#atlantis (2019-08)

atlantis

Discuss the Atlantis (http://runatlantis.io|runatlantis.io) *Archive: * https://archive.sweetops.com/atlantis/

2019-08-13

Callum Robertson avatar
Callum Robertson

Hey @Jonathan I got it working wonderfully! Thanks mate - this is what these communities are for, really appreciate you putting in the time and setting me on the right track. Kudos!

:--1:4

2019-08-12

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

fwiw, we do something similar to what @Jonathan prescribes

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

We use #geodesic with this init script

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
cloudposse/geodesic

Geodesic is a cloud automation shell. It's the fastest way to get up and running with a rock solid, production grade cloud platform built on top of strictly Open Source tools. ★ this repo! h…

:--1:3

2019-08-11

Callum Robertson avatar
Callum Robertson

Hey guys, how are you running Terragrunt with Atlantis? I’m currently doing the following:

  1. Setup an ECS Fargate cluster that uses a single service task definition that runs my own Atlantis image containing Terragrunt.
  2. When the Fargate nodes spin up through terraform, they use my machines environment variables for an access key & secret to authenticate against the provider blocks Atlantis runs against
  3. Atlantis is using my Github User Token but cannot access private repositories? I’ve had to make them public (the repos don’t have any secrets or sensitive information)

I’m pretty new in this space but I’m wondering the following:

  1. what I’ve done is considered good-practice?
  2. How do you configure Atlantis to talk to git private repositories? Do you have create a root ssh folder to store a private key?
  3. Whats the best way to authenticate against the AWS providers, right now without Atlantis I use role assumption from a user in the security account with MFA, it looks like the simplest way here is to just create a key/pair to deploy in the Atlantis hosts environment variables? I need Atlantis to authenticate against the backend as well as various accounts to deploy terraform build artefacts against
Jonathan avatar
Jonathan

@Callum Robertson I’m also using Atlantis, Terragrunt and Fargate. I have a “live” repo and “modules” repo, both of which are private. In order to access private Github repos, I considered adding SSH keys but I decided that that was an ugly solution since Atlantis already has a github token. To use the token I needed to make a custom Atlantis-Terragrunt docker image with the addition of two files.

Jonathan avatar
Jonathan

This file forces git to use https so that the token can be used. It needs to be moved into the /home/atlantis/ folder during the docker image build.

Jonathan avatar
Jonathan

This file adds the token value to the .gitconfig file with a value that is already in the Atlantis environment. It needs to be called somehow by the docker entry point file.

Jonathan avatar
Jonathan

I’m also using Atlantis and Terragrunt in a multi-account AWS setup. I did not add key/pair to deploy in the Atlantis hosts environment variables. I really try to never use key pairs. I don’t think that’s as secure as using ECS task roles with a cross account access policy. To assume roles, I use the --terragrunt-iam-role flag in the atlantis.yaml file.

Jonathan avatar
Jonathan

This is how I bootstrap a Terraform slave account:

  • Using the console, I create an IAM role in the slave account. Call it something like: TerraformCrossAccountAccessRole.

https://console.aws.amazon.com/iam/home?#/roles$new?step=type&roleType=crossAccount

  • When prompted, enter the AWS account number of the Terraform master account. Don’t require MFA as this will be programmatic access only.
  • Attach the AdministratorAccess policy.
  • Enter a description: “This role allows Terraform to administer all AWS resources in this account.””

The generated roll will be called something like: arn:aws:iam::123456789012:role/TerraformCrossAccountAccessRole.

The account number in the arn above is the account number of the slave.

When I call Terragrunt from Atlantis in my Terraform master account, I assume the role in the slave account that I created above. Each of my AWS slave accounts has a different directory based workflow that calls an apply step like this :

- run: echo 'y' | terragrunt apply-all -no-color --terragrunt-iam-role "arn:aws:iam::123456789012:role/TerraformCrossAccountAccessRole"

Jonathan avatar
Jonathan

If you are interested in this approach, I’m happy to add more detail, share my Dockerfile, etc.

Callum Robertson avatar
Callum Robertson

hey @Jonathan this would be awesome!

Callum Robertson avatar
Callum Robertson

I’ve got same setup, I’ve got a working “live” directory that is a multi aws account setup so assume roles is a must have for me..

Callum Robertson avatar
Callum Robertson

I’ll have a look at that flag, I assumed you had to generate a session token and put them in your env before assuming a role

Jonathan avatar
Jonathan

For AWS? If I understand your question correctly, nope. No session token in Atlantis ENV. My Atlantis ECS task has enough privileges to assume this role.

1
Jonathan avatar
Jonathan

This is my custom Dockerfile for Atlantis and Terragrunt that allows the use of a token instead of SSH. It will need the two files I posted above in the in same folder where docker build is being called.

Callum Robertson avatar
Callum Robertson

Ah of course it does!

Callum Robertson avatar
Callum Robertson

Your a weapon @Jonathan, really appreciate this! I’ll set this up tomorrow and let you know how I get on

Callum Robertson avatar
Callum Robertson

This fits my use-case perfectly

2019-08-10

rohit avatar
rohit

Hi. I posted the below question in atlantis slack channel, i am also askign the same here

rohit avatar
rohit

Is it possible to run a plan against the master branch ? I do not have a branch so i can not submit a PR but i want to run terraform plan against a workspace

    keyboard_arrow_up