#atlantis (2019-04)

atlantis

Discuss Atlantis (<http://runatlantis.io>)

**Archive:** https://archive.sweetops.com/atlantis/

2019-04-29

rohit

what is the best way to set up atlantis in AWS?

2019-04-30

Erik Osterman (Cloud Posse)

this is actually a surprisingly big question.

Erik Osterman (Cloud Posse)

we’ve deployed atlantis now many times in many different configurations

Erik Osterman (Cloud Posse)

our current best practice is to deploy it as an ECS fargate task with an ALB configured with OIDC

Erik Osterman (Cloud Posse)
cloudposse/terraform-root-modules

Example Terraform service catalog of “root module” blueprints for provisioning reference architectures - cloudposse/terraform-root-modules

aaratn

@Erik Osterman (Cloud Posse) - Any hints how we can do this with terragrunt + atlantis?

Erik Osterman (Cloud Posse)

to use terragrunt you just need to define your own workflow in the atlantis.yaml

Erik Osterman (Cloud Posse)

don’t depend on the built-in plan and apply steps of atlantis

Erik Osterman (Cloud Posse)

we define a make workflow that you can borrow

Erik Osterman (Cloud Posse)

then you just define the steps in your Makefile for the project

aaratn

Got it! We used to use a lot of makefiles before terragrunt but I got what you are saying. Use makefiles + terragrunt on atlantis

Erik Osterman (Cloud Posse)
cloudposse/testing.cloudposse.co

Example Terraform Reference Architecture that implements a Geodesic Module for an Automated Testing Organization in AWS - cloudposse/testing.cloudposse.co

Erik Osterman (Cloud Posse)

```yaml
workflows:
  make:
    plan:
      steps:
        - run: "make reset deps"
        - run: "set -o pipefail; make plan | tfmask | scenery --no-color"
    apply:
      steps:
        - run: "set -o pipefail; make apply | tfmask"
```

Erik Osterman (Cloud Posse)

so a project just defines a Makefile with a plan and apply target

Erik Osterman (Cloud Posse)
cloudposse/terraform-root-modules

Example Terraform service catalog of “root module” blueprints for provisioning reference architectures - cloudposse/terraform-root-modules

Erik Osterman (Cloud Posse)

our Makefile looks like this

Erik Osterman (Cloud Posse)
cloudposse/tfenv

Transform environment variables for use with Terraform (e.g. HOSTNAME → TF_VAR_hostname) - cloudposse/tfenv

Erik Osterman (Cloud Posse)

so we don’t need a wrapper like terragrunt

aaratn

Interesting!

aaratn

Any clues to do a dry run before apply?

Erik Osterman (Cloud Posse)

you mean terraform plan?

aaratn

the terraform plan doesn’t necessarily succeed

aaratn

Like, e.g., you define a wrong instance type in terraform plan and it will succeed but it will fail when you actually apply it

Erik Osterman (Cloud Posse)

haha, yea, too true

Erik Osterman (Cloud Posse)

technically there’s https://github.com/wata727/tflint

wata727/tflint

TFLint is a Terraform linter for detecting errors that can not be detected by terraform plan - wata727/tflint

Erik Osterman (Cloud Posse)

but IMO this is a lost cause with terraform

Erik Osterman (Cloud Posse)

instead, practice “git flow” and only merge upon successful apply -> “the atlantis way”

aaratn

apply is sometimes dangerous

Erik Osterman (Cloud Posse)

Always practice plan apply workflow

Erik Osterman (Cloud Posse)

Write plan to out file

Erik Osterman (Cloud Posse)

Do code review

Erik Osterman (Cloud Posse)

Apply outfile

Erik Osterman (Cloud Posse)

This is enforced by Atlantis

Erik Osterman (Cloud Posse)

Require approvals before apply

joshmyers

tflint can help with some of this, even checking your AMI type is available in the region you run in AFAICR

aaratn

Yeah but the solutions are in bits and pieces. I have seen some complex issues where terraform plan only validates the value type, i.e. string, list, map etc and doesn’t actually do a dry run by hitting the aws api.

Erik Osterman (Cloud Posse)

yup, there’s no substitute for “doing” :smiley: just gotta apply it in the end when it comes to terraform. this is another reason I don’t advocate running terraform apply after merge, but instead running it before merge the way atlantis does it.

aaratn

Doing terraform apply before the merge can be good if there are no tfstate dependencies

Erik Osterman (Cloud Posse)

we have tons of tfstate dependencies using the terraform remote state provider.

Erik Osterman (Cloud Posse)

but each tfstate has its own SDLC

Erik Osterman (Cloud Posse)
cloudposse/terraform-root-modules

Example Terraform service catalog of “root module” blueprints for provisioning reference architectures - cloudposse/terraform-root-modules

aaratn

Same practice that we follow. We try to avoid using cross-project tfstate dependencies; however, some base tfstates are being used by all the projects, e.g. vpc

rohit
cloudposse/terraform-root-modules

Example Terraform service catalog of “root module” blueprints for provisioning reference architectures - cloudposse/terraform-root-modules

Erik Osterman (Cloud Posse)

@antonbabenko manages terraform-aws-modules/atlantis

Erik Osterman (Cloud Posse)
it uses the <#CDYGZCLDQ> which we (cloudposse) do not manage
antonbabenko
Yeah, I am not very active in <#CDYGZCLDQ> either, but you can try to ask in public GitHub. Maybe others can help you faster there.