Giter VIP home page Giter VIP logo

terraform-concourse's Issues

Principals can't be empty in cross-account Concourse keys policy

In the keys module, if no principals are provided in the concourse_keys_cross_account_principals variable, AWS complains that it can't create the policy without principals.

* aws_iam_role.concourse_keys_cross_account: Error creating IAM Role concourse-keys-20180525100019477900000001: MalformedPolicyDocument: Invalid principal in policy: com.amazon.balsa.error.InvalidPolicyException: The passed in policy has a statement with no principals!

Possible solution

Don't create the policy if no principals are provided

Workers not starting

Describe the problem
Pipelines are not running. When executing fly -t main workers we see that no workers are running.

To Reproduce
Steps to reproduce the behavior:

  1. Provision VPC
  2. Run terraform apply
  3. Wait about 5 minutes for web to become available
  4. Run fly --target main login --team-name main --concourse-url https://concourse.mydomain.com/ to authenticate
  5. Run fly -t main workers

Expected behavior
Expect two workers to be running

[RFC] Support for all possible combinations of `concourse web` arguments

This ticket is a Request For Comments to discuss the future evolution of this module given the set of CLI arguments or environment variables in upstream Concourse will still evolve quite a bit.

Below is the full list of arguments that concourse web supports:

Usage:
  concourse [OPTIONS] web [web-OPTIONS]

Application Options:
  -v, --version                                                         Print the version of Concourse and exit [$CONCOURSE_VERSION]

Help Options:
  -h, --help                                                            Show this help message

[web command options]
          --log-level=[debug|info|error|fatal]                          Minimum level of logs to see. (default: info) [$CONCOURSE_LOG_LEVEL]
          --bind-ip=                                                    IP address on which to listen for web traffic. (default: 0.0.0.0) [$CONCOURSE_BIND_IP]
          --bind-port=                                                  Port on which to listen for HTTP traffic. (default: 8080) [$CONCOURSE_BIND_PORT]
          --tls-bind-port=                                              Port on which to listen for HTTPS traffic. [$CONCOURSE_TLS_BIND_PORT]
          --tls-cert=                                                   File containing an SSL certificate. [$CONCOURSE_TLS_CERT]
          --tls-key=                                                    File containing an RSA private key, used to encrypt HTTPS traffic. [$CONCOURSE_TLS_KEY]
          --external-url=                                               URL used to reach any ATC from the outside world. [$CONCOURSE_EXTERNAL_URL]
          --peer-url=                                                   URL used to reach this ATC from other ATCs in the cluster. [$CONCOURSE_PEER_URL]
          --encryption-key=                                             A 16 or 32 length key used to encrypt sensitive information before storing it in the database.
                                                                        [$CONCOURSE_ENCRYPTION_KEY]
          --old-encryption-key=                                         Encryption key previously used for encrypting sensitive information. If provided without a new key, data is
                                                                        encrypted. If provided with a new key, data is re-encrypted. [$CONCOURSE_OLD_ENCRYPTION_KEY]
          --debug-bind-ip=                                              IP address on which to listen for the pprof debugger endpoints. (default: 127.0.0.1)
                                                                        [$CONCOURSE_DEBUG_BIND_IP]
          --debug-bind-port=                                            Port on which to listen for the pprof debugger endpoints. (default: 8079) [$CONCOURSE_DEBUG_BIND_PORT]
          --intercept-idle-timeout=                                     Length of time for a intercepted session to be idle before terminating. (default: 0m)
                                                                        [$CONCOURSE_INTERCEPT_IDLE_TIMEOUT]
          --global-resource-check-timeout=                              Time limit on checking for new versions of resources. (default: 1h) [$CONCOURSE_GLOBAL_RESOURCE_CHECK_TIMEOUT]
          --resource-checking-interval=                                 Interval on which to check for new versions of resources. (default: 1m)
                                                                        [$CONCOURSE_RESOURCE_CHECKING_INTERVAL]
          --resource-type-checking-interval=                            Interval on which to check for new versions of resource types. (default: 1m)
                                                                        [$CONCOURSE_RESOURCE_TYPE_CHECKING_INTERVAL]
          --container-placement-strategy=[volume-locality|random]       Method by which a worker is selected during container placement. (default: volume-locality)
                                                                        [$CONCOURSE_CONTAINER_PLACEMENT_STRATEGY]
          --baggageclaim-response-header-timeout=                       How long to wait for Baggageclaim to send the response header. (default: 1m)
                                                                        [$CONCOURSE_BAGGAGECLAIM_RESPONSE_HEADER_TIMEOUT]
          --cli-artifacts-dir=                                          Directory containing downloadable CLI binaries. [$CONCOURSE_CLI_ARTIFACTS_DIR]
          --log-db-queries                                              Log database queries. [$CONCOURSE_LOG_DB_QUERIES]
          --build-tracker-interval=                                     Interval on which to run build tracking. (default: 10s) [$CONCOURSE_BUILD_TRACKER_INTERVAL]
          --default-build-logs-to-retain=                               Default build logs to retain, 0 means all [$CONCOURSE_DEFAULT_BUILD_LOGS_TO_RETAIN]
          --max-build-logs-to-retain=                                   Maximum build logs to retain, 0 means not specified. Will override values configured in jobs
                                                                        [$CONCOURSE_MAX_BUILD_LOGS_TO_RETAIN]
          --default-task-cpu-limit=                                     Default max number of cpu shares per task, 0 means unlimited [$CONCOURSE_DEFAULT_TASK_CPU_LIMIT]
          --default-task-memory-limit=                                  Default maximum memory per task, 0 means unlimited [$CONCOURSE_DEFAULT_TASK_MEMORY_LIMIT]

