docs: modify secure-env-vars example to use a custom entrypoint

runatlantis · Dec 8, 2023 · 4f54269 · 4f54269
1 parent ea98f5a
commit 4f54269
Show file tree

Hide file tree

Showing 8 changed files with 93 additions and 145 deletions.
diff --git a/examples/secure-env-vars/.github/workflows/docker-gcp-secrets.yaml b/examples/secure-env-vars/.github/workflows/docker-gcp-secrets.yaml
diff --git a/examples/secure-env-vars/.github/workflows/docker-github-secrets.yaml b/examples/secure-env-vars/.github/workflows/docker-github-secrets.yaml
diff --git a/examples/secure-env-vars/Dockerfile b/examples/secure-env-vars/Dockerfile
diff --git a/examples/secure-env-vars/README.md b/examples/secure-env-vars/README.md
@@ -2,18 +2,24 @@
 
 This guide explains how to secure environment variables when using the Atlantis module on Google Cloud Platform. For more information on using this module, see the [`basic example`](https://github.com/bschaatsbergen/atlantis-on-gcp-vm/tree/master/examples/basic).
 
+Additionally, this example uses a GitHub App for authenticatioon, and a custom image entrypoint to set environment variables at container startup time.
+
 - [Prerequisites](#prerequisites)
 - [How to deploy](#how-to-deploy)
-  - [Important](#Important)
+  - [Important](#important)
 - [Setting sensitive environment variables](#setting-sensitive-environment-variables)
 - [Setting non sensitive environment variables](#setting-non-sensitive-environment-variables)
 
 ## Prerequisites
 
 You should already have the following resources:
 
-- An Artifact or Container Registry in Google Cloud.
-- A CI/CD system with a secret manager integration (such as GitHub, Gitlab, Jenkins, or Cloud Build).
+- Google network, subnetwork and a Cloud NAT
+- Service account, [specifics can be found here](../../README.md#service-account)
+- Domain, [specifics can be found here](../../README.md#dns-record)
+- The secrets for the GitHub app id, secret, and webhook secret.
+
+If you prefer an example that includes the above resources, see [`complete example`](https://github.com/bschaatsbergen/atlantis-on-gcp-vm/tree/master/examples/complete)
 
 ## How to deploy
 
@@ -29,11 +35,8 @@ Atlantis allows you to configure everything using environment variables. However
 
 ### Setting sensitive environment variables
 
-Use a wrapper Atlantis Docker image to set environment variables that contain sensitive values. See the following examples for more details:
-
-- [**Cloud Build**: pull secrets from Google Secret Manager](https://github.com/bschaatsbergen/atlantis-on-gcp-vm/tree/master/examples/secure-env-vars/cloudbuild.yaml)
-- [**GitHub Actions**: pull secrets from Google Secret Manager](https://github.com/bschaatsbergen/atlantis-on-gcp-vm/tree/master/examples/secure-env-vars/.github/workflows/docker-gcp-secrets.yaml)
-- [**GitHub Actions**: use GitHub secrets](https://github.com/bschaatsbergen/atlantis-on-gcp-vm/tree/master/examples/secure-env-vars/.github/workflows/docker-github-secrets.yaml)
+You can export sensitive values in the [`custom-entrypoint.sh.tftpl`](custom-entrypoint.sh.tftpl) script, which will be executed as the container entrypoint.
+This strategy allow us to use the base Atlantis image, and to export environment variables that do not appear in the Console (e.g. ATLANTIS_GH_WEBHOOK_SECRET).
 
