Feature: Gitlab Token from Secrets Manager

The GitLab Runner should be able to dynamically resolve the GitLab token from AWS Secrets Manager.

Use Case

Get rid of the need to pass a token and write it into the resulting CloudFormation template in clear text.

Proposed Solution

  • Introduce an additional field gitlabTokenSecretName into the props.
  • If gitlabToken is not specified and gitlabTokenSecretName is, the construct adds the command $(aws secretsmanager get-secret-value --region ${Aws.REGION} --secret-id gitlab-runner --query SecretString --output text | grep -o '"registration-token":"[^"]*' | grep -o '[^"]*$') instead of the clear text token into the user data.
  • If gitlabTokenSecretName is specified, the construct adds read permissions for the secret to the instance role:

    instanceRole.addToPrincipalPolicy(new PolicyStatement({
      actions: [
        "secretsmanager:GetSecretValue"
      ],
      effect: Effect.ALLOW,
      resources: [
        `arn:aws:secretsmanager:${Aws.REGION}:${Aws.ACCOUNT_ID}:secret:gitlab-runner*`
      ]
    }));
    

Other

Successfully tested the proposed solution with the existing construct.

  • 👋 I may be able to implement this feature request
  • ⚠️ This feature might incur a breaking change

This is a 🚀 Feature Request
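The token-from-Secrets-Manager step proposed above, as an added example that is not part of this issue or of the cdk-gitlab-runner project: a POSIX sh fragment for user data that fetches the SecretString, extracts the key, and fails closed before anything is registered. The secret name gitlab-runner and the key registration-token follow the issue; the environment variable names and the validation rules are assumptions, and the extraction tolerates whitespace and line breaks that the issue's grep pipeline does not.

```shell
#!/bin/sh
# Added example, not code from the cdk-gitlab-runner project: resolve the
# GitLab token from Secrets Manager in user data instead of embedding it in
# the CloudFormation template. Secret name and JSON key are assumptions.
SECRET_ID="${GITLAB_SECRET_ID:-gitlab-runner}"          # assumed secret name
TOKEN_KEY="${GITLAB_TOKEN_KEY:-registration-token}"     # assumed key in SecretString

# extract_token KEY JSON
# Prints the string value of KEY from a flat JSON SecretString. Unlike a bare
# grep for '"key":"', it tolerates whitespace around the colon and a secret
# stored on several lines; it prints nothing when the key is absent.
extract_token() {
  printf '%s' "$2" | tr -d '\n' \
    | sed -n "s/.*\"$1\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p"
}

# validate_token TOKEN
# Fails closed: an empty value (missing key, wrong secret, CLI error text) or
# a value containing quotes or whitespace must never reach runner registration.
validate_token() {
  case "$1" in
    '' | *[[:space:]]* | *\"* | *\'* ) return 1 ;;
  esac
  return 0
}

# fetch_secret_string: the aws CLI call from the proposed solution. AWS_REGION
# stands in for the ${Aws.REGION} that CDK substitutes into user data; the
# instance role needs secretsmanager:GetSecretValue on this secret.
fetch_secret_string() {
  aws secretsmanager get-secret-value --region "${AWS_REGION:?region not set}" \
    --secret-id "$SECRET_ID" --query SecretString --output text
}

# resolve_token: prints the token, or returns non-zero so the rest of the
# user-data script stops instead of registering a runner with a bad token.
resolve_token() {
  secret="$(fetch_secret_string)" || { echo "secret fetch failed" >&2; return 1; }
  token="$(extract_token "$TOKEN_KEY" "$secret")"
  validate_token "$token" || { echo "no usable $TOKEN_KEY in $SECRET_ID" >&2; return 1; }
  printf '%s\n' "$token"
}

# In user data the construct would then use: TOKEN="$(resolve_token)" || exit 1
```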

Security Improvements

I have been using the GitlabContainerRunner construct for a while, and it has been working great. A while ago, we enabled AWS Security Hub and have been working through its findings.

Here are some of the findings:

  1. Instance should require IMDSv2
  2. Instance should not allow access to port 22

I have been able to add fixes afterwards, but the solution is not nice. Especially finding 2 is difficult to address, as it is easy to add new rules to a security group, but removing rules is very difficult.

Fixing finding 1 shouldn't incur any breaking changes for anyone, so this could be enabled with a simple option on the construct. Finding 2 might be a bit more complicated; maybe this could be an option along the lines of disable_ssh_access that would be False by default.

Multiple deprecation warnings

There are 2 deprecation warnings when using constructs provided by this repository.

CDK OUTPUT

[WARNING] aws-cdk-lib.aws_ec2.VpcProps#cidr is deprecated.
  Use ipAddresses instead
  This API will be removed in the next major release.
[WARNING] aws-cdk-lib.aws_ec2.MachineImage#latestAmazonLinux is deprecated.
  use MachineImage.latestAmazonLinux2 instead
  This API will be removed in the next major release.

Links:
cidr deprecation
latestAmazonLinux deprecation

Both of these are fairly easy to fix, as they are mostly a change in syntax. If you like, I could make these changes and submit a pull request. However, given how simple these changes are, it could be faster if you made these changes yourself.

Reporting a vulnerability

Hello!

I hope you are doing well!

We are a security research team. Our tool automatically detected a vulnerability in this repository. We want to disclose it responsibly. GitHub has a feature called Private vulnerability reporting, which enables security researchers to privately disclose a vulnerability. Unfortunately, it is not enabled for this repository.

Can you enable it, so that we can report it?

Thanks in advance!

PS: you can read about how to enable private vulnerability reporting here: https://docs.github.com/en/code-security/security-advisories/repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository

Add amazon-cloudwatch-agent on autoscaling runner

Install amazon-cloudwatch-agent.

Use Case

If amazon-cloudwatch-agent sends metrics to cloudwatch, it enables further improvements below:

  • Automated instance termination on out of disk space in EBS
  • Alerting on too much memory/cpu consumption on runners, etc...

Proposed Solution

Use userData to Install amazon-cloudwatch-agent to instances.

Other

  • 👋 I may be able to implement this feature request
  • ⚠️ This feature might incur a breaking change

This is a 🚀 Feature Request

feat: Terminate runner instance when disk usage is high

Terminate runner instances with low disk space in order to avoid run-time errors.

Use Case

As time goes by, the free space of the EBS volume gets smaller. It causes "no space left on device" errors at run-time. Gitlab runners that have low free EBS space should be terminated before that happens.

Proposed Solution

Use an SNS topic and a CloudWatch alarm to call a Lambda function that terminates the runner instance on low disk space using boto3.

Other

  • 👋 I may be able to implement this feature request
  • ⚠️ This feature might incur a breaking change

This is a 🚀 Feature Request

feat(runner-configuration): Allow GitLab runner concurrent job configuration

It would be useful to configure the number of concurrent jobs a runner can handle. This means that it is not needed to create multiple runners if you are running many simple tasks (such as linting and waiting for servers to come online).

Proposed Solution

Either a new configuration field is added to the GitlabContainerRunner construct like this

const runner = new GitlabContainerRunner(this, 'testing', {
  gitlabtoken: '$GITLABTOKEN',
  ec2type: 't3.large',
  configuration: {
    concurrent_jobs: 4,
  }
});

or it is added as a new field

const runner = new GitlabContainerRunner(this, 'testing', {
  gitlabtoken: '$GITLABTOKEN',
  ec2type: 't3.large',
  concurrent_jobs: 4,
});

Links

It has been a while since I wrote JavaScript code, but I could try to implement this.


This is a 🚀 Feature Request

link this issue at gitlab

Deployment does not create runner

Describe the bug
I had an EC2 instance with a GitLab runner which stopped working. So, I attempted to simply redeploy the stack that contained the runner; however, no runner is created after the stack has been redeployed.

When logging into the instance using ec2 connect, there are no docker containers running.

To Reproduce

  1. Deploy construct
  2. Deployment succeeds
  3. No GitLab runner is created

Expected behavior
Runner is created

Additional context
Created using Python CDK using the following arguments:

from cdk_gitlab_runner import GitlabContainerRunner

...
        runner = GitlabContainerRunner(
            self, 'gitlabRunner',
            gitlabtoken=gitlab_token.string_value,
            ec2type='t3.small',
            concurrent_jobs=3,
            tags=[],
            runner_description='Group Runner',
        )

No longer possible to use SSM to store gitlab token

Describe the bug
When using runner versions after 15.10, there is a check here which checks if the token contains the substring 'glrt'. When fetching the token from SSM, you are given a token which is resolved at deployment time. This token does not contain glrt, which stops the execution.

To Reproduce
Steps to reproduce the behavior:

from aws_cdk import aws_ssm as ssm
from cdk_gitlab_runner import GitlabContainerRunner

# inside a Stack: the parameter value is a deploy-time CDK token, not a literal string
gitlab_token = ssm.StringParameter.from_string_parameter_name(
    self, 'gitlabRunnerRegisterToken',
    string_parameter_name='/gitlab/groupToken',
)

runner = GitlabContainerRunner(
    self, 'gitlabRunner',
    gitlabtoken=gitlab_token.string_value,
    gitlab_runner_version='16.8',
    ec2type='t3.small',
    concurrent_jobs=3,
    tags=[],
    runner_description='Group Runner',
)

Additional context
I am using python.

GitlabRunnerAutoscaling support dockerVolumesList feature

GitlabRunnerAutoscaling support dockerVolumesList feature

Use Case

add dockerVolumesList() in GitlabRunnerAutoscaling()

Proposed Solution

Other

  • 👋 I may be able to implement this feature request
  • ⚠️ This feature might incur a breaking change

This is a 🚀 Feature Request

feat: Launch Template support

feat: Launch Template support

Use Case

The initial design is to provision the ASG with a launch configuration for spot instances, which requires specifying the spotPrice:

https://github.com/guan840912/cdk-gitlab-runner/blob/c4020b5c8385f90a9cf788b4c72c0927f64da44c/src/gitlab-runner-autoscaling.ts#L251-L272

Proposed Solution

I believe we can replace it with ASG+LaunchTemplate, in which we don't have to specify maxPrice, and eventually we can remove the spotPrice.

Other

  • 👋 I may be able to implement this feature request
  • ⚠️ This feature might incur a breaking change

This is a 🚀 Feature Request

Unable to unregister ASG runners when cloudformation stack is destroyed

Describe the bug
The lifecycle policy for the auto scaling group is deleted before it runs when the CloudFormation stack is destroyed.

To Reproduce
Steps to reproduce the behavior:

  1. Deploy GitlabRunnerAutoscaling
  2. Destroy GitlabRunnerAutoscaling
  3. Gitlab runner is still registered

Expected behavior
The registered Gitlab runner has to be deleted on stack destroy.


Unable to deploy construct with spot fleet enabled

Describe the bug

Unable to deploy construct configured to use spot instances.

To Reproduce
Steps to reproduce the behavior:

  1. Configure the construct in Python:

from aws_cdk import Duration, Stack
from constructs import Construct
from cdk_gitlab_runner import BlockDuration, GitlabContainerRunner

class DevelopmentResourcesStack(Stack):
    def __init__(self, scope: Construct, construct_id: str, **kwargs):
        super().__init__(scope, construct_id, **kwargs)

        # spot fleet runner with a one-hour block duration; the token is redacted
        runner = GitlabContainerRunner(
            self, 'gitlabRunner',
            gitlabtoken='[REDACTED]',
            ec2type='t3.large',
            block_duration=BlockDuration.ONE_HOUR,
            spot_fleet=True,
            tags=['spot']
        )

        runner.expire_after(Duration.hours(1))

  2. Deploy
  3. The crash is either a timeout or a 404 on a resource named unregisterRunnerCR

Task timed out after 60.00 seconds (404 follows soon after this message)

OR

[ERROR] ClientError: An error occurred (404) when calling the HeadObject operation: Not Found
Traceback (most recent call last):
  File "/var/task/unregister_runner.py", line 37, in on_event
    return on_delete(event)
  File "/var/task/unregister_runner.py", line 62, in on_delete
    s3.download_file(props['BucketName'], 'runnertoken.txt', '/tmp/runnertoken.txt')
  File "/var/runtime/boto3/s3/inject.py", line 171, in download_file
    return transfer.download_file(
  File "/var/runtime/boto3/s3/transfer.py", line 315, in download_file
    future.result()
  File "/var/runtime/s3transfer/futures.py", line 103, in result
    return self._coordinator.result()
  File "/var/runtime/s3transfer/futures.py", line 266, in result
    raise self._exception
  File "/var/runtime/s3transfer/tasks.py", line 269, in _main
    self._submit(transfer_future=transfer_future, **kwargs)
  File "/var/runtime/s3transfer/download.py", line 354, in _submit
    response = client.head_object(
  File "/var/runtime/botocore/client.py", line 391, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/var/runtime/botocore/client.py", line 719, in _make_api_call
    raise error_class(parsed_response, operation_name)

Expected behavior

Resource deploy normally.

Additional info
The bucket created by the construct appears to be empty for its entire lifetime. The region is eu-central-1.
