

Merge pull request #21 from nosportugal/d-costa/sync
Upstream sync
d-costa authored Nov 11, 2024
2 parents e649cb4 + 61d83b5 commit c0f5476
Showing 6 changed files with 31 additions and 19 deletions.
12 changes: 6 additions & 6 deletions .github/workflows/ci.yaml
Expand Up @@ -28,11 +28,11 @@ jobs:
with:
directory: .
quiet: true
skip_check: CKV_TF_1,CKV_GCP_32,CKV_GCP_34,CKV2_GCP_18,CKV_TF_2
skip_check: CKV_TF_1,CKV_TF_2,CKV_GCP_32,CKV_GCP_34,CKV2_GCP_18
framework: terraform

# Terraform-docs
- uses: terraform-docs/gh-actions@v1.1.0
- uses: terraform-docs/gh-actions@v1.3.0
id: terraform-docs
with:
working-dir: .
Expand All @@ -43,10 +43,10 @@ jobs:
git-push: 'false'

# Push Terraform-docs changes
- uses: planetscale/ghcommit-action@v0.1.38
- uses: planetscale/ghcommit-action@v0.2.0
# Run this step even if previous steps fails (there are changes to commit)
# but skip when on forks
if: ${{ !cancelled() && github.repository_owner == 'runatlantis' }}
if: ${{ !cancelled() }}
with:
commit_message: "terraform-docs: automated action"
repo: ${{ github.repository }}
Expand All @@ -56,12 +56,12 @@ jobs:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

# Print instructions to run terraform-docs locally if changes are needed and workflow is running on fork
- if: ${{ !cancelled() && github.repository_owner != 'runatlantis' && steps.terraform-docs.outputs.num_changed > 0 }}
- if: ${{ !cancelled() && steps.terraform-docs.outputs.num_changed > 0 }}
run: |
echo '### Please run terraform-docs locally and commit the changes:' >> $GITHUB_STEP_SUMMARY
echo '' >> $GITHUB_STEP_SUMMARY
echo '```sh' >> $GITHUB_STEP_SUMMARY
echo 'docker run --rm --volume "$(pwd):/terraform-docs" -u $(id -u) quay.io/terraform-docs/terraform-docs:0.17.0 markdown --output-file README.md --output-mode inject /terraform-docs' >> $GITHUB_STEP_SUMMARY
echo 'docker run --rm --volume "$(pwd):/terraform-docs" -u $(id -u) quay.io/terraform-docs/terraform-docs markdown --output-file README.md --output-mode inject /terraform-docs' >> $GITHUB_STEP_SUMMARY
echo 'git add README.md' >> $GITHUB_STEP_SUMMARY
echo 'git commit --amend --no-edit' >> $GITHUB_STEP_SUMMARY
echo '```' >> $GITHUB_STEP_SUMMARY
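Review bot: After dropping the `github.repository_owner` guards, the push step at the `planetscale/ghcommit-action@v0.2.0` line and the "print instructions" step at the `steps.terraform-docs.outputs.num_changed > 0` condition are no longer mutually exclusive: whenever terraform-docs changes something, the bot commits the README and the job summary still tells the author to run terraform-docs locally. If the intent is to fall back to the instructions only when the push cannot happen (for example a read-only token on a fork PR), give the push step an `id: push-docs` and gate the instructions on `if: ${{ !cancelled() && steps.push-docs.outcome == 'failure' && steps.terraform-docs.outputs.num_changed > 0 }}`. Separately, the suggested `docker run` command now references `quay.io/terraform-docs/terraform-docs` without a tag, so local runs float to whatever the registry's default tag resolves to while CI is pinned to `gh-actions@v1.3.0`; keeping an explicit image tag keeps the two in step. The third-party actions are still referenced by mutable version tags; pinning them to a commit SHA is the usual supply-chain hardening for a workflow that writes back to the repository with `GITHUB_TOKEN`.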
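--- a/.terraform-docs.yml
+++ b/.terraform-docs.yml
@@ -0,0 +1,5 @@
+settings:
+# https://github.com/terraform-docs/gh-actions/issues/98
+# Since we do not commit the lockfile, it has no effect in gh workflows.
+# Changes local runs to match the gh workflow behavior.
+lockfile: false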
17 changes: 9 additions & 8 deletions README.md
Expand Up @@ -193,7 +193,7 @@ You can check the status of the certificate in the Google Cloud Console.
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13.0 |
| <a name="requirement_cloudinit"></a> [cloudinit](#requirement\_cloudinit) | >=2.2.0 |
| <a name="requirement_google"></a> [google](#requirement\_google) | >=4.79.0 |
| <a name="requirement_google"></a> [google](#requirement\_google) | >=6.9.0 |
| <a name="requirement_google-beta"></a> [google-beta](#requirement\_google-beta) | >=4.79.0 |
| <a name="requirement_random"></a> [random](#requirement\_random) | >=3.4.3 |

Expand All @@ -202,15 +202,15 @@ You can check the status of the certificate in the Google Cloud Console.
| Name | Version |
|------|---------|
| <a name="provider_cloudinit"></a> [cloudinit](#provider\_cloudinit) | >=2.2.0 |
| <a name="provider_google"></a> [google](#provider\_google) | >=4.79.0 |
| <a name="provider_google"></a> [google](#provider\_google) | >=6.9.0 |
| <a name="provider_google-beta"></a> [google-beta](#provider\_google-beta) | >=4.79.0 |
| <a name="provider_random"></a> [random](#provider\_random) | >=3.4.3 |

## Modules

| Name | Source | Version |
|------|--------|---------|
| <a name="module_container"></a> [container](#module\_container) | terraform-google-modules/container-vm/google | 3.1.1 |
| <a name="module_container"></a> [container](#module\_container) | terraform-google-modules/container-vm/google | ~> 3.2 |

## Resources

Expand Down Expand Up @@ -241,7 +241,7 @@ You can check the status of the certificate in the Google Cloud Console.
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| <a name="input_args"></a> [args](#input\_args) | Arguments to override the container image default command (CMD). | `list(string)` | `null` | no |
| <a name="input_autoscaling"></a> [autoscaling](#input\_autoscaling) | Allow the instance group to scale down to zero based on signals | <pre>object({<br> schedules = list(object({<br> name = string<br> description = string<br> schedule = string<br> time_zone = string<br> duration_sec = number<br> }))<br> })</pre> | `null` | no |
| <a name="input_autoscaling"></a> [autoscaling](#input\_autoscaling) | Allow the instance group to scale down to zero based on signals | <pre>object({<br/> schedules = list(object({<br/> name = string<br/> description = string<br/> schedule = string<br/> time_zone = string<br/> duration_sec = number<br/> }))<br/> })</pre> | `null` | no |
| <a name="input_block_project_ssh_keys_enabled"></a> [block\_project\_ssh\_keys\_enabled](#input\_block\_project\_ssh\_keys\_enabled) | Blocks the use of project-wide publich SSH keys | `bool` | `false` | no |
| <a name="input_command"></a> [command](#input\_command) | Command to override the container image ENTRYPOINT | `list(string)` | `null` | no |
| <a name="input_default_backend_security_policy"></a> [default\_backend\_security\_policy](#input\_default\_backend\_security\_policy) | Name of the security policy to apply to the default backend service | `string` | `null` | no |
Expand All @@ -256,7 +256,7 @@ You can check the status of the certificate in the Google Cloud Console.
| <a name="input_google_logging_enabled"></a> [google\_logging\_enabled](#input\_google\_logging\_enabled) | Enable Google Cloud Logging | `bool` | `true` | no |
| <a name="input_google_logging_use_fluentbit"></a> [google\_logging\_use\_fluentbit](#input\_google\_logging\_use\_fluentbit) | Enable Google Cloud Logging using Fluent Bit | `bool` | `false` | no |
| <a name="input_google_monitoring_enabled"></a> [google\_monitoring\_enabled](#input\_google\_monitoring\_enabled) | Enable Google Cloud Monitoring | `bool` | `true` | no |
| <a name="input_iap"></a> [iap](#input\_iap) | Settings for enabling Cloud Identity Aware Proxy to protect the Atlantis UI | <pre>object({<br> oauth2_client_id = string<br> oauth2_client_secret = string<br> })</pre> | `null` | no |
| <a name="input_iap"></a> [iap](#input\_iap) | Settings for enabling Cloud Identity Aware Proxy to protect the Atlantis UI | <pre>object({<br/> oauth2_client_id = string<br/> oauth2_client_secret = string<br/> })</pre> | `null` | no |
| <a name="input_iap_backend_security_policy"></a> [iap\_backend\_security\_policy](#input\_iap\_backend\_security\_policy) | Name of the security policy to apply to the IAP backend service | `string` | `null` | no |
| <a name="input_image"></a> [image](#input\_image) | Docker image. This is most often a reference to a container located in a container registry | `string` | `"ghcr.io/runatlantis/atlantis:latest"` | no |
| <a name="input_labels"></a> [labels](#input\_labels) | Key-value pairs representing labels attaching to instance & instance template | `map(any)` | `{}` | no |
Expand All @@ -265,11 +265,12 @@ You can check the status of the certificate in the Google Cloud Console.
| <a name="input_name"></a> [name](#input\_name) | Custom name that's used during resource creation | `string` | n/a | yes |
| <a name="input_network"></a> [network](#input\_network) | Name of the network | `string` | n/a | yes |
| <a name="input_persistent_disk_size_gb"></a> [persistent\_disk\_size\_gb](#input\_persistent\_disk\_size\_gb) | The size of the persistent disk that Atlantis uses to store its data on | `number` | `50` | no |
| <a name="input_persistent_disk_type"></a> [persistent\_disk\_type](#input\_persistent\_disk\_type) | The type of persistent disk that Atlantis uses to store its data on | `string` | `"pd-ssd"` | no |
| <a name="input_project"></a> [project](#input\_project) | The ID of the project in which the resource belongs | `string` | `null` | no |
| <a name="input_region"></a> [region](#input\_region) | The region that resources should be created in | `string` | n/a | yes |
| <a name="input_service_account"></a> [service\_account](#input\_service\_account) | Service account to attach to the instance running Atlantis | <pre>object({<br> email = string,<br> scopes = list(string)<br> })</pre> | <pre>{<br> "email": "",<br> "scopes": [<br> "cloud-platform"<br> ]<br>}</pre> | no |
| <a name="input_shared_vpc"></a> [shared\_vpc](#input\_shared\_vpc) | Whether to deploy within a shared VPC | <pre>object({<br> host_project_id = string<br> })</pre> | `null` | no |
| <a name="input_shielded_instance_config"></a> [shielded\_instance\_config](#input\_shielded\_instance\_config) | Shielded VM provides verifiable integrity to prevent against malware and rootkits | <pre>object({<br> enable_integrity_monitoring = optional(bool)<br> enable_vtpm = optional(bool)<br> enable_secure_boot = optional(bool)<br> })</pre> | <pre>{<br> "enable_integrity_monitoring": true,<br> "enable_secure_boot": true,<br> "enable_vtpm": true<br>}</pre> | no |
| <a name="input_service_account"></a> [service\_account](#input\_service\_account) | Service account to attach to the instance running Atlantis | <pre>object({<br/> email = string,<br/> scopes = list(string)<br/> })</pre> | <pre>{<br/> "email": "",<br/> "scopes": [<br/> "cloud-platform"<br/> ]<br/>}</pre> | no |
| <a name="input_shared_vpc"></a> [shared\_vpc](#input\_shared\_vpc) | Whether to deploy within a shared VPC | <pre>object({<br/> host_project_id = string<br/> })</pre> | `null` | no |
| <a name="input_shielded_instance_config"></a> [shielded\_instance\_config](#input\_shielded\_instance\_config) | Shielded VM provides verifiable integrity to prevent against malware and rootkits | <pre>object({<br/> enable_integrity_monitoring = optional(bool)<br/> enable_vtpm = optional(bool)<br/> enable_secure_boot = optional(bool)<br/> })</pre> | <pre>{<br/> "enable_integrity_monitoring": true,<br/> "enable_secure_boot": true,<br/> "enable_vtpm": true<br/>}</pre> | no |
| <a name="input_spot_machine_enabled"></a> [spot\_machine\_enabled](#input\_spot\_machine\_enabled) | A Spot VM is discounted Compute Engine capacity that may be preemptively stopped or deleted by Compute Engine if the capacity is needed | `bool` | `false` | no |
| <a name="input_ssl_policy"></a> [ssl\_policy](#input\_ssl\_policy) | The SSL policy name that the certificate must follow | `string` | `null` | no |
| <a name="input_startup_script"></a> [startup\_script](#input\_startup\_script) | A startup script that runs during the boot cycle when you first launch an instance | `string` | `null` | no |
7 changes: 4 additions & 3 deletions main.tf
@@ -1,4 +1,5 @@
locals {

# The default port that Atlantis runs on is 4141, we default to this.
atlantis_port = lookup(var.env_vars, "ATLANTIS_PORT", 4141)
# Atlantis' home directory is "/home/atlantis", we default to this.
Expand Down Expand Up @@ -79,7 +80,7 @@ data "cloudinit_config" "config" {

module "container" {
source = "terraform-google-modules/container-vm/google"
version = "3.2.0"
version = "~> 3.2"

container = {
image = var.image
Expand Down Expand Up @@ -218,7 +219,7 @@ resource "google_compute_instance_template" "default" {

resource "google_compute_disk" "persistent" {
name = var.name
type = "pd-ssd"
type = var.persistent_disk_type
size = var.persistent_disk_size_gb
zone = var.zone
labels = merge(
Expand Down Expand Up @@ -382,7 +383,7 @@ resource "google_compute_backend_service" "iap" {
}

iap {
enabled = var.iap.enabled
enabled = true
oauth2_client_id = var.iap.oauth2_client_id
oauth2_client_secret = var.iap.oauth2_client_secret
}
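Review bot: Hardcoding `enabled = true` in the `iap` block of `google_compute_backend_service.iap`, together with removing `enabled = bool` from `variable "iap"` in the variables.tf hunk, is a breaking change for module consumers: Terraform rejects object values carrying attributes that the type constraint does not declare, so any caller still passing `iap = { enabled = ..., oauth2_client_id = ..., oauth2_client_secret = ... }` fails at plan time. The commit description "Upstream sync" does not flag this; either document it as breaking in the README/changelog or, if the module's minimum Terraform version permits `optional()` with a default, keep `enabled = optional(bool, true)` in the variable for one release. On the `module "container"` line, `version = "~> 3.2"` replaces an exact pin with a floating minor range; unlike providers, module versions are not recorded in the dependency lock file, so each `terraform init` may resolve a newer 3.x release of the module that builds the instance template, which is worth a deliberate decision rather than an incidental sync. The enclosing resource and module blocks start and end outside the hunks shown.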
7 changes: 6 additions & 1 deletion variables.tf
Expand Up @@ -141,7 +141,6 @@ variable "enable_oslogin" {

variable "iap" {
type = object({
enabled = bool
oauth2_client_id = string
oauth2_client_secret = string
})
Expand Down Expand Up @@ -234,3 +233,9 @@ variable "shared_vpc" {
})
default = null
}

variable "persistent_disk_type" {
type = string
description = "The type of persistent disk that Atlantis uses to store its data on"
default = "pd-ssd"
}
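Review bot: The description of the new `persistent_disk_type` variable does not warn that changing it on an existing deployment replaces the disk. As far as I recall, `type` on `google_compute_disk` is an immutable attribute in the google provider, so changing the value after the first apply would destroy and recreate `google_compute_disk.persistent` and with it the data Atlantis stores there. Suggest extending the description to `"The type of persistent disk that Atlantis uses to store its data on. Changing this on an existing deployment forces the disk to be recreated and its data to be lost."`. A `validation` block restricting the value to the disk types the module has been tested with would also fail fast at plan time instead of at the API.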
2 changes: 1 addition & 1 deletion versions.tf
Expand Up @@ -4,7 +4,7 @@ terraform {
required_providers {
google = {
source = "hashicorp/google"
version = ">=4.79.0"
version = ">=6.9.0"
}
google-beta = {
source = "hashicorp/google-beta"

