Deploy a Harness delegate on ECS Fargate using Terraform. Optionally, create an ECS drone runner to enable VM builds in Harness CIE.

Your delegate token should be stored in AWS Secrets Manager as a plaintext secret (a single secret string, not a key/value JSON secret). You should also grab the latest delegate image for your account by going to the delegate creation screen and copying the image given in the guide.
```hcl
module "delegate" {
  source                    = "git::https://github.com/harness-community/terraform-aws-harness-delegate-ecs-fargate.git"
  name                      = "ecs"
  harness_account_id        = "wlgELJ0TTre5aZhzpt8gVA"
  delegate_image            = "harness/delegate:23.07.79904"
  delegate_token_secret_arn = "arn:aws:secretsmanager:us-west-2:012345678901:secret:harness/delegate-zBsttc"
  delegate_policy_arns = [
    "arn:aws:iam::aws:policy/AmazonEC2FullAccess"
  ]
  security_groups = [
    "sg-0a38670715029163f"
  ]
  subnets = [
    "subnet-0ee34605c385f4c65",
    "subnet-0f26e9386ae01a555"
  ]
}
```
In the example above, the IAM policy, security group and subnets must already exist. The example below creates the network and a bucket-scoped policy with Terraform instead of relying on pre-existing resources.
```hcl
module "delegate" {
  source                    = "git::https://github.com/harness-community/terraform-aws-harness-delegate-ecs-fargate.git"
  name                      = "ecs"
  harness_account_id        = "wlgELJ0TTre5aZhzpt8gVA"
  delegate_image            = "harness/delegate:23.07.79904"
  delegate_token_secret_arn = "arn:aws:secretsmanager:us-west-2:012345678901:secret:harness/delegate-zBsttc"
  delegate_policy_arns = [
    aws_iam_policy.delegate_aws_access.arn
  ]
  security_groups = [
    module.vpc.default_security_group_id
  ]
  subnets = module.vpc.private_subnets
}

module "vpc" {
  source  = "terraform-aws-modules/vpc/aws"
  version = "~> 3.0"

  name = "this"
  cidr = "10.0.0.0/16"

  azs             = ["us-west-2a", "us-west-2b"]
  private_subnets = ["10.0.1.0/24", "10.0.2.0/24"]
  public_subnets  = ["10.0.4.0/24", "10.0.5.0/24"]

  # The delegate runs in the private subnets and reaches Harness through the NAT gateway.
  enable_nat_gateway   = true
  single_nat_gateway   = true
  enable_dns_hostnames = true

  public_subnet_tags = {
    "type" = "public"
  }
  private_subnet_tags = {
    "type" = "private"
  }
}

# Task-role policy for the delegate, scoped to a single artifact bucket.
# The bucket resource (aws_s3_bucket.this) is defined elsewhere in your configuration.
resource "aws_iam_policy" "delegate_aws_access" {
  name        = "delegate_aws_access"
  description = "Policy for harness delegate aws access"
  policy      = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GetArtifacts",
      "Effect": "Allow",
      "Action": [
        "s3:*"
      ],
      "Resource": [
        "${aws_s3_bucket.this.arn}",
        "${aws_s3_bucket.this.arn}/*"
      ]
    }
  ]
}
EOF
}
```
To avoid pinning the delegate image by hand, the account's latest supported delegate version can be looked up from the Harness API at plan time:

```hcl
variable "harness_platform_api_key" {
  type      = string
  sensitive = true
}

data "harness_current_account" "current" {}

# Ask the Harness API which delegate version this account currently supports.
# The API key is passed as a request header, so keep the variable marked sensitive.
data "http" "latest_delegate_tag" {
  url = "https://app.harness.io/ng/api/delegate-setup/latest-supported-version?accountIdentifier=${data.harness_current_account.current.id}"
  request_headers = {
    x-api-key = var.harness_platform_api_key
  }
}

locals {
  latest_delegate_tag = jsondecode(data.http.latest_delegate_tag.response_body).resource.latestSupportedVersion
}

module "delegate" {
  source                    = "git::https://github.com/harness-community/terraform-aws-harness-delegate-ecs-fargate.git"
  name                      = "ecs"
  harness_account_id        = data.harness_current_account.current.id
  delegate_image            = "harness/delegate:${local.latest_delegate_tag}"
  delegate_token_secret_arn = "arn:aws:secretsmanager:us-west-2:012345678901:secret:harness/delegate-zBsttc"
  delegate_policy_arns = [
    aws_iam_policy.delegate_aws_access.arn
  ]
  security_groups = [
    module.vpc.default_security_group_id
  ]
  subnets = module.vpc.private_subnets
}
```
To deploy a drone runner and enable VM-based CI builds, you only need to supply your runner config file:

```hcl
runner_config = file("${path.module}/pool.yml")
```
Or pass it as a base64-encoded string, generated on one line (`-w 0` disables line wrapping) with:

```sh
cat pool.yml | base64 -w 0
```

```hcl
base64_runner_config = "dmVyc2lvbjogI...ZDdiYTI4Cg=="
```
Refer to the Drone documentation for the prerequisites needed to build the YAML and set up your VPC.
```hcl
module "delegate" {
  source                    = "git::https://github.com/harness-community/terraform-aws-harness-delegate-ecs-fargate.git"
  name                      = "ecs"
  harness_account_id        = "wlgELJ0TTre5aZhzpt8gVA"
  delegate_token_secret_arn = "arn:aws:secretsmanager:us-west-2:012345678901:secret:harness/delegate-zBsttc"
  runner_config             = file("${path.module}/pool.yml")
  delegate_policy_arns = [
    aws_iam_policy.delegate_aws_access.arn,
    "arn:aws:iam::aws:policy/AmazonEC2FullAccess"
  ]
  security_groups = [
    module.vpc.default_security_group_id
  ]
  subnets = module.vpc.private_subnets
}
```
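Everything in `delegate_policy_arns` is attached to the delegate's ECS task role, so the AWS-managed AmazonEC2FullAccess used in the first and in the drone-runner examples deserves a pre-apply review next to the bucket-scoped policy from the second example. The following is an added example, not part of this module: a Python check over `terraform show -json` plan output that flags AWS-managed `*FullAccess` attachments and customer policies containing an unscoped wildcard statement. The plan document is constructed inline and is not real Terraform output.

```python
import json

# Constructed stand-in for `terraform show -json tfplan` output (not a real plan),
# trimmed to what this check reads: the README's custom S3 policy in the root
# module and the module's task-role attachments inside module.delegate.
SAMPLE_PLAN = json.dumps({"planned_values": {"root_module": {
    "resources": [{"address": "aws_iam_policy.delegate_aws_access", "type": "aws_iam_policy",
                   "values": {"policy": json.dumps({"Version": "2012-10-17", "Statement": [
                       {"Effect": "Allow", "Action": ["s3:*"],
                        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}]})}}],
    "child_modules": [{"resources": [
        {"address": "module.delegate.aws_iam_role_policy_attachment.task[0]",
         "type": "aws_iam_role_policy_attachment",
         "values": {"policy_arn": "arn:aws:iam::aws:policy/AmazonEC2FullAccess"}},
        {"address": "module.delegate.aws_iam_role_policy_attachment.task[1]",
         "type": "aws_iam_role_policy_attachment",
         "values": {"policy_arn": "arn:aws:iam::012345678901:policy/delegate_aws_access"}}]}]}}})

AWS_MANAGED_PREFIX = "arn:aws:iam::aws:policy/"

def walk_resources(module):
    """Yield every planned resource in a module and, recursively, its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from walk_resources(child)

def is_unscoped(statement):
    """True for an Allow statement that grants a wildcard action on every resource."""
    if statement.get("Effect") != "Allow":
        return False
    actions, resources = statement.get("Action", []), statement.get("Resource", [])
    actions = [actions] if isinstance(actions, str) else actions  # IAM accepts string or list
    resources = [resources] if isinstance(resources, str) else resources
    return any(a == "*" or a.endswith(":*") for a in actions) and "*" in resources

def find_overbroad_grants(plan_json):
    """Return plan addresses worth a review before apply: AWS-managed *FullAccess
    attachments and customer-managed policies with an unscoped wildcard statement."""
    findings = []
    for res in walk_resources(json.loads(plan_json)["planned_values"]["root_module"]):
        values = res["values"]
        if res["type"] == "aws_iam_role_policy_attachment":
            arn = values["policy_arn"]
            if arn.startswith(AWS_MANAGED_PREFIX) and arn.endswith("FullAccess"):
                findings.append(res["address"])
        elif res["type"] == "aws_iam_policy":
            statements = json.loads(values["policy"]).get("Statement", [])
            if any(is_unscoped(s) for s in statements):
                findings.append(res["address"])
    return findings
```

Run it against `terraform show -json tfplan` output; the bucket-scoped `s3:*` policy passes, while the managed EC2 policy is reported for review.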
Requirements: none.

Providers:

| Name | Version |
|---|---|
| aws | n/a |

Modules: none.

Resources:

| Name | Type |
|---|---|
| aws_cloudwatch_log_group.this | resource |
| aws_ecs_cluster.this | resource |
| aws_ecs_service.this | resource |
| aws_ecs_task_definition.delegate | resource |
| aws_ecs_task_definition.delegate-runner | resource |
| aws_efs_access_point.runner | resource |
| aws_efs_file_system.runner | resource |
| aws_efs_mount_target.runner | resource |
| aws_iam_policy.task_exec | resource |
| aws_iam_policy.task_execution | resource |
| aws_iam_policy.task_execution_registry | resource |
| aws_iam_role.task | resource |
| aws_iam_role.task_execution | resource |
| aws_iam_role_policy_attachment.task | resource |
| aws_iam_role_policy_attachment.task_exec | resource |
| aws_iam_role_policy_attachment.task_execution | resource |
| aws_iam_role_policy_attachment.task_execution_registry | resource |
| aws_region.current | data source |

Inputs:

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| base64_runner_config | An AWS drone runner config, base64 encoded | string | "" | no |
| cdn_url | n/a | string | "https://app.harness.io" | no |
| cluster_id | ID for the ECS cluster to use | string | "" | no |
| cluster_name | Name for the ECS cluster created by the module | string | "harness-delegate" | no |
| delegate_check_location | n/a | string | "delegateprod.txt" | no |
| delegate_description | n/a | string | "" | no |
| delegate_image | n/a | string | "harness/delegate:latest" | no |
| delegate_policy_arns | IAM policies to use for the task role; gives your delegate access to AWS | list(string) | n/a | yes |
| delegate_storage_url | n/a | string | "https://app.harness.io" | no |
| delegate_tags | n/a | string | "" | no |
| delegate_token_secret_arn | Secrets Manager secret that holds the delegate token | string | n/a | yes |
| enable_ecs_exec | Create policy to enable ECS Exec on the delegate container | bool | false | no |
| harness_account_id | Harness account id | string | n/a | yes |
| init_script | n/a | string | "" | no |
| kms_key_id | A KMS key to use for encrypting the EFS volume | string | "" | no |
| log_streaming_service_url | n/a | string | "https://app.harness.io/gratis/log-service/" | no |
| manager_host_and_port | n/a | string | "https://app.harness.io/gratis" | no |
| name | Delegate name | string | n/a | yes |
| proxy_manager | n/a | string | "" | no |
| delegate_environment | Additional environment variables to add to the delegate | list(object({ name = string, value = string })) | [] | no |
| desired_count | Number of delegate tasks | number | 1 | no |
| registry_secret_arn | Secrets Manager secret that holds the login for a container registry | string | "" | no |
| remote_watcher_url_cdn | n/a | string | "https://app.harness.io/public/shared/watchers/builds" | no |
| runner_config | An AWS drone runner config | string | "" | no |
| runner_image | n/a | string | "drone/drone-runner-aws" | no |
| security_groups | VPC security groups to place the delegate pods in | list(string) | n/a | yes |
| subnets | VPC subnets to place the delegate pods in | list(string) | n/a | yes |
| watcher_check_location | n/a | string | "current.version" | no |
| watcher_storage_url | n/a | string | "https://app.harness.io/public/prod/premium/watchers" | no |

Outputs:

| Name | Description |
|---|---|
| aws_ecs_cluster | The ID of the ECS cluster |
| aws_ecs_service | The ID of the ECS service |
| aws_ecs_task_definition | The ARN of the ECS task definition |
| aws_efs_file_system | The filesystem used for the drone runner |
| aws_iam_role_task | The IAM role for the ECS task |
| aws_iam_role_task_execution | The IAM role for ECS execution |