Azure Verified Module for CI/CD Agents and Runners

This module deploys self-hosted Azure DevOps Agents and Github Runners.

Features

• Deploys and configures Azure DevOps Agents
• Deploys and configures Github Runners
• Supports Azure Container Apps with auto scaling from zero
• Supports Azure Container Instances as an alternative or complementary compute option
• Supports Public or Private Networking
• Deploys all Azure resource required or optionally supply your own

Example Usage

This example shows how to deploy Azure DevOps Agents to Azure Container Apps using the minimal set of required variables with private networking.

module "azure_devops_agents" {
  source                                       = "Azure/avm-ptn-cicd-agents-and-runners/azurerm"
  version                                      = "~> 0.2"
  postfix                                      = "my-agents"
  location                                     = "uksouth"
  version_control_system_type                  = "azuredevops"
  version_control_system_personal_access_token = "**************************************"
  version_control_system_organization          = "my-organization"
  version_control_system_pool_name             = "my-agent-pool"
  virtual_network_address_space                = "10.0.0.0/16"
}

This example shows how to deploy GitHub Runners to Azure Container Apps using the minimal set of required variables with private networking.

module "github_runners" {
  source                                       = "Azure/avm-ptn-cicd-agents-and-runners/azurerm"
  version                                      = "~> 0.2"
  postfix                                      = "my-runners"
  location                                     = "uksouth"
  version_control_system_type                  = "github"
  version_control_system_personal_access_token = "**************************************"
  version_control_system_organization          = "my-organization"
  version_control_system_repository            = "my-reository"
  virtual_network_address_space                = "10.0.0.0/16"
}

Requirements

The following requirements are needed by this module:

• terraform (>= 1.9.0)

• azurerm (~> 3.113)

• modtm (~> 0.3)

• random (~> 3.5)

• time (~> 0.12)

Resources

The following resources are used by this module:

• azurerm_container_app_environment.this (resource)
• azurerm_management_lock.this (resource)
• azurerm_nat_gateway.this (resource)
• azurerm_nat_gateway_public_ip_association.this (resource)
• azurerm_private_dns_zone.container_registry (resource)
• azurerm_private_dns_zone_virtual_network_link.container_registry (resource)
• azurerm_public_ip.this (resource)
• azurerm_resource_group.this (resource)
• modtm_telemetry.telemetry (resource)
• random_uuid.telemetry (resource)
• time_sleep.delay_after_container_image_build (resource)
• azurerm_client_config.current (data source)
• azurerm_client_config.telemetry (data source)
• modtm_module_source.telemetry (data source)

Required Inputs

The following input variables are required:

location

Description: Azure region where the resource should be deployed.

Type: string

postfix

Description: A postfix used to build default names if no name has been supplied for a specific resource type.

Type: string

version_control_system_organization

Description: The version control system organization to deploy the agents too.

Type: string

version_control_system_personal_access_token

Description: The personal access token for the version control system.

Type: string

version_control_system_type

Description: The type of the version control system to deploy the agents too. Allowed values are 'azuredevops' or 'github'

Type: string

Optional Inputs

The following input variables are optional (have default values):

compute_types

Description: The types of compute to use. Allowed values are 'azure_container_app' and 'azure_container_instance'.

Type: set(string)

Default:

[
  "azure_container_app"
]

container_app_container_cpu

Description: Required CPU in cores, e.g. 0.5

Type: number

Default: 1

container_app_container_memory

Description: Required memory, e.g. '250Mb'

Type: string

Default: "2Gi"

container_app_environment_creation_enabled

Description: Whether or not to create a Container App Environment.

Type: bool

Default: true

container_app_environment_id

Description: The resource id of the Container App Environment. Only required if container_app_environment_creation_enabled is false.

Type: string

Default: null

container_app_environment_name

Description: The name of the Container App Environment. Only required if container_app_environment_creation_enabled is true.

Type: string

Default: null

container_app_environment_variables

Description: List of additional environment variables to pass to the container.

Type:

set(object({
    name  = string
    value = string
  }))

Default: []

container_app_infrastructure_resource_group_name

Description: The name of the resource group where the Container Apps infrastructure is deployed.

Type: string

Default: null

container_app_job_container_name

Description: The name of the container for the runner Container Apps job.

Type: string

Default: null

container_app_job_name

Description: The name of the Container App runner job.

Type: string

Default: null

container_app_max_execution_count

Description: The maximum number of executions (ADO jobs) to spawn per polling interval.

