{"id":14008259,"url":"https://github.com/cattle-ops/terraform-aws-gitlab-runner","last_synced_at":"2026-03-14T09:10:14.742Z","repository":{"id":38055506,"uuid":"111354986","full_name":"cattle-ops/terraform-aws-gitlab-runner","owner":"cattle-ops","description":"Terraform module for AWS GitLab runners on ec2 (spot) instances","archived":false,"fork":false,"pushed_at":"2023-12-19T00:49:55.000Z","size":2770,"stargazers_count":536,"open_issues_count":23,"forks_count":310,"subscribers_count":10,"default_branch":"main","last_synced_at":"2023-12-19T08:46:43.218Z","etag":null,"topics":["aws","ci","cicd","gitlab-ci","hacktoberfest","infrastructure-as-code","spot-instances","terraform"],"latest_commit_sha":null,"homepage":"https://registry.terraform.io/modules/cattle-ops/gitlab-runner/aws","language":"HCL","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/cattle-ops.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":"security_groups.tf","support":null,"governance":null,"roadmap":null,"authors":null},"funding":{"github":"npalm"}},"created_at":"2017-11-20T03:01:33.000Z","updated_at":"2024-07-04T23:00:14.371Z","dependencies_parsed_at":"2022-07-12T17:11:59.527Z","dependency_job_id":"326339ea-7cd0-48f6-b618-f4fe0c414d60","html_url":"https://github.com/cattle-ops/terraform-aws-gitlab-runner","commit_stats":null,"previous_names":["npalm/terraform-aws-gitlab-runner"],"tags_count":144,"template":null,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cattle-ops%2Fterraform-aws-gitlab-runner","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cattle-
ops%2Fterraform-aws-gitlab-runner/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cattle-ops%2Fterraform-aws-gitlab-runner/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cattle-ops%2Fterraform-aws-gitlab-runner/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/cattle-ops","download_url":"https://codeload.github.com/cattle-ops/terraform-aws-gitlab-runner/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":227410556,"owners_count":17774769,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","ci","cicd","gitlab-ci","hacktoberfest","infrastructure-as-code","spot-instances","terraform"],"created_at":"2024-08-10T11:01:30.792Z","updated_at":"2026-03-14T09:10:14.728Z","avatar_url":"https://github.com/cattle-ops.png","language":"HCL","funding_links":["https://github.com/sponsors/npalm"],"categories":["HCL"],"sub_categories":[],"readme":"\u003c!-- First line should be an H1: Badges on top please! 
--\u003e\n\u003c!-- markdownlint-disable MD041/first-line-heading/first-line-h1 --\u003e\n[![Terraform registry](https://img.shields.io/github/v/release/cattle-ops/terraform-aws-gitlab-runner?label=Terraform%20Registry)](https://registry.terraform.io/modules/cattle-ops/gitlab-runner/aws/)\n[![Gitter](https://badges.gitter.im/terraform-aws-gitlab-runner/Lobby.svg)](https://gitter.im/terraform-aws-gitlab-runner/Lobby?utm_source=badge\u0026utm_medium=badge\u0026utm_campaign=pr-badge)\n[![Actions](https://github.com/cattle-ops/terraform-aws-gitlab-runner/workflows/CI/badge.svg)](https://github.com/cattle-ops/terraform-aws-gitlab-runner/actions)\n[![Renovate](https://img.shields.io/badge/renovate-enabled-brightgreen?logo=renovate)](https://www.mend.io/renovate/)\n\u003c!-- markdownlint-enable MD041/first-line-heading/first-line-h1 --\u003e\n\n# Terraform module for GitLab auto-scaling runners on AWS spot instances \u003c!-- omit in toc --\u003e\n\n💥 See [issue 819](https://github.com/cattle-ops/terraform-aws-gitlab-runner/issues/819) on how to migrate to v7 smoothly.\n💥 See [pr 1204](https://github.com/cattle-ops/terraform-aws-gitlab-runner/pull/1204) on how to migrate to v8 smoothly.\n\nThis [Terraform](https://www.terraform.io/) module creates a [GitLab Runner](https://docs.gitlab.com/runner/). A blog post\ndescribes the original version of the runner. See the post at [040code](https://040code.github.io/2017/12/09/runners-on-the-spot/).\nThe original setup of the module is based on the blog post: [Auto scale GitLab CI runners and save 90% on EC2 costs](https://about.gitlab.com/2017/11/23/autoscale-ci-runners/).\n\nThe runners created by the module use spot instances by default for running the builds using the `docker+machine` executor.\n\n- Shared cache in S3 with life cycle management to clear objects after x days.\n- Logs streamed to CloudWatch.\n- Runner agents registered automatically.\n\nThe runner supports 3 main scenarios:\n\n1. 
GitLab CI docker-machine runner - one runner agent\n\n   In this scenario the runner agent is running on a single EC2 node and runners are created by [docker machine](https://docs.gitlab.com/runner/configuration/autoscale.html)\n   using spot instances. Runners will scale automatically based on the configuration. The module creates an S3 cache by default,\n   which is shared across runners (spot instances).\n\n   ![runners-default](https://github.com/cattle-ops/terraform-aws-gitlab-runner/raw/main/assets/images/runner-default.png)\n\n2. GitLab CI docker-machine runner - multiple runner agents\n\n   In this scenario multiple runner agents can be created with different configurations by instantiating the module multiple times.\n   Runners will scale automatically based on the configuration. The S3 cache can be shared across runners by managing the cache\n   outside the module.\n\n   ![runners-cache](https://github.com/cattle-ops/terraform-aws-gitlab-runner/raw/main/assets/images/runner-cache.png)\n\n3. GitLab CI docker runner\n\n   In this scenario docker, _not_ docker machine, is used to schedule the builds. Builds will run on the same EC2 instance as the\n   agent. No auto-scaling is supported.\n\n   ![runners-docker](https://github.com/cattle-ops/terraform-aws-gitlab-runner/raw/main/assets/images/runner-docker.png)\n\nFor detailed concepts and usage please refer to [usage](docs/usage.md).\n\n## Contributors ✨\n\nPRs are welcome! 
Please see the [contributing guide](CONTRIBUTING.md) for more details.\n\nThanks to all the people who already contributed!\n\n\u003c!-- this is the only option to integrate the contributors list in the README.md --\u003e\n\u003c!-- markdownlint-disable MD033 --\u003e\n\u003ca href=\"https://github.com/cattle-ops/terraform-aws-gitlab-runner/graphs/contributors\"\u003e\n  \u003c!-- markdownlint-disable MD033 --\u003e\n  \u003cimg src=\"https://contrib.rocks/image?repo=cattle-ops/terraform-aws-gitlab-runner\" alt=\"contributors\"/\u003e\n\u003c/a\u003e\n\nMade with [contributors-img](https://contrib.rocks).\n\n## License\n\nThis project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.\n\n## Module Documentation\n\n\u003c!-- markdownlint-disable --\u003e\n\u003c!-- cSpell:disable --\u003e\n\u003c!-- markdown-link-check-disable --\u003e\n\u003c!-- BEGIN_TF_DOCS --\u003e\n## Requirements\n\n| Name | Version |\n|------|---------|\n| \u003ca name=\"requirement_terraform\"\u003e\u003c/a\u003e [terraform](#requirement\\_terraform) | \u003e= 1.3 |\n| \u003ca name=\"requirement_aws\"\u003e\u003c/a\u003e [aws](#requirement\\_aws) | \u003e= 6.0.0 |\n| \u003ca name=\"requirement_local\"\u003e\u003c/a\u003e [local](#requirement\\_local) | \u003e= 2.4.0 |\n| \u003ca name=\"requirement_tls\"\u003e\u003c/a\u003e [tls](#requirement\\_tls) | \u003e= 3 |\n\n## Providers\n\n| Name | Version |\n|------|---------|\n| \u003ca name=\"provider_aws\"\u003e\u003c/a\u003e [aws](#provider\\_aws) | 6.17.0 |\n| \u003ca name=\"provider_local\"\u003e\u003c/a\u003e [local](#provider\\_local) | 2.5.3 |\n| \u003ca name=\"provider_tls\"\u003e\u003c/a\u003e [tls](#provider\\_tls) | 4.1.0 |\n\n## Modules\n\n| Name | Source | Version |\n|------|--------|---------|\n| \u003ca name=\"module_cache\"\u003e\u003c/a\u003e [cache](#module\\_cache) | ./modules/cache | n/a |\n| \u003ca name=\"module_terminate_agent_hook\"\u003e\u003c/a\u003e 
[terminate\\_agent\\_hook](#module\\_terminate\\_agent\\_hook) | ./modules/terminate-agent-hook | n/a |\n\n## Resources\n\n| Name | Type |\n|------|------|\n| [aws_autoscaling_group.autoscaler](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/autoscaling_group) | resource |\n| [aws_autoscaling_group.gitlab_runner_instance](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/autoscaling_group) | resource |\n| [aws_autoscaling_lifecycle_hook.wait_for_gitlab_runner](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/autoscaling_lifecycle_hook) | resource |\n| [aws_autoscaling_schedule.scale_in](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/autoscaling_schedule) | resource |\n| [aws_autoscaling_schedule.scale_out](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/autoscaling_schedule) | resource |\n| [aws_cloudwatch_log_group.environment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |\n| [aws_eip.gitlab_runner](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eip) | resource |\n| [aws_iam_instance_profile.docker_autoscaler](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_instance_profile) | resource |\n| [aws_iam_instance_profile.docker_machine](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_instance_profile) | resource |\n| [aws_iam_instance_profile.instance](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_instance_profile) | resource |\n| [aws_iam_policy.eip](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |\n| [aws_iam_policy.instance_docker_autoscaler_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |\n| 
[aws_iam_policy.instance_docker_machine_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |\n| [aws_iam_policy.instance_kms_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |\n| [aws_iam_policy.instance_session_manager_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |\n| [aws_iam_policy.service_linked_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |\n| [aws_iam_policy.ssm](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |\n| [aws_iam_role.docker_autoscaler](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |\n| [aws_iam_role.docker_machine](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |\n| [aws_iam_role.instance](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |\n| [aws_iam_role_policy.instance](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |\n| [aws_iam_role_policy_attachment.docker_autoscaler_session_manager_aws_managed](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |\n| [aws_iam_role_policy_attachment.docker_autoscaler_user_defined_policies](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |\n| [aws_iam_role_policy_attachment.docker_machine_cache_instance](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |\n| [aws_iam_role_policy_attachment.docker_machine_session_manager_aws_managed](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) 
| resource |\n| [aws_iam_role_policy_attachment.docker_machine_user_defined_policies](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |\n| [aws_iam_role_policy_attachment.eip](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |\n| [aws_iam_role_policy_attachment.instance_docker_autoscaler_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |\n| [aws_iam_role_policy_attachment.instance_docker_machine_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |\n| [aws_iam_role_policy_attachment.instance_kms_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |\n| [aws_iam_role_policy_attachment.instance_session_manager_aws_managed](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |\n| [aws_iam_role_policy_attachment.instance_session_manager_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |\n| [aws_iam_role_policy_attachment.service_linked_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |\n| [aws_iam_role_policy_attachment.ssm](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |\n| [aws_iam_role_policy_attachment.user_defined_policies](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |\n| [aws_key_pair.autoscaler](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/key_pair) | resource |\n| 
