#atlantis (2019-08)

atlantis

Discuss Atlantis (<http://runatlantis.io>)

**Archive:** https://archive.sweetops.com/atlantis/

2019-08-10

rohit

Hi. I posted the below question in the Atlantis Slack channel; I am also asking the same here.

rohit

Is it possible to run a plan against the master branch? I do not have a branch, so I cannot submit a PR, but I want to run terraform plan against a workspace.

2019-08-11

Callum Robertson

Hey guys, how are you running Terragrunt with Atlantis? I’m currently doing the following:

  1. Set up an ECS Fargate cluster that uses a single service task definition that runs my own Atlantis image containing Terragrunt.
  2. When the Fargate nodes spin up through Terraform, they use my machine’s environment variables for an access key & secret to authenticate against the provider blocks Atlantis runs against.
  3. Atlantis is using my GitHub user token but cannot access private repositories? I’ve had to make them public (the repos don’t have any secrets or sensitive information).

I’m pretty new in this space but I’m wondering the following:

  1. Is what I’ve done considered good practice?
  2. How do you configure Atlantis to talk to private git repositories? Do you have to create a root SSH folder to store a private key?
  3. What’s the best way to authenticate against the AWS providers? Right now, without Atlantis, I use role assumption from a user in the security account with MFA. It looks like the simplest way here is to just create a key pair to deploy in the Atlantis host’s environment variables? I need Atlantis to authenticate against the backend as well as various accounts to deploy Terraform build artefacts against.

Jonathan

@Callum Robertson I’m also using Atlantis, Terragrunt and Fargate. I have a “live” repo and a “modules” repo, both of which are private. In order to access private GitHub repos, I considered adding SSH keys but I decided that was an ugly solution since Atlantis already has a GitHub token. To use the token I needed to make a custom Atlantis-Terragrunt Docker image with the addition of two files.

Jonathan

This file forces git to use https so that the token can be used. It needs to be moved into the /home/atlantis/ folder during the docker image build.

Jonathan

This file adds the token value to the .gitconfig file with a value that is already in the Atlantis environment. It needs to be called somehow by the docker entry point file.

Jonathan

I’m also using Atlantis and Terragrunt in a multi-account AWS setup. I did not add key/pair to deploy in the Atlantis hosts environment variables. I really try to never use key pairs. I don’t think that’s as secure as using ECS task roles with a cross account access policy. To assume roles, I use the --terragrunt-iam-role flag in the atlantis.yaml file.

Jonathan

This is how I bootstrap a Terraform slave account:

  • Using the console, I create an IAM role in the slave account. Call it something like: TerraformCrossAccountAccessRole.

https://console.aws.amazon.com/iam/home?#/roles$new?step=type&roleType=crossAccount

  • When prompted, enter the AWS account number of the Terraform master account. Don’t require MFA as this will be programmatic access only.
  • Attach the AdministratorAccess policy.
  • Enter a description: “This role allows Terraform to administer all AWS resources in this account.”

The generated role will be called something like: arn:aws:iam::123456789012:role/TerraformCrossAccountAccessRole.

The account number in the ARN above is the account number of the slave.

When I call Terragrunt from Atlantis in my Terraform master account, I assume the role in the slave account that I created above. Each of my AWS slave accounts has a different directory-based workflow that calls an apply step like this:

```yaml
- run: echo 'y' | terragrunt apply-all -no-color --terragrunt-iam-role "arn:aws:iam::123456789012:role/TerraformCrossAccountAccessRole"
```

Jonathan

If you are interested in this approach, I’m happy to add more detail, share my Dockerfile, etc.

Callum Robertson

hey @Jonathan this would be awesome!

Callum Robertson

I’ve got the same setup; I’ve got a working “live” directory that is a multi-AWS-account setup, so assume-role is a must-have for me.

Callum Robertson

I’ll have a look at that flag, I assumed you had to generate a session token and put them in your env before assuming a role

Jonathan

For AWS? If I understand your question correctly, nope. No session token in Atlantis ENV. My Atlantis ECS task has enough privileges to assume this role.

Jonathan

This is my custom Dockerfile for Atlantis and Terragrunt that allows the use of a token instead of SSH. It will need the two files I posted above in the same folder where docker build is being called.

Callum Robertson

Ah of course it does!

Callum Robertson

You’re a weapon @Jonathan, really appreciate this! I’ll set this up tomorrow and let you know how I get on.

Callum Robertson

This fits my use-case perfectly

2019-08-12

Erik Osterman (Cloud Posse)

fwiw, we do something similar to what @Jonathan prescribes

Erik Osterman (Cloud Posse)

We use #geodesic with this init script

Erik Osterman (Cloud Posse)

cloudposse/geodesic

Geodesic is a cloud automation shell. It's the fastest way to get up and running with a rock solid, production grade cloud platform built on top of strictly Open Source tools. ★ this repo! h…

2019-08-13

Callum Robertson

Hey @Jonathan I got it working wonderfully! Thanks mate - this is what these communities are for, really appreciate you putting in the time and setting me on the right track. Kudos!
