#atlantis (2020-04)

atlantis

Discuss the Atlantis (http://runatlantis.io|runatlantis.io) *Archive: * https://archive.sweetops.com/atlantis/

2020-04-30

2020-04-29

skel84 avatar
skel84

does anybody here have experience with atlantis multi account setup?

jose.amengual avatar
jose.amengual

multi account as ?

jose.amengual avatar
jose.amengual

one atlantis many accounts

jose.amengual avatar
jose.amengual

or many an atlantis per account

skel84 avatar
skel84

one atlantis many accounts

jose.amengual avatar
jose.amengual

and you need to be specific about environments too

jose.amengual avatar
jose.amengual

multiple environments per account ?

skel84 avatar
skel84

one account per environment

skel84 avatar
skel84

one environment per account

jose.amengual avatar
jose.amengual

and what are your concerns ?

skel84 avatar
skel84

i’m running atlantis in my root account, but i cannot assume the role in my child account

skel84 avatar
skel84

it fails during initialization because it can’t find s3 backend

skel84 avatar
skel84

i’m using the ecs fargate module

skel84 avatar
skel84

and the task role has an administrator policy attached

skel84 avatar
skel84

i can’t figure out if I have to use a credential file, env variables or just the role

jose.amengual avatar
jose.amengual

are you specifying the region of the remote backend ?

jose.amengual avatar
jose.amengual

instance roles are sufficient

jose.amengual avatar
jose.amengual

although I do not recommend one atlantis for all accounts

skel84 avatar
skel84

it’s fargate, so only task role

jose.amengual avatar
jose.amengual

blast radius is too big

jose.amengual avatar
jose.amengual

fargate task is the same

skel84 avatar
skel84

so you reccomend one atlantis per account?

jose.amengual avatar
jose.amengual

yes, or per team if each team have multiple accounts

jose.amengual avatar
jose.amengual

you backend config should look like this :

region = "us-east-2"

bucket = "mybucket-state"

key = "terraform.tfstate"

dynamodb_table = "mybucket-state-lock"

encrypt = true
skel84 avatar
skel84

it looks like this

jose.amengual avatar
jose.amengual

does it have the region ?

skel84 avatar
skel84

yes

jose.amengual avatar
jose.amengual

and are you getting 403 or bucket not found ?

skel84 avatar
skel84

if i run it manually from my laptop it works

skel84 avatar
skel84

bucket not found

jose.amengual avatar
jose.amengual

in your local always works

jose.amengual avatar
jose.amengual

but what is the error code ?

jose.amengual avatar
jose.amengual

does the fargate role have Allow s3:* ?

skel84 avatar
skel84
 Remote state S3 bucket xxxxx-terraform-state does not exist or you don't have permissions to access it. Would you like Terragrunt to create it? (y/n) 
jose.amengual avatar
jose.amengual

ok, so it could be a 403

skel84 avatar
skel84

fargate role has admin policy attached

skel84 avatar
skel84

the s3 bucket is in the child account

jose.amengual avatar
jose.amengual

child ?

jose.amengual avatar
jose.amengual

another account right not the same ?

skel84 avatar
skel84

yes

jose.amengual avatar
jose.amengual

you still have to specify the bucket in the policy for the role and in the bucket you need to allow the altantis account to have access

jose.amengual avatar
jose.amengual

this is a problem of cross account access of s3 buckets

jose.amengual avatar
jose.amengual

no matter if they are in the same org

skel84 avatar
skel84

but i assume the role in the backend definition

skel84 avatar
skel84

or at least i tought so

jose.amengual avatar
jose.amengual

is the bucket encrypted ?

jose.amengual avatar
jose.amengual

KMS ?

