#atlantis

Discuss the Atlantis (http://runatlantis.io) *Archive:* https://archive.sweetops.com/atlantis/

2019-10-15

Andrew Jeffree

You can also configure branch protection if you’re using GitHub to ensure that the atlantis/plan and apply checks have passed before it’ll allow someone to merge things.

2019-10-11

oscar

Am I right in saying the Atlantis workflow is to deploy before the code is merged? Isn’t that a bit sketchy?

Erik Osterman

Isn’t it sketchy to have code in master that was never deployed? Terraform is crude tool for CRUD that doesn’t rollback in face of errors.

oscar

Ah perhaps I have my workflows wrong in my head (purely theoretical, no atlantis deployed yet)

Erik Osterman

So you are right that you should deploy on merge in most cases :-) just I think Atlantis is a good example of when maybe not to do that.

@oscar You can require the PR to be approved before changes can be applied, and I believe you can also adjust a setting to have Atlantis merge the code when planning/applying (locally on its side).

aknysh

we open a PR and request reviews, atlantis runs plan automatically, the author and the reviewers review the plan, the reviewers approve the PR, we run atlantis apply, if everything is ok, merge to master

aknysh

we want the master to reflect what is deployed, so we merge to master only if everything is ok

oscar

Thanks guys. So really the workflow isn’t to actually comment Atlantis apply until it has been merged? Is there a way to enforce this?

oscar

So that someone can’t comment and trigger the apply of the plan before merge etc

Erik Osterman

Yes Atlantis uses a planfile so even if you tried to apply before plan it would fail

Erik Osterman

With Atlantis you run apply before merge

Erik Osterman

I think there is also an option to auto merge on apply

Erik Osterman

So if apply fails it doesn’t merge

AgustínGonzalezNicolini

Still if the atlantis.yaml file lives in your repo, you can change it in the PR and skip the approval enforcement

AgustínGonzalezNicolini

that’s like one “security issue” i still don’t get

aknysh

when you deploy atlantis, you provide a global atlantis-repo-config.yaml

aknysh
cloudposse/testing.cloudposse.co

Example Terraform Reference Architecture that implements a Geodesic Module for an Automated Testing Organization in AWS - cloudposse/testing.cloudposse.co

aknysh

where you can specify what users in the repo that atlantis provisions can do

aknysh

```yaml
# allowed_overrides specifies which keys can be overridden by this repo in
# its atlantis.yaml file
allowed_overrides: [apply_requirements, workflow]

# allow_custom_workflows defines whether this repo can define its own
# workflows. If false (default), the repo can only use server-side defined workflows
allow_custom_workflows: true
```

aknysh

(sure if atlantis-repo-config.yaml is in the same repo (as we have in testing), it does not solve the issue. But if the atlantis repo is different from the repo it operates on, then you can safely restrict)

AgustínGonzalezNicolini

Nice!!!

AgustínGonzalezNicolini

I’ll look into implementing

AgustínGonzalezNicolini

thanks @aknysh

2019-10-08

joshmyers

What was the thing that was like Atlantis, but not?

joshmyers

Can’t find it in the archives

Erik Osterman

yea, i know what you mean.

Erik Osterman

it had a horrible name

Erik Osterman
Hello, Geopoiesis!

Turbocharging your infrastructure-as-code

Erik Osterman

@joshmyers

joshmyers

Awesome, thanks @Erik Osterman

joshmyers
geopoiesis

geopoiesis has 7 repositories available. Follow their code on GitHub.

Erik Osterman

Oh… thought it was

2019-09-20

Atlantis config has built-in support for custom commands though

Whereas workspaces appear mandatory in the Terraform Cloud world (on first sight)

They also demo having environment-specific git branches, which doesn’t make any sense to me

(unless it’s a short-lived environment)

Jakub Korzeniowski

Hi Guys. I’m getting atlantis to execute helmfile workflow. I created a docker image based on the official atlantis’ image with all of the necessary goodies that are needed and bizarre things happen:

If I docker run -it my_atlantis /bin/bash and run helm help it lists all the commands including the plugins.

However, if I run the same command as part of a custom atlantis’ workflow, none of the plugins are there.

Any ideas?

aknysh

@Jakub Korzeniowski are you running the same image for the atlantis workflow?

doesn’t the atlantis image have an “atlantis” user? If so, you would need to install the plugins for the atlantis user

you can create a directory for helm and set the HELM_HOME env variable to that

then install the helm plugins

don’t forget to set the permissions on the dir

aknysh

this is an example of our image with atlantis installed (geodesic is the base image, which has terraform, helm, helmfile and other stuff installed) https://github.com/cloudposse/testing.cloudposse.co/blob/master/Dockerfile

this is how the atlantis server gets configured in the base geodesic image https://github.com/cloudposse/geodesic/blob/master/rootfs/etc/init.d/atlantis.sh

atlantis workflows https://github.com/cloudposse/testing.cloudposse.co/blob/master/atlantis.yaml

cloudposse/testing.cloudposse.co

cloudposse/geodesic

Geodesic is a cloud automation shell. It's the fastest way to get up and running with a rock solid, production grade cloud platform built on top of strictly Open Source tools. ★ this repo! h…

curious how well it works to use atlantis with helm/helmfile

aknysh

works well for us

aknysh

this is an example of atlantis workflow for helmfiles:

```yaml
helmfile:
  plan:
    steps:
      - run: "chamber exec kops -- kops export kubecfg"
      - run: 'chamber exec kops -- direnv exec "$DIR" helmfile diff --suppress-secrets --args="--allow-unreleased --context 5 --no-color"'
  apply:
    steps:
      - run: "chamber exec kops -- kops export kubecfg"
      - run: 'test -x "$DIR"/namespace-annotations.sh && chamber exec kops -- direnv exec "$DIR" "$DIR"/namespace-annotations.sh || echo "No script found to annotate namespaces"'
      - run: 'chamber exec kops -- direnv exec "$DIR" helmfile apply --suppress-secrets'
```

aknysh

and this is atlantis project config to deploy helmfiles

```yaml
- name: "helmfiles"
  workflow: "helmfile"
  dir: "conf/helmfiles"
  workspace: "default"
  autoplan:
    when_modified:
      - "*.yaml"
      - "*.yaml.gotmpl"
      - "*.envrc"
      - ".envrc"
    enabled: true
  apply_requirements:
    - "approved"
```

that’s awesome

I’ve been looking at ArgoCD for doing the k8s CD, any thoughts on that project?

