From 3508b09b554f92e008fd9dfa97f8e04b0cb3586e Mon Sep 17 00:00:00 2001
From: "cattle-ops-releaser-2[bot]" <134548870+cattle-ops-releaser-2[bot]@users.noreply.github.com>
Date: Mon, 20 Oct 2025 20:15:15 +0000
Subject: [PATCH 1/2] chore(main): release 9.4.0

---
 .github/.release-please-manifest.json | 2 +-
 CHANGELOG.md | 14 ++++++++++++++
 2 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/.github/.release-please-manifest.json b/.github/.release-please-manifest.json
index 430e28e5..b7ef03eb 100644
--- a/.github/.release-please-manifest.json
+++ b/.github/.release-please-manifest.json
@@ -1,3 +1,3 @@
 {
- ".": "9.3.0"
+ ".": "9.4.0"
 }
diff --git a/CHANGELOG.md b/CHANGELOG.md
index b63e8be9..11860555 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,19 @@
 # Changelog
+## [9.4.0](https://github.com/cattle-ops/terraform-aws-gitlab-runner/compare/9.3.0...9.4.0) (2025-10-20)
+
+
+### Features
+
+* add `preemptive_mode` option passthrough on docker_autoscaler ([#1344](https://github.com/cattle-ops/terraform-aws-gitlab-runner/issues/1344)) ([91a86e1](https://github.com/cattle-ops/terraform-aws-gitlab-runner/commit/91a86e125c7b88627fd54316eeff4773f39e81e0))
+
+
+### Bug Fixes
+
+* correct default terminate lambda handler value ([#1347](https://github.com/cattle-ops/terraform-aws-gitlab-runner/issues/1347)) ([57c17af](https://github.com/cattle-ops/terraform-aws-gitlab-runner/commit/57c17afe5228840ea03530548f81629c2fc505f2))
+* ensure that key pair names do not overlap ([#1338](https://github.com/cattle-ops/terraform-aws-gitlab-runner/issues/1338)) ([286de13](https://github.com/cattle-ops/terraform-aws-gitlab-runner/commit/286de13b3fa7a3cb8188ce83b9a2afd9e209f157)), closes [#1291](https://github.com/cattle-ops/terraform-aws-gitlab-runner/issues/1291)
+* use unique output file name for the lambda function ([#1336](https://github.com/cattle-ops/terraform-aws-gitlab-runner/issues/1336)) ([babfd75](https://github.com/cattle-ops/terraform-aws-gitlab-runner/commit/babfd75dccd57e82e3e2936a94cda39e7019f671))
+
 ## [9.3.0](https://github.com/cattle-ops/terraform-aws-gitlab-runner/compare/9.2.4...9.3.0) (2025-10-09)
From 04d9a95ef72cc5067189e6fa13d5b27893830a38 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
Date: Mon, 20 Oct 2025 20:15:38 +0000
Subject: [PATCH 2/2] docs: auto update terraform docs

---
 README.md | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/README.md b/README.md
index 124afb56..2fd9c6e8 100644
--- a/README.md
+++ b/README.md
@@ -86,7 +86,7 @@ This project is licensed under the MIT License - see the [LICENSE](LICENSE) file | Name | Version | |------|---------| -| [aws](#provider\_aws) | 6.15.0 | +| [aws](#provider\_aws) | 6.17.0 | | [local](#provider\_local) | 2.5.3 | | [tls](#provider\_tls) | 4.1.0 | @@ -196,8 +196,8 @@ This project is licensed under the MIT License - see the [LICENSE](LICENSE) file | [runner\_cloudwatch](#input\_runner\_cloudwatch) | enable = Boolean used to enable or disable the CloudWatch logging.
log\_group\_name = Option to override the default name (`environment`) of the log group. Requires `enable = true`.
