CMSgov · gfreeman-navapbc · Dec 8, 2023 · Nov 2, 2023 · Nov 2, 2023 · Nov 2, 2023
@@ -1,6 +1,9 @@
 name: Build Runner EC2 Images
 
 on:
+  pull_request:
+    paths:
+      - .github/workflows/build-runner-images.yml
   schedule:
     # 00:00 on Monday each week
     - cron: "0 0 * * 1"
@@ -9,20 +12,40 @@ on:
 jobs:
   build-image:
     name: Build
-    runs-on: ubuntu-latest
+    runs-on: self-hosted
     defaults:
       run:
         working-directory: packer/github-actions-runner
+    permissions:
+      id-token: write
+      contents: read
+    env:
+      AMI_ACCOUNT: ${{ vars.RUNNER_AMI_ACCOUNT }}
+      AMI_FILTER: ${{ vars.RUNNER_AMI_FILTER }}
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v3
 
       - name: Configure AWS Credentials
         uses: aws-actions/configure-aws-credentials@v3
         with:
-          role-to-assume: arn:aws:iam::${{ vars.RUNNER_ACCOUNT }}:role/github-to-aws-oidc
+          role-to-assume: ${{ vars.RUNNER_ACCOUNT_ROLE }}
           aws-region: us-east-1
 
+      - name: Retrieve default VPC ID and subnet
+        id: vpc
+        run: |
+          VPC_ID=$(aws ec2 describe-vpcs --filters "Name=tag:Name, Values=bcda-managed-vpc" --query 'Vpcs[].VpcId' --output text)
+          echo "VPC_ID=$VPC_ID" >> "$GITHUB_ENV"
+
+          SUBNET_ID=$(aws ec2 describe-subnets \
+            --filters \
+              "Name=vpc-id,Values=$VPC_ID" \
+              "Name=tag:Layer,Values=app" \
+            --query 'Subnets[0].SubnetId' \
+            --output text)
+          echo "SUBNET_ID=$SUBNET_ID" >> "$GITHUB_ENV"
+
       - name: Setup `packer`
         uses: hashicorp/setup-packer@main
         id: setup
@@ -35,8 +58,20 @@ jobs:
 
       - name: Run `packer validate`
         id: validate
-        run: packer validate .
+        run: |
+          packer validate \
+            -var ami_account="$AMI_ACCOUNT" \
+            -var ami_filter="$AMI_FILTER" \
+            -var vpc_id="$VPC_ID" \
+            -var subnet_id="$SUBNET_ID" \
+            -evaluate-datasources .
 
       - name: Packer Build
         id: build
-        run: packer build -color=false -on-error=cleanup build.pkr.hcl
+        run: |
+          PACKER_LOG=1 packer build \
+            -var ami_account="$AMI_ACCOUNT" \
+            -var ami_filter="$AMI_FILTER" \
+            -var vpc_id="$VPC_ID" \
+            -var subnet_id="$SUBNET_ID" \
+            -color=false -on-error=cleanup .
@@ -16,9 +16,9 @@ build {
   provisioner "shell" {
     environment_vars = []
     inline = concat([
-      "sudo yum update -y",
-      "sudo yum install -y amazon-cloudwatch-agent curl jq git",
-      "sudo amazon-linux-extras install docker",
+      "sudo yum -y upgrade-minimal",
+      "sudo yum -y install amazon-cloudwatch-agent jq git docker",
+      "sudo yum -y install curl",
       "sudo systemctl enable docker.service",
       "sudo systemctl enable containerd.service",
       "sudo service docker start",

@@ -3,15 +3,31 @@ source "amazon-ebs" "github-actions-runner" {
   instance_type                             = var.instance_type
   region                                    = var.region
   security_group_id                         = var.security_group_id
+  vpc_id                                    = var.vpc_id
   subnet_id                                 = var.subnet_id
   associate_public_ip_address               = var.associate_public_ip_address
   temporary_security_group_source_public_ip = var.temporary_security_group_source_public_ip
 
   source_ami_filter {
-    ami_filter = { name = ["${ vars.AMI_FILTER }"] }
-    ami_owners = ["${ vars.AMI_ACCOUNT }"]
-    enable_userdata = false
+    filters = { name = "${var.ami_filter}" }
+    owners = ["${var.ami_account}"]
+    most_recent = true
   }
 
+  security_group_filter {
+    filters = {
+      "tag:Name": "packer_sg"
+    }
+  }
+
+  communicator = "ssh"
   ssh_username = "ec2-user"
+  ssh_timeout = "1h"
+  ssh_pty = true
+  iam_instance_profile = "bcda-packer"
+
+  tags = {
+    Name = "github-actions-runner-ami",
+    Base_AMI_Name = "{{ .SourceAMIName }}"
+  }
 }
@@ -4,6 +4,18 @@ variable "region" {
   default     = "us-east-1"
 }
 
+variable "ami_filter" {
+  description = "The filter for searching the AMI"
+  type        = string
+  default     = null
+}
+
+variable "ami_account" {
+  description = "The target AMI account"
+  type        = string
+  default     = null
+}
+
 variable "instance_type" {
   description = "The instance type Packer will use for the builder"
   type        = string
@@ -16,6 +28,12 @@ variable "security_group_id" {
   default     = null
 }
 
+variable "vpc_id" {
+  description = "The name of the VPC where the instance will be launched"
+  type        = string
+  default     = null
+}
+
 variable "subnet_id" {
   description = "If using VPC, the ID of the subnet, such as subnet-12345def, where Packer will launch the EC2 instance. This field is required if you are using an non-default VPC"
   type        = string
@@ -58,6 +76,11 @@ variable "custom_shell_commands" {
   default     = []
 }
 
+variable "runner_version" {
+  description = "The version (no v prefix) of the runner software to install https://github.com/actions/runner/releases. The latest release will be fetched from GitHub if not provided."
+  default     = null
+}
+
 data "http" github_runner_release_json {
   url = "https://github.com/repos/actions/runner/releases/latest"
   request_headers = {