Type: number

Default: 100

container_app_min_execution_count

Description: The minimum number of executions (ADO jobs) to spawn per polling interval.

Type: number

Default: 0

container_app_placeholder_container_name

Description: The name of the container for the placeholder Container Apps job.

Type: string

Default: null

container_app_placeholder_job_name

Description: The name of the Container App placeholder job.

Type: string

Default: null

container_app_placeholder_replica_retry_limit

Description: The number of times to retry the placeholder Container Apps job.

Type: number

Default: 0

container_app_placeholder_replica_timeout

Description: The timeout in seconds for the placeholder Container Apps job.

Type: number

Default: 300

container_app_polling_interval_seconds

Description: How often should the pipeline queue be checked for new events, in seconds.

Type: number

Default: 30

container_app_replica_retry_limit

Description: The number of times to retry the runner Container Apps job.

Type: number

Default: 3

container_app_replica_timeout

Description: The timeout in seconds for the runner Container Apps job.

Type: number

Default: 1800

container_app_sensitive_environment_variables

Description: List of additional sensitive environment variables to pass to the container.

Type:

set(object({
    name                      = string
    value                     = string
    container_app_secret_name = string
    keda_auth_name            = optional(string)
  }))

Default: []

container_app_subnet_address_prefix

Description: The address prefix for the Container App Environment. Either subnet_id or subnet_name and subnet_address_prefix must be specified.

Type: string

Default: null

container_app_subnet_cidr_size

Description: The CIDR size for the container instance subnet.

Type: number

Default: 27

container_app_subnet_id

Description: The ID of a pre-existing subnet to use. Required if virtual_network_creation_enabled is false.

Type: string

Default: null

container_app_subnet_name

Description: The name of the subnet. Must be specified if virtual_network_creation_enabled == false.

Type: string

Default: null

container_instance_container_cpu

Description: The CPU value for the container instance

Type: number

Default: 2

container_instance_container_cpu_limit

Description: The CPU limit value for the container instance

Type: number

Default: 2

container_instance_container_memory

Description: The memory value for the container instance

Type: number

Default: 4

container_instance_container_memory_limit

Description: The memory limit value for the container instance

Type: number

Default: 4

container_instance_container_name

Description: The name of the container instance

Type: string

Default: null

container_instance_count

Description: The number of container instances to create

Type: number

Default: 2

container_instance_environment_variables

Description: List of additional environment variables to pass to the container.

Type:

set(object({
    name  = string
    value = string
  }))

Default: []

container_instance_name_prefix

Description: The name prefix of the container instance

Type: string

Default: null

container_instance_sensitive_environment_variables

Description: List of additional sensitive environment variables to pass to the container.

Type:

set(object({
    name  = string
    value = string
  }))

Default: []

container_instance_subnet_address_prefix

Description: The address prefix for the Container App Environment. Either subnet_id or subnet_name and subnet_address_prefix must be specified.

Type: string

Default: null

container_instance_subnet_cidr_size

Description: The CIDR size for the container instance subnet.

Type: number

Default: 28

container_instance_subnet_id

Description: The ID of a pre-existing subnet to use. Required if virtual_network_creation_enabled is false.

Type: string

Default: null

container_instance_subnet_name

Description: The name of the subnet. Must be specified if virtual_network_creation_enabled == false.

Type: string

Default: null

container_registry_creation_enabled

Description: Whether or not to create a container registry.

Type: bool

Default: true

container_registry_dns_zone_id

Description: The ID of the private DNS zone to create for the container registry. Only required if container_registry_private_dns_zone_creation_enabled is false.

Type: string

Default: null

container_registry_name

Description: The name of the container registry. Only required if container_registry_creation_enabled is true.

Type: string

Default: null

container_registry_private_dns_zone_creation_enabled

Description: Whether or not to create a private DNS zone for the container registry.

Type: bool

Default: true

container_registry_private_endpoint_subnet_address_prefix

Description: The address prefix for the Container App Environment. Either subnet_id or subnet_name and subnet_address_prefix must be specified.

Type: string

Default: null

container_registry_private_endpoint_subnet_id

Description: The ID of a pre-existing subnet to use. Required if virtual_network_creation_enabled is false.

Type: string

Default: null

container_registry_private_endpoint_subnet_name

Description: The name of the subnet. Must be specified if virtual_network_creation_enabled == false.

Type: string

Default: null

container_registry_subnet_cidr_size

Description: The CIDR size for the container registry subnet.

