This guide explains how to secure environment variables when using the Atlantis module on Google Cloud Platform. For more information on using this module, see the basic example.
Additionally, this example uses a GitHub App for authentication, and a custom image entrypoint to set environment variables at container startup time.
- Prerequisites
- How to deploy
- Setting sensitive environment variables
- Setting non-sensitive environment variables
You should already have the following resources:
- Google network, subnetwork and a Cloud NAT
- Service account, specifics can be found here
- Domain, specifics can be found here
- The secrets for the GitHub App ID, secret, and webhook secret.
If you prefer an example that includes the above resources, see the complete example.
To deploy the Atlantis module, see the Dockerfile and the main.tf.
- If you bring your own Docker image (not using any Atlantis image as the base image), be sure to create an Atlantis user with a uid (user ID) of 100.
- As per the Docker spec, the base image's CMD will be overridden when you define a new ENTRYPOINT through the command variable: https://docs.docker.com/engine/reference/builder/#understand-how-cmd-and-entrypoint-interact
Atlantis allows you to configure everything using environment variables. However, any variable passed to the container this way is visible in the Google Cloud console when the container is deployed, so sensitive values such as tokens and secrets should not be set that way. To protect these values, follow the steps below.
Use a wrapper Atlantis Docker image to set environment variables that contain sensitive values. See the following examples for more details:
- Cloud Build: pull secrets from Google Secret Manager
- GitHub Actions: pull secrets from Google Secret Manager
- GitHub Actions: use GitHub secrets
You can export sensitive values in the custom-entrypoint.sh.tftpl script, which will be executed as the container entrypoint. This strategy allows us to use the base Atlantis image, and to export environment variables that do not appear in the Console (e.g. ATLANTIS_GH_WEBHOOK_SECRET).
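As an added example of such an entrypoint script (not the module's own custom-entrypoint.sh.tftpl), the following POSIX shell script reads the GitHub App values from Secret Manager at container start, exports them, and then starts the server. It assumes three Secret Manager secrets named atlantis-gh-app-id, atlantis-gh-app-key and atlantis-gh-webhook-secret that the instance's service account is allowed to read, that gcloud is on PATH inside the image, and that the atlantis binary starts the server; the secret names and the SECRET_FETCH_CMD override are assumptions made for this example, not part of the module.

```shell
#!/bin/sh
# Hypothetical custom-entrypoint.sh (added example, not the module's template).
# Assumed secret names: atlantis-gh-app-id, atlantis-gh-app-key,
# atlantis-gh-webhook-secret. Assumed tools: gcloud and atlantis on PATH.
set -eu
# Deliberately no `set -x`: tracing would print the secret values into the logs.

# Command used to read one secret. It is overridable so the functions below can
# be exercised offline with a fake reader instead of the real gcloud call.
: "${SECRET_FETCH_CMD:=gcloud secrets versions access latest --secret}"

# fetch_secret SECRET_NAME -> writes the secret payload to stdout.
fetch_secret() {
  # Word splitting of the command string is intended here.
  $SECRET_FETCH_CMD "$1"
}

# export_secret ENV_NAME SECRET_NAME: read one secret and export it as ENV_NAME.
# Fails, without printing the value, if the secret cannot be read or is empty.
export_secret() {
  local env_name="$1" secret_name="$2" value
  if ! value="$(fetch_secret "$secret_name")"; then
    echo "custom-entrypoint: cannot read secret '$secret_name'" >&2
    return 1
  fi
  if [ -z "$value" ]; then
    echo "custom-entrypoint: secret '$secret_name' is empty" >&2
    return 1
  fi
  # A multi-line payload (the PEM app key) is kept intact by the quoting.
  export "$env_name=$value"
}

# load_atlantis_secrets: populate the sensitive Atlantis variables. Because the
# values are set inside the container, they never appear in the Console.
load_atlantis_secrets() {
  export_secret ATLANTIS_GH_APP_ID         atlantis-gh-app-id
  export_secret ATLANTIS_GH_APP_KEY        atlantis-gh-app-key
  export_secret ATLANTIS_GH_WEBHOOK_SECRET atlantis-gh-webhook-secret
}

main() {
  load_atlantis_secrets
  # Our ENTRYPOINT overrides the base image's CMD, so start the server explicitly.
  exec atlantis server "$@"
}

# Start Atlantis only when executed under the deployed script name; when the
# file is sourced or concatenated for testing, only the functions are defined.
if [ "${0##*/}" = "custom-entrypoint.sh" ]; then
  main "$@"
fi
```

Copy the script into the image in the Dockerfile and reference it as the ENTRYPOINT (or through the module's command variable). On failure the script prints only the secret name, never the value, and it stops the container rather than starting Atlantis with a missing webhook secret.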
Use the var.env_vars variable to set non-sensitive environment variables.

```hcl
env_vars = {
  ATLANTIS_EXAMPLE = "example"
}
```
Important: Do not specify the same environment variable in both env_vars and the Dockerfile, as this might cause the deployment to fail.
Once you're done, see Configuring Webhooks for Atlantis.