jose.amengual avatar
jose.amengual

well anyhow it should work

jose.amengual avatar
jose.amengual

if you are assuming the role it should work, so maybe the trust policies are not right

jose.amengual avatar
jose.amengual

you can start a t2.micro using the same role as fargate and use the cli

skel84 avatar
skel84

i’ll try

jose.amengual avatar
jose.amengual

configure the ~/.aws/config

jose.amengual avatar
jose.amengual

using the instance profile

jose.amengual avatar
jose.amengual

and see if it works

skel84 avatar
skel84

ok, thanks

skel84 avatar
skel84

is the ~/.aws/config in the container necessary?

jose.amengual avatar
jose.amengual

for the aws cli to work yes

jose.amengual avatar
jose.amengual
Using Instance Profiles - AWS Identity and Access Management

Use IAM instance profiles to pass a role to an Amazon EC2 instance when the instance starts.

jose.amengual avatar
jose.amengual

that one

jose.amengual avatar
jose.amengual
credential_source = Ec2InstanceMetadata
skel84 avatar
skel84

the thing is, according to this https://www.runatlantis.io/docs/provider-credentials.html#aws-specific-info, it says that the AWS fargate module has its own way to provide credentials

Provider Credentials | Atlantis

Atlantis: Terraform Pull Request Automation

skel84 avatar
skel84

but i can’t figure out which one it is

jose.amengual avatar
jose.amengual

but it should be using the fargate role permissions

jose.amengual avatar
jose.amengual

I run it on fargate and I do not have this problem

jose.amengual avatar
jose.amengual

but my buckets have bucket policies for cross account access

skel84 avatar
skel84

do you specify the role arn in the provider?

jose.amengual avatar
jose.amengual

and for the state it have a polocy allowing the account to have access

jose.amengual avatar
jose.amengual

no I do not , I do no assume role

jose.amengual avatar
jose.amengual

you can run a script trough atlantis so you could try run commands to list the bucket and see what you get

skel84 avatar
skel84

yeah i guess i’ll have to do some more testing

jose.amengual avatar
jose.amengual

but if you try it from an instance and it works, then it should work

jose.amengual avatar
jose.amengual

then at least you know is a config in atlantis

skel84 avatar
skel84

yes, i’ll try that

skel84 avatar
skel84

thanks

Jake Lundberg (HashiCorp) avatar
Jake Lundberg (HashiCorp)

Have you looked at the free version of Terraform Cloud?

2020-04-28

joshmyers avatar
joshmyers

@Alex Siegman Hows your Atlantis Anchors working out? May need that real soon!

Alex Siegman avatar
Alex Siegman

Works perfectly. It’s a little janky to have to specify some “fake projects” to use as templates, but it works perfectly and has made the file a lot more readable.

1
joshmyers avatar
joshmyers

Yup, my atlantis.yml just hit 1K lines, gonna give this a whirl, thanks @Alex Siegman!

Alex Siegman avatar
Alex Siegman

Mine went form 774 lines to 331 lines, just checked the PR

joshmyers avatar
joshmyers

1047 > 357 - still to test though

sheldonh avatar
sheldonh

random disclaimer just to chime in. Anchors are awesome but merging of values is often not recommended for terraform as handling is more library specific. Just something to mention in case things get more complex. An update to a underlying library in some cases and dependency on merging of values can cause problems. I imagine the anchors without overrides though is no issue whatsover.

sheldonh avatar
sheldonh

Oh and I’m talking about yaml specifically, not merging of values in terraform necessarily. It’ just something i’ve come across in various sources as I experimented with yaml anchors and merging and then using that in terraform. I decided against merging of values itself, and only using as global constants because of that potential problem that could be a silent difficult to debug problem in the future

joshmyers avatar
joshmyers

Not sure what you mean, nope, deep merge isn’t a thing.

sheldonh avatar
sheldonh

I’m saying yaml anchors are cool, just wanted to mention that if using them to provide “default values” that then get overriden, that i decided against it for that behavior. Said this for future reader benefit, not that you are doing this.

