#atlantis (2018-12)

atlantis

Discuss the Atlantis (http://runatlantis.io|runatlantis.io) *Archive: * https://archive.sweetops.com/atlantis/

2018-12-27

Shane avatar
Shane

Don’t know if anyone has sway in helm/charts repo - https://github.com/helm/charts/pull/10256

Atlantis support for TLS, annotations, extra environment variables, log level, etc by sstarcher · Pull Request #10256 · helm/charts

What this PR does / why we need it: Atlantis support for TLS, annotations, extra environment variables, log level, load balancer port restrictions @jkodroff

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Have you signed up for their slack? https://thawing-headland-22460.herokuapp.com/

Atlantis support for TLS, annotations, extra environment variables, log level, etc by sstarcher · Pull Request #10256 · helm/charts

What this PR does / why we need it: Atlantis support for TLS, annotations, extra environment variables, log level, load balancer port restrictions @jkodroff

Shane avatar
Shane

nope did not know it existed.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

it’s smallish, but you’ll get direct access to Luke who is the maintainer

Shane avatar
Shane

thanks

2018-12-19

mumoshu avatar
mumoshu

im rethinking my pr to add custom stages to atlantis https://github.com/cloudposse/atlantis/pull/20

can’t we just a write a webhook proxy server that sits in front of atlantis instead?

it should either (1) forward the webhook payload as-is to atlantis if it is atlantis plan blah or atlantis apply or (2) run preconfigured shell commands matching the pull request comment body.

this way, we have no need to scope-creep atlantis.

in theory, it will also allow extending atlantis without modifying it in some cases, like running multiple atlantis instances each for different branch.

also, you can add a mono-image containing both atlantis and the proxy then collocate it in the same fargate svc for easy integration/hosting.

maybe im getting crazy but wanted some feedback!

feat/wip: Custom stages by mumoshu · Pull Request #20 · cloudposse/atlantis

This is currently an alpha-level work of what the subject states. I have not tried to think throughout all the edge-cases, but it should work in normal cases. I want to run arbitrary helmfile comma…

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)


webhook proxy server that sits in front of atlantis instead

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

i mean, at this point is atlantis even in the picture?

mumoshu avatar
mumoshu

i suppose you can choose

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

yea, like if we ultrageneralize this

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

webhook proxy that runs a command

mumoshu avatar
mumoshu

if you bring atlantis in to the picture, you don’t need to reimplement tf-project locking and plan/apply functionalities

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

that command could be a taskrunner

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

it could be make

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

aha, i see

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

@Shane how are your atlantis adventures going?

Shane avatar
Shane

I have not touched Atlantis in at least a week. Playing with prometheus operator atm.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

@mumoshu aha! I see what you’re staying now

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

basically, the proxy would look at the request and decide how to route it

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

and alternatively, be able to call out to some thing else

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

it’s like a github webhook router

mumoshu avatar
mumoshu

yeah that’s my point :–1:

2

2018-12-18

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
cloudposse/helmfiles

Comprehensive Distribution of Helmfiles. Works with helmfile.d - cloudposse/helmfiles

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

we’re using our monochart though

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

also, only tested it against our flavor of cloudposse/atlantis

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

after using monochart i get frustrated using any other charts because it’s so standardized

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

what’s cool, is we package this helmfile with the container, so it works like a heroku Procfile

2018-12-17

Shane avatar
Shane
Add chart for Atlantis: by jkodroff · Pull Request #8177 · helm/charts

https://runatlantis.io Signed-off-by: Josh Kodroff [email protected] What this PR does / why we need it: There's no Helm chart for Atlantis, and it's a useful tool. Checklist [Place an …

2018-12-15

antonbabenko avatar
antonbabenko

ohh, yes, though I try to not mix work and vacation. Looking forward to my month off in July already

2018-12-14

i5okie avatar
i5okie

hi

i5okie avatar
i5okie

just recently found out what atlantis is. holy cow this is coooool

:--1:1
fiesta_parrot2
Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Yea, atlantis is very sweeet!

antonbabenko avatar
antonbabenko

@i5okie and others, I have just added Gitlab and SSM support into Atlantis AWS Fargate module - https://github.com/terraform-aws-modules/terraform-aws-atlantis/

terraform-aws-modules/terraform-aws-atlantis

Terraform configurations for running Atlantis on AWS Fargate. Github and Gitlab supported. - terraform-aws-modules/terraform-aws-atlantis

:--1:2
Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Had some time to get back to coding?

antonbabenko avatar
antonbabenko

Well, kind of. At the same time I need to do work for customers implementing Terraform while there are no conferences. My next travel will be in 39 days.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

That’s almost like a vacation for you

2018-12-12

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
Introduce new `mergeable` requirement by brndnmtthws · Pull Request #385 · runatlantis/atlantis

Introduce new mergeable requirement, in similar vein to the approved requirement. Addresses #43.

davidvasandani avatar
davidvasandani

@Erik Osterman (Cloud Posse) this was closed not merged. They preferred it was just done via custom commands.

