docs: add startup-env-vars example

runatlantis · Dec 4, 2023 · 39bd03e · 39bd03e
1 parent 35ded3d
commit 39bd03e
Show file tree

Hide file tree

Showing 4 changed files with 171 additions and 0 deletions.
diff --git a/examples/startup-env-vars/README.md b/examples/startup-env-vars/README.md
@@ -0,0 +1,29 @@
+# Example usage
+
+This example uses a GitHub App for authenticatioon, and a custom image entrypoint to set environment variables at container startup time.
+This allows you to use the base Atlantis image, to export environment variables that do not appear in the Console (e.g. ATLANTIS_GH_WEBHOOK_SECRET), and to avoid having the GitHub app key available as an environment variable.
+
+Read through the below before you deploy this module.
+
+- [Prerequisites](#prerequisites)
+- [How to deploy](#how-to-deploy)
+- [After it's successfully deployed](#after-its-successfully-deployed)
+
+## Prerequisites
+
+This module expects that you already own or create the below resources yourself.
+
+- Google network, subnetwork and a Cloud NAT
+- Service account, [specifics can be found here](../../README.md#service-account)
+- Domain, [specifics can be found here](../../README.md#dns-record)
+- The secrets for the GitHub app id, secret, and webhook secret.
+
+If you prefer an example that includes the above resources, see [`complete example`](https://github.com/bschaatsbergen/atlantis-on-gcp-vm/tree/master/examples/complete).
+
+## How to deploy
+
+See [`main.tf`](https://github.com/bschaatsbergen/atlantis-on-gcp-vm/tree/master/examples/basic/main.tf) and the [`server-atlantis.yaml`](https://github.com/bschaatsbergen/atlantis-on-gcp-vm/tree/master/examples/basic/server-atlantis.yaml).
+
+## After it's successfully deployed
+
+Once you're done, see [Configuring Webhooks for Atlantis](https://www.runatlantis.io/docs/configuring-webhooks.html#configuring-webhooks)
diff --git a/examples/startup-env-vars/custom-entrypoint.sh.tftpl b/examples/startup-env-vars/custom-entrypoint.sh.tftpl
@@ -0,0 +1,51 @@
+#!/bin/bash
+
+set -e
+
+mkdir -p ${mount_folder}
+chown 100 ${mount_folder}
+cat <<'EOF' > "${mount_folder}/${entrypoint_filename}"
+#!/bin/bash
+
+set -e
+
+fetch_secret() {
+    local secret="$1"
+    local filepath="$2"
+
+    gcloud secrets versions access latest --secret="$secret" > "$filepath"
+    chmod 400 "$filepath"
+    chown atlantis "$filepath"
+}
+ARCH="x86_64"
+apk --no-cache upgrade && apk --no-cache add \
+        curl \
+        python3 \
+        py3-crcmod \
+        py3-openssl \
+        bash \
+        libc6-compat \
+        openssh-client \
+        git \
+        gnupg \
+    && curl -O https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-cli-${cloud_sdk_version}-linux-$${ARCH}.tar.gz && \
+    tar xzf google-cloud-cli-${cloud_sdk_version}-linux-$${ARCH}.tar.gz && \
+    rm google-cloud-cli-${cloud_sdk_version}-linux-$${ARCH}.tar.gz
+
+export PATH=$PATH:/google-cloud-sdk/bin
+gcloud config set core/disable_usage_reporting true
+gcloud config set component_manager/disable_update_check true
+gcloud config set metrics/environment github_docker_image
+gcloud --version
+
+fetch_secret "${app_key_secret_name}" "${key_file_path}"
+
+export ATLANTIS_GH_APP_ID=$(gcloud secrets versions access latest --secret="${app_id_secret_name}")
+export ATLANTIS_GH_APP_KEY_FILE="${key_file_path}"
+export ATLANTIS_GH_WEBHOOK_SECRET=$(gcloud secrets versions access latest --secret="${webhook_secret_secret_name}")
+
