Merge remote-tracking branch 'upstream/main' into d-costa/update

.github/labeler.yaml

@@ -0,0 +1,20 @@
+github-actions:
+  - changed-files:
+      - any-glob-to-any-file:
+        - '.github/**'
+
+documentation:
+  - changed-files:
+      - any-glob-to-any-file:
+        - 'README.md'
+        - '**/*.md'
+
+legal:
+  - changed-files:
+      - any-glob-to-any-file:
+        - 'LICENSE'
+
+examples:
+  - changed-files:
+      - any-glob-to-any-file:
+        - 'example/**'

.github/stale.yaml

@@ -0,0 +1,17 @@
+# Number of days of inactivity before an issue becomes stale
+daysUntilStale: 30
+# Number of days of inactivity before a stale issue is closed
+daysUntilClose: 14
+# Issues with these labels will never be considered stale
+exemptLabels:
+  - pinned
+  - security
+# Label to use when marking an issue as stale
+staleLabel: wontfix
+# Comment to post when marking an issue as stale. Set to `false` to disable
+markComment: >
+  This issue has been automatically marked as stale because it has not had
+  recent activity. It will be closed if no further activity occurs. Thank you
+  for your contributions.
+# Comment to post when closing a stale issue. Set to `false` to disable
+closeComment: false

.github/workflows/ci.yaml

@@ -0,0 +1,68 @@
+name: ci
+on:
+  - pull_request
+
+jobs:
+  ci:
+    runs-on: ubuntu-latest
+    permissions:
+      # Give the default GITHUB_TOKEN write permission to commit and push the
+      # added or changed files to the repository.
+      contents: write
+
+    steps:
+      # Setup dependencies
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.ref }}
+          repository: ${{ github.event.pull_request.head.repo.full_name }}
+
+      # Run a couple of native Terraform checks
+      - uses: hashicorp/setup-terraform@v3
+      - run: terraform init
+      - run: terraform fmt -recursive -check
+      - run: terraform validate
+
+      # Checkov
+      - uses: bridgecrewio/checkov-action@v12
+        with:
+          directory: .
+          quiet: true
+          skip_check: CKV_TF_1,CKV_GCP_32,CKV_GCP_34,CKV2_GCP_18
+          framework: terraform
+
+      # Terraform-docs
+      - uses: terraform-docs/[email protected]
+        id: terraform-docs
+        with:
+          working-dir: .
+          output-file: README.md
+          output-method: inject
+          fail-on-diff: true
+          args: --lockfile=false
+          git-push: 'false'
+
+      # Push Terraform-docs changes
+      - uses: planetscale/[email protected]
+        # Run this step even if previous steps fails (there are changes to commit)
+        # but skip when on forks
+        if: ${{ !cancelled() && github.repository_owner == 'runatlantis' }}
+        with:
+          commit_message: "terraform-docs: automated action"
+          repo: ${{ github.repository }}
+          branch: ${{ github.head_ref || github.ref_name }}
+          file_pattern: 'README.md'
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      # Print instructions to run terraform-docs locally if changes are needed and workflow is running on fork
+      - if: ${{ !cancelled() && github.repository_owner != 'runatlantis' && steps.terraform-docs.outputs.num_changed > 0 }}
+        run: |
+          echo '### Please run terraform-docs locally and commit the changes:' >> $GITHUB_STEP_SUMMARY
+          echo '' >> $GITHUB_STEP_SUMMARY
+          echo '```sh' >> $GITHUB_STEP_SUMMARY
+          echo 'docker run --rm --volume "$(pwd):/terraform-docs" -u $(id -u) quay.io/terraform-docs/terraform-docs:0.17.0 markdown --output-file README.md --output-mode inject /terraform-docs' >> $GITHUB_STEP_SUMMARY
+          echo 'git add README.md' >> $GITHUB_STEP_SUMMARY
+          echo 'git commit --amend --no-edit' >> $GITHUB_STEP_SUMMARY
+          echo '```' >> $GITHUB_STEP_SUMMARY
+          echo '' >> $GITHUB_STEP_SUMMARY

.github/workflows/triage-ci.yaml

@@ -0,0 +1,14 @@
+name: "Triage PRs"
+on:
+- pull_request_target
+
+jobs:
+  triage:
+    permissions:
+      contents: read
+      pull-requests: write
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/labeler@v5
+      with:
+        configuration-path: .github/labeler.yaml

.github/workflows/triage.yaml

@@ -0,0 +1,18 @@
+name: Label issues
+on:
+  issues:
+    types:
+      - reopened
+      - opened
+jobs:
+  label_issues:
+    runs-on: ubuntu-latest
+    permissions:
+      issues: write
+    steps:
+      - run: gh issue edit "$NUMBER" --add-label "$LABELS"
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GH_REPO: ${{ github.repository }}
+          NUMBER: ${{ github.event.issue.number }}
+          LABELS: needs-triage