[aws_key_pair.fleet](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/key_pair) | resource |\n| [aws_kms_alias.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource |\n| [aws_kms_key.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |\n| [aws_launch_template.fleet_gitlab_runner](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_template) | resource |\n| [aws_launch_template.gitlab_runner_instance](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_template) | resource |\n| [aws_launch_template.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_template) | resource |\n| [aws_security_group.docker_autoscaler](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |\n| [aws_security_group.docker_machine](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |\n| [aws_security_group.runner](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |\n| [aws_ssm_parameter.runner_registration_token](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter) | resource |\n| [aws_ssm_parameter.runner_sentry_dsn](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter) | resource |\n| [aws_vpc_security_group_egress_rule.docker_autoscaler_egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_security_group_egress_rule) | resource |\n| [aws_vpc_security_group_egress_rule.docker_machine](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_security_group_egress_rule) | resource |\n| 
[aws_vpc_security_group_egress_rule.runner](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_security_group_egress_rule) | resource |\n| [aws_vpc_security_group_egress_rule.runner_manager_to_docker_autoscaler_egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_security_group_egress_rule) | resource |\n| [aws_vpc_security_group_egress_rule.runner_manager_to_docker_machine_egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_security_group_egress_rule) | resource |\n| [aws_vpc_security_group_ingress_rule.docker_autoscaler_ingress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_security_group_ingress_rule) | resource |\n| [aws_vpc_security_group_ingress_rule.docker_autoscaler_internal_traffic](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_security_group_ingress_rule) | resource |\n| [aws_vpc_security_group_ingress_rule.docker_machine](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_security_group_ingress_rule) | resource |\n| [aws_vpc_security_group_ingress_rule.docker_machine_docker_runner](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_security_group_ingress_rule) | resource |\n| [aws_vpc_security_group_ingress_rule.docker_machine_docker_self](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_security_group_ingress_rule) | resource |\n| [aws_vpc_security_group_ingress_rule.docker_machine_ping_runner](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_security_group_ingress_rule) | resource |\n| [aws_vpc_security_group_ingress_rule.docker_machine_ping_self](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_security_group_ingress_rule) | resource |\n| 
[aws_vpc_security_group_ingress_rule.docker_machine_ssh_runner](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_security_group_ingress_rule) | resource |\n| [aws_vpc_security_group_ingress_rule.docker_machine_ssh_self](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_security_group_ingress_rule) | resource |\n| [aws_vpc_security_group_ingress_rule.runner](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_security_group_ingress_rule) | resource |\n| [aws_vpc_security_group_ingress_rule.runner_ping_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_security_group_ingress_rule) | resource |\n| [local_file.config_toml](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/file) | resource |\n| [local_file.user_data](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/file) | resource |\n| [tls_private_key.autoscaler](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource |\n| [tls_private_key.fleet](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource |\n| [aws_ami.docker_autoscaler_by_filter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source |\n| [aws_ami.docker_machine_by_filter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source |\n| [aws_ami.runner_by_filter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source |\n| [aws_availability_zone.runners](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zone) | data source |\n| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |\n| 
[aws_iam_policy_document.ssm](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |\n| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |\n| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |\n| [aws_subnet.runners](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnet) | data source |\n\n## Inputs\n\n| Name | Description | Type | Default | Required |\n|------|-------------|------|---------|:--------:|\n| \u003ca name=\"input_debug\"\u003e\u003c/a\u003e [debug](#input\_debug) | trace\_runner\_user\_data: Enable bash trace for the user data script on the Agent. Be aware this could log sensitive data such as your GitLab runner token.\u003cbr/\u003ewrite\_runner\_config\_to\_file: When enabled, outputs the rendered config.toml file in the root module. Note that enabling this can\u003cbr/\u003e                             potentially expose sensitive information.\u003cbr/\u003ewrite\_runner\_user\_data\_to\_file: When enabled, outputs the rendered userdata.sh file in the root module. Note that enabling this\u003cbr/\u003e                                can potentially expose sensitive information. | \u003cpre\u003eobject({\u003cbr/\u003e    trace_runner_user_data         = optional(bool, false)\u003cbr/\u003e    write_runner_config_to_file    = optional(bool, false)\u003cbr/\u003e    write_runner_user_data_to_file = optional(bool, false)\u003cbr/\u003e  })\u003c/pre\u003e | `{}` | no |\n| \u003ca name=\"input_enable_managed_kms_key\"\u003e\u003c/a\u003e [enable\_managed\_kms\_key](#input\_enable\_managed\_kms\_key) | Let the module manage a KMS key. Be aware of the costs of a custom key. Do not specify a `kms_key_id` when `enable_kms` is set to `true`. 
| `bool` | `false` | no |\n| \u003ca name=\"input_environment\"\u003e\u003c/a\u003e [environment](#input\\_environment) | A name that identifies the environment, used as prefix and for tagging. | `string` | n/a | yes |\n| \u003ca name=\"input_iam_object_prefix\"\u003e\u003c/a\u003e [iam\\_object\\_prefix](#input\\_iam\\_object\\_prefix) | Set the name prefix of all AWS IAM resources. | `string` | `\"\"` | no |\n| \u003ca name=\"input_iam_permissions_boundary\"\u003e\u003c/a\u003e [iam\\_permissions\\_boundary](#input\\_iam\\_permissions\\_boundary) | Name of permissions boundary policy to attach to AWS IAM roles | `string` | `\"\"` | no |\n| \u003ca name=\"input_kms_key_id\"\u003e\u003c/a\u003e [kms\\_key\\_id](#input\\_kms\\_key\\_id) | KMS key id to encrypt the resources. Ensure that CloudWatch and Runner/Runner Workers have access to the provided KMS key. | `string` | `\"\"` | no |\n| \u003ca name=\"input_kms_managed_alias_name\"\u003e\u003c/a\u003e [kms\\_managed\\_alias\\_name](#input\\_kms\\_managed\\_alias\\_name) | Alias added to the created KMS key. | `string` | `\"\"` | no |\n| \u003ca name=\"input_kms_managed_deletion_rotation_window_in_days\"\u003e\u003c/a\u003e [kms\\_managed\\_deletion\\_rotation\\_window\\_in\\_days](#input\\_kms\\_managed\\_deletion\\_rotation\\_window\\_in\\_days) | Key deletion/rotation window for the created KMS key. Set to 0 for no rotation/deletion window. | `number` | `7` | no |\n| \u003ca name=\"input_runner_ami_filter\"\u003e\u003c/a\u003e [runner\\_ami\\_filter](#input\\_runner\\_ami\\_filter) | List of maps used to create the AMI filter for the Runner AMI. Must resolve to an Amazon Linux 1, 2 or 2023 image. | `map(list(string))` | \u003cpre\u003e{\u003cbr/\u003e  \"name\": [\u003cbr/\u003e    \"al2023-ami-2023*-x86_64\"\u003cbr/\u003e  ]\u003cbr/\u003e}\u003c/pre\u003e | no |\n| \u003ca name=\"input_runner_ami_id\"\u003e\u003c/a\u003e [runner\\_ami\\_id](#input\\_runner\\_ami\\_id) | The AMI ID of the Runner instance. 
| `string` | `\"\"` | no |\n| \u003ca name=\"input_runner_ami_owners\"\u003e\u003c/a\u003e [runner\\_ami\\_owners](#input\\_runner\\_ami\\_owners) | The list of owners used to select the AMI of the Runner instance. | `list(string)` | \u003cpre\u003e[\u003cbr/\u003e  \"amazon\"\u003cbr/\u003e]\u003c/pre\u003e | no |\n| \u003ca name=\"input_runner_cloudwatch\"\u003e\u003c/a\u003e [runner\\_cloudwatch](#input\\_runner\\_cloudwatch) | enable = Boolean used to enable or disable the CloudWatch logging.\u003cbr/\u003elog\\_group\\_name = Option to override the default name (`environment`) of the log group. Requires `enable = true`.\u003cbr/\u003eretention\\_days = Retention for cloudwatch logs. Defaults to unlimited. Requires `enable = true`. | \u003cpre\u003eobject({\u003cbr/\u003e    enable         = optional(bool, true)\u003cbr/\u003e    log_group_name = optional(string, null)\u003cbr/\u003e    retention_days = optional(number, 0)\u003cbr/\u003e  })\u003c/pre\u003e | `{}` | no |\n| \u003ca name=\"input_runner_egress_rules\"\u003e\u003c/a\u003e [runner\\_egress\\_rules](#input\\_runner\\_egress\\_rules) | Map of Egress rules for the Runner Manager security group. 
| \u003cpre\u003emap(object({\u003cbr/\u003e    from_port       = optional(number, null)\u003cbr/\u003e    to_port         = optional(number, null)\u003cbr/\u003e    protocol        = string\u003cbr/\u003e    description     = string\u003cbr/\u003e    cidr_block      = optional(string, null)\u003cbr/\u003e    ipv6_cidr_block = optional(string, null)\u003cbr/\u003e    prefix_list_id  = optional(string, null)\u003cbr/\u003e    security_group  = optional(string, null)\u003cbr/\u003e  }))\u003c/pre\u003e | \u003cpre\u003e{\u003cbr/\u003e  \"allow_https_ipv4\": {\u003cbr/\u003e    \"cidr_block\": \"0.0.0.0/0\",\u003cbr/\u003e    \"description\": \"Allow HTTPS egress traffic\",\u003cbr/\u003e    \"from_port\": 443,\u003cbr/\u003e    \"protocol\": \"tcp\",\u003cbr/\u003e    \"to_port\": 443\u003cbr/\u003e  },\u003cbr/\u003e  \"allow_https_ipv6\": {\u003cbr/\u003e    \"description\": \"Allow HTTPS egress traffic (IPv6)\",\u003cbr/\u003e    \"from_port\": 443,\u003cbr/\u003e    \"ipv6_cidr_block\": \"::/0\",\u003cbr/\u003e    \"protocol\": \"tcp\",\u003cbr/\u003e    \"to_port\": 443\u003cbr/\u003e  }\u003cbr/\u003e}\u003c/pre\u003e | no |\n| \u003ca name=\"input_runner_enable_asg_recreation\"\u003e\u003c/a\u003e [runner\\_enable\\_asg\\_recreation](#input\\_runner\\_enable\\_asg\\_recreation) | Enable automatic redeployment of the Runner's ASG when the Launch Configs change. | `bool` | `true` | no |\n| \u003ca name=\"input_runner_gitlab\"\u003e\u003c/a\u003e [runner\\_gitlab](#input\\_runner\\_gitlab) | ca\\_certificate = Trusted CA certificate bundle (PEM format).\u003cbr/\u003ecertificate = Certificate of the GitLab instance to connect to (PEM format).\u003cbr/\u003eregistration\\_token = (deprecated, this is replaced by the `preregistered_runner_token_ssm_parameter_name`) Registration token to use to register the Runner.\u003cbr/\u003erunner\\_version = Version of the [GitLab Runner](https://gitlab.com/gitlab-org/gitlab-runner/-/releases). 
