juandi-m / ghactionsselfmangedrunners_cf_ec2 Goto Github PK

This CloudFormation stack is designed to set up a robust AWS environment to host GitHub Runners for deploying and managing infrastructure. The stack includes a variety of AWS resources tailored to create a secure and scalable environment for continuous integration and deployment tasks.

• VPC and Subnets: Establishes a VPC with associated public subnets facilitating controlled access to AWS resources.
• Internet Gateway and Routing: Configures an Internet Gateway to provide Internet access to instances within public subnets.
• EC2 Instances: Provisions EC2 instances to serve as self-hosted GitHub Runners.
• Security Groups: Implements security rules that govern inbound and outbound traffic to the instances.
• IAM Roles and Policies: Sets up IAM roles with policies that grant the necessary permissions for the EC2 instances to interact with other AWS services.
• S3 Buckets: Includes an S3 bucket for storing application artifacts and managing state files securely.
• DynamoDB Table: Utilizes a DynamoDB table for storage related to the operations performed by the runners.
• Additional Key Pairs: Generates key pairs for secure SSH access to the instances.

GitHub Actions is a CI/CD platform that automates your software build, test, and deployment pipelines. Within this infrastructure, Actions are configured to deploy AWS resources through the runners hosted on EC2 instances.

The self-hosted runners are configured on EC2 instances. These runners listen for jobs from GitHub Actions, such as deploying updates or configuring infrastructure. The runners are set up using a user data script that installs necessary tools and configures each instance to connect securely with GitHub.

Each runner uses a specific GitHub token to authenticate with GitHub and gain permissions to manage repository-specific actions. Tokens are stored securely and are used by runners to register with GitHub, ensuring that each runner can only interact with designated repositories.

• Public Subnets: Used for resources that need to interact directly with the Internet, such as the EC2 instances configured as GitHub Runners.
• Private Subnets (optional enhancement): For added security, critical backend services can be hosted in private subnets that do not have direct Internet access.

• Internet Gateway (IGW): Provides connectivity between the AWS resources in the public subnet and the Internet, enabling the EC2 instances to fetch and execute jobs from GitHub.

• Security Groups: Configured to allow only essential traffic. By default, allows inbound SSH traffic and outbound Internet access to handle GitHub interactions via HTTPS.
• NAT Gateway (optional): For instances in private subnets, a NAT Gateway facilitates outbound Internet access, allowing these instances to communicate with external services like GitHub without exposing them directly to the Internet.

• AWS CloudWatch and VPC Flow Logs: Used for monitoring traffic and detecting unusual activity, ensuring that the network remains secure and performs optimally.