i have yet to try it out , just reading up on it

aknysh

did not use it, but looks very cool

aknysh
Deploying to Kubernetes with Helm and GitHub Actions

This tutorial will go through the basics of GitHub actions as well as deploying to Kubernetes using a pre-built Helm action

we use Azure DevOps which is what GitHub Actions is built on, but I’m trying to move away from having our CI systems talk to our K8s clusters directly

which is why I like Atlantis and ArgoCD

I can run those within our network

2019-09-19

Callum Robertson

Have you used this much @?

Callum Robertson

I’m curious to know how it plays out

No, not at all, I am also curious about it

Sticking to Atlantis for the time being

Callum Robertson

OK! I’ll set one up next week and give it a crack

Callum Robertson

yeah - same here.

Mostly because we don’t use workspaces

And I’m afraid Hashicorp is pushing for workspaces

Callum Robertson

Yeah - I feel the same, I too am not using workspaces, I’m using the terragrunt/atlantis method

Callum Robertson

I’m doing a talk on Atlantis here in NZ and Hashicorp were pushing their enterprise tools our way to present

IIRC The guys that managed Atlantis were hired by Hashicorp, so I am sure there is a lot of influence that they’ll have on their Terraform Cloud product

Erik Osterman

But Atlantis the project is also pushing workspaces :-)

2019-09-10

Announcing Terraform Cloud

Today, we’re excited to announce the full release of Terraform Cloud. This release brings the automation and collaboration features of Terraform Enterprise to the greater Terraform…

2019-08-13

Callum Robertson

Hey @Jonathan I got it working wonderfully! Thanks mate - this is what these communities are for, really appreciate you putting in the time and setting me on the right track. Kudos!

2019-08-12

Erik Osterman

fwiw, we do something similar to what @Jonathan prescribes

Erik Osterman

We use #geodesic with this init script

Erik Osterman
cloudposse/geodesic

Geodesic is a cloud automation shell. It's the fastest way to get up and running with a rock solid, production grade cloud platform built on top of strictly Open Source tools. ★ this repo! h…

2019-08-11

Callum Robertson

Hey guys, how are you running Terragrunt with Atlantis? I’m currently doing the following:

  1. Setup an ECS Fargate cluster that uses a single service task definition that runs my own Atlantis image containing Terragrunt.
  2. When the Fargate nodes spin up through terraform, they use my machine’s environment variables for an access key & secret to authenticate against the provider blocks Atlantis runs against
  3. Atlantis is using my Github User Token but cannot access private repositories? I’ve had to make them public (the repos don’t have any secrets or sensitive information)

I’m pretty new in this space but I’m wondering the following:

  1. what I’ve done is considered good-practice?
  2. How do you configure Atlantis to talk to git private repositories? Do you have to create a root ssh folder to store a private key?
  3. What’s the best way to authenticate against the AWS providers, right now without Atlantis I use role assumption from a user in the security account with MFA, it looks like the simplest way here is to just create a key/pair to deploy in the Atlantis hosts environment variables? I need Atlantis to authenticate against the backend as well as various accounts to deploy terraform build artefacts against

Jonathan

@Callum Robertson I’m also using Atlantis, Terragrunt and Fargate. I have a “live” repo and “modules” repo, both of which are private. In order to access private Github repos, I considered adding SSH keys but I decided that that was an ugly solution since Atlantis already has a github token. To use the token I needed to make a custom Atlantis-Terragrunt docker image with the addition of two files.

Jonathan

This file forces git to use https so that the token can be used. It needs to be moved into the /home/atlantis/ folder during the docker image build.

Jonathan

This file adds the token value to the .gitconfig file with a value that is already in the Atlantis environment. It needs to be called somehow by the docker entry point file.

Jonathan

I’m also using Atlantis and Terragrunt in a multi-account AWS setup. I did not add key/pair to deploy in the Atlantis hosts environment variables. I really try to never use key pairs. I don’t think that’s as secure as using ECS task roles with a cross account access policy. To assume roles, I use the --terragrunt-iam-role flag in the atlantis.yaml file.

Jonathan

This is how I bootstrap a Terraform slave account:

  • Using the console, I create an IAM role in the slave account. Call it something like: TerraformCrossAccountAccessRole.

https://console.aws.amazon.com/iam/home?#/roles$new?step=type&roleType=crossAccount

  • When prompted, enter the AWS account number of the Terraform master account. Don’t require MFA as this will be programmatic access only.
  • Attach the AdministratorAccess policy.
  • Enter a description: “This role allows Terraform to administer all AWS resources in this account.”

The generated role will be called something like: arn:aws:iam::<slave-account-id>:role/TerraformCrossAccountAccessRole.

The account number in the arn above is the account number of the slave.

When I call Terragrunt from Atlantis in my Terraform master account, I assume the role in the slave account that I created above. Each of my AWS slave accounts has a different directory based workflow that calls an apply step like this :

```yaml
- run: echo 'y' | terragrunt apply-all -no-color --terragrunt-iam-role "arn:aws:iam::<slave-account-id>:role/TerraformCrossAccountAccessRole"
```

Jonathan

If you are interested in this approach, I’m happy to add more detail, share my Dockerfile, etc.

Callum Robertson

hey @Jonathan this would be awesome!

Callum Robertson

I’ve got the same setup, I’ve got a working “live” directory that is a multi aws account setup so assume roles is a must have for me..

Callum Robertson

I’ll have a look at that flag, I assumed you had to generate a session token and put them in your env before assuming a role

Jonathan

For AWS? If I understand your question correctly, nope. No session token in Atlantis ENV. My Atlantis ECS task has enough privileges to assume this role.