    PostgreSQL Configuration:
          --postgres-host=                                              The host to connect to. (default: 127.0.0.1) [$CONCOURSE_POSTGRES_HOST]
          --postgres-port=                                              The port to connect to. (default: 5432) [$CONCOURSE_POSTGRES_PORT]
          --postgres-socket=                                            Path to a UNIX domain socket to connect to. [$CONCOURSE_POSTGRES_SOCKET]
          --postgres-user=                                              The user to sign in as. [$CONCOURSE_POSTGRES_USER]
          --postgres-password=                                          The user's password. [$CONCOURSE_POSTGRES_PASSWORD]
          --postgres-sslmode=[disable|require|verify-ca|verify-full]    Whether or not to use SSL. (default: disable) [$CONCOURSE_POSTGRES_SSLMODE]
          --postgres-ca-cert=                                           CA cert file location, to verify when connecting with SSL. [$CONCOURSE_POSTGRES_CA_CERT]
          --postgres-client-cert=                                       Client cert file location. [$CONCOURSE_POSTGRES_CLIENT_CERT]
          --postgres-client-key=                                        Client key file location. [$CONCOURSE_POSTGRES_CLIENT_KEY]
          --postgres-connect-timeout=                                   Dialing timeout. (0 means wait indefinitely) (default: 5m) [$CONCOURSE_POSTGRES_CONNECT_TIMEOUT]
          --postgres-database=                                          The name of the database to use. (default: atc) [$CONCOURSE_POSTGRES_DATABASE]

    Vault Credential Management:
          --vault-url=                                                  Vault server address used to access secrets. [$CONCOURSE_VAULT_URL]
          --vault-path-prefix=                                          Path under which to namespace credential lookup. (default: /concourse) [$CONCOURSE_VAULT_PATH_PREFIX]
          --vault-cache                                                 Cache returned secrets for their lease duration in memory [$CONCOURSE_VAULT_CACHE]
          --vault-max-lease=                                            If the cache is enabled, and this is set, override secrets lease duration with a maximum value
                                                                        [$CONCOURSE_VAULT_MAX_LEASE]
          --vault-ca-cert=                                              Path to a PEM-encoded CA cert file to use to verify the vault server SSL cert. [$CONCOURSE_VAULT_CA_CERT]
          --vault-ca-path=                                              Path to a directory of PEM-encoded CA cert files to verify the vault server SSL cert.
                                                                        [$CONCOURSE_VAULT_CA_PATH]
          --vault-client-cert=                                          Path to the client certificate for Vault authorization. [$CONCOURSE_VAULT_CLIENT_CERT]
          --vault-client-key=                                           Path to the client private key for Vault authorization. [$CONCOURSE_VAULT_CLIENT_KEY]
          --vault-server-name=                                          If set, is used to set the SNI host when connecting via TLS. [$CONCOURSE_VAULT_SERVER_NAME]
          --vault-insecure-skip-verify                                  Enable insecure SSL verification. [$CONCOURSE_VAULT_INSECURE_SKIP_VERIFY]
          --vault-client-token=                                         Client token for accessing secrets within the Vault server. [$CONCOURSE_VAULT_CLIENT_TOKEN]
          --vault-auth-backend=                                         Auth backend to use for logging in to Vault. [$CONCOURSE_VAULT_AUTH_BACKEND]
          --vault-auth-backend-max-ttl=                                 Time after which to force a re-login. If not set, the token will just be continuously renewed.
                                                                        [$CONCOURSE_VAULT_AUTH_BACKEND_MAX_TTL]
          --vault-retry-max=                                            The maximum time between retries when logging in or re-authing a secret. (default: 5m)
                                                                        [$CONCOURSE_VAULT_RETRY_MAX]
          --vault-retry-initial=                                        The initial time between retries when logging in or re-authing a secret. (default: 1s)
                                                                        [$CONCOURSE_VAULT_RETRY_INITIAL]
          --vault-auth-param=NAME=VALUE                                 Paramter to pass when logging in via the backend. Can be specified multiple times.
                                                                        [$CONCOURSE_VAULT_AUTH_PARAM]

