feat: integrate google oidc for UI authentication

Author: Rahul-4480

.header.md

@@ -1,34 +1,27 @@
-# Terraform Module to setup Atlantis in ECS with self managed EC2 instances
+# Terraform Module to Setup Atlantis in ECS with Self-Managed EC2 Instances
 
 This Terraform module automates the deployment of the Atlantis server on an ECS cluster with self-managed EC2 instances. It includes the configuration of an Application Load Balancer (ALB) for traffic routing. The module simplifies the process of setting up and managing Atlantis, enabling automated Terraform pull request workflows.
 
 ## Prerequisites
 
-- Domain with acm certificate attached
+- Domain with ACM certificate attached
 - Application secrets stored in AWS SSM Parameter Store with the following names and descriptions:
-
-  - `/atlantis/ATLANTIS_GH_USER`: The GitHub username used by Atlantis. Obtain this from your GitHub account settings.
   - `/atlantis/ATLANTIS_GH_TOKEN`: A GitHub personal access token with repo and admin:repo_hook permissions. Generate this from GitHub Developer settings.
   - `/atlantis/ATLANTIS_GH_WEBHOOK_SECRET`: The secret used to validate GitHub webhooks. Create a random secret string for this.
   - `/atlantis/AWS_ACCESS_KEY_ID`: The AWS Access Key ID for an IAM user with necessary permissions. Obtain this from AWS IAM user security credentials.
   - `/atlantis/AWS_SECRET_ACCESS_KEY`: The AWS Secret Access Key for the same IAM user. Obtain this from AWS IAM user security credentials.
+  - `/atlantis/ATLANTIS_GOOGLE_CLIENT_ID`: The Client ID for Google OAuth. Obtain this from Google Cloud Console.
+  - `/atlantis/ATLANTIS_GOOGLE_CLIENT_SECRET`: The Client Secret for Google OAuth. Obtain this from Google Cloud Console.
 
+- Set up the following in the Google Cloud Console for the OAuth consent screen:
+  - **Authorized JavaScript origins**:
+    - Use the value of `ATLANTIS_URL` from your `locals.tf`, which is defined as:
+      ```hcl
+      ATLANTIS_URL = "https://${local.atlantis_url}"
+      ```
 
-## Example tfvars configuration
-
-```
-public_subnet_ids              = ["subnet-0123456789", "subnet-1234567890"]
-system_name                    = "atlantis"
-private_subnet_ids             = ["subnet-9876543210", "subnet-6543217890"]
-vpc_id                         = "vpc-1234567890"
-ecs_cluster_name               = "atlantis"
-ecs_service_name               = "atlantis"
-ecs_task_definition_family     = "atlantis"
-ecs_launch_type_cpu            = 256
-ecs_launch_type_memory         = 512
-ecs_container_definations_name = "atlantis"
-vpc_cidr_block                 = "10.0.0.0/16"
-base_domain                    = "base_domain.io"
-sub_domain                     = "testatlantis"
-launch_template_key_name       = "test-atlantis"
-```
+  - **Authorized redirect URIs**:
+    - Use the value of `ATLANTIS_GOOGLE_REDIRECT_URI` from your `locals.tf`, which is defined as:
+      ```hcl
+      ATLANTIS_GOOGLE_REDIRECT_URI = "https://${local.atlantis_url}/oauth2/idpresponse"
+      ```

README.md

@@ -1,49 +1,43 @@
-# Terraform Module to setup Atlantis in ECS with self managed EC2 instances
+# Terraform Module to Setup Atlantis in ECS with Self-Managed EC2 Instances
 
 This Terraform module automates the deployment of the Atlantis server on an ECS cluster with self-managed EC2 instances. It includes the configuration of an Application Load Balancer (ALB) for traffic routing. The module simplifies the process of setting up and managing Atlantis, enabling automated Terraform pull request workflows.
 