Jonathan

This is my custom Dockerfile for Atlantis and Terragrunt that allows the use of a token instead of SSH. It will need the two files I posted above in the same folder where docker build is being called.

Callum Robertson

Ah of course it does!

Callum Robertson

You’re a weapon @Jonathan, really appreciate this! I’ll set this up tomorrow and let you know how I get on

Callum Robertson

This fits my use-case perfectly

2019-08-10

rohit

Hi. I posted the below question in atlantis slack channel, i am also asking the same here

rohit

Is it possible to run a plan against the master branch ? I do not have a branch so i can not submit a PR but i want to run terraform plan against a workspace

2019-06-21

is there a way to pass the region for the aws provider directly to whatever modules the ecs-atlantis depends on? I’ve noticed that it asks twice for provider.aws.region so I am assuming region is not passed alongside to dependencies.

```text
Acquiring state lock. This may take a few moments...
provider.aws.region
  The region where AWS operations will take place. Examples
  are us-east-1, us-west-2, etc.

  Default: us-east-1
  Enter a value: us-east-2

provider.aws.region
  The region where AWS operations will take place. Examples
  are us-east-1, us-west-2, etc.

  Default: us-east-1
  Enter a value: us-east-2
```

not a big deal, but I wonder if this is expected

basically it seems that var.region ain’t passed here: https://github.com/cloudposse/terraform-aws-ecs-atlantis/blob/master/main.tf#L79

aknysh

@marc we did not test it in this scenario. We have ENV var for region defined in the Dockerfile(s) https://github.com/cloudposse/testing.cloudposse.co/blob/master/Dockerfile#L20

aknysh

so it always has the region

ah, good to know

thank you

aknysh

but we will be converting it to TF 0.12, and fix that too

2019-06-03

I updated to 0.8.1 running on fargate, and authentication fails for me on the app user in BitBucket. @nutellinoit Have you given the new version a shot yet? Are things working for you?

nutellinoit

I tried one pull request this morning and everything was working , I did not try without approving the pull tho

@nutellinoit You didn’t have to update anything with the bitbucket app user?

nutellinoit

No, nothing

nutellinoit

I will try tomorrow morning with other pull requests

nutellinoit

it’s 22:52 in Italy

Thanks, must be something with my setup, I jumped a few versions

Okay, figured it out, I now need to use the username of the actual BitBucket user, instead of the app name as it previously was configured

2019-06-01

nutellinoit

i made a pull request that perhaps fixes the problem

2019-05-30

nutellinoit

to anyone using bitbucket cloud with atlantis https://github.com/runatlantis/atlantis/issues/652

Bitbucket: PANIC: runtime error: invalid memory address or nil pointer dereference · Issue #652 · runatlantis/atlantis

We are running into go PANIC error on BitBucket. I think something is changed on the bitbucket API, the go error stacktrace points to /go/src/github.com/runatlantis/atlantis/server/events/vcs/bitbu…

I spent the morning trying to fix this

2019-05-23

Sajid

Hey guys

Sajid

was wondering if anyone successfully used https://github.com/cloudposse/slack-notifier with Atlantis for slack notifications?

cloudposse/slack-notifier

Command line utility to send messages with attachments to Slack channels via Incoming Webhooks - cloudposse/slack-notifier

Erik Osterman

@Sajid haven’t tried it, but it would work well with a custom workflow

2019-05-21

geertn

Someone posted an interesting alternative for atlantis a while ago. Anyone remember what that was?

geertn

Looks cool, but that wasn’t it.

sarkis

@geertn maybe github actions?

sarkis

although it doesn’t have an apply action - so maybe not this

geertn

Thanks, I found it. I was looking for: https://docs.geopoiesis.io/manual/

geertn

Doesn’t seem to be open source AFAICS though

2019-05-20

That makes a lot of sense. I’m going to test out your version of Atlantis. Are there other changes planned for your version of Atlantis vs the official?

Erik Osterman

We actually just ripped out everything else we did to be more compatible with the main line

Erik Osterman

We ripped out custom Atlantis.yaml location, support for git modules, and destroy command

Erik Osterman

We are hoping Atlantis will eventually come around.

2019-05-19

Is Make in Atlantis workflows a security risk? My thought is a pull request could have a Makefile that tells it to run arbitrary code during a plan and extract secrets, etc.

Erik Osterman

We patched Atlantis to support GitHub teams. Maintainer doesn’t want to support that. Teams let us control who can run plan and apply.

Erik Osterman
Restrict Plan or Apply to Github Teams or Github Users · Issue #308 · runatlantis/atlantis

what Allow operator to define a list of permitted users who can trigger atlantis commands why Currently, the only way to restrict access is by adding/revoking users from a repository altogether. We…

Erik Osterman

Full context is here

Erik Osterman

Without GitHub teams atlantis security is a pie in the sky since any command can be run by anyone with repo access even part of the plan. Proof of concept in the issue.

2019-05-16

antonbabenko

brew install atlantis, and the price is described here - https://github.com/terraform-aws-modules/terraform-aws-atlantis/issues/19#issuecomment-420341630 , but I think I pay a bit more.

Fargate/Atlantis - Trigger AWS Fargate task from AWS Lambda · Issue #19 · terraform-aws-modules/terraform-aws-atlantis

$ To-do: Read this Allow configuration of Fargate tasks schedule via AWS Cloudwatch to avoid cold-starts on workdays (eg…

2019-05-15

rohit

@antonbabenko Do you know how much it cost monthly to run atlantis using https://registry.terraform.io/modules/terraform-aws-modules/atlantis/aws/1.17.0 ?

rohit

This is probably a dumb question but which tarball should i be using on macOS to checkout atlantis testdrive

rohit
runatlantis/atlantis

Terraform Pull Request Automation. Contribute to runatlantis/atlantis development by creating an account on GitHub.

2019-04-30

Erik Osterman

this is actually a surprisingly big question.