    CredHub Credential Management:
          --credhub-url=                                                CredHub server address used to access secrets. [$CONCOURSE_CREDHUB_URL]
          --credhub-path-prefix=                                        Path under which to namespace credential lookup. (default: /concourse) [$CONCOURSE_CREDHUB_PATH_PREFIX]
          --credhub-ca-cert=                                            Paths to PEM-encoded CA cert files to use to verify the CredHub server SSL cert. [$CONCOURSE_CREDHUB_CA_CERT]
          --credhub-client-cert=                                        Path to the client certificate for mutual TLS authorization. [$CONCOURSE_CREDHUB_CLIENT_CERT]
          --credhub-client-key=                                         Path to the client private key for mutual TLS authorization. [$CONCOURSE_CREDHUB_CLIENT_KEY]
          --credhub-insecure-skip-verify                                Enable insecure SSL verification. [$CONCOURSE_CREDHUB_INSECURE_SKIP_VERIFY]
          --credhub-client-id=                                          Client ID for CredHub authorization. [$CONCOURSE_CREDHUB_CLIENT_ID]
          --credhub-client-secret=                                      Client secret for CredHub authorization. [$CONCOURSE_CREDHUB_CLIENT_SECRET]

    Kubernetes Credential Management:
          --kubernetes-in-cluster                                       Enables the in-cluster client. [$CONCOURSE_KUBERNETES_IN_CLUSTER]
          --kubernetes-config-path=                                     Path to Kubernetes config when running ATC outside Kubernetes. [$CONCOURSE_KUBERNETES_CONFIG_PATH]
          --kubernetes-namespace-prefix=                                Prefix to use for Kubernetes namespaces under which secrets will be looked up. (default: concourse-)
                                                                        [$CONCOURSE_KUBERNETES_NAMESPACE_PREFIX]

    AWS SecretsManager Credential Management:
          --aws-secretsmanager-access-key=                              AWS Access key ID [$CONCOURSE_AWS_SECRETSMANAGER_ACCESS_KEY]
          --aws-secretsmanager-secret-key=                              AWS Secret Access Key [$CONCOURSE_AWS_SECRETSMANAGER_SECRET_KEY]
          --aws-secretsmanager-session-token=                           AWS Session Token [$CONCOURSE_AWS_SECRETSMANAGER_SESSION_TOKEN]
          --aws-secretsmanager-region=                                  AWS region to send requests to [$AWS_REGION]
          --aws-secretsmanager-pipeline-secret-template=                AWS Secrets Manager secret identifier template used for pipeline specific parameter (default:
                                                                        /concourse/{{.Team}}/{{.Pipeline}}/{{.Secret}}) [$CONCOURSE_AWS_SECRETSMANAGER_PIPELINE_SECRET_TEMPLATE]
          --aws-secretsmanager-team-secret-template=                    AWS Secrets Manager secret identifier  template used for team specific parameter (default:
                                                                        /concourse/{{.Team}}/{{.Secret}}) [$CONCOURSE_AWS_SECRETSMANAGER_TEAM_SECRET_TEMPLATE]