Make sure that it is available for your AMI. See https://packages.gitlab.com/app/runner/gitlab-runner/search?dist=amazon%2F2023\u0026filter=rpms\u0026page=1\u0026q=\u003cbr/\u003eurl = URL of the GitLab instance to connect to.\u003cbr/\u003eurl\\_clone = URL of the GitLab instance to clone from. Use only if the agent can’t connect to the GitLab URL.\u003cbr/\u003eaccess\\_token\\_secure\\_parameter\\_store\\_name = (deprecated, this is replaced by the `preregistered_runner_token_ssm_parameter_name`) The name of the SSM parameter to read the GitLab access token from. It must have the `api` scope and be pre created.\u003cbr/\u003epreregistered\\_runner\\_token\\_ssm\\_parameter\\_name = The name of the SSM parameter to read the preregistered GitLab Runner token from. | \u003cpre\u003eobject({\u003cbr/\u003e    ca_certificate                                = optional(string, \"\")\u003cbr/\u003e    certificate                                   = optional(string, \"\")\u003cbr/\u003e    registration_token                            = optional(string, \"__REPLACED_BY_USER_DATA__\") # deprecated, do not use, will be removed\u003cbr/\u003e    runner_version                                = optional(string, \"16.0.3\")\u003cbr/\u003e    url                                           = optional(string, \"\")\u003cbr/\u003e    url_clone                                     = optional(string, \"\")\u003cbr/\u003e    access_token_secure_parameter_store_name      = optional(string, \"gitlab-runner-access-token\") # deprecated, do not use, will be removed\u003cbr/\u003e    preregistered_runner_token_ssm_parameter_name = optional(string, \"\")\u003cbr/\u003e  })\u003c/pre\u003e | n/a | yes |\n| \u003ca name=\"input_runner_gitlab_registration_config\"\u003e\u003c/a\u003e [runner\\_gitlab\\_registration\\_config](#input\\_runner\\_gitlab\\_registration\\_config) | (deprecated, replaced by runner\\_gitlab.preregistered\\_runner\\_token\\_ssm\\_parameter\\_name) Register the Runner 
manually with GitLab first. | \u003cpre\u003eobject({\u003cbr/\u003e    registration_token = optional(string, \"__GITLAB_REGISTRATION_TOKEN_FROM_SSM__\") # deprecated, do not use, will be removed\u003cbr/\u003e    tag_list           = optional(string, \"\")                                       # deprecated, do not use, will be removed\u003cbr/\u003e    description        = optional(string, \"\")                                       # deprecated, do not use, will be removed\u003cbr/\u003e    type               = optional(string, \"\")                                       # deprecated, do not use, will be removed\u003cbr/\u003e    group_id           = optional(string, \"\")                                       # deprecated, do not use, will be removed\u003cbr/\u003e    project_id         = optional(string, \"\")                                       # deprecated, do not use, will be removed\u003cbr/\u003e    locked_to_project  = optional(string, \"\")                                       # deprecated, do not use, will be removed\u003cbr/\u003e    run_untagged       = optional(string, \"\")                                       # deprecated, do not use, will be removed\u003cbr/\u003e    maximum_timeout    = optional(string, \"\")                                       # deprecated, do not use, will be removed\u003cbr/\u003e    access_level       = optional(string, \"not_protected\")                          # deprecated, do not use, will be removed\u003cbr/\u003e  })\u003c/pre\u003e | `{}` | no |\n| \u003ca name=\"input_runner_gitlab_registration_token_secure_parameter_store_name\"\u003e\u003c/a\u003e [runner\\_gitlab\\_registration\\_token\\_secure\\_parameter\\_store\\_name](#input\\_runner\\_gitlab\\_registration\\_token\\_secure\\_parameter\\_store\\_name) | (deprecated, replaced by runner\\_gitlab.preregistered\\_runner\\_token\\_ssm\\_parameter\\_name) The name of the SSM parameter to read the GitLab Runner registration token from. 
| `string` | `\"gitlab-runner-registration-token\"` | no |\n| \u003ca name=\"input_runner_gitlab_token_secure_parameter_store\"\u003e\u003c/a\u003e [runner\\_gitlab\\_token\\_secure\\_parameter\\_store](#input\\_runner\\_gitlab\\_token\\_secure\\_parameter\\_store) | Name of the Secure Parameter Store entry to hold the GitLab Runner token. | `string` | `\"runner-token\"` | no |\n| \u003ca name=\"input_runner_ingress_rules\"\u003e\u003c/a\u003e [runner\\_ingress\\_rules](#input\\_runner\\_ingress\\_rules) | Map of Ingress rules for the Runner Manager security group. | \u003cpre\u003emap(object({\u003cbr/\u003e    from_port       = optional(number, null)\u003cbr/\u003e    to_port         = optional(number, null)\u003cbr/\u003e    protocol        = string\u003cbr/\u003e    description     = string\u003cbr/\u003e    cidr_block      = optional(string, null)\u003cbr/\u003e    ipv6_cidr_block = optional(string, null)\u003cbr/\u003e    prefix_list_id  = optional(string, null)\u003cbr/\u003e    security_group  = optional(string, null)\u003cbr/\u003e  }))\u003c/pre\u003e | `{}` | no |\n| \u003ca name=\"input_runner_install\"\u003e\u003c/a\u003e [runner\\_install](#input\\_runner\\_install) | amazon\\_ecr\\_credential\\_helper = Install amazon-ecr-credential-helper inside `userdata_pre_install` script\u003cbr/\u003edocker\\_machine\\_download\\_url = URL to download docker machine binary. If not set, the docker machine version will be used to download the binary.\u003cbr/\u003edocker\\_machine\\_version = By default docker\\_machine\\_download\\_url is used to set the docker machine version. This version will be ignored once `docker_machine_download_url` is set. The version number is maintained by the CKI project. 
Check out at https://gitlab.com/cki-project/docker-machine/-/releases\u003cbr/\u003epre\\_install\\_script = Script to run before installing the Runner\u003cbr/\u003epost\\_install\\_script = Script to run after installing the Runner\u003cbr/\u003estart\\_script = Script to run after starting the Runner\u003cbr/\u003eyum\\_update = Update the yum packages before installing the Runner | \u003cpre\u003eobject({\u003cbr/\u003e    amazon_ecr_credential_helper = optional(bool, false)\u003cbr/\u003e    docker_machine_download_url  = optional(string, \"\")\u003cbr/\u003e    docker_machine_version       = optional(string, \"0.16.2-gitlab.19-cki.5\")\u003cbr/\u003e    pre_install_script           = optional(string, \"\")\u003cbr/\u003e    post_install_script          = optional(string, \"\")\u003cbr/\u003e    start_script                 = optional(string, \"\")\u003cbr/\u003e    yum_update                   = optional(bool, true)\u003cbr/\u003e  })\u003c/pre\u003e | `{}` | no |\n| \u003ca name=\"input_runner_instance\"\u003e\u003c/a\u003e [runner\\_instance](#input\\_runner\\_instance) | additional\\_tags = Map of tags that will be added to the Runner instance.\u003cbr/\u003ecollect\\_autoscaling\\_metrics = A list of metrics to collect. 
The allowed values are GroupDesiredCapacity, GroupInServiceCapacity, GroupPendingCapacity, GroupMinSize, GroupMaxSize, GroupInServiceInstances, GroupPendingInstances, GroupStandbyInstances, GroupStandbyCapacity, GroupTerminatingCapacity, GroupTerminatingInstances, GroupTotalCapacity, GroupTotalInstances.\u003cbr/\u003eebs\\_optimized = Enable EBS optimization for the Runner instance.\u003cbr/\u003emax\\_lifetime\\_seconds = The maximum time a Runner should live before it is killed.\u003cbr/\u003emonitoring = Enable the detailed monitoring on the Runner instance.\u003cbr/\u003ename = Name of the Runner instance.\u003cbr/\u003ename\\_prefix = Set the name prefix and override the `Name` tag for the Runner instance.\u003cbr/\u003eprivate\\_address\\_only = Restrict the Runner to use private IP addresses only. If this is set to `true` the Runner will use a private IP address only in case the Runner Workers use private addresses only.\u003cbr/\u003eroot\\_device\\_config = The Runner's root block device configuration. Takes the following keys: `device_name`, `delete_on_termination`, `volume_type`, `volume_size`, `encrypted`, `iops`, `throughput`, `kms_key_id`\u003cbr/\u003espot\\_price = By setting a spot price bid price the Runner is created via a spot request. Be aware that spot instances can be stopped by AWS. Choose \\\"on-demand-price\\\" to pay up to the current on demand price for the instance type chosen.\u003cbr/\u003essm\\_access = Allows to connect to the Runner via SSM.\u003cbr/\u003etype = EC2 instance type used.\u003cbr/\u003euse\\_eip = Assigns an EIP to the Runner. 
| \u003cpre\u003eobject({\u003cbr/\u003e    additional_tags             = optional(map(string))\u003cbr/\u003e    collect_autoscaling_metrics = optional(list(string), null)\u003cbr/\u003e    ebs_optimized               = optional(bool, true)\u003cbr/\u003e    max_lifetime_seconds        = optional(number, null)\u003cbr/\u003e    monitoring                  = optional(bool, true)\u003cbr/\u003e    name                        = string\u003cbr/\u003e    name_prefix                 = optional(string)\u003cbr/\u003e    private_address_only        = optional(bool, true)\u003cbr/\u003e    root_device_config          = optional(map(string), {})\u003cbr/\u003e    spot_price                  = optional(string, null)\u003cbr/\u003e    ssm_access                  = optional(bool, false)\u003cbr/\u003e    type                        = optional(string, \"t3.micro\")\u003cbr/\u003e    use_eip                     = optional(bool, false)\u003cbr/\u003e  })\u003c/pre\u003e | \u003cpre\u003e{\u003cbr/\u003e  \"name\": \"gitlab-runner\"\u003cbr/\u003e}\u003c/pre\u003e | no |\n| \u003ca name=\"input_runner_manager\"\u003e\u003c/a\u003e [runner\\_manager](#input\\_runner\\_manager) | For details check https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-global-section\u003cbr/\u003e\u003cbr/\u003egitlab\\_check\\_interval = Number of seconds between checking for available jobs (check\\_interval)\u003cbr/\u003emaximum\\_concurrent\\_jobs = The maximum number of jobs which can be processed by all Runners at the same time (concurrent).\u003cbr/\u003eprometheus\\_listen\\_address = Defines an address (\u003chost\u003e:\u003cport\u003e) the Prometheus metrics HTTP server should listen on (listen\\_address).\u003cbr/\u003esentry\\_dsn = Sentry DSN of the project for the Runner Manager to use (uses legacy DSN format) (sentry\\_dsn)\u003cbr/\u003econnection\\_max\\_age = The maximum age of a connection to the Runner Manager (connection\\_max\\_age). 