Erik Osterman

we’ve deployed atlantis now many times in many different configurations

Erik Osterman

our current best practice is to deploy it as an ECS fargate task with an ALB configured with OIDC

Erik Osterman
cloudposse/terraform-root-modules

Example Terraform service catalog of “root module” blueprints for provisioning reference architectures - cloudposse/terraform-root-modules

aaratn

@Erik Osterman - Any hints how we can do this with terragrunt + atlantis ?

Erik Osterman

to use terragrunt you just need to define your own workflow in the atlantis.yaml

Erik Osterman

don’t depend on the built-in plan and apply steps of atlantis

Erik Osterman

we define a make workflow that you can borrow

Erik Osterman

then you just define the steps in your Makefile for the project

aaratn

Got it ! We used to use a lot of makefiles before terragrunt but I got what you are saying. Use makefiles + terragrunt on atlantis

Erik Osterman
cloudposse/testing.cloudposse.co

Example Terraform Reference Architecture that implements a Geodesic Module for an Automated Testing Organization in AWS - cloudposse/testing.cloudposse.co

Erik Osterman

```yaml
workflows:
  make:
    plan:
      steps:
        - run: "make reset deps"
        - run: "set -o pipefail; make plan | tfmask | scenery --no-color"
    apply:
      steps:
        - run: "set -o pipefail; make apply | tfmask"
```

Erik Osterman

so a project just defines a Makefile with a plan and apply target

Erik Osterman
cloudposse/terraform-root-modules

Example Terraform service catalog of “root module” blueprints for provisioning reference architectures - cloudposse/terraform-root-modules

Erik Osterman

our Makefile looks like this

Erik Osterman
cloudposse/tfenv

Transform environment variables for use with Terraform (e.g. HOSTNAME → TF_VAR_hostname) - cloudposse/tfenv

Erik Osterman

so we don’t need a wrapper like terragrunt

aaratn

Interesting !

aaratn

Any clues to do a dry run before apply ?

Erik Osterman

you mean terraform plan?

aaratn

the terraform plan doesn’t necessarily succeed

aaratn

Like for eg. you define a wrong instance type in terraform plan and it will succeed but it will fail when you actually apply it

Erik Osterman

haha, yea, too true

Erik Osterman

technically there’s https://github.com/wata727/tflint

wata727/tflint

TFLint is a Terraform linter for detecting errors that can not be detected by terraform plan - wata727/tflint

Erik Osterman

but IMO this is a lost cause with terraform

Erik Osterman

instead, practice “git flow” and only merge upon successful apply -> “the atlantis way”

aaratn

apply is sometimes dangerous

Erik Osterman

Always practice plan apply workflow

Erik Osterman

Write plan to out file

Erik Osterman

Do code review

Erik Osterman

Apply outfile

Erik Osterman

This is enforced by Atlantis

Erik Osterman

Require approvals before apply

joshmyers

tflint can help with some of this, even checking your Ami type is available in the region you run in AFAICR

aaratn

Yeah but the solutions are in bits and pieces. I have seen some complex issues where terraform plan only validates the value type, i.e. string, list, map etc and doesn’t actually do a dry run by hitting the aws api.

Erik Osterman

yup, there’s no substitute for “doing” just gotta apply it in the end when it comes to terraform. this is another reason I don’t advocate running terraform apply after merge, but instead running it before merge the way atlantis does it.

aaratn

Doing terraform apply before the merge can be good if there are no tfstate dependencies

Erik Osterman

we have tons of tfstate dependencies using the terraform remote state provider.

Erik Osterman

but each tfstate has its own SDLC

Erik Osterman
cloudposse/terraform-root-modules

Example Terraform service catalog of “root module” blueprints for provisioning reference architectures - cloudposse/terraform-root-modules

aaratn

Same practice that we follow: we try to avoid using cross-project tfstate dependencies; however, some base tfstates are used by all the projects, e.g. vpc

rohit
cloudposse/terraform-root-modules

Example Terraform service catalog of “root module” blueprints for provisioning reference architectures - cloudposse/terraform-root-modules

Erik Osterman

@antonbabenko manages terraform-aws-modules/atlantis

Erik Osterman

it uses the #terraform-aws-modules which we (cloudposse) do not manage

antonbabenko

Yeah, I am not very active in #terraform-aws-modules either, but you can try to ask in public github. Maybe others can help you faster there.

2019-04-29

rohit

what is the best way to setup atlantis in AWS ?

2019-03-13

Evgeny Pestov

atlantis plan -- -destroy doesn’t seem to work with terragrunt :-(

which is our wrapper of choice… But I’ve found another workaround proposed for terragrunt use case in one of the issues: using an empty/dummy module

Evgeny Pestov

One more question: how do you test modules and/or infrastructure with Atlantis? I would like to have a flow like: create MR -> atlantis plan -> review -> atlantis apply -> run tests with the CI tool of choice, which is GitLab in our case. Atlantis updates the commit status in gitlab, but I could not find a way to hook Gitlab CI jobs to the status… Which is probably a GitLab limitation…

2019-03-12

Shane

@Evgeny Pestov it will not detect it as you are removing it and it will see nothing exists. So you have to destroy it yourself or leave an empty tf file with no resources.

2019-03-08

Evgeny Pestov

@nutellinoit Thanks! That’s an option indeed. Does Atlantis destroy removed ‘projects’ or does one need to create a PR with an empty tf folder for that?

joshmyers

Atlantis literally runs what Terraform would.