Introduce new `mergeable` requirement by brndnmtthws · Pull Request #385 · runatlantis/atlantis

Introduce new mergeable requirement, in similar vein to the approved requirement. Addresses #43.

davidvasandani avatar
davidvasandani

Do you have a successful workflow that implements the rebase using custom commands? It seems everyone in the GitHub comments is still working on it.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

@davidvasandani it’s not closed, but looks like it will get merged any day now. Lot’s of interest from Luke on it.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

This is not the rebase PR

davidvasandani avatar
davidvasandani

Thanks! This looks awesome.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

I add a comment here that repos should have commands that can be run

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

woohoo!

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

@Andriy Knysh (Cloud Posse)

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

Shane avatar
Shane

Looks like it just got merged

Shane avatar
Shane

That’s a nice addition

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
08:39:52 PM
antonbabenko avatar
antonbabenko

The screenshot where Erik is talking to Erik inspired me to click the link Massive document you guys are composing! Bookmarked to read next week!

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Lol yes! I have multiple representatives

1
Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

@Shane what do you think about this?

Shane avatar
Shane

so that would be a global setting for any terraform in that repo to allow for executing something prior aka in your example rebase?

Shane avatar
Shane

That’s likely helpful as you want to do it before plan and before apply so you would not want it to be part of the apply/plan chain

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

My understanding is that it’s generalized settings for a particular repo

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

so in your case, it’s that you want to rebase after checking out

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

in our case, we wanted to update submodules

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

i am thinking this could maybe be solved in the generalized way of adding commands

Shane avatar
Shane

ya, that sounds reasonable

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

(not sure if there are global settings - which would also be nice)

Shane avatar
Shane

basically any action that you wanted to fire off, before a command.

Shane avatar
Shane

kind of a pre-hook for any action

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

yea, almost like a pre-hook indeed

Shane avatar
Shane

maybe changing the name to something like pre-command would make more sense

Shane avatar
Shane

or pre-actions

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

oh, so id is a regex, so it’s possible to set globals

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
08:45:09 PM

2018-12-05

Shane avatar
Shane

anyone else see an issue with atlantis with multiple github hooks being processed

Shane avatar
Shane
05:30:25 PM
Shane avatar
Shane

…. apparently the tool I’m using to display logs is the culprit…

Shane avatar
Shane

with a stateful set whenever you have a new container it tails that container, but since it’s the same name it tails it X amount of times where X is the amount of new containers that have started since you started the tail….

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

which tool are you using?

Shane avatar
Shane
atombender/ktail

ktail is a tool to easily tail Kubernetes logs. Contribute to atombender/ktail development by creating an account on GitHub.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

btw, if you’re not able to get your PR merged upstream in atlantis, we’ll accept it in cloudposse/atlantis

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
add flag for rebasing branch off master by sstarcher · Pull Request #374 · runatlantis/atlantis

This adds a flag to the CLI to have the PR rebased onto the master branch when the flag –rebase-repo is set. I did not implement the configuration for the atlantis.yml as I was not sure if we woul…

Shane avatar
Shane

Good to know thanks

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

@Shane

2018-12-04

Shane avatar
Shane

Anyone want to have a conversation around - https://github.com/runatlantis/atlantis/issues/43

Add new "mergeable" apply requirement · Issue #43 · runatlantis/atlantis

Issue by @lkysow Thursday Nov 30, 2017 at 06:54 GMT Migrated from hootsuite/atlantis#210 Why was it migrated? GitHub has lots of branch protections that we could support in Atlantis by requiring th…

Shane avatar
Shane

I would like to implement it, but I want to get some opinions

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

@Shane let’s discuss that

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

we already added some security to our atlantis fork https://github.com/cloudposse/atlantis/releases/tag/0.1.0

cloudposse/atlantis

GitOps for Teams (experimental hard fork of atlantis) - cloudposse/atlantis

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
cloudposse/atlantis

GitOps for Teams (experimental hard fork of atlantis) - cloudposse/atlantis

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

@mumoshu would maybe also be interested in that flag

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

He got busy with Reinvent so couldn’t get back to his PR for custom stages

Shane avatar
Shane

My prime interest is in using the merge able state and allowing github to do the logic on if it’s safe to apply.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

I think the interface laid out by Luke looks good by adding a parameter like the require-approval

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Add require-mergability

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

I think it should be also available to “plan”

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

A user can execute any command as part of plan

Shane avatar
Shane

In that case would it be better to create 2 separate flags or a flag that has a value and requires mergability for all steps below it in the chain

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

would we want to do plan even if the PR could not be merged for any reason?

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

So right now there are “apply_requirements”, then maybe “plan_requirements” for consistency

Shane avatar
Shane

So if that’s how that was designed how would you layout the flags

Shane avatar
Shane

Would you do a flag per state?

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Yep, I think that’s how it would work

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

“State” in this case refers to…?