Merging of even basic yaml anchors is not standardized and has risk for breaking/unpredictable behavior. That’s all. Not correcting, just mentioning it in case something thinks of trying yaml defaults/overrides

1
Alex Siegman avatar
Alex Siegman

Good note; the library that atlantis seems to use works as expected from my testing. At least for the example I put above

1

2020-04-25

2020-04-17

jose.amengual avatar
jose.amengual

Is there a way to limit atlantis what environment to run without workspaces ?

jose.amengual avatar
jose.amengual

in my case I have one atlantis per aws account = environment

jose.amengual avatar
jose.amengual

only selected repos can trigger webhooks

jose.amengual avatar
jose.amengual

and only few people can do applies

jose.amengual avatar
jose.amengual

using terraform atlantis cloudposse module

jose.amengual avatar
jose.amengual

but my terraform project structure is :

./
 main.tf
variables.tf
staging.tfvars
staging-backend.tfvars
production.tfvars
production-backend.tfvars
jose.amengual avatar
jose.amengual

so when we run tf we basically run terraform init -backend-config=staging-backend.tfvars then plan then `apply

jose.amengual avatar
jose.amengual

but the account or role used is only for the staging account

jose.amengual avatar
jose.amengual

and atlantis is deployed to each specific account

jose.amengual avatar
jose.amengual

so I want to limit the scope of what they can run for each atlantis deployment

zeid.derhally avatar
zeid.derhally

We have the same setup where we have an Atlantis in each account. For accounts that handle multiple environments we went with separate directories and try to follow a strict process of only making changes in one environment in a given PR.

jose.amengual avatar
jose.amengual

ok I c, same thing we are going to do

jose.amengual avatar
jose.amengual

cool

2020-04-16

2020-04-13

RB (Ronak) (Cloud Posse) avatar
RB (Ronak) (Cloud Posse)

i have atlantis working and have

  atlantis_repo_whitelist = [
    "github.com/myorg/*",
  ]

  # Atlantis
  # Github repositories where webhook should be created
  atlantis_allowed_repo_names = [
    "myorg/terraform_scripts"
  ]
RB (Ronak) (Cloud Posse) avatar
RB (Ronak) (Cloud Posse)

but almost every pr in my org is receiving comments of atlantis plan when I only want it to show plan for myorg/terraform_scripts

RB (Ronak) (Cloud Posse) avatar
RB (Ronak) (Cloud Posse)

if I set my atlantis_repo_whitelist to only myorg/terraform_scripts, then I see Error: repo not in whitelist or similar as a comment

jose.amengual avatar
jose.amengual

format is :

atlantis_repo_whitelist = ["github.com/org/terraform-xx-xx-rds"]
jose.amengual avatar
jose.amengual

wilcards seem to be used for all repos

jose.amengual avatar
jose.amengual

in an org

jose.amengual avatar
jose.amengual

I had the same problem

RB (Ronak) (Cloud Posse) avatar
RB (Ronak) (Cloud Posse)

if I don’t set the wildcard, I receive the Error message commented on every pr. did you also see this ? if so, how did you prevent that?

jose.amengual avatar
jose.amengual

no, I did not see that

jose.amengual avatar
jose.amengual

I allowed just two repos to use altantis so far

jose.amengual avatar
jose.amengual

and I’m using cloudposse fork but I think that that matters much

jose.amengual avatar
jose.amengual

plus I setted up my worflows as repo config on the the atlantis server

RB (Ronak) (Cloud Posse) avatar
RB (Ronak) (Cloud Posse)

ah interesting. our tf is a mixed bag so i have to do an atlantis.yml per repo to configure it correctly

RB (Ronak) (Cloud Posse) avatar
RB (Ronak) (Cloud Posse)

if i cannot configure the official tf module, ill prob have to go the cloudposse route. which im ok with

jose.amengual avatar
jose.amengual

so you kinda want all the repos that matches myorg/terraform_scripts to use atlantis

jose.amengual avatar
jose.amengual

and nothing else ?

RB (Ronak) (Cloud Posse) avatar
RB (Ronak) (Cloud Posse)

exactly!