2019-03-07

Evgeny Pestov

Greetings! I’m evaluating Atlantis and there are few things I’ve stumbled upon.. One of which is what is the Atlantis flow for re-creating things? Let’s say I’ve lost a bunch of resources due to some disastrous event. Locally I can just run ‘terraform plan, apply’ and get most of the things re-created. But with Atlantis there are no changes to create a PR with. The same if I want to re-create something: I can do ‘terraform destroy, apply’ locally, but we want all our actions to be run through our gitops flow… Thanks for help!

nutellinoit

You can create a PR , then launch atlantis plan

nutellinoit

wait for plan to be ready

nutellinoit

and then atlantis apply

nutellinoit

atlantis plan -p projectname

mpmsimo

Any modification to a .tf file should work, if no changes are recognized (i.e. whitespace)

2019-02-14

Erik Osterman
05:17:07 AM

@Erik Osterman set the channel purpose: Discuss the Atlantis (http://runatlantis.io) *Archive: * https://archive.sweetops.com/atlantis/

2019-02-01

Erik Osterman

https://github.com/runatlantis/atlantis/issues/444#issuecomment-459752990

2019-01-30

hey hey

which atlantis repo should I be looking at to run atlantis in conjunction with the geodesic ref arch?

cloudposse/terraform-aws-ecs-atlantis

Terraform module for deploying Atlantis as an ECS Task - cloudposse/terraform-aws-ecs-atlantis

cloudposse/geodesic-aws-atlantis

Geodesic module for managing Atlantis with ECS Fargate - cloudposse/geodesic-aws-atlantis

wait and a helm chart?

cloudposse/helmfiles

Comprehensive Distribution of Helmfiles. Works with helmfile.d - cloudposse/helmfiles

Erik Osterman

so ooooooo

Erik Osterman

I don’t recommend running atlantis in kubernetes

Erik Osterman

we started down that path and support it

yea I agree

I want atlantis to be managing my k8s clusters

Erik Osterman

But just remember, then you have a pod that someone can kubectl exec into with admin

avoid the inception trap

Erik Osterman

So we have a nice e2e working story with ECS Fargate

im alright with that for now

later I might consider a locked down k8s or something

Erik Osterman

@joshmyers finished updating our example here:

Erik Osterman
ECS Atlantis + tfenv + new goodies by joshmyers · Pull Request #58 · cloudposse/testing.cloudposse.co

what The updates http://testing.cloudposse.co to use the latest Geodesic image with a host of new goodies like Atlantis support, tfenv, scenery, tfmask. Requires cloudposse/terraform-root-modules#107 to b…

Erik Osterman

We merged that this morning

something less AWS specific

Erik Osterman

unfortunately, not documented

Erik Osterman

All the ECS/Atlantis stuff is demonstrated here: https://github.com/cloudposse/terraform-root-modules/tree/master/aws/ecs

cloudposse/terraform-root-modules

Example Terraform service catalog of “root module” invocations for provisioning reference architectures - cloudposse/terraform-root-modules

haha you know I like my docs in the form of code

Erik Osterman

Currently, we don’t have an alpine package for atlantis (our fork)

Erik Osterman
cloudposse/testing.cloudposse.co

Example Terraform Reference Architecture that implements a Geodesic Module for an Automated Testing Organization in AWS - cloudposse/testing.cloudposse.co

Erik Osterman

I should probably give you a demo of what the workflow looks like using Atlantis

Erik Osterman

B/c the docker multi-stage isn’t ideally suited for it.

joshmyers

Yeah, it took quite a bit of plumbing to get to work in this workflow

so I will need to get atlantis in place asap

have on-boarded 8 core team members to our version of geodesic + ref arch

pipelines are next up

and a few others

Erik Osterman

I can give you the low down so you can get started

Erik Osterman

won’t take long to deploy

2019-01-25

Hey, I’m always curious about Atlantis, kind of would like to use it, but we prefer to apply on merge. For the ones doing apply on PR, how do you work with it and let’s say, ECS. We have our ECS service defined in terraform for the time being (yeah not the best I know, but this could be a DB change or something else) and if we applied on PR, the new container or service that should use this will not be deployed yet, unless you also build the container on PR. How do you handle that?

Erik Osterman

I have a lot of thoughts on why you don’t apply on merge for terraform

Erik Osterman

web apps, cool. they are usually stateless and easily rollback.

Erik Osterman

terraform does not rollback in the face of errors.

Erik Osterman

terraform errors all the time.

Erik Osterman

happened to me a couple of times yesterday

Erik Osterman

the plan is very primitive. “in an ideal world, here’s what I plan to do”

Erik Osterman

so atlantis ensures we keep master pristine of what was deployed

Erik Osterman

rather than what should have been deployed

Yeah, I do get that part of the flow, and doing full CI is super “expensive” for terraform, as you will have to A) deploy old version B) apply the new version on top, on an isolated environment, which might take a while. But I wonder how is that tied in when your terraform requires the deployed version of the app or thing to already be running, as the workflow makes it so you always have to do terraform first with atlantis

unless you do 2 PRs for the 1 change

I guess sometimes, it’s good as it enforces the app/infra to support the update in a “rolling” fashion, or you take the downtime which you would anyway if the merge of the infra “broke” something for the app

~EG: you are changing CORS and adding some DNS~ bad example, you can do that one without requiring the app to be running with the new CORS

I keep wondering as I like the idea of the terraform part running on a completely detached part, with its own creds. It works sort of like Terraform Enterprise

Erik Osterman

Yea, it works similar to Terraform enterprise.

Erik Osterman

As for the workflow between your other apps and terraform, that is out of scope for atlantis

Yeah I know it is, but it is part of the same pipeline and they have to coexist, so I’m wondering about the full story for it.

Erik Osterman

Fair enough!

joshmyers

@ by default we deploy a standard backing image with ECS

joshmyers

and then use an out of band CI/CD to deploy the actual app we want

Yeah, the docker part was just an example

but if you had certain DB change for example, it would be the same

joshmyers
cloudposse/terraform-aws-ecs-web-app

Terraform module that implements a web app on ECS and supports autoscaling, CI/CD, monitoring, ALB integration, and much more. - cloudposse/terraform-aws-ecs-web-app

The container one was just an example because it makes clear the “problem” I see

but there might be other changes that should be in sync with what is deployed

Too bad Atlantis closed the PR for apply on merge, because that workflow would be sweet: atlantis saves the plan from the PR, which was approved inline, then on merge it applies that plan

2019-01-11

antonbabenko

Lots of content on your slides. Will it be an hour talk?

Erik Osterman

last I did it was ~30 minutes + 30 minute q&a

Erik Osterman

also, these are the old slides

Erik Osterman

going to revamp them before the conf

antonbabenko

Good luck with this talk. It is great to share Atlantis with the community in any way. (I am about to be involved in getting it up and running in Azure… omg)


2019-01-10

Erik Osterman

Any chance this will be live streamed or a recorded?