    AWS SSM Credential Management:
          --aws-ssm-access-key=                                         AWS Access key ID [$CONCOURSE_AWS_SSM_ACCESS_KEY]
          --aws-ssm-secret-key=                                         AWS Secret Access Key [$CONCOURSE_AWS_SSM_SECRET_KEY]
          --aws-ssm-session-token=                                      AWS Session Token [$CONCOURSE_AWS_SSM_SESSION_TOKEN]
          --aws-ssm-region=                                             AWS region to send requests to [$AWS_REGION]
          --aws-ssm-pipeline-secret-template=                           AWS SSM parameter name template used for pipeline specific parameter (default:
                                                                        /concourse/{{.Team}}/{{.Pipeline}}/{{.Secret}}) [$CONCOURSE_AWS_SSM_PIPELINE_SECRET_TEMPLATE]
          --aws-ssm-team-secret-template=                               AWS SSM parameter name template used for team specific parameter (default: /concourse/{{.Team}}/{{.Secret}})
                                                                        [$CONCOURSE_AWS_SSM_TEAM_SECRET_TEMPLATE]

    Developer Options:
      -n, --noop                                                        Don't actually do any automatic scheduling or checking. [$CONCOURSE_NOOP]

    Static Worker (optional):
          --worker-garden-url=                                          A Garden API endpoint to register as a worker. [$CONCOURSE_WORKER_GARDEN_URL]
          --worker-baggageclaim-url=                                    A Baggageclaim API endpoint to register with the worker. [$CONCOURSE_WORKER_BAGGAGECLAIM_URL]
          --worker-resource=TYPE:IMAGE                                  A resource type to advertise for the worker. Can be specified multiple times. [$CONCOURSE_WORKER_RESOURCE]

    Metrics & Diagnostics:
          --metrics-host-name=                                          Host string to attach to emitted metrics. [$CONCOURSE_METRICS_HOST_NAME]
          --metrics-attribute=NAME:VALUE                                A key-value attribute to attach to emitted metrics. Can be specified multiple times.
                                                                        [$CONCOURSE_METRICS_ATTRIBUTE]

    Metric Emitter (Datadog):
          --datadog-agent-host=                                         Datadog agent host to expose dogstatsd metrics [$CONCOURSE_DATADOG_AGENT_HOST]
          --datadog-agent-port=                                         Datadog agent port to expose dogstatsd metrics [$CONCOURSE_DATADOG_AGENT_PORT]
          --datadog-prefix=                                             Prefix for all metrics to easily find them in Datadog [$CONCOURSE_DATADOG_PREFIX]

    Metric Emitter (InfluxDB):
          --influxdb-url=                                               InfluxDB server address to emit points to. [$CONCOURSE_INFLUXDB_URL]
          --influxdb-database=                                          InfluxDB database to write points to. [$CONCOURSE_INFLUXDB_DATABASE]
          --influxdb-username=                                          InfluxDB server username. [$CONCOURSE_INFLUXDB_USERNAME]
          --influxdb-password=                                          InfluxDB server password. [$CONCOURSE_INFLUXDB_PASSWORD]
          --influxdb-insecure-skip-verify                               Skip SSL verification when emitting to InfluxDB. [$CONCOURSE_INFLUXDB_INSECURE_SKIP_VERIFY]

    Metric Emitter (Lager):
          --emit-to-logs                                                Emit metrics to logs. [$CONCOURSE_EMIT_TO_LOGS]

    Metric Emitter (NewRelic):
          --newrelic-account-id=                                        New Relic Account ID [$CONCOURSE_NEWRELIC_ACCOUNT_ID]
          --newrelic-api-key=                                           New Relic Insights API Key [$CONCOURSE_NEWRELIC_API_KEY]
          --newrelic-service-prefix=                                    An optional prefix for emitted New Relic events [$CONCOURSE_NEWRELIC_SERVICE_PREFIX]

    Metric Emitter (Prometheus):
          --prometheus-bind-ip=                                         IP to listen on to expose Prometheus metrics. [$CONCOURSE_PROMETHEUS_BIND_IP]
          --prometheus-bind-port=                                       Port to listen on to expose Prometheus metrics. [$CONCOURSE_PROMETHEUS_BIND_PORT]