Shane avatar
Shane

stage as in plan, apply

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

we played a bit with the GitHub branch protection API in Go, something for reference https://github.com/cloudposse/github-status-updater/blob/master/main.go#L145

cloudposse/github-status-updater

Command line utility for updating GitHub commit statuses and enabling required status checks for pull requests - cloudposse/github-status-updater

Shane avatar
Shane

@Andriy Knysh (Cloud Posse) thanks I’ll take a look

Shane avatar
Shane

Stab at adding support for rebasing onto master - https://github.com/runatlantis/atlantis/pull/374

add flag for rebasing branch off master by sstarcher · Pull Request #374 · runatlantis/atlantis

This adds a flag to the CLI to have the PR rebased onto the master branch when the flag –rebase-repo is set. I did not implement the configuration for the atlantis.yml as I was not sure if we woul…

:--1:1
Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

that’s cool!

Shane avatar
Shane

I implemented it in the simplest way as possible that fits my use-case please let me know if you would like to see any tweaks.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

makes sense - i hadn’t considered the fact we should be rebasing before running plan/apply, but agree since we always do that before merging.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

dependabot does that - which is nice

2018-12-03

Shane avatar
Shane

@arwin.tugade for my setup we have all of our terraform in a single repo with 3 folders, dev, prod, stg and a single atlantis that applies them all.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

yea, I think that’s the most common approach and the use-case I think atlantis was originally built for

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

the part about that I struggle with is controlling access and reducing blast radius

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

this is why we forked atlantis to implement the basic ACLs

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

those ACLs are scoped to a particular instance of atlantis

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

then we can deploy atlantis into different AWS accounts and control who can do what based on GitHub team membership

1
:--1:1
Shane avatar
Shane

we do that by using CODEOWNERS and requiring approval before an apply

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
Restrict Plan or Apply to Github Teams or Github Users · Issue #308 · runatlantis/atlantis

what Allow operator to define a list of permitted users who can trigger atlantis commands why Currently, the only way to restrict access is by adding/revoking users from a repository altogether. We…

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

has something changed?

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Last I was aware, CODEOWNERS prevents merging, but mergability is not yet used to determine who can plan or apply

Shane avatar
Shane

My understanding was that it linked into the approval process. I’ll verify that requirement.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

it does, but it only requires that one of the CODEOWNERS approves

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

but it doesn’t prevent anyone else from also approving

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

and atlantis only checks if it has been approved

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

but not if it can be merged

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
Enforce only certain people can plan/apply · Issue #103 · runatlantis/atlantis

Via @psalaberria002, would like to be able to only allow certain people to run apply.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
Add new "mergeable" apply requirement · Issue #43 · runatlantis/atlantis

Issue by @lkysow Thursday Nov 30, 2017 at 06:54 GMT Migrated from hootsuite/atlantis#210 Why was it migrated? GitHub has lots of branch protections that we could support in Atlantis by requiring th…

Shane avatar
Shane

@Erik Osterman (Cloud Posse) ahh good catch

Shane avatar
Shane

I guess I should put in some PRs

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

2018-12-02

arwin.tugade avatar
arwin.tugade

Hey all, I’ve been playing around with Atlantis and I’m at a point where I want proof of concept this in an actual workflow. My setup for AWS accounts one per environment (dev, stg, prd) with an instance of Atlantis in each account/environment. Dev teams will hook into Atlantis via an atlantis.yml and webhook. This is what my question revolves around, in this sort of setup, what does the webhook setup for a repository look like if you have 3 separate Atlantis instances?

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

So, it basically comes down to how you organize your infra. In our case, we have 1 repo per AWS account.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

and then a terraform-root-modules that acts like a library we can pull from

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

so then in each of our account repos, we pull in the terraform root modules that we want to use

arwin.tugade avatar
arwin.tugade

Do you treat application repos the same way? And how do you promote changes from one env to the other? For instance, in the case you’re talking about, say i’ve made some changes to the vpc in the dev repo that needs to be reflected in stg and prd.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

so all changes are made to terraform-root-modules and tagged

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

then you update the tag in the corresponding environment with a PR <– which you can use atlantis to execute

2018-12-01

rohit avatar
rohit

Hello. So i am thinking about using Atlantis and was wondering how to set it up

rohit avatar
rohit

Also, is it possible to run terraform commands when we use atlantis ?

rohit avatar
rohit

like for example, terraform workspace command

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Yes, you can run any arbitrary commands

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Atlantis understands workspaces too

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

@antonbabenko has module for it

antonbabenko avatar
antonbabenko

https://github.com/terraform-aws-modules/terraform-aws-atlantis - I have not used it much since the release, so it may require some polishing.

terraform-aws-modules/terraform-aws-atlantis

Terraform configurations for running Atlantis on AWS Fargate - terraform-aws-modules/terraform-aws-atlantis

rohit avatar
rohit

awesome

rohit avatar
rohit

so once atlantis is setup, do we run arbitrary commands in github ?

antonbabenko avatar
antonbabenko

yes, in github PR comment users should be able to write everything atlantis can recognize - atlantis plan

rohit avatar
rohit

nice

    keyboard_arrow_up