Erik Osterman

That’s a good question. I am not sure if it will be recorded.

Erik Osterman

I will find out.

Thanks

Erik Osterman

I’ll be giving a live demo of Atlantis

nice slides

2018-12-27

Shane

Don’t know if anyone has sway in helm/charts repo - https://github.com/helm/charts/pull/10256

Atlantis support for TLS, annotations, extra environment variables, log level, etc by sstarcher · Pull Request #10256 · helm/charts

What this PR does / why we need it: Atlantis support for TLS, annotations, extra environment variables, log level, load balancer port restrictions @jkodroff

Erik Osterman

Have you signed up for their slack? https://thawing-headland-22460.herokuapp.com/

Shane

nope did not know it existed.

Erik Osterman

it’s smallish, but you’ll get direct access to Luke who is the maintainer

Shane

thanks

2018-12-19

mumoshu

I’m rethinking my PR to add custom stages to atlantis https://github.com/cloudposse/atlantis/pull/20

can’t we just write a webhook proxy server that sits in front of atlantis instead?

it should either (1) forward the webhook payload as-is to atlantis if it is atlantis plan blah or atlantis apply or (2) run preconfigured shell commands matching the pull request comment body.

this way, we have no need to scope-creep atlantis.

in theory, it will also allow extending atlantis without modifying it in some cases, like running multiple atlantis instances each for different branch.

also, you can add a mono-image containing both atlantis and the proxy then collocate it in the same fargate svc for easy integration/hosting.

maybe I’m getting crazy but wanted some feedback!

feat/wip: Custom stages by mumoshu · Pull Request #20 · cloudposse/atlantis

This is currently an alpha-level work of what the subject states. I have not tried to think throughout all the edge-cases, but it should work in normal cases. I want to run arbitrary helmfile comma…

Erik Osterman


webhook proxy server that sits in front of atlantis instead

Erik Osterman

i mean, at this point is atlantis even in the picture?

mumoshu

i suppose you can choose

Erik Osterman

yea, like if we ultrageneralize this

Erik Osterman

webhook proxy that runs a command

mumoshu

if you bring atlantis in to the picture, you don’t need to reimplement tf-project locking and plan/apply functionalities

Erik Osterman

that command could be a taskrunner

Erik Osterman

it could be make

Erik Osterman

aha, i see

Erik Osterman

@Shane how are your atlantis adventures going?

Shane

I have not touched Atlantis in at least a week. Playing with prometheus operator atm.

Erik Osterman

@mumoshu aha! I see what you’re saying now

Erik Osterman

basically, the proxy would look at the request and decide how to route it

Erik Osterman

and alternatively, be able to call out to some thing else

Erik Osterman

it’s like a github webhook router

mumoshu

yeah that’s my point

2018-12-18

Erik Osterman
cloudposse/helmfiles

Comprehensive Distribution of Helmfiles. Works with helmfile.d - cloudposse/helmfiles

Erik Osterman

we’re using our monochart though

Erik Osterman

also, only tested it against our flavor of cloudposse/atlantis

Erik Osterman

after using monochart i get frustrated using any other charts because it’s so standardized

Erik Osterman

what’s cool, is we package this helmfile with the container, so it works like a heroku Procfile

2018-12-17

Shane
Add chart for Atlantis: by jkodroff · Pull Request #8177 · helm/charts

https://runatlantis.io Signed-off-by: Josh Kodroff [email protected] What this PR does / why we need it: There’s no Helm chart for Atlantis, and it’s a useful tool. Checklist [Place an …

2018-12-15

antonbabenko

ohh, yes, though I try to not mix work and vacation. Looking forward to my month off in July already

2018-12-14

i5okie

hi

i5okie

just recently found out what atlantis is. holy cow this is coooool

Erik Osterman

Yea, atlantis is very sweeet!

antonbabenko

@i5okie and others, I have just added Gitlab and SSM support into Atlantis AWS Fargate module - https://github.com/terraform-aws-modules/terraform-aws-atlantis/

terraform-aws-modules/terraform-aws-atlantis

Terraform configurations for running Atlantis on AWS Fargate. Github and Gitlab supported. - terraform-aws-modules/terraform-aws-atlantis

Erik Osterman

Had some time to get back to coding?

antonbabenko

Well, kind of. At the same time I need to do work for customers implementing Terraform while there are no conferences. My next travel will be in 39 days.

Erik Osterman

That’s almost like a vacation for you

2018-12-12

Erik Osterman
Introduce new `mergeable` requirement by brndnmtthws · Pull Request #385 · runatlantis/atlantis

Introduce new mergeable requirement, in similar vein to the approved requirement. Addresses #43.

davidvasandani

@Erik Osterman this was closed not merged. They preferred it was just done via custom commands.

davidvasandani

Do you have a successful workflow that implements the rebase using custom commands? It seems everyone in the GitHub comments is still working on it.

Erik Osterman

@davidvasandani it’s not closed, but looks like it will get merged any day now. Lots of interest from Luke on it.

Erik Osterman

This is not the rebase PR

davidvasandani

Thanks! This looks awesome.

Erik Osterman

I added a comment here that repos should have commands that can be run

Erik Osterman

woohoo!

Erik Osterman

@aknysh

Shane

Looks like it just got merged

Shane

That’s a nice addition

Erik Osterman
08:39:52 PM
antonbabenko

The screenshot where Erik is talking to Erik inspired me to click the link. Massive document you guys are composing! Bookmarked to read next week!

Erik Osterman

Lol yes! I have multiple representatives

Erik Osterman

@Shane what do you think about this?

Shane

so that would be a global setting for any terraform in that repo to allow for executing something prior aka in your example rebase?

Shane

That’s likely helpful as you want to do it before plan and before apply so you would not want it to be part of the apply/plan chain

Erik Osterman

My understanding is that it’s generalized settings for a particular repo

Erik Osterman

so in your case, it’s that you want to rebase after checking out

Erik Osterman

in our case, we wanted to update submodules

Erik Osterman

i am thinking this could maybe be solved in the generalized way of adding commands

Shane

ya, that sounds reasonable

Erik Osterman

(not sure if there are global settings - which would also be nice)

Shane

basically any action that you wanted to fire off, before a command.

