From 9b577b10dee14b58bc0ded2a4def1e94ac6eed1e Mon Sep 17 00:00:00 2001 From: aknysh Date: Tue, 28 May 2019 23:11:44 -0400 Subject: [PATCH 1/8] Update `web-app` version --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index 739dedb..b5d4bf6 100644 --- a/main.tf +++ b/main.tf @@ -57,7 +57,7 @@ module "webhooks" { } module "web_app" { - source = "git::https://github.com/cloudposse/terraform-aws-ecs-web-app.git?ref=tags/0.21.0" + source = "git::https://github.com/cloudposse/terraform-aws-ecs-web-app.git?ref=update-codepipeline" namespace = "${var.namespace}" stage = "${var.stage}" name = "${var.name}" From 26238b4bb10b044324ec9d0b07931d76c5aaa902 Mon Sep 17 00:00:00 2001 From: aknysh Date: Tue, 28 May 2019 23:26:17 -0400 Subject: [PATCH 2/8] Update `web-app` version --- README.md | 4 ++-- docs/terraform.md | 4 ++-- main.tf | 40 +++++++++++++++++++++++++++++++--------- variables.tf | 12 +++++++++--- 4 files changed, 44 insertions(+), 16 deletions(-) diff --git a/README.md b/README.md index 0f19c86..e6d9183 100644 --- a/README.md +++ b/README.md 
@@ -260,9 +260,9 @@ Available targets: | ecs_cluster_arn | ARN of the ECS cluster to deploy Atlantis | string | - | yes | | ecs_cluster_name | Name of the ECS cluster to deploy Atlantis | string | - | yes | | enabled | Whether to create the resources. Set to `false` to prevent the module from creating any resources | string | `false` | no | -| github_oauth_token | GitHub Oauth token. If not provided the token is looked up from SSM. | string | `` | no | +| github_oauth_token | GitHub Oauth token. If not provided the token is looked up from SSM | string | `` | no | | github_oauth_token_ssm_name | SSM param name to lookup GitHub OAuth token if not provided | string | `` | no | -| github_webhooks_token | GitHub OAuth Token with permissions to create webhooks. If not provided, can be sourced from the `GITHUB_TOKEN` environment variable | string | `` | no | +| github_webhooks_token | GitHub OAuth Token with permissions to create webhooks. If not provided the token is looked up from SSM | string | `` | no | | healthcheck_path | Healthcheck path | string | `/healthz` | no | | hostname | Atlantis URL | string | `` | no | | kms_key_id | KMS key ID used to encrypt SSM SecureString parameters | string | `` | no | diff --git a/docs/terraform.md b/docs/terraform.md index ccd91e4..4c35607 100644 --- a/docs/terraform.md +++ b/docs/terraform.md 
@@ -60,9 +60,9 @@ | ecs_cluster_arn | ARN of the ECS cluster to deploy Atlantis | string | - | yes | | ecs_cluster_name | Name of the ECS cluster to deploy Atlantis | string | - | yes | | enabled | Whether to create the resources. Set to `false` to prevent the module from creating any resources | string | `false` | no | -| github_oauth_token | GitHub Oauth token. If not provided the token is looked up from SSM. | string | `` | no | +| github_oauth_token | GitHub Oauth token. If not provided the token is looked up from SSM | string | `` | no | | github_oauth_token_ssm_name | SSM param name to lookup GitHub OAuth token if not provided | string | `` | no | -| github_webhooks_token | GitHub OAuth Token with permissions to create webhooks. If not provided, can be sourced from the `GITHUB_TOKEN` environment variable | string | `` | no | +| github_webhooks_token | GitHub OAuth Token with permissions to create webhooks. If not provided the token is looked up from SSM | string | `` | no | | healthcheck_path | Healthcheck path | string | `/healthz` | no | | hostname | Atlantis URL | string | `` | no | | kms_key_id | KMS key ID used to encrypt SSM SecureString parameters | string | `` | no | diff --git a/main.tf b/main.tf index b5d4bf6..11c23c6 100644 --- a/main.tf +++ b/main.tf @@ -11,6 +11,11 @@ data "aws_ssm_parameter" "atlantis_gh_token" { name = "${local.github_oauth_token_ssm_name}" } +data "aws_ssm_parameter" "github_webhooks_token" { + count = "${local.enabled && length(var.github_webhooks_token) == 0 ? 1 : 0}" + name = "${local.github_webhooks_token_ssm_name}" +} + data "aws_kms_key" "chamber_kms_key" { count = "${local.enabled && length(var.kms_key_id) == 0 ? 1 : 0}" key_id = "${local.kms_key_id}" 
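Review bot: The new `data "aws_ssm_parameter" "github_webhooks_token"` is read whenever `var.github_webhooks_token` is empty and has no opt-out, so a user who relied on the `GITHUB_TOKEN` environment-variable fallback that the README hunks remove will most likely see the data source fail at plan time until the parameter has been written to SSM. Worth a comment on the data block, e.g. `# Read only when var.github_webhooks_token is empty; fails if the parameter has not been written to SSM yet (see README)`. Note also that the decrypted SecureString value, like the existing `atlantis_gh_token` lookup just above it, is persisted in Terraform state, so the state backend needs encryption and restricted access; a one-line comment saying so would help operators.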
@@ -19,16 +24,23 @@ data "aws_kms_key" "chamber_kms_key" { # Locals #-------------------------------------------------------------- locals { - enabled = "${var.enabled == "true" ? true : false}" - atlantis_gh_webhook_secret = "${length(var.atlantis_gh_webhook_secret) > 0 ? var.atlantis_gh_webhook_secret : join("", random_string.atlantis_gh_webhook_secret.*.result)}" - atlantis_webhook_url = "${format(var.atlantis_webhook_format, local.hostname)}" - atlantis_url = "${format(var.atlantis_url_format, local.hostname)}" - attributes = "${concat(list(var.short_name), var.attributes)}" - default_hostname = "${join("", aws_route53_record.default.*.fqdn)}" + enabled = "${var.enabled == "true" ? true : false}" + atlantis_gh_webhook_secret = "${length(var.atlantis_gh_webhook_secret) > 0 ? var.atlantis_gh_webhook_secret : join("", random_string.atlantis_gh_webhook_secret.*.result)}" + atlantis_webhook_url = "${format(var.atlantis_webhook_format, local.hostname)}" + atlantis_url = "${format(var.atlantis_url_format, local.hostname)}" + attributes = "${concat(list(var.short_name), var.attributes)}" + default_hostname = "${join("", aws_route53_record.default.*.fqdn)}" + hostname = "${length(var.hostname) > 0 ? var.hostname : local.default_hostname}" + kms_key_id = "${length(var.kms_key_id) > 0 ? var.kms_key_id : format("alias/%s-%s-chamber", var.namespace, var.stage)}" +} + +# GitHub tokens +locals { github_oauth_token = "${length(join("", data.aws_ssm_parameter.atlantis_gh_token.*.value)) > 0 ? join("", data.aws_ssm_parameter.atlantis_gh_token.*.value) : var.github_oauth_token}" github_oauth_token_ssm_name = "${length(var.github_oauth_token_ssm_name) > 0 ? var.github_oauth_token_ssm_name : format(var.chamber_format, var.chamber_service, "atlantis_gh_token")}" - hostname = "${length(var.hostname) > 0 ? var.hostname : local.default_hostname}" - kms_key_id = "${length(var.kms_key_id) > 0 ? 
var.kms_key_id : format("alias/%s-%s-chamber", var.namespace, var.stage)}" + + github_webhooks_token = "${length(join("", data.aws_ssm_parameter.github_webhooks_token.*.value)) > 0 ? join("", data.aws_ssm_parameter.github_webhooks_token.*.value) : var.github_webhooks_token}" + github_webhooks_token_ssm_name = "${length(var.github_webhooks_token_ssm_name) > 0 ? var.github_webhooks_token_ssm_name : format(var.chamber_format, var.chamber_service, "github_webhooks_token")}" } # Modules @@ -111,7 +123,7 @@ module "web_app" { alb_ingress_healthcheck_path = "${var.healthcheck_path}" github_oauth_token = "${local.github_oauth_token}" - github_webhooks_token = "${var.github_webhooks_token}" + github_webhooks_token = "${local.github_webhooks_token}" repo_owner = "${var.repo_owner}" repo_name = "${var.repo_name}" branch = "${var.branch}" @@ -282,6 +294,16 @@ resource "aws_ssm_parameter" "atlantis_gh_token" { value = "${local.github_oauth_token}" } +resource "aws_ssm_parameter" "github_webhooks_token" { + count = "${local.enabled ? 1 : 0}" + description = "GitHub OAuth token with permission to create webhooks" + key_id = "${join("", data.aws_kms_key.chamber_kms_key.*.id)}" + name = "${local.github_webhooks_token_ssm_name}" + overwrite = "${var.overwrite_ssm_parameter}" + type = "SecureString" + value = "${local.github_webhooks_token}" +} + resource "aws_security_group_rule" "egress_http" { count = "${local.enabled ? 1 : 0}" cidr_blocks = ["0.0.0.0/0"] diff --git a/variables.tf b/variables.tf index deda96f..8d139c6 100644 --- a/variables.tf +++ b/variables.tf 
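Review bot: `resource "aws_ssm_parameter" "github_webhooks_token"` writes `local.github_webhooks_token` to `local.github_webhooks_token_ssm_name`, which is the same parameter the new data source reads when the variable is empty, so in the SSM-sourced case the module adopts a parameter the operator created out of band, rewrites it (subject to `overwrite_ssm_parameter`; with overwrite disabled the create will likely fail because the parameter already exists) and will delete it on destroy. If the write-back is only meant to persist a token that was passed in by variable, gating the resource on that case avoids taking ownership of the operator's copy: `count = "${local.enabled && length(var.github_webhooks_token) > 0 ? 1 : 0}"`. The existing `atlantis_gh_token` resource directly above follows the same read-then-write pattern, so whichever way this is decided the two should match.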
@@ -40,19 +40,25 @@ variable "default_backend_image" { variable "github_oauth_token" { type = "string" - description = "GitHub Oauth token. If not provided the token is looked up from SSM." + description = "GitHub Oauth token. If not provided the token is looked up from SSM" default = "" } variable "github_webhooks_token" { type = "string" - description = "GitHub OAuth Token with permissions to create webhooks. If not provided, can be sourced from the `GITHUB_TOKEN` environment variable" + description = "GitHub OAuth Token with permissions to create webhooks. If not provided the token is looked up from SSM" default = "" } variable "github_oauth_token_ssm_name" { type = "string" - description = "SSM param name to lookup GitHub OAuth token if not provided" + description = "SSM param name to lookup `github_oauth_token` if not provided" + default = "" +} + +variable "github_webhooks_token_ssm_name" { + type = "string" + description = "SSM param name to lookup `github_webhooks_token` if not provided" default = "" } From 675be50968852bcc508d9e4a2521ff7ea5c3a6c5 Mon Sep 17 00:00:00 2001 From: aknysh Date: Tue, 28 May 2019 23:29:46 -0400 Subject: [PATCH 3/8] Update `web-app` version --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index 11c23c6..3642466 100644 --- a/main.tf +++ b/main.tf @@ -59,7 +59,7 @@ module "ssh_key_pair" { module "webhooks" { source = "git::https://github.com/cloudposse/terraform-github-repository-webhooks.git?ref=tags/0.4.0" - github_token = "${var.github_webhooks_token}" + github_token = "${local.github_webhooks_token}" webhook_secret = "${local.atlantis_gh_webhook_secret}" webhook_url = "${local.atlantis_webhook_url}" enabled = "${local.enabled}" From 43ba7a479db6b4c2700e2f30d6d45b1c934a24d8 Mon Sep 17 00:00:00 2001 
From: aknysh Date: Wed, 29 May 2019 10:10:23 -0400 Subject: [PATCH 4/8] Update `web-app` version. Add `github_webhooks_token` --- README.md | 15 ++++++++++++--- README.yaml | 12 ++++++++++-- docs/terraform.md | 3 ++- main.tf | 2 +- 4 files changed, 25 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index e6d9183..a8fffeb 100644 --- a/README.md +++ b/README.md @@ -90,7 +90,7 @@ What this module does not provision: ### GitHub Repo Scopes -This module accepts two GitHub tokens: +This module accepts two GitHub OAuth tokens: 1. `github_oauth_token` with permissions to pull private repos. Used by CodePipeline to clone repos before the build, and by the atlantis server to clone repos and comment on Pull Requests. @@ -104,7 +104,6 @@ This module accepts two GitHub tokens: 2. `github_webhooks_token` with permissions to create GitHub webhooks. Only used by [Terraform GitHub Provider](https://www.terraform.io/docs/providers/github/index.html) when provisioning the module. - It must be provided either in the `github_webhooks_token` variable, or it can also be sourced from the `GITHUB_TOKEN` environment variable. The token needs the following OAuth scopes: @@ -127,6 +126,15 @@ We suggest the following steps when creating the tokens and provisioning the mod **IMPORTANT:** Do not commit the tokens to source control (_e.g._ via `terraform.tvfars`). +**NOTE:** If the two tokens are not provided (left empty), they will be looked up from SSM Parameter Store. +You can write `atlantis atlantis_gh` and `github_webhooks_token` to SSM Parameter Store before provisioning the module. +For example, by using [chamber](https://github.com/segmentio/chamber): + +```sh + chamber write atlantis atlantis_gh_token "....." + chamber write atlantis github_webhooks_token "....." +``` + ## Usage 
@@ -261,8 +269,9 @@ Available targets: | ecs_cluster_name | Name of the ECS cluster to deploy Atlantis | string | - | yes | | enabled | Whether to create the resources. Set to `false` to prevent the module from creating any resources | string | `false` | no | | github_oauth_token | GitHub Oauth token. If not provided the token is looked up from SSM | string | `` | no | -| github_oauth_token_ssm_name | SSM param name to lookup GitHub OAuth token if not provided | string | `` | no | +| github_oauth_token_ssm_name | SSM param name to lookup `github_oauth_token` if not provided | string | `` | no | | github_webhooks_token | GitHub OAuth Token with permissions to create webhooks. If not provided the token is looked up from SSM | string | `` | no | +| github_webhooks_token_ssm_name | SSM param name to lookup `github_webhooks_token` if not provided | string | `` | no | | healthcheck_path | Healthcheck path | string | `/healthz` | no | | hostname | Atlantis URL | string | `` | no | | kms_key_id | KMS key ID used to encrypt SSM SecureString parameters | string | `` | no | diff --git a/README.yaml b/README.yaml index 7a71348..ca25fb1 100644 --- a/README.yaml +++ b/README.yaml @@ -111,7 +111,7 @@ introduction: |- ### GitHub Repo Scopes - This module accepts two GitHub tokens: + This module accepts two GitHub OAuth tokens: 1. `github_oauth_token` with permissions to pull private repos. Used by CodePipeline to clone repos before the build, and by the atlantis server to clone repos and comment on Pull Requests. @@ -125,7 +125,6 @@ introduction: |- 2. `github_webhooks_token` with permissions to create GitHub webhooks. Only used by [Terraform GitHub Provider](https://www.terraform.io/docs/providers/github/index.html) when provisioning the module. - It must be provided either in the `github_webhooks_token` variable, or it can also be sourced from the `GITHUB_TOKEN` environment variable. The token needs the following OAuth scopes: 
@@ -148,6 +147,15 @@ introduction: |- **IMPORTANT:** Do not commit the tokens to source control (_e.g._ via `terraform.tvfars`). + **NOTE:** If the two tokens are not provided (left empty), they will be looked up from SSM Parameter Store. + You can write `atlantis atlantis_gh` and `github_webhooks_token` to SSM Parameter Store before provisioning the module. + For example, by using [chamber](https://github.com/segmentio/chamber): + + ```sh + chamber write atlantis atlantis_gh_token "....." + chamber write atlantis github_webhooks_token "....." + ``` + # How to use this project usage: |- diff --git a/docs/terraform.md b/docs/terraform.md index 4c35607..91c4adc 100644 --- a/docs/terraform.md +++ b/docs/terraform.md @@ -61,8 +61,9 @@ | ecs_cluster_name | Name of the ECS cluster to deploy Atlantis | string | - | yes | | enabled | Whether to create the resources. Set to `false` to prevent the module from creating any resources | string | `false` | no | | github_oauth_token | GitHub Oauth token. If not provided the token is looked up from SSM | string | `` | no | -| github_oauth_token_ssm_name | SSM param name to lookup GitHub OAuth token if not provided | string | `` | no | +| github_oauth_token_ssm_name | SSM param name to lookup `github_oauth_token` if not provided | string | `` | no | | github_webhooks_token | GitHub OAuth Token with permissions to create webhooks. If not provided the token is looked up from SSM | string | `` | no | +| github_webhooks_token_ssm_name | SSM param name to lookup `github_webhooks_token` if not provided | string | `` | no | | healthcheck_path | Healthcheck path | string | `/healthz` | no | | hostname | Atlantis URL | string | `` | no | | kms_key_id | KMS key ID used to encrypt SSM SecureString parameters | string | `` | no | diff --git a/main.tf b/main.tf index 3642466..a0eee2a 100644 --- a/main.tf +++ b/main.tf 
@@ -69,7 +69,7 @@ module "webhooks" { } module "web_app" { - source = "git::https://github.com/cloudposse/terraform-aws-ecs-web-app.git?ref=update-codepipeline" + source = "git::https://github.com/cloudposse/terraform-aws-ecs-web-app.git?ref=tags/0.22.0" namespace = "${var.namespace}" stage = "${var.stage}" name = "${var.name}" From c8bf11da80be8b9de3fbeda7d56ee74ce1299ee0 Mon Sep 17 00:00:00 2001 From: aknysh Date: Wed, 29 May 2019 10:13:19 -0400 Subject: [PATCH 5/8] Pin `aws` provider --- main.tf | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/main.tf b/main.tf index a0eee2a..c91152e 100644 --- a/main.tf +++ b/main.tf @@ -1,3 +1,10 @@ +# Pin the `aws` provider +# https://www.terraform.io/docs/configuration/providers.html +# Any non-beta version >= 2.12.0 and < 2.13.0, e.g. 2.12.X +provider "aws" { + version = "~> 2.12.0" +} + # Terraform #-------------------------------------------------------------- terraform { From e95bc2c046275ac3cad3e0db09077941c28aa7af Mon Sep 17 00:00:00 2001 From: aknysh Date: Wed, 29 May 2019 13:25:24 -0400 Subject: [PATCH 6/8] Pin `terraform` version --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index c91152e..562c18e 100644 --- a/main.tf +++ b/main.tf @@ -8,7 +8,7 @@ provider "aws" { # Terraform #-------------------------------------------------------------- terraform { - required_version = ">= 0.10.7" + required_version = "~> 0.11.0" } # Data From aaa55c4eb725a2e295f2ec26ba7846943e5133a6 Mon Sep 17 00:00:00 2001 From: Erik Osterman Date: Wed, 29 May 2019 10:33:30 -0700 Subject: [PATCH 7/8] Update variables.tf --- variables.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/variables.tf b/variables.tf index 8d139c6..c77bbab 100644 --- a/variables.tf +++ b/variables.tf 
@@ -40,7 +40,7 @@ variable "default_backend_image" { variable "github_oauth_token" { type = "string" - description = "GitHub Oauth token. If not provided the token is looked up from SSM" + description = "GitHub OAuth token. If not provided the token is looked up from SSM" default = "" } From 839580ef9fb09e984ae8175251d2fb99a25a0399 Mon Sep 17 00:00:00 2001 From: aknysh Date: Wed, 29 May 2019 13:34:41 -0400 Subject: [PATCH 8/8] Update README --- README.md | 2 +- docs/terraform.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index a8fffeb..afbced4 100644 --- a/README.md +++ b/README.md @@ -268,7 +268,7 @@ Available targets: | ecs_cluster_arn | ARN of the ECS cluster to deploy Atlantis | string | - | yes | | ecs_cluster_name | Name of the ECS cluster to deploy Atlantis | string | - | yes | | enabled | Whether to create the resources. Set to `false` to prevent the module from creating any resources | string | `false` | no | -| github_oauth_token | GitHub Oauth token. If not provided the token is looked up from SSM | string | `` | no | +| github_oauth_token | GitHub OAuth token. If not provided the token is looked up from SSM | string | `` | no | | github_oauth_token_ssm_name | SSM param name to lookup `github_oauth_token` if not provided | string | `` | no | | github_webhooks_token | GitHub OAuth Token with permissions to create webhooks. If not provided the token is looked up from SSM | string | `` | no | | github_webhooks_token_ssm_name | SSM param name to lookup `github_webhooks_token` if not provided | string | `` | no | diff --git a/docs/terraform.md b/docs/terraform.md index 91c4adc..426c57a 100644 --- a/docs/terraform.md +++ b/docs/terraform.md 
@@ -60,7 +60,7 @@ | ecs_cluster_arn | ARN of the ECS cluster to deploy Atlantis | string | - | yes | | ecs_cluster_name | Name of the ECS cluster to deploy Atlantis | string | - | yes | | enabled | Whether to create the resources. Set to `false` to prevent the module from creating any resources | string | `false` | no | -| github_oauth_token | GitHub Oauth token. If not provided the token is looked up from SSM | string | `` | no | +| github_oauth_token | GitHub OAuth token. If not provided the token is looked up from SSM | string | `` | no | | github_oauth_token_ssm_name | SSM param name to lookup `github_oauth_token` if not provided | string | `` | no | | github_webhooks_token | GitHub OAuth Token with permissions to create webhooks. If not provided the token is looked up from SSM | string | `` | no | | github_webhooks_token_ssm_name | SSM param name to lookup `github_webhooks_token` if not provided | string | `` | no |