Initial V2 Release Candidate (#30)

Benbentwo · web-flow · commit c3bca7cdc5c3 · 2025-06-09T18:04:27.000Z
* bugfix the V2 release with update to variables and main.tf logic.
Updated readme to better explain the getting started process.

* remove .atmos
diff --git a/.gitignore b/.gitignore
@@ -7,7 +7,7 @@ aws-assumed-role/
 *.iml
 .direnv
 .envrc
-
+.atmos/
 # Compiled and auto-generated files
 # Note that the leading "**/" appears necessary for Docker even if not for Git
 
diff --git a/README.md b/README.md
diff --git a/README.yaml b/README.yaml
@@ -49,7 +49,7 @@ description: |-
 
   Regardless of the networking style, you should have these defaults in common:
 
-  (`defaults.yaml`)
+  (`runs-on/defaults.yaml`)
 
   ```yaml
   components:
@@ -64,19 +64,30 @@ description: |-
           capabilities: ["CAPABILITY_IAM"]
           on_failure: "ROLLBACK"
           timeout_in_minutes: 30
-          template_url: https://runs-on.s3.eu-west-1.amazonaws.com/cloudformation/template.yaml
+          # template_url: https://runs-on.s3.eu-west-1.amazonaws.com/cloudformation/template.yaml
+          # See latest version and changelog at https://runs-on.com/changelog/
+          template_url: https://runs-on.s3.eu-west-1.amazonaws.com/cloudformation/template-v2.8.3.yaml   
           parameters:
-            AppCPU: 512
-            AppMemory: 1024
-            EmailAddress: devops@acme.com
-            Environment: core-auto
-            GithubOrganization: ACME
-            LicenseKey: <LICENSE>
-            Private: always # always | true | false - Always will default place in private subnet, true will place in private subnet if tag `private=true` present on workflow, false will place in public subnet
+            AppCPU: 256
+            AppMemory: 512
+            EmailAddress: developer@cloudposse.com
+            # Environments let you run multiple Stacks in one organization and segregate resources.
+            # If you specify an environment, then all the jobs must also specify the which environment they are running in.
+            # To keep things simple, we use the default environment ("production") and leave the `env` label unset in the workflow.
+            EncryptEbs: true
+            # With the default value of SSHAllowed: true, the runners that are placed in a public subnet
+            # will allow ingress on port 22. This is highly abused (scanners running constantly looking for vulernable SSH servers)
+            # and should not be allowed. If you need access to the runners, use Session Manager (SSM).
+            SSHAllowed: false
+            LicenseKey: <LICENSE_KEY>
+            Private: false # always | true | false - Always will default place in private subnet, true will place in private subnet if tag `private=true` present on workflow, false will place in public subnet
+            RunnerLargeDiskSize: 120 # Disk size in GB for disk=large runners
+            Ec2LogRetentionInDays: 30
+            VpcFlowLogRetentionInDays: 14
   ```
 
 
-  ### Embedded networking
+  ### Embedded networking (Runs On managed VPC)
 
   When no VPC details are set, the component will create a new VPC and subnets for you. This is done via the CloudFormation template.
 
@@ -102,7 +113,49 @@ description: |-
           parameters:
             VpcCidrBlock: 10.100.0.0/16
   ```
-  ### (DEPRECATED) Configuring with Transit Gateway
+
+  ### External networking (Use existing VPC)
+
+  When you want to use an existing VPC, you can set the `vpc_id`, `subnet_ids`, and `security_group_id` variables.
+
+  (`_defaults.yaml`)
+
+  ```yaml
+  terraform:
+    hooks:
+      store-outputs:
+        name: auto/ssm
+  ```
+
+  (`runs-on.yaml`)
+
+  ```yaml
+  import:
+    - orgs/acme/core/auto/_defaults
+    - mixins/region/us-east-1
+    - catalog/vpc/defaults
+    - catalog/runs-on/defaults
+
+  components:
+    terraform:
+      runs-on:
+        metadata:
+          inherits:
+            - runs-on/defaults
+          component: runs-on
+        vars:
+          networking_stack: external
+          # There are other ways to get the vpc_id, subnet_ids, and security_group_id. You can 
+          # Harcode
+          # Use Atmos KV Store
+          # Use atmos !terraform.output yaml function
+          vpc_id: !store auto/ssm vpc vpc_id
+          subnet_ids: !store auto/ssm vpc private_subnet_ids
+          security_group_id: !store auto/ssm vpc default_security_group_id
+  ```
+
+  <details>
+  <summary>(DEPRECATED) Configuring with Transit Gateway</summary>
 
   It's important to note that the embedded networking will require some customization to work with Transit Gateway.
 
@@ -229,48 +282,7 @@ description: |-
                 - runs-on
           ...
   ```
-
-  ### External networking
-
-  When you want to use an existing VPC, you can set the `vpc_id`, `subnet_ids`, and `security_group_id` variables.
-
-  (`_defaults.yaml`)
-
-  ```yaml
-  terraform:
-    hooks:
-      store-outputs:
-        name: auto/ssm
-  ```
-
-  (`runs-on.yaml`)
-
-  ```yaml
-  import:
-    - orgs/acme/core/auto/_defaults
-    - mixins/region/us-east-1
-    - catalog/vpc/defaults
-    - catalog/runs-on/defaults
-
-  components:
-    terraform:
-      vpc:
-        vars:
-          name: vpc
-          enabled: true
-          cidr_block: 10.100.0.0/16
-
-      runs-on:
-        metadata:
-          inherits:
-            - runs-on/defaults
-          component: runs-on
-        vars:
-          networking_stack: external
-          vpc_id: !store auto/ssm vpc vpc_id
-          subnet_ids: !store auto/ssm vpc private_subnet_ids
-          security_group_id: !store auto/ssm vpc default_security_group_id
-  ```
+  </details>
 
