Merge pull request #74 from bschaatsbergen/port-startup-script-to-clo…

…udinit

Ported the startup script to a cloudinit config

.pre-commit-config.yaml

@@ -13,7 +13,3 @@ repos:
     rev: v3.4.0
     hooks:
       - id: check-merge-conflict
-  - repo: https://github.com/koalaman/shellcheck-precommit
-    rev: v0.7.2
-    hooks:
-      - id: shellcheck

README.md

@@ -46,19 +46,21 @@ You can check the status of the certificate in the Google Cloud Console.
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13.0 |
+| <a name="requirement_cloudinit"></a> [cloudinit](#requirement\_cloudinit) | >=2.2.0 |
 | <a name="requirement_google"></a> [google](#requirement\_google) | >=4.47.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
+| <a name="provider_cloudinit"></a> [cloudinit](#provider\_cloudinit) | >=2.2.0 |
 | <a name="provider_google"></a> [google](#provider\_google) | >=4.47.0 |
 
 ## Modules
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_atlantis"></a> [atlantis](#module\_atlantis) | terraform-google-modules/container-vm/google | 3.1.0 |
+| <a name="module_container"></a> [container](#module\_container) | terraform-google-modules/container-vm/google | 3.1.0 |
 
 ## Resources
 
@@ -76,6 +78,7 @@ You can check the status of the certificate in the Google Cloud Console.
 | [google_compute_route.public_internet](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_route) | resource |
 | [google_compute_target_https_proxy.default](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_target_https_proxy) | resource |
 | [google_compute_url_map.default](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_url_map) | resource |
+| [cloudinit_config.config](https://registry.terraform.io/providers/hashicorp/cloudinit/latest/docs/data-sources/config) | data source |
 | [google_compute_image.cos](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/compute_image) | data source |
 
 ## Inputs

main.tf

@@ -11,6 +11,90 @@ data "google_compute_image" "cos" {
   project = "cos-cloud"
 }
 
+data "cloudinit_config" "config" {
+  gzip          = false
+  base64_encode = false
+
+  part {
+    filename     = "atlantis-chown-disk.service"
+    content_type = "text/cloud-config"
+    content = yamlencode({
+      write_files = [
+        {
+          path        = "/etc/systemd/system/atlantis-chown-disk.service"
+          permissions = "0644"
+          owner       = "root"
+          content     = <<EOF
+          [Unit]
+          Description=Change ownership of the mount path to the Atlantis uid
+          Wants=konlet-startup.service
+          After=konlet-startup.service
+          [Service]
+          ExecStart=/bin/chown 100 /mnt/disks/gce-containers-mounts/gce-persistent-disks/atlantis-disk-0
+          Restart=on-failure
+          RestartSec=30
+          StandardOutput=journal+console
+          [Install]
+          WantedBy=multi-user.target
+          EOF
+        }
+      ]
+    })
+  }
+
+  part {
+    filename     = "runcmda"
+    content_type = "text/cloud-config"
+    merge_type   = "list(append)+dict(no_replace, recurse_list)+str()"
+    content = yamlencode({
+      runcmd = [
+        "systemctl daemon-reload",
+        "systemctl start --no-block atlantis-chown-disk.service"
+      ]
+    })
+  }
+}
+
+module "container" {
+  source  = "terraform-google-modules/container-vm/google"
+  version = "3.1.0"
+
+  container = {
+    image = var.image
+    securityContext = {
+      privileged = true
+    }
+    tty = true
+    env = [for key, value in var.env_vars : {
+      name  = key
+      value = value
+    }]
+
+    # Declare volumes to be mounted.
+    # This is similar to how docker volumes are declared.
+    volumeMounts = [
+      {
+        mountPath = local.atlantis_data_dir
+        name      = "atlantis-disk-0"
+        readOnly  = false
+      },
+    ]
+  }
+
+  volumes = [
+    {
+      name = "atlantis-disk-0"
+
+      gcePersistentDisk = {
+        pdName = "atlantis-disk-0"
+        fsType = "ext4"
+      }
+    },
+  ]
+
+  restart_policy = "Always"
+}
+
 resource "google_compute_instance_template" "default" {
   # checkov:skip=CKV_GCP_32:Ensure 'Block Project-wide SSH keys' is enabled for VM instances
   name_prefix = "${var.name}-"
@@ -19,10 +103,9 @@ resource "google_compute_instance_template" "default" {
 
   tags = concat(["atlantis"], var.tags)
 
-  metadata_startup_script = templatefile("${path.module}/startup-script.sh", { disk_name = "atlantis-disk-0" })
-
   metadata = {
     "gce-container-declaration" = module.container.metadata_value
+    "user-data"                 = data.cloudinit_config.config.rendered
     "google-logging-enabled"    = true
     "block-project-ssh-keys"    = var.block_project_ssh_keys_enabled
   }
@@ -101,46 +184,6 @@ resource "google_compute_instance_template" "default" {
   }
 }
 
-module "container" {
-  source  = "terraform-google-modules/container-vm/google"
-  version = "3.1.0"
-
-  container = {
-    image = var.image
-    securityContext = {
-      privileged = true
-    }
-    tty = true
-    env = [for key, value in var.env_vars : {
-      name  = key
-      value = value
-    }]
-
-    # Declare volumes to be mounted.
-    # This is similar to how docker volumes are declared.
-    volumeMounts = [
-      {
-        mountPath = local.atlantis_data_dir
-        name      = "atlantis-disk-0"
-        readOnly  = false
-      },
-    ]
-  }
-
-  volumes = [
-    {
-      name = "atlantis-disk-0"
-
-      gcePersistentDisk = {
-        pdName = "atlantis-disk-0"
-        fsType = "ext4"
-      }
-    },
-  ]
-
-  restart_policy = "Always"
-}
-
 resource "google_compute_health_check" "default" {
   name                = var.name
   check_interval_sec  = 1

versions.tf

@@ -6,5 +6,9 @@ terraform {
       source  = "hashicorp/google"
       version = ">=4.47.0"
     }
+    cloudinit = {
+      source  = "hashicorp/cloudinit"
+      version = ">=2.2.0"
+    }
   }
 }