Skip to content

Commit

Permalink
feat: shared vpc support
Browse files Browse the repository at this point in the history
  • Loading branch information
d-costa committed Dec 8, 2023
1 parent 0bc790d commit 06aacb0
Show file tree
Hide file tree
Showing 6 changed files with 129 additions and 1 deletion.
1 change: 1 addition & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -61,6 +61,7 @@ Here are some examples to choose from. Look at the prerequisites above to find o
- [Complete](https://github.com/bschaatsbergen/atlantis-on-gcp-vm/tree/master/examples/complete)
- [Secure Environment Variables](https://github.com/bschaatsbergen/atlantis-on-gcp-vm/tree/master/examples/secure-env-vars)
- [Cloud Armor](https://github.com/bschaatsbergen/atlantis-on-gcp-vm/tree/master/examples/cloud-armor)
- [Shared VPC](https://github.com/bschaatsbergen/atlantis-on-gcp-vm/tree/master/examples/shared-vpc)

```hcl
module "atlantis" {
Expand Down
33 changes: 33 additions & 0 deletions examples/shared-vpc/README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,33 @@
# Example usage

Read through the below before you deploy this module.

- [Prerequisites](#prerequisites)
- [How to deploy](#how-to-deploy)
- [After it's successfully deployed](#after-its-successfully-deployed)

## Prerequisites

This module expects that you already own or create the below resources yourself.

- Service account, [specifics can be found here](../../README.md#service-account)
- Domain, [specifics can be found here](../../README.md#dns-record)
- A host project with a Google network, subnetwork, a Cloud NAT, and the following firewall rules configured in the host network:
- Allow load balancer healthchecks: (<https://cloud.google.com/load-balancing/docs/health-checks#fw-rule>)
- source ip ranges: [130.211.0.0/22, 35.191.0.0/16]
- target tags [allow-lb-health-checks]
- tcp
- Allow IAP access, if applicable (<https://cloud.google.com/iap/docs/using-tcp-forwarding#create-firewall-rule>)
- source ip ranges: [35.235.240.0/20]
- target tags: [allow-iap]
- tcp, port 22

If you prefer an example that includes the above resources, see [`complete example`](https://github.com/bschaatsbergen/atlantis-on-gcp-vm/tree/master/examples/complete).

## How to deploy

See [`main.tf`](https://github.com/bschaatsbergen/atlantis-on-gcp-vm/tree/master/examples/basic/main.tf) and the [`server-atlantis.yaml`](https://github.com/bschaatsbergen/atlantis-on-gcp-vm/tree/master/examples/basic/server-atlantis.yaml).

## After it's successfully deployed

Once you're done, see [Configuring Webhooks for Atlantis](https://www.runatlantis.io/docs/configuring-webhooks.html#configuring-webhooks)
78 changes: 78 additions & 0 deletions examples/shared-vpc/main.tf
Original file line number Diff line number Diff line change
@@ -0,0 +1,78 @@
locals {
project_id = "<your-project-id>"
network = "<your-network>"
subnetwork = "<your-subnetwork>"
region = "<your-region>"
zone = "<your-zone>"
domain = "<example.com>"
managed_zone = "<your-managed-zone>"
host_project_id = "<your-host-project-id>"

github_repo_allow_list = "github.com/example/*"
github_user = "<your-github-handle>"
github_token = "<your-github-user>"
github_webhook_secret = "<your-github-webhook-secret>"
}

# Create a service account and attach the required Cloud Logging permissions to it.
resource "google_service_account" "atlantis" {
account_id = "atlantis"
display_name = "Service Account for Atlantis"
project = local.project_id
}

resource "google_project_iam_member" "atlantis_log_writer" {
role = "roles/logging.logWriter"
member = "serviceAccount:${google_service_account.atlantis.email}"
project = local.project_id
}

resource "google_project_iam_member" "atlantis_metric_writer" {
role = "roles/monitoring.metricWriter"
member = "serviceAccount:${google_service_account.atlantis.email}"
project = local.project_id
}

module "atlantis" {
source = "bschaatsbergen/atlantis/gce"
name = "atlantis"
network = local.network
subnetwork = local.subnetwork
region = local.region
zone = local.zone
service_account = {
email = google_service_account.atlantis.email
scopes = ["cloud-platform"]
}
# Note: environment variables are shown in the Google Cloud UI
# See the `examples/secure-env-vars` if you want to protect sensitive information
env_vars = {
ATLANTIS_GH_USER = local.github_user
ATLANTIS_GH_TOKEN = local.github_token
ATLANTIS_GH_WEBHOOK_SECRET = local.github_webhook_secret
ATLANTIS_REPO_ALLOWLIST = local.github_repo_allow_list
ATLANTIS_ATLANTIS_URL = "https://${local.domain}"
ATLANTIS_REPO_CONFIG_JSON = jsonencode(yamldecode(file("${path.module}/server-atlantis.yaml")))
}
domain = local.domain
project = local.project_id

shared_vpc = {
host_project_id = local.host_project_id
}

tags = ["allow-lb-health-checks", "allow-iap"]
}

# As your DNS records might be managed at another registrar's site, we create the DNS record outside of the module.
# This record is mandatory in order to provision the managed SSL certificate successfully.
resource "google_dns_record_set" "default" {
name = "${local.domain}."
type = "A"
ttl = 60
managed_zone = local.managed_zone
rrdatas = [
module.atlantis.ip_address
]
project = local.project_id
}
6 changes: 6 additions & 0 deletions examples/shared-vpc/server-atlantis.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
repos:
- id: /.*/
apply_requirements: [mergeable]
allowed_overrides: [apply_requirements, workflow]
allow_custom_workflows: true
delete_source_branch_on_merge: true
4 changes: 3 additions & 1 deletion main.tf
Original file line number Diff line number Diff line change
Expand Up @@ -192,7 +192,7 @@ resource "google_compute_instance_template" "default" {

network_interface {
subnetwork = var.subnetwork
subnetwork_project = var.project
subnetwork_project = try(var.shared_vpc.host_project_id, var.project)
}

shielded_instance_config {
Expand Down Expand Up @@ -426,6 +426,7 @@ resource "google_compute_global_forwarding_rule" "https" {

# Route public internet traffic to the default internet gateway
resource "google_compute_route" "public_internet" {
count = var.shared_vpc == null ? 1 : 0
network = var.network
name = "${var.name}-public-internet"
description = "Custom static route for Altantis to communicate with the public internet"
Expand All @@ -438,6 +439,7 @@ resource "google_compute_route" "public_internet" {

# This firewall rule allows Google Cloud to issue the health checks
resource "google_compute_firewall" "lb_health_check" {
count = var.shared_vpc == null ? 1 : 0
name = "${var.name}-lb-health-checks"
description = "Firewall rule to allow inbound Google Load Balancer health checks to the Atlantis instance"
priority = 0
Expand Down
8 changes: 8 additions & 0 deletions variables.tf
Original file line number Diff line number Diff line change
Expand Up @@ -181,3 +181,11 @@ variable "iap_backend_security_policy" {
description = "Name of the security policy to apply to the IAP backend service"
default = null
}

variable "shared_vpc" {
description = "Whether to deploy within a shared VPC"
type = object({
host_project_id = string
})
default = null
}

0 comments on commit 06aacb0

Please sign in to comment.