RB (Ronak) (Cloud Posse) avatar
RB (Ronak) (Cloud Posse)

just to test this out, configure it correctly, and then manually start adding new repos to it

RB (Ronak) (Cloud Posse) avatar
RB (Ronak) (Cloud Posse)

we have a number of terraform modules that dont even use a backend so i wouldnt want atlantis to even touch those repos until they are migrated

RB (Ronak) (Cloud Posse) avatar
RB (Ronak) (Cloud Posse)

(their tfstates are unfortunately have to be committed)

jose.amengual avatar
jose.amengual

I will recommend to disable auto plan in all repos, it can get overwhelming, I would do that on the repo side

jose.amengual avatar
jose.amengual

when I said repo side, repo config side so atlantis config side

jose.amengual avatar
jose.amengual

so users are force to comment the pr or branch to get a plan

RB (Ronak) (Cloud Posse) avatar
RB (Ronak) (Cloud Posse)

thats a good idea. let me figure out how to do this

RB (Ronak) (Cloud Posse) avatar
RB (Ronak) (Cloud Posse)

is there an env variable for this on the server level ?

RB (Ronak) (Cloud Posse) avatar
RB (Ronak) (Cloud Posse)

ah it looks like it’s only possible on the repo level https://www.runatlantis.io/docs/repo-level-atlantis-yaml.html#use-cases

Repo Level atlantis.yaml Config | Atlantis

Atlantis: Terraform Pull Request Automation

RB (Ronak) (Cloud Posse) avatar
RB (Ronak) (Cloud Posse)
Disable automatic plan server flag · Issue #425 · runatlantis/atlantis

bash-4.4# atlantis version atlantis 0.4.13 Issue: I'd like to be able to disable automatic planning as a server flag. I see this option if using atlantis.yaml files. https://www.runatlantis.io/

RB (Ronak) (Cloud Posse) avatar
RB (Ronak) (Cloud Posse)

yuck… so that means id have to add an atlantis.yml file for hundreds of repos in order to prevent auto planning

jose.amengual avatar
jose.amengual

yes repo level

jose.amengual avatar
jose.amengual

mmmm no

jose.amengual avatar
jose.amengual

you do do a match for all repos with /.*/

jose.amengual avatar
jose.amengual

and disable those global configs

jose.amengual avatar
jose.amengual

then you do the ones for myorg/terraform_scripts

RB (Ronak) (Cloud Posse) avatar
RB (Ronak) (Cloud Posse)

im not sure if i follow you

RB (Ronak) (Cloud Posse) avatar
RB (Ronak) (Cloud Posse)

what do you mean by and disable those global configs ?

RB (Ronak) (Cloud Posse) avatar
RB (Ronak) (Cloud Posse)

i got around this by creating a new user exclusively for atlantis and only added the user to the private repo

jose.amengual avatar
jose.amengual

you can have something like this :

jose.amengual avatar
jose.amengual
repos:
  # id can either be an exact repo ID or a regex.
  # If using a regex, it must start and end with a slash
  # Repo ID's are of the form {VCS hostname}/{org}/{repo name}
  - id: /.*/

    # apply_requirements sets the Apply Requirements for all repos that match
    apply_requirements: [approved,mergeable]

    # allowed_overrides specifies which keys can be overridden by this repo in
    # its atlantis.yaml file
    allowed_overrides: [apply_requirements]

    # allow_custom_workflows defines whether this repo can define its own
    # workflows. If false (default), the repo can only use server-side defined workflows
    allow_custom_workflows: false

    # Allow repos to chose one of the workflows created in this file
    allowed_overrides: [workflow]
jose.amengual avatar
jose.amengual

or one each repo

jose.amengual avatar
jose.amengual

etc

jose.amengual avatar
jose.amengual

so for the global id: /.*/

jose.amengual avatar
jose.amengual

you could disable auto plan

RB (Ronak) (Cloud Posse) avatar
RB (Ronak) (Cloud Posse)

ah ok but still have to be one for each repo

RB (Ronak) (Cloud Posse) avatar
RB (Ronak) (Cloud Posse)

I think I understand what you’re saying now. Thank you for sending me the config!