retention\_days = Retention for cloudwatch logs. Defaults to unlimited. Requires `enable = true`. |
object({
enable = optional(bool, true)
log_group_name = optional(string, null)
retention_days = optional(number, 0)
})
| `{}` | no | | [runner\_egress\_rules](#input\_runner\_egress\_rules) | Map of Egress rules for the Runner Manager security group. |
map(object({
from_port = optional(number, null)
to_port = optional(number, null)
protocol = string
description = string
cidr_block = optional(string, null)
ipv6_cidr_block = optional(string, null)
prefix_list_id = optional(string, null)
security_group = optional(string, null)
}))
|
{
"allow_https_ipv4": {
"cidr_block": "0.0.0.0/0",
"description": "Allow HTTPS egress traffic",
"from_port": 443,
"protocol": "tcp",
"to_port": 443
},
"allow_https_ipv6": {
"description": "Allow HTTPS egress traffic (IPv6)",
"from_port": 443,
"ipv6_cidr_block": "::/0",
"protocol": "tcp",
"to_port": 443
}
}
| no | | [runner\_enable\_asg\_recreation](#input\_runner\_enable\_asg\_recreation) | Enable automatic redeployment of the Runner's ASG when the Launch Configs change. | `bool` | `true` | no | -| [runner\_gitlab](#input\_runner\_gitlab) | ca\_certificate = Trusted CA certificate bundle (PEM format).
certificate = Certificate of the GitLab instance to connect to (PEM format).
registration\_token = (deprecated, This is replaced by the `registration_token` in `runner_gitlab_registration_config`.) Registration token to use to register the Runner.
runner\_version = Version of the [GitLab Runner](https://gitlab.com/gitlab-org/gitlab-runner/-/releases). Make sure that it is available for your AMI. See https://packages.gitlab.com/app/runner/gitlab-runner/search?dist=amazon%2F2023&filter=rpms&page=1&q=
url = URL of the GitLab instance to connect to.
url\_clone = URL of the GitLab instance to clone from. Use only if the agent can’t connect to the GitLab URL.
access\_token\_secure\_parameter\_store\_name = (deprecated) The name of the SSM parameter to read the GitLab access token from. It must have the `api` scope and be pre created.
preregistered\_runner\_token\_ssm\_parameter\_name = The name of the SSM parameter to read the preregistered GitLab Runner token from. |
object({
ca_certificate = optional(string, "")
certificate = optional(string, "")
registration_token = optional(string, "__REPLACED_BY_USER_DATA__") # deprecated, removed in 8.0.0
runner_version = optional(string, "16.0.3")
url = optional(string, "")
url_clone = optional(string, "")
access_token_secure_parameter_store_name = optional(string, "gitlab-runner-access-token") # deprecated, removed in 8.0.0
preregistered_runner_token_ssm_parameter_name = optional(string, "")
})
| n/a | yes | -| [runner\_gitlab\_registration\_config](#input\_runner\_gitlab\_registration\_config) | (deprecated, replaced by runner\_gitlab.preregistered\_runner\_token\_ssm\_parameter\_name) Configuration used to register the Runner. See the README for an example, or reference the examples in the examples directory of this repo. There is also a good GitLab documentation available at: https://docs.gitlab.com/ee/ci/runners/configure_runners.html |
object({
registration_token = optional(string, "__GITLAB_REGISTRATION_TOKEN_FROM_SSM__") # deprecated, removed in 8.0.0
tag_list = optional(string, "") # deprecated, removed in 8.0.0
description = optional(string, "") # deprecated, removed in 8.0.0
type = optional(string, "") # mandatory if gitlab_runner_version >= 16.0.0 # deprecated, removed in 8.0.0
group_id = optional(string, "") # mandatory if type is group # deprecated, removed in 8.0.0
project_id = optional(string, "") # mandatory if type is project # deprecated, removed in 8.0.0
locked_to_project = optional(string, "") # deprecated, removed in 8.0.0
run_untagged = optional(string, "") # deprecated, removed in 8.0.0
maximum_timeout = optional(string, "") # deprecated, removed in 8.0.0
access_level = optional(string, "not_protected") # this is the only mandatory field calling the GitLab get token for executor operation # deprecated, removed in 8.0.0
})
| `{}` | no | +| [runner\_gitlab](#input\_runner\_gitlab) | ca\_certificate = Trusted CA certificate bundle (PEM format).
