#atlantis (2020-05)

atlantis

Discuss the Atlantis (http://runatlantis.io|runatlantis.io) *Archive: * https://archive.sweetops.com/atlantis/

2020-05-29

RB (Ronak) (Cloud Posse) avatar
RB (Ronak) (Cloud Posse)

this is strange. i have a specific workflow for a specific tf module to overwrite the terraform version yet it still uses the default.

version: 3
projects:
- name: secrets
  dir: secrets
  workflow: secrets
  terraform_version: v0.12.25

workflows:
  secrets:
    plan:
      steps:
        - init
        - run: make diff
        - plan
RB (Ronak) (Cloud Posse) avatar
RB (Ronak) (Cloud Posse)

then i see this in github

�[31m
�[1m�[31mError: �[0m�[0m�[1mError loading state: state snapshot was created by Terraform v0.12.25, which is newer than current v0.12.24; upgrade to Terraform v0.12.25 or greater to work with this state�[0m

�[0m�[0m�[0m
RB (Ronak) (Cloud Posse) avatar
RB (Ronak) (Cloud Posse)

im using atlantis 12 and i dont believe the new 13 that was just released fixes this, according to their changelog

RB (Ronak) (Cloud Posse) avatar
RB (Ronak) (Cloud Posse)

any idea what im doing wrong ? or is this a bug ?

RB (Ronak) (Cloud Posse) avatar
RB (Ronak) (Cloud Posse)

the init seems to work but the make diff which calls terraform refresh seems to use the default terraform instead of the terraform_version

RB (Ronak) (Cloud Posse) avatar
RB (Ronak) (Cloud Posse)

perhaps v0.12.25 needs to be 0.12.25 according to this

Repo Level atlantis.yaml Config | Atlantis

Atlantis: Terraform Pull Request Automation

RB (Ronak) (Cloud Posse) avatar
RB (Ronak) (Cloud Posse)

this is interesting too

https://github.com/runatlantis/atlantis/issues/910

Looks like @lkysow says to use

- run: terraform$ATLANTIS_TERRAFORM_VERSION plan

so perhaps i need to do that in my Makefile to use the correct version of terraform …

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

terraform_version in atlantis workflow never worked for us as well

RB (Ronak) (Cloud Posse) avatar
RB (Ronak) (Cloud Posse)

in my make diff, i changed it so my Makefile uses the $ATLANTIS_TERRAFORM_VERSION, not sure what else to do

RB (Ronak) (Cloud Posse) avatar
RB (Ronak) (Cloud Posse)

wish atlantis could be smart enough to check the tfstate, get the correct version, and use the same version in the state

RB (Ronak) (Cloud Posse) avatar
RB (Ronak) (Cloud Posse)

dude youre right, WTF, tested it out and that env variable wasnt even filled

RB (Ronak) (Cloud Posse) avatar
RB (Ronak) (Cloud Posse)

so i guess im not allowed to use Makefile targets in my run atlantis command if it requires a non default terraform version

RB (Ronak) (Cloud Posse) avatar
RB (Ronak) (Cloud Posse)
terraform_version key ignored for custom workflow · Issue #1065 · runatlantis/atlantis

My repo level atlantis.yaml version: 3 projects: - name: secrets dir: secrets workflow: secrets terraform_version: v0.12.25 workflows: secrets: plan: steps: - init - run: make diff - plan secrets d…

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

yes it’s like that

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

you can fork it and improve

RB (Ronak) (Cloud Posse) avatar
RB (Ronak) (Cloud Posse)
terraform_version key ignored for custom workflow · Issue #1065 · runatlantis/atlantis

Using v12 My repo level atlantis.yaml version: 3 projects: - name: secrets dir: secrets workflow: secrets terraform_version: v0.12.25 workflows: secrets: plan: steps: - init - run: make diff - plan…

RB (Ronak) (Cloud Posse) avatar
RB (Ronak) (Cloud Posse)

atlantis, when using repo configs, is using the PR branch’s config instead of the one in master. this wasn’t clear to me and was confusing.