.gitignore

@@ -30,3 +30,8 @@ override.tf.json
 
 # Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
 # example: *tfplan*
+
+# Checkov files
+checkov-problem-matcher-softfail.json
+checkov-problem-matcher.json
+results.sarif

CODEOWNERS

@@ -0,0 +1 @@
+* @runatlantis/terraform-contributors

README.md

@@ -1,29 +1,36 @@
 # Atlantis on Google Compute Engine
 
+![Header](./static/banner.png)
+
 This Terraform module deploys various resources to run Atlantis on Google Compute Engine.
 
-- [Feature highlights](#feature-highlights)
-- [Prerequisites](#prerequisites)
-- [Example Usage](#example-usage)
-  - [Basic](examples/basic)
-  - [Complete](examples/complete)
-  - [Cloud Armor](examples/cloud-armor)
-  - [Secured Environment Variables](examples/secure-env-vars)
-- [How to deploy](#how-to-deploy)
-  - [Important](#important)
-  - [After it's successfully deployed](#after-its-successfully-deployed)
-- [Configuring Atlantis](#configuring-atlantis)
-  - [Setting sensitive environment variables](#setting-sensitive-environment-variables)
-- [Service Account](#service-account)
-  - [Permissions](#permissions)
-- [DNS Record](#dns-record)
-  - [Example](#example)
-- [Identity-Aware Proxy](#identity-aware-proxy)
-  - [Enabling IAP](#enabling-iap)
-  - [What's exactly protected?](#whats-exactly-protected)
-  - [Permissions](#permissions)
-- [FAQ](#faq)
-- [Requirements](#requirements)
+- [Atlantis on Google Compute Engine](#atlantis-on-google-compute-engine)
+  - [Feature highlights](#feature-highlights)
+  - [Prerequisites](#prerequisites)
+  - [Example Usage](#example-usage)
+  - [How to deploy](#how-to-deploy)
+    - [Important](#important)
+    - [After it's successfully deployed](#after-its-successfully-deployed)
+  - [Configuring Atlantis](#configuring-atlantis)
+    - [Setting sensitive environment variables](#setting-sensitive-environment-variables)
+  - [Service Account](#service-account)
+    - [Permissions](#permissions)
+  - [DNS Record](#dns-record)
+    - [Example](#example)
+  - [Identity-Aware Proxy](#identity-aware-proxy)
+    - [Enabling IAP](#enabling-iap)
+    - [What's exactly protected?](#whats-exactly-protected)
+    - [Permissions](#permissions-1)
+  - [FAQ](#faq)
+    - [When sending an HTTP request, I'm receiving an ERR\_EMPTY\_RESPONSE error](#when-sending-an-http-request-im-receiving-an-err_empty_response-error)
+    - [My VM experienced an outage and is taking some time to restart](#my-vm-experienced-an-outage-and-is-taking-some-time-to-restart)
+    - [Even though terraform apply worked correctly, I'm receiving an ERR\_SSL\_VERSION\_OR\_CIPHER\_MISMATCH error](#even-though-terraform-apply-worked-correctly-im-receiving-an-err_ssl_version_or_cipher_mismatch-error)
+  - [Requirements](#requirements)
+  - [Providers](#providers)
+  - [Modules](#modules)
+  - [Resources](#resources)
+  - [Inputs](#inputs)
+  - [Outputs](#outputs)
 
 ## Feature highlights
 
@@ -55,29 +62,28 @@ This module expects that you already own or create the below resources yourself.
 - Service account
 - Domain
 
-If you prefer an example that includes the above resources, see [`complete example`](https://github.com/bschaatsbergen/atlantis-on-gcp-vm/tree/master/examples/complete).
+If you prefer an example that includes the above resources, see [`complete example`](https://github.com/runatlantis/terraform-gce-atlantis/tree/master/examples/complete).
 
 ## Example Usage
 
 Here are some examples to choose from. Look at the prerequisites above to find one that is appropriate for your configuration.
 