certificate = Certificate of the GitLab instance to connect to (PEM format).
registration\_token = (deprecated, this is replaced by the `preregistered_runner_token_ssm_parameter_name`) Registration token to use to register the Runner.
runner\_version = Version of the [GitLab Runner](https://gitlab.com/gitlab-org/gitlab-runner/-/releases). Make sure that it is available for your AMI. See https://packages.gitlab.com/app/runner/gitlab-runner/search?dist=amazon%2F2023&filter=rpms&page=1&q=
url = URL of the GitLab instance to connect to.
url\_clone = URL of the GitLab instance to clone from. Use only if the agent can’t connect to the GitLab URL.
access\_token\_secure\_parameter\_store\_name = (deprecated, this is replaced by the `preregistered_runner_token_ssm_parameter_name`) The name of the SSM parameter to read the GitLab access token from. It must have the `api` scope and be pre created.
preregistered\_runner\_token\_ssm\_parameter\_name = The name of the SSM parameter to read the preregistered GitLab Runner token from. |
object({
ca_certificate = optional(string, "")
certificate = optional(string, "")
registration_token = optional(string, "__REPLACED_BY_USER_DATA__") # deprecated, do not use, will be removed
runner_version = optional(string, "16.0.3")
url = optional(string, "")
url_clone = optional(string, "")
access_token_secure_parameter_store_name = optional(string, "gitlab-runner-access-token") # deprecated, do not use, will be removed
preregistered_runner_token_ssm_parameter_name = optional(string, "")
})
| n/a | yes | +| [runner\_gitlab\_registration\_config](#input\_runner\_gitlab\_registration\_config) | (deprecated, replaced by runner\_gitlab.preregistered\_runner\_token\_ssm\_parameter\_name) Register the Runner manually with GitLab first. |
object({
registration_token = optional(string, "__GITLAB_REGISTRATION_TOKEN_FROM_SSM__") # deprecated, do not use, will be removed
tag_list = optional(string, "") # deprecated, do not use, will be removed
description = optional(string, "") # deprecated, do not use, will be removed
type = optional(string, "") # deprecated, do not use, will be removed
group_id = optional(string, "") # deprecated, do not use, will be removed
project_id = optional(string, "") # deprecated, do not use, will be removed
locked_to_project = optional(string, "") # deprecated, do not use, will be removed
run_untagged = optional(string, "") # deprecated, do not use, will be removed
maximum_timeout = optional(string, "") # deprecated, do not use, will be removed
access_level = optional(string, "not_protected") # deprecated, do not use, will be removed
})
| `{}` | no | | [runner\_gitlab\_registration\_token\_secure\_parameter\_store\_name](#input\_runner\_gitlab\_registration\_token\_secure\_parameter\_store\_name) | (deprecated, replaced by runner\_gitlab.preregistered\_runner\_token\_ssm\_parameter\_name) The name of the SSM parameter to read the GitLab Runner registration token from. | `string` | `"gitlab-runner-registration-token"` | no | | [runner\_gitlab\_token\_secure\_parameter\_store](#input\_runner\_gitlab\_token\_secure\_parameter\_store) | Name of the Secure Parameter Store entry to hold the GitLab Runner token. | `string` | `"runner-token"` | no | | [runner\_ingress\_rules](#input\_runner\_ingress\_rules) | Map of Ingress rules for the Runner Manager security group. |
map(object({
from_port = optional(number, null)
to_port = optional(number, null)
protocol = string
description = string
cidr_block = optional(string, null)
ipv6_cidr_block = optional(string, null)
prefix_list_id = optional(string, null)
security_group = optional(string, null)
}))
| `{}` | no | @@ -226,7 +226,7 @@ This project is licensed under the MIT License - see the [LICENSE](LICENSE) file | [runner\_worker\_docker\_autoscaler\_ami\_id](#input\_runner\_worker\_docker\_autoscaler\_ami\_id) | The ID of the AMI to use for the Runner Worker (autoscaler). | `string` | `""` | no | | [runner\_worker\_docker\_autoscaler\_ami\_owners](#input\_runner\_worker\_docker\_autoscaler\_ami\_owners) | The list of owners used to select the AMI of the Runner Worker (autoscaler). | `list(string)` |
[
"099720109477"
]
| no | | [runner\_worker\_docker\_autoscaler\_asg](#input\_runner\_worker\_docker\_autoscaler\_asg) | enabled\_metrics = List of metrics to collect.