RB (Ronak) (Cloud Posse) avatar
RB (Ronak) (Cloud Posse)

i think now that i can test in my org’s terraform_scripts repo, we can now configure our repo level atlantis.yml file without commenting every pr in the org

RB (Ronak) (Cloud Posse) avatar
RB (Ronak) (Cloud Posse)

going forward, i’ll create a new atlantis.yml file in the new repo, then add our bot user to that new repo

jose.amengual avatar
jose.amengual

the rule - id: /.*/ will match all repos

jose.amengual avatar
jose.amengual

then you can do each repo if you need to

RB (Ronak) (Cloud Posse) avatar
RB (Ronak) (Cloud Posse)

oh! i see. so i could have this user added to all repos and configure it right from the server atlantis yaml

jose.amengual avatar
jose.amengual

correct, that is what I think it will do

jose.amengual avatar
jose.amengual

I only configure the repos I want with the webhooks

jose.amengual avatar
jose.amengual

not all the repos

jose.amengual avatar
jose.amengual

and I add the Team were the atlantis user is

jose.amengual avatar
jose.amengual

mmm autoplan is not a server level config

jose.amengual avatar
jose.amengual

is repo level

jose.amengual avatar
jose.amengual

that sucks

RB (Ronak) (Cloud Posse) avatar
RB (Ronak) (Cloud Posse)

yea i saw that. unfortunate. see the ticket i mentioned above. it seems like the maintainer doesnt think it’s a good idea to do but i dont fully understand the reasoning

jose.amengual avatar
jose.amengual

you could do that

jose.amengual avatar
jose.amengual

although I can see the reason why not to disable autoplan

jose.amengual avatar
jose.amengual

I gues the idea is to run plan against to PR to master

jose.amengual avatar
jose.amengual

and you enable the webhooks per repo

jose.amengual avatar
jose.amengual

not globaly in your VCS

RB (Ronak) (Cloud Posse) avatar
RB (Ronak) (Cloud Posse)

looking at my fargate logs, even tho i only have a single repo whitelisted with a single webhook, the app keeps trying to reach out to every new pr but is getting a 404 (because i havent added the bot to their private repos)

RB (Ronak) (Cloud Posse) avatar
RB (Ronak) (Cloud Posse)

weird that it would still be trying to reach out to each pr. i figured it would know to only look at prs coming from the repos whitelisted

jose.amengual avatar
jose.amengual

mmm I do not see that

jose.amengual avatar
jose.amengual

the event comes from the repo

jose.amengual avatar
jose.amengual

atlantis receives the event

RB (Ronak) (Cloud Posse) avatar
RB (Ronak) (Cloud Posse)

is there a way to configure it for a single repository in an org without it commenting “error” on all other repo prs ?

RB (Ronak) (Cloud Posse) avatar
RB (Ronak) (Cloud Posse)

thanks!

RB (Ronak) (Cloud Posse) avatar
RB (Ronak) (Cloud Posse)

management doesn’t seem to be completely sold on atlantis. besides

• just like we have cicd of code, we can also have cicd of terraform

• auditability of terraform plans

• a number of top companies using it (lyft, shopify, pagerduty, hootsuite, cloudposse) and hashicorp owns it

• locking of modules within prs

terraform workspace support

• only apply changes that are approved notable posts

https://www.runatlantis.io/

https://medium.com/runatlantis/terraform-and-the-dangers-of-applying-locally-543563782a73

https://medium.com/runatlantis/introducing-atlantis-6570d6de7281

https://docs.google.com/presentation/d/1X4VGx-R8UZWE_2s7I8IxcbWsav1kR-QosmHI8kKaIZc/htmlpresent

https://www.reddit.com/r/devops/comments/cakyfp/psa_love_terraform_love_cicd_you_want_to_run/ are there more reasons to use it?