Shane

kind of a pre-hook for any action

Erik Osterman

yea, almost like a pre-hook indeed

Shane

maybe changing the name to something like pre-command would make more sense

Shane

or pre-actions

Erik Osterman

oh, so id is a regex, so it’s possible to set globals

Erik Osterman
08:45:09 PM

2018-12-05

Shane

anyone else see an issue with atlantis with multiple github hooks being processed

Shane
05:30:25 PM
Shane

…. apparently the tool I’m using to display logs is the culprit…

Shane

with a stateful set whenever you have a new container it tails that container, but since it’s the same name it tails it X amount of times where X is the amount of new containers that have started since you started the tail….

Erik Osterman

which tool are you using?

Shane
atombender/ktail

ktail is a tool to easily tail Kubernetes logs. Contribute to atombender/ktail development by creating an account on GitHub.

Erik Osterman

btw, if you’re not able to get your PR merged upstream in atlantis, we’ll accept it in cloudposse/atlantis

Erik Osterman
add flag for rebasing branch off master by sstarcher · Pull Request #374 · runatlantis/atlantis

This adds a flag to the CLI to have the PR rebased onto the master branch when the flag –rebase-repo is set. I did not implement the configuration for the atlantis.yml as I was not sure if we woul…

Shane

Good to know thanks

Erik Osterman

@Shane

2018-12-04

Shane

Anyone want to have a conversation around - https://github.com/runatlantis/atlantis/issues/43

Add new "mergeable" apply requirement · Issue #43 · runatlantis/atlantis

Issue by @lkysow Thursday Nov 30, 2017 at 06:54 GMT Migrated from hootsuite/atlantis#210 Why was it migrated? GitHub has lots of branch protections that we could support in Atlantis by requiring th…

Shane

I would like to implement it, but I want to get some opinions

aknysh

@Shane let’s discuss that

aknysh

we already added some security to our atlantis fork https://github.com/cloudposse/atlantis/releases/tag/0.1.0

cloudposse/atlantis

GitOps for Teams (experimental hard fork of atlantis) - cloudposse/atlantis

Erik Osterman

@mumoshu would maybe also be interested in that flag

Erik Osterman

He got busy with Reinvent so couldn’t get back to his PR for custom stages

Shane

My prime interest is in using the mergeable state and allowing github to do the logic on if it’s safe to apply.

Erik Osterman

I think the interface laid out by Luke looks good by adding a parameter like the require-approval

Erik Osterman

Add require-mergeability

Erik Osterman

I think it should be also available to “plan”

Erik Osterman

A user can execute any command as part of plan

Shane

In that case, would it be better to create 2 separate flags or a flag that has a value and requires mergeability for all steps below it in the chain?

aknysh

would we want to do plan even if the PR could not be merged for any reason?

Erik Osterman

So right now there are “apply_requirements”, then maybe “plan_requirements” for consistency

Shane

So if that’s how that was designed how would you layout the flags

Shane

Would you do a flag per state?

Erik Osterman

Yep, I think that’s how it would work

Erik Osterman

“State” in this case refers to…?

Shane

stage as in plan, apply

aknysh

we played a bit with the GitHub branch protection API in Go, something for reference https://github.com/cloudposse/github-status-updater/blob/master/main.go#L145

cloudposse/github-status-updater

Command line utility for updating GitHub commit statuses and enabling required status checks for pull requests - cloudposse/github-status-updater

Shane

@aknysh thanks I’ll take a look

Shane

Stab at adding support for rebasing onto master - https://github.com/runatlantis/atlantis/pull/374

add flag for rebasing branch off master by sstarcher · Pull Request #374 · runatlantis/atlantis

This adds a flag to the CLI to have the PR rebased onto the master branch when the flag –rebase-repo is set. I did not implement the configuration for the atlantis.yml as I was not sure if we woul…

Erik Osterman

that’s cool!

Shane

I implemented it in the simplest way as possible that fits my use-case please let me know if you would like to see any tweaks.

Erik Osterman

makes sense - i hadn’t considered the fact we should be rebasing before running plan/apply, but agree since we always do that before merging.

Erik Osterman

dependabot does that - which is nice

2018-12-03

Shane

@ for my setup we have all of our terraform in a single repo with 3 folders, dev, prod, stg and a single atlantis that applies them all.

Erik Osterman

yea, I think that’s the most common approach and the use-case I think atlantis was originally built for

Erik Osterman

the part about that I struggle with is controlling access and reducing blast radius

Erik Osterman

this is why we forked atlantis to implement the basic ACLs

Erik Osterman

those ACLs are scoped to a particular instance of atlantis

Erik Osterman

then we can deploy atlantis into different AWS accounts and control who can do what based on GitHub team membership

Shane

we do that by using CODEOWNERS and requiring approval before an apply

Erik Osterman
Restrict Plan or Apply to Github Teams or Github Users · Issue #308 · runatlantis/atlantis

what Allow operator to define a list of permitted users who can trigger atlantis commands why Currently, the only way to restrict access is by adding/revoking users from a repository altogether. We…

Erik Osterman

has something changed?

Erik Osterman

Last I was aware, CODEOWNERS prevents merging, but mergability is not yet used to determine who can plan or apply

Shane

My understanding was that it linked into the approval process. I’ll verify that requirement.

Erik Osterman

it does, but it only requires that one of the CODEOWNERS approves

Erik Osterman

but it doesn’t prevent anyone else from also approving

Erik Osterman

and atlantis only checks if it has been approved

Erik Osterman

but not if it can be merged

Erik Osterman
Add new "mergeable" apply requirement · Issue #43 · runatlantis/atlantis

Issue by @lkysow Thursday Nov 30, 2017 at 06:54 GMT Migrated from hootsuite/atlantis#210 Why was it migrated? GitHub has lots of branch protections that we could support in Atlantis by requiring th…

Shane

@Erik Osterman ahh good catch

Shane

I guess I should put in some PRs

2018-12-02

Hey all, I’ve been playing around with Atlantis and I’m at a point where I want proof of concept this in an actual workflow. My setup for AWS accounts one per environment (dev, stg, prd) with an instance of Atlantis in each account/environment. Dev teams will hook into Atlantis via an atlantis.yml and webhook. This is what my question revolves around, in this sort of setup, what does the webhook setup for a repository look like if you have 3 separate Atlantis instances?