-- [Basic](https://github.com/bschaatsbergen/atlantis-on-gcp-vm/tree/master/examples/basic)
-- [Complete](https://github.com/bschaatsbergen/atlantis-on-gcp-vm/tree/master/examples/complete)
-- [Secure Environment Variables](https://github.com/bschaatsbergen/atlantis-on-gcp-vm/tree/master/examples/secure-env-vars)
-- [Cloud Armor](https://github.com/bschaatsbergen/atlantis-on-gcp-vm/tree/master/examples/cloud-armor)
-- [Shared VPC](https://github.com/bschaatsbergen/atlantis-on-gcp-vm/tree/master/examples/shared-vpc)
+- [Basic](https://github.com/runatlantis/terraform-gce-atlantis/tree/master/examples/basic)
+- [Complete](https://github.com/runatlantis/terraform-gce-atlantis/tree/master/examples/complete)
+- [Secure Environment Variables](https://github.com/runatlantis/terraform-gce-atlantis/tree/master/examples/secure-env-vars)
+- [Cloud Armor](https://github.com/runatlantis/terraform-gce-atlantis/tree/master/examples/cloud-armor)
+- [Shared VPC](https://github.com/runatlantis/terraform-gce-atlantis/tree/master/examples/shared-vpc)
 
 ```hcl
 module "atlantis" {
-  source  = "bschaatsbergen/atlantis/gce"
-  version = "1.3.1"
+  source  = "runatlantis/atlantis/gce"
   # insert the 7 required variables here
 }
 ```
 
 ## How to deploy
 
-See [`main.tf`](https://github.com/bschaatsbergen/atlantis-on-gcp-vm/tree/master/examples/basic/main.tf) and the [`server-atlantis.yaml`](https://github.com/bschaatsbergen/atlantis-on-gcp-vm/tree/master/examples/basic/server-atlantis.yaml).
+See [`main.tf`](https://github.com/runatlantis/terraform-gce-atlantis/tree/master/examples/basic/main.tf) and the [`server-atlantis.yaml`](https://github.com/runatlantis/terraform-gce-atlantis/tree/master/examples/basic/server-atlantis.yaml).
 
 ### Important
 
@@ -105,7 +111,7 @@ For an overview of all possible environment variables, see: [Atlantis Server Con
 
 ### Setting sensitive environment variables
 
-See [secured environment variables](https://github.com/bschaatsbergen/atlantis-on-gcp-vm/tree/master/examples/secure-env-vars) for an example on how to deal with sensitive values in environment variables.
+See [secured environment variables](https://github.com/runatlantis/terraform-gce-atlantis/tree/master/examples/secure-env-vars) for an example on how to deal with sensitive values in environment variables.
 
 ## Service Account
 
@@ -117,7 +123,7 @@ Note that you must grant the relevant permissions to your service account yourse
 
 The `roles/logging.logWriter` & `roles/monitoring.metricWriter` roles should be attached to the service account in order to write logs to Cloud Logging and ingest metric data into Cloud Monitoring.
 
-See [`main.tf`](https://github.com/bschaatsbergen/terraform-gce-atlantis/blob/main/examples/basic/main.tf#L16-L33)
+See [`main.tf`](https://github.com/runatlantis/terraform-gce-atlantis/blob/main/examples/basic/main.tf#L16-L33)
 
 ## DNS Record
 
@@ -129,7 +135,7 @@ It's a requirement to add the A record to the domain record set in order to suce
 
 If you use Cloud DNS and own a managed zone for your domain, use the IP address that's part of the module output to create the A record.
 
-See [`main.tf`](https://github.com/bschaatsbergen/terraform-gce-atlantis/blob/main/examples/basic/main.tf#L60-L71)
+See [`main.tf`](https://github.com/runatlantis/terraform-gce-atlantis/blob/main/examples/basic/main.tf#L60-L71)
 
 ## Identity-Aware Proxy
 
@@ -180,7 +186,8 @@ This error indicates that the Google Cloud Managed SSL certificate is not yet fu
 If all configurations are correct, it may take up to 25 minutes for the certificate to be provisioned.
 You can check the status of the certificate in the Google Cloud Console.
 
-<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+
+<!-- BEGIN_TF_DOCS -->
 ## Requirements
 
 | Name | Version |
@@ -204,7 +211,7 @@ You can check the status of the certificate in the Google Cloud Console.
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_container"></a> [container](#module\_container) | terraform-google-modules/container-vm/google | 3.1.0 |
+| <a name="module_container"></a> [container](#module\_container) | terraform-google-modules/container-vm/google | 3.1.1 |
 