enable\_mixed\_instances\_policy = Make use of autoscaling-group mixed\_instances\_policy capacities to leverage pools and spot instances.
health\_check\_grace\_period = Time (in seconds) after instance comes into service before checking health.
health\_check\_type = Controls how health checking is done. Values are - EC2 and ELB.
instance\_refresh\_min\_healthy\_percentage = The amount of capacity in the Auto Scaling group that must remain healthy during an instance refresh to allow the operation to continue, as a percentage of the desired capacity of the Auto Scaling group.
instance\_refresh\_triggers = Set of additional property names that will trigger an Instance Refresh. A refresh will always be triggered by a change in any of launch\_configuration, launch\_template, or mixed\_instances\_policy.
on\_demand\_base\_capacity = Absolute minimum amount of desired capacity that must be fulfilled by on-demand instances.
on\_demand\_percentage\_above\_base\_capacity = Percentage split between on-demand and Spot instances above the base on-demand capacity.
spot\_allocation\_strategy = How to allocate capacity across the Spot pools. 'lowest-price' to optimize cost, 'capacity-optimized' to reduce interruptions.
spot\_instance\_pools = Number of Spot pools per availability zone to allocate capacity. EC2 Auto Scaling selects the cheapest Spot pools and evenly allocates Spot capacity across the number of Spot pools that you specify.
subnet\_ids = The list of subnet IDs to use for the Runner Worker when the fleet mode is enabled.
default\_instance\_type = Default instance type for the launch template
types = The type of instance to use for the Runner Worker. In case of fleet mode, multiple instance types are supported.
upgrade\_strategy = Auto deploy new instances when launch template changes. Can be either 'bluegreen', 'rolling' or 'off'.
instance\_requirements = Override the instance type in the Launch Template with instance types that satisfy the requirements. |
object({
enabled_metrics = optional(list(string), [])
enable_mixed_instances_policy = optional(bool, false)
health_check_grace_period = optional(number, 300)
health_check_type = optional(string, "EC2")
instance_refresh_min_healthy_percentage = optional(number, 90)
instance_refresh_triggers = optional(list(string), [])
on_demand_base_capacity = optional(number, 0)
on_demand_percentage_above_base_capacity = optional(number, 100)
spot_allocation_strategy = optional(string, "lowest-price")
spot_instance_pools = optional(number, 2)
subnet_ids = optional(list(string), [])
default_instance_type = optional(string, "m5.large")
types = optional(list(string), [])
upgrade_strategy = optional(string, "rolling")
instance_requirements = optional(list(object({
allowed_instance_types = optional(list(string), [])
cpu_manufacturers = optional(list(string), [])
instance_generations = optional(list(string), [])
burstable_performance = optional(string)
memory_mib = optional(object({
min = optional(number, null)
max = optional(number, null) }), {})
vcpu_count = optional(object({
min = optional(number, null)
max = optional(number, null) }), {})
})), [])
})
| `{}` | no | -| [runner\_worker\_docker\_autoscaler\_autoscaling\_options](#input\_runner\_worker\_docker\_autoscaler\_autoscaling\_options) | Set autoscaling parameters based on periods, see https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-runnersautoscalerpolicy-sections |
list(object({
periods = list(string)
timezone = optional(string, "UTC")
idle_count = optional(number)
idle_time = optional(string)
scale_factor = optional(number)
scale_factor_limit = optional(number, 0)
}))
| `[]` | no | +| [runner\_worker\_docker\_autoscaler\_autoscaling\_options](#input\_runner\_worker\_docker\_autoscaler\_autoscaling\_options) | Set autoscaling parameters based on periods, see https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-runnersautoscalerpolicy-sections |
list(object({
periods = list(string)
timezone = optional(string, "UTC")
idle_count = optional(number)
idle_time = optional(string)
scale_factor = optional(number)
scale_factor_limit = optional(number, 0)
preemptive_mode = optional(bool)
}))
| `[]` | no | | [runner\_worker\_docker\_autoscaler\_instance](#input\_runner\_worker\_docker\_autoscaler\_instance) | ebs\_optimized = Enable EBS optimization for the Runner Worker.