 ## Prerequisites
 
-- Domain with acm certificate attached
+- Domain with ACM certificate attached
 - Application secrets stored in AWS SSM Parameter Store with the following names and descriptions:
-
-  - `/atlantis/ATLANTIS_GH_USER`: The GitHub username used by Atlantis. Obtain this from your GitHub account settings.
   - `/atlantis/ATLANTIS_GH_TOKEN`: A GitHub personal access token with repo and admin:repo\_hook permissions. Generate this from GitHub Developer settings.
   - `/atlantis/ATLANTIS_GH_WEBHOOK_SECRET`: The secret used to validate GitHub webhooks. Create a random secret string for this.
   - `/atlantis/AWS_ACCESS_KEY_ID`: The AWS Access Key ID for an IAM user with necessary permissions. Obtain this from AWS IAM user security credentials.
   - `/atlantis/AWS_SECRET_ACCESS_KEY`: The AWS Secret Access Key for the same IAM user. Obtain this from AWS IAM user security credentials.
-
-## Example tfvars configuration
-
-```
-public_subnet_ids              = ["subnet-0123456789", "subnet-1234567890"]
-system_name                    = "atlantis"
-private_subnet_ids             = ["subnet-9876543210", "subnet-6543217890"]
-vpc_id                         = "vpc-1234567890"
-ecs_cluster_name               = "atlantis"
-ecs_service_name               = "atlantis"
-ecs_task_definition_family     = "atlantis"
-ecs_launch_type_cpu            = 256
-ecs_launch_type_memory         = 512
-ecs_container_definations_name = "atlantis"
-vpc_cidr_block                 = "10.0.0.0/16"
-base_domain                    = "base_domain.io"
-sub_domain                     = "testatlantis"
-launch_template_key_name       = "test-atlantis"
-```
+  - `/atlantis/ATLANTIS_GOOGLE_CLIENT_ID`: The Client ID for Google OAuth. Obtain this from Google Cloud Console.
+  - `/atlantis/ATLANTIS_GOOGLE_CLIENT_SECRET`: The Client Secret for Google OAuth. Obtain this from Google Cloud Console.
+
+- Set up the following in the Google Cloud Console for the OAuth consent screen:
+  - **Authorized JavaScript origins**:
+    - Use the value of `ATLANTIS_URL` from your `locals.tf`, which is defined as:
+      ```hcl
+      ATLANTIS_URL = "https://${local.atlantis_url}"
+      ```
+
+  - **Authorized redirect URIs**:
+    - Use the value of `ATLANTIS_GOOGLE_REDIRECT_URI` from your `locals.tf`, which is defined as:
+      ```hcl
+      ATLANTIS_GOOGLE_REDIRECT_URI = "https://${local.atlantis_url}/oauth2/idpresponse"
+      ```
 
 ## Requirements
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.6 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.6.0 |
 | <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.5.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.58.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.5.0 |
 
 ## Modules
 
@@ -56,34 +50,40 @@ launch_template_key_name       = "test-atlantis"
 