1

2020-05-28

jose.amengual avatar
jose.amengual

I’m going to have to fork cloudposse atlantis to fix my needs so I was wondering how can I build my fork ?

jose.amengual avatar
jose.amengual

@Andriy Knysh (Cloud Posse) I was trying make dist and got a bunch of errors, I’m wondering how you guys run the build ?

jose.amengual avatar
jose.amengual

I have no idea what I’m doing…. lol

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

make build-service

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

which is CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -v -o atlantis .

jose.amengual avatar
jose.amengual

and that exploded

jose.amengual avatar
jose.amengual
CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -v -o atlantis .
github.com/atlantis/vendor/github.com/runatlantis/atlantis/server/events/vcs
# github.com/atlantis/vendor/github.com/runatlantis/atlantis/server/events/vcs
vendor/github.com/runatlantis/atlantis/server/events/vcs/gitlab_client.go:168:54: not enough arguments in call to g.Client.MergeRequests.GetMergeRequest
	have (string, int)
	want (interface {}, int, *gitlab.GetMergeRequestsOptions, ...gitlab.OptionFunc)
vendor/github.com/runatlantis/atlantis/server/events/vcs/gitlab_client.go:199:54: not enough arguments in call to g.Client.MergeRequests.GetMergeRequest
	have (string, int)
	want (interface {}, int, *gitlab.GetMergeRequestsOptions, ...gitlab.OptionFunc)
make: *** [build-service] Error 2
jose.amengual avatar
jose.amengual

do I have to have a specific version of go ?

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

i tested it with 1.11 and 1.2 before, now I have 1.13.1, all works

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

are you building `

runatlantis/atlantis
Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

?

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

or CloudPosse repo?

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

runatlantis prob have made a lot of changes since the last time we forked it

jose.amengual avatar
jose.amengual

cloudposse repo

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

make sure you copy it into <GOPATH>/src/github.com/runatlantis/atlantis

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

b/c all imports are using runatlantis

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

that’s how Go works

jose.amengual avatar
jose.amengual

golang 101 lol

jose.amengual avatar
jose.amengual

this looks better

jose.amengual avatar
jose.amengual
github.com/runatlantis/atlantis/vendor/github.com/aws/aws-sdk-go/aws/defaults
github.com/runatlantis/atlantis/vendor/github.com/aws/aws-sdk-go/service/sts
github.com/runatlantis/atlantis/vendor/github.com/aws/aws-sdk-go/service/s3
github.com/runatlantis/atlantis/vendor/github.com/aws/aws-sdk-go/aws/credentials/stscreds
github.com/runatlantis/atlantis/vendor/github.com/aws/aws-sdk-go/aws/session
github.com/runatlantis/atlantis/vendor/github.com/hashicorp/go-getter
github.com/runatlantis/atlantis/vendor/github.com/runatlantis/atlantis/server/events/terraform
github.com/runatlantis/atlantis/vendor/github.com/runatlantis/atlantis/server/events/runtime
make: *** [build-service] Error 2
jose.amengual avatar
jose.amengual

at least it did more stuff

jose.amengual avatar
jose.amengual

I moved to runatlantis/atlantis

jose.amengual avatar
jose.amengual

and in there I run make build-service

jose.amengual avatar
jose.amengual

better but not quite

jose.amengual avatar
jose.amengual
~/workspace/Go/src/github.com/runatlantis/atlantis(git:master)❱✔≻ make build-service                                                                                           39.3s  Thu 28 May 17:33:50 2020
CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -v -o atlantis .
github.com/runatlantis/atlantis/server/events/vcs/common
github.com/runatlantis/atlantis/server/logging
github.com/runatlantis/atlantis/server/recovery
github.com/runatlantis/atlantis/server/static
github.com/runatlantis/atlantis/server/events/yaml/valid
github.com/runatlantis/atlantis/testdrive
github.com/runatlantis/atlantis/server/events/terraform
github.com/runatlantis/atlantis/server/events/models
github.com/runatlantis/atlantis/server/events/yaml/raw
github.com/runatlantis/atlantis/server/events/db
github.com/runatlantis/atlantis/server/events/vcs/bitbucketserver
github.com/runatlantis/atlantis/server/events/vcs/bitbucketcloud
github.com/runatlantis/atlantis/server/events/locking
github.com/runatlantis/atlantis/server/events/webhooks
github.com/runatlantis/atlantis/server/events/vcs
github.com/runatlantis/atlantis/server/events/runtime
# github.com/runatlantis/atlantis/server/events/vcs
server/events/vcs/gitlab_client.go:168:54: not enough arguments in call to g.Client.MergeRequests.GetMergeRequest
	have (string, int)
	want (interface {}, int, *gitlab.GetMergeRequestsOptions, ...gitlab.OptionFunc)
server/events/vcs/gitlab_client.go:199:54: not enough arguments in call to g.Client.MergeRequests.GetMergeRequest
	have (string, int)
	want (interface {}, int, *gitlab.GetMergeRequestsOptions, ...gitlab.OptionFunc)
github.com/runatlantis/atlantis/server/events/yaml
make: *** [build-service] Error 2
❰jamengual❙~/workspace/Go/src/github.com/runatlantis/atlantis(git:master)❱✘≻          
jose.amengual avatar
jose.amengual

