This guide explains how to secure environment variables when using the Atlantis module on Google Cloud Platform. For more information on using this module, see the basic example.
- Prerequisites
- How to deploy
- Setting sensitive environment variables
- Setting non sensitive environment variables
You should already have the following resources:
- An Artifact or Container Registry in Google Cloud.
- A CI/CD system with a secret manager integration (such as GitHub, Gitlab, Jenkins, or Cloud Build).
To deploy the Atlantis module, see Dockerfile and the main.tf.
- If you bring your own Docker image (not using any Atlantis image as base image), be sure to create an Atlantis user using a uid (user ID) of 100.
Atlantis allows you to configure everything using environment variables. However, these variables may contain sensitive values, and are therefore visible in the Google Cloud console when deploying a container. To protect these values, follow the steps below.
Use a wrapper Atlantis Docker image to set environment variables that contain sensitive values. See the following examples for more details:
- Cloud Build: pull secrets from Google Secret Manager
- GitHub Actions: pull secrets from Google Secret Manager
- GitHub Actions: use GitHub secrets
Use the var.env_vars variable to set non-sensitive environment variables.
env_vars = {
ATLANTIS_EXAMPLE = "example"
}Important: Do not specify the same environment variable in both the env_vars and the Dockerfile, as this might cause the deployment to fail.
Once you're done, see Configuring Webhooks for Atlantis