diff --git a/README.md b/README.md
index 28a449c..5acd35e 100644
--- a/README.md
+++ b/README.md
@@ -179,7 +179,8 @@ You can check the status of the certificate in the Google Cloud Console.
|------|---------|
| [terraform](#requirement\_terraform) | >= 0.13.0 |
| [cloudinit](#requirement\_cloudinit) | >=2.2.0 |
-| [google](#requirement\_google) | >=4.47.0 |
+| [google](#requirement\_google) | >=4.79.0 |
+| [google-beta](#requirement\_google-beta) | >=4.79.0 |
| [random](#requirement\_random) | >=3.4.3 |
## Providers
@@ -187,7 +188,8 @@ You can check the status of the certificate in the Google Cloud Console.
| Name | Version |
|------|---------|
| [cloudinit](#provider\_cloudinit) | >=2.2.0 |
-| [google](#provider\_google) | >=4.47.0 |
+| [google](#provider\_google) | >=4.79.0 |
+| [google-beta](#provider\_google-beta) | >=4.79.0 |
| [random](#provider\_random) | >=3.4.3 |
## Modules
@@ -200,6 +202,7 @@ You can check the status of the certificate in the Google Cloud Console.
| Name | Type |
|------|------|
+| [google-beta_google_compute_instance_group_manager.default](https://registry.terraform.io/providers/hashicorp/google-beta/latest/docs/resources/google_compute_instance_group_manager) | resource |
| [google_compute_backend_service.default](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_backend_service) | resource |
| [google_compute_backend_service.iap](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_backend_service) | resource |
| [google_compute_firewall.lb_health_check](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_firewall) | resource |
@@ -207,7 +210,6 @@ You can check the status of the certificate in the Google Cloud Console.
| [google_compute_global_forwarding_rule.https](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_global_forwarding_rule) | resource |
| [google_compute_health_check.default](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_health_check) | resource |
| [google_compute_health_check.default_instance_group_manager](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_health_check) | resource |
-| [google_compute_instance_group_manager.default](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_instance_group_manager) | resource |
| [google_compute_instance_template.default](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_instance_template) | resource |
| [google_compute_managed_ssl_certificate.default](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_managed_ssl_certificate) | resource |
| [google_compute_route.public_internet](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_route) | resource |
@@ -227,6 +229,7 @@ You can check the status of the certificate in the Google Cloud Console.
| [domain](#input\_domain) | Domain to associate Atlantis with and to request a managed SSL certificate for. Without `https://` | `string` | n/a | yes |
| [enable\_oslogin](#input\_enable\_oslogin) | Enables OS Login service on the VM | `bool` | `false` | no |
| [env\_vars](#input\_env\_vars) | Key-value pairs representing environment variables and their respective values | `map(any)` | n/a | yes |
+| [expose\_metrics\_publicly](#input\_expose\_metrics\_publicly) | Exposes the /metrics endpoint publicly even if Atlantis is protected by IAP | `bool` | `false` | no |
| [iap](#input\_iap) | Settings for enabling Cloud Identity Aware Proxy to protect the Atlantis UI | object({
oauth2_client_id = string
oauth2_client_secret = string
}) | `null` | no |
| [image](#input\_image) | Docker image. This is most often a reference to a container located in a container registry | `string` | `"ghcr.io/runatlantis/atlantis:latest"` | no |
| [labels](#input\_labels) | Key-value pairs representing labels attaching to instance & instance template | `map(any)` | `{}` | no |
diff --git a/main.tf b/main.tf
index 5193d79..48e05ce 100644
--- a/main.tf
+++ b/main.tf
@@ -1,11 +1,16 @@
locals {
- # The default port that Atlantis runs on is 4141.
+ # The default port that Atlantis runs on is 4141, we default to this.
atlantis_port = lookup(var.env_vars, "ATLANTIS_PORT", 4141)
- # Atlantis its home directory is "/home/atlantis".
- atlantis_data_dir = lookup(var.env_vars, "ATLANTIS_DATA_DIR", "/home/atlantis")
- port_name = "atlantis"
- network_traffic_tags = ["atlantis-${random_string.random.result}"]
- labels = merge(var.labels, { "container-vm" = module.container.vm_container_label })
+ # Atlantis' home directory is "/home/atlantis", we default to this.