roth.andy avatar
roth.andy

In my experience management will almost never be “sold” on something like this. This has to come from you, as the subject matter expert, as a requirement. Asking for their permission is shifting the risk over to them, and their number one priority is to avoid risk.

https://youtu.be/ecIWPzGEbFc?t=3862

2
jose.amengual avatar
jose.amengual

Dev do not need to set terraform on their machines and TF is run by atlantis using instance profiles that are fully auditable

3
jose.amengual avatar
jose.amengual

the changes of infra are in a VCS

jose.amengual avatar
jose.amengual

GitOps is awesome

1
cool-doge1

2020-04-12

2020-04-11

jose.amengual avatar
jose.amengual
cloudposse/terraform-aws-ecs-atlantis

Terraform module for deploying Atlantis as an ECS Task - cloudposse/terraform-aws-ecs-atlantis

jose.amengual avatar
jose.amengual

I find the doc and this a bit confusing

cloudposse/terraform-aws-ecs-atlantis

Terraform module for deploying Atlantis as an ECS Task - cloudposse/terraform-aws-ecs-atlantis

jose.amengual avatar
jose.amengual
cloudposse/terraform-aws-ecs-atlantis

Terraform module for deploying Atlantis as an ECS Task - cloudposse/terraform-aws-ecs-atlantis

jose.amengual avatar
jose.amengual

talk about : github_oauth_token and github_webhooks_token that need to be created before the init of the module but then it says that is they are not provided it will be looked up in PS

jose.amengual avatar
jose.amengual

and the instruction is that you can write the values with chamber :

chamber write atlantis atlantis_gh_token "..."
  chamber write atlantis github_webhooks_token "...""
jose.amengual avatar
jose.amengual

so github_oauth_token and atlantis_gh_token is the same thing

jose.amengual avatar
jose.amengual

but called differently

jose.amengual avatar
jose.amengual

what I mean is that what is asked to be created in github side does not match the names in Parameter store

jose.amengual avatar
jose.amengual

I don’t know I just find it a bit confusing

jose.amengual avatar
jose.amengual

working with the cloudposse atlantis module I’m having a problem with the github webhooks

jose.amengual avatar
jose.amengual

the error I get after creating the webhooks and then changing the team access to read

jose.amengual avatar
jose.amengual
Error: POST <https://api.github.com/repos/xxxxx/terraform-xx-xx-ecs-cluster/hooks>: 404 Not Found []

  on .terraform/modules/repo_webhooks/main.tf line 6, in resource "github_repository_webhook" "default":
   6: resource "github_repository_webhook" "default" {
jose.amengual avatar
jose.amengual

it tries to create the webhooks again

jose.amengual avatar
jose.amengual

well is trying to look for the webhooks

jose.amengual avatar
jose.amengual

but read permission at repository level do not allow you to see webhook configs

jose.amengual avatar
jose.amengual

so I don’t know how to fix this

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

I vaguely recall there’s no way to update github webhooks using the provider

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

so i would need to taint them and reapply

jose.amengual avatar
jose.amengual

but if you taint

jose.amengual avatar
jose.amengual

then can you re-apply with read permissions ?

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

oh no, i never tried changing permissions

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

but i did try changing the webhook settings and that’s when this happened

jose.amengual avatar
jose.amengual

the readme says to change to read after the webhook is created

jose.amengual avatar
jose.amengual

but that breaks things

jose.amengual avatar
jose.amengual

so maybe having another repo for the webhooks maybe a better idea

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

@Andriy Knysh (Cloud Posse) might recall what to do here… but it’s been a while

jose.amengual avatar
jose.amengual

I’m cleaning up my the atlantis setup and I think I got everything pretty much figure out

jose.amengual avatar
jose.amengual

using one atlantis for multiple repos in the sam environment

jose.amengual avatar
jose.amengual

anyone was able to recall what can be done ?

jose.amengual avatar
jose.amengual

taint ?

