Skip to main content

Component: actions-runner-controller

This component creates a Helm release for actions-runner-controller on an EKS cluster.


Stack Level: Regional

Once the catalog file is created, the file can be imported as follows.

- catalog/eks/actions-runner-controller

The default catalog values e.g. stacks/catalog/eks/actions-runner-controller.yaml

workspace_enabled: true
enabled: true
name: "actions-runner" # avoids hitting name length limit on IAM role
chart: "actions-runner-controller"
chart_repository: ""
chart_version: "0.21.0"
kubernetes_namespace: "actions-runner-system"
create_namespace: true
cpu: 100m
memory: 128Mi
cpu: 100m
memory: 128Mi
ssm_github_token_path: "/github_runners/controller_github_app_secret"
ssm_github_webhook_secret_token_path: "/github_runners/controller_github_app_secret"
github_app_id: "123456"
github_app_installation_id: "234567890"
enabled: true
hostname_template: "gha-webhook.%[3]v.%[2]v.%[1]"
timeout: 120
type: "repository" # can be either 'organization' or 'repository'
dind_enabled: false # If `true`, a Docker sidecar container will be deployed
# To run Docker in Docker (dind), change image from summerwind/actions-runner to summerwind/actions-runner-dind
image: summerwind/actions-runner
scope: "acme/infrastructure"
scale_down_delay_seconds: 300
min_replicas: 1
max_replicas: 5
cpu: 200m
memory: 256Mi
cpu: 100m
memory: 128Mi
webhook_driven_scaling_enabled: true
pull_driven_scaling_enabled: false
- "Ubuntu"
- "self-hosted"

Generating Required Secrets

AWS SSM is used to store and retrieve secrets.

Decide on the SSM path for the GitHub secret (PAT or Application private key) and GitHub webhook secret.

Since the secret is automatically scoped by AWS to the account and region where the secret is stored, we recommend the secret be stored at /github_runners/controller_github_app_secret unless you plan on running multiple instances of the controller. If you plan on running multiple instances of the controller, and want to give them different access (otherwise they could share the same secret), then you can add a path component to the SSM path. For example /github_runners/cicd/controller_github_app_secret.

ssm_github_secret_path: "/github_runners/controller_github_app_secret"

The preferred way to authenticate is by creating and installing a GitHub App. This is the recommended approach as it allows for more much more restricted access than using a personal access token, at least until fine-grained personal access token permissions are generally available. Follow the instructions here to create and install the GitHub App.

At the creation stage, you will be asked to generate a private key. This is the private key that will be used to authenticate the Action Runner Controller. Download the file and store the contents in SSM using the following command, adjusting the profile and file name. The profile should be the admin role in the account to which you are deploying the runner controller. The file name should be the name of the private key file you downloaded.

AWS_PROFILE=acme-mgmt-use2-auto-admin chamber write github_runners controller_github_app_secret -- "$(cat APP_NAME.DATE.private-key.pem)"

You can verify the file was correctly written to SSM by matching the private key fingerprint reported by GitHub with:

AWS_PROFILE=acme-mgmt-use2-auto-admin chamber read -q github_runners controller_github_app_secret | openssl rsa -in - -pubout -outform DER | openssl sha256 -binary | openssl base64

At this stage, record the Application ID and the private key fingerprint in your secrets manager (e.g. 1Password). You will need the Application ID to configure the runner controller, and want the fingerprint to verify the private key.

Proceed to install the GitHub App in the organization or repository you want to use the runner controller for, and record the Installation ID (the final numeric part of the URL, as explained in the instructions linked above) in your secrets manager. You will need the Installation ID to configure the runner controller.

In your stack configuration, set the following variables, making sure to quote the values so they are treated as strings, not numbers.

github_app_id: "12345"
github_app_installation_id: "12345"

OR (obsolete)

  • A PAT with the scope outlined in this document. Save this to the value specified by ssm_github_token_path using the following command, adjusting the AWS_PROFILE to refer to the admin role in the account to which you are deploying the runner controller:
AWS_PROFILE=acme-mgmt-use2-auto-admin chamber write github_runners controller_github_app_secret -- "<PAT>"
  1. If using the Webhook Driven autoscaling (recommended), generate a random string to use as the Secret when creating the webhook in GitHub.

Generate the string using 1Password (no special characters, length 45) or by running

dd if=/dev/random bs=1 count=33  2>/dev/null | base64

Store this key in AWS SSM under the same path specified by ssm_github_webhook_secret_token_path

ssm_github_webhook_secret_token_path: "/github_runners/github_webhook_secret"

Using Webhook Driven Autoscaling

To use the Webhook Driven autoscaling, you must also install the GitHub organization-level webhook after deploying the component (specifically, the webhook server). The URL for the webhook is determined by the webhook.hostname_template and where it is deployed. Recommended URL is https://gha-webhook.[environment].[stage].[tenant].[service-discovery-domain].