+ atlantis_data_dir = lookup(var.env_vars, "ATLANTIS_DATA_DIR", "/home/atlantis")
+ atlantis_port_name = "atlantis"
+ atlantis_network_traffic_tags = ["atlantis-${random_string.random.result}"]
+ atlantis_labels = merge(
+ var.labels,
+ module.container.container_vm.labels,
+ { "vm" = module.container.container_vm.name },
+ { "app" = "atlantis" }
+ )
}
resource "random_string" "random" {
@@ -146,7 +151,12 @@ resource "google_compute_instance_template" "default" {
boot = true
disk_type = "pd-ssd"
disk_size_gb = 10
- labels = local.labels
+ labels = merge(
+ local.atlantis_labels,
+ {
+ "disk-type" = "boot"
+ },
+ )
dynamic "disk_encryption_key" {
for_each = var.disk_kms_key_self_link != null ? [1] : []
@@ -163,7 +173,12 @@ resource "google_compute_instance_template" "default" {
mode = "READ_WRITE"
disk_size_gb = var.persistent_disk_size_gb
auto_delete = false
- labels = local.labels
+ labels = merge(
+ local.atlantis_labels,
+ {
+ "disk-type" = "data"
+ },
+ )
dynamic "disk_encryption_key" {
for_each = var.disk_kms_key_self_link != null ? [1] : []
@@ -189,10 +204,8 @@ resource "google_compute_instance_template" "default" {
scopes = var.service_account.scopes
}
- tags = concat(local.network_traffic_tags, var.tags)
-
- labels = local.labels
-
+ tags = concat(local.atlantis_network_traffic_tags, var.tags)
+ labels = local.atlantis_labels
project = var.project
# Instance Templates cannot be updated after creation with the Google Cloud Platform API.
@@ -239,8 +252,12 @@ resource "google_compute_instance_group_manager" "default" {
instance_template = google_compute_instance_template.default.id
}
+ all_instances_config {
+ labels = local.atlantis_labels
+ }
+
named_port {
- name = local.port_name
+ name = local.atlantis_port_name
port = local.atlantis_port
}
@@ -264,7 +281,8 @@ resource "google_compute_instance_group_manager" "default" {
max_unavailable_fixed = 1
replacement_method = "RECREATE"
}
- project = var.project
+ project = var.project
+ provider = google-beta
}
resource "google_compute_global_address" "default" {
@@ -283,7 +301,7 @@ resource "google_compute_managed_ssl_certificate" "default" {
resource "google_compute_backend_service" "default" {
name = var.name
protocol = "HTTP"
- port_name = local.port_name
+ port_name = local.atlantis_port_name
timeout_sec = 10
connection_draining_timeout_sec = 5
load_balancing_scheme = "EXTERNAL_MANAGED"
@@ -306,7 +324,7 @@ resource "google_compute_backend_service" "iap" {
count = var.iap != null ? 1 : 0
name = "${var.name}-iap"
protocol = "HTTP"
- port_name = local.port_name
+ port_name = local.atlantis_port_name
timeout_sec = 10
connection_draining_timeout_sec = 5
load_balancing_scheme = "EXTERNAL_MANAGED"
@@ -358,19 +376,27 @@ resource "google_compute_url_map" "default" {
for_each = var.iap != null ? [1] : []
content {
hosts = [var.domain]
- path_matcher = "events"
+ path_matcher = "public"
}
}
dynamic "path_matcher" {
for_each = var.iap != null ? [1] : []
content {
- name = "events"
+ name = "public"
default_service = google_compute_backend_service.iap[0].id
path_rule {
paths = ["/events"]
service = google_compute_backend_service.default.id
}
+
+ dynamic "path_rule" {
+ for_each = var.expose_metrics_publicly ? [1] : []
+ content {
+ paths = ["/metrics"]
+ service = google_compute_backend_service.default.id
+ }
+ }
}
}
}
@@ -403,7 +429,7 @@ resource "google_compute_route" "public_internet" {
next_hop_gateway = "default-internet-gateway"
priority = 0
project = var.project
- tags = local.network_traffic_tags
+ tags = local.atlantis_network_traffic_tags
}
# This firewall rule allows Google Cloud to issue the health checks
@@ -422,5 +448,5 @@ resource "google_compute_firewall" "lb_health_check" {
data.google_netblock_ip_ranges.this["legacy-health-checkers"].cidr_blocks_ipv4,
))
project = var.project
- target_tags = local.network_traffic_tags
+ target_tags = local.atlantis_network_traffic_tags
}
diff --git a/variables.tf b/variables.tf
index 265c7b8..9ff201a 100644
--- a/variables.tf
+++ b/variables.tf
@@ -140,6 +140,12 @@ variable "project" {
default = null
}
+variable "expose_metrics_publicly" {
+ type = bool
+ description = "Exposes the /metrics endpoint publicly even if Atlantis is protected by IAP"
+ default = false
+}
+
variable "labels" {
type = map(any)
description = "Key-value pairs representing labels attaching to instance & instance template"
diff --git a/versions.tf b/versions.tf
index 64b8914..d184637 100644
--- a/versions.tf
+++ b/versions.tf
@@ -4,7 +4,11 @@ terraform {
required_providers {
google = {
source = "hashicorp/google"
- version = ">=4.47.0"
+ version = ">=4.79.0"
+ }
+ google-beta = {
+ source = "hashicorp/google-beta"
+ version = ">=4.79.0"
}
cloudinit = {
source = "hashicorp/cloudinit"