| \u003cpre\u003eobject({\u003cbr/\u003e    gitlab_check_interval     = optional(number, 3)\u003cbr/\u003e    maximum_concurrent_jobs   = optional(number, 10)\u003cbr/\u003e    prometheus_listen_address = optional(string, \"\")\u003cbr/\u003e    sentry_dsn                = optional(string, \"__SENTRY_DSN_REPLACED_BY_USER_DATA__\")\u003cbr/\u003e    connection_max_age        = optional(string, \"15m\")\u003cbr/\u003e  })\u003c/pre\u003e | `{}` | no |\n| \u003ca name=\"input_runner_metadata_options\"\u003e\u003c/a\u003e [runner\\_metadata\\_options](#input\\_runner\\_metadata\\_options) | Enable the Runner instance metadata service. IMDSv2 is enabled by default. | \u003cpre\u003eobject({\u003cbr/\u003e    http_endpoint               = string\u003cbr/\u003e    http_tokens                 = string\u003cbr/\u003e    http_put_response_hop_limit = number\u003cbr/\u003e    instance_metadata_tags      = string\u003cbr/\u003e  })\u003c/pre\u003e | \u003cpre\u003e{\u003cbr/\u003e  \"http_endpoint\": \"enabled\",\u003cbr/\u003e  \"http_put_response_hop_limit\": 2,\u003cbr/\u003e  \"http_tokens\": \"required\",\u003cbr/\u003e  \"instance_metadata_tags\": \"disabled\"\u003cbr/\u003e}\u003c/pre\u003e | no |\n| \u003ca name=\"input_runner_networking\"\u003e\u003c/a\u003e [runner\\_networking](#input\\_runner\\_networking) | allow\\_incoming\\_ping = Allow ICMP Ping to the Runner. Specify `allow_incoming_ping_security_group_ids` too!\u003cbr/\u003eallow\\_incoming\\_ping\\_security\\_group\\_ids = A list of security group ids that are allowed to ping the Runner.\u003cbr/\u003esecurity\\_group\\_description = A description for the Runner's security group\u003cbr/\u003esecurity\\_group\\_ids = IDs of security groups to add to the Runner. 
| \u003cpre\u003eobject({\u003cbr/\u003e    allow_incoming_ping                    = optional(bool, false)\u003cbr/\u003e    allow_incoming_ping_security_group_ids = optional(list(string), [])\u003cbr/\u003e    security_group_description             = optional(string, \"A security group containing gitlab-runner agent instances\")\u003cbr/\u003e    security_group_ids                     = optional(list(string), [])\u003cbr/\u003e  })\u003c/pre\u003e | `{}` | no |\n| \u003ca name=\"input_runner_role\"\u003e\u003c/a\u003e [runner\\_role](#input\\_runner\\_role) | additional\\_tags = Map of tags that will be added to the role created. Useful for tag based authorization.\u003cbr/\u003eallow\\_iam\\_service\\_linked\\_role\\_creation = Boolean used to control attaching the policy to the Runner to create service linked roles.\u003cbr/\u003eassume\\_role\\_policy\\_json = The assume role policy for the Runner.\u003cbr/\u003ecreate\\_role\\_profile = Whether to create the IAM role/profile for the Runner. If you provide your own role, make sure that it has the required permissions.\u003cbr/\u003epolicy\\_arns = List of policy ARNs to be added to the instance profile of the Runner.\u003cbr/\u003erole\\_profile\\_name = IAM role/profile name for the Runner. If unspecified then `${var.iam_object_prefix}-instance` is used. 
| \u003cpre\u003eobject({\u003cbr/\u003e    additional_tags                        = optional(map(string))\u003cbr/\u003e    allow_iam_service_linked_role_creation = optional(bool, true)\u003cbr/\u003e    assume_role_policy_json                = optional(string, \"\")\u003cbr/\u003e    create_role_profile                    = optional(bool, true)\u003cbr/\u003e    policy_arns                            = optional(list(string), [])\u003cbr/\u003e    role_profile_name                      = optional(string)\u003cbr/\u003e  })\u003c/pre\u003e | `{}` | no |\n| \u003ca name=\"input_runner_schedule_config\"\u003e\u003c/a\u003e [runner\\_schedule\\_config](#input\\_runner\\_schedule\\_config) | Map containing the configuration of the ASG scale-out and scale-in for the Runner. Will only be used if `runner_schedule_enable` is set to `true`. | `map(any)` | \u003cpre\u003e{\u003cbr/\u003e  \"scale_in_count\": 0,\u003cbr/\u003e  \"scale_in_recurrence\": \"0 18 * * 1-5\",\u003cbr/\u003e  \"scale_in_time_zone\": \"Etc/UTC\",\u003cbr/\u003e  \"scale_out_count\": 1,\u003cbr/\u003e  \"scale_out_recurrence\": \"0 8 * * 1-5\",\u003cbr/\u003e  \"scale_out_time_zone\": \"Etc/UTC\"\u003cbr/\u003e}\u003c/pre\u003e | no |\n| \u003ca name=\"input_runner_schedule_enable\"\u003e\u003c/a\u003e [runner\\_schedule\\_enable](#input\\_runner\\_schedule\\_enable) | Set to `true` to enable the auto scaling group schedule for the Runner. 
| `bool` | `false` | no |\n| \u003ca name=\"input_runner_sentry_secure_parameter_store_name\"\u003e\u003c/a\u003e [runner\\_sentry\\_secure\\_parameter\\_store\\_name](#input\\_runner\\_sentry\\_secure\\_parameter\\_store\\_name) | The Sentry DSN name used to store the Sentry DSN in Secure Parameter Store | `string` | `\"sentry-dsn\"` | no |\n| \u003ca name=\"input_runner_terminate_ec2_environment_variables\"\u003e\u003c/a\u003e [runner\\_terminate\\_ec2\\_environment\\_variables](#input\\_runner\\_terminate\\_ec2\\_environment\\_variables) | Environment variables to set for the Lambda function. A value of `{HANDLER}` is replaced with the handler value of the Lambda function. | `map(string)` | `{}` | no |\n| \u003ca name=\"input_runner_terminate_ec2_lambda_egress_rules\"\u003e\u003c/a\u003e [runner\\_terminate\\_ec2\\_lambda\\_egress\\_rules](#input\\_runner\\_terminate\\_ec2\\_lambda\\_egress\\_rules) | Map of egress rules for the Lambda function. | \u003cpre\u003emap(object({\u003cbr/\u003e    from_port       = optional(number, null)\u003cbr/\u003e    to_port         = optional(number, null)\u003cbr/\u003e    protocol        = string\u003cbr/\u003e    description     = string\u003cbr/\u003e    cidr_block      = optional(string, null)\u003cbr/\u003e    ipv6_cidr_block = optional(string, null)\u003cbr/\u003e    prefix_list_id  = optional(string, null)\u003cbr/\u003e    security_group  = optional(string, null)\u003cbr/\u003e  }))\u003c/pre\u003e | \u003cpre\u003e{\u003cbr/\u003e  \"allow_https_ipv4\": {\u003cbr/\u003e    \"cidr_block\": \"0.0.0.0/0\",\u003cbr/\u003e    \"description\": \"Allow HTTPS egress traffic to all destinations (IPv4)\",\u003cbr/\u003e    \"from_port\": 443,\u003cbr/\u003e    \"protocol\": \"tcp\",\u003cbr/\u003e    \"to_port\": 443\u003cbr/\u003e  },\u003cbr/\u003e  \"allow_https_ipv6\": {\u003cbr/\u003e    \"description\": \"Allow HTTPS egress traffic to all destinations (IPv6)\",\u003cbr/\u003e    \"from_port\": 443,\u003cbr/\u003e    
\"ipv6_cidr_block\": \"::/0\",\u003cbr/\u003e    \"protocol\": \"tcp\",\u003cbr/\u003e    \"to_port\": 443\u003cbr/\u003e  }\u003cbr/\u003e}\u003c/pre\u003e | no |\n| \u003ca name=\"input_runner_terminate_ec2_lambda_handler\"\u003e\u003c/a\u003e [runner\\_terminate\\_ec2\\_lambda\\_handler](#input\\_runner\\_terminate\\_ec2\\_lambda\\_handler) | The handler for the terminate Lambda function. | `string` | `null` | no |\n| \u003ca name=\"input_runner_terminate_ec2_lambda_layer_arns\"\u003e\u003c/a\u003e [runner\\_terminate\\_ec2\\_lambda\\_layer\\_arns](#input\\_runner\\_terminate\\_ec2\\_lambda\\_layer\\_arns) | A list of ARNs of Lambda layers to attach to the Lambda function. | `list(string)` | `[]` | no |\n| \u003ca name=\"input_runner_terminate_ec2_lifecycle_hook_name\"\u003e\u003c/a\u003e [runner\\_terminate\\_ec2\\_lifecycle\\_hook\\_name](#input\\_runner\\_terminate\\_ec2\\_lifecycle\\_hook\\_name) | Specifies a custom name for the ASG terminate lifecycle hook and related resources. | `string` | `null` | no |\n| \u003ca name=\"input_runner_terminate_ec2_lifecycle_timeout_duration\"\u003e\u003c/a\u003e [runner\\_terminate\\_ec2\\_lifecycle\\_timeout\\_duration](#input\\_runner\\_terminate\\_ec2\\_lifecycle\\_timeout\\_duration) | Amount of time in seconds to wait for GitLab Runner to finish picked up jobs. Defaults to the `maximum_timeout` configured + `5m`. Maximum allowed is `7200` (2 hours) | `number` | `null` | no |\n| \u003ca name=\"input_runner_terminate_ec2_timeout_duration\"\u003e\u003c/a\u003e [runner\\_terminate\\_ec2\\_timeout\\_duration](#input\\_runner\\_terminate\\_ec2\\_timeout\\_duration) | Timeout in seconds for the graceful terminate worker Lambda function. | `number` | `90` | no |\n| \u003ca name=\"input_runner_terraform_timeout_delete_asg\"\u003e\u003c/a\u003e [runner\\_terraform\\_timeout\\_delete\\_asg](#input\\_runner\\_terraform\\_timeout\\_delete\\_asg) | Timeout when trying to delete the Runner ASG. 
| `string` | `\"10m\"` | no |\n| \u003ca name=\"input_runner_worker\"\u003e\u003c/a\u003e [runner\\_worker](#input\\_runner\\_worker) | For detailed information, check https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-runners-section.\u003cbr/\u003e\u003cbr/\u003eenvironment\\_variables = List of environment variables to add to the Runner Worker (environment).\u003cbr/\u003emax\\_jobs = Number of jobs which can be processed in parallel by the Runner Worker.\u003cbr/\u003eoutput\\_limit = Sets the maximum build log size in kilobytes. Default is 4MB (output\\_limit).\u003cbr/\u003erequest\\_concurrency = Limit number of concurrent requests for new jobs from GitLab (default 1) (request\\_concurrency).\u003cbr/\u003essm\\_access = Allows to connect to the Runner Worker via SSM.\u003cbr/\u003etype = The Runner Worker type to use. Currently supports `docker+machine` or `docker` or `docker-autoscaler`.\u003cbr/\u003euse\\_private\\_key = Use a private key to connect the Runner Manager to the Runner Workers. Ignored when fleeting is enabled (defaults to `true`). | \u003cpre\u003eobject({\u003cbr/\u003e    environment_variables = optional(list(string), [])\u003cbr/\u003e    max_jobs              = optional(number, 0)\u003cbr/\u003e    output_limit          = optional(number, 4096)\u003cbr/\u003e    request_concurrency   = optional(number, 1)\u003cbr/\u003e    ssm_access            = optional(bool, false)\u003cbr/\u003e    type                  = optional(string, \"docker+machine\")\u003cbr/\u003e    # false positive, use_private_key is not a secret\u003cbr/\u003e    # kics-scan ignore-line\u003cbr/\u003e    use_private_key = optional(bool, false)\u003cbr/\u003e  })\u003c/pre\u003e | `{}` | no |\n| \u003ca name=\"input_runner_worker_cache\"\u003e\u003c/a\u003e [runner\\_worker\\_cache](#input\\_runner\\_worker\\_cache) | Configuration to control the creation of the cache bucket. 
