/atlantis-on-gke

A set of @HashiCorp Terraform configurations for running Atlantis on @GoogleCloud GKE

Primary LanguageHCLApache License 2.0Apache-2.0

Atlantis on GKE with Terraform

These Terraform configurations provision an Atlantis cluster on Google Kubernetes Engine using HashiCorp Terraform as the provisioning tool.

Feature Highlights

  • Google Cloud Storage Backend - Automatically creates a GSC storage bucket for use with Terraform.

  • Dedicated Service Account - There's a dedicated service account with access to the storage bucket which can be given to Terraform or attached to instances executing Terraform.

  • (Self-signed) TLS - Automatically generates certificates and secures the Atlantis server with them. This could be replaced with real certificates if needed.

  • Automatic GitHub Repo Creation & Configuration - Automatically creates a dedicated (private) GitHub repository with the Atlantis webhook configured automatically.

Requirements

  1. A Google Cloud Organization because these configurations create a new project which (through Terraform) must be associated with an organization.

  2. A GitHub Organization (not a personal account) because the Terraform GitHub provider does not support personal accounts

Tutorial

  1. Download and install Terraform

  2. Download, install, and configure the Google Cloud SDK. You will need to configure your default application credentials so Terraform can run. It will run against your default project, but all resources are created in the (new) project that it creates.

  3. Run Terraform:

    $ cd terraform/
    $ terraform init
    $ terraform apply
    

    This operation will take some time as it:

    1. Creates a new project
    2. Enables the required services on that project
    3. Creates a bucket for Terraform remote state
    4. Creates a service account with the most restrictive permissions to those resources
    5. Creates a GKE cluster with the configured service account attached
    6. Creates a public IP
    7. Generates a self-signed certificate authority (CA)
    8. Generates a certificate signed by that CA
    9. Configures Terraform to talk to Kubernetes
    10. Creates a Kubernetes secret with the TLS file contents
    11. Submits the Atlantis Pod and Service (LoadBalancer) to the Kubernetes API
    12. Creates a sample "demo" folder with Terraform configurations that are pre-configured to connect to the provisioned Google Cloud Storage backend with customer-provided encryption keys.

Run Locally

  1. Configure local Terraform with the correct credentials

    cd demo/
    source env.sh
    
  2. Run some commands

    $ terraform plan
    $ terraform apply
    
  3. Go to GitHub

  4. Make a change

    n1-standard-1 -> n1-standard-2
    
  5. Open a Pull Request with the changes on a new branch

  6. Plan changes

    atlantis plan
    
  7. Apply changes

    atlantis apply
    

Cleaning Up

$ cd terraform/

# If you ran locally
$ unset GOOGLE_PROJECT
$ unset GOOGLE_ENCRYPTION_KEY
$ unset GOOGLE_CREDENTIALS

$ terraform destroy

Note that this can sometimes fail. Re-run it and it should succeed. If things get into a bad state, you can always just delete the project.

Security

This set of Terraform configurations is designed to make your life easy. Some data, including the TLS certificates and webhook secrets will be stored in your state file in plain text.

License & Author

Copyright 2018 Google, Inc.
Copyright 2018 Seth Vargo

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.