    Metric Emitter (Riemann):
          --riemann-host=                                               Riemann server address to emit metrics to. [$CONCOURSE_RIEMANN_HOST]
          --riemann-port=                                               Port of the Riemann server to emit metrics to. (default: 5555) [$CONCOURSE_RIEMANN_PORT]
          --riemann-service-prefix=                                     An optional prefix for emitted Riemann services [$CONCOURSE_RIEMANN_SERVICE_PREFIX]
          --riemann-tag=TAG                                             Tag to attach to emitted metrics. Can be specified multiple times. [$CONCOURSE_RIEMANN_TAG]

    Web Server:
          --x-frame-options=                                            The value to set for X-Frame-Options. If omitted, the header is not set. [$CONCOURSE_X_FRAME_OPTIONS]

    Garbage Collection:
          --gc-interval=                                                Interval on which to perform garbage collection. (default: 30s) [$CONCOURSE_GC_INTERVAL]
          --gc-one-off-grace-period=                                    Grace period before reaping one-off task containers (default: 5m) [$CONCOURSE_GC_ONE_OFF_GRACE_PERIOD]

    Syslog Drainer Configuration:
          --syslog-hostname=                                            Client hostname with which the build logs will be sent to the syslog server. (default: atc-syslog-drainer)
                                                                        [$CONCOURSE_SYSLOG_HOSTNAME]
          --syslog-address=                                             Remote syslog server address with port (Example: 0.0.0.0:514). [$CONCOURSE_SYSLOG_ADDRESS]
          --syslog-transport=                                           Transport protocol for syslog messages (Currently supporting tcp, udp & tls). [$CONCOURSE_SYSLOG_TRANSPORT]
          --syslog-drain-interval=                                      Interval over which checking is done for new build logs to send to syslog server (duration measurement units
                                                                        are s/m/h; eg. 30s/30m/1h) (default: 30s) [$CONCOURSE_SYSLOG_DRAIN_INTERVAL]
          --syslog-ca-cert=                                             Paths to PEM-encoded CA cert files to use to verify the Syslog server SSL cert. [$CONCOURSE_SYSLOG_CA_CERT]

    Authentication:
          --cookie-secure                                               Force sending secure flag on http cookies [$CONCOURSE_COOKIE_SECURE]
          --auth-duration=                                              Length of time for which tokens are valid. Afterwards, users will have to log back in. (default: 24h)
                                                                        [$CONCOURSE_AUTH_DURATION]
          --session-signing-key=                                        File containing an RSA private key, used to sign auth tokens. [$CONCOURSE_SESSION_SIGNING_KEY]
          --add-local-user=USERNAME:PASSWORD                            List of username:password combinations for all your local users. The password can be bcrypted - if so, it
                                                                        must have a minimum cost of 10. [$CONCOURSE_ADD_LOCAL_USER]

    Authentication (Main Team):
          --main-team-local-user=USERNAME                               List of whitelisted local concourse users. These are the users you've added at atc startup with the
                                                                        --add-local-user flag. [$CONCOURSE_MAIN_TEAM_LOCAL_USER]
          --main-team-allow-all-users                                   Setting this flag will whitelist all logged in users in the system. ALL OF THEM. If, for example, you've
                                                                        configured GitHub, any user with a GitHub account will have access to your team.
                                                                        [$CONCOURSE_MAIN_TEAM_ALLOW_ALL_USERS]

    Authentication (Main Team) (CloudFoundry):
          --main-team-cf-user=USERNAME                                  List of whitelisted CloudFoundry users. [$CONCOURSE_MAIN_TEAM_CF_USER]
          --main-team-cf-org=ORG_NAME                                   List of whitelisted CloudFoundry orgs [$CONCOURSE_MAIN_TEAM_CF_ORG]
          --main-team-cf-space=ORG_NAME:SPACE_NAME                      List of whitelisted CloudFoundry spaces [$CONCOURSE_MAIN_TEAM_CF_SPACE]
          --main-team-cf-space-guid=SPACE_GUID                          (Deprecated) List of whitelisted CloudFoundry space guids [$CONCOURSE_MAIN_TEAM_CF_SPACE_GUID]

    Authentication (Main Team) (GitHub):
          --main-team-github-user=USERNAME                              List of whitelisted GitHub users [$CONCOURSE_MAIN_TEAM_GITHUB_USER]
          --main-team-github-org=ORG_NAME                               List of whitelisted GitHub orgs [$CONCOURSE_MAIN_TEAM_GITHUB_ORG]
          --main-team-github-team=ORG_NAME:TEAM_NAME                    List of whitelisted GitHub teams [$CONCOURSE_MAIN_TEAM_GITHUB_TEAM]