By default the bucket will be created and used as shared\u003cbr/\u003ecache. To use the same cache across multiple Runner Workers, disable the creation of the cache and provide a policy and\u003cbr/\u003ebucket name. See the public runner example for more details.\u003cbr/\u003e\u003cbr/\u003eFor detailed documentation check https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-runnerscaches3-section.\u003cbr/\u003e\u003cbr/\u003eaccess\\_log\\_bucket\\_id = The ID of the bucket where the access logs are stored.\u003cbr/\u003eaccess\\_log\\_bucket\\_prefix = The bucket prefix for the access logs.\u003cbr/\u003eauthentication\\_type = A string that declares the AuthenticationType for [runners.cache.s3]. Can either be 'iam' or 'credentials'.\u003cbr/\u003ebucket = Name of the cache bucket. Requires `create = false`.\u003cbr/\u003ebucket\\_prefix = Prefix for s3 cache bucket name. Requires `create = true`.\u003cbr/\u003ecreate = Boolean used to enable or disable the creation of the cache bucket.\u003cbr/\u003ecreate\\_aws\\_s3\\_bucket\\_public\\_access\\_block = Boolean used to enable or disable the creation of the public access block for the cache bucket. Useful when organizations do not allow the creation of public access blocks on individual buckets (e.g. public access is blocked on all buckets at the organization level).\u003cbr/\u003eexpiration\\_days = Number of days before cache objects expire. Requires `create = true`.\u003cbr/\u003einclude\\_account\\_id = Boolean used to include the account id in the cache bucket name. Requires `create = true`.\u003cbr/\u003epolicy = Policy to use for the cache bucket. Requires `create = false`.\u003cbr/\u003erandom\\_suffix = Boolean used to enable or disable the use of a random string suffix on the cache bucket name. 
Requires `create = true`.\u003cbr/\u003eshared = Boolean used to enable or disable the use of the cache bucket as shared cache.\u003cbr/\u003eversioning = Boolean used to enable versioning on the cache bucket. Requires `create = true`. | \u003cpre\u003eobject({\u003cbr/\u003e    access_log_bucket_id                     = optional(string, null)\u003cbr/\u003e    access_log_bucket_prefix                 = optional(string, null)\u003cbr/\u003e    authentication_type                      = optional(string, \"iam\")\u003cbr/\u003e    bucket                                   = optional(string, \"\")\u003cbr/\u003e    bucket_prefix                            = optional(string, \"\")\u003cbr/\u003e    create                                   = optional(bool, true)\u003cbr/\u003e    create_aws_s3_bucket_public_access_block = optional(bool, true)\u003cbr/\u003e    expiration_days                          = optional(number, 1)\u003cbr/\u003e    include_account_id                       = optional(bool, true)\u003cbr/\u003e    policy                                   = optional(string, \"\")\u003cbr/\u003e    random_suffix                            = optional(bool, false)\u003cbr/\u003e    shared                                   = optional(bool, false)\u003cbr/\u003e    versioning                               = optional(bool, false)\u003cbr/\u003e  })\u003c/pre\u003e | `{}` | no |\n| \u003ca name=\"input_runner_worker_docker_add_dind_volumes\"\u003e\u003c/a\u003e [runner\\_worker\\_docker\\_add\\_dind\\_volumes](#input\\_runner\\_worker\\_docker\\_add\\_dind\\_volumes) | Add certificates and docker.sock to the volumes to support docker-in-docker (dind) | `bool` | `false` | no |\n| \u003ca name=\"input_runner_worker_docker_autoscaler\"\u003e\u003c/a\u003e [runner\\_worker\\_docker\\_autoscaler](#input\\_runner\\_worker\\_docker\\_autoscaler) | fleeting\\_plugin\\_version = The version of aws fleeting plugin.\u003cbr/\u003econnector\\_config\\_user = User to connect to worker 
machine.\u003cbr/\u003ekey\\_pair\\_name = The name of the key pair used by the Runner to connect to the docker-machine Runner Workers. This variable is only supported when `enables` is set to `true`.\u003cbr/\u003ecapacity\\_per\\_instance = The number of jobs that can be executed concurrently by a single instance.\u003cbr/\u003emax\\_use\\_count = Max job number that can run on a worker.\u003cbr/\u003eupdate\\_interval = The interval to check with the fleeting plugin for instance updates.\u003cbr/\u003eupdate\\_interval\\_when\\_expecting = The interval to check with the fleeting plugin for instance updates when expecting a state change.\u003cbr/\u003einstance\\_ready\\_command = Executes this command on each instance provisioned by the autoscaler to ensure that it is ready for use. A failure results in the instance being removed. | \u003cpre\u003eobject({\u003cbr/\u003e    fleeting_plugin_version        = optional(string, \"1.0.0\")\u003cbr/\u003e    connector_config_user          = optional(string, \"ec2-user\")\u003cbr/\u003e    key_pair_name                  = optional(string, \"runner-worker-key\")\u003cbr/\u003e    capacity_per_instance          = optional(number, 1)\u003cbr/\u003e    max_use_count                  = optional(number, 100)\u003cbr/\u003e    update_interval                = optional(string, \"1m\")\u003cbr/\u003e    update_interval_when_expecting = optional(string, \"2s\")\u003cbr/\u003e    instance_ready_command         = optional(string, \"\")\u003cbr/\u003e  })\u003c/pre\u003e | `{}` | no |\n| \u003ca name=\"input_runner_worker_docker_autoscaler_ami_filter\"\u003e\u003c/a\u003e [runner\\_worker\\_docker\\_autoscaler\\_ami\\_filter](#input\\_runner\\_worker\\_docker\\_autoscaler\\_ami\\_filter) | List of maps used to create the AMI filter for the Runner Worker (autoscaler). 
| `map(list(string))` | \u003cpre\u003e{\u003cbr/\u003e  \"name\": [\u003cbr/\u003e    \"ubuntu/images/hvm-ssd-gp3/ubuntu-noble-24.04-amd64-server-*\"\u003cbr/\u003e  ]\u003cbr/\u003e}\u003c/pre\u003e | no |\n| \u003ca name=\"input_runner_worker_docker_autoscaler_ami_id\"\u003e\u003c/a\u003e [runner\\_worker\\_docker\\_autoscaler\\_ami\\_id](#input\\_runner\\_worker\\_docker\\_autoscaler\\_ami\\_id) | The ID of the AMI to use for the Runner Worker (autoscaler). | `string` | `\"\"` | no |\n| \u003ca name=\"input_runner_worker_docker_autoscaler_ami_owners\"\u003e\u003c/a\u003e [runner\\_worker\\_docker\\_autoscaler\\_ami\\_owners](#input\\_runner\\_worker\\_docker\\_autoscaler\\_ami\\_owners) | The list of owners used to select the AMI of the Runner Worker (autoscaler). | `list(string)` | \u003cpre\u003e[\u003cbr/\u003e  \"099720109477\"\u003cbr/\u003e]\u003c/pre\u003e | no |\n| \u003ca name=\"input_runner_worker_docker_autoscaler_asg\"\u003e\u003c/a\u003e [runner\\_worker\\_docker\\_autoscaler\\_asg](#input\\_runner\\_worker\\_docker\\_autoscaler\\_asg) | enabled\\_metrics = List of metrics to collect.\u003cbr/\u003eenable\\_mixed\\_instances\\_policy = Make use of autoscaling-group mixed\\_instances\\_policy capacities to leverage pools and spot instances.\u003cbr/\u003ehealth\\_check\\_grace\\_period = Time (in seconds) after instance comes into service before checking health.\u003cbr/\u003ehealth\\_check\\_type = Controls how health checking is done. Values are - EC2 and ELB.\u003cbr/\u003einstance\\_refresh\\_min\\_healthy\\_percentage = The amount of capacity in the Auto Scaling group that must remain healthy during an instance refresh to allow the operation to continue, as a percentage of the desired capacity of the Auto Scaling group.\u003cbr/\u003einstance\\_refresh\\_triggers = Set of additional property names that will trigger an Instance Refresh. 
A refresh will always be triggered by a change in any of launch\\_configuration, launch\\_template, or mixed\\_instances\\_policy.\u003cbr/\u003eon\\_demand\\_base\\_capacity = Absolute minimum amount of desired capacity that must be fulfilled by on-demand instances.\u003cbr/\u003eon\\_demand\\_percentage\\_above\\_base\\_capacity = Percentage split between on-demand and Spot instances above the base on-demand capacity.\u003cbr/\u003espot\\_allocation\\_strategy = How to allocate capacity across the Spot pools. 'lowest-price' to optimize cost, 'capacity-optimized' to reduce interruptions.\u003cbr/\u003espot\\_instance\\_pools = Number of Spot pools per availability zone to allocate capacity. EC2 Auto Scaling selects the cheapest Spot pools and evenly allocates Spot capacity across the number of Spot pools that you specify.\u003cbr/\u003esubnet\\_ids = The list of subnet IDs to use for the Runner Worker when the fleet mode is enabled.\u003cbr/\u003edefault\\_instance\\_type = Default instance type for the launch template\u003cbr/\u003etypes = The type of instance to use for the Runner Worker. In case of fleet mode, multiple instance types are supported.\u003cbr/\u003eupgrade\\_strategy = Auto deploy new instances when launch template changes. Can be either 'bluegreen', 'rolling' or 'off'.\u003cbr/\u003einstance\\_requirements = Override the instance type in the Launch Template with instance types that satisfy the requirements. 