   # Terraform Docs
 
diff --git a/src/README.md b/src/README.md
diff --git a/src/main.tf b/src/main.tf
@@ -1,11 +1,13 @@
 locals {
   enabled = module.this.enabled
 
-  external_vpc_id            = var.vpc_id != null ? { "ExternalVpcId" = var.vpc_id } : {}
-  networking_stack           = var.networking_stack != null ? { "NetworkingStack" = var.networking_stack } : {}
-  subnet_ids                 = var.subnet_ids != null ? { "ExternalVpcSubnetIds" = var.subnet_ids } : {}
+  external_vpc_id  = var.vpc_id != null ? { "ExternalVpcId" = var.vpc_id } : {}
+  networking_stack = var.networking_stack != null ? { "NetworkingStack" = var.networking_stack } : {}
+  subnet_ids       = var.subnet_ids != null ? { "ExternalVpcSubnetIds" = join(",", var.subnet_ids) } : {}
+  // If var.security_group_id is provided, we use it. Otherwise, if we are using the external networking stack, we create one.
   external_security_group_id = var.security_group_id != null ? { "ExternalVpcSecurityGroupId" = var.security_group_id } : {}
-  created_security_group_id  = var.security_group_id == null && var.networking_stack == "external" ? { "ExternalVpcSecurityGroupId" = module.security_group.id } : {}
+  // If var.security_group_id is not provided and we are using the external networking stack, we create one.
+  created_security_group_id = var.security_group_id == null && var.networking_stack == "external" ? { "ExternalVpcSecurityGroupId" = module.security_group.id } : {}
 
   parameters = merge({
     "EC2InstanceCustomPolicy" = module.iam_policy.policy_arn
@@ -68,13 +70,20 @@ module "iam_policy" {
   ]
 }
 
+// Typically when runs-on is installed, and we're using the embedded networking stack, we need a security group. 
+// This is a batties included optional feature.
 module "security_group" {
   source  = "cloudposse/security-group/aws"
   version = "2.2.0"
 
-  enabled = local.enabled && var.security_group_id == null && var.networking_stack == "external"
+  // Enabled if we are using the external networking stack and no security group ID is provided
+  enabled = local.enabled && var.networking_stack == "external" && var.security_group_id == null
 
-  vpc_id = local.vpc_id
+  // This cannot be local.vpc_id because that would create a dependency cycle - as the local.vpc_id is determined as the resulting VPC id.
+  // The vpc_id is the created vpc by runs-on, or the one provided by the user if using the external networking stack.
+  // Thus the security group ID (which is passed in as `ExternalVpcSecurityGroupId` as a parameter to the stack) cannot depend on the stacks' vpc_id.
+  // `var.vpc_id` is safe to use here, because the networking_stack is required to be external for this.
+  vpc_id = var.vpc_id
 
   context = module.this.context
 }
diff --git a/src/variables.tf b/src/variables.tf
@@ -54,21 +54,13 @@ variable "vpc_id" {
   description = "VPC ID"
   nullable    = true
   default     = null
-  validation {
-    condition     = var.networking_stack != "external" || var.vpc_id != null
-    error_message = "VPC ID is required when networking stack is `external`."
-  }
 }
 
 variable "subnet_ids" {
   type        = list(string)
   description = "Subnet IDs"
   nullable    = true
   default     = null
-  validation {
-    condition     = var.networking_stack != "external" || var.subnet_ids != null && length(var.subnet_ids) > 0
-    error_message = "Subnet IDs are required when networking stack is `external`."
-  }
 }
 
 variable "security_group_id" {