Type: number

Default: 29

custom_container_registry_images

Description: The images to build and push to the container registry. This is only relevant if container_registry_creation_enabled is true and use_default_container_image is set to false.

• task_name: The name of the task to create for building the image (e.g. image-build-task)
• dockerfile_path: The path to the Dockerfile to use for building the image (e.g. dockerfile)
• context_path: The path to the context of the Dockerfile in three sections <repository-url>#<repository-commit>:<repository-folder-path> (e.g. https://github.com/Azure/avm-container-images-cicd-agents-and-runners#bc4087f:azure-devops-agent)
• context_access_token: The access token to use for accessing the context. Supply a PAT if targetting a private repository.
• image_names: A list of the names of the images to build (e.g. ["image-name:tag"])

Type:

map(object({
    task_name            = string
    dockerfile_path      = string
    context_path         = string
    context_access_token = optional(string, "a") # This `a` is a dummy value because the context_access_token should not be required in the provider
    image_names          = list(string)
  }))

Default: null

custom_container_registry_login_server

Description: The login server of the container registry to use if container_registry_creation_enabled is false.

Type: string

Default: null

custom_container_registry_password

Description: The password of the container registry to use if container_registry_creation_enabled is false.

Type: string

Default: null

custom_container_registry_username

Description: The username of the container registry to use if container_registry_creation_enabled is false.

Type: string

Default: null

default_image_name

Description: The default image name to use if no custom image is provided.

Type: string

Default: null

default_image_registry_dockerfile_path

Description: The default image registry Dockerfile path to use if no custom image is provided.

Type: string

Default: "dockerfile"

default_image_repository_commit

Description: The default image repository commit to use if no custom image is provided.

Type: string

Default: "bc4087f"

default_image_repository_folder_paths

Description: The default image repository folder path to use if no custom image is provided.

Type: map(string)

Default:

{
  "azuredevops-container-app": "azure-devops-agent-aca",
  "azuredevops-container-instance": "azure-devops-agent-aci",
  "github-container-app": "github-runner-aca",
  "github-container-instance": "github-runner-aci"
}

default_image_repository_url

Description: The default image repository URL to use if no custom image is provided.

Type: string

Default: "https://github.com/Azure/avm-container-images-cicd-agents-and-runners"

delays

Description: Delays (in seconds) to apply to the module operations.

Type:

object({
    delay_after_container_image_build = number
  })

Default:

{
  "delay_after_container_image_build": 30
}

enable_telemetry

Description: This variable controls whether or not telemetry is enabled for the module.
For more information see https://aka.ms/avm/telemetryinfo.
If it is set to false, then no telemetry will be collected.

Type: bool

Default: true

lock

Description: Controls the Resource Lock configuration for this resource. The following properties can be specified:

• kind - (Required) The type of lock. Possible values are \"CanNotDelete\" and \"ReadOnly\".
• name - (Optional) The name of the lock. If not specified, a name will be generated based on the kind value. Changing this forces the creation of a new resource.

Type:

object({
    kind = string
    name = optional(string, null)
  })

Default: null

log_analytics_workspace_creation_enabled

Description: Whether or not to create a log analytics workspace.

Type: bool

Default: true

log_analytics_workspace_id

Description: The resource Id of the Log Analytics Workspace.

Type: string

Default: null

log_analytics_workspace_name

Description: The name of the log analytics workspace. Only required if log_analytics_workspace_creation_enabled == false.

Type: string

Default: null

log_analytics_workspace_retention_in_days

Description: The retention period for the Log Analytics Workspace.

Type: number

Default: 30

log_analytics_workspace_sku

Description: The SKU of the Log Analytics Workspace.

Type: string

Default: "PerGB2018"

nat_gateway_creation_enabled

Description: Whether or not to create a NAT Gateway.

Type: bool

Default: true

nat_gateway_id

Description: The ID of the NAT Gateway. Only required if nat_gateway_creation_enabled is false.

Type: string

Default: null

nat_gateway_name

Description: The name of the NAT Gateway.

Type: string

Default: null

public_ip_creation_enabled

Description: Whether or not to create a public IP.

Type: bool

Default: true

public_ip_id

Description: The ID of the public IP. Only required if public_ip_creation_enabled is false.

Type: string

Default: null

public_ip_name

Description: The name of the public IP.

Type: string

Default: null

resource_group_creation_enabled

Description: Whether or not to create a resource group.

