Fix: Require AMI ID with preinstalled dependecies.

Author: hllvc

stackguardian_private_runner/aws/ami.tf

@@ -1,21 +1,40 @@
 locals {
-  subnet_id        = var.private_subnet_id != null ? var.private_subnet_id : var.public_subnet_id
-  user_data_script = var.ami_id != "" ? "register_runner.sh" : "user_data_all.sh"
+  subnet_id = var.private_subnet_id != null ? var.private_subnet_id : var.public_subnet_id
+
+  # SSH key logic: custom public key > named key > no key
+  use_custom_key = var.ssh_public_key != ""
+  use_named_key  = var.ssh_key_name != "" && var.ssh_public_key == ""
+  ssh_key_name   = local.use_custom_key ? aws_key_pair.this[0].key_name : (local.use_named_key ? var.ssh_key_name : "")
 }
 
 data "stackguardian_runner_group_token" "this" {
   runner_group_id = stackguardian_runner_group.this.resource_name
 }
 
+# Create SSH key pair when custom public key is provided
+resource "aws_key_pair" "this" {
+  count      = local.use_custom_key ? 1 : 0
+  key_name   = "${var.name_prefix}-private-runner-custom-key"
+  public_key = var.ssh_public_key
+
+  tags = {
+    Name = "${var.name_prefix}-private-runner-custom-key"
+  }
+}
+
 # Launch Template for Auto Scaling Group
 resource "aws_launch_template" "this" {
   name_prefix   = "${var.name_prefix}-private-runner-"
-  image_id      = local.runner_ami_id
+  image_id      = var.ami_id
   instance_type = var.instance_type
-  key_name      = var.ssh_key_name
+  key_name      = local.ssh_key_name != "" ? local.ssh_key_name : null
 
   vpc_security_group_ids = [aws_security_group.this.id]
 
+  network_interfaces {
+    associate_public_ip_address = var.associate_public_ip
+  }
+
   iam_instance_profile {
     name = aws_iam_instance_profile.this.name
   }
@@ -29,23 +48,17 @@ resource "aws_launch_template" "this" {
   block_device_mappings {
     device_name = "/dev/sda1"
     ebs {
-      volume_size           = 100
-      volume_type           = "gp3"
-      delete_on_termination = true
+      volume_size           = var.volume_size
+      volume_type           = var.volume_type
+      delete_on_termination = var.delete_volume_on_termination
     }
   }
 
-  user_data = base64encode("${templatefile("${path.module}/templates/${local.user_data_script}", {
-    os_family             = var.os_family
+  user_data = base64encode("${templatefile("${path.module}/templates/register_runner.sh", {
     sg_org_name           = var.sg_org_name
     sg_api_uri            = var.sg_api_uri
     sg_runner_group_name  = stackguardian_runner_group.this.resource_name
     sg_runner_group_token = data.stackguardian_runner_group_token.this.runner_group_token
-    # sg_runner_group_token                                             = (
-    #   data.stackguardian_runner_group_token.this.runner_group_token ! = null
-    #   ? data.stackguardian_runner_group_token.this.runner_group_token
-    #   : var.sg_runner_token
-    # )
   })}")
 
   tag_specifications {

stackguardian_private_runner/aws/autoscaling.tf

@@ -50,21 +50,13 @@ resource "aws_security_group" "this" {
   description = "Block inboud and Allow All outbound for Private Runner."
   vpc_id      = var.vpc_id
 
-  # Allow all ingress
-  # ingress {
-  #   from_port   = 0
-  #   to_port     = 0
-  #   protocol    = "-1"
-  #   cidr_blocks = ["0.0.0.0/0"]
-  # }
-
   # Allow SSH
   ingress {
     description = "SSH"
     from_port   = 22
     to_port     = 22
     protocol    = "tcp"
-    cidr_blocks = ["178.77.15.22/32"]
+    cidr_blocks = var.allow_ssh_cidr_blocks
   }
 
   egress {

stackguardian_private_runner/aws/network.tf

@@ -4,11 +4,6 @@ terraform {
       source  = "StackGuardian/stackguardian"
       version = "1.3.3"
     }
-    # Local Provider
-    # stackguardian = {
-    #   source  = "terraform/provider/stackguardian"
-    #   version = "0.0.0-dev"
-    # }
     aws = {
       source = "hashicorp/aws"
     }
@@ -25,7 +20,6 @@ terraform {
       source = "hashicorp/random"
     }
   }
-  required_version = ">= 1.3"
 }
 
 provider "aws" {

stackguardian_private_runner/aws/provider.tf

@@ -1,5 +1,13 @@
+locals {
+  runner_group_name = (
+    var.override_runner_group_name != ""
+    ? var.override_runner_group_name
+    : "${var.name_prefix}-runner-group-${data.aws_caller_identity.current.account_id}"
+  )
+}
+
 resource "stackguardian_runner_group" "this" {
-  resource_name = "${var.name_prefix}-runner-group-${data.aws_caller_identity.current.account_id}"
+  resource_name = locals.runner_group_name
   description   = "Private Runner Group for AWS S3 storage backend"
 
   max_number_of_runners = var.asg_max_size

stackguardian_private_runner/aws/runner_group.tf

@@ -5,8 +5,8 @@ resource "random_string" "storage_backend_prefix" {
 }
 
 resource "aws_s3_bucket" "this" {
-  bucket = "${random_string.storage_backend_prefix.result}-private-runner-storage-backend"
-  # force_destroy = true
+  bucket        = "${random_string.storage_backend_prefix.result}-private-runner-storage-backend"
+  force_destroy = var.force_destroy_storage_backend
 }
 