 | Name | Type |
 |------|------|
+| [aws_iam_openid_connect_provider.google](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_openid_connect_provider) | resource |
+| [aws_ecs_cluster.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ecs_cluster) | data source |
 | [aws_ssm_parameter.environment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source |
+| [aws_vpc.selected](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_atlantis_repo_allowlist"></a> [atlantis\_repo\_allowlist](#input\_atlantis\_repo\_allowlist) | Comma delimited string containing repos to use atlantis | `string` | `"github.com/Rahul-4480/test-atlantis"` | no |
+| <a name="input_atlantis_gh_user"></a> [atlantis\_gh\_user](#input\_atlantis\_gh\_user) | The GitHub username used by Atlantis to access repositories | `string` | n/a | yes |
+| <a name="input_atlantis_repo_allowlist"></a> [atlantis\_repo\_allowlist](#input\_atlantis\_repo\_allowlist) | Comma delimited string containing repos to use atlantis | `string` | n/a | yes |
 | <a name="input_base_domain"></a> [base\_domain](#input\_base\_domain) | Your base domain with acm certificate attached to it. | `string` | n/a | yes |
-| <a name="input_ecs_cluster_name"></a> [ecs\_cluster\_name](#input\_ecs\_cluster\_name) | (Required) Name of the cluster. | `string` | n/a | yes |
-| <a name="input_ecs_container_definations_name"></a> [ecs\_container\_definations\_name](#input\_ecs\_container\_definations\_name) | Name of the ECS container defination. | `string` | n/a | yes |
-| <a name="input_ecs_launch_type_cpu"></a> [ecs\_launch\_type\_cpu](#input\_ecs\_launch\_type\_cpu) | EC2 instance CPU | `number` | n/a | yes |
-| <a name="input_ecs_launch_type_memory"></a> [ecs\_launch\_type\_memory](#input\_ecs\_launch\_type\_memory) | EC2 instance memory | `number` | n/a | yes |
-| <a name="input_ecs_service_name"></a> [ecs\_service\_name](#input\_ecs\_service\_name) | (Required) Name of the service. | `string` | n/a | yes |
-| <a name="input_ecs_task_definition_family"></a> [ecs\_task\_definition\_family](#input\_ecs\_task\_definition\_family) | (Required) A unique name for your task definition. | `string` | n/a | yes |
-| <a name="input_launch_template_key_name"></a> [launch\_template\_key\_name](#input\_launch\_template\_key\_name) | (Optional) The key name to use for the instance. | `string` | n/a | yes |
+| <a name="input_container_memory_reservation"></a> [container\_memory\_reservation](#input\_container\_memory\_reservation) | Soft limit (in MiB) of memory to reserve for the container. When system memory is under contention, Docker attempts to keep the container memory to this soft limit | `number` | n/a | yes |
+| <a name="input_ecs_auto_scaling_group_desired_capacity"></a> [ecs\_auto\_scaling\_group\_desired\_capacity](#input\_ecs\_auto\_scaling\_group\_desired\_capacity) | (Optional) Number of Amazon EC2 instances that should be running in the group. | `number` | `null` | no |
+| <a name="input_ecs_auto_scaling_group_max_size"></a> [ecs\_auto\_scaling\_group\_max\_size](#input\_ecs\_auto\_scaling\_group\_max\_size) | (Required) Maximum size of the Auto Scaling Group. | `number` | n/a | yes |
+| <a name="input_ecs_auto_scaling_group_min_size"></a> [ecs\_auto\_scaling\_group\_min\_size](#input\_ecs\_auto\_scaling\_group\_min\_size) | (Required) Minimum size of the Auto Scaling Group | `number` | n/a | yes |
+| <a name="input_ecs_launch_template_image_id"></a> [ecs\_launch\_template\_image\_id](#input\_ecs\_launch\_template\_image\_id) | (Optional) The AMI from which to launch the instance. | `string` | `null` | no |
+| <a name="input_ecs_launch_template_instance_type"></a> [ecs\_launch\_template\_instance\_type](#input\_ecs\_launch\_template\_instance\_type) | (Optional) The type of the instance. | `string` | `null` | no |
+| <a name="input_ecs_launch_type_cpu"></a> [ecs\_launch\_type\_cpu](#input\_ecs\_launch\_type\_cpu) | EC2 instance CPU | `number` | `null` | no |
+| <a name="input_ecs_launch_type_memory"></a> [ecs\_launch\_type\_memory](#input\_ecs\_launch\_type\_memory) | EC2 instance memory | `number` | `null` | no |
+| <a name="input_ecs_service_desired_count"></a> [ecs\_service\_desired\_count](#input\_ecs\_service\_desired\_count) | (Optional) Number of instances of the task definition to place and keep running. | `number` | `null` | no |
+| <a name="input_launch_template_key_name"></a> [launch\_template\_key\_name](#input\_launch\_template\_key\_name) | The key name to use for the instance. | `string` | n/a | yes |
 | <a name="input_private_subnet_ids"></a> [private\_subnet\_ids](#input\_private\_subnet\_ids) | List of Private subnet ids to deploy Atlantis server. | `list(string)` | n/a | yes |
 | <a name="input_public_subnet_ids"></a> [public\_subnet\_ids](#input\_public\_subnet\_ids) | List of Public subnet ids to deploy application load balancers. | `list(string)` | n/a | yes |
-| <a name="input_region"></a> [region](#input\_region) | AWS region to create resources in | `string` | `"ap-south-1"` | no |
 | <a name="input_sub_domain"></a> [sub\_domain](#input\_sub\_domain) | Your desired sub domain | `string` | n/a | yes |
-| <a name="input_system_name"></a> [system\_name](#input\_system\_name) | Name of the System | `string` | n/a | yes |
-| <a name="input_vpc_cidr_block"></a> [vpc\_cidr\_block](#input\_vpc\_cidr\_block) | VPC CIDR block for creating security groups. | `string` | n/a | yes |
 | <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | VPC ID for creating Atlantis Resources. | `string` | n/a | yes |
 