http\_tokens = Whether or not the metadata service requires session tokens.
http\_put\_response\_hop\_limit = The desired HTTP PUT response hop limit for instance metadata requests. The larger the number, the further instance metadata requests can travel.
monitoring = Enable detailed monitoring for the Runner Worker.
private\_address\_only = Restrict Runner Worker to the use of a private IP address. If `runner_instance.use_private_address_only` is set to `true` (default),
root\_device\_name = The name of the root volume for the Runner Worker.
root\_size = The size of the root volume for the Runner Worker.
start\_script = Cloud-init user data that will be passed to the Runner Worker. Should not be base64 encrypted.
start\_script\_compression\_algorithm = `gzip` compress the start script to mitigate the ~16 KB user data limit. Use `none` for Windows (EC2Launch does not support gzipped user data).
volume\_type = The type of volume to use for the Runner Worker. `gp2`, `gp3`, `io1` or `io2` are supported.
volume\_iops = Guaranteed IOPS for the volume. Only supported when using `gp3`, `io1` or `io2` as `volume_type`.
volume\_throughput = Throughput in MB/s for the volume. Only supported when using `gp3` as `volume_type`. |
object({
ebs_optimized = optional(bool, true)
# TODO should always be "required", right? https://aquasecurity.github.io/tfsec/v1.28.0/checks/aws/ec2/enforce-launch-config-http-token-imds/
http_tokens = optional(string, "required")
http_put_response_hop_limit = optional(number, 2)
monitoring = optional(bool, false)
private_address_only = optional(bool, true)
root_device_name = optional(string, "/dev/sda1")
root_size = optional(number, 8)
start_script = optional(string, "")
start_script_compression_algorithm = optional(string, "gzip")
volume_type = optional(string, "gp2")
volume_throughput = optional(number, 125)
volume_iops = optional(number, 3000)
})
| `{}` | no | | [runner\_worker\_docker\_autoscaler\_role](#input\_runner\_worker\_docker\_autoscaler\_role) | additional\_tags = Map of tags that will be added to the Runner Worker.
assume\_role\_policy\_json = Assume role policy for the Runner Worker.
policy\_arns = List of ARNs of IAM policies to attach to the Runner Workers.
profile\_name = Name of the IAM profile to attach to the Runner Workers. |
object({
additional_tags = optional(map(string), {})
assume_role_policy_json = optional(string, "")
policy_arns = optional(list(string), [])
profile_name = optional(string, "")
})
| `{}` | no | | [runner\_worker\_docker\_machine\_ami\_filter](#input\_runner\_worker\_docker\_machine\_ami\_filter) | List of maps used to create the AMI filter for the Runner Worker (docker-machine). | `map(list(string))` |
{
"name": [
"ubuntu/images/hvm-ssd-gp3/ubuntu-noble-24.04-amd64-server-*"
]
}
| no |