
UNMAINTAINED: this project is not being actively maintained anymore. It works as it is, but we won't be working on new features or bug fixes anymore. If you are using this module and are willing to maintain it, open an issue and we'll be more than happy to transfer the repo.

terraform-concourse

ci.skyscrape.rs

Terraform module to setup Concourse CI. This repository contains the following modules:

  • keys: Creates an S3 bucket and uploads an auto-generated set of keys for Concourse.
  • ecs-web: ECS based setup for the Concourse web service, which is currently the combination of the ATC and TSA. (See the Concourse Concepts documentation for what these acronyms mean.)
  • ec2-worker: EC2 based setup for a (pool of) Concourse worker(s).
  • vault-auth: Sets up the required resources in Vault so it can be integrated in Concourse.

keys

Creates an S3 bucket and uploads an auto-generated set of keys for concourse.

The following resources are created:

  • S3 bucket for concourse keys
  • Uploads concourse keys to bucket

Available variables

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| bucket_force_destroy | A boolean that indicates all objects should be deleted from the bucket so that the bucket can be destroyed without error. These objects are not recoverable | string | false | no |
| concourse_keys_version | Change this if you want to re-generate Concourse keys | string | 1 | no |
| concourse_workers_iam_role_arns | List of ARNs for the IAM roles that will be able to assume the role to access concourse keys in S3. Normally you'll include the Concourse worker IAM role here | list | - | yes |
| environment | The name of the environment these subnets belong to (prod,stag,dev) | string | - | yes |
| generate_keys | If set to true this module will generate the necessary RSA keys with the tls_private_key resource and upload them to S3 (server-side encrypted). Be aware that this will store the generated unencrypted keys in the Terraform state, so be sure to use a secure state backend (e.g. S3 encrypted), or set this to false and generate the keys manually | string | true | no |
| name | The name of the Concourse deployment, used to distinguish different Concourse setups | string | - | yes |

Outputs

| Name | Description |
|------|-------------|
| concourse_keys_cross_account_role_arn | IAM role ARN that Concourse workers on other AWS accounts will need to assume to access the Concourse keys bucket |
| keys_bucket_arn | The ARN of the S3 bucket where the concourse keys are stored |
| keys_bucket_id | The id (name) of the S3 bucket where the concourse keys are stored |

ecs-web

This sets up Concourse Web on an ECS cluster.

The following resources are created:

  • ELB
  • Web concourse ECS service

Available variables

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| backend_security_group_id | Security group ID of the ECS servers | string | n/a | yes |
| concourse_db_host | Postgresql server hostname or IP | string | n/a | yes |
| concourse_db_password | Password to logon to postgresql | string | n/a | yes |
| ecs_cluster | Name of the ecs cluster | string | n/a | yes |
| ecs_service_role_arn | IAM role to use for the service to be able to let it register to the ELB | string | n/a | yes |
| elb_subnets | Subnets to deploy the ELB in | list(string) | n/a | yes |
| environment | The name of the environment these subnets belong to (prod,stag,dev) | string | n/a | yes |
| keys_bucket_arn | The S3 bucket ARN which contains the SSH keys to connect to the TSA | string | n/a | yes |
| keys_bucket_id | The S3 bucket id which contains the SSH keys to connect to the TSA | string | n/a | yes |
| name | The name of the Concourse deployment, used to distinguish different Concourse setups | string | n/a | yes |
| ssl_certificate_id | SSL certificate arn to attach to the ELB | string | n/a | yes |
| allowed_incoming_cidr_blocks | Allowed CIDR blocks in Concourse ATC+TSA. Defaults to 0.0.0.0/0 | list(string) | ["0.0.0.0/0"] | no |
| auto_create_db | If set to true, the Concourse web container will attempt to create the postgres database if it's not already created | bool | false | no |
| concourse_auth_main_team_local_user | Local user to allow access to the main team | string | null | no |
| concourse_auth_password | Basic authentication password | string | null | no |
| concourse_auth_username | Basic authentication username | string | null | no |
| concourse_db_name | Database name to use on the postgresql server | string | "concourse" | no |
| concourse_db_port | Port of the postgresql server | string | "5432" | no |
| concourse_db_postgres_engine_version | Postgres engine version used in the Concourse database server. Only needed if auto_create_db is set to true | string | null | no |
| concourse_db_root_password | Root password of the Postgres database server. Only needed if auto_create_db is set to true | string | "" | no |
| concourse_db_username | Database user to logon to postgresql | string | "concourse" | no |
| concourse_default_build_logs_to_retain | Default number of build logs that are kept. This can be overridden on job level | string | "100" | no |
| concourse_default_days_to_retain_build_logs | Default days of build logs that are kept. This can be overridden on job level | string | "90" | no |
| concourse_docker_image | Docker image to use to start concourse | string | "concourse/concourse" | no |
| concourse_extra_args | Extra arguments to pass to Concourse Web | string | null | no |
| concourse_extra_env | Extra ENV variables to pass to Concourse Web. Use a map with the ENV var name as key and value as value | map(string) | null | no |
| concourse_github_auth_client_id | Github client id | string | null | no |
| concourse_github_auth_client_secret | Github client secret | string | null | no |
| concourse_github_auth_team | Github team that can login | string | null | no |
| concourse_hostname | Hostname on which concourse will be available, this hostname needs to point to the ELB. If omitted, the hostname of the AWS ELB will be used instead | string | null | no |
| concourse_prometheus_bind_ip | IP address where Concourse will listen for the Prometheus scraper | string | "0.0.0.0" | no |
| concourse_prometheus_bind_port | Port where Concourse will listen for the Prometheus scraper | string | "9391" | no |
| concourse_version | Concourse CI version to use. Defaults to the latest tested version | string | "7.7.1" | no |
| concourse_version_override | Variable to override the default Concourse version. Leave it empty to fall back to concourse_version. Useful if you want to default to the module's default but also give the users the option to override it | string | null | no |
| concourse_web_instance_count | Number of containers running Concourse web | number | 1 | no |
| container_cpu | The number of cpu units to reserve for the container. This parameter maps to CpuShares in the Create a container section of the Docker Remote API | number | 256 | no |
| container_memory | The amount of memory (in MiB) used by the task | number | 256 | no |
| prometheus_cidrs | CIDR blocks that will be allowed to access the Prometheus scraper port | list(string) | [] | no |
| vault_auth_concourse_role_name | The Vault role that Concourse will use. This is normally fetched from the vault-auth Terraform module | string | null | no |
| vault_docker_image_tag | Docker image version to use for the Vault auth container | string | "1.3.2" | no |
| vault_server_url | The Vault server URL to configure in Concourse. Leaving it empty will disable the Vault integration | string | null | no |

Outputs

| Name | Description |
|------|-------------|
| concourse_hostname | Final Concourse hostname |
| concourse_version | Concourse version deployed |
| ecs_service_name | ECS Service Name of concourse web |
| elb_dns_name | DNS name of the loadbalancer |
| elb_sg_id | Security group id of the loadbalancer |
| elb_zone_id | Zone ID of the ELB |
| iam_role_arn | ARN of the IAM role created for the Concourse ECS task |

Examples

You can use concourse_extra_args or concourse_extra_env to pass any Concourse configuration to the deployment. For example, to add GitLab authentication for a self-hosted instance:

concourse_extra_env = {
  CONCOURSE_GITLAB_CLIENT_ID       = "my_client_id",
  CONCOURSE_GITLAB_CLIENT_SECRET   = "my_client_secret",
  CONCOURSE_GITLAB_HOST            = "https://gitlab.example.com",
  # If you want a GitLab group to access the `main` Concourse team:
  CONCOURSE_MAIN_TEAM_GITLAB_GROUP = "my_group"
}

ec2-worker

This sets up a Concourse CI worker pool as EC2 instances running in an Autoscaling group.

The following resources will be created:

  • Autoscaling launch configuration & autoscaling group
    • The EC2 instances have an additional EBS volume attached, automatically formatted as btrfs
  • Security group
  • IAM role

Requirements

| Name | Version |
|------|---------|
| terraform | ~> 1.0 |
| aws | ~> 3.74 |

Providers

| Name | Version |
|------|---------|
| aws | ~> 3.74 |
| template | n/a |

Modules

| Name | Source | Version |
|------|--------|---------|
| is_ebs_optimised | github.com/skyscrapers/terraform-instances//is_ebs_optimised | 3.1.0 |
| teleport_bootstrap_script | github.com/skyscrapers/terraform-teleport//teleport-bootstrap-script | 7.2.1 |

Resources

| Name | Type |
|------|------|
| aws_autoscaling_group.concourse_worker_asg | resource |
| aws_iam_instance_profile.concourse_worker_instance_profile | resource |
| aws_iam_role.concourse_worker_role | resource |
| aws_iam_role_policy.concourse_worker_cross_account_policy | resource |
| aws_iam_role_policy.concourse_worker_policy | resource |
| aws_launch_template.concourse_worker_launchtemplate | resource |
| aws_launch_template.concourse_worker_launchtemplate_ephemeral | resource |
| aws_security_group.worker_instances_sg | resource |
| aws_security_group_rule.worker_instances_to_tsa | resource |
| aws_ami.AL2 | data source |
| aws_iam_policy_document.concourse_worker_cross_account_policy | data source |
| aws_iam_policy_document.concourse_worker_policy | data source |
| aws_iam_policy_document.concourse_worker_role | data source |
| template_cloudinit_config.concourse_bootstrap | data source |
| template_file.check_attachment | data source |
| template_file.concourse_bootstrap | data source |
| template_file.concourse_systemd | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| concourse_hostname | Hostname on which concourse will be available, this hostname needs to point to the ELB. | string | n/a | yes |
| environment | The name of the environment these subnets belong to (prod,stag,dev) | string | n/a | yes |
| instance_type | EC2 instance type for the worker instances | string | n/a | yes |
| keys_bucket_arn | The S3 bucket ARN which contains the SSH keys to connect to the TSA | string | n/a | yes |
| keys_bucket_id | The S3 bucket id which contains the SSH keys to connect to the TSA | string | n/a | yes |
| name | A descriptive name of the purpose of this Concourse worker pool | string | n/a | yes |
| ssh_key_name | The key name to use for the instance | string | n/a | yes |
| subnet_ids | List of subnet ids where to deploy the worker instances | list(string) | n/a | yes |
| vpc_id | The VPC id where to deploy the worker instances | string | n/a | yes |
| additional_security_group_ids | Additional security group ids to attach to the worker instances | list(string) | [] | no |
| baggageclaim_driver | Which Concourse Worker baggageclaim driver to use. Supported choices: btrfs and overlay | string | "overlay" | no |
| concourse_tags | List of tags to add to the worker to use for assigning jobs and tasks | list(string) | [] | no |
| concourse_version | Concourse CI version to use. Defaults to the latest tested version | string | "7.7.1" | no |
| concourse_version_override | Variable to override the default Concourse version. Leave it empty to fall back to concourse_version. Useful if you want to default to the module's default but also give the users the option to override it | string | null | no |
| concourse_worker_instance_count | Number of Concourse worker instances | number | 1 | no |
| cpu_credits | The credit option for CPU usage. Can be standard or unlimited | string | "standard" | no |
| cross_account_worker_role_arn | IAM role ARN to assume to access the Concourse keys bucket in another AWS account | string | null | no |
| custom_ami | Use a custom AMI for the worker instances. If omitted the latest Ubuntu 16.04 AMI will be used. | string | null | no |
| project | Project where the concourse cluster belongs to. This is mainly used to identify it in Teleport | string | "" | no |
| public | Whether to assign these worker nodes a public IP (when public subnets are defined in var.subnet_ids) | bool | false | no |
| root_disk_volume_size | Size of the worker instances root disk | string | "10" | no |
| root_disk_volume_type | Volume type of the worker instances root disk | string | "gp2" | no |
| teleport_auth_token | Teleport node token to authenticate with the auth server | string | "" | no |
| teleport_server | Teleport auth server hostname | string | "" | no |
| teleport_version | Teleport version for the client | string | "10.1.4" | no |
| work_disk_device_name | Device name of the external EBS volume to use as Concourse worker storage | string | "/dev/sdf" | no |
| work_disk_ephemeral | Whether to use ephemeral volumes as Concourse worker storage. You must use an instance_type that supports this | string | false | no |
| work_disk_internal_device_name | Device name of the internal volume as identified by the Linux kernel, which can differ from work_disk_device_name depending on the AMI used. Make sure this is set according to the instance_type, e.g. /dev/xvdf when using an older AMI | string | "/dev/nvme1n1" | no |
| work_disk_volume_size | Size of the external EBS volume to use as Concourse worker storage | string | "100" | no |
| work_disk_volume_type | Volume type of the external EBS volume to use as Concourse worker storage | string | "gp2" | no |
| worker_tsa_port | TSA port that the worker can use to connect to the web | string | "2222" | no |

Outputs

| Name | Description |
|------|-------------|
| concourse_version | Concourse version deployed |
| worker_autoscaling_group_arn | The AWS region configured in the provider |
| worker_autoscaling_group_id | The Concourse workers autoscaling group ARN |
| worker_autoscaling_group_name | The Concourse workers autoscaling group name |
| worker_iam_role | Role name of the worker instances |
| worker_iam_role_arn | Role ARN of the worker instances |
| worker_instances_sg_id | Security group ID used for the worker instances |

NOTE on the external EBS volume

The EC2 instances created by this module include an external EBS volume that is automatically attached and mounted. Pay special attention to the device name those volumes get inside the OS once attached, as that name can vary with the instance type you selected. For example, on t2 instances an EBS volume attached as /dev/xvdf generally keeps the same device name inside the OS, but on m5 or c4 instances that is not the case: there it will be named /dev/nvme1n1.

As of now, the module does not handle this automatically, so depending on the instance type you select you might have to change the internal device name via the variable work_disk_internal_device_name.

vault-auth

This module sets up the needed Vault resources for Concourse:

  • It creates a Vault policy that allows read-only access to /concourse/*
  • It creates a Vault role in the aws auth method (which must already exist; see below) for Concourse and attaches the previously mentioned policy

Available variables

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| additional_vault_policies | Additional Vault policies to attach to the Concourse role | string | <list> | no |
| concourse_iam_role_arn | IAM role ARN of the Concourse ATC server. You can get this from the concourse web module outputs | string | - | yes |
| vault_aws_auth_backend_path | The path the AWS auth backend being configured was mounted at | string | aws | no |
| vault_concourse_role_name | Name to give to the Vault role and policy for Concourse | string | - | yes |
| vault_server_url | The Vault server url | string | - | yes |
| vault_token_period | Vault token renewal period, in seconds. This sets the token to never expire, but it still has to be renewed within the duration specified by this value | string | 43200 | no |

Output

--

How to enable and configure the AWS auth method

If the AWS auth method is not previously enabled, you'll need to do it before applying this module. To do that you'll need to follow the first two steps described in the official Vault documentation.

  • Enable the auth method
  • Configure the AWS credentials so Vault can make calls to the AWS API. Note that you can skip this step if you're going to use Vault's IAM EC2 instance role to access the AWS API.

Examples

Check out the examples folder.
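The following root-module configuration is an added example written for this page; it is not the project's own examples folder. It wires the four modules together (keys, ecs-web, ec2-worker, vault-auth), enables the Vault aws auth method that the vault-auth module expects, and derives work_disk_internal_device_name from the instance family as described in the NOTE on the external EBS volume above. Assumptions: the module sources are assumed to live at github.com/skyscrapers/terraform-concourse; every ID, hostname, CIDR and ARN is a placeholder; the device-name mapping only encodes the t2 case from the note and treats everything else as the module default; and the mutual module references (keys needs the worker role ARN, the workers need the keys bucket) are assumed to be cycle-free at the resource level, which is how Terraform resolves dependencies.

```hcl
# Added example, not part of the terraform-concourse repository.
# Module sources, IDs, hostnames and CIDRs below are assumptions/placeholders.

variable "concourse_db_password" {
  type      = string
  sensitive = true # never hardcode the DB password in the configuration
}

locals {
  name        = "ci"
  environment = "prod"
  vault_role  = "concourse" # shared by ecs-web and vault-auth; must match on both sides

  # Kernel-side device name of the work disk (see the NOTE on the external EBS volume).
  # Assumption: only the t2 case from the note is encoded; extend xen_families after
  # checking the real device name on a test instance of each family you run.
  worker_instance_type = "m5.large"
  instance_family      = split(".", local.worker_instance_type)[0]
  xen_families         = ["t2"]
  work_disk_internal_device_name = contains(local.xen_families, local.instance_family) ? "/dev/xvdf" : "/dev/nvme1n1"
}

module "concourse_keys" {
  source = "github.com/skyscrapers/terraform-concourse//keys" # assumed source path

  name        = local.name
  environment = local.environment
  # generate_keys defaults to true: the private keys end up in Terraform state,
  # so this only makes sense with an encrypted, access-controlled state backend.
  generate_keys                   = true
  bucket_force_destroy            = false
  concourse_workers_iam_role_arns = [module.concourse_workers.worker_iam_role_arn]
}

module "concourse_web" {
  source = "github.com/skyscrapers/terraform-concourse//ecs-web" # assumed source path

  name                      = local.name
  environment               = local.environment
  ecs_cluster               = "ci-cluster"
  backend_security_group_id = "sg-0123456789abcdef0"                                     # placeholder
  ecs_service_role_arn      = "arn:aws:iam::123456789012:role/ecsServiceRole"            # placeholder
  elb_subnets               = ["subnet-0aaaaaaaaaaaaaaaa", "subnet-0bbbbbbbbbbbbbbbb"]    # placeholders
  ssl_certificate_id        = "arn:aws:acm:eu-west-1:123456789012:certificate/PLACEHOLDER"

  concourse_hostname    = "ci.example.com"
  concourse_db_host     = "concourse-db.example.internal"
  concourse_db_password = var.concourse_db_password

  keys_bucket_arn = module.concourse_keys.keys_bucket_arn
  keys_bucket_id  = module.concourse_keys.keys_bucket_id

  # Override the 0.0.0.0/0 default: only trusted networks should reach the ATC/TSA
  # and the Prometheus scrape port.
  allowed_incoming_cidr_blocks = ["10.0.0.0/8"]
  prometheus_cidrs             = ["10.0.0.0/8"]

  # Vault integration; the role is created by the vault-auth module below.
  vault_server_url               = "https://vault.example.com"
  vault_auth_concourse_role_name = local.vault_role
}

module "concourse_workers" {
  source = "github.com/skyscrapers/terraform-concourse//ec2-worker" # assumed source path

  name         = "${local.name}-general"
  environment  = local.environment
  vpc_id       = "vpc-0123456789abcdef0"                                  # placeholder
  subnet_ids   = ["subnet-0cccccccccccccccc", "subnet-0dddddddddddddddd"] # placeholders
  ssh_key_name = "ci-workers"

  instance_type                  = local.worker_instance_type
  work_disk_internal_device_name = local.work_disk_internal_device_name

  concourse_hostname = module.concourse_web.concourse_hostname
  keys_bucket_arn    = module.concourse_keys.keys_bucket_arn
  keys_bucket_id     = module.concourse_keys.keys_bucket_id
}

# The two manual steps from "How to enable and configure the AWS auth method",
# done with the Vault provider instead of the CLI.
resource "vault_auth_backend" "aws" {
  type = "aws"
  path = "aws"
}

# No access_key/secret_key: Vault calls the AWS API with its own EC2 instance role.
resource "vault_aws_auth_backend_client" "aws" {
  backend = vault_auth_backend.aws.path
}

module "vault_auth" {
  source = "github.com/skyscrapers/terraform-concourse//vault-auth" # assumed source path

  vault_server_url            = "https://vault.example.com"
  vault_aws_auth_backend_path = vault_auth_backend.aws.path
  vault_concourse_role_name   = local.vault_role
  concourse_iam_role_arn      = module.concourse_web.iam_role_arn

  depends_on = [vault_aws_auth_backend_client.aws]
}
```

The Vault resources need the Vault provider configured with a token that may manage auth methods; the vault-auth module itself only needs to create a policy and a role under the aws auth path. Because vault-auth exposes no outputs, the role name is carried through a local so the ecs-web side and the Vault side cannot drift apart.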

Contributors

dancashman, duboisph, iuriaranda, komorebi-e, mattiasgees, minniux, reyntjensw, ringods, samclinckspoor, simonrondelez

terraform-concourse's Issues

[RFC] Support for all possible combinations of `concourse web` arguments

This ticket is a Request For Comments to discuss the future evolution of this module given the set of CLI arguments or environment variables in upstream Concourse will still evolve quite a bit.

Below is the full list of arguments that concourse web supports:

Usage:
  concourse [OPTIONS] web [web-OPTIONS]

Application Options:
  -v, --version                                                         Print the version of Concourse and exit [$CONCOURSE_VERSION]

Help Options:
  -h, --help                                                            Show this help message

[web command options]
          --log-level=[debug|info|error|fatal]                          Minimum level of logs to see. (default: info) [$CONCOURSE_LOG_LEVEL]
          --bind-ip=                                                    IP address on which to listen for web traffic. (default: 0.0.0.0) [$CONCOURSE_BIND_IP]
          --bind-port=                                                  Port on which to listen for HTTP traffic. (default: 8080) [$CONCOURSE_BIND_PORT]
          --tls-bind-port=                                              Port on which to listen for HTTPS traffic. [$CONCOURSE_TLS_BIND_PORT]
          --tls-cert=                                                   File containing an SSL certificate. [$CONCOURSE_TLS_CERT]
          --tls-key=                                                    File containing an RSA private key, used to encrypt HTTPS traffic. [$CONCOURSE_TLS_KEY]
          --external-url=                                               URL used to reach any ATC from the outside world. [$CONCOURSE_EXTERNAL_URL]
          --peer-url=                                                   URL used to reach this ATC from other ATCs in the cluster. [$CONCOURSE_PEER_URL]
          --encryption-key=                                             A 16 or 32 length key used to encrypt sensitive information before storing it in the database.
                                                                        [$CONCOURSE_ENCRYPTION_KEY]
          --old-encryption-key=                                         Encryption key previously used for encrypting sensitive information. If provided without a new key, data is
                                                                        encrypted. If provided with a new key, data is re-encrypted. [$CONCOURSE_OLD_ENCRYPTION_KEY]
          --debug-bind-ip=                                              IP address on which to listen for the pprof debugger endpoints. (default: 127.0.0.1)
                                                                        [$CONCOURSE_DEBUG_BIND_IP]
          --debug-bind-port=                                            Port on which to listen for the pprof debugger endpoints. (default: 8079) [$CONCOURSE_DEBUG_BIND_PORT]
          --intercept-idle-timeout=                                     Length of time for a intercepted session to be idle before terminating. (default: 0m)
                                                                        [$CONCOURSE_INTERCEPT_IDLE_TIMEOUT]
          --global-resource-check-timeout=                              Time limit on checking for new versions of resources. (default: 1h) [$CONCOURSE_GLOBAL_RESOURCE_CHECK_TIMEOUT]
          --resource-checking-interval=                                 Interval on which to check for new versions of resources. (default: 1m)
                                                                        [$CONCOURSE_RESOURCE_CHECKING_INTERVAL]
          --resource-type-checking-interval=                            Interval on which to check for new versions of resource types. (default: 1m)
                                                                        [$CONCOURSE_RESOURCE_TYPE_CHECKING_INTERVAL]
          --container-placement-strategy=[volume-locality|random]       Method by which a worker is selected during container placement. (default: volume-locality)
                                                                        [$CONCOURSE_CONTAINER_PLACEMENT_STRATEGY]
          --baggageclaim-response-header-timeout=                       How long to wait for Baggageclaim to send the response header. (default: 1m)
                                                                        [$CONCOURSE_BAGGAGECLAIM_RESPONSE_HEADER_TIMEOUT]
          --cli-artifacts-dir=                                          Directory containing downloadable CLI binaries. [$CONCOURSE_CLI_ARTIFACTS_DIR]
          --log-db-queries                                              Log database queries. [$CONCOURSE_LOG_DB_QUERIES]
          --build-tracker-interval=                                     Interval on which to run build tracking. (default: 10s) [$CONCOURSE_BUILD_TRACKER_INTERVAL]
          --default-build-logs-to-retain=                               Default build logs to retain, 0 means all [$CONCOURSE_DEFAULT_BUILD_LOGS_TO_RETAIN]
          --max-build-logs-to-retain=                                   Maximum build logs to retain, 0 means not specified. Will override values configured in jobs
                                                                        [$CONCOURSE_MAX_BUILD_LOGS_TO_RETAIN]
          --default-task-cpu-limit=                                     Default max number of cpu shares per task, 0 means unlimited [$CONCOURSE_DEFAULT_TASK_CPU_LIMIT]
          --default-task-memory-limit=                                  Default maximum memory per task, 0 means unlimited [$CONCOURSE_DEFAULT_TASK_MEMORY_LIMIT]

    PostgreSQL Configuration:
          --postgres-host=                                              The host to connect to. (default: 127.0.0.1) [$CONCOURSE_POSTGRES_HOST]
          --postgres-port=                                              The port to connect to. (default: 5432) [$CONCOURSE_POSTGRES_PORT]
          --postgres-socket=                                            Path to a UNIX domain socket to connect to. [$CONCOURSE_POSTGRES_SOCKET]
          --postgres-user=                                              The user to sign in as. [$CONCOURSE_POSTGRES_USER]
          --postgres-password=                                          The user's password. [$CONCOURSE_POSTGRES_PASSWORD]
          --postgres-sslmode=[disable|require|verify-ca|verify-full]    Whether or not to use SSL. (default: disable) [$CONCOURSE_POSTGRES_SSLMODE]
          --postgres-ca-cert=                                           CA cert file location, to verify when connecting with SSL. [$CONCOURSE_POSTGRES_CA_CERT]
          --postgres-client-cert=                                       Client cert file location. [$CONCOURSE_POSTGRES_CLIENT_CERT]
          --postgres-client-key=                                        Client key file location. [$CONCOURSE_POSTGRES_CLIENT_KEY]
          --postgres-connect-timeout=                                   Dialing timeout. (0 means wait indefinitely) (default: 5m) [$CONCOURSE_POSTGRES_CONNECT_TIMEOUT]
          --postgres-database=                                          The name of the database to use. (default: atc) [$CONCOURSE_POSTGRES_DATABASE]

    Vault Credential Management:
          --vault-url=                                                  Vault server address used to access secrets. [$CONCOURSE_VAULT_URL]
          --vault-path-prefix=                                          Path under which to namespace credential lookup. (default: /concourse) [$CONCOURSE_VAULT_PATH_PREFIX]
          --vault-cache                                                 Cache returned secrets for their lease duration in memory [$CONCOURSE_VAULT_CACHE]
          --vault-max-lease=                                            If the cache is enabled, and this is set, override secrets lease duration with a maximum value
                                                                        [$CONCOURSE_VAULT_MAX_LEASE]
          --vault-ca-cert=                                              Path to a PEM-encoded CA cert file to use to verify the vault server SSL cert. [$CONCOURSE_VAULT_CA_CERT]
          --vault-ca-path=                                              Path to a directory of PEM-encoded CA cert files to verify the vault server SSL cert.
                                                                        [$CONCOURSE_VAULT_CA_PATH]
          --vault-client-cert=                                          Path to the client certificate for Vault authorization. [$CONCOURSE_VAULT_CLIENT_CERT]
          --vault-client-key=                                           Path to the client private key for Vault authorization. [$CONCOURSE_VAULT_CLIENT_KEY]
          --vault-server-name=                                          If set, is used to set the SNI host when connecting via TLS. [$CONCOURSE_VAULT_SERVER_NAME]
          --vault-insecure-skip-verify                                  Enable insecure SSL verification. [$CONCOURSE_VAULT_INSECURE_SKIP_VERIFY]
          --vault-client-token=                                         Client token for accessing secrets within the Vault server. [$CONCOURSE_VAULT_CLIENT_TOKEN]
          --vault-auth-backend=                                         Auth backend to use for logging in to Vault. [$CONCOURSE_VAULT_AUTH_BACKEND]
          --vault-auth-backend-max-ttl=                                 Time after which to force a re-login. If not set, the token will just be continuously renewed.
                                                                        [$CONCOURSE_VAULT_AUTH_BACKEND_MAX_TTL]
          --vault-retry-max=                                            The maximum time between retries when logging in or re-authing a secret. (default: 5m)
                                                                        [$CONCOURSE_VAULT_RETRY_MAX]
          --vault-retry-initial=                                        The initial time between retries when logging in or re-authing a secret. (default: 1s)
                                                                        [$CONCOURSE_VAULT_RETRY_INITIAL]
          --vault-auth-param=NAME=VALUE                                 Paramter to pass when logging in via the backend. Can be specified multiple times.
                                                                        [$CONCOURSE_VAULT_AUTH_PARAM]

    CredHub Credential Management:
          --credhub-url=                                                CredHub server address used to access secrets. [$CONCOURSE_CREDHUB_URL]
          --credhub-path-prefix=                                        Path under which to namespace credential lookup. (default: /concourse) [$CONCOURSE_CREDHUB_PATH_PREFIX]
          --credhub-ca-cert=                                            Paths to PEM-encoded CA cert files to use to verify the CredHub server SSL cert. [$CONCOURSE_CREDHUB_CA_CERT]
          --credhub-client-cert=                                        Path to the client certificate for mutual TLS authorization. [$CONCOURSE_CREDHUB_CLIENT_CERT]
          --credhub-client-key=                                         Path to the client private key for mutual TLS authorization. [$CONCOURSE_CREDHUB_CLIENT_KEY]
          --credhub-insecure-skip-verify                                Enable insecure SSL verification. [$CONCOURSE_CREDHUB_INSECURE_SKIP_VERIFY]
          --credhub-client-id=                                          Client ID for CredHub authorization. [$CONCOURSE_CREDHUB_CLIENT_ID]
          --credhub-client-secret=                                      Client secret for CredHub authorization. [$CONCOURSE_CREDHUB_CLIENT_SECRET]

    Kubernetes Credential Management:
          --kubernetes-in-cluster                                       Enables the in-cluster client. [$CONCOURSE_KUBERNETES_IN_CLUSTER]
          --kubernetes-config-path=                                     Path to Kubernetes config when running ATC outside Kubernetes. [$CONCOURSE_KUBERNETES_CONFIG_PATH]
          --kubernetes-namespace-prefix=                                Prefix to use for Kubernetes namespaces under which secrets will be looked up. (default: concourse-)
                                                                        [$CONCOURSE_KUBERNETES_NAMESPACE_PREFIX]

    AWS SecretsManager Credential Management:
          --aws-secretsmanager-access-key=                              AWS Access key ID [$CONCOURSE_AWS_SECRETSMANAGER_ACCESS_KEY]
          --aws-secretsmanager-secret-key=                              AWS Secret Access Key [$CONCOURSE_AWS_SECRETSMANAGER_SECRET_KEY]
          --aws-secretsmanager-session-token=                           AWS Session Token [$CONCOURSE_AWS_SECRETSMANAGER_SESSION_TOKEN]
          --aws-secretsmanager-region=                                  AWS region to send requests to [$AWS_REGION]
          --aws-secretsmanager-pipeline-secret-template=                AWS Secrets Manager secret identifier template used for pipeline specific parameter (default:
                                                                        /concourse/{{.Team}}/{{.Pipeline}}/{{.Secret}}) [$CONCOURSE_AWS_SECRETSMANAGER_PIPELINE_SECRET_TEMPLATE]
          --aws-secretsmanager-team-secret-template=                    AWS Secrets Manager secret identifier  template used for team specific parameter (default:
                                                                        /concourse/{{.Team}}/{{.Secret}}) [$CONCOURSE_AWS_SECRETSMANAGER_TEAM_SECRET_TEMPLATE]

    AWS SSM Credential Management:
          --aws-ssm-access-key=                                         AWS Access key ID [$CONCOURSE_AWS_SSM_ACCESS_KEY]
          --aws-ssm-secret-key=                                         AWS Secret Access Key [$CONCOURSE_AWS_SSM_SECRET_KEY]
          --aws-ssm-session-token=                                      AWS Session Token [$CONCOURSE_AWS_SSM_SESSION_TOKEN]
          --aws-ssm-region=                                             AWS region to send requests to [$AWS_REGION]
          --aws-ssm-pipeline-secret-template=                           AWS SSM parameter name template used for pipeline specific parameter (default:
                                                                        /concourse/{{.Team}}/{{.Pipeline}}/{{.Secret}}) [$CONCOURSE_AWS_SSM_PIPELINE_SECRET_TEMPLATE]
          --aws-ssm-team-secret-template=                               AWS SSM parameter name template used for team specific parameter (default: /concourse/{{.Team}}/{{.Secret}})
                                                                        [$CONCOURSE_AWS_SSM_TEAM_SECRET_TEMPLATE]

    Developer Options:
      -n, --noop                                                        Don't actually do any automatic scheduling or checking. [$CONCOURSE_NOOP]

    Static Worker (optional):
          --worker-garden-url=                                          A Garden API endpoint to register as a worker. [$CONCOURSE_WORKER_GARDEN_URL]
          --worker-baggageclaim-url=                                    A Baggageclaim API endpoint to register with the worker. [$CONCOURSE_WORKER_BAGGAGECLAIM_URL]
          --worker-resource=TYPE:IMAGE                                  A resource type to advertise for the worker. Can be specified multiple times. [$CONCOURSE_WORKER_RESOURCE]

    Metrics & Diagnostics:
          --metrics-host-name=                                          Host string to attach to emitted metrics. [$CONCOURSE_METRICS_HOST_NAME]
          --metrics-attribute=NAME:VALUE                                A key-value attribute to attach to emitted metrics. Can be specified multiple times.
                                                                        [$CONCOURSE_METRICS_ATTRIBUTE]

    Metric Emitter (Datadog):
          --datadog-agent-host=                                         Datadog agent host to expose dogstatsd metrics [$CONCOURSE_DATADOG_AGENT_HOST]
          --datadog-agent-port=                                         Datadog agent port to expose dogstatsd metrics [$CONCOURSE_DATADOG_AGENT_PORT]
          --datadog-prefix=                                             Prefix for all metrics to easily find them in Datadog [$CONCOURSE_DATADOG_PREFIX]

    Metric Emitter (InfluxDB):
          --influxdb-url=                                               InfluxDB server address to emit points to. [$CONCOURSE_INFLUXDB_URL]
          --influxdb-database=                                          InfluxDB database to write points to. [$CONCOURSE_INFLUXDB_DATABASE]
          --influxdb-username=                                          InfluxDB server username. [$CONCOURSE_INFLUXDB_USERNAME]
          --influxdb-password=                                          InfluxDB server password. [$CONCOURSE_INFLUXDB_PASSWORD]
          --influxdb-insecure-skip-verify                               Skip SSL verification when emitting to InfluxDB. [$CONCOURSE_INFLUXDB_INSECURE_SKIP_VERIFY]

    Metric Emitter (Lager):
          --emit-to-logs                                                Emit metrics to logs. [$CONCOURSE_EMIT_TO_LOGS]

    Metric Emitter (NewRelic):
          --newrelic-account-id=                                        New Relic Account ID [$CONCOURSE_NEWRELIC_ACCOUNT_ID]
          --newrelic-api-key=                                           New Relic Insights API Key [$CONCOURSE_NEWRELIC_API_KEY]
          --newrelic-service-prefix=                                    An optional prefix for emitted New Relic events [$CONCOURSE_NEWRELIC_SERVICE_PREFIX]

    Metric Emitter (Prometheus):
          --prometheus-bind-ip=                                         IP to listen on to expose Prometheus metrics. [$CONCOURSE_PROMETHEUS_BIND_IP]
          --prometheus-bind-port=                                       Port to listen on to expose Prometheus metrics. [$CONCOURSE_PROMETHEUS_BIND_PORT]

    Metric Emitter (Riemann):
          --riemann-host=                                               Riemann server address to emit metrics to. [$CONCOURSE_RIEMANN_HOST]
          --riemann-port=                                               Port of the Riemann server to emit metrics to. (default: 5555) [$CONCOURSE_RIEMANN_PORT]
          --riemann-service-prefix=                                     An optional prefix for emitted Riemann services [$CONCOURSE_RIEMANN_SERVICE_PREFIX]
          --riemann-tag=TAG                                             Tag to attach to emitted metrics. Can be specified multiple times. [$CONCOURSE_RIEMANN_TAG]

    Web Server:
          --x-frame-options=                                            The value to set for X-Frame-Options. If omitted, the header is not set. [$CONCOURSE_X_FRAME_OPTIONS]

    Garbage Collection:
          --gc-interval=                                                Interval on which to perform garbage collection. (default: 30s) [$CONCOURSE_GC_INTERVAL]
          --gc-one-off-grace-period=                                    Grace period before reaping one-off task containers (default: 5m) [$CONCOURSE_GC_ONE_OFF_GRACE_PERIOD]

    Syslog Drainer Configuration:
          --syslog-hostname=                                            Client hostname with which the build logs will be sent to the syslog server. (default: atc-syslog-drainer)
                                                                        [$CONCOURSE_SYSLOG_HOSTNAME]
          --syslog-address=                                             Remote syslog server address with port (Example: 0.0.0.0:514). [$CONCOURSE_SYSLOG_ADDRESS]
          --syslog-transport=                                           Transport protocol for syslog messages (Currently supporting tcp, udp & tls). [$CONCOURSE_SYSLOG_TRANSPORT]
          --syslog-drain-interval=                                      Interval over which checking is done for new build logs to send to syslog server (duration measurement units
                                                                        are s/m/h; eg. 30s/30m/1h) (default: 30s) [$CONCOURSE_SYSLOG_DRAIN_INTERVAL]
          --syslog-ca-cert=                                             Paths to PEM-encoded CA cert files to use to verify the Syslog server SSL cert. [$CONCOURSE_SYSLOG_CA_CERT]

    Authentication:
          --cookie-secure                                               Force sending secure flag on http cookies [$CONCOURSE_COOKIE_SECURE]
          --auth-duration=                                              Length of time for which tokens are valid. Afterwards, users will have to log back in. (default: 24h)
                                                                        [$CONCOURSE_AUTH_DURATION]
          --session-signing-key=                                        File containing an RSA private key, used to sign auth tokens. [$CONCOURSE_SESSION_SIGNING_KEY]
          --add-local-user=USERNAME:PASSWORD                            List of username:password combinations for all your local users. The password can be bcrypted - if so, it
                                                                        must have a minimum cost of 10. [$CONCOURSE_ADD_LOCAL_USER]

    Authentication (Main Team):
          --main-team-local-user=USERNAME                               List of whitelisted local concourse users. These are the users you've added at atc startup with the
                                                                        --add-local-user flag. [$CONCOURSE_MAIN_TEAM_LOCAL_USER]
          --main-team-allow-all-users                                   Setting this flag will whitelist all logged in users in the system. ALL OF THEM. If, for example, you've
                                                                        configured GitHub, any user with a GitHub account will have access to your team.
                                                                        [$CONCOURSE_MAIN_TEAM_ALLOW_ALL_USERS]

    Authentication (Main Team) (CloudFoundry):
          --main-team-cf-user=USERNAME                                  List of whitelisted CloudFoundry users. [$CONCOURSE_MAIN_TEAM_CF_USER]
          --main-team-cf-org=ORG_NAME                                   List of whitelisted CloudFoundry orgs [$CONCOURSE_MAIN_TEAM_CF_ORG]
          --main-team-cf-space=ORG_NAME:SPACE_NAME                      List of whitelisted CloudFoundry spaces [$CONCOURSE_MAIN_TEAM_CF_SPACE]
          --main-team-cf-space-guid=SPACE_GUID                          (Deprecated) List of whitelisted CloudFoundry space guids [$CONCOURSE_MAIN_TEAM_CF_SPACE_GUID]

    Authentication (Main Team) (GitHub):
          --main-team-github-user=USERNAME                              List of whitelisted GitHub users [$CONCOURSE_MAIN_TEAM_GITHUB_USER]
          --main-team-github-org=ORG_NAME                               List of whitelisted GitHub orgs [$CONCOURSE_MAIN_TEAM_GITHUB_ORG]
          --main-team-github-team=ORG_NAME:TEAM_NAME                    List of whitelisted GitHub teams [$CONCOURSE_MAIN_TEAM_GITHUB_TEAM]

    Authentication (Main Team) (GitLab):
          --main-team-gitlab-user=USERNAME                              List of whitelisted GitLab users [$CONCOURSE_MAIN_TEAM_GITLAB_USER]
          --main-team-gitlab-group=GROUP_NAME                           List of whitelisted GitLab groups [$CONCOURSE_MAIN_TEAM_GITLAB_GROUP]

    Authentication (Main Team) (LDAP):
          --main-team-ldap-user=USERNAME                                List of whitelisted LDAP users [$CONCOURSE_MAIN_TEAM_LDAP_USER]
          --main-team-ldap-group=GROUP_NAME                             List of whitelisted LDAP groups [$CONCOURSE_MAIN_TEAM_LDAP_GROUP]

    Authentication (Main Team) (OAuth2):
          --main-team-oauth-user=USERNAME                               List of whitelisted OAuth2 users [$CONCOURSE_MAIN_TEAM_OAUTH_USER]
          --main-team-oauth-group=GROUP_NAME                            List of whitelisted OAuth2 groups [$CONCOURSE_MAIN_TEAM_OAUTH_GROUP]

    Authentication (Main Team) (OIDC):
          --main-team-oidc-user=USERNAME                                List of whitelisted OIDC users [$CONCOURSE_MAIN_TEAM_OIDC_USER]
          --main-team-oidc-group=GROUP_NAME                             List of whitelisted OIDC groups [$CONCOURSE_MAIN_TEAM_OIDC_GROUP]

    Authentication (CloudFoundry):
          --cf-client-id=                                               (Required) Client id [$CONCOURSE_CF_CLIENT_ID]
          --cf-client-secret=                                           (Required) Client secret [$CONCOURSE_CF_CLIENT_SECRET]
          --cf-api-url=                                                 (Required) The base API URL of your CF deployment. It will use this information to discover information about
                                                                        the authentication provider. [$CONCOURSE_CF_API_URL]
          --cf-ca-cert=                                                 CA Certificate [$CONCOURSE_CF_CA_CERT]
          --cf-skip-ssl-validation                                      Skip SSL validation [$CONCOURSE_CF_SKIP_SSL_VALIDATION]

    Authentication (GitHub):
          --github-client-id=                                           (Required) Client id [$CONCOURSE_GITHUB_CLIENT_ID]
          --github-client-secret=                                       (Required) Client secret [$CONCOURSE_GITHUB_CLIENT_SECRET]
          --github-host=                                                Hostname of GitHub Enterprise deployment (No scheme, No trailing slash) [$CONCOURSE_GITHUB_HOST]
          --github-ca-cert=                                             CA certificate of GitHub Enterprise deployment [$CONCOURSE_GITHUB_CA_CERT]

    Authentication (GitLab):
          --gitlab-client-id=                                           (Required) Client id [$CONCOURSE_GITLAB_CLIENT_ID]
          --gitlab-client-secret=                                       (Required) Client secret [$CONCOURSE_GITLAB_CLIENT_SECRET]
          --gitlab-host=                                                Hostname of Gitlab Enterprise deployment (Include scheme, No trailing slash) [$CONCOURSE_GITLAB_HOST]

    Authentication (LDAP):
          --ldap-display-name=                                          The auth provider name displayed to users on the login page [$CONCOURSE_LDAP_DISPLAY_NAME]
          --ldap-host=                                                  (Required) The host and optional port of the LDAP server. If port isn't supplied, it will be guessed based on
                                                                        the TLS configuration. 389 or 636. [$CONCOURSE_LDAP_HOST]
          --ldap-bind-dn=                                               (Required) Bind DN for searching LDAP users and groups. Typically this is a read-only user.
                                                                        [$CONCOURSE_LDAP_BIND_DN]
          --ldap-bind-pw=                                               (Required) Bind Password for the user specified by 'bind-dn' [$CONCOURSE_LDAP_BIND_PW]
          --ldap-insecure-no-ssl                                        Required if LDAP host does not use TLS. [$CONCOURSE_LDAP_INSECURE_NO_SSL]
          --ldap-insecure-skip-verify                                   Skip certificate verification [$CONCOURSE_LDAP_INSECURE_SKIP_VERIFY]
          --ldap-start-tls                                              Start on insecure port, then negotiate TLS [$CONCOURSE_LDAP_START_TLS]
          --ldap-ca-cert=                                               CA certificate [$CONCOURSE_LDAP_CA_CERT]
          --ldap-user-search-base-dn=                                   BaseDN to start the search from. For example 'cn=users,dc=example,dc=com'
                                                                        [$CONCOURSE_LDAP_USER_SEARCH_BASE_DN]
          --ldap-user-search-filter=                                    Optional filter to apply when searching the directory. For example '(objectClass=person)'
                                                                        [$CONCOURSE_LDAP_USER_SEARCH_FILTER]
          --ldap-user-search-username=                                  Attribute to match against the inputted username. This will be translated and combined with the other filter
                                                                        as '(<attr>=<username>)'. [$CONCOURSE_LDAP_USER_SEARCH_USERNAME]
          --ldap-user-search-scope=                                     Can either be: 'sub' - search the whole sub tree or 'one' - only search one level. Defaults to 'sub'.
                                                                        [$CONCOURSE_LDAP_USER_SEARCH_SCOPE]
          --ldap-user-search-id-attr=                                   A mapping of attributes on the user entry to claims. Defaults to 'uid'. [$CONCOURSE_LDAP_USER_SEARCH_ID_ATTR]
          --ldap-user-search-email-attr=                                A mapping of attributes on the user entry to claims. Defaults to 'mail'.
                                                                        [$CONCOURSE_LDAP_USER_SEARCH_EMAIL_ATTR]
          --ldap-user-search-name-attr=                                 A mapping of attributes on the user entry to claims. [$CONCOURSE_LDAP_USER_SEARCH_NAME_ATTR]
          --ldap-group-search-base-dn=                                  BaseDN to start the search from. For example 'cn=groups,dc=example,dc=com'
                                                                        [$CONCOURSE_LDAP_GROUP_SEARCH_BASE_DN]
          --ldap-group-search-filter=                                   Optional filter to apply when searching the directory. For example '(objectClass=posixGroup)'
                                                                        [$CONCOURSE_LDAP_GROUP_SEARCH_FILTER]
          --ldap-group-search-scope=                                    Can either be: 'sub' - search the whole sub tree or 'one' - only search one level. Defaults to 'sub'.
                                                                        [$CONCOURSE_LDAP_GROUP_SEARCH_SCOPE]
          --ldap-group-search-user-attr=                                Adds an additional requirement to the filter that an attribute in the group match the user's attribute value.
                                                                        The exact filter being added is: (<groupAttr>=<userAttr value>) [$CONCOURSE_LDAP_GROUP_SEARCH_USER_ATTR]
          --ldap-group-search-group-attr=                               Adds an additional requirement to the filter that an attribute in the group match the user's attribute value.
                                                                        The exact filter being added is: (<groupAttr>=<userAttr value>) [$CONCOURSE_LDAP_GROUP_SEARCH_GROUP_ATTR]
          --ldap-group-search-name-attr=                                The attribute of the group that represents its name. [$CONCOURSE_LDAP_GROUP_SEARCH_NAME_ATTR]

    Authentication (OAuth2):
          --oauth-display-name=                                         The auth provider name displayed to users on the login page [$CONCOURSE_OAUTH_DISPLAY_NAME]
          --oauth-client-id=                                            (Required) Client id [$CONCOURSE_OAUTH_CLIENT_ID]
          --oauth-client-secret=                                        (Required) Client secret [$CONCOURSE_OAUTH_CLIENT_SECRET]
          --oauth-auth-url=                                             (Required) Authorization URL [$CONCOURSE_OAUTH_AUTH_URL]
          --oauth-token-url=                                            (Required) Token URL [$CONCOURSE_OAUTH_TOKEN_URL]
          --oauth-userinfo-url=                                         UserInfo URL [$CONCOURSE_OAUTH_USERINFO_URL]
          --oauth-scope=                                                Any additional scopes that need to be requested during authorization [$CONCOURSE_OAUTH_SCOPE]
          --oauth-groups-key=                                           The groups key indicates which claim to use to map external groups to Concourse teams.
                                                                        [$CONCOURSE_OAUTH_GROUPS_KEY]
          --oauth-ca-cert=                                              CA Certificate [$CONCOURSE_OAUTH_CA_CERT]
          --oauth-skip-ssl-validation                                   Skip SSL validation [$CONCOURSE_OAUTH_SKIP_SSL_VALIDATION]

    Authentication (OIDC):
          --oidc-display-name=                                          The auth provider name displayed to users on the login page [$CONCOURSE_OIDC_DISPLAY_NAME]
          --oidc-issuer=                                                (Required) An OIDC issuer URL that will be used to discover provider configuration using the
                                                                        .well-known/openid-configuration [$CONCOURSE_OIDC_ISSUER]
          --oidc-client-id=                                             (Required) Client id [$CONCOURSE_OIDC_CLIENT_ID]
          --oidc-client-secret=                                         (Required) Client secret [$CONCOURSE_OIDC_CLIENT_SECRET]
          --oidc-scope=                                                 Any additional scopes that need to be requested during authorization [$CONCOURSE_OIDC_SCOPE]
          --oidc-groups-key=                                            The groups key indicates which claim to use to map external groups to Concourse teams.
                                                                        [$CONCOURSE_OIDC_GROUPS_KEY]
          --oidc-hosted-domains=                                        List of whitelisted domains when using Google, only users from a listed domain will be allowed to log in
                                                                        [$CONCOURSE_OIDC_HOSTED_DOMAINS]
          --oidc-ca-cert=                                               CA Certificate [$CONCOURSE_OIDC_CA_CERT]
          --oidc-skip-ssl-validation                                    Skip SSL validation [$CONCOURSE_OIDC_SKIP_SSL_VALIDATION]

    TSA Configuration:
          --tsa-log-level=[debug|info|error|fatal]                      Minimum level of logs to see. (default: info) [$CONCOURSE_TSA_LOG_LEVEL]
          --tsa-bind-ip=                                                IP address on which to listen for SSH. (default: 0.0.0.0) [$CONCOURSE_TSA_BIND_IP]
          --tsa-bind-port=                                              Port on which to listen for SSH. (default: 2222) [$CONCOURSE_TSA_BIND_PORT]
          --tsa-bind-debug-port=                                        Port on which to listen for TSA pprof server. (default: 8089) [$CONCOURSE_TSA_BIND_DEBUG_PORT]
          --tsa-peer-ip=                                                IP address of this TSA, reachable by the ATCs. Used for forwarded worker addresses. [$CONCOURSE_TSA_PEER_IP]
          --tsa-host-key=                                               Path to private key to use for the SSH server. [$CONCOURSE_TSA_HOST_KEY]
          --tsa-authorized-keys=                                        Path to file containing keys to authorize, in SSH authorized_keys format (one public key per line).
                                                                        [$CONCOURSE_TSA_AUTHORIZED_KEYS]
          --tsa-team-authorized-keys=NAME=PATH                          Path to file containing keys to authorize, in SSH authorized_keys format (one public key per line).
                                                                        [$CONCOURSE_TSA_TEAM_AUTHORIZED_KEYS]
          --tsa-atc-url=                                                ATC API endpoints to which workers will be registered. [$CONCOURSE_TSA_ATC_URL]
          --tsa-session-signing-key=                                    Path to private key to use when signing tokens in requests to the ATC during registration.
                                                                        [$CONCOURSE_TSA_SESSION_SIGNING_KEY]
          --tsa-heartbeat-interval=                                     interval on which to heartbeat workers to the ATC (default: 30s) [$CONCOURSE_TSA_HEARTBEAT_INTERVAL]

Before adding specific support for other sets of options, I would like to discuss whether or not it would be better to pass these options in a more general way.

The PostgreSQL and TSA configuration options are required settings for any Concourse deployment. The configuration of these 2 sets of arguments could remain as is.
The current state of the module only supports a subset of the remaining options:

  • Basic Authentication
  • GitHub Authentication
  • Vault for Concourse Credential Management

Suppose we only passed a single args parameter; then the templating to combine all the arguments would be outside of this module and specific to the use case. Given that the set of options will evolve in the future, this approach will require less maintenance on this module.

The current case I'm working on requires:

  • Datadog Metrics emitter
  • OAuth2 Authentication (Office365) (BitBucket is currently not supported by Concourse via its integrated Dex)
  • AWS Secrets Manager for Concourse Credential Management
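The single-args approach the issue proposes, sketched as an added example in Terraform (this is not code from the terraform-concourse module). Flag and environment-variable names are taken from the concourse web --help output quoted above; the variable names concourse_web_args, container_secrets, datadog_agent_host, oauth_client_id, oauth_auth_url, oauth_token_url, main_team_oauth_groups, oauth_client_secret_arn and aws_region are assumptions, and the validation block needs Terraform 0.13 or newer.

```hcl
# Added example, not code from the terraform-concourse module. Flag names come
# from `concourse web --help`; every variable name below is an assumption.

# --- module side (e.g. ecs-web/variables.tf) ---------------------------------

variable "concourse_web_args" {
  description = "Extra arguments appended to `concourse web`; PostgreSQL and TSA flags stay module-managed"
  type        = list(string)
  default     = []

  # Refuse the flags from the help output that switch off TLS verification or
  # whitelist every logged-in user, so they cannot slip in through a generic list.
  validation {
    condition = length([
      for a in var.concourse_web_args : a
      if can(regex("^--(cf|oauth|oidc)-skip-ssl-validation$", a))
      || can(regex("^--(ldap-insecure-(no-ssl|skip-verify)|influxdb-insecure-skip-verify|main-team-allow-all-users)$", a))
    ]) == 0
    error_message = "The concourse_web_args value must not disable TLS verification or whitelist all users; add such flags as explicit module inputs if they are really needed."
  }
}

variable "container_secrets" {
  description = "ECS `secrets` entries (name + valueFrom) injected into the web container as environment variables"
  type        = list(object({ name = string, valueFrom = string }))
  default     = []
}

# --- root module side --------------------------------------------------------

locals {
  # Non-secret flags are safe on the command line. SSM credentials come from the
  # ECS task role, so --aws-ssm-secret-key / --aws-ssm-session-token are left unset.
  concourse_web_args = concat(
    [
      "--datadog-agent-host=${var.datadog_agent_host}",
      "--datadog-agent-port=8125",
      "--datadog-prefix=concourse",
      "--oauth-display-name=Office365",
      "--oauth-client-id=${var.oauth_client_id}",
      "--oauth-auth-url=${var.oauth_auth_url}",
      "--oauth-token-url=${var.oauth_token_url}",
      "--aws-ssm-region=${var.aws_region}",
    ],
    # Repeatable flags map onto a list: one --main-team-oauth-group per group.
    [for g in var.main_team_oauth_groups : "--main-team-oauth-group=${g}"],
  )

  # Secrets use the env-var form of the same flag and are sourced from SSM or
  # Secrets Manager at task start, so they never appear in the task definition,
  # in `ps` output, or in plan output as plain text.
  concourse_web_secrets = [
    { name = "CONCOURSE_OAUTH_CLIENT_SECRET", valueFrom = var.oauth_client_secret_arn },
  ]
}

module "concourse_web" {
  source             = "./ecs-web"
  concourse_web_args = local.concourse_web_args
  container_secrets  = local.concourse_web_secrets
  # plus the module's own required inputs (PostgreSQL, TSA, networking)
}
```

Two points worth keeping whatever the final interface looks like: the OAuth2 client secret (and any other credential) goes in through the CONCOURSE_* environment-variable form of the flag, sourced from SSM or Secrets Manager via the ECS secrets block, never on the command line; and the validation guard means a caller who wants --cf-skip-ssl-validation or --main-team-allow-all-users has to ask for it by name rather than smuggling it into a generic list.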

Principals can't be empty in cross-account Concourse keys policy

In the keys module, if no principals are provided in the concourse_keys_cross_account_principals variable, AWS complains that it can't create the policy without principals.

* aws_iam_role.concourse_keys_cross_account: Error creating IAM Role concourse-keys-20180525100019477900000001: MalformedPolicyDocument: Invalid principal in policy: com.amazon.balsa.error.InvalidPolicyException: The passed in policy has a statement with no principals!

Possible solution

Don't create the policy if no principals are provided
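One way to implement the proposed fix, as an added example rather than the module's own code: give the role and its trust policy a count that is zero when the principal list is empty, so AWS never sees a statement without principals. The variable and resource names follow the issue text; the policy body, the name_prefix and the output are assumptions, and the syntax needs Terraform 0.12 or newer.

```hcl
# Added example, not code from the terraform-concourse keys module.

variable "concourse_keys_cross_account_principals" {
  description = "IAM principal ARNs allowed to assume the concourse keys role; leave empty to skip creating the role"
  type        = list(string)
  default     = []
}

locals {
  # Only build the role when there is at least one principal to trust.
  create_cross_account_role = length(var.concourse_keys_cross_account_principals) > 0 ? 1 : 0
}

data "aws_iam_policy_document" "concourse_keys_cross_account_assume" {
  count = local.create_cross_account_role

  statement {
    actions = ["sts:AssumeRole"]

    # Never default this to "*": a wildcard principal would let any AWS
    # account assume the role, which is far worse than the creation error.
    principals {
      type        = "AWS"
      identifiers = var.concourse_keys_cross_account_principals
    }
  }
}

resource "aws_iam_role" "concourse_keys_cross_account" {
  count              = local.create_cross_account_role
  name_prefix        = "concourse-keys-"
  assume_role_policy = data.aws_iam_policy_document.concourse_keys_cross_account_assume[0].json
}

output "concourse_keys_cross_account_role_arn" {
  # null when no principals were given, so callers can test for the absent role
  value = try(aws_iam_role.concourse_keys_cross_account[0].arn, null)
}
```

Anything else in the module that attaches policies to this role needs the same count, and consumers should treat a null ARN as "no cross-account access configured" rather than falling back to a broader principal.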

Workers not starting

Describe the problem
Pipelines are not running. When executing fly -t main workers, we see that no workers are running.

To Reproduce
Steps to reproduce the behavior:

  1. Provision VPC
  2. Run terraform apply
  3. Wait about 5 minutes for web to become available
  4. Run fly --target main login --team-name main --concourse-url https://concourse.mydomain.com/ to authenticate
  5. Run fly -t main workers

Expected behavior
Expect two workers to be running