    Authentication (Main Team) (GitLab):
          --main-team-gitlab-user=USERNAME                              List of whitelisted GitLab users [$CONCOURSE_MAIN_TEAM_GITLAB_USER]
          --main-team-gitlab-group=GROUP_NAME                           List of whitelisted GitLab groups [$CONCOURSE_MAIN_TEAM_GITLAB_GROUP]

    Authentication (Main Team) (LDAP):
          --main-team-ldap-user=USERNAME                                List of whitelisted LDAP users [$CONCOURSE_MAIN_TEAM_LDAP_USER]
          --main-team-ldap-group=GROUP_NAME                             List of whitelisted LDAP groups [$CONCOURSE_MAIN_TEAM_LDAP_GROUP]

    Authentication (Main Team) (OAuth2):
          --main-team-oauth-user=USERNAME                               List of whitelisted OAuth2 users [$CONCOURSE_MAIN_TEAM_OAUTH_USER]
          --main-team-oauth-group=GROUP_NAME                            List of whitelisted OAuth2 groups [$CONCOURSE_MAIN_TEAM_OAUTH_GROUP]

    Authentication (Main Team) (OIDC):
          --main-team-oidc-user=USERNAME                                List of whitelisted OIDC users [$CONCOURSE_MAIN_TEAM_OIDC_USER]
          --main-team-oidc-group=GROUP_NAME                             List of whitelisted OIDC groups [$CONCOURSE_MAIN_TEAM_OIDC_GROUP]

    Authentication (CloudFoundry):
          --cf-client-id=                                               (Required) Client id [$CONCOURSE_CF_CLIENT_ID]
          --cf-client-secret=                                           (Required) Client secret [$CONCOURSE_CF_CLIENT_SECRET]
          --cf-api-url=                                                 (Required) The base API URL of your CF deployment. It will use this information to discover information about
                                                                        the authentication provider. [$CONCOURSE_CF_API_URL]
          --cf-ca-cert=                                                 CA Certificate [$CONCOURSE_CF_CA_CERT]
          --cf-skip-ssl-validation                                      Skip SSL validation [$CONCOURSE_CF_SKIP_SSL_VALIDATION]

    Authentication (GitHub):
          --github-client-id=                                           (Required) Client id [$CONCOURSE_GITHUB_CLIENT_ID]
          --github-client-secret=                                       (Required) Client secret [$CONCOURSE_GITHUB_CLIENT_SECRET]
          --github-host=                                                Hostname of GitHub Enterprise deployment (No scheme, No trailing slash) [$CONCOURSE_GITHUB_HOST]
          --github-ca-cert=                                             CA certificate of GitHub Enterprise deployment [$CONCOURSE_GITHUB_CA_CERT]

    Authentication (GitLab):
          --gitlab-client-id=                                           (Required) Client id [$CONCOURSE_GITLAB_CLIENT_ID]
          --gitlab-client-secret=                                       (Required) Client secret [$CONCOURSE_GITLAB_CLIENT_SECRET]
          --gitlab-host=                                                Hostname of Gitlab Enterprise deployment (Include scheme, No trailing slash) [$CONCOURSE_GITLAB_HOST]