| \u003cpre\u003eobject({\u003cbr/\u003e    enabled_metrics                          = optional(list(string), [])\u003cbr/\u003e    enable_mixed_instances_policy            = optional(bool, false)\u003cbr/\u003e    health_check_grace_period                = optional(number, 300)\u003cbr/\u003e    health_check_type                        = optional(string, \"EC2\")\u003cbr/\u003e    instance_refresh_min_healthy_percentage  = optional(number, 90)\u003cbr/\u003e    instance_refresh_triggers                = optional(list(string), [])\u003cbr/\u003e    on_demand_base_capacity                  = optional(number, 0)\u003cbr/\u003e    on_demand_percentage_above_base_capacity = optional(number, 100)\u003cbr/\u003e    spot_allocation_strategy                 = optional(string, \"lowest-price\")\u003cbr/\u003e    spot_instance_pools                      = optional(number, 2)\u003cbr/\u003e    subnet_ids                               = optional(list(string), [])\u003cbr/\u003e    default_instance_type                    = optional(string, \"m5.large\")\u003cbr/\u003e    types                                    = optional(list(string), [])\u003cbr/\u003e    upgrade_strategy                         = optional(string, \"rolling\")\u003cbr/\u003e    instance_requirements = optional(list(object({\u003cbr/\u003e      allowed_instance_types = optional(list(string), [])\u003cbr/\u003e      cpu_manufacturers      = optional(list(string), [])\u003cbr/\u003e      instance_generations   = optional(list(string), [])\u003cbr/\u003e      burstable_performance  = optional(string)\u003cbr/\u003e      memory_mib = optional(object({\u003cbr/\u003e        min = optional(number, null)\u003cbr/\u003e      max = optional(number, null) }), {})\u003cbr/\u003e      vcpu_count = optional(object({\u003cbr/\u003e        min = optional(number, null)\u003cbr/\u003e      max = optional(number, null) }), {})\u003cbr/\u003e    })), [])\u003cbr/\u003e  })\u003c/pre\u003e | `{}` | no |\n| \u003ca 
name=\"input_runner_worker_docker_autoscaler_autoscaling_options\"\u003e\u003c/a\u003e [runner\\_worker\\_docker\\_autoscaler\\_autoscaling\\_options](#input\\_runner\\_worker\\_docker\\_autoscaler\\_autoscaling\\_options) | Set autoscaling parameters based on periods, see https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-runnersautoscalerpolicy-sections | \u003cpre\u003elist(object({\u003cbr/\u003e    periods            = list(string)\u003cbr/\u003e    timezone           = optional(string, \"UTC\")\u003cbr/\u003e    idle_count         = optional(number)\u003cbr/\u003e    idle_time          = optional(string)\u003cbr/\u003e    scale_factor       = optional(number)\u003cbr/\u003e    scale_factor_limit = optional(number, 0)\u003cbr/\u003e    preemptive_mode    = optional(bool)\u003cbr/\u003e  }))\u003c/pre\u003e | `[]` | no |\n| \u003ca name=\"input_runner_worker_docker_autoscaler_instance\"\u003e\u003c/a\u003e [runner\\_worker\\_docker\\_autoscaler\\_instance](#input\\_runner\\_worker\\_docker\\_autoscaler\\_instance) | ebs\\_optimized = Enable EBS optimization for the Runner Worker.\u003cbr/\u003ehttp\\_tokens = Whether or not the metadata service requires session tokens.\u003cbr/\u003ehttp\\_put\\_response\\_hop\\_limit = The desired HTTP PUT response hop limit for instance metadata requests. The larger the number, the further instance metadata requests can travel.\u003cbr/\u003emonitoring = Enable detailed monitoring for the Runner Worker.\u003cbr/\u003eprivate\\_address\\_only = Restrict Runner Worker to the use of a private IP address. If `runner_instance.use_private_address_only` is set to `true` (default),\u003cbr/\u003eroot\\_device\\_name = The name of the root volume for the Runner Worker.\u003cbr/\u003eroot\\_size = The size of the root volume for the Runner Worker.\u003cbr/\u003estart\\_script = Cloud-init user data that will be passed to the Runner Worker. 
Should not be base64 encoded.\u003cbr/\u003estart\\_script\\_compression\\_algorithm = `gzip` compress the start script to mitigate the ~16 KB user data limit. Use `none` for Windows (EC2Launch does not support gzipped user data).\u003cbr/\u003evolume\\_type = The type of volume to use for the Runner Worker. `gp2`, `gp3`, `io1` or `io2` are supported.\u003cbr/\u003evolume\\_iops = Guaranteed IOPS for the volume. Only supported when using `gp3`, `io1` or `io2` as `volume_type`.\u003cbr/\u003evolume\\_throughput = Throughput in MB/s for the volume. Only supported when using `gp3` as `volume_type`. | \u003cpre\u003eobject({\u003cbr/\u003e    ebs_optimized = optional(bool, true)\u003cbr/\u003e    # TODO should always be \"required\", right? https://aquasecurity.github.io/tfsec/v1.28.0/checks/aws/ec2/enforce-launch-config-http-token-imds/\u003cbr/\u003e    http_tokens                        = optional(string, \"required\")\u003cbr/\u003e    http_put_response_hop_limit        = optional(number, 2)\u003cbr/\u003e    monitoring                         = optional(bool, false)\u003cbr/\u003e    private_address_only               = optional(bool, true)\u003cbr/\u003e    root_device_name                   = optional(string, \"/dev/sda1\")\u003cbr/\u003e    root_size                          = optional(number, 8)\u003cbr/\u003e    start_script                       = optional(string, \"\")\u003cbr/\u003e    start_script_compression_algorithm = optional(string, \"gzip\")\u003cbr/\u003e    volume_type                        = optional(string, \"gp2\")\u003cbr/\u003e    volume_throughput                  = optional(number, 125)\u003cbr/\u003e    volume_iops                        = optional(number, 3000)\u003cbr/\u003e  })\u003c/pre\u003e | `{}` | no |\n| \u003ca name=\"input_runner_worker_docker_autoscaler_role\"\u003e\u003c/a\u003e [runner\\_worker\\_docker\\_autoscaler\\_role](#input\\_runner\\_worker\\_docker\\_autoscaler\\_role) | additional\\_tags = Map of tags that will 
be added to the Runner Worker.\u003cbr/\u003eassume\\_role\\_policy\\_json = Assume role policy for the Runner Worker.\u003cbr/\u003epolicy\\_arns = List of ARNs of IAM policies to attach to the Runner Workers.\u003cbr/\u003eprofile\\_name    = Name of the IAM profile to attach to the Runner Workers. | \u003cpre\u003eobject({\u003cbr/\u003e    additional_tags         = optional(map(string), {})\u003cbr/\u003e    assume_role_policy_json = optional(string, \"\")\u003cbr/\u003e    policy_arns             = optional(list(string), [])\u003cbr/\u003e    profile_name            = optional(string, \"\")\u003cbr/\u003e  })\u003c/pre\u003e | `{}` | no |\n| \u003ca name=\"input_runner_worker_docker_machine_ami_filter\"\u003e\u003c/a\u003e [runner\\_worker\\_docker\\_machine\\_ami\\_filter](#input\\_runner\\_worker\\_docker\\_machine\\_ami\\_filter) | List of maps used to create the AMI filter for the Runner Worker (docker-machine). | `map(list(string))` | \u003cpre\u003e{\u003cbr/\u003e  \"name\": [\u003cbr/\u003e    \"ubuntu/images/hvm-ssd-gp3/ubuntu-noble-24.04-amd64-server-*\"\u003cbr/\u003e  ]\u003cbr/\u003e}\u003c/pre\u003e | no |\n| \u003ca name=\"input_runner_worker_docker_machine_ami_id\"\u003e\u003c/a\u003e [runner\\_worker\\_docker\\_machine\\_ami\\_id](#input\\_runner\\_worker\\_docker\\_machine\\_ami\\_id) | The ID of the AMI to use for the Runner Worker (docker-machine). | `string` | `\"\"` | no |\n| \u003ca name=\"input_runner_worker_docker_machine_ami_owners\"\u003e\u003c/a\u003e [runner\\_worker\\_docker\\_machine\\_ami\\_owners](#input\\_runner\\_worker\\_docker\\_machine\\_ami\\_owners) | The list of owners used to select the AMI of the Runner Worker (docker-machine). 
| `list(string)` | \u003cpre\u003e[\u003cbr/\u003e  \"099720109477\"\u003cbr/\u003e]\u003c/pre\u003e | no |\n| \u003ca name=\"input_runner_worker_docker_machine_autoscaling_options\"\u003e\u003c/a\u003e [runner\\_worker\\_docker\\_machine\\_autoscaling\\_options](#input\\_runner\\_worker\\_docker\\_machine\\_autoscaling\\_options) | Set autoscaling parameters based on periods, see https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-runnersmachine-section | \u003cpre\u003elist(object({\u003cbr/\u003e    periods           = list(string)\u003cbr/\u003e    idle_count        = optional(number)\u003cbr/\u003e    idle_scale_factor = optional(number)\u003cbr/\u003e    idle_count_min    = optional(number)\u003cbr/\u003e    idle_time         = optional(number)\u003cbr/\u003e    timezone          = optional(string, \"UTC\")\u003cbr/\u003e  }))\u003c/pre\u003e | `[]` | no |\n| \u003ca name=\"input_runner_worker_docker_machine_ec2_metadata_options\"\u003e\u003c/a\u003e [runner\\_worker\\_docker\\_machine\\_ec2\\_metadata\\_options](#input\\_runner\\_worker\\_docker\\_machine\\_ec2\\_metadata\\_options) | Enable the Runner Worker metadata service. Requires you use CKI maintained docker machines. | \u003cpre\u003eobject({\u003cbr/\u003e    http_tokens                 = string\u003cbr/\u003e    http_put_response_hop_limit = number\u003cbr/\u003e  })\u003c/pre\u003e | \u003cpre\u003e{\u003cbr/\u003e  \"http_put_response_hop_limit\": 2,\u003cbr/\u003e  \"http_tokens\": \"required\"\u003cbr/\u003e}\u003c/pre\u003e | no |\n| \u003ca name=\"input_runner_worker_docker_machine_ec2_options\"\u003e\u003c/a\u003e [runner\\_worker\\_docker\\_machine\\_ec2\\_options](#input\\_runner\\_worker\\_docker\\_machine\\_ec2\\_options) | List of additional options for the docker+machine config. Each element of this list must be a key=value pair. E.g. 
