diff --git a/.github/labeler.yaml b/.github/labeler.yaml new file mode 100644 index 0000000..dedaded --- /dev/null +++ b/.github/labeler.yaml @@ -0,0 +1,20 @@ +github-actions: + - changed-files: + - any-glob-to-any-file: + - '.github/**' + +documentation: + - changed-files: + - any-glob-to-any-file: + - 'README.md' + - '**/*.md' + +legal: + - changed-files: + - any-glob-to-any-file: + - 'LICENSE' + +examples: + - changed-files: + - any-glob-to-any-file: + - 'example/**' diff --git a/.github/stale.yaml b/.github/stale.yaml new file mode 100644 index 0000000..9a6f235 --- /dev/null +++ b/.github/stale.yaml @@ -0,0 +1,17 @@ +# Number of days of inactivity before an issue becomes stale +daysUntilStale: 30 +# Number of days of inactivity before a stale issue is closed +daysUntilClose: 14 +# Issues with these labels will never be considered stale +exemptLabels: + - pinned + - security +# Label to use when marking an issue as stale +staleLabel: wontfix +# Comment to post when marking an issue as stale. Set to `false` to disable +markComment: > + This issue has been automatically marked as stale because it has not had + recent activity. It will be closed if no further activity occurs. Thank you + for your contributions. +# Comment to post when closing a stale issue. Set to `false` to disable +closeComment: false diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml new file mode 100644 index 0000000..97d0c80 --- /dev/null +++ b/.github/workflows/ci.yaml 
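Review bot: The `examples` rule's glob `'example/**'` does not match this repository's directory, which is `examples/` (the paths elsewhere in this same commit are `examples/basic/main.tf`, `examples/complete/main.tf`, …), so that label would never be applied; change the entry to `- 'examples/**'`. The `documentation` rule lists both `'README.md'` and `'**/*.md'`; the second already covers the first, and it will also tag the example READMEs as documentation, which may or may not be intended.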
@@ -0,0 +1,68 @@ +name: ci +on: + - pull_request + +jobs: + ci: + runs-on: ubuntu-latest + permissions: + # Give the default GITHUB_TOKEN write permission to commit and push the + # added or changed files to the repository. + contents: write + + steps: + # Setup dependencies + - uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.ref }} + repository: ${{ github.event.pull_request.head.repo.full_name }} + + # Run a couple of native Terraform checks + - uses: hashicorp/setup-terraform@v3 + - run: terraform init + - run: terraform fmt -recursive -check + - run: terraform validate + + # Checkov + - uses: bridgecrewio/checkov-action@v12 + with: + directory: . + quiet: true + skip_check: CKV_TF_1,CKV_GCP_32,CKV_GCP_34,CKV2_GCP_18,CKV_TF_2 + framework: terraform + + # Terraform-docs + - uses: terraform-docs/gh-actions@v1.1.0 + id: terraform-docs + with: + working-dir: . + output-file: README.md + output-method: inject + fail-on-diff: true + args: --lockfile=false + git-push: 'false' + + # Push Terraform-docs changes + - uses: planetscale/ghcommit-action@v0.1.38 + # Run this step even if previous steps fails (there are changes to commit) + # but skip when on forks + if: ${{ !cancelled() && github.repository_owner == 'runatlantis' }} + with: + commit_message: "terraform-docs: automated action" + repo: ${{ github.repository }} + branch: ${{ github.head_ref || github.ref_name }} + file_pattern: 'README.md' + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + # Print instructions to run terraform-docs locally if changes are needed and workflow is running on fork + - if: ${{ !cancelled() && github.repository_owner != 'runatlantis' && steps.terraform-docs.outputs.num_changed > 0 }} + run: | + echo '### Please run terraform-docs locally and commit the changes:' >> $GITHUB_STEP_SUMMARY + echo '' >> $GITHUB_STEP_SUMMARY + echo '```sh' >> $GITHUB_STEP_SUMMARY + echo 'docker run --rm --volume "$(pwd):/terraform-docs" -u $(id -u) 
quay.io/terraform-docs/terraform-docs:0.17.0 markdown --output-file README.md --output-mode inject /terraform-docs' >> $GITHUB_STEP_SUMMARY + echo 'git add README.md' >> $GITHUB_STEP_SUMMARY + echo 'git commit --amend --no-edit' >> $GITHUB_STEP_SUMMARY + echo '```' >> $GITHUB_STEP_SUMMARY + echo '' >> $GITHUB_STEP_SUMMARY diff --git a/.github/workflows/pre-commit.yaml b/.github/workflows/pre-commit.yaml deleted file mode 100644 index 7d1a97c..0000000 --- a/.github/workflows/pre-commit.yaml +++ /dev/null @@ -1,38 +0,0 @@ -name: precommit -on: - pull_request: -permissions: - contents: read -defaults: - run: - shell: bash -jobs: - precommit: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v3 - - name: Set up Python - uses: actions/setup-python@v2 - with: - python-version: 3.8 - - name: Create virtual environment - run: python3 -m venv venv && source venv/bin/activate - - name: Install pre-commit and checkov - run: | - python3 -m pip install --upgrade pip - python3 -m pip install pre-commit==3.5.0 checkov==2.5.10 - - name: install terraform-docs - run: | - curl -sSLo ./terraform-docs.tar.gz https://terraform-docs.io/dl/v0.16.0/terraform-docs-v0.16.0-$(uname)-amd64.tar.gz - tar -xzf terraform-docs.tar.gz - chmod +x terraform-docs - mv terraform-docs /usr/local/bin/ - - name: Cache packages - uses: actions/cache@v2 - with: - path: ~/.cache/pip - key: ${{ runner.os }}-pip-${{ hashFiles('**/requirements.txt') }} - restore-keys: | - ${{ runner.os }}-pip- - - name: Run pre-commit - run: pre-commit run --show-diff-on-failure --color=always --all-files diff --git a/.github/workflows/triage-ci.yaml b/.github/workflows/triage-ci.yaml new file mode 100644 index 0000000..8143e18 --- /dev/null +++ b/.github/workflows/triage-ci.yaml 
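Review bot: The `if:` guard on the ghcommit-action step (`github.repository_owner == 'runatlantis'`) does not skip PRs opened from forks, as the step comment says it should: for a `pull_request` event that context holds the owner of the base repository, so it is `runatlantis` for fork PRs too, and the step then tries to push with a read-only `GITHUB_TOKEN` to `repo: ${{ github.repository }}` on a branch name (`github.head_ref`) that only exists in the fork. The summary step, gated on the same value with `!=`, is by the same reasoning never reached for fork PRs to this repository. If fork PRs are the case meant, gate on the head repository instead: `if: ${{ !cancelled() && github.event.pull_request.head.repo.full_name == github.repository }}` for the push and the `!=` form for the summary (the current guard only distinguishes the workflow running inside a fork's own repository). Separately, `contents: write` is granted job-wide, so on same-repo PRs `terraform init`, the checkov action and the terraform-docs action all run under the write token; moving the push into its own job would keep that scope on the one step that needs it.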
@@ -0,0 +1,14 @@ +name: "Triage PRs" +on: +- pull_request_target + +jobs: + triage: + permissions: + contents: read + pull-requests: write + runs-on: ubuntu-latest + steps: + - uses: actions/labeler@v5 + with: + configuration-path: .github/labeler.yaml diff --git a/.github/workflows/triage.yaml b/.github/workflows/triage.yaml new file mode 100644 index 0000000..bf96abb --- /dev/null +++ b/.github/workflows/triage.yaml @@ -0,0 +1,18 @@ +name: Label issues +on: + issues: + types: + - reopened + - opened +jobs: + label_issues: + runs-on: ubuntu-latest + permissions: + issues: write + steps: + - run: gh issue edit "$NUMBER" --add-label "$LABELS" + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GH_REPO: ${{ github.repository }} + NUMBER: ${{ github.event.issue.number }} + LABELS: needs-triage diff --git a/.gitignore b/.gitignore index 53074ba..06948e9 100644 --- a/.gitignore +++ b/.gitignore @@ -30,3 +30,8 @@ override.tf.json # Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan # example: *tfplan* + +# Checkov files +checkov-problem-matcher-softfail.json +checkov-problem-matcher.json +results.sarif \ No newline at end of file diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml deleted file mode 100644 index f5bb6d1..0000000 --- a/.pre-commit-config.yaml +++ /dev/null @@ -1,22 +0,0 @@ -repos: - - repo: https://github.com/antonbabenko/pre-commit-terraform - rev: v1.74.1 - hooks: - - id: terraform_checkov - args: - - --args=--quiet - - --args=--compact - - --args=--framework=terraform - - --args=--skip-check=CKV_TF_1,CKV_GCP_32,CKV_GCP_34,CKV2_GCP_18 - - id: terraform_fmt - exclude: ^examples/ - - id: terraform_validate - exclude: ^examples/ - - id: terraform_docs - args: ["--args=--lockfile=false"] - exclude: ^examples/ - - - repo: https://github.com/pre-commit/pre-commit-hooks - rev: v3.4.0 - hooks: - - id: check-merge-conflict diff --git a/CODEOWNERS b/CODEOWNERS new file mode 100644 index 0000000..629f30d --- /dev/null 
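Review bot: `actions/labeler@v5` is referenced by a mutable tag in a `pull_request_target` workflow that holds `pull-requests: write`; that trigger runs in this repository's context for PRs from any fork, so whatever the tag resolves to at run time executes with that token. Pin the action to a full commit SHA and keep the tag as a comment, e.g. `- uses: actions/labeler@<full-commit-sha> # v5`, and do the same for the actions in `.github/workflows/ci.yaml` (`actions/checkout@v4`, `hashicorp/setup-terraform@v3`, `bridgecrewio/checkov-action@v12`, `terraform-docs/gh-actions@v1.1.0`, `planetscale/ghcommit-action@v0.1.38`). The job itself is otherwise laid out safely: it does not check out the PR head and scopes `contents` to `read`.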
+++ b/CODEOWNERS @@ -0,0 +1 @@ +* @runatlantis/terraform-contributors diff --git a/README.md b/README.md index 7700dcf..c7cccd6 100644 --- a/README.md +++ b/README.md 
@@ -1,29 +1,36 @@ # Atlantis on Google Compute Engine +![Header](./static/banner.png) + This Terraform module deploys various resources to run Atlantis on Google Compute Engine. -- [Feature highlights](#feature-highlights) -- [Prerequisites](#prerequisites) -- [Example Usage](#example-usage) - - [Basic](examples/basic) - - [Complete](examples/complete) - - [Cloud Armor](examples/cloud-armor) - - [Secured Environment Variables](examples/secure-env-vars) -- [How to deploy](#how-to-deploy) - - [Important](#important) - - [After it's successfully deployed](#after-its-successfully-deployed) -- [Configuring Atlantis](#configuring-atlantis) - - [Setting sensitive environment variables](#setting-sensitive-environment-variables) -- [Service Account](#service-account) - - [Permissions](#permissions) -- [DNS Record](#dns-record) - - [Example](#example) -- [Identity-Aware Proxy](#identity-aware-proxy) - - [Enabling IAP](#enabling-iap) - - [What's exactly protected?](#whats-exactly-protected) - - [Permissions](#permissions) -- [FAQ](#faq) -- [Requirements](#requirements) +- [Atlantis on Google Compute Engine](#atlantis-on-google-compute-engine) + - [Feature highlights](#feature-highlights) + - [Prerequisites](#prerequisites) + - [Example Usage](#example-usage) + - [How to deploy](#how-to-deploy) + - [Important](#important) + - [After it's successfully deployed](#after-its-successfully-deployed) + - [Configuring Atlantis](#configuring-atlantis) + - [Setting sensitive environment variables](#setting-sensitive-environment-variables) + - [Service Account](#service-account) + - [Permissions](#permissions) + - [DNS Record](#dns-record) + - [Example](#example) + - [Identity-Aware Proxy](#identity-aware-proxy) + - [Enabling IAP](#enabling-iap) + - [What's exactly protected?](#whats-exactly-protected) + - [Permissions](#permissions-1) + - [FAQ](#faq) + - [When sending an HTTP request, I'm receiving an ERR\_EMPTY\_RESPONSE 
error](#when-sending-an-http-request-im-receiving-an-err_empty_response-error) + - [My VM experienced an outage and is taking some time to restart](#my-vm-experienced-an-outage-and-is-taking-some-time-to-restart) + - [Even though terraform apply worked correctly, I'm receiving an ERR\_SSL\_VERSION\_OR\_CIPHER\_MISMATCH error](#even-though-terraform-apply-worked-correctly-im-receiving-an-err_ssl_version_or_cipher_mismatch-error) + - [Requirements](#requirements) + - [Providers](#providers) + - [Modules](#modules) + - [Resources](#resources) + - [Inputs](#inputs) + - [Outputs](#outputs) ## Feature highlights 
@@ -55,29 +62,28 @@ This module expects that you already own or create the below resources yourself. - Service account - Domain -If you prefer an example that includes the above resources, see [`complete example`](https://github.com/bschaatsbergen/atlantis-on-gcp-vm/tree/master/examples/complete). +If you prefer an example that includes the above resources, see [`complete example`](https://github.com/runatlantis/terraform-gce-atlantis/tree/master/examples/complete). ## Example Usage Here are some examples to choose from. Look at the prerequisites above to find one that is appropriate for your configuration. -- [Basic](https://github.com/bschaatsbergen/atlantis-on-gcp-vm/tree/master/examples/basic) -- [Complete](https://github.com/bschaatsbergen/atlantis-on-gcp-vm/tree/master/examples/complete) -- [Secure Environment Variables](https://github.com/bschaatsbergen/atlantis-on-gcp-vm/tree/master/examples/secure-env-vars) -- [Cloud Armor](https://github.com/bschaatsbergen/atlantis-on-gcp-vm/tree/master/examples/cloud-armor) -- [Shared VPC](https://github.com/bschaatsbergen/atlantis-on-gcp-vm/tree/master/examples/shared-vpc) +- [Basic](https://github.com/runatlantis/terraform-gce-atlantis/tree/master/examples/basic) +- [Complete](https://github.com/runatlantis/terraform-gce-atlantis/tree/master/examples/complete) +- [Secure Environment Variables](https://github.com/runatlantis/terraform-gce-atlantis/tree/master/examples/secure-env-vars) +- [Cloud Armor](https://github.com/runatlantis/terraform-gce-atlantis/tree/master/examples/cloud-armor) +- [Shared VPC](https://github.com/runatlantis/terraform-gce-atlantis/tree/master/examples/shared-vpc) ```hcl module "atlantis" { - source = "bschaatsbergen/atlantis/gce" - version = "1.3.1" + source = "runatlantis/atlantis/gce" # insert the 7 required variables here } ``` ## How to deploy -See [`main.tf`](https://github.com/bschaatsbergen/atlantis-on-gcp-vm/tree/master/examples/basic/main.tf) and the 
[`server-atlantis.yaml`](https://github.com/bschaatsbergen/atlantis-on-gcp-vm/tree/master/examples/basic/server-atlantis.yaml). +See [`main.tf`](https://github.com/runatlantis/terraform-gce-atlantis/tree/master/examples/basic/main.tf) and the [`server-atlantis.yaml`](https://github.com/runatlantis/terraform-gce-atlantis/tree/master/examples/basic/server-atlantis.yaml). ### Important @@ -105,7 +111,7 @@ For an overview of all possible environment variables, see: [Atlantis Server Con ### Setting sensitive environment variables -See [secured environment variables](https://github.com/bschaatsbergen/atlantis-on-gcp-vm/tree/master/examples/secure-env-vars) for an example on how to deal with sensitive values in environment variables. +See [secured environment variables](https://github.com/runatlantis/terraform-gce-atlantis/tree/master/examples/secure-env-vars) for an example on how to deal with sensitive values in environment variables. ## Service Account @@ -117,7 +123,7 @@ Note that you must grant the relevant permissions to your service account yourse The `roles/logging.logWriter` & `roles/monitoring.metricWriter` roles should be attached to the service account in order to write logs to Cloud Logging and ingest metric data into Cloud Monitoring. -See [`main.tf`](https://github.com/bschaatsbergen/terraform-gce-atlantis/blob/main/examples/basic/main.tf#L16-L33) +See [`main.tf`](https://github.com/runatlantis/terraform-gce-atlantis/blob/main/examples/basic/main.tf#L16-L33) ## DNS Record @@ -129,7 +135,7 @@ It's a requirement to add the A record to the domain record set in order to suce If you use Cloud DNS and own a managed zone for your domain, use the IP address that's part of the module output to create the A record. -See [`main.tf`](https://github.com/bschaatsbergen/terraform-gce-atlantis/blob/main/examples/basic/main.tf#L60-L71) +See [`main.tf`](https://github.com/runatlantis/terraform-gce-atlantis/blob/main/examples/basic/main.tf#L60-L71) ## Identity-Aware Proxy 
@@ -180,7 +186,7 @@ This error indicates that the Google Cloud Managed SSL certificate is not yet fu If all configurations are correct, it may take up to 25 minutes for the certificate to be provisioned. You can check the status of the certificate in the Google Cloud Console. - + ## Requirements | Name | Version | @@ -204,15 +210,17 @@ You can check the status of the certificate in the Google Cloud Console. | Name | Source | Version | |------|--------|---------| -| [container](#module\_container) | terraform-google-modules/container-vm/google | 3.1.0 | +| [container](#module\_container) | terraform-google-modules/container-vm/google | 3.1.1 | ## Resources | Name | Type | |------|------| | [google-beta_google_compute_instance_group_manager.default](https://registry.terraform.io/providers/hashicorp/google-beta/latest/docs/resources/google_compute_instance_group_manager) | resource | +| [google_compute_autoscaler.default](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_autoscaler) | resource | | [google_compute_backend_service.default](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_backend_service) | resource | | [google_compute_backend_service.iap](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_backend_service) | resource | +| [google_compute_disk.persistent](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_disk) | resource | | [google_compute_firewall.lb_health_check](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_firewall) | resource | | [google_compute_global_address.default](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_global_address) | resource | | [google_compute_global_forwarding_rule.https](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_global_forwarding_rule) | resource | 
@@ -232,10 +240,15 @@ You can check the status of the certificate in the Google Cloud Console. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| +| [args](#input\_args) | Arguments to override the container image default command (CMD). | `list(string)` | `null` | no | +| [autoscaling](#input\_autoscaling) | Allow the instance group to scale down to zero based on signals |
object({| `null` | no | | [block\_project\_ssh\_keys\_enabled](#input\_block\_project\_ssh\_keys\_enabled) | Blocks the use of project-wide publich SSH keys | `bool` | `false` | no | +| [command](#input\_command) | Command to override the container image ENTRYPOINT | `list(string)` | `null` | no | | [default\_backend\_security\_policy](#input\_default\_backend\_security\_policy) | Name of the security policy to apply to the default backend service | `string` | `null` | no | | [disk\_kms\_key\_self\_link](#input\_disk\_kms\_key\_self\_link) | The self link of the encryption key that is stored in Google Cloud KMS | `string` | `null` | no | | [domain](#input\_domain) | Domain to associate Atlantis with and to request a managed SSL certificate for. Without `https://` | `string` | n/a | yes | +| [enable\_autoupdate](#input\_enable\_autoupdate) | Enable automatic updates for the OS and installed packages \| https://cloud.google.com/container-optimized-os/docs/concepts/auto-update#disable_automatic_updates | `bool` | `null` | no | +| [enable\_confidential\_vm](#input\_enable\_confidential\_vm) | Enable Confidential VM. If true, on host maintenance will be set to TERMINATE | `bool` | `false` | no | | [enable\_oslogin](#input\_enable\_oslogin) | Enables OS Login service on the VM | `bool` | `false` | no | | [env\_vars](#input\_env\_vars) | Key-value pairs representing environment variables and their respective values | `map(any)` | n/a | yes | | [expose\_metrics\_publicly](#input\_expose\_metrics\_publicly) | Exposes the /metrics endpoint publicly even if Atlantis is protected by IAP | `bool` | `false` | no | 
@@ -254,6 +267,7 @@ You can check the status of the certificate in the Google Cloud Console. | [project](#input\_project) | The ID of the project in which the resource belongs | `string` | `null` | no | | [region](#input\_region) | The region that resources should be created in | `string` | n/a | yes | | [service\_account](#input\_service\_account) | Service account to attach to the instance running Atlantis |
schedules = list(object({
name = string
description = string
schedule = string
time_zone = string
duration_sec = number
}))
})
object({|
email = string,
scopes = list(string)
})
{| no | +| [shared\_vpc](#input\_shared\_vpc) | Whether to deploy within a shared VPC |
"email": "",
"scopes": [
"cloud-platform"
]
}
object({| `null` | no | | [shielded\_instance\_config](#input\_shielded\_instance\_config) | Shielded VM provides verifiable integrity to prevent against malware and rootkits |
host_project_id = string
})
object({|
enable_integrity_monitoring = optional(bool)
enable_vtpm = optional(bool)
enable_secure_boot = optional(bool)
})
{| no | | [spot\_machine\_enabled](#input\_spot\_machine\_enabled) | A Spot VM is discounted Compute Engine capacity that may be preemptively stopped or deleted by Compute Engine if the capacity is needed | `bool` | `false` | no | | [ssl\_policy](#input\_ssl\_policy) | The SSL policy name that the certificate must follow | `string` | `null` | no | @@ -271,4 +285,4 @@ You can check the status of the certificate in the Google Cloud Console. | [ip\_address](#output\_ip\_address) | The IPv4 address of the load balancer | | [managed\_ssl\_certificate\_certificate\_id](#output\_managed\_ssl\_certificate\_certificate\_id) | The unique identifier of the Google Managed SSL certificate | | [managed\_ssl\_certificate\_expire\_time](#output\_managed\_ssl\_certificate\_expire\_time) | Expire time of the Google Managed SSL certificate | - + diff --git a/examples/autoscaling/main.tf b/examples/autoscaling/main.tf index 448b09f..0f3fb42 100644 --- a/examples/autoscaling/main.tf +++ b/examples/autoscaling/main.tf @@ -66,7 +66,7 @@ module "atlantis" { }, ] } - + domain = local.domain project = local.project_id } diff --git a/examples/basic/README.md b/examples/basic/README.md index 9fca622..eb7774e 100644 --- a/examples/basic/README.md +++ b/examples/basic/README.md 
@@ -14,11 +14,11 @@ This module expects that you already own or create the below resources yourself. - Service account, [specifics can be found here](../../README.md#service-account) - Domain, [specifics can be found here](../../README.md#dns-record) -If you prefer an example that includes the above resources, see [`complete example`](https://github.com/bschaatsbergen/atlantis-on-gcp-vm/tree/master/examples/complete). +If you prefer an example that includes the above resources, see [`complete example`](https://github.com/runatlantis/terraform-gce-atlantis/tree/master/examples/complete). ## How to deploy -See [`main.tf`](https://github.com/bschaatsbergen/atlantis-on-gcp-vm/tree/master/examples/basic/main.tf) and the [`server-atlantis.yaml`](https://github.com/bschaatsbergen/atlantis-on-gcp-vm/tree/master/examples/basic/server-atlantis.yaml). +See [`main.tf`](https://github.com/runatlantis/terraform-gce-atlantis/tree/master/examples/basic/main.tf) and the [`server-atlantis.yaml`](https://github.com/runatlantis/terraform-gce-atlantis/tree/master/examples/basic/server-atlantis.yaml). ## After it's successfully deployed diff --git a/examples/basic/main.tf b/examples/basic/main.tf index 0c9fca7..1ad8110 100644 --- a/examples/basic/main.tf +++ b/examples/basic/main.tf @@ -33,7 +33,7 @@ resource "google_project_iam_member" "atlantis_metric_writer" { } module "atlantis" { - source = "bschaatsbergen/atlantis/gce" + source = "runatlantis/atlantis/gce" name = "atlantis" network = local.network subnetwork = local.subnetwork diff --git a/examples/cloud-armor/README.md b/examples/cloud-armor/README.md index d4151e2..619cc55 100644 --- a/examples/cloud-armor/README.md +++ b/examples/cloud-armor/README.md 
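Review bot: The `module "atlantis"` block in examples/basic/main.tf is switched to the `runatlantis/atlantis/gce` registry source without a visible `version` constraint; the block continues outside the hunk, but if no `version` is set there, each `terraform init` resolves to the newest published release, which makes the example non-reproducible and means a new module release is picked up without review. The README in this commit drops its `version = "1.3.1"` line, so this looks deliberate; if so, consider at least a pin in the copy-paste examples, e.g. `version = "<released-module-version>"`. The same applies to the identical `source` changes in examples/cloud-armor/main.tf, examples/complete/main.tf and examples/secure-env-vars/main.tf.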
@@ -21,11 +21,11 @@ This module expects that you already own or create the below resources yourself. - Service account, [specifics can be found here](../../README.md#service-account) - Domain, [specifics can be found here](../../README.md#dns-record) -If you prefer an example that includes the above resources, see [`complete example`](https://github.com/bschaatsbergen/atlantis-on-gcp-vm/tree/master/examples/complete). +If you prefer an example that includes the above resources, see [`complete example`](https://github.com/runatlantis/terraform-gce-atlantis/tree/master/examples/complete). ## How to deploy -See [`main.tf`](https://github.com/bschaatsbergen/atlantis-on-gcp-vm/tree/master/examples/cloud-armor/main.tf) and the [`server-atlantis.yaml`](https://github.com/bschaatsbergen/atlantis-on-gcp-vm/tree/master/examples/cloud-armor/server-atlantis.yaml). +See [`main.tf`](https://github.com/runatlantis/terraform-gce-atlantis/tree/master/examples/cloud-armor/main.tf) and the [`server-atlantis.yaml`](https://github.com/runatlantis/terraform-gce-atlantis/tree/master/examples/cloud-armor/server-atlantis.yaml). ## After it's successfully deployed diff --git a/examples/cloud-armor/main.tf b/examples/cloud-armor/main.tf index 30e0aa3..704a3ec 100644 --- a/examples/cloud-armor/main.tf +++ b/examples/cloud-armor/main.tf @@ -35,7 +35,7 @@ resource "google_project_iam_member" "atlantis_metric_writer" { } module "atlantis" { - source = "bschaatsbergen/atlantis/gce" + source = "runatlantis/atlantis/gce" name = "atlantis" network = local.network subnetwork = local.subnetwork diff --git a/examples/complete/README.md b/examples/complete/README.md index 4869782..9776278 100644 --- a/examples/complete/README.md +++ b/examples/complete/README.md 
@@ -14,11 +14,11 @@ This module expects that you already own or create the below resources yourself. ## How to deploy -See [`main.tf`](https://github.com/bschaatsbergen/atlantis-on-gcp-vm/tree/master/examples/complete/main.tf) and the [`server-atlantis.yaml`](https://github.com/bschaatsbergen/atlantis-on-gcp-vm/tree/master/examples/complete/server-atlantis.yaml). +See [`main.tf`](https://github.com/runatlantis/terraform-gce-atlantis/tree/master/examples/complete/main.tf) and the [`server-atlantis.yaml`](https://github.com/runatlantis/terraform-gce-atlantis/tree/master/examples/complete/server-atlantis.yaml). ### Important -- The [`main.tf`](https://github.com/bschaatsbergen/atlantis-on-gcp-vm/tree/master/examples/complete/main.tf) contains resources that are set up with only the minimum required attributes to function properly. It is recommended to add additional attributes if you plan to use this in a production environment. +- The [`main.tf`](https://github.com/runatlantis/terraform-gce-atlantis/tree/master/examples/complete/main.tf) contains resources that are set up with only the minimum required attributes to function properly. It is recommended to add additional attributes if you plan to use this in a production environment. ## After it's successfully deployed diff --git a/examples/complete/main.tf b/examples/complete/main.tf index 59e881b..23f63bd 100644 --- a/examples/complete/main.tf +++ b/examples/complete/main.tf @@ -75,7 +75,7 @@ resource "google_compute_router_nat" "default" { } module "atlantis" { - source = "bschaatsbergen/atlantis/gce" + source = "runatlantis/atlantis/gce" name = "atlantis" network = google_compute_network.default.name subnetwork = google_compute_subnetwork.default.name diff --git a/examples/secure-env-vars/README.md b/examples/secure-env-vars/README.md index b0ff32c..04882ae 100644 --- a/examples/secure-env-vars/README.md +++ b/examples/secure-env-vars/README.md 
@@ -1,6 +1,6 @@ # Securing sensitive environment variables -This guide explains how to secure environment variables when using the Atlantis module on Google Cloud Platform. For more information on using this module, see the [`basic example`](https://github.com/bschaatsbergen/atlantis-on-gcp-vm/tree/master/examples/basic). +This guide explains how to secure environment variables when using the Atlantis module on Google Cloud Platform. For more information on using this module, see the [`basic example`](https://github.com/runatlantis/terraform-gce-atlantis/tree/master/examples/basic). Additionally, this example uses a GitHub App for authenticatioon, and a custom image entrypoint to set environment variables at container startup time. @@ -23,7 +23,7 @@ If you prefer an example that includes the above resources, see [`complete examp ## How to deploy -To deploy the Atlantis module, see [`Dockerfile`](https://github.com/bschaatsbergen/atlantis-on-gcp-vm/tree/master/examples/secure-env-vars/Dockerfile) and the [`main.tf`](https://github.com/bschaatsbergen/atlantis-on-gcp-vm/tree/master/examples/secure-env-vars/main.tf). +To deploy the Atlantis module, see [`Dockerfile`](https://github.com/runatlantis/terraform-gce-atlantis/tree/master/examples/secure-env-vars/Dockerfile) and the [`main.tf`](https://github.com/runatlantis/terraform-gce-atlantis/tree/master/examples/secure-env-vars/main.tf). ### Important 
@@ -35,8 +35,11 @@ Atlantis allows you to configure everything using environment variables. However ### Setting sensitive environment variables -You can export sensitive values in the [`custom-entrypoint.sh.tftpl`](custom-entrypoint.sh.tftpl) script, which will be executed as the container entrypoint. -This strategy allow us to use the base Atlantis image, and to export environment variables that do not appear in the Console (e.g. ATLANTIS_GH_WEBHOOK_SECRET). +Use a wrapper Atlantis Docker image to set environment variables that contain sensitive values. See the following examples for more details: + +- [**Cloud Build**: pull secrets from Google Secret Manager](https://github.com/runatlantis/terraform-gce-atlantis/tree/master/examples/secure-env-vars/cloudbuild.yaml) +- [**GitHub Actions**: pull secrets from Google Secret Manager](https://github.com/runatlantis/terraform-gce-atlantis/tree/master/examples/secure-env-vars/.github/workflows/docker-gcp-secrets.yaml) +- [**GitHub Actions**: use GitHub secrets](https://github.com/runatlantis/terraform-gce-atlantis/tree/master/examples/secure-env-vars/.github/workflows/docker-github-secrets.yaml) ### Setting non-sensitive environment variables diff --git a/examples/secure-env-vars/main.tf b/examples/secure-env-vars/main.tf index cd5f247..e72520c 100644 --- a/examples/secure-env-vars/main.tf +++ b/examples/secure-env-vars/main.tf @@ -36,7 +36,7 @@ resource "google_project_iam_member" "atlantis_metric_writer" { } module "atlantis" { - source = "bschaatsbergen/atlantis/gce" + source = "runatlantis/atlantis/gce" name = "atlantis" network = local.network subnetwork = local.subnetwork diff --git a/examples/shared-vpc/README.md b/examples/shared-vpc/README.md index 9d70555..9a56cf4 100644 --- a/examples/shared-vpc/README.md +++ b/examples/shared-vpc/README.md 
@@ -2,32 +2,32 @@ Read through the below before you deploy this module. -- [Prerequisites](#prerequisites) -- [How to deploy](#how-to-deploy) -- [After it's successfully deployed](#after-its-successfully-deployed) +- [Example usage](#example-usage) + - [Prerequisites](#prerequisites) + - [How to deploy](#how-to-deploy) + - [After it's successfully deployed](#after-its-successfully-deployed) ## Prerequisites This module expects that you already own or create the below resources yourself. -- Google network, subnetwork and a Cloud NAT - Service account, [specifics can be found here](../../README.md#service-account) - Domain, [specifics can be found here](../../README.md#dns-record) -- The following firewall rules configured in the host network: - - Allow IAP access (
"enable_integrity_monitoring": true,
"enable_secure_boot": true,
"enable_vtpm": true
}