As a GitHub organization admin, go to[organization]/settings/hooks, and then:

  • Click"Add webhook" and create a new webhook with the following settings:
    • Payload URL: copy from Terraform output webhook_payload_url
    • Content type: application/json
    • Secret: whatever you configured in the sops secret above
    • Which events would you like to trigger this webhook:
      • Select "Let me select individual events"
      • Uncheck everything ("Pushes" is likely the only thing already selected)
      • Check "Workflow jobs"
    • Ensure that "Active" is checked (should be checked by default)
    • Click "Add webhook" at the bottom of the settings page

After the webhook is created, select "edit" for the webhook and go to the "Recent Deliveries" tab and verify that there is a delivery (of a "ping" event) with a green check mark. If not, verify all the settings and consult the logs of the actions-runner-controller-github-webhook-server pod.

Updating CRDs

When updating the chart or application version of actions-runner-controller, it is possible you will need to install new CRDs. Such a requirement should be indicated in the actions-runner-controller release notes and may require some adjustment to our custom chart or configuration.

This component uses helm to manage the deployment, and helm will not auto-update CRDs. If new CRDs are needed, install them manually via a command like

kubectl create -f

Useful Reference

Consult actions-runner-controller documentation for further details.


terraform>= 1.3.0
aws>= 4.9.0
helm>= 2.0
kubernetes>= 2.0


aws>= 4.9.0




aws_eks_cluster_auth.eksdata source
aws_ssm_parameter.github_tokendata source
aws_ssm_parameter.github_webhook_secret_tokendata source


additional_tag_mapAdditional key-value pairs to add to each map in tags_as_list_of_maps. Not added to tags or id.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration.
atomicIf set, installation process purges chart on fail. The wait flag will be set automatically if atomic is used.booltrueno
attributesID element. Additional attributes (e.g. workers or cluster) to add to id,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the delimiter
and treated as a single ID element.
chartChart name to be installed. The chart name can be local path, a URL to a chart, or the name of the chart if repository is specified. It is also possible to use the <repository>/<chart> format here if you are running Terraform on a system that the repository has been added to with helm repo add but this is not recommended.stringn/ayes
chart_descriptionSet release description attribute (visible in the history).stringnullno
chart_repositoryRepository URL where to locate the requested chart.stringn/ayes
chart_valuesAdditional values to yamlencode as helm_release values.any{}no
chart_versionSpecify the exact chart version to install. If this is not specified, the latest version is installed.stringnullno
cleanup_on_failAllow deletion of new resources created in this upgrade when upgrade fails.booltrueno
contextSingle object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as null to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional_tag_map, which are merged.
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
create_namespaceCreate the namespace if it does not yet exist. Defaults to false.boolnullno
delimiterDelimiter to be used between ID elements.
Defaults to - (hyphen). Set to "" to use no delimiter at all.
descriptor_formatsDescribe additional descriptors to be output in the descriptors output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
{<br/> format = string<br/> labels = list(string)<br/>}
(Type is any so the map values can later be enhanced to provide additional options.)
format is a Terraform format string to be passed to the format() function.
labels is a list of labels, in order, to pass to format() function.
Label values will be normalized before being passed to format() so they will be
identical to how they appear in id.
Default is {} (descriptors output will be empty).
eks_component_nameThe name of the eks componentstring"eks/cluster"no
enabledSet to false to prevent the module from creating any resourcesboolnullno
environmentID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT'stringnullno
existing_kubernetes_secret_nameIf you are going to create the Kubernetes Secret the runner-controller will use
by some means (such as SOPS) outside of this component, set the name of the secret
here and it will be used. In this case, this component will not create a secret
and you can leave the secret-related inputs with their default (empty) values.
The same secret will be used by both the runner-controller and the webhook-server.
github_app_idThe ID of the GitHub App to use for the runner controller.string""no
github_app_installation_idThe "Installation ID" of the GitHub App to use for the runner controller.string""no
helm_manifest_experiment_enabledEnable storing of the rendered manifest for helm_release so the full diff of what is changing can been seen in the planbooltrueno
id_length_limitLimit id to this many characters (minimum 6).
Set to 0 for unlimited length.
Set to null for keep the existing setting, which defaults to 0.
Does not affect id_full.
import_profile_nameAWS Profile name to use when importing a resourcestringnullno
import_role_arnIAM Role ARN to use when importing a resourcestringnullno
kube_data_auth_enabledIf true, use an aws_eks_cluster_auth data source to authenticate to the EKS cluster.
Disabled by kubeconfig_file_enabled or kube_exec_auth_enabled.
kube_exec_auth_aws_profileThe AWS config profile for aws eks get-token to usestring""no
kube_exec_auth_aws_profile_enabledIf true, pass kube_exec_auth_aws_profile as the profile to aws eks get-tokenboolfalseno
kube_exec_auth_enabledIf true, use the Kubernetes provider exec feature to execute aws eks get-token to authenticate to the EKS cluster.
Disabled by kubeconfig_file_enabled, overrides kube_data_auth_enabled.
kube_exec_auth_role_arnThe role ARN for aws eks get-token to usestring""no
kube_exec_auth_role_arn_enabledIf true, pass kube_exec_auth_role_arn as the role ARN to aws eks get-tokenbooltrueno
kubeconfig_contextContext to choose from the Kubernetes kube config filestring""no
kubeconfig_exec_auth_api_versionThe Kubernetes API version of the credentials returned by the exec auth pluginstring""no
kubeconfig_fileThe Kubernetes provider config_path setting to use when kubeconfig_file_enabled is truestring""no
kubeconfig_file_enabledIf true, configure the Kubernetes provider with kubeconfig_file and use that kubeconfig file for authenticating to the EKS clusterboolfalseno
kubernetes_namespaceThe namespace to install the release into.stringn/ayes
label_key_caseControls the letter case of the tags keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the tags input.
Possible values: lower, title, upper.
Default value: title.
label_orderThe order in which the labels (ID elements) appear in the id.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present.
label_value_caseControls the letter case of ID elements (labels) as included in id,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the tags input.
Possible values: lower, title, upper and none (no transformation).
Set this to title and set delimiter to "" to yield Pascal Case IDs.
Default value: lower.
labels_as_tagsSet of labels (ID elements) to include as tags in the tags output.
Default is to include all labels.
Tags with empty values will not be included in the tags output.
Set to [] to suppress all generated tags.
The value of the name tag, if included, will be the id, not the name.
Unlike other null-label inputs, the initial setting of labels_as_tags cannot be
changed in later chained modules. Attempts to change it will be silently ignored.
nameID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a tag.
The "name" tag is set to the full id string. There is no tag with the value of the name input.
namespaceID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally uniquestringnullno
rbac_enabledService Account for pods.booltrueno
regex_replace_charsTerraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, "/[^a-zA-Z0-9-]/" is used to remove all characters other than hyphens, letters and digits.
regionAWS Region.stringn/ayes
resourcesThe cpu and memory of the deployment's limits and requests.
limits = object({
cpu = string
memory = string
requests = object({
cpu = string
memory = string
runnersMap of Action Runner configurations, with the key being the name of the runner. Please note that the name must be in