 ## Resources
 
@@ -236,6 +243,7 @@ You can check the status of the certificate in the Google Cloud Console.
 | <a name="input_default_backend_security_policy"></a> [default\_backend\_security\_policy](#input\_default\_backend\_security\_policy) | Name of the security policy to apply to the default backend service | `string` | `null` | no |
 | <a name="input_disk_kms_key_self_link"></a> [disk\_kms\_key\_self\_link](#input\_disk\_kms\_key\_self\_link) | The self link of the encryption key that is stored in Google Cloud KMS | `string` | `null` | no |
 | <a name="input_domain"></a> [domain](#input\_domain) | Domain to associate Atlantis with and to request a managed SSL certificate for. Without `https://` | `string` | n/a | yes |
+| <a name="input_enable_confidential_vm"></a> [enable\_confidential\_vm](#input\_enable\_confidential\_vm) | Enable Confidential VM. If true, on host maintenance will be set to TERMINATE | `bool` | `false` | no |
 | <a name="input_enable_oslogin"></a> [enable\_oslogin](#input\_enable\_oslogin) | Enables OS Login service on the VM | `bool` | `false` | no |
 | <a name="input_env_vars"></a> [env\_vars](#input\_env\_vars) | Key-value pairs representing environment variables and their respective values | `map(any)` | n/a | yes |
 | <a name="input_expose_metrics_publicly"></a> [expose\_metrics\_publicly](#input\_expose\_metrics\_publicly) | Exposes the /metrics endpoint publicly even if Atlantis is protected by IAP | `bool` | `false` | no |
@@ -254,6 +262,7 @@ You can check the status of the certificate in the Google Cloud Console.
 | <a name="input_project"></a> [project](#input\_project) | The ID of the project in which the resource belongs | `string` | `null` | no |
 | <a name="input_region"></a> [region](#input\_region) | The region that resources should be created in | `string` | n/a | yes |
 | <a name="input_service_account"></a> [service\_account](#input\_service\_account) | Service account to attach to the instance running Atlantis | <pre>object({<br>    email  = string,<br>    scopes = list(string)<br>  })</pre> | <pre>{<br>  "email": "",<br>  "scopes": [<br>    "cloud-platform"<br>  ]<br>}</pre> | no |
+| <a name="input_shared_vpc"></a> [shared\_vpc](#input\_shared\_vpc) | Whether to deploy within a shared VPC | <pre>object({<br>    host_project_id = string<br>  })</pre> | `null` | no |
 | <a name="input_shielded_instance_config"></a> [shielded\_instance\_config](#input\_shielded\_instance\_config) | Shielded VM provides verifiable integrity to prevent against malware and rootkits | <pre>object({<br>    enable_integrity_monitoring = optional(bool)<br>    enable_vtpm                 = optional(bool)<br>    enable_secure_boot          = optional(bool)<br>  })</pre> | <pre>{<br>  "enable_integrity_monitoring": true,<br>  "enable_secure_boot": true,<br>  "enable_vtpm": true<br>}</pre> | no |
 | <a name="input_spot_machine_enabled"></a> [spot\_machine\_enabled](#input\_spot\_machine\_enabled) | A Spot VM is discounted Compute Engine capacity that may be preemptively stopped or deleted by Compute Engine if the capacity is needed | `bool` | `false` | no |
 | <a name="input_ssl_policy"></a> [ssl\_policy](#input\_ssl\_policy) | The SSL policy name that the certificate must follow | `string` | `null` | no |
@@ -271,4 +280,4 @@ You can check the status of the certificate in the Google Cloud Console.
 | <a name="output_ip_address"></a> [ip\_address](#output\_ip\_address) | The IPv4 address of the load balancer |
 | <a name="output_managed_ssl_certificate_certificate_id"></a> [managed\_ssl\_certificate\_certificate\_id](#output\_managed\_ssl\_certificate\_certificate\_id) | The unique identifier of the Google Managed SSL certificate |
 | <a name="output_managed_ssl_certificate_expire_time"></a> [managed\_ssl\_certificate\_expire\_time](#output\_managed\_ssl\_certificate\_expire\_time) | Expire time of the Google Managed SSL certificate |
-<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+<!-- END_TF_DOCS -->

examples/basic/README.md

@@ -14,11 +14,11 @@ This module expects that you already own or create the below resources yourself.
 - Service account, [specifics can be found here](../../README.md#service-account)
 - Domain, [specifics can be found here](../../README.md#dns-record)
 
-If you prefer an example that includes the above resources, see [`complete example`](https://github.com/bschaatsbergen/atlantis-on-gcp-vm/tree/master/examples/complete).
+If you prefer an example that includes the above resources, see [`complete example`](https://github.com/runatlantis/terraform-gce-atlantis/tree/master/examples/complete).
 
 ## How to deploy
 
-See [`main.tf`](https://github.com/bschaatsbergen/atlantis-on-gcp-vm/tree/master/examples/basic/main.tf) and the [`server-atlantis.yaml`](https://github.com/bschaatsbergen/atlantis-on-gcp-vm/tree/master/examples/basic/server-atlantis.yaml).
+See [`main.tf`](https://github.com/runatlantis/terraform-gce-atlantis/tree/master/examples/basic/main.tf) and the [`server-atlantis.yaml`](https://github.com/runatlantis/terraform-gce-atlantis/tree/master/examples/basic/server-atlantis.yaml).
 
 ## After it's successfully deployed