Type: bool

Default: true

resource_group_name

Description: The resource group where the resources will be deployed. Must be specified if resource_group_creation_enabled == false

Type: string

Default: null

tags

Description: (Optional) Tags of the resource.

Type: map(string)

Default: null

use_default_container_image

Description: Whether or not to use the default container image provided by the module.

Type: bool

Default: true

use_private_networking

Description: Whether or not to use private networking for the container registry.

Type: bool

Default: true

user_assigned_managed_identity_creation_enabled

Description: Whether or not to create a user assigned managed identity.

Type: bool

Default: true

user_assigned_managed_identity_id

Description: The resource Id of the user assigned managed identity. Only required if user_assigned_managed_identity_creation_enabled == false.

Type: string

Default: null

user_assigned_managed_identity_name

Description: The name of the user assigned managed identity. Must be specified if user_assigned_managed_identity_creation_enabled == true.

Type: string

Default: null

user_assigned_managed_identity_principal_id

Description: The principal id of the user assigned managed identity. Only required if user_assigned_managed_identity_creation_enabled == false.

Type: string

Default: null

version_control_system_agent_name_prefix

Description: The version control system agent name prefix.

Type: string

Default: null

version_control_system_agent_target_queue_length

Description: The target value for the amound of pending jobs to scale on.

Type: number

Default: 1

version_control_system_enterprise

Description: The enterprise name for the version control system.

Type: string

Default: null

version_control_system_placeholder_agent_name

Description: The version control system placeholder agent name.

Type: string

Default: null

version_control_system_pool_name

Description: The name of the agent pool in the version control system.

Type: string

Default: null

version_control_system_repository

Description: The version control system repository to deploy the agents too.

Type: string

Default: null

version_control_system_runner_group

Description: The runner group to add the runner to.

Type: string

Default: null

version_control_system_runner_scope

Description: The scope of the runner. Must be ent, org, or repo. This is ignored for Azure DevOps.

Type: string

Default: "repo"

virtual_network_address_space

Description: The address space for the virtual network. Must be specified if virtual_network_creation_enabled == false.

Type: string

Default: null

virtual_network_creation_enabled

Description: Whether or not to create a virtual network.

Type: bool

Default: true

virtual_network_name

Description: The name of the virtual network. Must be specified if virtual_network_creation_enabled == false.

Type: string

Default: null

Outputs

The following outputs are exported:

container_app_subnet_resource_id

Description: The subnet id of the container app job.

container_instance_names

Description: The names of the container instances.

container_instance_resource_ids

Description: The resource ids of the container instances.

container_registry_login_server

Description: The container registry login server.

container_registry_name

Description: The container registry name.

container_registry_resource_id

Description: The container registry resource id.

job_name

Description: The name of the container app job.

job_resource_id

Description: The resource id of the container app job.

name

Description: The name of the container app environment.

placeholder_job_name

Description: The name of the placeholder contaienr app job.

placeholder_job_resource_id

Description: The resource id of the placeholder container app job.

private_dns_zone_subnet_resource_id

Description: The private dns zone id of the container registry.

resource_id

Description: The resource id of the container app environment.

user_assigned_managed_identity_id

Description: The resource id of the user assigned managed identity.

user_assigned_managed_identity_principal_id

Description: The principal id of the user assigned managed identity.

virtual_network_name

Description: The virtual network name.

virtual_network_resource_id

Description: The virtual network resource id.

Modules

The following Modules are called:

container_app_job

Source: ./modules/container-app-job

Version:

container_instance

Source: ./modules/container-instance

Version:

container_registry

Source: ./modules/container-registry

Version:

log_analytics_workspace

Source: Azure/avm-res-operationalinsights-workspace/azurerm

Version: 0.3.3

user_assigned_managed_identity

Source: Azure/avm-res-managedidentity-userassignedidentity/azurerm

Version: 0.3.1

virtual_network

Source: Azure/avm-res-network-virtualnetwork/azurerm

Version: 0.4.0

Data Collection

The software may collect information about you and your use of the software and send it to Microsoft. Microsoft may use this information to provide services and improve our products and services. You may turn off the telemetry as described in the repository. There are also some features in the software that may enable you and Microsoft to collect data from users of your applications. If you use these features, you must comply with applicable law, including providing appropriate notices to users of your applications together with a copy of Microsoft’s privacy statement. Our privacy statement is located at https://go.microsoft.com/fwlink/?LinkID=824704. You can learn more about data collection and use in the help documentation and our privacy statement. Your use of the software operates as your consent to these practices.