my ultimate goal is to patch current atlantis with the github code you guys did and add the atlantis.yaml specific settings I need

jose.amengual avatar
jose.amengual

but for now building cloudposse fork will be great

jose.amengual avatar
jose.amengual

so I ended up downloading lates atlantis src

jose.amengual avatar
jose.amengual

compiled

jose.amengual avatar
jose.amengual

added few thing worked

jose.amengual avatar
jose.amengual

and I decided to add the code from PR #30 from cloudposse

jose.amengual avatar
jose.amengual

after a few fixes

jose.amengual avatar
jose.amengual

compiled

jose.amengual avatar
jose.amengual

I deployed

jose.amengual avatar
jose.amengual

but I’m stuck

jose.amengual avatar
jose.amengual

fo whatever reason it keeps saying : Error: User @jamengual does not have permissions to execute 'plan' command.

jose.amengual avatar
jose.amengual

which is checkUserPermissions returning false

jose.amengual avatar
jose.amengual

but I do not know why yet

jose.amengual avatar
jose.amengual

any pointers @Andriy Knysh (Cloud Posse)

jose.amengual avatar
jose.amengual

this is the bit of code is doing the call

/ Check if the user who commented has the permissions to execute the 'plan' or 'apply' commands
	ok, err := e.checkUserPermissions(baseRepo, user, parseResult.Command)
	if err != nil {
		e.Logger.Err("unable to comment on pull request: %s", err)
		return
	}
	if !ok {
		e.commentUserDoesNotHavePermissions(baseRepo, pullNum, user, parseResult.Command)
		e.respond(w, logging.Warn, http.StatusForbidden, "User @%s does not have permissions to execute '%s' command", user.Username, parseResult.Command.Name.String())
		return
	}
Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

@jose.amengual did you specify the parameter gh-team-whitelist?

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
Add `gh-team-whitelist` command line argument by aknysh · Pull Request #30 · cloudposse/atlantis

what Add gh-team-whitelist command line argument Use bigger atlantis logo on the web pages why Improved security Explicitly specify GitHub teams and operations (plan, apply) that the members of …

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

and then did you add your user to the whitelisted team (on GitHub)?

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

the code in this PR https://github.com/cloudposse/atlantis/pull/30 makes gh-team-whitelist param optional. If not specified at all, the default functionality is in place. If specified, then the code checks if the user is in a whitelisted team. If not, the error is thrown

Add `gh-team-whitelist` command line argument by aknysh · Pull Request #30 · cloudposse/atlantis

what Add gh-team-whitelist command line argument Use bigger atlantis logo on the web pages why Improved security Explicitly specify GitHub teams and operations (plan, apply) that the members of …

jose.amengual avatar
jose.amengual

yes I did

jose.amengual avatar
jose.amengual

basically I had atlantis already running with cloudposse fork

jose.amengual avatar
jose.amengual

and then I I forked latest and added your code

jose.amengual avatar
jose.amengual

and deployed to the same fargate task

jose.amengual avatar
jose.amengual

I have everything in Parameter store

jose.amengual avatar
jose.amengual

I added debug too

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

did you use the correct format for gh-team-whitelist?

jose.amengual avatar
jose.amengual

hds-team:plan,hds-team:apply

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

(looks like you did since you used CP fork before)

jose.amengual avatar
jose.amengual

I’m part of that team

jose.amengual avatar
jose.amengual

I used the terraform atlantis module from you guys

jose.amengual avatar
jose.amengual

it is weird, I can run help and that , it does not crash or anything, plus returns my user correctly

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

well… atlantis made a lot of changes, and GitHub made a lot of changes. If you copy the code correctly and it does not work, then something has been changed in the GitHub API

jose.amengual avatar
jose.amengual

somehow something in team_whitelist_checker.go does not work

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

if you run our fork now, does it work?

jose.amengual avatar
jose.amengual

I can roll back, one sec

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)


somehow something in team_whitelist_checker.go does not work

jose.amengual avatar
jose.amengual

that is my theory

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

we made changes a few times as well b/c GitHub kept changing some API

jose.amengual avatar
jose.amengual

ohhhhh so maybe I did not push those updates ?????