 ## Outputs
 
 | Name | Description |
 |------|-------------|
 | <a name="output_alb_dns_name"></a> [alb\_dns\_name](#output\_alb\_dns\_name) | The DNS name of the ALB |
+| <a name="output_authorized_javascript_origin"></a> [authorized\_javascript\_origin](#output\_authorized\_javascript\_origin) | The base URL for your application that is authorized to use JavaScript for OAuth requests. |
+| <a name="output_authorized_redirect_uri"></a> [authorized\_redirect\_uri](#output\_authorized\_redirect\_uri) | The redirect URI used by your OAuth provider to return responses to your application. |
 | <a name="output_ecs_service_name"></a> [ecs\_service\_name](#output\_ecs\_service\_name) | The name of the ECS service |
 | <a name="output_ecs_task_definition_arn"></a> [ecs\_task\_definition\_arn](#output\_ecs\_task\_definition\_arn) | The ARN of the ECS task definition |
 | <a name="output_github_webhook_url"></a> [github\_webhook\_url](#output\_github\_webhook\_url) | The URL for GitHub webhook |

data.tf

@@ -2,3 +2,11 @@ data "aws_ssm_parameter" "environment" {
   for_each = toset(local.secret_variables)
   name     = "/atlantis/${each.key}"
 }
+
+data "aws_vpc" "selected" {
+  id = var.vpc_id
+}
+
+data "aws_ecs_cluster" "default" {
+  cluster_name = "default"
+}

locals.tf

@@ -1,23 +1,32 @@
 locals {
+  google_oidc_endpoint            = "https://accounts.google.com"
+  thumbprint_list                 = ["e252aa6e92432f32cbc1b182056627c239652678"]
+  container_port                  = 4141
+  launch_type                     = "EC2"
+  ecs_container_definations_name  = "atlantis"
+  alb_system_name                 = "atlantis"
   atlantis_url                    = "${var.sub_domain}.${var.base_domain}"
   ecs_container_definations_image = "ghcr.io/runatlantis/atlantis:v0.23.1"
 
   env_variables = {
-    ATLANTIS_ATLANTIS_URL                = "https://${local.atlantis_url}"
+    ATLANTIS_GH_USER                     = var.atlantis_gh_user
+    ATLANTIS_URL                         = "https://${local.atlantis_url}"
     ATLANTIS_REPO_ALLOWLIST              = var.atlantis_repo_allowlist
     ATLANTIS_WRITE_GIT_CREDS             = "true"
     ATLANTIS_DISABLE_APPLY_ALL           = "true"
     ATLANTIS_SILENCE_NO_PROJECTS         = "true"
     ATLANTIS_PORT                        = "4141"
     ATLANTIS_ENABLE_DIFF_MARKDOWN_FORMAT = "true"
+    ATLANTIS_GOOGLE_REDIRECT_URI         = "https://${local.atlantis_url}/oauth2/idpresponse"
   }
 
