Module: github-action-token-rotator

This module deploys a lambda function that runs as a GitHub Application and periodically gets a new GitHub Runner Registration Token from the GitHub API. This token is then stored in AWS Systems Manager Parameter Store.

Usage

module "github_action_token_rotator" {
    source = "cloudposse/github-action-token-rotator/aws"
    # Cloud Posse recommends pinning every module to a specific version
    # version = "x.x.x"
    parameter_store_token_path       = "/github/runners/cloudposse/registrationToken"
    parameter_store_private_key_path = "/github/runners/cloudposse/privateKey"
    github_app_id                    = "111111"
    github_app_installation_id       = "22222222"
    github_org                       = "cloudposse"
}

Quick Start

1. Browse to https://github.com/organizations/{YOUR_ORG}/settings/apps and click the New GitHub App button
2. Set the name to "GitHub Action Token Rotator"
3. Set the Homepage URL to https://github.com/cloudposse/lambda-github-action-token-rotator
4. Uncheck the Active checkbox under the Webhook heading
5. Select Read and write under Organization permissions -> Self-hosted runners
6. Click the Create GitHub App button at the bottom of the page
7. Under the Client secrets section, click the Generate a new client secret button
8. Copy the Client secret to a safe place, it will be needed to install the app
9. Under the Private key section, click the Generate a private key button
10. Download the private key to a safe place, it will be needed to install the app
11. Convert the private key to a PEM file using the following command: openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in {DOWNLOADED_FILE_NAME}.pem -out private-key-pkcs8.key
12. Base64 encode the private key using the following command: cat private-key-pkcs8.key | base64
13. Copy the Base64 value to AWS SSM Parameter store at /github/runners/${YOUR_GITHUB_ORG}/privateKey