    Authentication (LDAP):
          --ldap-display-name=                                          The auth provider name displayed to users on the login page [$CONCOURSE_LDAP_DISPLAY_NAME]
          --ldap-host=                                                  (Required) The host and optional port of the LDAP server. If port isn't supplied, it will be guessed based on
                                                                        the TLS configuration. 389 or 636. [$CONCOURSE_LDAP_HOST]
          --ldap-bind-dn=                                               (Required) Bind DN for searching LDAP users and groups. Typically this is a read-only user.
                                                                        [$CONCOURSE_LDAP_BIND_DN]
          --ldap-bind-pw=                                               (Required) Bind Password for the user specified by 'bind-dn' [$CONCOURSE_LDAP_BIND_PW]
          --ldap-insecure-no-ssl                                        Required if LDAP host does not use TLS. [$CONCOURSE_LDAP_INSECURE_NO_SSL]
          --ldap-insecure-skip-verify                                   Skip certificate verification [$CONCOURSE_LDAP_INSECURE_SKIP_VERIFY]
          --ldap-start-tls                                              Start on insecure port, then negotiate TLS [$CONCOURSE_LDAP_START_TLS]
          --ldap-ca-cert=                                               CA certificate [$CONCOURSE_LDAP_CA_CERT]
          --ldap-user-search-base-dn=                                   BaseDN to start the search from. For example 'cn=users,dc=example,dc=com'
                                                                        [$CONCOURSE_LDAP_USER_SEARCH_BASE_DN]
          --ldap-user-search-filter=                                    Optional filter to apply when searching the directory. For example '(objectClass=person)'
                                                                        [$CONCOURSE_LDAP_USER_SEARCH_FILTER]
          --ldap-user-search-username=                                  Attribute to match against the inputted username. This will be translated and combined with the other filter
                                                                        as '(<attr>=<username>)'. [$CONCOURSE_LDAP_USER_SEARCH_USERNAME]
          --ldap-user-search-scope=                                     Can either be: 'sub' - search the whole sub tree or 'one' - only search one level. Defaults to 'sub'.
                                                                        [$CONCOURSE_LDAP_USER_SEARCH_SCOPE]
          --ldap-user-search-id-attr=                                   A mapping of attributes on the user entry to claims. Defaults to 'uid'. [$CONCOURSE_LDAP_USER_SEARCH_ID_ATTR]
          --ldap-user-search-email-attr=                                A mapping of attributes on the user entry to claims. Defaults to 'mail'.
                                                                        [$CONCOURSE_LDAP_USER_SEARCH_EMAIL_ATTR]
          --ldap-user-search-name-attr=                                 A mapping of attributes on the user entry to claims. [$CONCOURSE_LDAP_USER_SEARCH_NAME_ATTR]
          --ldap-group-search-base-dn=                                  BaseDN to start the search from. For example 'cn=groups,dc=example,dc=com'
                                                                        [$CONCOURSE_LDAP_GROUP_SEARCH_BASE_DN]
          --ldap-group-search-filter=                                   Optional filter to apply when searching the directory. For example '(objectClass=posixGroup)'
                                                                        [$CONCOURSE_LDAP_GROUP_SEARCH_FILTER]
          --ldap-group-search-scope=                                    Can either be: 'sub' - search the whole sub tree or 'one' - only search one level. Defaults to 'sub'.
                                                                        [$CONCOURSE_LDAP_GROUP_SEARCH_SCOPE]
          --ldap-group-search-user-attr=                                Adds an additional requirement to the filter that an attribute in the group match the user's attribute value.
                                                                        The exact filter being added is: (<groupAttr>=<userAttr value>) [$CONCOURSE_LDAP_GROUP_SEARCH_USER_ATTR]
          --ldap-group-search-group-attr=                               Adds an additional requirement to the filter that an attribute in the group match the user's attribute value.
                                                                        The exact filter being added is: (<groupAttr>=<userAttr value>) [$CONCOURSE_LDAP_GROUP_SEARCH_GROUP_ATTR]
          --ldap-group-search-name-attr=                                The attribute of the group that represents its name. [$CONCOURSE_LDAP_GROUP_SEARCH_NAME_ATTR]

    Authentication (OAuth2):
          --oauth-display-name=                                         The auth provider name displayed to users on the login page [$CONCOURSE_OAUTH_DISPLAY_NAME]
          --oauth-client-id=                                            (Required) Client id [$CONCOURSE_OAUTH_CLIENT_ID]
          --oauth-client-secret=                                        (Required) Client secret [$CONCOURSE_OAUTH_CLIENT_SECRET]
          --oauth-auth-url=                                             (Required) Authorization URL [$CONCOURSE_OAUTH_AUTH_URL]
          --oauth-token-url=                                            (Required) Token URL [$CONCOURSE_OAUTH_TOKEN_URL]
          --oauth-userinfo-url=                                         UserInfo URL [$CONCOURSE_OAUTH_USERINFO_URL]
          --oauth-scope=                                                Any additional scopes that need to be requested during authorization [$CONCOURSE_OAUTH_SCOPE]
          --oauth-groups-key=                                           The groups key indicates which claim to use to map external groups to Concourse teams.
                                                                        [$CONCOURSE_OAUTH_GROUPS_KEY]
          --oauth-ca-cert=                                              CA Certificate [$CONCOURSE_OAUTH_CA_CERT]
          --oauth-skip-ssl-validation                                   Skip SSL validation [$CONCOURSE_OAUTH_SKIP_SSL_VALIDATION]