   secret_variables = [
-    "ATLANTIS_GH_USER",
     "ATLANTIS_GH_TOKEN",
     "ATLANTIS_GH_WEBHOOK_SECRET",
     "AWS_ACCESS_KEY_ID",
-    "AWS_SECRET_ACCESS_KEY"
+    "AWS_SECRET_ACCESS_KEY",
+    "ATLANTIS_GOOGLE_CLIENT_ID",
+    "ATLANTIS_GOOGLE_CLIENT_SECRET"
   ]
 
   secrets = {

main.tf

@@ -1,40 +1,58 @@
 module "alb" {
   source            = "./modules/alb"
   base_domain       = var.base_domain
-  system_name       = var.system_name
+  system_name       = local.alb_system_name
   endpoints         = [var.sub_domain]
   public_subnet_ids = var.public_subnet_ids
   vpc_id            = var.vpc_id
 }
 
 module "ecs" {
   source                   = "./modules/ecs"
-  cluster_name             = var.ecs_cluster_name
-  service_name             = var.ecs_service_name
-  task_definition_family   = var.ecs_task_definition_family
+  cluster_arn              = data.aws_ecs_cluster.default.arn
   launch_template_key_name = var.launch_template_key_name
 
   launch_type = {
-    type   = "EC2"
-    cpu    = var.ecs_launch_type_cpu
-    memory = var.ecs_launch_type_memory
+    type   = local.launch_type
+    cpu    = try(var.ecs_launch_type_cpu, null)
+    memory = try(var.ecs_launch_type_memory, null)
   }
 
+  service_desired_count               = try(var.ecs_service_desired_count, null)
+  launch_template_instance_type       = try(var.ecs_launch_template_instance_type, null)
+  launch_template_image_id            = try(var.ecs_launch_template_image_id, null)
+  auto_scaling_group_desired_capacity = try(var.ecs_auto_scaling_group_desired_capacity, null)
+  auto_scaling_group_min_size         = var.ecs_auto_scaling_group_min_size
+  auto_scaling_group_max_size         = var.ecs_auto_scaling_group_max_size
 
   container_definitions = jsonencode([{
-    name           = var.ecs_container_definations_name
-    image          = local.ecs_container_definations_image
-    container_port = 4141
-    environment    = local.env_variables
-    secrets        = local.secrets
-    command        = ["server"]
+    name              = local.ecs_container_definations_name
+    image             = local.ecs_container_definations_image
+    container_port    = local.container_port
+    environment       = local.env_variables
+    secrets           = local.secrets
+    command           = ["server"]
+    memoryReservation = var.container_memory_reservation
   }])
+
   vpc_id             = var.vpc_id
-  vpc_cidr_block     = var.vpc_cidr_block
+  vpc_cidr_block     = data.aws_vpc.selected.cidr_block
   private_subnet_ids = var.private_subnet_ids
 
   endpoint_details = {
     lb_listener_arn = module.alb.alb_listener_arn
     domain_url      = local.atlantis_url
   }
+
+  authenticate_oidc_details = {
+    oidc_endpoint = local.google_oidc_endpoint
+    client_id     = data.aws_ssm_parameter.environment["ATLANTIS_GOOGLE_CLIENT_ID"].value
+    client_secret = data.aws_ssm_parameter.environment["ATLANTIS_GOOGLE_CLIENT_SECRET"].value
+  }
+}
+
+resource "aws_iam_openid_connect_provider" "google" {
+  client_id_list  = [data.aws_ssm_parameter.environment["ATLANTIS_GOOGLE_CLIENT_ID"].value]
+  thumbprint_list = local.thumbprint_list
+  url             = local.google_oidc_endpoint
 }

modules/alb/README.md

@@ -1,6 +1,9 @@
 ## Requirements
 
-No requirements.
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.6.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.5.0 |
 
 ## Providers
 

modules/alb/versions.tf

@@ -0,0 +1,10 @@
+terraform {
+  required_version = ">= 1.6.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 5.5.0"
+    }
+  }
+}