 ### Setting non-sensitive environment variables
 

diff --git a/examples/secure-env-vars/cloudbuild.yaml b/examples/secure-env-vars/cloudbuild.yaml
diff --git a/examples/secure-env-vars/custom-entrypoint.sh.tftpl b/examples/secure-env-vars/custom-entrypoint.sh.tftpl
@@ -0,0 +1,51 @@
+#!/bin/bash
+
+set -e
+
+mkdir -p ${mount_folder}
+chown 100 ${mount_folder}
+cat <<'EOF' > "${mount_folder}/${entrypoint_filename}"
+#!/bin/bash
+
+set -e
+
+fetch_secret() {
+    local secret="$1"
+    local filepath="$2"
+
+    gcloud secrets versions access latest --secret="$secret" > "$filepath"
+    chmod 400 "$filepath"
+    chown atlantis "$filepath"
+}
+ARCH="x86_64"
+apk --no-cache upgrade && apk --no-cache add \
+        curl \
+        python3 \
+        py3-crcmod \
+        py3-openssl \
+        bash \
+        libc6-compat \
+        openssh-client \
+        git \
+        gnupg \
+    && curl -O https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-cli-${cloud_sdk_version}-linux-$${ARCH}.tar.gz && \
+    tar xzf google-cloud-cli-${cloud_sdk_version}-linux-$${ARCH}.tar.gz && \
+    rm google-cloud-cli-${cloud_sdk_version}-linux-$${ARCH}.tar.gz
+
+export PATH=$PATH:/google-cloud-sdk/bin
+gcloud config set core/disable_usage_reporting true
+gcloud config set component_manager/disable_update_check true
+gcloud config set metrics/environment github_docker_image
+gcloud --version
+
+fetch_secret "${app_key_secret_name}" "${key_file_path}"
+
+export ATLANTIS_GH_APP_ID=$(gcloud secrets versions access latest --secret="${app_id_secret_name}")
+export ATLANTIS_GH_APP_KEY_FILE="${key_file_path}"
+export ATLANTIS_GH_WEBHOOK_SECRET=$(gcloud secrets versions access latest --secret="${webhook_secret_secret_name}")
+
+# Call original atlantis entrypoint, passing along all arguments
+docker-entrypoint.sh "$@"
+EOF
+
+chmod 0755 "${mount_folder}/${entrypoint_filename}"
diff --git a/examples/secure-env-vars/main.tf b/examples/secure-env-vars/main.tf
@@ -4,11 +4,16 @@ locals {
   subnetwork   = "<your-subnetwork>"
   region       = "<your-region>"
   zone         = "<your-zone>"
-  image        = "<your-image>"
   domain       = "<example.com>"
   managed_zone = "<your-managed-zone>"
 
   github_repo_allow_list = "github.com/example/*"
+
+  secret_names = {
+    app_id  = "<your_secret_name_for_app_id>"
+    app_key = "<your_secret_name_for_app_key>"
+    webhook = "<your_secret_name_for_webhook>"
+  }
 }
 
 # Create a service account and attach the required Cloud Logging permissions to it.
@@ -33,7 +38,6 @@ resource "google_project_iam_member" "atlantis_metric_writer" {
 module "atlantis" {
   source     = "bschaatsbergen/atlantis/gce"
   name       = "atlantis"
-  image      = local.image # Your wrapper Atlantis Docker image
   network    = local.network
   subnetwork = local.subnetwork
   region     = local.region
@@ -42,14 +46,29 @@ module "atlantis" {
     email  = google_service_account.atlantis.email
     scopes = ["cloud-platform"]
   }
-  # Declare the non-sensitive environment variables here
-  # The sensitive environment variables are set in the Dockerfile!
+
   env_vars = {
-    ATLANTIS_REPO_ALLOWLIST = local.github_repo_allow_list
-    ATLANTIS_ATLANTIS_URL   = "https://${local.domain}"
+    ATLANTIS_REPO_ALLOWLIST   = local.github_repo_allow_list
+    ATLANTIS_ATLANTIS_URL     = "https://${local.domain}"
+    ATLANTIS_REPO_CONFIG_JSON = jsonencode(yamldecode(file("${path.module}/server-atlantis.yaml")))
+    ATLANTIS_WRITE_GIT_CREDS  = "true"
   }
   domain  = local.domain
   project = local.project_id
+
+  image   = "ghcr.io/runatlantis/atlantis:latest"
+  command = ["/home/atlantis/custom-entrypoint.sh"]
+  args    = ["server"]
+
+  startup_script = templatefile("${path.module}/custom-entrypoint.sh.tftpl", {
+    cloud_sdk_version          = "455.0.0"
+    app_key_secret_name        = local.secret_names.app_key
+    app_id_secret_name         = local.secret_names.app_id
+    webhook_secret_secret_name = local.secret_names.webhook
+    key_file_path              = "/home/atlantis/gh_app_key.pem"
+    mount_folder               = "/mnt/disks/gce-containers-mounts/gce-persistent-disks/atlantis-disk-0"
+    entrypoint_filename        = "custom-entrypoint.sh"
+  })
 }
 
 # As your DNS records might be managed at another registrar's site, we create the DNS record outside of the module.

diff --git a/examples/secure-env-vars/server-atlantis.yaml b/examples/secure-env-vars/server-atlantis.yaml
@@ -0,0 +1,6 @@
+repos:
+- id: /.*/
+  apply_requirements: [mergeable]
+  allowed_overrides: [apply_requirements, workflow]
+  allow_custom_workflows: true
+  delete_source_branch_on_merge: true