'[\"amazonec2-zone=a\"]' | `list(string)` | `[]` | no |\n| \u003ca name=\"input_runner_worker_docker_machine_fleet\"\u003e\u003c/a\u003e [runner\\_worker\\_docker\\_machine\\_fleet](#input\\_runner\\_worker\\_docker\\_machine\\_fleet) | enable = Activates the fleet mode on the Runner. https://gitlab.com/cki-project/docker-machine/-/blob/v0.16.2-gitlab.19-cki.2/docs/drivers/aws.md#fleet-mode\u003cbr/\u003ekey\\_pair\\_name = The name of the key pair used by the Runner to connect to the docker-machine Runner Workers. This variable is only supported when `enable` is set to `true`. | \u003cpre\u003eobject({\u003cbr/\u003e    enable        = bool\u003cbr/\u003e    key_pair_name = optional(string, \"fleet-key\")\u003cbr/\u003e  })\u003c/pre\u003e | \u003cpre\u003e{\u003cbr/\u003e  \"enable\": false\u003cbr/\u003e}\u003c/pre\u003e | no |\n| \u003ca name=\"input_runner_worker_docker_machine_instance\"\u003e\u003c/a\u003e [runner\\_worker\\_docker\\_machine\\_instance](#input\\_runner\\_worker\\_docker\\_machine\\_instance) | For detailed documentation check https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-runnersmachine-section\u003cbr/\u003e\u003cbr/\u003edocker\\_registry\\_mirror\\_url = The URL of the Docker registry mirror to use for the Runner Worker.\u003cbr/\u003edestroy\\_after\\_max\\_builds = Destroy the instance after the maximum number of builds has been reached.\u003cbr/\u003eebs\\_optimized = Enable EBS optimization for the Runner Worker.\u003cbr/\u003eidle\\_count = Number of idle Runner Worker instances (not working for the Docker Runner Worker) (IdleCount).\u003cbr/\u003eidle\\_time = Idle time of the Runner Worker before they are destroyed (not working for the Docker Runner Worker) (IdleTime).\u003cbr/\u003emax\\_growth\\_rate = The maximum number of machines that can be added to the runner in parallel.\u003cbr/\u003emonitoring = Enable detailed monitoring for the Runner Worker.\u003cbr/\u003ename\\_prefix = Set the name 
prefix and override the `Name` tag for the Runner Worker.\u003cbr/\u003eprivate\\_address\\_only = Restrict Runner Worker to the use of a private IP address. If `runner_instance.use_private_address_only` is set to `true` (default), `runner_worker_docker_machine_instance.private_address_only` will also apply for the Runner.\u003cbr/\u003eroot\\_device\\_name = The name of the root volume for the Runner Worker.\u003cbr/\u003eroot\\_size = The size of the root volume for the Runner Worker.\u003cbr/\u003estart\\_script = Cloud-init user data that will be passed to the Runner Worker. Should not be base64 encoded.\u003cbr/\u003esubnet\\_ids = The list of subnet IDs to use for the Runner Worker when the fleet mode is enabled.\u003cbr/\u003etypes = The type of instance to use for the Runner Worker. In case of fleet mode, multiple instance types are supported.\u003cbr/\u003evolume\\_type = The type of volume to use for the Runner Worker. `gp2`, `gp3`, `io1` or `io2` are supported.\u003cbr/\u003evolume\\_throughput = Throughput in MB/s for the volume. Only supported when using `gp3` as `volume_type`.\u003cbr/\u003evolume\\_iops = Guaranteed IOPS for the volume. Only supported when using `gp3`, `io1` or `io2` as `volume_type`. Works for fleeting only. See `runner_worker_docker_machine_fleet`. 
| \u003cpre\u003eobject({\u003cbr/\u003e    destroy_after_max_builds   = optional(number, 0)\u003cbr/\u003e    docker_registry_mirror_url = optional(string, \"\")\u003cbr/\u003e    ebs_optimized              = optional(bool, true)\u003cbr/\u003e    idle_count                 = optional(number, 0)\u003cbr/\u003e    idle_time                  = optional(number, 600)\u003cbr/\u003e    max_growth_rate            = optional(number, 0)\u003cbr/\u003e    monitoring                 = optional(bool, false)\u003cbr/\u003e    name_prefix                = optional(string, \"\")\u003cbr/\u003e    private_address_only       = optional(bool, true)\u003cbr/\u003e    root_device_name           = optional(string, \"/dev/sda1\")\u003cbr/\u003e    root_size                  = optional(number, 8)\u003cbr/\u003e    start_script               = optional(string, \"\")\u003cbr/\u003e    subnet_ids                 = optional(list(string), [])\u003cbr/\u003e    types                      = optional(list(string), [\"m5.large\"])\u003cbr/\u003e    volume_type                = optional(string, \"gp2\")\u003cbr/\u003e    volume_throughput          = optional(number, 125)\u003cbr/\u003e    volume_iops                = optional(number, 3000)\u003cbr/\u003e  })\u003c/pre\u003e | `{}` | no |\n| \u003ca name=\"input_runner_worker_docker_machine_instance_spot\"\u003e\u003c/a\u003e [runner\\_worker\\_docker\\_machine\\_instance\\_spot](#input\\_runner\\_worker\\_docker\\_machine\\_instance\\_spot) | enable = Enable spot instances for the Runner Worker.\u003cbr/\u003emax\\_price = The maximum price willing to pay. By default the price is limited by the current on demand price for the instance type chosen. 
| \u003cpre\u003eobject({\u003cbr/\u003e    enable    = optional(bool, true)\u003cbr/\u003e    max_price = optional(string, \"on-demand-price\")\u003cbr/\u003e  })\u003c/pre\u003e | `{}` | no |\n| \u003ca name=\"input_runner_worker_docker_machine_role\"\u003e\u003c/a\u003e [runner\\_worker\\_docker\\_machine\\_role](#input\\_runner\\_worker\\_docker\\_machine\\_role) | additional\\_tags = Map of tags that will be added to the Runner Worker.\u003cbr/\u003eassume\\_role\\_policy\\_json = Assume role policy for the Runner Worker.\u003cbr/\u003epolicy\\_arns = List of ARNs of IAM policies to attach to the Runner Workers.\u003cbr/\u003eprofile\\_name    = Name of the IAM profile to attach to the Runner Workers. | \u003cpre\u003eobject({\u003cbr/\u003e    additional_tags         = optional(map(string), {})\u003cbr/\u003e    assume_role_policy_json = optional(string, \"\")\u003cbr/\u003e    policy_arns             = optional(list(string), [])\u003cbr/\u003e    profile_name            = optional(string, \"\")\u003cbr/\u003e  })\u003c/pre\u003e | `{}` | no |\n| \u003ca name=\"input_runner_worker_docker_machine_security_group_description\"\u003e\u003c/a\u003e [runner\\_worker\\_docker\\_machine\\_security\\_group\\_description](#input\\_runner\\_worker\\_docker\\_machine\\_security\\_group\\_description) | A description for the Runner Worker security group | `string` | `\"A security group containing Runner Worker instances\"` | no |\n| \u003ca name=\"input_runner_worker_docker_options\"\u003e\u003c/a\u003e [runner\\_worker\\_docker\\_options](#input\\_runner\\_worker\\_docker\\_options) | Options added to the [runners.docker] section of config.toml to configure the Docker container of the Runner Worker. 
For\u003cbr/\u003e    details check https://docs.gitlab.com/runner/configuration/advanced-configuration.html\u003cbr/\u003e\u003cbr/\u003e    Default values if the option is not given:\u003cbr/\u003e      disable\\_cache = \"false\"\u003cbr/\u003e      image         = \"docker:18.03.1-ce\"\u003cbr/\u003e      privileged    = \"true\"\u003cbr/\u003e      pull\\_policy   = \"always\"\u003cbr/\u003e      shm\\_size      = 0\u003cbr/\u003e      tls\\_verify    = \"false\"\u003cbr/\u003e      volumes       = \"/cache\" | \u003cpre\u003eobject({\u003cbr/\u003e    allowed_images               = optional(list(string))\u003cbr/\u003e    allowed_pull_policies        = optional(list(string))\u003cbr/\u003e    allowed_services             = optional(list(string))\u003cbr/\u003e    cache_dir                    = optional(string)\u003cbr/\u003e    cap_add                      = optional(list(string))\u003cbr/\u003e    cap_drop                     = optional(list(string))\u003cbr/\u003e    container_labels             = optional(list(string))\u003cbr/\u003e    cpuset_cpus                  = optional(string)\u003cbr/\u003e    cpu_shares                   = optional(number)\u003cbr/\u003e    cpus                         = optional(string)\u003cbr/\u003e    devices                      = optional(list(string))\u003cbr/\u003e    device_cgroup_rules          = optional(list(string))\u003cbr/\u003e    disable_cache                = optional(bool, false)\u003cbr/\u003e    disable_entrypoint_overwrite = optional(bool)\u003cbr/\u003e    dns                          = optional(list(string))\u003cbr/\u003e    dns_search                   = optional(list(string))\u003cbr/\u003e    extra_hosts                  = optional(list(string))\u003cbr/\u003e    gpus                         = optional(string)\u003cbr/\u003e    helper_image                 = optional(string)\u003cbr/\u003e    helper_image_flavor          = optional(string)\u003cbr/\u003e    host                         = 
optional(string)\u003cbr/\u003e    hostname                     = optional(string)\u003cbr/\u003e    image                        = optional(string, \"docker:18.03.1-ce\")\u003cbr/\u003e    isolation                    = optional(string)\u003cbr/\u003e    links                        = optional(list(string))\u003cbr/\u003e    mac_address                  = optional(string)\u003cbr/\u003e    memory                       = optional(string)\u003cbr/\u003e    memory_swap                  = optional(string)\u003cbr/\u003e    memory_reservation           = optional(string)\u003cbr/\u003e    network_mode                 = optional(string)\u003cbr/\u003e    oom_kill_disable             = optional(bool)\u003cbr/\u003e    oom_score_adjust             = optional(number)\u003cbr/\u003e    privileged                   = optional(bool, true)\u003cbr/\u003e    pull_policies                = optional(list(string), [\"always\"])\u003cbr/\u003e    runtime                      = optional(string)\u003cbr/\u003e    security_opt                 = optional(list(string))\u003cbr/\u003e    shm_size                     = optional(number, 0)\u003cbr/\u003e    sysctls                      = optional(list(string))\u003cbr/\u003e    tls_cert_path                = optional(string)\u003cbr/\u003e    tls_verify                   = optional(bool, false)\u003cbr/\u003e    user                         = optional(string)\u003cbr/\u003e    userns_mode                  = optional(string)\u003cbr/\u003e    volumes                      = optional(list(string), [\"/cache\"])\u003cbr/\u003e    volumes_from                 = optional(list(string))\u003cbr/\u003e    volume_driver                = optional(string)\u003cbr/\u003e    wait_for_services_timeout    = optional(number)\u003cbr/\u003e  })\u003c/pre\u003e | \u003cpre\u003e{\u003cbr/\u003e  \"disable_cache\": \"false\",\u003cbr/\u003e  \"image\": \"docker:18.03.1-ce\",\u003cbr/\u003e  \"privileged\": \"true\",\u003cbr/\u003e  \"pull_policies\": 
[\u003cbr/\u003e    \"always\"\u003cbr/\u003e  ],\u003cbr/\u003e  \"shm_size\": 0,\u003cbr/\u003e  \"tls_verify\": \"false\",\u003cbr/\u003e  \"volumes\": [\u003cbr/\u003e    \"/cache\"\u003cbr/\u003e  ]\u003cbr/\u003e}\u003c/pre\u003e | no |\n| \u003ca name=\"input_runner_worker_docker_services\"\u003e\u003c/a\u003e [runner\\_worker\\_docker\\_services](#input\\_runner\\_worker\\_docker\\_services) | Starts additional services with the Docker container. All fields must be set (examine the Dockerfile of the service image for the entrypoint - see ./examples/runner-default/main.tf) | \u003cpre\u003elist(object({\u003cbr/\u003e    name       = string\u003cbr/\u003e    alias      = string\u003cbr/\u003e    entrypoint = list(string)\u003cbr/\u003e    command    = list(string)\u003cbr/\u003e  }))\u003c/pre\u003e | `[]` | no |\n| \u003ca name=\"input_runner_worker_docker_services_volumes_tmpfs\"\u003e\u003c/a\u003e [runner\\_worker\\_docker\\_services\\_volumes\\_tmpfs](#input\\_runner\\_worker\\_docker\\_services\\_volumes\\_tmpfs) | Mount a tmpfs in gitlab service container. https://docs.gitlab.com/runner/executors/docker.html#mounting-a-directory-in-ram | \u003cpre\u003elist(object({\u003cbr/\u003e    volume  = string\u003cbr/\u003e    options = string\u003cbr/\u003e  }))\u003c/pre\u003e | `[]` | no |\n| \u003ca name=\"input_runner_worker_docker_volumes_tmpfs\"\u003e\u003c/a\u003e [runner\\_worker\\_docker\\_volumes\\_tmpfs](#input\\_runner\\_worker\\_docker\\_volumes\\_tmpfs) | Mount a tmpfs in Executor container. 