Erik Osterman

So, it basically comes down to how you organize your infra. In our case, we have 1 repo per AWS account.

Erik Osterman

and then a terraform-root-modules that acts like a library we can pull from

Erik Osterman

so then in each of our account repos, we pull in the terraform root modules that we want to use

Do you treat application repos the same way? And how do you promote changes from one env to the other? For instance, in the case you’re talking about, say i’ve made some changes to the vpc in the dev repo that needs to be reflected in stg and prd.

Erik Osterman

so all changes are made to terraform-root-modules and tagged

Erik Osterman

then you update the tag in the corresponding environment with a PR <– which you can use atlantis to execute

2018-12-01

rohit

Hello. So i am thinking about using Atlantis and was wondering how to set it up

rohit

Also, is it possible to run terraform commands when we use atlantis?

rohit

like for example, terraform workspace command

Erik Osterman

Yes, you can run any arbitrary commands

Erik Osterman

Atlantis understands workspaces too

Erik Osterman

@antonbabenko has a module for it

antonbabenko

https://github.com/terraform-aws-modules/terraform-aws-atlantis - I have not used it much since the release, so it may require some polishing.

terraform-aws-modules/terraform-aws-atlantis

Terraform configurations for running Atlantis on AWS Fargate - terraform-aws-modules/terraform-aws-atlantis

rohit

awesome

rohit

so once atlantis is set up, do we run arbitrary commands in github?

antonbabenko

yes, in a github PR comment users should be able to write everything atlantis can recognize, e.g. atlantis plan

rohit

nice

2018-11-30

Erik Osterman
11:26:43 PM

@Erik Osterman set the channel topic:

2018-11-16

Erik Osterman

@aknysh we have been talking about how to extend atlantis for helmfile here https://github.com/roboll/helmfile/issues/386

Github PR workflow support similar to Atlantis · Issue #386 · roboll/helmfile

A workflow similar to Atlantis for terraform would be a killer feature for helmfile - https://github.com/runatlantis/atlantis/

Erik Osterman

@mumoshu one of the maintainers of our other favorite tool (#helmfile) has expressed interest in possibly helping out.

mumoshu
04:58:23 PM

@mumoshu has joined the channel

aknysh

that sounds great

Erik Osterman

@Shane do you also want to collaborate on some helmfile+atlantis improvements?

Shane

Sure, we are rolling out Atlantis for our terraform and people are loving it. If we could get some nice setup for atlantis for helmfile that would be great.

Shane

My main concern is all of the ways that helmfile works… so many usecases have been added that supporting it all proves painful.

Shane

terraform has a nice concise handling with modules

2018-10-30

nukepuppy
03:12:28 PM

@nukepuppy has joined the channel

2018-10-29

Kenny Inggs
12:00:09 PM

@Kenny Inggs has joined the channel

2018-10-27

Dombo
07:49:43 AM

@Dombo has joined the channel

03:03:20 AM

@ has joined the channel

2018-10-25

joshmyers
11:06:40 AM

@joshmyers has joined the channel

02:59:20 PM

@ has joined the channel

2018-10-24

jsanchez
06:53:39 PM

@jsanchez has joined the channel

Steven
06:58:17 PM

@Steven has joined the channel

sprutner

came here to post that

sprutner

exciting news, curious to see how it is implemented. there were some thing in Enterprise 1.0 I didn’t like

Erik Osterman

yea, we’re cautiously optimistic

Erik Osterman

we’ve just started investing in atlantis 1 month ago and in that time a few big things happened

Erik Osterman

1) luke goes to hashicorp

Erik Osterman

2) github releases actions

Erik Osterman

3) hashicorp announces a free tier

Erik Osterman

i guess if anything we using this as an opportunity to refine the workflow

Erik Osterman

the tooling matters a little bit less

Erik Osterman

our atlantis fork supports permissions

Erik Osterman

…uses github teams

Erik Osterman

granular control down to plan, apply and destroy (we added destroy too)

aknysh

And custom wake word

aknysh

atlantis/root

2018-10-23

Erik Osterman
Terraform Collaboration for Everyone

HashiCorp announces improved configuration language, remote operations, and new, free collaboration features for HashiCorp Terraform….

sarkis
06:37:48 PM

@sarkis has joined the channel

ankur
06:44:28 PM

@ankur has joined the channel

Erik Osterman


“We’ve just started using Atlantis here at PagerDuty and this is totally exciting news. Also I’ll keep an eye out for you at HashiConf :”

jarv
07:39:29 PM

@jarv has joined the channel

2018-10-22

Erik Osterman
10:02:38 PM

@Erik Osterman has joined the channel

Erik Osterman
10:02:38 PM

@Erik Osterman set the channel purpose: Discuss the Atlantis (http://runatlantis.io)

aknysh
10:02:38 PM

@aknysh has joined the channel

antonbabenko
10:02:38 PM

@antonbabenko has joined the channel

10:02:38 PM

@ has joined the channel

sprutner
10:02:57 PM

@sprutner has joined the channel

Erik Osterman

Our experimental hard-fork is here: https://github.com/cloudposse/atlantis

cloudposse/atlantis

GitOps for Teams (experimental hard fork of atlantis) - cloudposse/atlantis

Erik Osterman

Goal is to upstream these changes, but due to some bigger plans by Luke (current maintainer), looks like it will be difficult to get some of these accepted quickly.

10:07:20 PM

@ has joined the channel

Vi
10:15:45 PM

@Vi has joined the channel

ndobbs
10:19:16 PM

@ndobbs has joined the channel

Wes
02:27:16 AM

@Wes has joined the channel