For example:
organization_runner = {
type = "organization" # can be either 'organization' or 'repository'
dind_enabled: false # A Docker sidecar container will be deployed
image: summerwind/actions-runner # If dind_enabled=true, set this to 'summerwind/actions-runner-dind'
scope = "ACME" # org name for Organization runners, repo name for Repository runners
scale_down_delay_seconds = 300
min_replicas = 1
max_replicas = 5
busy_metrics = {
scale_up_threshold = 0.75
scale_down_threshold = 0.25
scale_up_factor = 2
scale_down_factor = 0.5
labels = [
type = string
scope = string
image = optional(string, "")
dind_enabled = bool
scale_down_delay_seconds = number
min_replicas = number
max_replicas = number
busy_metrics = optional(object({
scale_up_threshold = string
scale_down_threshold = string
scale_up_adjustment = optional(string)
scale_down_adjustment = optional(string)
scale_up_factor = optional(string)
scale_down_factor = optional(string)
webhook_driven_scaling_enabled = bool
webhook_startup_timeout = optional(string, null)
pull_driven_scaling_enabled = bool
labels = list(string)
storage = optional(string, null)
pvc_enabled = optional(string, false)
resources = object({
limits = object({
cpu = string
memory = string
ephemeral_storage = optional(string, null)
requests = object({
cpu = string
memory = string
s3_bucket_arnsList of ARNs of S3 Buckets to which the runners will have read-write access to.list(string)[]no
ssm_github_secret_pathThe path in SSM to the GitHub app private key file contents or GitHub PAT token.string""no
ssm_github_webhook_secret_token_pathThe path in SSM to the GitHub Webhook Secret token.string""no
stageID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release'stringnullno
tagsAdditional tags (e.g. {'BusinessUnit': 'XYZ'}).
Neither the tag keys nor the tag values will be modified by this module.
tenantID element _(Rarely used, not included by default)_. A customer identifier, indicating who this instance of a resource is forstringnullno
timeoutTime in seconds to wait for any individual kubernetes operation (like Jobs for hooks). Defaults to 300 secondsnumbernullno
waitWill wait until all resources are in a ready state before marking the release as successful. It will wait for as long as timeout. Defaults to true.boolnullno
webhookConfiguration for the GitHub Webhook Server.
hostname_template is the format() string to use to generate the hostname via format(var.hostname_template, var.tenant, var.stage, var.environment)"
Typically something like "echo.%[3]v.%[2]".
enabled = bool
hostname_template = string
"enabled": false,
"hostname_template": null


metadataBlock status of the deployed release
metadata_action_runner_releasesBlock statuses of the deployed actions-runner chart releases
webhook_payload_urlPayload URL for GitHub webhook