https://docs.gitlab.com/runner/executors/docker.html#mounting-a-directory-in-ram | \u003cpre\u003elist(object({\u003cbr/\u003e    volume  = string\u003cbr/\u003e    options = string\u003cbr/\u003e  }))\u003c/pre\u003e | `[]` | no |\n| \u003ca name=\"input_runner_worker_egress_rules\"\u003e\u003c/a\u003e [runner\\_worker\\_egress\\_rules](#input\\_runner\\_worker\\_egress\\_rules) | Map of egress rules for the Runner workers | \u003cpre\u003emap(object({\u003cbr/\u003e    from_port       = optional(number, null)\u003cbr/\u003e    to_port         = optional(number, null)\u003cbr/\u003e    protocol        = string\u003cbr/\u003e    description     = string\u003cbr/\u003e    cidr_block      = optional(string, null)\u003cbr/\u003e    ipv6_cidr_block = optional(string, null)\u003cbr/\u003e    prefix_list_id  = optional(string, null)\u003cbr/\u003e    security_group  = optional(string, null)\u003cbr/\u003e  }))\u003c/pre\u003e | \u003cpre\u003e{\u003cbr/\u003e  \"allow_http_ipv4\": {\u003cbr/\u003e    \"cidr_block\": \"0.0.0.0/0\",\u003cbr/\u003e    \"description\": \"Allow HTTP egress traffic to all destinations (IPv4)\",\u003cbr/\u003e    \"from_port\": 80,\u003cbr/\u003e    \"protocol\": \"tcp\",\u003cbr/\u003e    \"to_port\": 80\u003cbr/\u003e  },\u003cbr/\u003e  \"allow_http_ipv6\": {\u003cbr/\u003e    \"description\": \"Allow HTTP egress traffic to all destinations (IPv6)\",\u003cbr/\u003e    \"from_port\": 80,\u003cbr/\u003e    \"ipv6_cidr_block\": \"::/0\",\u003cbr/\u003e    \"protocol\": \"tcp\",\u003cbr/\u003e    \"to_port\": 80\u003cbr/\u003e  },\u003cbr/\u003e  \"allow_https_ipv4\": {\u003cbr/\u003e    \"cidr_block\": \"0.0.0.0/0\",\u003cbr/\u003e    \"description\": \"Allow HTTPS egress traffic to all destinations (IPv4)\",\u003cbr/\u003e    \"from_port\": 443,\u003cbr/\u003e    \"protocol\": \"tcp\",\u003cbr/\u003e    \"to_port\": 443\u003cbr/\u003e  },\u003cbr/\u003e  \"allow_https_ipv6\": {\u003cbr/\u003e    \"description\": \"Allow HTTPS egress traffic to 
all destinations (IPv6)\",\u003cbr/\u003e    \"from_port\": 443,\u003cbr/\u003e    \"ipv6_cidr_block\": \"::/0\",\u003cbr/\u003e    \"protocol\": \"tcp\",\u003cbr/\u003e    \"to_port\": 443\u003cbr/\u003e  },\u003cbr/\u003e  \"allow_ssh_ipv4\": {\u003cbr/\u003e    \"cidr_block\": \"0.0.0.0/0\",\u003cbr/\u003e    \"description\": \"Allow SSH egress traffic to all destinations (IPv4)\",\u003cbr/\u003e    \"from_port\": 22,\u003cbr/\u003e    \"protocol\": \"tcp\",\u003cbr/\u003e    \"to_port\": 22\u003cbr/\u003e  },\u003cbr/\u003e  \"allow_ssh_ipv6\": {\u003cbr/\u003e    \"description\": \"Allow SSH egress traffic to all destinations (IPv6)\",\u003cbr/\u003e    \"from_port\": 22,\u003cbr/\u003e    \"ipv6_cidr_block\": \"::/0\",\u003cbr/\u003e    \"protocol\": \"tcp\",\u003cbr/\u003e    \"to_port\": 22\u003cbr/\u003e  }\u003cbr/\u003e}\u003c/pre\u003e | no |\n| \u003ca name=\"input_runner_worker_gitlab_pipeline\"\u003e\u003c/a\u003e [runner\\_worker\\_gitlab\\_pipeline](#input\\_runner\\_worker\\_gitlab\\_pipeline) | post\\_build\\_script = Script to execute in the pipeline just after the build, but before executing after\\_script.\u003cbr/\u003epre\\_build\\_script = Script to execute in the pipeline just before the build.\u003cbr/\u003epre\\_clone\\_script = Script to execute in the pipeline before cloning the Git repository. This can be used to adjust the Git client configuration first, for example. 
| \u003cpre\u003eobject({\u003cbr/\u003e    post_build_script = optional(string, \"\\\"\\\"\")\u003cbr/\u003e    pre_build_script  = optional(string, \"\\\"\\\"\")\u003cbr/\u003e    pre_clone_script  = optional(string, \"\\\"\\\"\")\u003cbr/\u003e  })\u003c/pre\u003e | `{}` | no |\n| \u003ca name=\"input_runner_worker_ingress_rules\"\u003e\u003c/a\u003e [runner\\_worker\\_ingress\\_rules](#input\\_runner\\_worker\\_ingress\\_rules) | Map of ingress rules for the Runner workers | \u003cpre\u003emap(object({\u003cbr/\u003e    from_port       = optional(number, null)\u003cbr/\u003e    to_port         = optional(number, null)\u003cbr/\u003e    protocol        = string\u003cbr/\u003e    description     = string\u003cbr/\u003e    cidr_block      = optional(string, null)\u003cbr/\u003e    ipv6_cidr_block = optional(string, null)\u003cbr/\u003e    prefix_list_id  = optional(string, null)\u003cbr/\u003e    security_group  = optional(string, null)\u003cbr/\u003e  }))\u003c/pre\u003e | `{}` | no |\n| \u003ca name=\"input_security_group_prefix\"\u003e\u003c/a\u003e [security\\_group\\_prefix](#input\\_security\\_group\\_prefix) | Set the name prefix and overwrite the `Name` tag for all security groups. | `string` | `\"\"` | no |\n| \u003ca name=\"input_subnet_id\"\u003e\u003c/a\u003e [subnet\\_id](#input\\_subnet\\_id) | Subnet id used for the Runner and Runner Workers. Must belong to the `vpc_id`. In case the fleet mode is used, multiple subnets for\u003cbr/\u003ethe Runner Workers can be provided with runner\\_worker\\_docker\\_machine\\_instance.subnet\\_ids. | `string` | n/a | yes |\n| \u003ca name=\"input_suppressed_tags\"\u003e\u003c/a\u003e [suppressed\\_tags](#input\\_suppressed\\_tags) | List of tag keys which are automatically removed and never added as default tag by the module. | `list(string)` | `[]` | no |\n| \u003ca name=\"input_tags\"\u003e\u003c/a\u003e [tags](#input\\_tags) | Map of tags that will be added to created resources. 
By default resources will be tagged with name and environment. | `map(string)` | `{}` | no |\n| \u003ca name=\"input_vpc_id\"\u003e\u003c/a\u003e [vpc\\_id](#input\\_vpc\\_id) | The VPC used for the runner and runner workers. | `string` | n/a | yes |\n\n## Outputs\n\n| Name | Description |\n|------|-------------|\n| \u003ca name=\"output_runner_agent_role_arn\"\u003e\u003c/a\u003e [runner\\_agent\\_role\\_arn](#output\\_runner\\_agent\\_role\\_arn) | ARN of the role used for the ec2 instance for the GitLab runner agent. |\n| \u003ca name=\"output_runner_agent_role_name\"\u003e\u003c/a\u003e [runner\\_agent\\_role\\_name](#output\\_runner\\_agent\\_role\\_name) | Name of the role used for the ec2 instance for the GitLab runner agent. |\n| \u003ca name=\"output_runner_agent_sg_id\"\u003e\u003c/a\u003e [runner\\_agent\\_sg\\_id](#output\\_runner\\_agent\\_sg\\_id) | ID of the security group attached to the GitLab runner agent. |\n| \u003ca name=\"output_runner_as_group_name\"\u003e\u003c/a\u003e [runner\\_as\\_group\\_name](#output\\_runner\\_as\\_group\\_name) | Name of the autoscaling group for the gitlab-runner instance |\n| \u003ca name=\"output_runner_cache_bucket_arn\"\u003e\u003c/a\u003e [runner\\_cache\\_bucket\\_arn](#output\\_runner\\_cache\\_bucket\\_arn) | ARN of the S3 for the build cache. |\n| \u003ca name=\"output_runner_cache_bucket_name\"\u003e\u003c/a\u003e [runner\\_cache\\_bucket\\_name](#output\\_runner\\_cache\\_bucket\\_name) | Name of the S3 for the build cache. |\n| \u003ca name=\"output_runner_eip\"\u003e\u003c/a\u003e [runner\\_eip](#output\\_runner\\_eip) | EIP of the Gitlab Runner |\n| \u003ca name=\"output_runner_launch_template_name\"\u003e\u003c/a\u003e [runner\\_launch\\_template\\_name](#output\\_runner\\_launch\\_template\\_name) | The name of the runner's launch template. 
|\n| \u003ca name=\"output_runner_role_arn\"\u003e\u003c/a\u003e [runner\\_role\\_arn](#output\\_runner\\_role\\_arn) | ARN of the role used for the docker machine runners. |\n| \u003ca name=\"output_runner_role_name\"\u003e\u003c/a\u003e [runner\\_role\\_name](#output\\_runner\\_role\\_name) | Name of the role used for the docker machine runners. |\n| \u003ca name=\"output_runner_sg_id\"\u003e\u003c/a\u003e [runner\\_sg\\_id](#output\\_runner\\_sg\\_id) | ID of the security group attached to the worker instances (docker machine/autoscaler runners). |\n\u003c!-- END_TF_DOCS --\u003e\n\u003c!-- markdownlint-enable --\u003e\n\u003c!-- cSpell:enable --\u003e\n\u003c!-- markdown-link-check-enable --\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcattle-ops%2Fterraform-aws-gitlab-runner","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcattle-ops%2Fterraform-aws-gitlab-runner","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcattle-ops%2Fterraform-aws-gitlab-runner/lists"}