2020-04-10

2020-04-09

RB (Ronak) (Cloud Posse) avatar
RB (Ronak) (Cloud Posse)

trying to use this module to setup fargate but having issues. anyone using the same module and have it working as expected?

https://github.com/terraform-aws-modules/terraform-aws-atlantis

terraform-aws-modules/terraform-aws-atlantis

Terraform configurations for running Atlantis on AWS Fargate. Github, Gitlab and BitBucket are supported - terraform-aws-modules/terraform-aws-atlantis

jose.amengual avatar
jose.amengual

I have not used it , I used the cloudposse one

terraform-aws-modules/terraform-aws-atlantis

Terraform configurations for running Atlantis on AWS Fargate. Github, Gitlab and BitBucket are supported - terraform-aws-modules/terraform-aws-atlantis

RB (Ronak) (Cloud Posse) avatar
RB (Ronak) (Cloud Posse)

my terraform

module "atlantis" {
  source  = "terraform-aws-modules/atlantis/aws"
  version = "~> 2.0"

  name = local.name

  # VPC
  vpc_id             = data.aws_vpc.selected.id
  
  public_subnet_ids  = local.public_subnet_ids
  # TODO: use private subnets instead of public
  # fargate in private. need to be in same set of AZs as public
  private_subnet_ids = local.public_subnet_ids

  ecs_service_assign_public_ip = true

  route53_zone_name = "internal.snip.com"

  certificate_arn = data.aws_acm_certificate.internal.arn

  # create_github_repository_webhook = true
  # Atlantis
  atlantis_github_user       = "atlantis-bot"
  # TODO: use s3keyring or ssm
  atlantis_github_user_token = "snip"
  atlantis_repo_whitelist    = [
    "github.com/terraform-aws-modules/*",
    "github.com/snip/*",
  ]

  allow_repo_config = "true"

  # Atlantis
  atlantis_allowed_repo_names = [
    "snip/terraform-scripts"
  ]
}
RB (Ronak) (Cloud Posse) avatar
RB (Ronak) (Cloud Posse)

hmmm, perhaps I should switch to the cloudposse one or at least try it side by side

jose.amengual avatar
jose.amengual

the cloudposse one is recommended with the use of their fork

jose.amengual avatar
jose.amengual

you could use the atlantis from runatlantis but you will have to feed some different config to make it work

RB (Ronak) (Cloud Posse) avatar
RB (Ronak) (Cloud Posse)

ah perhaps thats what im missing. i was having trouble figuring out how to apply the server configuration too

jose.amengual avatar
jose.amengual

the cloudposse module uses Parameter store to store the configs and value and I used chamber to populate the Dockerfile

RB (Ronak) (Cloud Posse) avatar
RB (Ronak) (Cloud Posse)

interesting! ok ill focus more on the fork then

RB (Ronak) (Cloud Posse) avatar
RB (Ronak) (Cloud Posse)

do you still require repo specific atlantis.yml configs ?

jose.amengual avatar
jose.amengual

I was going to say : to make it easier for you

jose.amengual avatar
jose.amengual

here are the file I used

jose.amengual avatar
jose.amengual
jose.amengual avatar
jose.amengual

buildscpec for codebuild :

jose.amengual avatar
jose.amengual
jose.amengual avatar
jose.amengual

atlantis.yaml

jose.amengual avatar
jose.amengual
jose.amengual avatar
jose.amengual

atlantis-repo-config

jose.amengual avatar
jose.amengual
jose.amengual avatar
jose.amengual

there

jose.amengual avatar
jose.amengual

that is all you need

jose.amengual avatar
jose.amengual

I put this all in the same repo but you do not have to

RB (Ronak) (Cloud Posse) avatar
RB (Ronak) (Cloud Posse)

awesome! you the man pepe

RB (Ronak) (Cloud Posse) avatar
RB (Ronak) (Cloud Posse)

ill give it a go

jose.amengual avatar
jose.amengual

I tried it with one repo

jose.amengual avatar
jose.amengual

but you could have the Dockerfile+buildspec+atlantisrepo config in one repo and use that as a atlantis ECS cluster for your AWS account and run multiple repos against the same atlantis

jose.amengual avatar
jose.amengual

OR

jose.amengual avatar
jose.amengual

you could have all this files in all the repos and build atlantis every time from the scratch (codebuild+codepipeline) for every repo that have the webhooks configured

