From a68863ad36bfc6b1331e8dc9d186897fc59829ce Mon Sep 17 00:00:00 2001 From: Stephen Coe Date: Thu, 7 Feb 2019 11:34:35 +0000 Subject: [PATCH 1/2] adding custom secrets and environment variables --- README.md | 20 +++++++++++--------- main.tf | 2 ++ variables.tf | 12 ++++++++++++ 3 files changed, 25 insertions(+), 9 deletions(-) diff --git a/README.md b/README.md index 0d105973..34c087ba 100644 --- a/README.md +++ b/README.md @@ -109,9 +109,9 @@ If all provided subnets are public (no NAT gateway) then `ecs_service_assign_pub | Name | Description | Type | Default | Required | |------|-------------|:----:|:-----:|:-----:| | acm\_certificate\_domain\_name | Route53 domain name to use for ACM certificate. Route53 zone for this domain should be created in advance. Specify if it is different from value in `route53_zone_name` | string | `""` | no | -| alb\_ingress\_cidr\_blocks | List of IPv4 CIDR ranges to use on all ingress rules of the ALB. | list | `[ "0.0.0.0/0" ]` | no | +| alb\_ingress\_cidr\_blocks | List of IPv4 CIDR ranges to use on all ingress rules of the ALB. | list | `` | no | | allow\_repo\_config | When true allows the use of atlantis.yaml config files within the source repos. | string | `"false"` | no | -| atlantis\_allowed\_repo\_names | Github repositories where webhook should be created | list | `[]` | no | +| atlantis\_allowed\_repo\_names | Github repositories where webhook should be created | list | `` | no | | atlantis\_github\_user | GitHub username that is running the Atlantis command | string | `""` | no | | atlantis\_github\_user\_token | GitHub token of the user that is running the Atlantis command | string | `""` | no | | atlantis\_github\_user\_token\_ssm\_parameter\_name | Name of SSM parameter to keep atlantis_github_user_token | string | `"/atlantis/github/user/token"` | no | 
@@ -123,12 +123,14 @@ If all provided subnets are public (no NAT gateway) then `ecs_service_assign_pub | atlantis\_port | Local port Atlantis should be running on. Default value is most likely fine. | string | `"4141"` | no | | atlantis\_repo\_whitelist | List of allowed repositories Atlantis can be used with | list | n/a | yes | | atlantis\_version | Verion of Atlantis to run. If not specified latest will be used | string | `"latest"` | no | -| azs | A list of availability zones in the region | list | `[]` | no | +| azs | A list of availability zones in the region | list | `` | no | | certificate\_arn | ARN of certificate issued by AWS ACM. If empty, a new ACM certificate will be created and validated using Route53 DNS | string | `""` | no | | cidr | The CIDR block for the VPC which will be created if `vpc_id` is not specified | string | `""` | no | | cloudwatch\_log\_retention\_in\_days | Retention period of Atlantis CloudWatch logs | string | `"7"` | no | | create\_route53\_record | Whether to create Route53 record for Atlantis | string | `"true"` | no | | custom\_container\_definitions | A list of valid container definitions provided as a single valid JSON document. By default, the standard container definition is used. 
| string | `""` | no | +| custom\_environment\_secrets | Additional SSM Params that the container will use | list | `` | no | +| custom\_environment\_variables | Additional environment variables that the container will use | list | `` | no | | ecs\_service\_assign\_public\_ip | Should be true, if ECS service is using public subnets (more info: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_cannot_pull_image.html) | string | `"false"` | no | | ecs\_service\_deployment\_maximum\_percent | The upper limit (as a percentage of the service's desiredCount) of the number of running tasks that can be running in a service during a deployment | string | `"200"` | no | | ecs\_service\_deployment\_minimum\_healthy\_percent | The lower limit (as a percentage of the service's desiredCount) of the number of running tasks that must remain running and healthy in a service during a deployment | string | `"50"` | no | 
@@ -136,14 +138,14 @@ If all provided subnets are public (no NAT gateway) then `ecs_service_assign_pub | ecs\_task\_cpu | The number of cpu units used by the task | string | `"256"` | no | | ecs\_task\_memory | The amount (in MiB) of memory used by the task | string | `"512"` | no | | name | Name to use on all resources created (VPC, ALB, etc) | string | `"atlantis"` | no | -| policies\_arn | A list of the ARN of the policies you want to apply | list | `[ "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy" ]` | no | -| private\_subnet\_ids | A list of IDs of existing private subnets inside the VPC | list | `[]` | no | -| private\_subnets | A list of private subnets inside the VPC | list | `[]` | no | -| public\_subnet\_ids | A list of IDs of existing public subnets inside the VPC | list | `[]` | no | -| public\_subnets | A list of public subnets inside the VPC | list | `[]` | no | +| policies\_arn | A list of the ARN of the policies you want to apply | list | `` | no | +| private\_subnet\_ids | A list of IDs of existing private subnets inside the VPC | list | `` | no | +| private\_subnets | A list of private subnets inside the VPC | list | `` | no | +| public\_subnet\_ids | A list of IDs of existing public subnets inside the VPC | list | `` | no | +| public\_subnets | A list of public subnets inside the VPC | list | `` | no | | route53\_zone\_name | Route53 zone name to create ACM certificate in and main A-record, without trailing dot | string | `""` | no | | ssm\_kms\_key\_arn | ARN of KMS key to use for entryption and decryption of SSM Parameters. 
Required only if your key uses a custom KMS key and not the default key | string | `""` | no | -| tags | A map of tags to use on all resources | map | `{}` | no | +| tags | A map of tags to use on all resources | map | `` | no | | vpc\_id | ID of an existing VPC where resources will be created | string | `""` | no | | webhook\_ssm\_parameter\_name | Name of SSM parameter to keep webhook secret | string | `"/atlantis/webhook/secret"` | no | diff --git a/main.tf b/main.tf index ae0cdce5..cec6e1a4 100644 --- a/main.tf +++ b/main.tf @@ -367,6 +367,7 @@ module "container_definition" { name = "ATLANTIS_REPO_WHITELIST" value = "${join(",", var.atlantis_repo_whitelist)}" }, + "${var.custom_environment_variables}", ] secrets = [ { @@ -377,6 +378,7 @@ module "container_definition" { name = "${local.secret_webhook_key}" valueFrom = "${var.webhook_ssm_parameter_name}" }, + "${var.custom_environment_secrets}", ] } diff --git a/variables.tf b/variables.tf index ab29ecb5..88ef6cdf 100644 --- a/variables.tf +++ b/variables.tf @@ -206,3 +206,15 @@ variable "atlantis_gitlab_hostname" { description = "Gitlab server hostname, defaults to gitlab.com" default = "gitlab.com" } + +variable "custom_environment_secrets" { + type = "list" + description = "Additional SSM Params that the container will use" + default = [] +} + +variable "custom_environment_variables" { + type = "list" + description = "Additional environment variables that the container will use" + default = [] +} From b7c8692bd2287552e04f2f291de68211450514ad Mon Sep 17 00:00:00 2001 From: Anton Babenko Date: Thu, 7 Feb 2019 18:17:51 +0100 Subject: [PATCH 2/2] Follow up for #35 and #36 --- README.md | 23 ++++++------ main.tf | 104 ++++++++++++++++++++++++++------------------------- variables.tf | 11 ++++-- 3 files changed, 73 insertions(+), 65 deletions(-) diff --git a/README.md b/README.md index 34c087ba..b50a773a 100644 --- a/README.md +++ b/README.md 
@@ -109,9 +109,9 @@ If all provided subnets are public (no NAT gateway) then `ecs_service_assign_pub | Name | Description | Type | Default | Required | |------|-------------|:----:|:-----:|:-----:| | acm\_certificate\_domain\_name | Route53 domain name to use for ACM certificate. Route53 zone for this domain should be created in advance. Specify if it is different from value in `route53_zone_name` | string | `""` | no | -| alb\_ingress\_cidr\_blocks | List of IPv4 CIDR ranges to use on all ingress rules of the ALB. | list | `` | no | +| alb\_ingress\_cidr\_blocks | List of IPv4 CIDR ranges to use on all ingress rules of the ALB. | list | `[ "0.0.0.0/0" ]` | no | | allow\_repo\_config | When true allows the use of atlantis.yaml config files within the source repos. | string | `"false"` | no | -| atlantis\_allowed\_repo\_names | Github repositories where webhook should be created | list | `` | no | +| atlantis\_allowed\_repo\_names | Github repositories where webhook should be created | list | `[]` | no | | atlantis\_github\_user | GitHub username that is running the Atlantis command | string | `""` | no | | atlantis\_github\_user\_token | GitHub token of the user that is running the Atlantis command | string | `""` | no | | atlantis\_github\_user\_token\_ssm\_parameter\_name | Name of SSM parameter to keep atlantis_github_user_token | string | `"/atlantis/github/user/token"` | no | 
@@ -123,14 +123,15 @@ If all provided subnets are public (no NAT gateway) then `ecs_service_assign_pub | atlantis\_port | Local port Atlantis should be running on. Default value is most likely fine. | string | `"4141"` | no | | atlantis\_repo\_whitelist | List of allowed repositories Atlantis can be used with | list | n/a | yes | | atlantis\_version | Verion of Atlantis to run. If not specified latest will be used | string | `"latest"` | no | -| azs | A list of availability zones in the region | list | `` | no | +| azs | A list of availability zones in the region | list | `[]` | no | | certificate\_arn | ARN of certificate issued by AWS ACM. If empty, a new ACM certificate will be created and validated using Route53 DNS | string | `""` | no | | cidr | The CIDR block for the VPC which will be created if `vpc_id` is not specified | string | `""` | no | | cloudwatch\_log\_retention\_in\_days | Retention period of Atlantis CloudWatch logs | string | `"7"` | no | +| container\_memory\_reservation | The amount of memory (in MiB) to reserve for the container | string | `"128"` | no | | create\_route53\_record | Whether to create Route53 record for Atlantis | string | `"true"` | no | | custom\_container\_definitions | A list of valid container definitions provided as a single valid JSON document. By default, the standard container definition is used. 
| string | `""` | no | -| custom\_environment\_secrets | Additional SSM Params that the container will use | list | `` | no | -| custom\_environment\_variables | Additional environment variables that the container will use | list | `` | no | +| custom\_environment\_secrets | List of additional secrets the container will use (list should contain maps with `name` and `valueFrom`) | list | `[]` | no | +| custom\_environment\_variables | List of additional environment variables the container will use (list should contain maps with `name` and `value`) | list | `[]` | no | | ecs\_service\_assign\_public\_ip | Should be true, if ECS service is using public subnets (more info: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_cannot_pull_image.html) | string | `"false"` | no | | ecs\_service\_deployment\_maximum\_percent | The upper limit (as a percentage of the service's desiredCount) of the number of running tasks that can be running in a service during a deployment | string | `"200"` | no | | ecs\_service\_deployment\_minimum\_healthy\_percent | The lower limit (as a percentage of the service's desiredCount) of the number of running tasks that must remain running and healthy in a service during a deployment | string | `"50"` | no | 
@@ -138,14 +139,14 @@ If all provided subnets are public (no NAT gateway) then `ecs_service_assign_pub | ecs\_task\_cpu | The number of cpu units used by the task | string | `"256"` | no | | ecs\_task\_memory | The amount (in MiB) of memory used by the task | string | `"512"` | no | | name | Name to use on all resources created (VPC, ALB, etc) | string | `"atlantis"` | no | -| policies\_arn | A list of the ARN of the policies you want to apply | list | `` | no | -| private\_subnet\_ids | A list of IDs of existing private subnets inside the VPC | list | `` | no | -| private\_subnets | A list of private subnets inside the VPC | list | `` | no | -| public\_subnet\_ids | A list of IDs of existing public subnets inside the VPC | list | `` | no | -| public\_subnets | A list of public subnets inside the VPC | list | `` | no | +| policies\_arn | A list of the ARN of the policies you want to apply | list | `[ "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy" ]` | no | +| private\_subnet\_ids | A list of IDs of existing private subnets inside the VPC | list | `[]` | no | +| private\_subnets | A list of private subnets inside the VPC | list | `[]` | no | +| public\_subnet\_ids | A list of IDs of existing public subnets inside the VPC | list | `[]` | no | +| public\_subnets | A list of public subnets inside the VPC | list | `[]` | no | | route53\_zone\_name | Route53 zone name to create ACM certificate in and main A-record, without trailing dot | string | `""` | no | | ssm\_kms\_key\_arn | ARN of KMS key to use for entryption and decryption of SSM Parameters. 
Required only if your key uses a custom KMS key and not the default key | string | `""` | no | -| tags | A map of tags to use on all resources | map | `` | no | +| tags | A map of tags to use on all resources | map | `{}` | no | | vpc\_id | ID of an existing VPC where resources will be created | string | `""` | no | | webhook\_ssm\_parameter\_name | Name of SSM parameter to keep webhook secret | string | `"/atlantis/webhook/secret"` | no | diff --git a/main.tf b/main.tf index cec6e1a4..89dfd575 100644 --- a/main.tf +++ b/main.tf @@ -20,6 +20,52 @@ locals { # Container definitions container_definitions = "${var.custom_container_definitions == "" ? module.container_definition.json : var.custom_container_definitions}" + container_definition_environment = [ + { + name = "ATLANTIS_ALLOW_REPO_CONFIG" + value = "${var.allow_repo_config}" + }, + { + name = "ATLANTIS_GITLAB_HOSTNAME" + value = "${var.atlantis_gitlab_hostname}" + }, + { + name = "ATLANTIS_LOG_LEVEL" + value = "debug" + }, + { + name = "ATLANTIS_PORT" + value = "${var.atlantis_port}" + }, + { + name = "ATLANTIS_ATLANTIS_URL" + value = "${local.atlantis_url}" + }, + { + name = "ATLANTIS_GH_USER" + value = "${var.atlantis_github_user}" + }, + { + name = "ATLANTIS_GITLAB_USER" + value = "${var.atlantis_gitlab_user}" + }, + { + name = "ATLANTIS_REPO_WHITELIST" + value = "${join(",", var.atlantis_repo_whitelist)}" + }, + ] + + container_definition_secrets = [ + { + name = "${local.secret_name_key}" + valueFrom = "${local.secret_name_value_from}" + }, + { + name = "${local.secret_webhook_key}" + valueFrom = "${var.webhook_ssm_parameter_name}" + }, + ] + tags = "${merge(map("Name", var.name), var.tags)}" } 
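Review bot: `ATLANTIS_LOG_LEVEL` is still hard-coded to `"debug"` inside the new `container_definition_environment` local, and because the later hunk appends `custom_environment_variables` with `concat` rather than merging by name, a caller who supplies their own `ATLANTIS_LOG_LEVEL` entry gets a second item with the same `name` in the container definition rather than an override — which of the two the container ends up with is not something this diff pins down. Debug-level output also lands in CloudWatch for the full `cloudwatch_log_retention_in_days` window, so for a service that holds VCS tokens and receives webhook payloads the level is worth exposing (whether anything sensitive is actually logged at that level is not visible here). Suggest `value = "${var.atlantis_log_level}"` here, with an `atlantis_log_level` variable in variables.tf defaulting to `"debug"` so current deployments keep their behavior. A short comment above the list, such as `# Built-in entries: custom_environment_variables are appended, not merged, so reusing these names yields duplicate keys`, would make the collision rule explicit for every key in this local.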
@@ -315,10 +361,9 @@ module "container_definition" { container_name = "${var.name}" container_image = "${local.atlantis_image}" - container_cpu = "${var.ecs_task_cpu}" - container_memory = "${var.ecs_task_memory}" - - // container_memory_reservation = "${var.ecs_task_memory_reservation}" + container_cpu = "${var.ecs_task_cpu}" + container_memory = "${var.ecs_task_memory}" + container_memory_reservation = "${var.container_memory_reservation}" port_mappings = [ { @@ -327,6 +372,7 @@ module "container_definition" { protocol = "tcp" }, ] + log_options = [ { "awslogs-region" = "${data.aws_region.current.name}" @@ -334,52 +380,10 @@ module "container_definition" { "awslogs-stream-prefix" = "ecs" }, ] - environment = [ - { - name = "ATLANTIS_ALLOW_REPO_CONFIG" - value = "${var.allow_repo_config}" - }, - { - name = "ATLANTIS_GITLAB_HOSTNAME" - value = "${var.atlantis_gitlab_hostname}" - }, - { - name = "ATLANTIS_LOG_LEVEL" - value = "debug" - }, - { - name = "ATLANTIS_PORT" - value = "${var.atlantis_port}" - }, - { - name = "ATLANTIS_ATLANTIS_URL" - value = "${local.atlantis_url}" - }, - { - name = "ATLANTIS_GH_USER" - value = "${var.atlantis_github_user}" - }, - { - name = "ATLANTIS_GITLAB_USER" - value = "${var.atlantis_gitlab_user}" - }, - { - name = "ATLANTIS_REPO_WHITELIST" - value = "${join(",", var.atlantis_repo_whitelist)}" - }, - "${var.custom_environment_variables}", - ] - secrets = [ - { - name = "${local.secret_name_key}" - valueFrom = "${local.secret_name_value_from}" - }, - { - name = "${local.secret_webhook_key}" - valueFrom = "${var.webhook_ssm_parameter_name}" - }, - "${var.custom_environment_secrets}", - ] + + environment = ["${concat(local.container_definition_environment, var.custom_environment_variables)}"] + + secrets = ["${concat(local.container_definition_secrets, var.custom_environment_secrets)}"] } resource "aws_ecs_task_definition" "atlantis" { diff --git a/variables.tf b/variables.tf index 88ef6cdf..90944b70 100644 --- a/variables.tf 
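Review bot: The new `secrets = ["${concat(local.container_definition_secrets, var.custom_environment_secrets)}"]` line lets a caller point `valueFrom` at any SSM parameter, but nothing in this hunk widens what the task execution role is allowed to read. If the module's execution-role policy is scoped to the two built-in parameter names (the policy is not in this diff, so this is an inference), a task carrying a custom secret would presumably fail at launch when ECS cannot fetch it, and that surfaces only in the stopped-task reason, never at plan time. Either feed the custom `valueFrom` names into the module's execution-role policy, or state in the variable description that the caller must grant `ssm:GetParameters` (plus `kms:Decrypt` when `ssm_kms_key_arn` is set) on those parameters. Separately, `concat` appends rather than merges, so a custom entry whose `name` equals `local.secret_name_key` or `local.secret_webhook_key` produces two entries with the same name; a comment on this line such as `# custom entries are appended verbatim; names must not collide with the built-in ones` would document that. The enclosing `module "container_definition"` block starts outside this hunk.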
+++ b/variables.tf @@ -142,6 +142,11 @@ variable "ecs_task_memory" { default = 512 } +variable "container_memory_reservation" { + description = "The amount of memory (in MiB) to reserve for the container" + default = 128 +} + variable "custom_container_definitions" { description = "A list of valid container definitions provided as a single valid JSON document. By default, the standard container definition is used." default = "" @@ -208,13 +213,11 @@ variable "atlantis_gitlab_hostname" { } variable "custom_environment_secrets" { - type = "list" - description = "Additional SSM Params that the container will use" + description = "List of additional secrets the container will use (list should contain maps with `name` and `valueFrom`)" default = [] } variable "custom_environment_variables" { - type = "list" - description = "Additional environment variables that the container will use" + description = "List of additional environment variables the container will use (list should contain maps with `name` and `value`)" default = [] }
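Review bot: The new description for `custom_environment_variables` spells out the map shape but not that each `value` is stored in plaintext in the registered task definition and in Terraform state, which is exactly the distinction a reader needs now that `custom_environment_secrets` sits next to it. Suggest appending `Values are stored in plaintext in the task definition and state; use custom_environment_secrets for anything sensitive.` to that description, and appending `The task execution role must be allowed to read each referenced parameter.` to the description of `custom_environment_secrets`. Dropping `type = "list"` from both variables also removes the only explicit check that a caller passed a list; with `default = []` Terraform 0.11 presumably infers the list type from the default, so this is likely harmless, but a non-list value would then surface only as a `concat` error in main.tf, so it is worth confirming.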