    Authentication (OIDC):
          --oidc-display-name=                                          The auth provider name displayed to users on the login page [$CONCOURSE_OIDC_DISPLAY_NAME]
          --oidc-issuer=                                                (Required) An OIDC issuer URL that will be used to discover provider configuration using the
                                                                        .well-known/openid-configuration [$CONCOURSE_OIDC_ISSUER]
          --oidc-client-id=                                             (Required) Client id [$CONCOURSE_OIDC_CLIENT_ID]
          --oidc-client-secret=                                         (Required) Client secret [$CONCOURSE_OIDC_CLIENT_SECRET]
          --oidc-scope=                                                 Any additional scopes that need to be requested during authorization [$CONCOURSE_OIDC_SCOPE]
          --oidc-groups-key=                                            The groups key indicates which claim to use to map external groups to Concourse teams.
                                                                        [$CONCOURSE_OIDC_GROUPS_KEY]
          --oidc-hosted-domains=                                        List of whitelisted domains when using Google, only users from a listed domain will be allowed to log in
                                                                        [$CONCOURSE_OIDC_HOSTED_DOMAINS]
          --oidc-ca-cert=                                               CA Certificate [$CONCOURSE_OIDC_CA_CERT]
          --oidc-skip-ssl-validation                                    Skip SSL validation [$CONCOURSE_OIDC_SKIP_SSL_VALIDATION]

    TSA Configuration:
          --tsa-log-level=[debug|info|error|fatal]                      Minimum level of logs to see. (default: info) [$CONCOURSE_TSA_LOG_LEVEL]
          --tsa-bind-ip=                                                IP address on which to listen for SSH. (default: 0.0.0.0) [$CONCOURSE_TSA_BIND_IP]
          --tsa-bind-port=                                              Port on which to listen for SSH. (default: 2222) [$CONCOURSE_TSA_BIND_PORT]
          --tsa-bind-debug-port=                                        Port on which to listen for TSA pprof server. (default: 8089) [$CONCOURSE_TSA_BIND_DEBUG_PORT]
          --tsa-peer-ip=                                                IP address of this TSA, reachable by the ATCs. Used for forwarded worker addresses. [$CONCOURSE_TSA_PEER_IP]
          --tsa-host-key=                                               Path to private key to use for the SSH server. [$CONCOURSE_TSA_HOST_KEY]
          --tsa-authorized-keys=                                        Path to file containing keys to authorize, in SSH authorized_keys format (one public key per line).
                                                                        [$CONCOURSE_TSA_AUTHORIZED_KEYS]
          --tsa-team-authorized-keys=NAME=PATH                          Path to file containing keys to authorize, in SSH authorized_keys format (one public key per line).
                                                                        [$CONCOURSE_TSA_TEAM_AUTHORIZED_KEYS]
          --tsa-atc-url=                                                ATC API endpoints to which workers will be registered. [$CONCOURSE_TSA_ATC_URL]
          --tsa-session-signing-key=                                    Path to private key to use when signing tokens in reqests to the ATC during registration.
                                                                        [$CONCOURSE_TSA_SESSION_SIGNING_KEY]
          --tsa-heartbeat-interval=                                     interval on which to heartbeat workers to the ATC (default: 30s) [$CONCOURSE_TSA_HEARTBEAT_INTERVAL]

Before adding specific support for other sets of options, I would like to discuss whether or not it would be better to pass these options in a more general way.

The configuration for PostgreSQL and TSA are required settings for any Concourse deployment. The configuration of these 2 sets of arguments could remain as is.
The current state of the module only supports a subset of the remaining options:

  • Basic Authentication
  • Github Authentication
  • Vault for Concourse Credential Management

Suppose we would only pass a single args parameter, then the templating to combine all the arguments would be outside of this module and specific to the use case. Given the set of options will evolve in the future, this approach will require less maintenance on this module.

The current case I'm working on requires:

  • Datadog Metrics emitter
  • OAuth2 Authentication (Office365) (BitBucket is currently not supported by Concourse via its integrated Dex)
  • AWS Secrets Manager for Concourse Credential Management

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.