runatlantis · bschaatsbergen · Dec 31, 2022 · Dec 31, 2022 · Dec 31, 2022
@@ -0,0 +1,62 @@
+# Example usage
+
+
+## Prerequisites
+
+This module expects that you already own or create the below resources yourself.
+
+- Domain
+- Google network and subnetwork
+- Service account
+
+## How to deploy
+
+See [`main.tf`](https://github.com/bschaatsbergen/atlantis-on-gcp-vm/tree/master/example/main.tf) and the [`server-atlantis.yaml`](https://github.com/bschaatsbergen/atlantis-on-gcp-vm/tree/master/example/server-atlantis.yaml).
+
+
+## Service Account
+
+As Google recommends custom service accounts and permissions granted via IAM Roles. We decided that you must bring your own service account.
+
+Note that you must grant the relevant permissions to your service account yourself, e.g. Storage related permissions for the Terraform state bucket and other permissions in order to create resources through Terraform.
+
+### Important
+
+The `roles/logging.logWriter` role should be attached to the service account in order to write logs to Cloud Logging.
+
+### Example
+
+```hcl
+resource "google_service_account" "atlantis" {
+  account_id   = "atlantis-sa"
+  display_name = "Service Account for Atlantis"
+  project      = var.project_id
+}
+
+resource "google_project_iam_member" "atlantis_log_writer" {
+  role    = "roles/logging.logWriter"
+  member  = "serviceAccount:${google_service_account.atlantis.email}"
+  project = var.project_id
+}
+```
+
+## DNS Record
+
+As this module creates an External HTTPS Load Balancer together with a managed SSL certificate for the domain you provided, an A record has to be created for your domain to successfully provision the certificate.
+
+### Example
+
+If you use Cloud DNS and own a managed zone for your domain, use the IP address that's part of the module output to create the A record.
+
+```hcl
+resource "google_dns_record_set" "default" {
+  name         = "atlantis.example.com."
+  type         = "A"
+  ttl          = 60
+  managed_zone = "example-com"
+  rrdatas = [
+    module.atlantis.ip_address
+  ]
+  project = var.project_id
+}
+```
@@ -0,0 +1,51 @@
+# As your DNS records might be managed at another registrar's site, we create the DNS record outside of the module.
+# This record is mandatory in order to provision the managed SSL certificate successfully.
+resource "google_dns_record_set" "default" {
+  name         = "atlantis.example.com."
+  type         = "A"
+  ttl          = 60
+  managed_zone = "example-com"
+  rrdatas = [
+    module.atlantis.ip_address
+  ]
+  project = var.project_id
+}
+
+module "atlantis" {
+  source     = "bschaatsbergen/atlantis-on-gce"
+  name       = "atlantis"
+  subnetwork = google_compute_network.default.name
+  region     = google_compute_subnetwork.default.name
+  service_account = {
+    email  = google_service_account.atlantis.email
+    scopes = ["cloud-platform"]
+  }
+  env_vars = [
+    {
+      name  = "ATLANTIS_GH_USER"
+      value = "myuser"
+    },
+    {
+      name  = "ATLANTIS_GH_TOKEN"
+      value = "token"
+    },
+    {
+      name  = "ATLANTIS_GH_WEBHOOK_SECRET"
+      value = "secret"
+    },
+    {
+      name  = "ATLANTIS_REPO_ALLOWLIST"
+      value = "github.com/myorg/*"
+    },
+    {
+      name  = "ATLANTIS_ATLANTIS_URL"
+      value = "https://atlantis.example.com"
+    },
+    {
+      name  = "ATLANTIS_REPO_CONFIG_JSON"
+      value = jsonencode(yamldecode(file("server-atlantis.yaml")))
+    }
+  ]
+  domain     = "atlantis.example.com"
+  project_id = var.project_id
+}
@@ -0,0 +1,6 @@
+repos:
+- id: /.*/
+  apply_requirements: [mergeable]
+  allowed_overrides: [apply_requirements, workflow]
+  allow_custom_workflows: true
+  delete_source_branch_on_merge: true
@@ -68,7 +68,6 @@ resource "google_compute_instance_template" "atlantis" {
   }
 
   service_account {
-    # Google recommends custom service accounts that have cloud-platform scope and permissions granted via IAM Roles.
     email  = var.service_account.email
     scopes = var.service_account.scopes
   }