RB (Ronak) (Cloud Posse) avatar
RB (Ronak) (Cloud Posse)

ah so this is a local installation of atlantis then

jose.amengual avatar
jose.amengual

this is a relevant thread that explains the why

jose.amengual avatar
jose.amengual

no this is for running on ECS+fargate

joshmyers avatar
joshmyers

I’m using https://github.com/terraform-aws-modules/terraform-aws-atlantis , whats the problem with it?

terraform-aws-modules/terraform-aws-atlantis

Terraform configurations for running Atlantis on AWS Fargate. Github, Gitlab and BitBucket are supported - terraform-aws-modules/terraform-aws-atlantis

RB (Ronak) (Cloud Posse) avatar
RB (Ronak) (Cloud Posse)

ive listed my config further up in the thread and i can’t seem to get the github account to post on my pr when i write atlantis plan

RB (Ronak) (Cloud Posse) avatar
RB (Ronak) (Cloud Posse)

first time using fargate so just starting to debug

RB (Ronak) (Cloud Posse) avatar
RB (Ronak) (Cloud Posse)

ah I’ve gotten it to work. I forgot to add the webhook

RB (Ronak) (Cloud Posse) avatar
RB (Ronak) (Cloud Posse)

now im hitting an issue where we use private terraform modules and the user doesn’t have access to those modules and so fails

RB (Ronak) (Cloud Posse) avatar
RB (Ronak) (Cloud Posse)
authenticating for a module with a private github.com repo source · Issue #281 · runatlantis/atlantis

Hello, I&#39;m trying to use a module sourced from a private github repo: module &quot;module-name&quot; { source = &quot;git://github.com/<org>/<repo>.git?ref=0.0.2&quot;> } but …

joshmyers avatar
joshmyers

ATLANTIS_WRITE_GIT_CREDS maybe useful to you

RB (Ronak) (Cloud Posse) avatar
RB (Ronak) (Cloud Posse)

yep that did it, thank you

RB (Ronak) (Cloud Posse) avatar
RB (Ronak) (Cloud Posse)

2020-04-03

Alex Siegman avatar
Alex Siegman

For folks using atlantis.yaml per-repo settings files to define many projects, figured I’d see if I could reduce a lot of repetition in my config file using YAML Anchors and References. Came up with the following anchor system. While atlantis will process the two anchor templates as projects, the directory doesn’t exist so it doesn’t detect any changes and will not run. I couldn’t define the anchors in a separate section as atlantis got mad about it.

projects:
  # Project Definitions
  - &terraform_project
    name: "template-terraform-project"
    dir: '.empty'
    workflow: "make"
    workspace: "default"
    terraform_version: "v0.11.14"
    autoplan:
      when_modified:
        - "Makefile*"
        - "*.tf"
        - "*.tfvars"
        - "*.envrc"
      enabled: true
    apply_requirements:
      - "approved"

  ## Shared Infrastructure
  - <<: *terraform_project
    name: "account-dns"
    dir: "conf/account-dns"

  - <<: *terraform_project
    name: "aws-metrics-role"
    dir: "conf/us-east-1/aws-metrics-role"

  - <<: *terraform_project
    name: "chamber"
    dir: "conf/us-east-1/chamber"

  - <<: *terraform_project
    name: "cloudtrail"
    dir: "conf/cloudtrail"

It’s worked in my limited testing thus far.

2
1
joshmyers avatar
joshmyers

Could you have used e.g. account-dns as the template project or does it get invoked every time so needed to be a non existent thing? Not tested yet

    keyboard_arrow_up