+# Call original atlantis entrypoint, passing along all arguments
+docker-entrypoint.sh "$@"
+EOF
+
+chmod 0755 "${mount_folder}/${entrypoint_filename}"
diff --git a/examples/startup-env-vars/main.tf b/examples/startup-env-vars/main.tf
@@ -0,0 +1,85 @@
+locals {
+  project_id   = "<your-project-id>"
+  network      = "<your-network>"
+  subnetwork   = "<your-subnetwork>"
+  region       = "<your-region>"
+  zone         = "<your-zone>"
+  domain       = "<example.com>"
+  managed_zone = "<your-managed-zone>"
+
+  github_repo_allow_list = "github.com/example/*"
+
+  secret_names = {
+    app_id  = "<your_secret_name_for_app_id>"
+    app_key = "<your_secret_name_for_app_key>"
+    webhook = "<your_secret_name_for_webhook>"
+  }
+}
+
+# Create a service account and attach the required Cloud Logging permissions to it.
+resource "google_service_account" "atlantis" {
+  account_id   = "atlantis"
+  display_name = "Service Account for Atlantis"
+  project      = local.project_id
+}
+
+resource "google_project_iam_member" "atlantis_log_writer" {
+  role    = "roles/logging.logWriter"
+  member  = "serviceAccount:${google_service_account.atlantis.email}"
+  project = local.project_id
+}
+
+resource "google_project_iam_member" "atlantis_metric_writer" {
+  role    = "roles/monitoring.metricWriter"
+  member  = "serviceAccount:${google_service_account.atlantis.email}"
+  project = local.project_id
+}
+
+module "atlantis" {
+  source     = "bschaatsbergen/atlantis/gce"
+  name       = "atlantis"
+  network    = local.network
+  subnetwork = local.subnetwork
+  region     = local.region
+  zone       = local.zone
+  service_account = {
+    email  = google_service_account.atlantis.email
+    scopes = ["cloud-platform"]
+  }
+
+  env_vars = {
+    ATLANTIS_REPO_ALLOWLIST   = local.github_repo_allow_list
+    ATLANTIS_ATLANTIS_URL     = "https://${local.domain}"
+    ATLANTIS_REPO_CONFIG_JSON = jsonencode(yamldecode(file("${path.module}/server-atlantis.yaml")))
+    ATLANTIS_WRITE_GIT_CREDS  = "true"
+  }
+  domain  = local.domain
+  project = local.project_id
+
+  image   = "ghcr.io/runatlantis/atlantis:latest"
+  command = ["/home/atlantis/custom-entrypoint.sh"]
+  args    = ["server"]
+
+  startup_script = templatefile("${path.module}/custom-entrypoint.sh.tftpl", {
+    cloud_sdk_version          = "455.0.0"
+    app_key_secret_name        = local.secret_names.app_key
+    app_id_secret_name         = local.secret_names.app_id
+    webhook_secret_secret_name = local.secret_names.webhook
+    key_file_path              = "/home/atlantis/gh_app_key.pem"
+    mount_folder               = "/mnt/disks/gce-containers-mounts/gce-persistent-disks/atlantis-disk-0/"
+    entrypoint_filename        = "custom-entrypoint.sh"
+  })
+}
+
+# As your DNS records might be managed at another registrar's site, we create the DNS record outside of the module.
+# This record is mandatory in order to provision the managed SSL certificate successfully.
+resource "google_dns_record_set" "default" {
+  name         = "${local.domain}."
+  type         = "A"
+  ttl          = 60
+  managed_zone = local.managed_zone
+  rrdatas = [
+    module.atlantis.ip_address
+  ]
+  project = local.project_id
+}
diff --git a/examples/startup-env-vars/server-atlantis.yaml b/examples/startup-env-vars/server-atlantis.yaml
@@ -0,0 +1,6 @@
+repos:
+- id: /.*/
+  apply_requirements: [mergeable]
+  allowed_overrides: [apply_requirements, workflow]
+  allow_custom_workflows: true
+  delete_source_branch_on_merge: true