Releases: runatlantis/terraform-gce-atlantis

4.1.0

28 Mar 20:46
ddc5881

What's Changed

Full Changelog: 3.0.3...4.1.0

3.0.3

04 Dec 23:24
cf4396f
Update README.md @bschaatsbergen (#135)

v3.0.2

04 Dec 23:20
3d7b060
Minor fix in Cloud Armor README @bschaatsbergen (#134)

what

  • Fix a typo in the README.

why

  • It's referencing the incorrect example usage.

v3.0.1

04 Dec 23:18
cfa90c8
feat: add monitoring and fluentbit tags @bschaatsbergen (#126)

what

why

references

🚀 Enhancements

feat: add option to attach a security policy to the default backend @d-costa (#132)

what

  • Give clients the option to attach a security policy to the default backend service.
  • Create a new deployment example, using IAP and Cloud Armor, allowing only events coming from GitHub Webhooks.

why

  • Google Cloud Armor security policies protect applications running behind a load balancer from distributed denial-of-service (DDoS) and other web-based attacks. It also features preconfigured security policies.
  • Improve the security of the default backend service: even if the webhook secret is compromised, only requests coming from the whitelisted IPs are allowed.

references

v3.0.0

25 Oct 19:58
8a2a864
Allow metrics to be exposed publicly @bschaatsbergen (#123)

what

  • Added a host rule and path matcher to possibly expose metrics publicly.

why

  • As Atlantis uses the /metrics path to expose certain metrics, we should make it possible to access it without IAP.

references

v2.1.5

19 Oct 06:55
902a614
chore: fix typo in IAP example related to oauth2 config @bschaatsbergen (#124)

what

  • Fixed a typo in the IAP section related to oauth2 config.

references

v2.1.4

19 Oct 05:37
cd50c13

🚀 Enhancements

feat: add checkov @bschaatsbergen (#125)

what

  • Added checkov to pre-commit
  • Fixed some checkov warnings in the /examples.
  • Added a GitHub Workflow to run pre-commit on each PR.

references

v2.1.3

27 Jun 21:49
ff6ec11

🚀 Enhancements

feat: add simple Terraform registry syntax example @bschaatsbergen (#119)

what

  • Adds a simple example of the Terraform Module Registry syntax.

why

  • Makes it easier to implement as there's a bit of reference code.

references

v2.1.2

14 Jun 21:30
a2a844f
SSL Policy for Certificate is configurable @artusiep (#118)

what

  • Adding new optional variable for SSL Policy
  • Adding example with the most secure SSL Policy GCP provides

why

  • Configurable SSL Policy should be possible for Atlantis Server to be more secure

v2.1.1

01 May 08:58
d2157aa

🚀 Enhancements

Allow configuring Shielded VM options @kpocius (#113)

Secure Boot (enabled in #93 -- my bad) causes issues when updating COS image, as noted by @dennislapchenko in #112. This is because it saves the known boot configuration and compares to it upon instance restart, but since we're swapping out the image, it fails.

One way around it is to run gcloud compute instances update <atlantis-vm-name> --shielded-learn-integrity-policy, but there's no way to handle it gracefully in terraform.

This PR introduces an option to turn off secure boot, but does not change the current default behavior as it would cause instances to be recreated.

However, long term it would probably make sense to have secure boot set to off by default for most but the most locked down deployments. Otherwise as it currently stands, the instance needs to be either manually removed or the command given above needs to be executed after each COS update.