From 72acf2bcde81726a5407224ab86f57b18aca102e Mon Sep 17 00:00:00 2001 From: David Costa Date: Thu, 1 Aug 2024 14:58:34 +0100 Subject: [PATCH 01/24] feat: add option to expose /healthz without IAP --- README.md | 1 + main.tf | 8 ++++++++ variables.tf | 6 ++++++ 3 files changed, 15 insertions(+) diff --git a/README.md b/README.md index 2f4cbea..58a0569 100644 --- a/README.md +++ b/README.md @@ -239,6 +239,7 @@ You can check the status of the certificate in the Google Cloud Console. | [enable\_confidential\_vm](#input\_enable\_confidential\_vm) | Enable Confidential VM. If true, on host maintenance will be set to TERMINATE | `bool` | `false` | no | | [enable\_oslogin](#input\_enable\_oslogin) | Enables OS Login service on the VM | `bool` | `false` | no | | [env\_vars](#input\_env\_vars) | Key-value pairs representing environment variables and their respective values | `map(any)` | n/a | yes | +| [expose\_healthz\_publicly](#input\_expose\_healthz\_publicly) | Exposes the /healthz endpoint publicly even if Atlantis is protected by IAP | `bool` | `false` | no | | [expose\_metrics\_publicly](#input\_expose\_metrics\_publicly) | Exposes the /metrics endpoint publicly even if Atlantis is protected by IAP | `bool` | `false` | no | | [google\_logging\_enabled](#input\_google\_logging\_enabled) | Enable Google Cloud Logging | `bool` | `true` | no | | [google\_logging\_use\_fluentbit](#input\_google\_logging\_use\_fluentbit) | Enable Google Cloud Logging using Fluent Bit | `bool` | `false` | no | diff --git a/main.tf b/main.tf index ea25b07..a349248 100644 --- a/main.tf +++ b/main.tf @@ -405,6 +405,14 @@ resource "google_compute_url_map" "default" { service = google_compute_backend_service.default.id } } + + dynamic "path_rule" { + for_each = var.expose_healthz_publicly ? [1] : [] + content { + paths = ["/healthz"] + service = google_compute_backend_service.default.id + } + } } } } diff --git a/variables.tf b/variables.tf index 1ec7677..4a57c63 100644 --- a/variables.tf 
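Review bot: The new `/healthz` path_rule in the google_compute_url_map hunk routes that path to `google_compute_backend_service.default`, so when `expose_healthz_publicly` is set the endpoint is served with no IAP check and is protected only by whatever `default_backend_security_policy` names, yet neither this hunk nor the `expose_healthz_publicly` description in the variables.tf hunk says so. I would make the bypass explicit in the variable description, e.g. `description = "Exposes the /healthz endpoint publicly even if Atlantis is protected by IAP. Requests to this path skip IAP and are subject only to default_backend_security_policy."`. The rule mirrors the preceding path_rule in the context lines (presumably the /metrics one), so the same wording belongs on `expose_metrics_publicly` if it is missing there too. The enclosing url_map resource starts before this hunk.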
+++ b/variables.tf @@ -146,6 +146,12 @@ variable "expose_metrics_publicly" { default = false } +variable "expose_healthz_publicly" { + type = bool + description = "Exposes the /healthz endpoint publicly even if Atlantis is protected by IAP" + default = false +} + variable "google_logging_enabled" { type = bool description = "Enable Google Cloud Logging" From 2eee881d7ea724da4a6488830a2fb3a92d5c1e71 Mon Sep 17 00:00:00 2001 From: David Costa Date: Thu, 1 Aug 2024 15:11:20 +0100 Subject: [PATCH 02/24] chore: skip CKV_TF_2 --- .github/workflows/ci.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 8b565e8..be915a0 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -28,7 +28,7 @@ jobs: with: directory: . quiet: true - skip_check: CKV_TF_1,CKV_GCP_32,CKV_GCP_34,CKV2_GCP_18 + skip_check: CKV_TF_1,CKV_TF_2,CKV_GCP_32,CKV_GCP_34,CKV2_GCP_18 framework: terraform # Terraform-docs From b50a6f52bb7bd579411dff7cdd4011d481d9a36c Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Thu, 1 Aug 2024 15:15:43 +0000 Subject: [PATCH 03/24] chore(deps): update planetscale/ghcommit-action action to v0.1.43 --- .github/workflows/ci.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index be915a0..08ff2e4 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -43,7 +43,7 @@ jobs: git-push: 'false' # Push Terraform-docs changes - - uses: planetscale/ghcommit-action@v0.1.38 + - uses: planetscale/ghcommit-action@v0.1.43 # Run this step even if previous steps fails (there are changes to commit) # but skip when on forks if: ${{ !cancelled() && github.repository_owner == 'runatlantis' }} From 71cb09a8efcdf76cd34892c512e41ebd62802d99 Mon Sep 17 00:00:00 2001 
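Review bot: The `skip_check` list in the scanner step (presumably the checkov action, given the CKV ids) gains `CKV_TF_2` with no in-file reason, and the commit message gives none either, so a later maintainer cannot tell whether the skip is permanent or a temporary workaround. Each skipped id should carry a short comment above `skip_check:` explaining why it does not apply to this module, e.g. `# CKV_TF_1/CKV_TF_2: <reason> – module source pinning is handled by <where>`, with the placeholders replaced by the real reason. If the skip silences a finding that is meant to be fixed later, a tracking reference belongs in that comment as well. The step's `uses:` line is above this hunk.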
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Thu, 1 Aug 2024 18:35:41 +0000 Subject: [PATCH 04/24] chore(deps): update terraform-docs/gh-actions action to v1.2.0 --- .github/workflows/ci.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 08ff2e4..07c9805 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -32,7 +32,7 @@ jobs: framework: terraform # Terraform-docs - - uses: terraform-docs/gh-actions@v1.1.0 + - uses: terraform-docs/gh-actions@v1.2.0 id: terraform-docs with: working-dir: . From 54374a077626bc1f5513956c361c5547005ad6e4 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 5 Aug 2024 17:02:07 +0000 Subject: [PATCH 05/24] chore(deps): update planetscale/ghcommit-action action to v0.1.44 --- .github/workflows/ci.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 07c9805..789538e 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -43,7 +43,7 @@ jobs: git-push: 'false' # Push Terraform-docs changes - - uses: planetscale/ghcommit-action@v0.1.43 + - uses: planetscale/ghcommit-action@v0.1.44 # Run this step even if previous steps fails (there are changes to commit) # but skip when on forks if: ${{ !cancelled() && github.repository_owner == 'runatlantis' }} From d4c17da6832540e2bb8b8d0eb2e775a328c460a1 Mon Sep 17 00:00:00 2001 From: David Costa Date: Tue, 6 Aug 2024 14:42:06 +0100 Subject: [PATCH 06/24] feat: add persistent_disk_type variable --- README.md | 1 + main.tf | 2 +- variables.tf | 6 ++++++ 3 files changed, 8 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 58a0569..666b948 100644 --- a/README.md +++ b/README.md 
@@ -253,6 +253,7 @@ You can check the status of the certificate in the Google Cloud Console. | [name](#input\_name) | Custom name that's used during resource creation | `string` | n/a | yes | | [network](#input\_network) | Name of the network | `string` | n/a | yes | | [persistent\_disk\_size\_gb](#input\_persistent\_disk\_size\_gb) | The size of the persistent disk that Atlantis uses to store its data on | `number` | `50` | no | +| [persistent\_disk\_type](#input\_persistent\_disk\_type) | The type of persistent disk that Atlantis uses to store its data on | `string` | `"pd-ssd"` | no | | [project](#input\_project) | The ID of the project in which the resource belongs | `string` | `null` | no | | [region](#input\_region) | The region that resources should be created in | `string` | n/a | yes | | [service\_account](#input\_service\_account) | Service account to attach to the instance running Atlantis |
object({
email = string,
scopes = list(string)
})
|
{
"email": "",
"scopes": [
"cloud-platform"
]
}
| no | diff --git a/main.tf b/main.tf index a349248..9b88757 100644 --- a/main.tf +++ b/main.tf @@ -171,7 +171,7 @@ resource "google_compute_instance_template" "default" { # Persistent disk for Atlantis disk { device_name = "atlantis-disk-0" - disk_type = "pd-ssd" + disk_type = var.persistent_disk_type mode = "READ_WRITE" disk_size_gb = var.persistent_disk_size_gb auto_delete = false diff --git a/variables.tf b/variables.tf index 4a57c63..5c864d5 100644 --- a/variables.tf +++ b/variables.tf @@ -201,3 +201,9 @@ variable "shared_vpc" { }) default = null } + +variable "persistent_disk_type" { + type = string + description = "The type of persistent disk that Atlantis uses to store its data on" + default = "pd-ssd" +} From 94f94501e19376860455c2507c5788e6c8005070 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 9 Sep 2024 22:01:55 +0000 Subject: [PATCH 07/24] chore(deps): update terraform-docs/gh-actions action to v1.2.2 --- .github/workflows/ci.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 789538e..fc403b1 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -32,7 +32,7 @@ jobs: framework: terraform # Terraform-docs - - uses: terraform-docs/gh-actions@v1.2.0 + - uses: terraform-docs/gh-actions@v1.2.2 id: terraform-docs with: working-dir: . From a7050135ef293789e4a7fd33af3386f8b64808a7 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Sat, 14 Sep 2024 02:16:05 +0000 Subject: [PATCH 08/24] chore(deps): update planetscale/ghcommit-action action to v0.1.45 --- .github/workflows/ci.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index fc403b1..7c7b125 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml 
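Review bot: `persistent_disk_type` in the variables.tf hunk is a free-form string passed straight to `disk_type` in the instance template (main.tf hunk), so a typo such as `pd_ssd` is only caught at apply time, after the plan has already proposed replacing the template. A `validation` block on the variable turns that into a plan-time error; e.g. `condition = can(regex("^(pd-|hyperdisk-)", var.persistent_disk_type))` together with an `error_message` naming the accepted families stays permissive while rejecting obvious mistakes. It is also worth stating in the description that changing the type replaces the instance template while the disk itself is declared with `auto_delete = false` in the context lines, so the operator has to handle migrating existing data — I am inferring that from the visible lines, so confirm before documenting it. The variables.tf hunk begins at the tail of the `shared_vpc` variable, which is defined above it.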
@@ -43,7 +43,7 @@ jobs: git-push: 'false' # Push Terraform-docs changes - - uses: planetscale/ghcommit-action@v0.1.44 + - uses: planetscale/ghcommit-action@v0.1.45 # Run this step even if previous steps fails (there are changes to commit) # but skip when on forks if: ${{ !cancelled() && github.repository_owner == 'runatlantis' }} From a042d61043035db0a358607dd719ca0c02eb1f55 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 7 Oct 2024 13:45:31 +0000 Subject: [PATCH 09/24] chore(deps): update planetscale/ghcommit-action action to v0.1.47 --- .github/workflows/ci.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 7c7b125..701364a 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -43,7 +43,7 @@ jobs: git-push: 'false' # Push Terraform-docs changes - - uses: planetscale/ghcommit-action@v0.1.45 + - uses: planetscale/ghcommit-action@v0.1.47 # Run this step even if previous steps fails (there are changes to commit) # but skip when on forks if: ${{ !cancelled() && github.repository_owner == 'runatlantis' }} From 9af1122ebc6b19c999d562e820e75b9ff0f3af58 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Wed, 9 Oct 2024 21:04:17 +0000 Subject: [PATCH 10/24] chore(deps): update planetscale/ghcommit-action action to v0.2.0 --- .github/workflows/ci.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 701364a..84fc8d9 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml 
@@ -43,7 +43,7 @@ jobs: git-push: 'false' # Push Terraform-docs changes - - uses: planetscale/ghcommit-action@v0.1.47 + - uses: planetscale/ghcommit-action@v0.2.0 # Run this step even if previous steps fails (there are changes to commit) # but skip when on forks if: ${{ !cancelled() && github.repository_owner == 'runatlantis' }} From d0fd04d3d2444e63c6b364bb8440b6482ddb7df3 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Fri, 11 Oct 2024 13:20:08 +0000 Subject: [PATCH 11/24] chore(deps): update terraform-docs/gh-actions action to v1.3.0 --- .github/workflows/ci.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 84fc8d9..bb406ca 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -32,7 +32,7 @@ jobs: framework: terraform # Terraform-docs - - uses: terraform-docs/gh-actions@v1.2.2 + - uses: terraform-docs/gh-actions@v1.3.0 id: terraform-docs with: working-dir: . From 35e8388494612dfb59239b929e7d3d4352cfc7ad Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Fri, 11 Oct 2024 13:20:44 +0000 Subject: [PATCH 12/24] terraform-docs: automated action --- README.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 666b948..e5741b8 100644 --- a/README.md +++ b/README.md 
@@ -244,7 +244,7 @@ You can check the status of the certificate in the Google Cloud Console. | [google\_logging\_enabled](#input\_google\_logging\_enabled) | Enable Google Cloud Logging | `bool` | `true` | no | | [google\_logging\_use\_fluentbit](#input\_google\_logging\_use\_fluentbit) | Enable Google Cloud Logging using Fluent Bit | `bool` | `false` | no | | [google\_monitoring\_enabled](#input\_google\_monitoring\_enabled) | Enable Google Cloud Monitoring | `bool` | `true` | no | -| [iap](#input\_iap) | Settings for enabling Cloud Identity Aware Proxy to protect the Atlantis UI |
object({
oauth2_client_id = string
oauth2_client_secret = string
})
| `null` | no | +| [iap](#input\_iap) | Settings for enabling Cloud Identity Aware Proxy to protect the Atlantis UI |
object({
oauth2_client_id = string
oauth2_client_secret = string
})
| `null` | no | | [iap\_backend\_security\_policy](#input\_iap\_backend\_security\_policy) | Name of the security policy to apply to the IAP backend service | `string` | `null` | no | | [image](#input\_image) | Docker image. This is most often a reference to a container located in a container registry | `string` | `"ghcr.io/runatlantis/atlantis:latest"` | no | | [labels](#input\_labels) | Key-value pairs representing labels attaching to instance & instance template | `map(any)` | `{}` | no | @@ -256,9 +256,9 @@ You can check the status of the certificate in the Google Cloud Console. | [persistent\_disk\_type](#input\_persistent\_disk\_type) | The type of persistent disk that Atlantis uses to store its data on | `string` | `"pd-ssd"` | no | | [project](#input\_project) | The ID of the project in which the resource belongs | `string` | `null` | no | | [region](#input\_region) | The region that resources should be created in | `string` | n/a | yes | -| [service\_account](#input\_service\_account) | Service account to attach to the instance running Atlantis |
object({
email = string,
scopes = list(string)
})
|
{
"email": "",
"scopes": [
"cloud-platform"
]
}
| no | -| [shared\_vpc](#input\_shared\_vpc) | Whether to deploy within a shared VPC |
object({
host_project_id = string
})
| `null` | no | -| [shielded\_instance\_config](#input\_shielded\_instance\_config) | Shielded VM provides verifiable integrity to prevent against malware and rootkits |
object({
enable_integrity_monitoring = optional(bool)
enable_vtpm = optional(bool)
enable_secure_boot = optional(bool)
})
|
{
"enable_integrity_monitoring": true,
"enable_secure_boot": true,
"enable_vtpm": true
}
| no | +| [service\_account](#input\_service\_account) | Service account to attach to the instance running Atlantis |
object({
email = string,
scopes = list(string)
})
|
{
"email": "",
"scopes": [
"cloud-platform"
]
}
| no | +| [shared\_vpc](#input\_shared\_vpc) | Whether to deploy within a shared VPC |
object({
host_project_id = string
})
| `null` | no | +| [shielded\_instance\_config](#input\_shielded\_instance\_config) | Shielded VM provides verifiable integrity to prevent against malware and rootkits |
object({
enable_integrity_monitoring = optional(bool)
enable_vtpm = optional(bool)
enable_secure_boot = optional(bool)
})
|
{
"enable_integrity_monitoring": true,
"enable_secure_boot": true,
"enable_vtpm": true
}
| no | | [spot\_machine\_enabled](#input\_spot\_machine\_enabled) | A Spot VM is discounted Compute Engine capacity that may be preemptively stopped or deleted by Compute Engine if the capacity is needed | `bool` | `false` | no | | [ssl\_policy](#input\_ssl\_policy) | The SSL policy name that the certificate must follow | `string` | `null` | no | | [startup\_script](#input\_startup\_script) | A startup script that runs during the boot cycle when you first launch an instance | `string` | `null` | no | From 1bb3dd24ac9e443e3d10272c357549155179004c Mon Sep 17 00:00:00 2001 From: cblkwell Date: Fri, 1 Nov 2024 13:45:54 -0500 Subject: [PATCH 13/24] Loosen module version requirements for container-vm Signed-off-by: cblkwell --- README.md | 20 ++++++++++---------- main.tf | 3 ++- 2 files changed, 12 insertions(+), 11 deletions(-) diff --git a/README.md b/README.md index 666b948..9dacc80 100644 --- a/README.md +++ b/README.md @@ -195,16 +195,16 @@ You can check the status of the certificate in the Google Cloud Console. | Name | Version | |------|---------| -| [cloudinit](#provider\_cloudinit) | >=2.2.0 | -| [google](#provider\_google) | >=4.79.0 | -| [google-beta](#provider\_google-beta) | >=4.79.0 | -| [random](#provider\_random) | >=3.4.3 | +| [cloudinit](#provider\_cloudinit) | 2.3.3 | +| [google](#provider\_google) | 4.84.0 | +| [google-beta](#provider\_google-beta) | 5.8.0 | +| [random](#provider\_random) | 3.6.0 | ## Modules | Name | Source | Version | |------|--------|---------| -| [container](#module\_container) | terraform-google-modules/container-vm/google | 3.1.1 | +| [container](#module\_container) | terraform-google-modules/container-vm/google | ~> 3.2 | ## Resources 
@@ -244,7 +244,7 @@ You can check the status of the certificate in the Google Cloud Console. | [google\_logging\_enabled](#input\_google\_logging\_enabled) | Enable Google Cloud Logging | `bool` | `true` | no | | [google\_logging\_use\_fluentbit](#input\_google\_logging\_use\_fluentbit) | Enable Google Cloud Logging using Fluent Bit | `bool` | `false` | no | | [google\_monitoring\_enabled](#input\_google\_monitoring\_enabled) | Enable Google Cloud Monitoring | `bool` | `true` | no | -| [iap](#input\_iap) | Settings for enabling Cloud Identity Aware Proxy to protect the Atlantis UI |
object({
oauth2_client_id = string
oauth2_client_secret = string
})
| `null` | no | +| [iap](#input\_iap) | Settings for enabling Cloud Identity Aware Proxy to protect the Atlantis UI |
object({
oauth2_client_id = string
oauth2_client_secret = string
})
| `null` | no | | [iap\_backend\_security\_policy](#input\_iap\_backend\_security\_policy) | Name of the security policy to apply to the IAP backend service | `string` | `null` | no | | [image](#input\_image) | Docker image. This is most often a reference to a container located in a container registry | `string` | `"ghcr.io/runatlantis/atlantis:latest"` | no | | [labels](#input\_labels) | Key-value pairs representing labels attaching to instance & instance template | `map(any)` | `{}` | no | @@ -256,9 +256,9 @@ You can check the status of the certificate in the Google Cloud Console. | [persistent\_disk\_type](#input\_persistent\_disk\_type) | The type of persistent disk that Atlantis uses to store its data on | `string` | `"pd-ssd"` | no | | [project](#input\_project) | The ID of the project in which the resource belongs | `string` | `null` | no | | [region](#input\_region) | The region that resources should be created in | `string` | n/a | yes | -| [service\_account](#input\_service\_account) | Service account to attach to the instance running Atlantis |
object({
email = string,
scopes = list(string)
})
|
{
"email": "",
"scopes": [
"cloud-platform"
]
}
| no | -| [shared\_vpc](#input\_shared\_vpc) | Whether to deploy within a shared VPC |
object({
host_project_id = string
})
| `null` | no | -| [shielded\_instance\_config](#input\_shielded\_instance\_config) | Shielded VM provides verifiable integrity to prevent against malware and rootkits |
object({
enable_integrity_monitoring = optional(bool)
enable_vtpm = optional(bool)
enable_secure_boot = optional(bool)
})
|
{
"enable_integrity_monitoring": true,
"enable_secure_boot": true,
"enable_vtpm": true
}
| no | +| [service\_account](#input\_service\_account) | Service account to attach to the instance running Atlantis |
object({
email = string,
scopes = list(string)
})
|
{
"email": "",
"scopes": [
"cloud-platform"
]
}
| no | +| [shared\_vpc](#input\_shared\_vpc) | Whether to deploy within a shared VPC |
object({
host_project_id = string
})
| `null` | no | +| [shielded\_instance\_config](#input\_shielded\_instance\_config) | Shielded VM provides verifiable integrity to prevent against malware and rootkits |
object({
enable_integrity_monitoring = optional(bool)
enable_vtpm = optional(bool)
enable_secure_boot = optional(bool)
})
|
{
"enable_integrity_monitoring": true,
"enable_secure_boot": true,
"enable_vtpm": true
}
| no | | [spot\_machine\_enabled](#input\_spot\_machine\_enabled) | A Spot VM is discounted Compute Engine capacity that may be preemptively stopped or deleted by Compute Engine if the capacity is needed | `bool` | `false` | no | | [ssl\_policy](#input\_ssl\_policy) | The SSL policy name that the certificate must follow | `string` | `null` | no | | [startup\_script](#input\_startup\_script) | A startup script that runs during the boot cycle when you first launch an instance | `string` | `null` | no | @@ -275,4 +275,4 @@ You can check the status of the certificate in the Google Cloud Console. | [ip\_address](#output\_ip\_address) | The IPv4 address of the load balancer | | [managed\_ssl\_certificate\_certificate\_id](#output\_managed\_ssl\_certificate\_certificate\_id) | The unique identifier of the Google Managed SSL certificate | | [managed\_ssl\_certificate\_expire\_time](#output\_managed\_ssl\_certificate\_expire\_time) | Expire time of the Google Managed SSL certificate | - \ No newline at end of file + diff --git a/main.tf b/main.tf index 9b88757..28c200f 100644 --- a/main.tf +++ b/main.tf @@ -1,4 +1,5 @@ locals { + # The default port that Atlantis runs on is 4141, we default to this. atlantis_port = lookup(var.env_vars, "ATLANTIS_PORT", 4141) # Atlantis' home directory is "/home/atlantis", we default to this. @@ -79,7 +80,7 @@ data "cloudinit_config" "config" { module "container" { source = "terraform-google-modules/container-vm/google" - version = "3.1.1" + version = "~> 3.2" container = { image = var.image From 632db8bb2b76ffff8b108f5c9fd16fbdc100d171 Mon Sep 17 00:00:00 2001 From: cblkwell Date: Mon, 4 Nov 2024 08:42:40 -0600 Subject: [PATCH 14/24] Fixing README Signed-off-by: cblkwell --- README.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 9dacc80..7be3f9d 100644 --- a/README.md +++ b/README.md 
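Review bot: `version = "~> 3.2"` on the `container` module in the main.tf hunk replaces an exact pin with a range that floats to the newest 3.x on every `terraform init -upgrade`, so users of this module now pull container-vm changes nobody here has reviewed. If the intent is only to admit 3.2.x fixes, `version = "~> 3.2.0"` keeps the patch-level float without admitting new minors; if the intent really is any 3.x, that trade-off should be stated next to the constraint, e.g. `# Any 3.x >= 3.2 is accepted; review container-vm release notes before upgrading.`, rather than only in the commit title. The `container` module block continues past the end of the hunk.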
@@ -195,10 +195,10 @@ You can check the status of the certificate in the Google Cloud Console. | Name | Version | |------|---------| -| [cloudinit](#provider\_cloudinit) | 2.3.3 | -| [google](#provider\_google) | 4.84.0 | -| [google-beta](#provider\_google-beta) | 5.8.0 | -| [random](#provider\_random) | 3.6.0 | +| [cloudinit](#provider\_cloudinit) | >=2.2.0 | +| [google](#provider\_google) | >=4.79.0 | +| [google-beta](#provider\_google-beta) | >=4.79.0 | +| [random](#provider\_random) | >=3.4.3 | ## Modules From 7c1ad5953a049bec23bc663aa5570f1b4724bad2 Mon Sep 17 00:00:00 2001 From: cblkwell Date: Mon, 4 Nov 2024 08:54:10 -0600 Subject: [PATCH 15/24] Adding enabled = true for iap backend Signed-off-by: cblkwell --- main.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/main.tf b/main.tf index 28c200f..a6201be 100644 --- a/main.tf +++ b/main.tf @@ -345,6 +345,7 @@ resource "google_compute_backend_service" "iap" { } iap { + enabled = true oauth2_client_id = var.iap.oauth2_client_id oauth2_client_secret = var.iap.oauth2_client_secret } From 14395491ddb70540d9b97e4846f46f8e0521458d Mon Sep 17 00:00:00 2001 From: cblkwell Date: Mon, 4 Nov 2024 08:58:14 -0600 Subject: [PATCH 16/24] Bumping version requirement due to iap enabled setting Signed-off-by: cblkwell --- versions.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/versions.tf b/versions.tf index d184637..b4d8a93 100644 --- a/versions.tf +++ b/versions.tf @@ -4,7 +4,7 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">=4.79.0" + version = ">=6.9.0" } google-beta = { source = "hashicorp/google-beta" From b9dca8e56f1976575a392122c6453a25f4c2877f Mon Sep 17 00:00:00 2001 From: cblkwell Date: Mon, 4 Nov 2024 09:21:58 -0600 Subject: [PATCH 17/24] Fixing README Signed-off-by: cblkwell --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 7be3f9d..7d4b6b9 100644 --- a/README.md +++ b/README.md 
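Review bot: Raising `google` to `>=6.9.0` in the versions.tf hunk lifts the module's minimum across two major provider releases while `google-beta` in the same `required_providers` block keeps its old floor (the README in the next commit still lists `>=4.79.0` for it), so consumers can end up with a 6.x `google` and a 4.x `google-beta` side by side. If any google-beta resource in this module shares the `iap` schema that the `enabled = true` line in the previous commit depends on, its constraint needs the same bump; if not, the split should at least be deliberate and noted in a comment beside the constraint. A jump in the minimum major version is a breaking change for module users and deserves a line in the README or changelog saying why (the `iap.enabled` attribute), not just the commit message. The `google-beta` entry's `version` line is outside this hunk.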
@@ -187,7 +187,7 @@ You can check the status of the certificate in the Google Cloud Console. |------|---------| | [terraform](#requirement\_terraform) | >= 0.13.0 | | [cloudinit](#requirement\_cloudinit) | >=2.2.0 | -| [google](#requirement\_google) | >=4.79.0 | +| [google](#requirement\_google) | >=6.9.0 | | [google-beta](#requirement\_google-beta) | >=4.79.0 | | [random](#requirement\_random) | >=3.4.3 | @@ -196,7 +196,7 @@ You can check the status of the certificate in the Google Cloud Console. | Name | Version | |------|---------| | [cloudinit](#provider\_cloudinit) | >=2.2.0 | -| [google](#provider\_google) | >=4.79.0 | +| [google](#provider\_google) | >=6.9.0 | | [google-beta](#provider\_google-beta) | >=4.79.0 | | [random](#provider\_random) | >=3.4.3 | From db0ccce80f677e655b0121c8614fdf560af72099 Mon Sep 17 00:00:00 2001 From: cblkwell Date: Thu, 7 Nov 2024 08:39:53 -0600 Subject: [PATCH 18/24] Fixing README Signed-off-by: cblkwell --- README.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 7d4b6b9..6ce5d3b 100644 --- a/README.md +++ b/README.md @@ -244,7 +244,7 @@ You can check the status of the certificate in the Google Cloud Console. | [google\_logging\_enabled](#input\_google\_logging\_enabled) | Enable Google Cloud Logging | `bool` | `true` | no | | [google\_logging\_use\_fluentbit](#input\_google\_logging\_use\_fluentbit) | Enable Google Cloud Logging using Fluent Bit | `bool` | `false` | no | | [google\_monitoring\_enabled](#input\_google\_monitoring\_enabled) | Enable Google Cloud Monitoring | `bool` | `true` | no | -| [iap](#input\_iap) | Settings for enabling Cloud Identity Aware Proxy to protect the Atlantis UI |
object({
oauth2_client_id = string
oauth2_client_secret = string
})
| `null` | no | +| [iap](#input\_iap) | Settings for enabling Cloud Identity Aware Proxy to protect the Atlantis UI |
object({
oauth2_client_id = string
oauth2_client_secret = string
})
| `null` | no | | [iap\_backend\_security\_policy](#input\_iap\_backend\_security\_policy) | Name of the security policy to apply to the IAP backend service | `string` | `null` | no | | [image](#input\_image) | Docker image. This is most often a reference to a container located in a container registry | `string` | `"ghcr.io/runatlantis/atlantis:latest"` | no | | [labels](#input\_labels) | Key-value pairs representing labels attaching to instance & instance template | `map(any)` | `{}` | no | @@ -256,9 +256,9 @@ You can check the status of the certificate in the Google Cloud Console. | [persistent\_disk\_type](#input\_persistent\_disk\_type) | The type of persistent disk that Atlantis uses to store its data on | `string` | `"pd-ssd"` | no | | [project](#input\_project) | The ID of the project in which the resource belongs | `string` | `null` | no | | [region](#input\_region) | The region that resources should be created in | `string` | n/a | yes | -| [service\_account](#input\_service\_account) | Service account to attach to the instance running Atlantis |
object({
email = string,
scopes = list(string)
})
|
{
"email": "",
"scopes": [
"cloud-platform"
]
}
| no | -| [shared\_vpc](#input\_shared\_vpc) | Whether to deploy within a shared VPC |
object({
host_project_id = string
})
| `null` | no | -| [shielded\_instance\_config](#input\_shielded\_instance\_config) | Shielded VM provides verifiable integrity to prevent against malware and rootkits |
object({
enable_integrity_monitoring = optional(bool)
enable_vtpm = optional(bool)
enable_secure_boot = optional(bool)
})
|
{
"enable_integrity_monitoring": true,
"enable_secure_boot": true,
"enable_vtpm": true
}
| no | +| [service\_account](#input\_service\_account) | Service account to attach to the instance running Atlantis |
object({
email = string,
scopes = list(string)
})
|
{
"email": "",
"scopes": [
"cloud-platform"
]
}
| no | +| [shared\_vpc](#input\_shared\_vpc) | Whether to deploy within a shared VPC |
object({
host_project_id = string
})
| `null` | no | +| [shielded\_instance\_config](#input\_shielded\_instance\_config) | Shielded VM provides verifiable integrity to prevent against malware and rootkits |
object({
enable_integrity_monitoring = optional(bool)
enable_vtpm = optional(bool)
enable_secure_boot = optional(bool)
})
|
{
"enable_integrity_monitoring": true,
"enable_secure_boot": true,
"enable_vtpm": true
}
| no | | [spot\_machine\_enabled](#input\_spot\_machine\_enabled) | A Spot VM is discounted Compute Engine capacity that may be preemptively stopped or deleted by Compute Engine if the capacity is needed | `bool` | `false` | no | | [ssl\_policy](#input\_ssl\_policy) | The SSL policy name that the certificate must follow | `string` | `null` | no | | [startup\_script](#input\_startup\_script) | A startup script that runs during the boot cycle when you first launch an instance | `string` | `null` | no | From dbeba678cb22022e84fb08e2a36286ed71fbea26 Mon Sep 17 00:00:00 2001 From: David Costa Date: Mon, 11 Nov 2024 15:55:15 +0000 Subject: [PATCH 19/24] Allow terraform-docs push --- .github/workflows/ci.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index bb406ca..c1c63f1 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -46,7 +46,7 @@ jobs: - uses: planetscale/ghcommit-action@v0.2.0 # Run this step even if previous steps fails (there are changes to commit) # but skip when on forks - if: ${{ !cancelled() && github.repository_owner == 'runatlantis' }} + if: ${{ !cancelled() }} with: commit_message: "terraform-docs: automated action" repo: ${{ github.repository }} @@ -56,7 +56,7 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Print instructions to run terraform-docs locally if changes are needed and workflow is running on fork - - if: ${{ !cancelled() && github.repository_owner != 'runatlantis' && steps.terraform-docs.outputs.num_changed > 0 }} + - if: ${{ !cancelled() && steps.terraform-docs.outputs.num_changed > 0 }} run: | echo '### Please run terraform-docs locally and commit the changes:' >> $GITHUB_STEP_SUMMARY echo '' >> $GITHUB_STEP_SUMMARY From bef3ea218e32c196e1cf0d2bcb102611f69d68c4 Mon Sep 17 00:00:00 2001 
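Review bot: The `if:` of the ghcommit-action step drops the `github.repository_owner == 'runatlantis'` guard, but the comment directly above it still reads `# but skip when on forks`, and the second hunk's heading comment still says the instructions are printed only when the workflow is `running on fork`; both comments now contradict the conditions they describe. Update them to match, e.g. `# Run this step even if previous steps fail (there are changes to commit)` for the first and `# Print instructions to run terraform-docs locally if changes are needed` for the second. With the guard gone the push step is also attempted on forks and on pull requests from forks, where `secrets.GITHUB_TOKEN` is read-only, so it will likely fail rather than be skipped, and the summary step now also runs on the upstream repository where the push already happened — I cannot see the `on:` triggers, so confirm that `!cancelled()` alone gives the behaviour you want. The step list continues past both hunks.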
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Mon, 11 Nov 2024 15:56:07 +0000 Subject: [PATCH 20/24] terraform-docs: automated action --- README.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/README.md b/README.md index 2bac1b2..97876ac 100644 --- a/README.md +++ b/README.md @@ -201,10 +201,10 @@ You can check the status of the certificate in the Google Cloud Console. | Name | Version | |------|---------| -| [cloudinit](#provider\_cloudinit) | 2.3.4 | -| [google](#provider\_google) | 5.38.0 | -| [google-beta](#provider\_google-beta) | 5.38.0 | -| [random](#provider\_random) | 3.6.2 | +| [cloudinit](#provider\_cloudinit) | >=2.2.0 | +| [google](#provider\_google) | >=6.9.0 | +| [google-beta](#provider\_google-beta) | >=4.79.0 | +| [random](#provider\_random) | >=3.4.3 | ## Modules @@ -241,7 +241,7 @@ You can check the status of the certificate in the Google Cloud Console. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | [args](#input\_args) | Arguments to override the container image default command (CMD). | `list(string)` | `null` | no | -| [autoscaling](#input\_autoscaling) | Allow the instance group to scale down to zero based on signals |
object({
schedules = list(object({
name = string
description = string
schedule = string
time_zone = string
duration_sec = number
}))
})
| `null` | no | +| [autoscaling](#input\_autoscaling) | Allow the instance group to scale down to zero based on signals |
object({
schedules = list(object({
name = string
description = string
schedule = string
time_zone = string
duration_sec = number
}))
})
| `null` | no | | [block\_project\_ssh\_keys\_enabled](#input\_block\_project\_ssh\_keys\_enabled) | Blocks the use of project-wide publich SSH keys | `bool` | `false` | no | | [command](#input\_command) | Command to override the container image ENTRYPOINT | `list(string)` | `null` | no | | [default\_backend\_security\_policy](#input\_default\_backend\_security\_policy) | Name of the security policy to apply to the default backend service | `string` | `null` | no | @@ -256,7 +256,7 @@ You can check the status of the certificate in the Google Cloud Console. | [google\_logging\_enabled](#input\_google\_logging\_enabled) | Enable Google Cloud Logging | `bool` | `true` | no | | [google\_logging\_use\_fluentbit](#input\_google\_logging\_use\_fluentbit) | Enable Google Cloud Logging using Fluent Bit | `bool` | `false` | no | | [google\_monitoring\_enabled](#input\_google\_monitoring\_enabled) | Enable Google Cloud Monitoring | `bool` | `true` | no | -| [iap](#input\_iap) | Settings for enabling Cloud Identity Aware Proxy to protect the Atlantis UI |
object({
oauth2_client_id = string
oauth2_client_secret = string
})
| `null` | no | +| [iap](#input\_iap) | Settings for enabling Cloud Identity Aware Proxy to protect the Atlantis UI |
object({
oauth2_client_id = string
oauth2_client_secret = string
})
| `null` | no | | [iap\_backend\_security\_policy](#input\_iap\_backend\_security\_policy) | Name of the security policy to apply to the IAP backend service | `string` | `null` | no | | [image](#input\_image) | Docker image. This is most often a reference to a container located in a container registry | `string` | `"ghcr.io/runatlantis/atlantis:latest"` | no | | [labels](#input\_labels) | Key-value pairs representing labels attaching to instance & instance template | `map(any)` | `{}` | no | @@ -268,9 +268,9 @@ You can check the status of the certificate in the Google Cloud Console. | [persistent\_disk\_type](#input\_persistent\_disk\_type) | The type of persistent disk that Atlantis uses to store its data on | `string` | `"pd-ssd"` | no | | [project](#input\_project) | The ID of the project in which the resource belongs | `string` | `null` | no | | [region](#input\_region) | The region that resources should be created in | `string` | n/a | yes | -| [service\_account](#input\_service\_account) | Service account to attach to the instance running Atlantis |
object({
email = string,
scopes = list(string)
})
|
{
"email": "",
"scopes": [
"cloud-platform"
]
}
| no | -| [shared\_vpc](#input\_shared\_vpc) | Whether to deploy within a shared VPC |
object({
host_project_id = string
})
| `null` | no | -| [shielded\_instance\_config](#input\_shielded\_instance\_config) | Shielded VM provides verifiable integrity to prevent against malware and rootkits |
object({
enable_integrity_monitoring = optional(bool)
enable_vtpm = optional(bool)
enable_secure_boot = optional(bool)
})
|
{
"enable_integrity_monitoring": true,
"enable_secure_boot": true,
"enable_vtpm": true
}
| no | +| [service\_account](#input\_service\_account) | Service account to attach to the instance running Atlantis |
object({
email = string,
scopes = list(string)
})
|
{
"email": "",
"scopes": [
"cloud-platform"
]
}
| no | +| [shared\_vpc](#input\_shared\_vpc) | Whether to deploy within a shared VPC |
object({
host_project_id = string
})
| `null` | no | +| [shielded\_instance\_config](#input\_shielded\_instance\_config) | Shielded VM provides verifiable integrity to prevent against malware and rootkits |
object({
enable_integrity_monitoring = optional(bool)
enable_vtpm = optional(bool)
enable_secure_boot = optional(bool)
})
|
{
"enable_integrity_monitoring": true,
"enable_secure_boot": true,
"enable_vtpm": true
}
| no | | [spot\_machine\_enabled](#input\_spot\_machine\_enabled) | A Spot VM is discounted Compute Engine capacity that may be preemptively stopped or deleted by Compute Engine if the capacity is needed | `bool` | `false` | no | | [ssl\_policy](#input\_ssl\_policy) | The SSL policy name that the certificate must follow | `string` | `null` | no | | [startup\_script](#input\_startup\_script) | A startup script that runs during the boot cycle when you first launch an instance | `string` | `null` | no | From e1eaaa11ca8662266822bcadf456cf75b26e842d Mon Sep 17 00:00:00 2001 From: David Costa Date: Mon, 11 Nov 2024 16:18:42 +0000 Subject: [PATCH 21/24] chore: add terraform-docs.yaml --- terraform-docs.yaml | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 terraform-docs.yaml diff --git a/terraform-docs.yaml b/terraform-docs.yaml new file mode 100644 index 0000000..704fb0e --- /dev/null +++ b/terraform-docs.yaml @@ -0,0 +1,2 @@ +settings: + lockfile: false # https://github.com/terraform-docs/gh-actions/issues/98 From e2d5d82f13856efd9691552bcc5f2dd33ab2dcb7 Mon Sep 17 00:00:00 2001 From: David Costa Date: Mon, 11 Nov 2024 16:19:44 +0000 Subject: [PATCH 22/24] docs: fix readme --- README.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 97876ac..2cce9de 100644 --- a/README.md +++ b/README.md @@ -201,10 +201,10 @@ You can check the status of the certificate in the Google Cloud Console. | Name | Version | |------|---------| -| [cloudinit](#provider\_cloudinit) | >=2.2.0 | -| [google](#provider\_google) | >=6.9.0 | -| [google-beta](#provider\_google-beta) | >=4.79.0 | -| [random](#provider\_random) | >=3.4.3 | +| [cloudinit](#provider\_cloudinit) | 2.3.4 | +| [google](#provider\_google) | 5.38.0 | +| [google-beta](#provider\_google-beta) | 5.38.0 | +| [random](#provider\_random) | 3.6.2 | ## Modules From 2605e69b1a815ad8fe9f8fd93f88c315db23b9ce Mon Sep 17 00:00:00 2001 
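Review bot: The new file is named `terraform-docs.yaml`, which as far as I recall is not a name terraform-docs discovers on its own (it looks for `.terraform-docs.yml` in the module root, and the gh-action's `config-file` input defaults to the same), so unless a `--config terraform-docs.yaml` is passed somewhere the `lockfile: false` setting is never read. Patch 24 of this series appears to hit exactly that and renames the file to `.terraform-docs.yml`; doing the rename here would have avoided the README flip-flop in patches 22 and 23. The trailing comment is only a link; a short reason reads better, e.g. `lockfile: false  # lockfile is not committed, so local runs match the workflow (see gh-actions issue 98)`.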
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Mon, 11 Nov 2024 16:20:33 +0000 Subject: [PATCH 23/24] terraform-docs: automated action --- README.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 2cce9de..97876ac 100644 --- a/README.md +++ b/README.md @@ -201,10 +201,10 @@ You can check the status of the certificate in the Google Cloud Console. | Name | Version | |------|---------| -| [cloudinit](#provider\_cloudinit) | 2.3.4 | -| [google](#provider\_google) | 5.38.0 | -| [google-beta](#provider\_google-beta) | 5.38.0 | -| [random](#provider\_random) | 3.6.2 | +| [cloudinit](#provider\_cloudinit) | >=2.2.0 | +| [google](#provider\_google) | >=6.9.0 | +| [google-beta](#provider\_google-beta) | >=4.79.0 | +| [random](#provider\_random) | >=3.4.3 | ## Modules From 61d83b5857960467c35cf1045b8dc9537366ac21 Mon Sep 17 00:00:00 2001 From: David Costa Date: Mon, 11 Nov 2024 16:18:42 +0000 Subject: [PATCH 24/24] chore: add .terraform-docs.yaml --- .github/workflows/ci.yaml | 2 +- .terraform-docs.yml | 5 +++++ terraform-docs.yaml | 2 -- 3 files changed, 6 insertions(+), 3 deletions(-) create mode 100644 .terraform-docs.yml delete mode 100644 terraform-docs.yaml diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index c1c63f1..8b96cb3 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml 
@@ -61,7 +61,7 @@ jobs:
 echo '### Please run terraform-docs locally and commit the changes:' >> $GITHUB_STEP_SUMMARY
 echo '' >> $GITHUB_STEP_SUMMARY
 echo '```sh' >> $GITHUB_STEP_SUMMARY
- echo 'docker run --rm --volume "$(pwd):/terraform-docs" -u $(id -u) quay.io/terraform-docs/terraform-docs:0.17.0 markdown --output-file README.md --output-mode inject /terraform-docs' >> $GITHUB_STEP_SUMMARY
+ echo 'docker run --rm --volume "$(pwd):/terraform-docs" -u $(id -u) quay.io/terraform-docs/terraform-docs markdown --output-file README.md --output-mode inject /terraform-docs' >> $GITHUB_STEP_SUMMARY
 echo 'git add README.md' >> $GITHUB_STEP_SUMMARY
 echo 'git commit --amend --no-edit' >> $GITHUB_STEP_SUMMARY
 echo '```' >> $GITHUB_STEP_SUMMARY
diff --git a/.terraform-docs.yml b/.terraform-docs.yml
new file mode 100644
index 0000000..e5a1d09
--- /dev/null
+++ b/.terraform-docs.yml
@@ -0,0 +1,5 @@
+settings:
+ # https://github.com/terraform-docs/gh-actions/issues/98
+ # Since we do not commit the lockfile, it has no effect in gh workflows.
+ # Changes local runs to match the gh workflow behavior.
+ lockfile: false
diff --git a/terraform-docs.yaml b/terraform-docs.yaml
deleted file mode 100644
index 704fb0e..0000000
--- a/terraform-docs.yaml
+++ /dev/null
@@ -1,2 +0,0 @@
-settings:
- lockfile: false # https://github.com/terraform-docs/gh-actions/issues/98
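Review bot: Dropping `:0.17.0` from the image reference in the replaced `echo` line makes the suggested local command pull an unpinned `latest` terraform-docs, so the README a contributor regenerates locally can differ from what the pinned CI step produces — the very mismatch this step summary is asking them to fix — and a floating tag is also weaker from a supply-chain standpoint than a fixed tag or digest. Presumably the pin was removed so it cannot go stale; if so, derive it from the version the workflow's terraform-docs step uses (defined outside this hunk), e.g. `quay.io/terraform-docs/terraform-docs:<VERSION_PINNED_BY_THE_CI_STEP>`, or at least keep an explicit tag that renovate can bump alongside the action. The enclosing `run: |` step starts and ends outside this hunk.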