From f6e684290af1d0a4d0952812ffeff603240a3375 Mon Sep 17 00:00:00 2001 From: Mark Iannucci Date: Fri, 18 Feb 2022 05:04:24 -0700 Subject: [PATCH 1/8] fixes #254 --- main.tf | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/main.tf b/main.tf index 5d087058..d709fec3 100644 --- a/main.tf +++ b/main.tf @@ -433,7 +433,10 @@ resource "aws_efs_file_system" "this" { resource "aws_efs_mount_target" "this" { # we coalescelist in order to specify the resource keys when we create the subnets using the VPC or they're specified for us. This works around the for_each value depends on attributes which can't be determined until apply error - for_each = zipmap(coalescelist(var.private_subnets, var.private_subnet_ids), local.private_subnet_ids) + for_each = { + for k, v in zipmap(coalescelist(var.private_subnets, var.private_subnet_ids), local.private_subnet_ids) : k => v + if var.enable_ephemeral_storage == false + } file_system_id = aws_efs_file_system.this[0].id subnet_id = each.value From e297d6b8ffa04d20dedb27fbc9b238d3ec23e21f Mon Sep 17 00:00:00 2001 From: Mark Iannucci Date: Fri, 18 Feb 2022 12:31:30 +0000 Subject: [PATCH 2/8] fixup formatting --- main.tf | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/main.tf b/main.tf index d709fec3..a97ab48c 100644 --- a/main.tf +++ b/main.tf 
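Review bot: The new filter `if var.enable_ephemeral_storage == false` in the `for_each` of `aws_efs_mount_target.this` compares a bool against a literal; the idiomatic form is `if !var.enable_ephemeral_storage`, and the comment above it should state why the filter exists, e.g. `# no mount targets when ephemeral storage is enabled; must stay in step with the count on aws_efs_file_system.this`. The body still references `aws_efs_file_system.this[0].id`, so the file system resource presumably carries a matching `count`; that resource is outside the hunk, so please confirm both are gated on the same variable, otherwise a mount target could be planned against a file system that is not created. The mount target resource continues past the end of the hunk.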
@@ -433,10 +433,10 @@ resource "aws_efs_file_system" "this" { resource "aws_efs_mount_target" "this" { # we coalescelist in order to specify the resource keys when we create the subnets using the VPC or they're specified for us. This works around the for_each value depends on attributes which can't be determined until apply error - for_each = { - for k, v in zipmap(coalescelist(var.private_subnets, var.private_subnet_ids), local.private_subnet_ids) : k => v - if var.enable_ephemeral_storage == false - } + for_each = { + for k, v in zipmap(coalescelist(var.private_subnets, var.private_subnet_ids), local.private_subnet_ids) : k => v + if var.enable_ephemeral_storage == false + } file_system_id = aws_efs_file_system.this[0].id subnet_id = each.value From e7146f376d17f6fe8dfd4755825bf126992d08cc Mon Sep 17 00:00:00 2001 
From: Mark Iannucci Date: Sun, 20 Feb 2022 00:42:54 -0700 Subject: [PATCH 3/8] add ephemeral storage example --- examples/github-complete/main.tf | 3 + examples/github-complete/variables.tf | 6 + .../README.md | 79 ++++++ .../github-ephemeral-storage-noreuse/main.tf | 224 ++++++++++++++++++ .../outputs.tf | 32 +++ .../terraform.tfvars.sample | 6 + .../variables.tf | 24 ++ .../versions.tf | 15 ++ examples/github-ephemeral-storage/README.md | 79 ++++++ examples/github-ephemeral-storage/main.tf | 39 +++ .../terraform.tfvars.sample | 7 + .../github-ephemeral-storage/variables.tf | 30 +++ 12 files changed, 544 insertions(+) create mode 100644 examples/github-ephemeral-storage-noreuse/README.md create mode 100644 examples/github-ephemeral-storage-noreuse/main.tf create mode 100644 examples/github-ephemeral-storage-noreuse/outputs.tf create mode 100644 examples/github-ephemeral-storage-noreuse/terraform.tfvars.sample create mode 100644 examples/github-ephemeral-storage-noreuse/variables.tf create mode 100644 examples/github-ephemeral-storage-noreuse/versions.tf create mode 100644 examples/github-ephemeral-storage/README.md create mode 100644 examples/github-ephemeral-storage/main.tf create mode 100644 examples/github-ephemeral-storage/terraform.tfvars.sample create mode 100644 examples/github-ephemeral-storage/variables.tf diff --git a/examples/github-complete/main.tf b/examples/github-complete/main.tf index b8c9c8a7..110bbd98 100644 --- a/examples/github-complete/main.tf +++ b/examples/github-complete/main.tf @@ -46,6 +46,9 @@ module "atlantis" { container_cpu = 512 container_memory = 1024 + # EFS + enable_ephemeral_storage = var.enable_ephemeral_storage + entrypoint = ["docker-entrypoint.sh"] command = ["server"] working_directory = "/tmp" diff --git a/examples/github-complete/variables.tf b/examples/github-complete/variables.tf index f0d60ee9..08920ec7 100644 --- a/examples/github-complete/variables.tf +++ b/examples/github-complete/variables.tf 
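Review bot: The `# EFS` comment placed above `enable_ephemeral_storage = var.enable_ephemeral_storage` in `module "atlantis"` is misleading, because setting the variable to true turns the EFS file system off rather than configuring it. Suggest `# Storage: EFS by default; set enable_ephemeral_storage = true to use the task's ephemeral storage instead`. The module block starts and ends outside the hunk.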
@@ -22,3 +22,9 @@ variable "github_user" { description = "Github user for Atlantis to utilize when performing Github activities" type = string } + +variable "enable_ephemeral_storage" { + description = "By default this example uses EFS storage, switch to true to use ephemeral storage" + type = bool + default = false +} \ No newline at end of file diff --git a/examples/github-ephemeral-storage-noreuse/README.md b/examples/github-ephemeral-storage-noreuse/README.md new file mode 100644 index 00000000..976807af --- /dev/null +++ b/examples/github-ephemeral-storage-noreuse/README.md 
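Review bot: The description of the new `enable_ephemeral_storage` variable only says it switches away from EFS; it should also warn about what is given up, since Atlantis keeps its lock database and checked-out repositories under its data directory and, as far as I can tell from this series, that directory would then live on the task's ephemeral storage, so every task replacement drops locks and in-flight plans. Suggest `description = "By default this example uses EFS for the Atlantis data dir; set to true to use Fargate ephemeral storage instead (locks and pending plans are lost when the task is replaced)"`. The file also loses its trailing newline (`\ No newline at end of file`), which `terraform fmt` and most linters flag.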
@@ -0,0 +1,79 @@ +# Complete Atlantis example with GitHub Webhooks + +Configuration in this directory creates the necessary infrastructure and resources for running Atlantis on Fargate plus GitHub repository webhooks configured to Atlantis URL. + +An existing Route53 hosted zone and domain is required to deploy this example. + +GitHub's personal access token can be generated at https://github.com/settings/tokens + +## Usage + +To run this code you need to copy `terraform.tfvars.sample` into `terraform.tfvars` and update the values locally or specify them using environment variables (`TF_VAR_github_token=xxx`, `TF_VAR_github_owner=xxx`, etc.). Once ready, execute: + +```bash +$ terraform init +$ terraform plan +$ terraform apply +``` + +Note - if you receive the following error when running apply: + +`Error: InvalidParameterException: The new ARN and resource ID format must be enabled to add tags to the service. Opt in to the new format and try again. "atlantiscomplete"` + +Go to https://eu-west-1.console.aws.amazon.com/ecs/home?region=eu-west-1#/settings (update for your region of use) and change `Container instance`, `Service`, and `Task` to `Enabled`. + +⚠️ This example will create resources which cost money. Run `terraform destroy` when you don't need these resources. 
⚠️ + + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 0.13.1 | +| [aws](#requirement\_aws) | ~> 3.45 | +| [github](#requirement\_github) | >= 4.8 | + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | ~> 3.45 | + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [atlantis](#module\_atlantis) | ../../ | n/a | +| [atlantis\_access\_log\_bucket](#module\_atlantis\_access\_log\_bucket) | terraform-aws-modules/s3-bucket/aws | ~> 2 | +| [github\_repository\_webhook](#module\_github\_repository\_webhook) | ../../modules/github-repository-webhook | n/a | + +## Resources + +| Name | Type | +|------|------| +| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | +| [aws_elb_service_account.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/elb_service_account) | data source | +| [aws_iam_policy_document.atlantis_access_log_bucket_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [alb\_ingress\_cidr\_blocks](#input\_alb\_ingress\_cidr\_blocks) | List of IPv4 CIDR ranges to use on all ingress rules of the ALB - use your personal IP in the form of `x.x.x.x/32` for restricted testing | `list(string)` | n/a | yes | +| [domain](#input\_domain) | Route53 domain name to use for ACM certificate. 
Route53 zone for this domain should be created in advance | `string` | n/a | yes | +| [github\_owner](#input\_github\_owner) | Github owner | `string` | n/a | yes | +| [github\_token](#input\_github\_token) | Github token | `string` | n/a | yes | +| [github\_user](#input\_github\_user) | Github user for Atlantis to utilize when performing Github activities | `string` | n/a | yes | + +## Outputs + +| Name | Description | +|------|-------------| +| [atlantis\_repo\_allowlist](#output\_atlantis\_repo\_allowlist) | Git repositories where webhook should be created | +| [atlantis\_url](#output\_atlantis\_url) | URL of Atlantis | +| [ecs\_task\_definition](#output\_ecs\_task\_definition) | Task definition for ECS service (used for external triggers) | +| [github\_webhook\_secret](#output\_github\_webhook\_secret) | Github webhook secret | +| [github\_webhook\_urls](#output\_github\_webhook\_urls) | Github webhook URL | +| [task\_role\_arn](#output\_task\_role\_arn) | The Atlantis ECS task role arn | + diff --git a/examples/github-ephemeral-storage-noreuse/main.tf b/examples/github-ephemeral-storage-noreuse/main.tf new file mode 100644 index 00000000..aa52ffc4 --- /dev/null +++ b/examples/github-ephemeral-storage-noreuse/main.tf 
@@ -0,0 +1,224 @@ +provider "aws" { + region = local.region +} + +locals { + name = "github-efs" + region = "eu-west-1" + + tags = { + Owner = "user" + Environment = "dev" + } +} + +################################################################################ +# Supporting Resources +################################################################################ + +data "aws_caller_identity" "current" {} + +data "aws_region" "current" {} + +data "aws_elb_service_account" "current" {} + +############################################################## +# Atlantis Service +############################################################## + +module "atlantis" { + source = "../../" + + name = local.name + + # VPC + cidr = "10.20.0.0/16" + azs = ["${local.region}a", "${local.region}b", "${local.region}c"] + private_subnets = ["10.20.1.0/24", "10.20.2.0/24", "10.20.3.0/24"] + public_subnets = ["10.20.101.0/24", "10.20.102.0/24", "10.20.103.0/24"] + + # ECS + ecs_service_platform_version = "LATEST" + ecs_container_insights = true + ecs_task_cpu = 512 + ecs_task_memory = 1024 + container_memory_reservation = 256 + container_cpu = 512 + container_memory = 1024 + + enable_ephemeral_storage = true + + entrypoint = ["docker-entrypoint.sh"] + command = ["server"] + working_directory = "/tmp" + docker_labels = { + "org.opencontainers.image.title" = "Atlantis" + "org.opencontainers.image.description" = "A self-hosted golang application that listens for Terraform pull request events via webhooks." 
+ "org.opencontainers.image.url" = "https://github.com/runatlantis/atlantis/pkgs/container/atlantis" + } + start_timeout = 30 + stop_timeout = 30 + + readonly_root_filesystem = false # atlantis currently mutable access to root filesystem + ulimits = [{ + name = "nofile" + softLimit = 4096 + hardLimit = 16384 + }] + + # DNS + route53_zone_name = var.domain + + # Trusted roles + trusted_principals = ["ssm.amazonaws.com"] + + # Atlantis + atlantis_github_user = var.github_user + atlantis_github_user_token = var.github_token + atlantis_repo_allowlist = ["github.com/${var.github_owner}/*"] + + # ALB access + alb_ingress_cidr_blocks = var.alb_ingress_cidr_blocks + alb_logging_enabled = true + alb_log_bucket_name = module.atlantis_access_log_bucket.s3_bucket_id + alb_log_location_prefix = "atlantis-alb" + alb_listener_ssl_policy_default = "ELBSecurityPolicy-TLS-1-2-2017-01" + alb_drop_invalid_header_fields = true + + allow_unauthenticated_access = true + allow_github_webhooks = true + allow_repo_config = true + + tags = local.tags +} + +################################################################################ +# GitHub Webhooks +################################################################################ + +module "github_repository_webhook" { + source = "../../modules/github-repository-webhook" + + github_owner = var.github_owner + github_token = var.github_token + + atlantis_repo_allowlist = module.atlantis.atlantis_repo_allowlist + + webhook_url = module.atlantis.atlantis_url_events + webhook_secret = module.atlantis.webhook_secret +} + +################################################################################ +# ALB Access Log Bucket + Policy +################################################################################ +module "atlantis_access_log_bucket" { + source = "terraform-aws-modules/s3-bucket/aws" + version = "~> 2" + + bucket = "atlantis-access-logs-${data.aws_caller_identity.current.account_id}-${data.aws_region.current.name}" + + 
attach_policy = true + policy = data.aws_iam_policy_document.atlantis_access_log_bucket_policy.json + + block_public_acls = true + block_public_policy = true + ignore_public_acls = true + restrict_public_buckets = true + + force_destroy = true + + tags = local.tags + + server_side_encryption_configuration = { + rule = { + apply_server_side_encryption_by_default = { + sse_algorithm = "AES256" + } + } + } + + lifecycle_rule = [ + { + id = "all" + enabled = true + + transition = [ + { + days = 30 + storage_class = "ONEZONE_IA" + }, { + days = 60 + storage_class = "GLACIER" + } + ] + + expiration = { + days = 90 + } + + noncurrent_version_expiration = { + days = 30 + } + }, + ] +} + +data "aws_iam_policy_document" "atlantis_access_log_bucket_policy" { + statement { + sid = "LogsLogDeliveryWrite" + effect = "Allow" + actions = ["s3:PutObject"] + resources = [ + "${module.atlantis_access_log_bucket.s3_bucket_arn}/*/AWSLogs/${data.aws_caller_identity.current.account_id}/*" + ] + + principals { + type = "AWS" + identifiers = [ + # https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html#access-logging-bucket-permissions + data.aws_elb_service_account.current.arn, + ] + } + } + + statement { + sid = "AWSLogDeliveryWrite" + effect = "Allow" + actions = ["s3:PutObject"] + resources = [ + "${module.atlantis_access_log_bucket.s3_bucket_arn}/*/AWSLogs/${data.aws_caller_identity.current.account_id}/*" + ] + + principals { + type = "Service" + identifiers = [ + "delivery.logs.amazonaws.com" + ] + } + + condition { + test = "StringEquals" + variable = "s3:x-amz-acl" + + values = [ + "bucket-owner-full-control" + ] + } + } + + statement { + sid = "AWSLogDeliveryAclCheck" + effect = "Allow" + actions = ["s3:GetBucketAcl"] + resources = [ + module.atlantis_access_log_bucket.s3_bucket_arn + ] + + principals { + type = "Service" + identifiers = [ + "delivery.logs.amazonaws.com" + ] + } + } +} 
diff --git a/examples/github-ephemeral-storage-noreuse/outputs.tf b/examples/github-ephemeral-storage-noreuse/outputs.tf new file mode 100644 index 00000000..59959e1f --- /dev/null +++ b/examples/github-ephemeral-storage-noreuse/outputs.tf @@ -0,0 +1,32 @@ +# Atlantis +output "atlantis_url" { + description = "URL of Atlantis" + value = module.atlantis.atlantis_url +} + +output "atlantis_repo_allowlist" { + description = "Git repositories where webhook should be created" + value = module.atlantis.atlantis_repo_allowlist +} + +output "task_role_arn" { + description = "The Atlantis ECS task role arn" + value = module.atlantis.task_role_arn +} + +output "ecs_task_definition" { + description = "Task definition for ECS service (used for external triggers)" + value = module.atlantis.ecs_task_definition +} + +# Webhooks +output "github_webhook_urls" { + description = "Github webhook URL" + value = module.github_repository_webhook.repository_webhook_urls +} + +output "github_webhook_secret" { + description = "Github webhook secret" + value = module.github_repository_webhook.repository_webhook_secret + sensitive = true +} diff --git a/examples/github-ephemeral-storage-noreuse/terraform.tfvars.sample b/examples/github-ephemeral-storage-noreuse/terraform.tfvars.sample new file mode 100644 index 00000000..64987023 --- /dev/null +++ b/examples/github-ephemeral-storage-noreuse/terraform.tfvars.sample @@ -0,0 +1,6 @@ +domain = "mydomain.com" +alb_ingress_cidr_blocks = ["x.x.x.x/32"] +github_owner = "myorg" +github_user = "atlantis" +github_token = "mygithubpersonalaccesstokenforatlantis" +allowed_repo_names = ["repo1", "repo2"] diff --git a/examples/github-ephemeral-storage-noreuse/variables.tf b/examples/github-ephemeral-storage-noreuse/variables.tf new file mode 100644 index 00000000..f0d60ee9 --- /dev/null +++ b/examples/github-ephemeral-storage-noreuse/variables.tf 
@@ -0,0 +1,24 @@ +variable "domain" { + description = "Route53 domain name to use for ACM certificate. Route53 zone for this domain should be created in advance" + type = string +} + +variable "alb_ingress_cidr_blocks" { + description = "List of IPv4 CIDR ranges to use on all ingress rules of the ALB - use your personal IP in the form of `x.x.x.x/32` for restricted testing" + type = list(string) +} + +variable "github_token" { + description = "Github token" + type = string +} + +variable "github_owner" { + description = "Github owner" + type = string +} + +variable "github_user" { + description = "Github user for Atlantis to utilize when performing Github activities" + type = string +} diff --git a/examples/github-ephemeral-storage-noreuse/versions.tf b/examples/github-ephemeral-storage-noreuse/versions.tf new file mode 100644 index 00000000..815437b6 --- /dev/null +++ b/examples/github-ephemeral-storage-noreuse/versions.tf @@ -0,0 +1,15 @@ +terraform { + required_version = ">= 0.13.1" + + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 3.45" + } + + github = { + source = "integrations/github" + version = ">= 4.8" + } + } +} diff --git a/examples/github-ephemeral-storage/README.md b/examples/github-ephemeral-storage/README.md new file mode 100644 index 00000000..976807af --- /dev/null +++ b/examples/github-ephemeral-storage/README.md 
@@ -0,0 +1,79 @@ +# Complete Atlantis example with GitHub Webhooks + +Configuration in this directory creates the necessary infrastructure and resources for running Atlantis on Fargate plus GitHub repository webhooks configured to Atlantis URL. + +An existing Route53 hosted zone and domain is required to deploy this example. + +GitHub's personal access token can be generated at https://github.com/settings/tokens + +## Usage + +To run this code you need to copy `terraform.tfvars.sample` into `terraform.tfvars` and update the values locally or specify them using environment variables (`TF_VAR_github_token=xxx`, `TF_VAR_github_owner=xxx`, etc.). Once ready, execute: + +```bash +$ terraform init +$ terraform plan +$ terraform apply +``` + +Note - if you receive the following error when running apply: + +`Error: InvalidParameterException: The new ARN and resource ID format must be enabled to add tags to the service. Opt in to the new format and try again. "atlantiscomplete"` + +Go to https://eu-west-1.console.aws.amazon.com/ecs/home?region=eu-west-1#/settings (update for your region of use) and change `Container instance`, `Service`, and `Task` to `Enabled`. + +⚠️ This example will create resources which cost money. Run `terraform destroy` when you don't need these resources. 
⚠️ + + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 0.13.1 | +| [aws](#requirement\_aws) | ~> 3.45 | +| [github](#requirement\_github) | >= 4.8 | + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | ~> 3.45 | + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [atlantis](#module\_atlantis) | ../../ | n/a | +| [atlantis\_access\_log\_bucket](#module\_atlantis\_access\_log\_bucket) | terraform-aws-modules/s3-bucket/aws | ~> 2 | +| [github\_repository\_webhook](#module\_github\_repository\_webhook) | ../../modules/github-repository-webhook | n/a | + +## Resources + +| Name | Type | +|------|------| +| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | +| [aws_elb_service_account.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/elb_service_account) | data source | +| [aws_iam_policy_document.atlantis_access_log_bucket_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [alb\_ingress\_cidr\_blocks](#input\_alb\_ingress\_cidr\_blocks) | List of IPv4 CIDR ranges to use on all ingress rules of the ALB - use your personal IP in the form of `x.x.x.x/32` for restricted testing | `list(string)` | n/a | yes | +| [domain](#input\_domain) | Route53 domain name to use for ACM certificate. 
Route53 zone for this domain should be created in advance | `string` | n/a | yes | +| [github\_owner](#input\_github\_owner) | Github owner | `string` | n/a | yes | +| [github\_token](#input\_github\_token) | Github token | `string` | n/a | yes | +| [github\_user](#input\_github\_user) | Github user for Atlantis to utilize when performing Github activities | `string` | n/a | yes | + +## Outputs + +| Name | Description | +|------|-------------| +| [atlantis\_repo\_allowlist](#output\_atlantis\_repo\_allowlist) | Git repositories where webhook should be created | +| [atlantis\_url](#output\_atlantis\_url) | URL of Atlantis | +| [ecs\_task\_definition](#output\_ecs\_task\_definition) | Task definition for ECS service (used for external triggers) | +| [github\_webhook\_secret](#output\_github\_webhook\_secret) | Github webhook secret | +| [github\_webhook\_urls](#output\_github\_webhook\_urls) | Github webhook URL | +| [task\_role\_arn](#output\_task\_role\_arn) | The Atlantis ECS task role arn | + diff --git a/examples/github-ephemeral-storage/main.tf b/examples/github-ephemeral-storage/main.tf new file mode 100644 index 00000000..5bc89ea4 --- /dev/null +++ b/examples/github-ephemeral-storage/main.tf 
@@ -0,0 +1,39 @@ +provider "aws" { + region = local.region +} + +locals { + name = "github-complete" + region = "eu-west-1" + + tags = { + Owner = "user" + Environment = "dev" + } +} + + +################################################################################ +# Supporting Resources +################################################################################ + +data "aws_caller_identity" "current" {} + +data "aws_region" "current" {} + +data "aws_elb_service_account" "current" {} + +############################################################## +# Atlantis Service +############################################################## + +module "atlantis" { + source = "../github-complete" + + domain = var.domain + alb_ingress_cidr_blocks = var.alb_ingress_cidr_blocks + github_token = var.github_token + github_owner = var.github_owner + github_user = var.github_user + enable_ephemeral_storage = var.enable_ephemeral_storage +} \ No newline at end of file diff --git a/examples/github-ephemeral-storage/terraform.tfvars.sample b/examples/github-ephemeral-storage/terraform.tfvars.sample new file mode 100644 index 00000000..f7377be6 --- /dev/null +++ b/examples/github-ephemeral-storage/terraform.tfvars.sample @@ -0,0 +1,7 @@ +domain = "mydomain.com" +alb_ingress_cidr_blocks = ["x.x.x.x/32"] +github_owner = "myorg" +github_user = "atlantis" +github_token = "mygithubpersonalaccesstokenforatlantis" +allowed_repo_names = ["repo1", "repo2"] +enable_ephemeral_storage = true diff --git a/examples/github-ephemeral-storage/variables.tf b/examples/github-ephemeral-storage/variables.tf new file mode 100644 index 00000000..dc13dae4 --- /dev/null +++ b/examples/github-ephemeral-storage/variables.tf 
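Review bot: The `data "aws_caller_identity"`, `data "aws_region"` and `data "aws_elb_service_account"` blocks and the `locals` (`name`, `tags`) in this file are never referenced, because the whole deployment is delegated to `module "atlantis"` with `source = "../github-complete"`; they are dead copies from the full example and should be removed. Sourcing another example directory as a module also inherits whatever `provider "aws"` block that directory declares (the noreuse copy in this same series opens with one), which Terraform treats as a legacy pattern and which prevents `count`/`for_each` on the module, so a comment such as `# reuses the github-complete example as a module; it carries its own provider configuration` would save the next reader a surprise. The file also has no trailing newline.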
@@ -0,0 +1,30 @@ +variable "domain" { + description = "Route53 domain name to use for ACM certificate. Route53 zone for this domain should be created in advance" + type = string +} + +variable "alb_ingress_cidr_blocks" { + description = "List of IPv4 CIDR ranges to use on all ingress rules of the ALB - use your personal IP in the form of `x.x.x.x/32` for restricted testing" + type = list(string) +} + +variable "github_token" { + description = "Github token" + type = string +} + +variable "github_owner" { + description = "Github owner" + type = string +} + +variable "github_user" { + description = "Github user for Atlantis to utilize when performing Github activities" + type = string +} + +variable "enable_ephemeral_storage" { + description = "By default this example uses ephemeral storage" + type = bool + default = true +} \ No newline at end of file From 1adbfb4820d3ce1062d570edafa17b4fef3213a0 Mon Sep 17 00:00:00 2001 From: Mark Iannucci Date: Sun, 20 Feb 2022 07:48:17 +0000 Subject: [PATCH 4/8] use the re-use approach instead --- .../README.md | 79 ------ .../github-ephemeral-storage-noreuse/main.tf | 224 ------------------ .../outputs.tf | 32 --- .../terraform.tfvars.sample | 6 - .../variables.tf | 24 -- .../versions.tf | 15 -- 6 files changed, 380 deletions(-) delete mode 100644 examples/github-ephemeral-storage-noreuse/README.md delete mode 100644 examples/github-ephemeral-storage-noreuse/main.tf delete mode 100644 examples/github-ephemeral-storage-noreuse/outputs.tf delete mode 100644 examples/github-ephemeral-storage-noreuse/terraform.tfvars.sample delete mode 100644 examples/github-ephemeral-storage-noreuse/variables.tf delete mode 100644 examples/github-ephemeral-storage-noreuse/versions.tf diff --git a/examples/github-ephemeral-storage-noreuse/README.md b/examples/github-ephemeral-storage-noreuse/README.md deleted file mode 100644 index 976807af..00000000 --- a/examples/github-ephemeral-storage-noreuse/README.md +++ /dev/null 
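Review bot: `variable "github_token"` is a credential but is not marked `sensitive = true`, so its value is echoed in plan and apply output; add `sensitive = true` to that block (this needs Terraform 0.14+, so this example should also get a `versions.tf` pinning `required_version`, which the diffstat in patch 3/8 shows it does not have). The accompanying `terraform.tfvars.sample` sets `allowed_repo_names`, but no variable of that name is declared here, so Terraform will warn about an undeclared variable and the value is silently ignored; either declare it or drop it from the sample. The file also lacks a trailing newline.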
@@ -1,79 +0,0 @@ -# Complete Atlantis example with GitHub Webhooks - -Configuration in this directory creates the necessary infrastructure and resources for running Atlantis on Fargate plus GitHub repository webhooks configured to Atlantis URL. - -An existing Route53 hosted zone and domain is required to deploy this example. - -GitHub's personal access token can be generated at https://github.com/settings/tokens - -## Usage - -To run this code you need to copy `terraform.tfvars.sample` into `terraform.tfvars` and update the values locally or specify them using environment variables (`TF_VAR_github_token=xxx`, `TF_VAR_github_owner=xxx`, etc.). Once ready, execute: - -```bash -$ terraform init -$ terraform plan -$ terraform apply -``` - -Note - if you receive the following error when running apply: - -`Error: InvalidParameterException: The new ARN and resource ID format must be enabled to add tags to the service. Opt in to the new format and try again. "atlantiscomplete"` - -Go to https://eu-west-1.console.aws.amazon.com/ecs/home?region=eu-west-1#/settings (update for your region of use) and change `Container instance`, `Service`, and `Task` to `Enabled`. - -⚠️ This example will create resources which cost money. Run `terraform destroy` when you don't need these resources. 
⚠️ - - -## Requirements - -| Name | Version | -|------|---------| -| [terraform](#requirement\_terraform) | >= 0.13.1 | -| [aws](#requirement\_aws) | ~> 3.45 | -| [github](#requirement\_github) | >= 4.8 | - -## Providers - -| Name | Version | -|------|---------| -| [aws](#provider\_aws) | ~> 3.45 | - -## Modules - -| Name | Source | Version | -|------|--------|---------| -| [atlantis](#module\_atlantis) | ../../ | n/a | -| [atlantis\_access\_log\_bucket](#module\_atlantis\_access\_log\_bucket) | terraform-aws-modules/s3-bucket/aws | ~> 2 | -| [github\_repository\_webhook](#module\_github\_repository\_webhook) | ../../modules/github-repository-webhook | n/a | - -## Resources - -| Name | Type | -|------|------| -| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | -| [aws_elb_service_account.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/elb_service_account) | data source | -| [aws_iam_policy_document.atlantis_access_log_bucket_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | - -## Inputs - -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| [alb\_ingress\_cidr\_blocks](#input\_alb\_ingress\_cidr\_blocks) | List of IPv4 CIDR ranges to use on all ingress rules of the ALB - use your personal IP in the form of `x.x.x.x/32` for restricted testing | `list(string)` | n/a | yes | -| [domain](#input\_domain) | Route53 domain name to use for ACM certificate. 
Route53 zone for this domain should be created in advance | `string` | n/a | yes | -| [github\_owner](#input\_github\_owner) | Github owner | `string` | n/a | yes | -| [github\_token](#input\_github\_token) | Github token | `string` | n/a | yes | -| [github\_user](#input\_github\_user) | Github user for Atlantis to utilize when performing Github activities | `string` | n/a | yes | - -## Outputs - -| Name | Description | -|------|-------------| -| [atlantis\_repo\_allowlist](#output\_atlantis\_repo\_allowlist) | Git repositories where webhook should be created | -| [atlantis\_url](#output\_atlantis\_url) | URL of Atlantis | -| [ecs\_task\_definition](#output\_ecs\_task\_definition) | Task definition for ECS service (used for external triggers) | -| [github\_webhook\_secret](#output\_github\_webhook\_secret) | Github webhook secret | -| [github\_webhook\_urls](#output\_github\_webhook\_urls) | Github webhook URL | -| [task\_role\_arn](#output\_task\_role\_arn) | The Atlantis ECS task role arn | - diff --git a/examples/github-ephemeral-storage-noreuse/main.tf b/examples/github-ephemeral-storage-noreuse/main.tf deleted file mode 100644 index aa52ffc4..00000000 --- a/examples/github-ephemeral-storage-noreuse/main.tf +++ /dev/null 
@@ -1,224 +0,0 @@ -provider "aws" { - region = local.region -} - -locals { - name = "github-efs" - region = "eu-west-1" - - tags = { - Owner = "user" - Environment = "dev" - } -} - -################################################################################ -# Supporting Resources -################################################################################ - -data "aws_caller_identity" "current" {} - -data "aws_region" "current" {} - -data "aws_elb_service_account" "current" {} - -############################################################## -# Atlantis Service -############################################################## - -module "atlantis" { - source = "../../" - - name = local.name - - # VPC - cidr = "10.20.0.0/16" - azs = ["${local.region}a", "${local.region}b", "${local.region}c"] - private_subnets = ["10.20.1.0/24", "10.20.2.0/24", "10.20.3.0/24"] - public_subnets = ["10.20.101.0/24", "10.20.102.0/24", "10.20.103.0/24"] - - # ECS - ecs_service_platform_version = "LATEST" - ecs_container_insights = true - ecs_task_cpu = 512 - ecs_task_memory = 1024 - container_memory_reservation = 256 - container_cpu = 512 - container_memory = 1024 - - enable_ephemeral_storage = true - - entrypoint = ["docker-entrypoint.sh"] - command = ["server"] - working_directory = "/tmp" - docker_labels = { - "org.opencontainers.image.title" = "Atlantis" - "org.opencontainers.image.description" = "A self-hosted golang application that listens for Terraform pull request events via webhooks." 
- "org.opencontainers.image.url" = "https://github.com/runatlantis/atlantis/pkgs/container/atlantis" - } - start_timeout = 30 - stop_timeout = 30 - - readonly_root_filesystem = false # atlantis currently mutable access to root filesystem - ulimits = [{ - name = "nofile" - softLimit = 4096 - hardLimit = 16384 - }] - - # DNS - route53_zone_name = var.domain - - # Trusted roles - trusted_principals = ["ssm.amazonaws.com"] - - # Atlantis - atlantis_github_user = var.github_user - atlantis_github_user_token = var.github_token - atlantis_repo_allowlist = ["github.com/${var.github_owner}/*"] - - # ALB access - alb_ingress_cidr_blocks = var.alb_ingress_cidr_blocks - alb_logging_enabled = true - alb_log_bucket_name = module.atlantis_access_log_bucket.s3_bucket_id - alb_log_location_prefix = "atlantis-alb" - alb_listener_ssl_policy_default = "ELBSecurityPolicy-TLS-1-2-2017-01" - alb_drop_invalid_header_fields = true - - allow_unauthenticated_access = true - allow_github_webhooks = true - allow_repo_config = true - - tags = local.tags -} - -################################################################################ -# GitHub Webhooks -################################################################################ - -module "github_repository_webhook" { - source = "../../modules/github-repository-webhook" - - github_owner = var.github_owner - github_token = var.github_token - - atlantis_repo_allowlist = module.atlantis.atlantis_repo_allowlist - - webhook_url = module.atlantis.atlantis_url_events - webhook_secret = module.atlantis.webhook_secret -} - -################################################################################ -# ALB Access Log Bucket + Policy -################################################################################ -module "atlantis_access_log_bucket" { - source = "terraform-aws-modules/s3-bucket/aws" - version = "~> 2" - - bucket = "atlantis-access-logs-${data.aws_caller_identity.current.account_id}-${data.aws_region.current.name}" - - 
attach_policy = true - policy = data.aws_iam_policy_document.atlantis_access_log_bucket_policy.json - - block_public_acls = true - block_public_policy = true - ignore_public_acls = true - restrict_public_buckets = true - - force_destroy = true - - tags = local.tags - - server_side_encryption_configuration = { - rule = { - apply_server_side_encryption_by_default = { - sse_algorithm = "AES256" - } - } - } - - lifecycle_rule = [ - { - id = "all" - enabled = true - - transition = [ - { - days = 30 - storage_class = "ONEZONE_IA" - }, { - days = 60 - storage_class = "GLACIER" - } - ] - - expiration = { - days = 90 - } - - noncurrent_version_expiration = { - days = 30 - } - }, - ] -} - -data "aws_iam_policy_document" "atlantis_access_log_bucket_policy" { - statement { - sid = "LogsLogDeliveryWrite" - effect = "Allow" - actions = ["s3:PutObject"] - resources = [ - "${module.atlantis_access_log_bucket.s3_bucket_arn}/*/AWSLogs/${data.aws_caller_identity.current.account_id}/*" - ] - - principals { - type = "AWS" - identifiers = [ - # https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html#access-logging-bucket-permissions - data.aws_elb_service_account.current.arn, - ] - } - } - - statement { - sid = "AWSLogDeliveryWrite" - effect = "Allow" - actions = ["s3:PutObject"] - resources = [ - "${module.atlantis_access_log_bucket.s3_bucket_arn}/*/AWSLogs/${data.aws_caller_identity.current.account_id}/*" - ] - - principals { - type = "Service" - identifiers = [ - "delivery.logs.amazonaws.com" - ] - } - - condition { - test = "StringEquals" - variable = "s3:x-amz-acl" - - values = [ - "bucket-owner-full-control" - ] - } - } - - statement { - sid = "AWSLogDeliveryAclCheck" - effect = "Allow" - actions = ["s3:GetBucketAcl"] - resources = [ - module.atlantis_access_log_bucket.s3_bucket_arn - ] - - principals { - type = "Service" - identifiers = [ - "delivery.logs.amazonaws.com" - ] - } - } -} 
diff --git a/examples/github-ephemeral-storage-noreuse/outputs.tf b/examples/github-ephemeral-storage-noreuse/outputs.tf
deleted file mode 100644
index 59959e1f..00000000
--- a/examples/github-ephemeral-storage-noreuse/outputs.tf
+++ /dev/null
@@ -1,32 +0,0 @@
-# Atlantis
-output "atlantis_url" {
- description = "URL of Atlantis"
- value = module.atlantis.atlantis_url
-}
-
-output "atlantis_repo_allowlist" {
- description = "Git repositories where webhook should be created"
- value = module.atlantis.atlantis_repo_allowlist
-}
-
-output "task_role_arn" {
- description = "The Atlantis ECS task role arn"
- value = module.atlantis.task_role_arn
-}
-
-output "ecs_task_definition" {
- description = "Task definition for ECS service (used for external triggers)"
- value = module.atlantis.ecs_task_definition
-}
-
-# Webhooks
-output "github_webhook_urls" {
- description = "Github webhook URL"
- value = module.github_repository_webhook.repository_webhook_urls
-}
-
-output "github_webhook_secret" {
- description = "Github webhook secret"
- value = module.github_repository_webhook.repository_webhook_secret
- sensitive = true
-}
diff --git a/examples/github-ephemeral-storage-noreuse/terraform.tfvars.sample b/examples/github-ephemeral-storage-noreuse/terraform.tfvars.sample
deleted file mode 100644
index 64987023..00000000
--- a/examples/github-ephemeral-storage-noreuse/terraform.tfvars.sample
+++ /dev/null
@@ -1,6 +0,0 @@
-domain = "mydomain.com"
-alb_ingress_cidr_blocks = ["x.x.x.x/32"]
-github_owner = "myorg"
-github_user = "atlantis"
-github_token = "mygithubpersonalaccesstokenforatlantis"
-allowed_repo_names = ["repo1", "repo2"]
diff --git a/examples/github-ephemeral-storage-noreuse/variables.tf b/examples/github-ephemeral-storage-noreuse/variables.tf
deleted file mode 100644
index f0d60ee9..00000000
--- a/examples/github-ephemeral-storage-noreuse/variables.tf
+++ /dev/null
@@ -1,24 +0,0 @@
-variable "domain" {
- description = "Route53 domain name to use for ACM certificate. Route53 zone for this domain should be created in advance"
- type = string
-}
-
-variable "alb_ingress_cidr_blocks" {
- description = "List of IPv4 CIDR ranges to use on all ingress rules of the ALB - use your personal IP in the form of `x.x.x.x/32` for restricted testing"
- type = list(string)
-}
-
-variable "github_token" {
- description = "Github token"
- type = string
-}
-
-variable "github_owner" {
- description = "Github owner"
- type = string
-}
-
-variable "github_user" {
- description = "Github user for Atlantis to utilize when performing Github activities"
- type = string
-}
diff --git a/examples/github-ephemeral-storage-noreuse/versions.tf b/examples/github-ephemeral-storage-noreuse/versions.tf
deleted file mode 100644
index 815437b6..00000000
--- a/examples/github-ephemeral-storage-noreuse/versions.tf
+++ /dev/null
@@ -1,15 +0,0 @@
-terraform {
- required_version = ">= 0.13.1"
-
- required_providers {
- aws = {
- source = "hashicorp/aws"
- version = "~> 3.45"
- }
-
- github = {
- source = "integrations/github"
- version = ">= 4.8"
- }
- }
-}
From 4964ff317318dad5313eb5eff647484f58756d07 Mon Sep 17 00:00:00 2001
From: Mark Iannucci
Date: Sun, 20 Feb 2022 07:50:21 +0000
Subject: [PATCH 5/8] after pre-commit fixes
---
 examples/github-complete/README.md | 1 +
 examples/github-complete/variables.tf | 4 ++--
 examples/github-ephemeral-storage/README.md | 23 ++++---------------
 examples/github-ephemeral-storage/main.tf | 12 +++++-----
 .../github-ephemeral-storage/variables.tf | 4 ++--
 5 files changed, 16 insertions(+), 28 deletions(-)
diff --git a/examples/github-complete/README.md b/examples/github-complete/README.md
index 976807af..e5124208 100644
--- a/examples/github-complete/README.md
+++ b/examples/github-complete/README.md
@@ -62,6 +62,7 @@ Go to https://eu-west-1.console.aws.amazon.com/ecs/home?region=eu-west-1#/settin |------|-------------|------|---------|:--------:| | [alb\_ingress\_cidr\_blocks](#input\_alb\_ingress\_cidr\_blocks) | List of IPv4 CIDR ranges to use on all ingress rules of the ALB - use your personal IP in the form of `x.x.x.x/32` for restricted testing | `list(string)` | n/a | yes | | [domain](#input\_domain) | Route53 domain name to use for ACM certificate. Route53 zone for this domain should be created in advance | `string` | n/a | yes | +| [enable\_ephemeral\_storage](#input\_enable\_ephemeral\_storage) | By default this example uses EFS storage, switch to true to use ephemeral storage | `bool` | `false` | no | | [github\_owner](#input\_github\_owner) | Github owner | `string` | n/a | yes | | [github\_token](#input\_github\_token) | Github token | `string` | n/a | yes | | [github\_user](#input\_github\_user) | Github user for Atlantis to utilize when performing Github activities | `string` | n/a | yes | diff --git a/examples/github-complete/variables.tf b/examples/github-complete/variables.tf index 08920ec7..9ffe1f24 100644 --- a/examples/github-complete/variables.tf +++ b/examples/github-complete/variables.tf @@ -25,6 +25,6 @@ variable "github_user" { variable "enable_ephemeral_storage" { description = "By default this example uses EFS storage, switch to true to use ephemeral storage" - type = bool - default = false + type = bool + default = false } \ No newline at end of file diff --git a/examples/github-ephemeral-storage/README.md b/examples/github-ephemeral-storage/README.md index 976807af..45061c5e 100644 --- a/examples/github-ephemeral-storage/README.md +++ b/examples/github-ephemeral-storage/README.md 
@@ -27,25 +27,19 @@ Go to https://eu-west-1.console.aws.amazon.com/ecs/home?region=eu-west-1#/settin ## Requirements -| Name | Version | -|------|---------| -| [terraform](#requirement\_terraform) | >= 0.13.1 | -| [aws](#requirement\_aws) | ~> 3.45 | -| [github](#requirement\_github) | >= 4.8 | +No requirements. ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | ~> 3.45 | +| [aws](#provider\_aws) | n/a | ## Modules | Name | Source | Version | |------|--------|---------| -| [atlantis](#module\_atlantis) | ../../ | n/a | -| [atlantis\_access\_log\_bucket](#module\_atlantis\_access\_log\_bucket) | terraform-aws-modules/s3-bucket/aws | ~> 2 | -| [github\_repository\_webhook](#module\_github\_repository\_webhook) | ../../modules/github-repository-webhook | n/a | +| [atlantis](#module\_atlantis) | ../github-complete | n/a | ## Resources @@ -53,7 +47,6 @@ Go to https://eu-west-1.console.aws.amazon.com/ecs/home?region=eu-west-1#/settin |------|------| | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | | [aws_elb_service_account.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/elb_service_account) | data source | -| [aws_iam_policy_document.atlantis_access_log_bucket_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | ## Inputs 
@@ -62,18 +55,12 @@ Go to https://eu-west-1.console.aws.amazon.com/ecs/home?region=eu-west-1#/settin |------|-------------|------|---------|:--------:| | [alb\_ingress\_cidr\_blocks](#input\_alb\_ingress\_cidr\_blocks) | List of IPv4 CIDR ranges to use on all ingress rules of the ALB - use your personal IP in the form of `x.x.x.x/32` for restricted testing | `list(string)` | n/a | yes | | [domain](#input\_domain) | Route53 domain name to use for ACM certificate. Route53 zone for this domain should be created in advance | `string` | n/a | yes | +| [enable\_ephemeral\_storage](#input\_enable\_ephemeral\_storage) | By default this example uses ephemeral storage | `bool` | `true` | no | | [github\_owner](#input\_github\_owner) | Github owner | `string` | n/a | yes | | [github\_token](#input\_github\_token) | Github token | `string` | n/a | yes | | [github\_user](#input\_github\_user) | Github user for Atlantis to utilize when performing Github activities | `string` | n/a | yes | ## Outputs -| Name | Description | -|------|-------------| -| [atlantis\_repo\_allowlist](#output\_atlantis\_repo\_allowlist) | Git repositories where webhook should be created | -| [atlantis\_url](#output\_atlantis\_url) | URL of Atlantis | -| [ecs\_task\_definition](#output\_ecs\_task\_definition) | Task definition for ECS service (used for external triggers) | -| [github\_webhook\_secret](#output\_github\_webhook\_secret) | Github webhook secret | -| [github\_webhook\_urls](#output\_github\_webhook\_urls) | Github webhook URL | -| [task\_role\_arn](#output\_task\_role\_arn) | The Atlantis ECS task role arn | +No outputs. diff --git a/examples/github-ephemeral-storage/main.tf b/examples/github-ephemeral-storage/main.tf index 5bc89ea4..df667472 100644 --- a/examples/github-ephemeral-storage/main.tf +++ b/examples/github-ephemeral-storage/main.tf 
@@ -30,10 +30,10 @@ data "aws_elb_service_account" "current" {} module "atlantis" { source = "../github-complete" - domain = var.domain - alb_ingress_cidr_blocks = var.alb_ingress_cidr_blocks - github_token = var.github_token - github_owner = var.github_owner - github_user = var.github_user - enable_ephemeral_storage = var.enable_ephemeral_storage + domain = var.domain + alb_ingress_cidr_blocks = var.alb_ingress_cidr_blocks + github_token = var.github_token + github_owner = var.github_owner + github_user = var.github_user + enable_ephemeral_storage = var.enable_ephemeral_storage } \ No newline at end of file diff --git a/examples/github-ephemeral-storage/variables.tf b/examples/github-ephemeral-storage/variables.tf index dc13dae4..6d0b2bb5 100644 --- a/examples/github-ephemeral-storage/variables.tf +++ b/examples/github-ephemeral-storage/variables.tf @@ -25,6 +25,6 @@ variable "github_user" { variable "enable_ephemeral_storage" { description = "By default this example uses ephemeral storage" - type = bool - default = true + type = bool + default = true } \ No newline at end of file From 3d199f3e357b32e35addeccd6db0387347f3a06d Mon Sep 17 00:00:00 2001 From: Mark Iannucci Date: Sun, 20 Feb 2022 01:16:35 -0700 Subject: [PATCH 6/8] move locals to variables to hopefully improve linting situation --- examples/github-complete/main.tf | 20 +++++------------- examples/github-complete/variables.tf | 21 +++++++++++++++++++ examples/github-ephemeral-storage/main.tf | 2 +- .../github-ephemeral-storage/variables.tf | 21 +++++++++++++++++++ 4 files changed, 48 insertions(+), 16 deletions(-) diff --git a/examples/github-complete/main.tf b/examples/github-complete/main.tf index 110bbd98..d463c312 100644 --- a/examples/github-complete/main.tf +++ b/examples/github-complete/main.tf 
@@ -1,15 +1,5 @@ provider "aws" { - region = local.region -} - -locals { - name = "github-complete" - region = "eu-west-1" - - tags = { - Owner = "user" - Environment = "dev" - } + region = var.region } ################################################################################ @@ -29,11 +19,11 @@ data "aws_elb_service_account" "current" {} module "atlantis" { source = "../../" - name = local.name + name = var.name # VPC cidr = "10.20.0.0/16" - azs = ["${local.region}a", "${local.region}b", "${local.region}c"] + azs = ["${var.region}a", "${var.region}b", "${var.region}c"] private_subnets = ["10.20.1.0/24", "10.20.2.0/24", "10.20.3.0/24"] public_subnets = ["10.20.101.0/24", "10.20.102.0/24", "10.20.103.0/24"] @@ -90,7 +80,7 @@ module "atlantis" { allow_github_webhooks = true allow_repo_config = true - tags = local.tags + tags = var.tags } ################################################################################ @@ -128,7 +118,7 @@ module "atlantis_access_log_bucket" { force_destroy = true - tags = local.tags + tags = var.tags server_side_encryption_configuration = { rule = { diff --git a/examples/github-complete/variables.tf b/examples/github-complete/variables.tf index 08920ec7..f3f75d8e 100644 --- a/examples/github-complete/variables.tf +++ b/examples/github-complete/variables.tf @@ -27,4 +27,25 @@ variable "enable_ephemeral_storage" { description = "By default this example uses EFS storage, switch to true to use ephemeral storage" type = bool default = false +} + +variable "name" { + description = "Name of the resource" + type = string + default = "github-complete" +} + +variable "region" { + description = "AWS region to deploy the resources" + type = string + default = "eu-west-1" +} + +variable "tags" { + description = "tags to be applied to the resources" + type = map + default = { + Owner = "user" + Environment = "dev" + } } \ No newline at end of file 
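Review bot: The new `variable "tags"` in examples/github-complete/variables.tf is declared with the bare legacy `type = map`, which places no constraint on element types; AWS tag values have to be strings, so `type = map(string)` would reject a non-string value at plan time rather than at the API call. The same declaration is added to examples/github-ephemeral-storage/variables.tf in the next hunk. The `name` variable is described only as "Name of the resource"; since it is passed to the `atlantis` module and presumably feeds several resource names, a description such as `"Name prefix for the resources created by this example"` would tell a user what changing it affects — confirm against the module before wording it that way.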
diff --git a/examples/github-ephemeral-storage/main.tf b/examples/github-ephemeral-storage/main.tf index 5bc89ea4..6ebf72bd 100644 --- a/examples/github-ephemeral-storage/main.tf +++ b/examples/github-ephemeral-storage/main.tf @@ -3,7 +3,7 @@ provider "aws" { } locals { - name = "github-complete" + name = "github-ephemeral-storage" region = "eu-west-1" tags = { diff --git a/examples/github-ephemeral-storage/variables.tf b/examples/github-ephemeral-storage/variables.tf index dc13dae4..61aa4102 100644 --- a/examples/github-ephemeral-storage/variables.tf +++ b/examples/github-ephemeral-storage/variables.tf @@ -27,4 +27,25 @@ variable "enable_ephemeral_storage" { description = "By default this example uses ephemeral storage" type = bool default = true +} + +variable "name" { + description = "Name of the resource" + type = string + default = "github-complete" +} + +variable "region" { + description = "AWS region to deploy the resources" + type = string + default = "eu-west-1" +} + +variable "tags" { + description = "tags to be applied to the resources" + type = map + default = { + Owner = "user" + Environment = "dev" + } } \ No newline at end of file From 7d25ac1a7cc25fbe242935cde9b71379a7ae0bd5 Mon Sep 17 00:00:00 2001 From: Mark Iannucci Date: Sun, 20 Feb 2022 08:28:07 +0000 Subject: [PATCH 7/8] after pre-commit scripts --- examples/github-complete/README.md | 3 +++ examples/github-complete/variables.tf | 14 +++++----- examples/github-ephemeral-storage/README.md | 26 ++++++++++++------- examples/github-ephemeral-storage/main.tf | 25 +++--------------- examples/github-ephemeral-storage/outputs.tf | 20 ++++++++++++++ .../github-ephemeral-storage/variables.tf | 14 +++++----- examples/github-ephemeral-storage/versions.tf | 15 +++++++++++ 7 files changed, 71 insertions(+), 46 deletions(-) create mode 100644 examples/github-ephemeral-storage/outputs.tf create mode 100644 examples/github-ephemeral-storage/versions.tf 
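Review bot: `variable "name"` in examples/github-ephemeral-storage/variables.tf defaults to `"github-complete"`, while the same commit renames this example's local to `"github-ephemeral-storage"` in its main.tf; suggest `default = "github-ephemeral-storage"`. In this commit the new `name`, `region` and `tags` variables are not read by this example's main.tf, which still uses `local.name` and `local.region`, so the mismatch is latent here, but the same default is carried unchanged into the variables.tf hunk of PATCH 7/8, where main.tf starts passing `name = var.name`; from then on the ephemeral example labels its resources as the other example by default, and applying both examples into one account and region would presumably collide on name-derived resources.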
diff --git a/examples/github-complete/README.md b/examples/github-complete/README.md index e5124208..ef69b0f5 100644 --- a/examples/github-complete/README.md +++ b/examples/github-complete/README.md @@ -66,6 +66,9 @@ Go to https://eu-west-1.console.aws.amazon.com/ecs/home?region=eu-west-1#/settin | [github\_owner](#input\_github\_owner) | Github owner | `string` | n/a | yes | | [github\_token](#input\_github\_token) | Github token | `string` | n/a | yes | | [github\_user](#input\_github\_user) | Github user for Atlantis to utilize when performing Github activities | `string` | n/a | yes | +| [name](#input\_name) | Name of the resource | `string` | `"github-complete"` | no | +| [region](#input\_region) | AWS region to deploy the resources | `string` | `"eu-west-1"` | no | +| [tags](#input\_tags) | tags to be applied to the resources | `map(any)` |
{
"Environment": "dev",
"Owner": "user"
}
| no | ## Outputs diff --git a/examples/github-complete/variables.tf b/examples/github-complete/variables.tf index f3f75d8e..854e59a6 100644 --- a/examples/github-complete/variables.tf +++ b/examples/github-complete/variables.tf @@ -25,25 +25,25 @@ variable "github_user" { variable "enable_ephemeral_storage" { description = "By default this example uses EFS storage, switch to true to use ephemeral storage" - type = bool - default = false + type = bool + default = false } variable "name" { description = "Name of the resource" - type = string - default = "github-complete" + type = string + default = "github-complete" } variable "region" { description = "AWS region to deploy the resources" - type = string - default = "eu-west-1" + type = string + default = "eu-west-1" } variable "tags" { description = "tags to be applied to the resources" - type = map + type = map(any) default = { Owner = "user" Environment = "dev" diff --git a/examples/github-ephemeral-storage/README.md b/examples/github-ephemeral-storage/README.md index 45061c5e..3396defc 100644 --- a/examples/github-ephemeral-storage/README.md +++ b/examples/github-ephemeral-storage/README.md @@ -27,13 +27,15 @@ Go to https://eu-west-1.console.aws.amazon.com/ecs/home?region=eu-west-1#/settin ## Requirements -No requirements. +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 0.13.1 | +| [aws](#requirement\_aws) | ~> 3.45 | +| [github](#requirement\_github) | >= 4.8 | ## Providers -| Name | Version | -|------|---------| -| [aws](#provider\_aws) | n/a | +No providers. ## Modules 
@@ -43,11 +45,7 @@ No requirements. ## Resources -| Name | Type | -|------|------| -| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | -| [aws_elb_service_account.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/elb_service_account) | data source | -| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | +No resources. ## Inputs @@ -59,8 +57,16 @@ No requirements. | [github\_owner](#input\_github\_owner) | Github owner | `string` | n/a | yes | | [github\_token](#input\_github\_token) | Github token | `string` | n/a | yes | | [github\_user](#input\_github\_user) | Github user for Atlantis to utilize when performing Github activities | `string` | n/a | yes | +| [name](#input\_name) | Name of the resource | `string` | `"github-complete"` | no | +| [region](#input\_region) | AWS region to deploy the resources | `string` | `"eu-west-1"` | no | +| [tags](#input\_tags) | tags to be applied to the resources | `map(any)` |
{
"Environment": "dev",
"Owner": "user"
}
| no | ## Outputs -No outputs. +| Name | Description | +|------|-------------| +| [atlantis\_repo\_allowlist](#output\_atlantis\_repo\_allowlist) | Git repositories where webhook should be created | +| [atlantis\_url](#output\_atlantis\_url) | URL of Atlantis | +| [ecs\_task\_definition](#output\_ecs\_task\_definition) | Task definition for ECS service (used for external triggers) | +| [task\_role\_arn](#output\_task\_role\_arn) | The Atlantis ECS task role arn | diff --git a/examples/github-ephemeral-storage/main.tf b/examples/github-ephemeral-storage/main.tf index 71e44c85..1f61ce9c 100644 --- a/examples/github-ephemeral-storage/main.tf +++ b/examples/github-ephemeral-storage/main.tf @@ -1,28 +1,7 @@ provider "aws" { - region = local.region + region = var.region } -locals { - name = "github-ephemeral-storage" - region = "eu-west-1" - - tags = { - Owner = "user" - Environment = "dev" - } -} - - -################################################################################ -# Supporting Resources -################################################################################ - -data "aws_caller_identity" "current" {} - -data "aws_region" "current" {} - -data "aws_elb_service_account" "current" {} - ############################################################## # Atlantis Service ############################################################## @@ -30,10 +9,12 @@ data "aws_elb_service_account" "current" {} module "atlantis" { source = "../github-complete" + name = var.name domain = var.domain alb_ingress_cidr_blocks = var.alb_ingress_cidr_blocks github_token = var.github_token github_owner = var.github_owner github_user = var.github_user enable_ephemeral_storage = var.enable_ephemeral_storage + tags = var.tags } \ No newline at end of file diff --git a/examples/github-ephemeral-storage/outputs.tf b/examples/github-ephemeral-storage/outputs.tf new file mode 100644 index 00000000..4a77d356 --- /dev/null +++ b/examples/github-ephemeral-storage/outputs.tf 
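Review bot: `module "atlantis"` now sources a sibling root example, `../github-complete`, which carries its own `provider "aws" { region = var.region }` block (see the first hunk of PATCH 6/8), so this example ends up with two AWS provider configurations: the one declared here, which no resource in this file uses, and the one inside the child, which is the one that takes effect for the child's resources. A child module that declares its own provider cannot be given `count`/`for_each` and, per Terraform's module documentation, removing such a module from the configuration later leaves its resources without a provider configuration to destroy them. If the two examples must share code, the shared part should be a module without a provider block, with the provider passed in from this root; otherwise sourcing `../../` directly, as the deleted noreuse example did, avoids the nesting. Note also that `name = var.name` wires in this example's default of `"github-complete"`.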
@@ -0,0 +1,20 @@
+# Atlantis
+output "atlantis_url" {
+ description = "URL of Atlantis"
+ value = module.atlantis.atlantis_url
+}
+
+output "atlantis_repo_allowlist" {
+ description = "Git repositories where webhook should be created"
+ value = module.atlantis.atlantis_repo_allowlist
+}
+
+output "task_role_arn" {
+ description = "The Atlantis ECS task role arn"
+ value = module.atlantis.task_role_arn
+}
+
+output "ecs_task_definition" {
+ description = "Task definition for ECS service (used for external triggers)"
+ value = module.atlantis.ecs_task_definition
+}
diff --git a/examples/github-ephemeral-storage/variables.tf b/examples/github-ephemeral-storage/variables.tf
index 61aa4102..be484354 100644
--- a/examples/github-ephemeral-storage/variables.tf
+++ b/examples/github-ephemeral-storage/variables.tf
@@ -25,25 +25,25 @@ variable "github_user" { variable "enable_ephemeral_storage" { description = "By default this example uses ephemeral storage" - type = bool - default = true + type = bool + default = true } variable "name" { description = "Name of the resource" - type = string - default = "github-complete" + type = string + default = "github-complete" } variable "region" { description = "AWS region to deploy the resources" - type = string - default = "eu-west-1" + type = string + default = "eu-west-1" } variable "tags" { description = "tags to be applied to the resources" - type = map + type = map(any) default = { Owner = "user" Environment = "dev"
diff --git a/examples/github-ephemeral-storage/versions.tf b/examples/github-ephemeral-storage/versions.tf
new file mode 100644
index 00000000..815437b6
--- /dev/null
+++ b/examples/github-ephemeral-storage/versions.tf
@@ -0,0 +1,15 @@
+terraform {
+ required_version = ">= 0.13.1"
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 3.45"
+ }
+
+ github = {
+ source = "integrations/github"
+ version = ">= 4.8"
+ }
+ }
+}
From bc27bb8a9b270501642fe406f745308570701094 Mon Sep 17 00:00:00 2001
From: Anton Babenko Date: Fri, 1 Apr 2022 17:07:51 +0200 Subject: [PATCH 8/8] Removed copied example --- examples/github-complete/README.md | 10 +-- examples/github-complete/main.tf | 28 +++++--- .../github-complete/terraform.tfvars.sample | 1 - examples/github-complete/variables.tf | 27 ------- examples/github-complete/versions.tf | 2 +- examples/github-ephemeral-storage/README.md | 72 ------------------- examples/github-ephemeral-storage/main.tf | 20 ------ examples/github-ephemeral-storage/outputs.tf | 20 ------ .../terraform.tfvars.sample | 7 -- .../github-ephemeral-storage/variables.tf | 51 ------------- examples/github-ephemeral-storage/versions.tf | 15 ---- 11 files changed, 23 insertions(+), 230 deletions(-) delete mode 100644 examples/github-ephemeral-storage/README.md delete mode 100644 examples/github-ephemeral-storage/main.tf delete mode 100644 examples/github-ephemeral-storage/outputs.tf delete mode 100644 examples/github-ephemeral-storage/terraform.tfvars.sample delete mode 100644 examples/github-ephemeral-storage/variables.tf delete mode 100644 examples/github-ephemeral-storage/versions.tf diff --git a/examples/github-complete/README.md b/examples/github-complete/README.md index ef69b0f5..79b6ecb8 100644 --- a/examples/github-complete/README.md +++ b/examples/github-complete/README.md 
@@ -30,21 +30,21 @@ Go to https://eu-west-1.console.aws.amazon.com/ecs/home?region=eu-west-1#/settin | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 0.13.1 | -| [aws](#requirement\_aws) | ~> 3.45 | +| [aws](#requirement\_aws) | >= 3.45 | | [github](#requirement\_github) | >= 4.8 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | ~> 3.45 | +| [aws](#provider\_aws) | >= 3.45 | ## Modules | Name | Source | Version | |------|--------|---------| | [atlantis](#module\_atlantis) | ../../ | n/a | -| [atlantis\_access\_log\_bucket](#module\_atlantis\_access\_log\_bucket) | terraform-aws-modules/s3-bucket/aws | ~> 2 | +| [atlantis\_access\_log\_bucket](#module\_atlantis\_access\_log\_bucket) | terraform-aws-modules/s3-bucket/aws | ~> 3.0 | | [github\_repository\_webhook](#module\_github\_repository\_webhook) | ../../modules/github-repository-webhook | n/a | ## Resources 
@@ -62,13 +62,9 @@ Go to https://eu-west-1.console.aws.amazon.com/ecs/home?region=eu-west-1#/settin |------|-------------|------|---------|:--------:| | [alb\_ingress\_cidr\_blocks](#input\_alb\_ingress\_cidr\_blocks) | List of IPv4 CIDR ranges to use on all ingress rules of the ALB - use your personal IP in the form of `x.x.x.x/32` for restricted testing | `list(string)` | n/a | yes | | [domain](#input\_domain) | Route53 domain name to use for ACM certificate. Route53 zone for this domain should be created in advance | `string` | n/a | yes | -| [enable\_ephemeral\_storage](#input\_enable\_ephemeral\_storage) | By default this example uses EFS storage, switch to true to use ephemeral storage | `bool` | `false` | no | | [github\_owner](#input\_github\_owner) | Github owner | `string` | n/a | yes | | [github\_token](#input\_github\_token) | Github token | `string` | n/a | yes | | [github\_user](#input\_github\_user) | Github user for Atlantis to utilize when performing Github activities | `string` | n/a | yes | -| [name](#input\_name) | Name of the resource | `string` | `"github-complete"` | no | -| [region](#input\_region) | AWS region to deploy the resources | `string` | `"eu-west-1"` | no | -| [tags](#input\_tags) | tags to be applied to the resources | `map(any)` |
{
"Environment": "dev",
"Owner": "user"
}
| no | ## Outputs diff --git a/examples/github-complete/main.tf b/examples/github-complete/main.tf index d463c312..7270f77b 100644 --- a/examples/github-complete/main.tf +++ b/examples/github-complete/main.tf @@ -1,5 +1,15 @@ provider "aws" { - region = var.region + region = local.region +} + +locals { + name = "github-complete" + region = "eu-west-1" + + tags = { + Owner = "user" + Environment = "dev" + } } ################################################################################ @@ -19,14 +29,17 @@ data "aws_elb_service_account" "current" {} module "atlantis" { source = "../../" - name = var.name + name = local.name # VPC cidr = "10.20.0.0/16" - azs = ["${var.region}a", "${var.region}b", "${var.region}c"] + azs = ["${local.region}a", "${local.region}b", "${local.region}c"] private_subnets = ["10.20.1.0/24", "10.20.2.0/24", "10.20.3.0/24"] public_subnets = ["10.20.101.0/24", "10.20.102.0/24", "10.20.103.0/24"] + # EFS + enable_ephemeral_storage = true + # ECS ecs_service_platform_version = "LATEST" ecs_container_insights = true @@ -36,9 +49,6 @@ module "atlantis" { container_cpu = 512 container_memory = 1024 - # EFS - enable_ephemeral_storage = var.enable_ephemeral_storage - entrypoint = ["docker-entrypoint.sh"] command = ["server"] working_directory = "/tmp" @@ -80,7 +90,7 @@ module "atlantis" { allow_github_webhooks = true allow_repo_config = true - tags = var.tags + tags = local.tags } ################################################################################ @@ -104,7 +114,7 @@ module "github_repository_webhook" { ################################################################################ module "atlantis_access_log_bucket" { source = "terraform-aws-modules/s3-bucket/aws" - version = "~> 2" + version = "~> 3.0" bucket = "atlantis-access-logs-${data.aws_caller_identity.current.account_id}-${data.aws_region.current.name}" 
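Review bot: The `# EFS` heading is now placed directly over `enable_ephemeral_storage = true`, and the variable's own description earlier in this series ("By default this example uses EFS storage, switch to true to use ephemeral storage") says that value turns EFS off, so the comment states the opposite of what the line does; suggest `# Storage: ephemeral task storage instead of EFS`. With the value hard-coded, the example no longer exercises the EFS path that was previously its default, which is worth a sentence in the example README. The `atlantis_access_log_bucket` bump from `~> 2` to `~> 3.0` is a major-version change of a third-party module; its changelog is not visible here, so confirm that the inputs used in this block (`attach_policy`, `lifecycle_rule`, `server_side_encryption_configuration`) are unchanged in the 3.x line.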
@@ -118,7 +128,7 @@ module "atlantis_access_log_bucket" { force_destroy = true - tags = var.tags + tags = local.tags server_side_encryption_configuration = { rule = { diff --git a/examples/github-complete/terraform.tfvars.sample b/examples/github-complete/terraform.tfvars.sample index 64987023..beec2573 100644 --- a/examples/github-complete/terraform.tfvars.sample +++ b/examples/github-complete/terraform.tfvars.sample @@ -3,4 +3,3 @@ alb_ingress_cidr_blocks = ["x.x.x.x/32"] github_owner = "myorg" github_user = "atlantis" github_token = "mygithubpersonalaccesstokenforatlantis" -allowed_repo_names = ["repo1", "repo2"] diff --git a/examples/github-complete/variables.tf b/examples/github-complete/variables.tf index 854e59a6..f0d60ee9 100644 --- a/examples/github-complete/variables.tf +++ b/examples/github-complete/variables.tf @@ -22,30 +22,3 @@ variable "github_user" { description = "Github user for Atlantis to utilize when performing Github activities" type = string } - -variable "enable_ephemeral_storage" { - description = "By default this example uses EFS storage, switch to true to use ephemeral storage" - type = bool - default = false -} - -variable "name" { - description = "Name of the resource" - type = string - default = "github-complete" -} - -variable "region" { - description = "AWS region to deploy the resources" - type = string - default = "eu-west-1" -} - -variable "tags" { - description = "tags to be applied to the resources" - type = map(any) - default = { - Owner = "user" - Environment = "dev" - } -} \ No newline at end of file diff --git a/examples/github-complete/versions.tf b/examples/github-complete/versions.tf index 815437b6..28ce680e 100644 --- a/examples/github-complete/versions.tf +++ b/examples/github-complete/versions.tf @@ -4,7 +4,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = "~> 3.45" + version = ">= 3.45" } github = { 
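Review bot: `version = ">= 3.45"` in versions.tf has no upper bound, so every future major release of the AWS provider is accepted by this example, whereas the previous `~> 3.45` kept it inside 3.x. The s3-bucket module bump to `~> 3.0` in the earlier main.tf hunk presumably needs a newer provider line, so the loosening looks deliberate, but the target should then be stated rather than left open-ended. I'd pin the intended major explicitly, e.g. `version = "~> 4.0"` if provider 4.x is what the new s3-bucket line requires, so a later breaking provider release does not silently change what `terraform init` resolves.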
diff --git a/examples/github-ephemeral-storage/README.md b/examples/github-ephemeral-storage/README.md deleted file mode 100644 index 3396defc..00000000 --- a/examples/github-ephemeral-storage/README.md +++ /dev/null 
@@ -1,72 +0,0 @@ -# Complete Atlantis example with GitHub Webhooks - -Configuration in this directory creates the necessary infrastructure and resources for running Atlantis on Fargate plus GitHub repository webhooks configured to Atlantis URL. - -An existing Route53 hosted zone and domain is required to deploy this example. - -GitHub's personal access token can be generated at https://github.com/settings/tokens - -## Usage - -To run this code you need to copy `terraform.tfvars.sample` into `terraform.tfvars` and update the values locally or specify them using environment variables (`TF_VAR_github_token=xxx`, `TF_VAR_github_owner=xxx`, etc.). Once ready, execute: - -```bash -$ terraform init -$ terraform plan -$ terraform apply -``` - -Note - if you receive the following error when running apply: - -`Error: InvalidParameterException: The new ARN and resource ID format must be enabled to add tags to the service. Opt in to the new format and try again. "atlantiscomplete"` - -Go to https://eu-west-1.console.aws.amazon.com/ecs/home?region=eu-west-1#/settings (update for your region of use) and change `Container instance`, `Service`, and `Task` to `Enabled`. - -⚠️ This example will create resources which cost money. Run `terraform destroy` when you don't need these resources. ⚠️ - - -## Requirements - -| Name | Version | -|------|---------| -| [terraform](#requirement\_terraform) | >= 0.13.1 | -| [aws](#requirement\_aws) | ~> 3.45 | -| [github](#requirement\_github) | >= 4.8 | - -## Providers - -No providers. - -## Modules - -| Name | Source | Version | -|------|--------|---------| -| [atlantis](#module\_atlantis) | ../github-complete | n/a | - -## Resources - -No resources. 
- -## Inputs - -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| [alb\_ingress\_cidr\_blocks](#input\_alb\_ingress\_cidr\_blocks) | List of IPv4 CIDR ranges to use on all ingress rules of the ALB - use your personal IP in the form of `x.x.x.x/32` for restricted testing | `list(string)` | n/a | yes | -| [domain](#input\_domain) | Route53 domain name to use for ACM certificate. Route53 zone for this domain should be created in advance | `string` | n/a | yes | -| [enable\_ephemeral\_storage](#input\_enable\_ephemeral\_storage) | By default this example uses ephemeral storage | `bool` | `true` | no | -| [github\_owner](#input\_github\_owner) | Github owner | `string` | n/a | yes | -| [github\_token](#input\_github\_token) | Github token | `string` | n/a | yes | -| [github\_user](#input\_github\_user) | Github user for Atlantis to utilize when performing Github activities | `string` | n/a | yes | -| [name](#input\_name) | Name of the resource | `string` | `"github-complete"` | no | -| [region](#input\_region) | AWS region to deploy the resources | `string` | `"eu-west-1"` | no | -| [tags](#input\_tags) | tags to be applied to the resources | `map(any)` |
{
"Environment": "dev",
"Owner": "user"
}
| no | - -## Outputs - -| Name | Description | -|------|-------------| -| [atlantis\_repo\_allowlist](#output\_atlantis\_repo\_allowlist) | Git repositories where webhook should be created | -| [atlantis\_url](#output\_atlantis\_url) | URL of Atlantis | -| [ecs\_task\_definition](#output\_ecs\_task\_definition) | Task definition for ECS service (used for external triggers) | -| [task\_role\_arn](#output\_task\_role\_arn) | The Atlantis ECS task role arn | - diff --git a/examples/github-ephemeral-storage/main.tf b/examples/github-ephemeral-storage/main.tf deleted file mode 100644 index 1f61ce9c..00000000 --- a/examples/github-ephemeral-storage/main.tf +++ /dev/null @@ -1,20 +0,0 @@ -provider "aws" { - region = var.region -} - -############################################################## -# Atlantis Service -############################################################## - -module "atlantis" { - source = "../github-complete" - - name = var.name - domain = var.domain - alb_ingress_cidr_blocks = var.alb_ingress_cidr_blocks - github_token = var.github_token - github_owner = var.github_owner - github_user = var.github_user - enable_ephemeral_storage = var.enable_ephemeral_storage - tags = var.tags -} \ No newline at end of file diff --git a/examples/github-ephemeral-storage/outputs.tf b/examples/github-ephemeral-storage/outputs.tf deleted file mode 100644 index 4a77d356..00000000 --- a/examples/github-ephemeral-storage/outputs.tf +++ /dev/null 
@@ -1,20 +0,0 @@
-# Atlantis
-output "atlantis_url" {
- description = "URL of Atlantis"
- value = module.atlantis.atlantis_url
-}
-
-output "atlantis_repo_allowlist" {
- description = "Git repositories where webhook should be created"
- value = module.atlantis.atlantis_repo_allowlist
-}
-
-output "task_role_arn" {
- description = "The Atlantis ECS task role arn"
- value = module.atlantis.task_role_arn
-}
-
-output "ecs_task_definition" {
- description = "Task definition for ECS service (used for external triggers)"
- value = module.atlantis.ecs_task_definition
-}
diff --git a/examples/github-ephemeral-storage/terraform.tfvars.sample b/examples/github-ephemeral-storage/terraform.tfvars.sample
deleted file mode 100644
index f7377be6..00000000
--- a/examples/github-ephemeral-storage/terraform.tfvars.sample
+++ /dev/null
@@ -1,7 +0,0 @@
-domain = "mydomain.com"
-alb_ingress_cidr_blocks = ["x.x.x.x/32"]
-github_owner = "myorg"
-github_user = "atlantis"
-github_token = "mygithubpersonalaccesstokenforatlantis"
-allowed_repo_names = ["repo1", "repo2"]
-enable_ephemeral_storage = true
diff --git a/examples/github-ephemeral-storage/variables.tf b/examples/github-ephemeral-storage/variables.tf
deleted file mode 100644
index be484354..00000000
--- a/examples/github-ephemeral-storage/variables.tf
+++ /dev/null
@@ -1,51 +0,0 @@
-variable "domain" {
- description = "Route53 domain name to use for ACM certificate. Route53 zone for this domain should be created in advance"
- type = string
-}
-
-variable "alb_ingress_cidr_blocks" {
- description = "List of IPv4 CIDR ranges to use on all ingress rules of the ALB - use your personal IP in the form of `x.x.x.x/32` for restricted testing"
- type = list(string)
-}
-
-variable "github_token" {
- description = "Github token"
- type = string
-}
-
-variable "github_owner" {
- description = "Github owner"
- type = string
-}
-
-variable "github_user" {
- description = "Github user for Atlantis to utilize when performing Github activities"
- type = string
-}
-
-variable "enable_ephemeral_storage" {
- description = "By default this example uses ephemeral storage"
- type = bool
- default = true
-}
-
-variable "name" {
- description = "Name of the resource"
- type = string
- default = "github-complete"
-}
-
-variable "region" {
- description = "AWS region to deploy the resources"
- type = string
- default = "eu-west-1"
-}
-
-variable "tags" {
- description = "tags to be applied to the resources"
- type = map(any)
- default = {
- Owner = "user"
- Environment = "dev"
- }
-}
\ No newline at end of file
diff --git a/examples/github-ephemeral-storage/versions.tf b/examples/github-ephemeral-storage/versions.tf
deleted file mode 100644
index 815437b6..00000000
--- a/examples/github-ephemeral-storage/versions.tf
+++ /dev/null
@@ -1,15 +0,0 @@
-terraform {
- required_version = ">= 0.13.1"
-
- required_providers {
- aws = {
- source = "hashicorp/aws"
- version = "~> 3.45"
- }
-
- github = {
- source = "integrations/github"
- version = ">= 4.8"
- }
- }
-}