From 81525c74a8907630269ef9cbf3e71df105282140 Mon Sep 17 00:00:00 2001 From: edersonbrilhante Date: Thu, 11 Jun 2026 13:11:31 +0200 Subject: [PATCH 1/5] fix(ec2): handle runner role tuple output --- modules/platform/ec2_deployment/outputs.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/platform/ec2_deployment/outputs.tf b/modules/platform/ec2_deployment/outputs.tf index 2a0e73b1..1527e2d5 100644 --- a/modules/platform/ec2_deployment/outputs.tf +++ b/modules/platform/ec2_deployment/outputs.tf @@ -5,7 +5,7 @@ output "webhook_endpoint" { output "ec2_runners_arn_map" { value = { - for runner_key, runner in module.runners.runners_map : runner_key => runner.role_runner.arn + for runner_key, runner in module.runners.runners_map : runner_key => runner.role_runner[0].arn } description = "Map of EC2 runner keys to their IAM role ARNs." } From 625b4a35bf8745a23b118585b15f79930272b3f9 Mon Sep 17 00:00:00 2001 From: edersonbrilhante Date: Thu, 11 Jun 2026 13:11:37 +0200 Subject: [PATCH 2/5] chore: ignore ansible cache directory --- .gitignore | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitignore b/.gitignore index 77738e97..d46b7706 100644 --- a/.gitignore +++ b/.gitignore @@ -22,6 +22,7 @@ override.tf.json *.tflock .terraform.lock.hcl .terragrunt-cache +.ansible/ providers # Auth files. Sensitive. From 9fe1f1e105b45cea8edd1815099e77cb0407ec29 Mon Sep 17 00:00:00 2001 From: edersonbrilhante Date: Thu, 11 Jun 2026 13:13:57 +0200 Subject: [PATCH 3/5] docs(ec2): update runner module reference --- modules/platform/ec2_deployment/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/platform/ec2_deployment/README.md b/modules/platform/ec2_deployment/README.md index 3355f369..95bb1944 100644 --- a/modules/platform/ec2_deployment/README.md +++ b/modules/platform/ec2_deployment/README.md @@ -21,7 +21,7 @@ | ---- | ------ | ------- | | [ec2\_update\_runner\_ssm\_ami](#module\_ec2\_update\_runner\_ssm\_ami) | ./ec2_update_runner_ssm_ami | n/a | | [ec2\_update\_runner\_tags](#module\_ec2\_update\_runner\_tags) | ./ec2_update_runner_tags | n/a | -| [runners](#module\_runners) | git::https://github.com/edersonbrilhante/terraform-aws-github-runner.git//modules/multi-runner | pre-7.7.0 | +| [runners](#module\_runners) | git::https://github.com/github-aws-runners/terraform-aws-github-runner.git//modules/multi-runner | v7.7.0 | ## Resources From 88dda75e0bd9111611737a9b5585bb26e622ac66 Mon Sep 17 00:00:00 2001 From: edersonbrilhante Date: Thu, 11 Jun 2026 13:22:24 +0200 Subject: [PATCH 4/5] docs: update terraform module docs --- modules/core/arc/README.md | 2 +- modules/core/arc/scale_set/README.md | 2 +- modules/infra/ami_policy/README.md | 2 +- modules/infra/ami_sharing/README.md | 2 +- modules/infra/cloud_custodian/README.md | 2 +- modules/infra/cloud_formation/README.md | 2 +- modules/infra/ecr/README.md | 2 +- modules/infra/eks/README.md | 2 +- modules/infra/opt_in_regions/README.md | 2 +- modules/infra/service_linked_roles/README.md | 2 +- modules/infra/storage/README.md | 2 +- modules/integrations/github_webhook_relay_destination/README.md | 2 +- .../github_webhook_relay_destination_receivers/README.md | 2 +- .../webex_webhook_relay/README.md | 2 +- modules/integrations/github_webhook_relay_source/README.md | 2 +- modules/integrations/splunk_aws_billing/README.md | 2 +- modules/integrations/splunk_cloud_conf_shared/README.md | 2 +- modules/integrations/splunk_cloud_data_manager_common/README.md | 2 +- modules/integrations/splunk_cloud_s3_runner_logs/README.md | 2 +- modules/integrations/splunk_o11y_aws_integration/README.md | 2 +- .../integrations/splunk_o11y_aws_integration_common/README.md | 2 +- modules/integrations/splunk_o11y_conf_shared/README.md | 2 +- modules/integrations/splunk_otel_eks/README.md | 2 +- modules/integrations/teleport/README.md | 2 +- .../platform/ec2_deployment/ec2_update_runner_ssm_ami/README.md | 2 +- .../platform/ec2_deployment/ec2_update_runner_tags/README.md | 2 +- modules/platform/forge_runners/README.md | 2 +- modules/platform/forge_runners/forge_trust_validator/README.md | 2 +- .../platform/forge_runners/github_actions_job_logs/README.md | 2 +- .../platform/forge_runners/github_app_runner_group/README.md | 2 +- modules/platform/forge_runners/github_global_lock/README.md | 2 +- modules/platform/forge_runners/github_webhook_relay/README.md | 2 +- modules/platform/forge_runners/redrive_deadletter/README.md | 2 +- 33 files changed, 33 insertions(+), 33 deletions(-) diff --git a/modules/core/arc/README.md b/modules/core/arc/README.md index edb9f315..b57ada88 100644 --- a/modules/core/arc/README.md +++ b/modules/core/arc/README.md @@ -14,7 +14,7 @@ | Name | Version | | ---- | ------- | -| [aws](#provider\_aws) | 6.49.0 | +| [aws](#provider\_aws) | 6.50.0 | | [external](#provider\_external) | 2.4.0 | | [kubernetes](#provider\_kubernetes) | 3.2.0 | | [null](#provider\_null) | 3.3.0 | diff --git a/modules/core/arc/scale_set/README.md b/modules/core/arc/scale_set/README.md index 2c3ff26e..0eb4e22c 100644 --- a/modules/core/arc/scale_set/README.md +++ b/modules/core/arc/scale_set/README.md @@ -12,7 +12,7 @@ | Name | Version | | ---- | ------- | -| [aws](#provider\_aws) | 6.49.0 | +| [aws](#provider\_aws) | 6.50.0 | | [helm](#provider\_helm) | 3.2.0 | | [kubernetes](#provider\_kubernetes) | 3.2.0 | diff --git a/modules/infra/ami_policy/README.md b/modules/infra/ami_policy/README.md index 6b883c3b..582f3d22 100644 --- a/modules/infra/ami_policy/README.md +++ b/modules/infra/ami_policy/README.md @@ -10,7 +10,7 @@ | Name | Version | | ---- | ------- | -| [aws](#provider\_aws) | 6.49.0 | +| [aws](#provider\_aws) | 6.50.0 | ## Modules diff --git a/modules/infra/ami_sharing/README.md b/modules/infra/ami_sharing/README.md index d37c25d4..d36b6236 100644 --- a/modules/infra/ami_sharing/README.md +++ b/modules/infra/ami_sharing/README.md @@ -10,7 +10,7 @@ | Name | Version | | ---- | ------- | -| [aws](#provider\_aws) | 6.49.0 | +| [aws](#provider\_aws) | 6.50.0 | ## Modules diff --git a/modules/infra/cloud_custodian/README.md b/modules/infra/cloud_custodian/README.md index fd3ebed0..8e04e60b 100644 --- a/modules/infra/cloud_custodian/README.md +++ b/modules/infra/cloud_custodian/README.md @@ -10,7 +10,7 @@ | Name | Version | | ---- | ------- | -| [aws](#provider\_aws) | 6.49.0 | +| [aws](#provider\_aws) | 6.50.0 | ## Modules diff --git a/modules/infra/cloud_formation/README.md b/modules/infra/cloud_formation/README.md index 2503bf57..088926a1 100644 --- a/modules/infra/cloud_formation/README.md +++ b/modules/infra/cloud_formation/README.md @@ -10,7 +10,7 @@ | Name | Version | | ---- | ------- | -| [aws](#provider\_aws) | 6.49.0 | +| [aws](#provider\_aws) | 6.50.0 | ## Modules diff --git a/modules/infra/ecr/README.md b/modules/infra/ecr/README.md index 847a20ee..a3275d7d 100644 --- a/modules/infra/ecr/README.md +++ b/modules/infra/ecr/README.md @@ -10,7 +10,7 @@ | Name | Version | | ---- | ------- | -| [aws](#provider\_aws) | 6.49.0 | +| [aws](#provider\_aws) | 6.50.0 | ## Modules diff --git a/modules/infra/eks/README.md b/modules/infra/eks/README.md index 27f41c83..45fc32cd 100644 --- a/modules/infra/eks/README.md +++ b/modules/infra/eks/README.md @@ -16,7 +16,7 @@ | Name | Version | | ---- | ------- | -| [aws](#provider\_aws) | 6.49.0 | +| [aws](#provider\_aws) | 6.50.0 | | [external](#provider\_external) | 2.4.0 | | [null](#provider\_null) | 3.3.0 | diff --git a/modules/infra/opt_in_regions/README.md b/modules/infra/opt_in_regions/README.md index 144bd4d5..cc6b0fcf 100644 --- a/modules/infra/opt_in_regions/README.md +++ b/modules/infra/opt_in_regions/README.md @@ -10,7 +10,7 @@ | Name | Version | | ---- | ------- | -| [aws](#provider\_aws) | 6.49.0 | +| [aws](#provider\_aws) | 6.50.0 | ## Modules diff --git a/modules/infra/service_linked_roles/README.md b/modules/infra/service_linked_roles/README.md index b59cf7e8..445a0f53 100644 --- a/modules/infra/service_linked_roles/README.md +++ b/modules/infra/service_linked_roles/README.md @@ -10,7 +10,7 @@ | Name | Version | | ---- | ------- | -| [aws](#provider\_aws) | 6.49.0 | +| [aws](#provider\_aws) | 6.50.0 | ## Modules diff --git a/modules/infra/storage/README.md b/modules/infra/storage/README.md index 24f2876c..47238f4a 100644 --- a/modules/infra/storage/README.md +++ b/modules/infra/storage/README.md @@ -10,7 +10,7 @@ | Name | Version | | ---- | ------- | -| [aws](#provider\_aws) | 6.49.0 | +| [aws](#provider\_aws) | 6.50.0 | ## Modules diff --git a/modules/integrations/github_webhook_relay_destination/README.md b/modules/integrations/github_webhook_relay_destination/README.md index f7983a43..01a4ccc4 100644 --- a/modules/integrations/github_webhook_relay_destination/README.md +++ b/modules/integrations/github_webhook_relay_destination/README.md @@ -48,7 +48,7 @@ graph TD | Name | Version | | ---- | ------- | -| [aws](#provider\_aws) | 6.49.0 | +| [aws](#provider\_aws) | 6.50.0 | | [external](#provider\_external) | 2.4.0 | ## Modules diff --git a/modules/integrations/github_webhook_relay_destination_receivers/README.md b/modules/integrations/github_webhook_relay_destination_receivers/README.md index c3c59bd2..4e868c97 100644 --- a/modules/integrations/github_webhook_relay_destination_receivers/README.md +++ b/modules/integrations/github_webhook_relay_destination_receivers/README.md @@ -10,7 +10,7 @@ | Name | Version | | ---- | ------- | -| [aws](#provider\_aws) | 6.49.0 | +| [aws](#provider\_aws) | 6.50.0 | ## Modules diff --git a/modules/integrations/github_webhook_relay_destination_receivers/webex_webhook_relay/README.md b/modules/integrations/github_webhook_relay_destination_receivers/webex_webhook_relay/README.md index 3b16cd53..80f7c871 100644 --- a/modules/integrations/github_webhook_relay_destination_receivers/webex_webhook_relay/README.md +++ b/modules/integrations/github_webhook_relay_destination_receivers/webex_webhook_relay/README.md @@ -55,7 +55,7 @@ Both `token` and `room_id` keys are required. The function will prepend `Bearer | Name | Version | | ---- | ------- | -| [aws](#provider\_aws) | 6.49.0 | +| [aws](#provider\_aws) | 6.50.0 | | [time](#provider\_time) | 0.14.0 | ## Modules diff --git a/modules/integrations/github_webhook_relay_source/README.md b/modules/integrations/github_webhook_relay_source/README.md index e03ecea2..d17dcfa5 100644 --- a/modules/integrations/github_webhook_relay_source/README.md +++ b/modules/integrations/github_webhook_relay_source/README.md @@ -66,7 +66,7 @@ curl -X POST "$(terraform output -raw webhook_endpoint)/webhook" \ | Name | Version | | ---- | ------- | -| [aws](#provider\_aws) | 6.49.0 | +| [aws](#provider\_aws) | 6.50.0 | ## Modules diff --git a/modules/integrations/splunk_aws_billing/README.md b/modules/integrations/splunk_aws_billing/README.md index 7143ad49..710577e1 100644 --- a/modules/integrations/splunk_aws_billing/README.md +++ b/modules/integrations/splunk_aws_billing/README.md @@ -14,7 +14,7 @@ | Name | Version | | ---- | ------- | -| [aws](#provider\_aws) | 6.49.0 | +| [aws](#provider\_aws) | 6.50.0 | ## Modules diff --git a/modules/integrations/splunk_cloud_conf_shared/README.md b/modules/integrations/splunk_cloud_conf_shared/README.md index ac125719..afd7be49 100644 --- a/modules/integrations/splunk_cloud_conf_shared/README.md +++ b/modules/integrations/splunk_cloud_conf_shared/README.md @@ -11,7 +11,7 @@ | Name | Version | | ---- | ------- | -| [aws](#provider\_aws) | 6.49.0 | +| [aws](#provider\_aws) | 6.50.0 | | [splunk](#provider\_splunk) | 1.5.1 | ## Modules diff --git a/modules/integrations/splunk_cloud_data_manager_common/README.md b/modules/integrations/splunk_cloud_data_manager_common/README.md index 802fc933..36dae8c9 100644 --- a/modules/integrations/splunk_cloud_data_manager_common/README.md +++ b/modules/integrations/splunk_cloud_data_manager_common/README.md @@ -11,7 +11,7 @@ | Name | Version | | ---- | ------- | -| [aws](#provider\_aws) | 6.49.0 | +| [aws](#provider\_aws) | 6.50.0 | | [external](#provider\_external) | 2.4.0 | ## Modules diff --git a/modules/integrations/splunk_cloud_s3_runner_logs/README.md b/modules/integrations/splunk_cloud_s3_runner_logs/README.md index 88adac9e..084160e6 100644 --- a/modules/integrations/splunk_cloud_s3_runner_logs/README.md +++ b/modules/integrations/splunk_cloud_s3_runner_logs/README.md @@ -11,7 +11,7 @@ | Name | Version | | ---- | ------- | -| [aws](#provider\_aws) | 6.49.0 | +| [aws](#provider\_aws) | 6.50.0 | | [external](#provider\_external) | 2.4.0 | ## Modules diff --git a/modules/integrations/splunk_o11y_aws_integration/README.md b/modules/integrations/splunk_o11y_aws_integration/README.md index 9da25cb0..a8e48d43 100644 --- a/modules/integrations/splunk_o11y_aws_integration/README.md +++ b/modules/integrations/splunk_o11y_aws_integration/README.md @@ -10,7 +10,7 @@ | Name | Version | | ---- | ------- | -| [aws](#provider\_aws) | 6.49.0 | +| [aws](#provider\_aws) | 6.50.0 | ## Modules diff --git a/modules/integrations/splunk_o11y_aws_integration_common/README.md b/modules/integrations/splunk_o11y_aws_integration_common/README.md index 3cb21a26..bf72d09f 100644 --- a/modules/integrations/splunk_o11y_aws_integration_common/README.md +++ b/modules/integrations/splunk_o11y_aws_integration_common/README.md @@ -12,7 +12,7 @@ | Name | Version | | ---- | ------- | -| [aws](#provider\_aws) | 6.49.0 | +| [aws](#provider\_aws) | 6.50.0 | | [signalfx](#provider\_signalfx) | 9.30.1 | | [time](#provider\_time) | 0.14.0 | diff --git a/modules/integrations/splunk_o11y_conf_shared/README.md b/modules/integrations/splunk_o11y_conf_shared/README.md index e1b8a8bc..30b3c986 100644 --- a/modules/integrations/splunk_o11y_conf_shared/README.md +++ b/modules/integrations/splunk_o11y_conf_shared/README.md @@ -11,7 +11,7 @@ | Name | Version | | ---- | ------- | -| [aws](#provider\_aws) | 6.49.0 | +| [aws](#provider\_aws) | 6.50.0 | | [signalfx](#provider\_signalfx) | 9.30.1 | ## Modules diff --git a/modules/integrations/splunk_otel_eks/README.md b/modules/integrations/splunk_otel_eks/README.md index 2d037879..39b8f0cf 100644 --- a/modules/integrations/splunk_otel_eks/README.md +++ b/modules/integrations/splunk_otel_eks/README.md @@ -12,7 +12,7 @@ | Name | Version | | ---- | ------- | -| [aws](#provider\_aws) | 6.49.0 | +| [aws](#provider\_aws) | 6.50.0 | | [helm](#provider\_helm) | 3.2.0 | ## Modules diff --git a/modules/integrations/teleport/README.md b/modules/integrations/teleport/README.md index b59c1603..3cc2aaf4 100644 --- a/modules/integrations/teleport/README.md +++ b/modules/integrations/teleport/README.md @@ -12,7 +12,7 @@ | Name | Version | | ---- | ------- | -| [aws](#provider\_aws) | 6.49.0 | +| [aws](#provider\_aws) | 6.50.0 | | [kubernetes](#provider\_kubernetes) | 3.2.0 | ## Modules diff --git a/modules/platform/ec2_deployment/ec2_update_runner_ssm_ami/README.md b/modules/platform/ec2_deployment/ec2_update_runner_ssm_ami/README.md index 60d86a0c..208170f3 100644 --- a/modules/platform/ec2_deployment/ec2_update_runner_ssm_ami/README.md +++ b/modules/platform/ec2_deployment/ec2_update_runner_ssm_ami/README.md @@ -10,7 +10,7 @@ | Name | Version | | ---- | ------- | -| [aws](#provider\_aws) | 6.49.0 | +| [aws](#provider\_aws) | 6.50.0 | ## Modules diff --git a/modules/platform/ec2_deployment/ec2_update_runner_tags/README.md b/modules/platform/ec2_deployment/ec2_update_runner_tags/README.md index 40c3d5bf..42432861 100644 --- a/modules/platform/ec2_deployment/ec2_update_runner_tags/README.md +++ b/modules/platform/ec2_deployment/ec2_update_runner_tags/README.md @@ -10,7 +10,7 @@ | Name | Version | | ---- | ------- | -| [aws](#provider\_aws) | 6.49.0 | +| [aws](#provider\_aws) | 6.50.0 | ## Modules diff --git a/modules/platform/forge_runners/README.md b/modules/platform/forge_runners/README.md index d0a13240..8a1cfb8b 100644 --- a/modules/platform/forge_runners/README.md +++ b/modules/platform/forge_runners/README.md @@ -16,7 +16,7 @@ | Name | Version | | ---- | ------- | -| [aws](#provider\_aws) | 6.49.0 | +| [aws](#provider\_aws) | 6.50.0 | | [null](#provider\_null) | 3.3.0 | | [random](#provider\_random) | 3.9.0 | | [time](#provider\_time) | 0.14.0 | diff --git a/modules/platform/forge_runners/forge_trust_validator/README.md b/modules/platform/forge_runners/forge_trust_validator/README.md index e8c123ac..4ee94990 100644 --- a/modules/platform/forge_runners/forge_trust_validator/README.md +++ b/modules/platform/forge_runners/forge_trust_validator/README.md @@ -10,7 +10,7 @@ | Name | Version | | ---- | ------- | -| [aws](#provider\_aws) | 6.49.0 | +| [aws](#provider\_aws) | 6.50.0 | ## Modules diff --git a/modules/platform/forge_runners/github_actions_job_logs/README.md b/modules/platform/forge_runners/github_actions_job_logs/README.md index f5bc6697..a001f524 100644 --- a/modules/platform/forge_runners/github_actions_job_logs/README.md +++ b/modules/platform/forge_runners/github_actions_job_logs/README.md @@ -130,7 +130,7 @@ See parent repository license. | Name | Version | | ---- | ------- | -| [aws](#provider\_aws) | 6.49.0 | +| [aws](#provider\_aws) | 6.50.0 | ## Modules diff --git a/modules/platform/forge_runners/github_app_runner_group/README.md b/modules/platform/forge_runners/github_app_runner_group/README.md index 1add9e7b..386778dd 100644 --- a/modules/platform/forge_runners/github_app_runner_group/README.md +++ b/modules/platform/forge_runners/github_app_runner_group/README.md @@ -10,7 +10,7 @@ | Name | Version | | ---- | ------- | -| [aws](#provider\_aws) | 6.49.0 | +| [aws](#provider\_aws) | 6.50.0 | ## Modules diff --git a/modules/platform/forge_runners/github_global_lock/README.md b/modules/platform/forge_runners/github_global_lock/README.md index 6c001af3..d581b5a9 100644 --- a/modules/platform/forge_runners/github_global_lock/README.md +++ b/modules/platform/forge_runners/github_global_lock/README.md @@ -10,7 +10,7 @@ | Name | Version | | ---- | ------- | -| [aws](#provider\_aws) | 6.49.0 | +| [aws](#provider\_aws) | 6.50.0 | ## Modules diff --git a/modules/platform/forge_runners/github_webhook_relay/README.md b/modules/platform/forge_runners/github_webhook_relay/README.md index de2974cf..2af79df4 100644 --- a/modules/platform/forge_runners/github_webhook_relay/README.md +++ b/modules/platform/forge_runners/github_webhook_relay/README.md @@ -11,7 +11,7 @@ | Name | Version | | ---- | ------- | -| [aws](#provider\_aws) | 6.49.0 | +| [aws](#provider\_aws) | 6.50.0 | | [random](#provider\_random) | 3.9.0 | ## Modules diff --git a/modules/platform/forge_runners/redrive_deadletter/README.md b/modules/platform/forge_runners/redrive_deadletter/README.md index 0e5066a5..cb8d47f8 100644 --- a/modules/platform/forge_runners/redrive_deadletter/README.md +++ b/modules/platform/forge_runners/redrive_deadletter/README.md @@ -10,7 +10,7 @@ | Name | Version | | ---- | ------- | -| [aws](#provider\_aws) | 6.49.0 | +| [aws](#provider\_aws) | 6.50.0 | ## Modules From aafa237de082d35f218b0bc5f63f3b80efb3b571 Mon Sep 17 00:00:00 2001 From: edersonbrilhante Date: Thu, 11 Jun 2026 13:24:36 +0200 Subject: [PATCH 5/5] fix(subscription): restrict forge runner trust policy --- modules/infra/forge_subscription/roles.tf | 13 ------------- 1 file changed, 13 deletions(-) diff --git a/modules/infra/forge_subscription/roles.tf b/modules/infra/forge_subscription/roles.tf index 9edecc81..d4d1a2bd 100644 --- a/modules/infra/forge_subscription/roles.tf +++ b/modules/infra/forge_subscription/roles.tf @@ -1,18 +1,5 @@ # Role assumed by Forge Runners data "aws_iam_policy_document" "assume_role_for_forge_runners" { - # Allows us to access S3, SecretsManager immediately when we SSH into a runner VM. - statement { - actions = [ - "sts:AssumeRole", - ] - principals { - type = "Service" - identifiers = [ - "ec2.amazonaws.com", - "s3.amazonaws.com", - ] - } - } # Allow GH runners to assume dedicated role. statement {