 # Optional: Block public access

stackguardian_private_runner/aws/storage_backend.tf

@@ -1,4 +1,5 @@
-#!/bin/bash
+#!/usr/bin/env sh
+
 set -e
 
 ## Register Private Runner

stackguardian_private_runner/aws/templates/register_runner.sh

@@ -30,9 +30,33 @@ variable "name_prefix" {
   default     = "sg"
 }
 
-/*------------------------+
- | EC2 Required Variables |
- +------------------------*/
+variable "override_runner_group_name" {
+  description = <<EOT
+    Optional: Override the default runner group name.
+    If not provided, the module will use the default group name: {name_prefix}-runner-group-{account_id}
+    This is useful if you want to use a specific runner group name for your organization.
+    Default is an empty string, meaning the default group name will be used.
+  EOT
+  type        = string
+  default     = ""
+}
+
+/*---------------------------+
+ | Backend Storage Variables |
+ +---------------------------*/
+variable "force_destroy_storage_backend" {
+  description = <<EOT
+    Whether to force destroy the storage backend (S3 bucket) when the module is destroyed.
+    This will delete all data in the bucket, so use with caution.
+    Default is false, meaning the bucket will not be deleted if it contains objects.
+  EOT
+  type        = bool
+  default     = false
+}
+
+/*-----------------------+
+ | EC2 Network Variables |
+ +-----------------------*/
 variable "vpc_id" {
   description = "Existing VPC ID for the Private Runner instance"
   type        = string
@@ -49,36 +73,69 @@ variable "public_subnet_id" {
   type        = string
 }
 
-variable "ssh_key_name" {
-  description = "The SSH Key Name for the Private Runner instance"
+variable "associate_public_ip" {
+  description = "Whether to assign a public IP to the Private Runner instance"
+  type        = bool
+  default     = true
+}
+
+/*-----------------------+
+ | EC2 Storage Variables |
+ +-----------------------*/
+variable "volume_type" {
+  description = "Type of the EBS volume for the Private Runner instance"
   type        = string
+  default     = "gp3"
 }
 
-variable "instance_type" {
-  description = "The EC2 instance type for Private Runner (min 4 vCPU, 8GB RAM recommended)"
+variable "volume_size" {
+  description = "Size of the EBS volume in GB for the Private Runner instance"
+  type        = number
+  default     = 100
+}
+
+variable "delete_volume_on_termination" {
+  description = "Whether to delete the EBS volume on instance termination"
+  type        = bool
+  default     = false
+}
+
+/*------------------------------+
+ | EC2 SSH Connection Variables |
+ +------------------------------*/
+variable "ssh_key_name" {
+  description = "The existing SSH key name from AWS. If not provided and ssh_public_key is empty, no SSH key will be configured."
   type        = string
-  default     = "t3.medium"
+  default     = ""
 }
 
-variable "os_family" {
-  description = "The OS family for Private Runner instance: 'amazon', 'ubuntu', or 'rhel'"
+variable "ssh_public_key" {
+  description = "Custom SSH public key content to add to the instance. If provided, this takes precedence over ssh_key_name."
   type        = string
-  default     = "ubuntu"
+  default     = ""
+}
 
-  validation {
-    condition     = contains(["amazon", "ubuntu", "rhel"], var.os_family)
-    error_message = "The os_family must be one of 'amazon', 'ubuntu', or 'rhel'."
-  }
+variable "allow_ssh_cidr_blocks" {
+  description = "CIDR blocks allowed to SSH into the Private Runner instance. If empty, no SSH access is allowed."
+  type        = list(string)
+  default     = []
 }
 
-variable "os_version" {
-  description = "Specific OS version (e.g., '20.04' for Ubuntu, '8.5' for RHEL)"
+/*------------------------+
+ | EC2 Instance Variables |
+ +------------------------*/
+variable "instance_type" {
+  description = "The EC2 instance type for Private Runner (min 4 vCPU, 8GB RAM recommended)"
   type        = string
-  default     = "22.04"
+  default     = "t3.xlarge"
 }
 
 variable "ami_id" {
-  description = "The AMI ID for the Private Runner instance with pre-installed dependencies. If not provided, it will be fetched based on the OS family and version and dependencies will be installed in user-data."
+  description = <<EOT
+    The AMI ID for the Private Runner instance with pre-installed dependencies.
+    Required dependencies: docker, cron, jq, sg-runner (main.sh)
+    Recommended: Use StackGuardian Template with Packer to build custom AMI.
+  EOT
   type        = string
   default     = ""
 }
@@ -95,7 +152,7 @@ variable "asg_min_size" {
 variable "asg_max_size" {
   description = "Maximum number of instances in the Auto Scaling Group"
   type        = number
-  default     = 2
+  default     = 5
 }
 
 variable "asg_desired_capacity" {
@@ -123,13 +180,13 @@ variable "image" {
 variable "scale_out_cooldown_duration" {
   description = "Scale out cooldown duration in minutes"
   type        = string
-  default     = "2"
+  default     = "3"
 }
 
 variable "scale_in_cooldown_duration" {
   description = "Scale in cooldown duration in minutes"
   type        = string
-  default     = "2"
+  default     = "5"
 }
 
 variable "scale_out_threshold" {