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

(don’t know )

jose.amengual avatar
jose.amengual

I checked like 40 times

jose.amengual avatar
jose.amengual

after #30 I do not see anything about github

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

in situations like this, and since you are modifying the code anyway, would be great to update the version number and display it on the screen (I think it’s displayed)

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

so you can know for sure which version got deployed

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
cloudposse/atlantis

GitOps for Teams (experimental hard fork of atlantis) - cloudposse/atlantis

jose.amengual avatar
jose.amengual

mmmm

jose.amengual avatar
jose.amengual

I see :

2020-05-29 18:15:42
2020/05/30 01:15:42+0000 [INFO] server.go:462 server: Atlantis started - listening on port 4141
jose.amengual avatar
jose.amengual

yes so I have a custom version

jose.amengual avatar
jose.amengual

atlantis version                                                     8.9m  Fri 29 May 20:34:46 2020 atlantis 0.12.0-multienv-debug1

jose.amengual avatar
jose.amengual

I see the same if I docker build locally

jose.amengual avatar
jose.amengual

I wonder if I could shot the version on fargate logs

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

you should see the version in the UI, in the bottom-right corner

jose.amengual avatar
jose.amengual

which I though it was the problem

jose.amengual avatar
jose.amengual

the ui…ok let me check I have not used the UI ever

jose.amengual avatar
jose.amengual

mmm the ui is 503…..

jose.amengual avatar
jose.amengual

the ui is on /?

jose.amengual avatar
jose.amengual

ok, listener rule error , it shows my version

jose.amengual avatar
jose.amengual

v0.12.0-multienv-debug0

jose.amengual avatar
jose.amengual

so at least I know is the one I compiled

jose.amengual avatar
jose.amengual

and this was updated too

func (g *GithubClient) GetTeamNamesForUser(repo models.Repo, user models.User) ([]string, error) {
	var teamNames []string
	opts := &github.ListOptions{}
	org := repo.Owner
	for {
		teams, resp, err := g.client.Teams.ListTeams(g.ctx, org, opts)
		if err != nil {
			return nil, err
		}
		for _, t := range teams {
			membership, _, err := g.client.Teams.GetTeamMembership(g.ctx, t.GetID(), user.Username)
			if err == nil && membership != nil {
				if *membership.State == "active" && (*membership.Role == "member" || *membership.Role == "maintainer") {
					teamNames = append(teamNames, t.GetName())
				}
			}
		}
		if resp.NextPage == 0 {
			break
		}
		opts.Page = resp.NextPage
	}
	return teamNames, nil
}
Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
cloudposse/atlantis

GitOps for Teams (experimental hard fork of atlantis) - cloudposse/atlantis

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

do you see this error Error: User @jamengual does not have permissions to execute 'plan' command as GitHub comment?

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

also, you sure that the user is a member of the team, and the team name is correct?

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

and also, is our version working for you?

jose.amengual avatar
jose.amengual

yes I do see it as a github comment

jose.amengual avatar
jose.amengual

yes I’m a member of that team and the team is correct

jose.amengual avatar
jose.amengual

you version was working ok but my need is that I use one repo for all environment so I deploy and atlantis per AWS account and without the option to define a custom atlantis.yaml it does not work for me so I added https://github.com/runatlantis/atlantis/compare/master...mediwareinc:multienv-0.11.0

runatlantis/atlantis

Terraform Pull Request Automation. Contribute to runatlantis/atlantis development by creating an account on GitHub.

jose.amengual avatar
jose.amengual

which is very very simple and fit my needs

jose.amengual avatar
jose.amengual

but I really like the team whitelist option and that is why I’m here

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

so it’s the same team whitelist code in both repos, one is working, the other is not

jose.amengual avatar
jose.amengual

correct

jose.amengual avatar
jose.amengual

Unless I missed something

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

and the code gets executed and checks for team membership

jose.amengual avatar
jose.amengual

as fas as I can tell

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

so 1) you missed something; 2) atlantis made other changes that affected it; 3) you are using new GitHub API that changed the logic (they did it in the past)

jose.amengual avatar
jose.amengual

I’m not a go experts by any means but I was thinking to add e.Logger.Err

jose.amengual avatar
jose.amengual

one of the 3 but I think 3 is unlikely because this was working with cloudposse fork and I did not change anything related to apis for github

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

since our fork does not use Go modules (was not in atlantis at the time), and the new atlantis uses Go modules, the GitHub APi could be completely different

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

(the sad thing is, w/o Go modules it was not possible to pin it to a particular version)

jose.amengual avatar
jose.amengual

so you alway get the latest

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

but new atlantis uses Go modules so you can see what version you are using

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

you alway get the latest - if you don’t use Go modules, which was created to fix those issues

jose.amengual avatar
jose.amengual

I see ok

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

as I said, w/o Go modules it was aways the latest version, and GitHub updated the API a few times and broke our code

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

with Go modules in the latest atlantis, they pinned it to a particular version, but.. that version could be new with some API changes from GitHub (just an idea)

jose.amengual avatar
jose.amengual

so you think when I did go get [github.com/runatlantis/atlantis](http://github.com/runatlantis/atlantis)

jose.amengual avatar
jose.amengual

ad then go build I got a version of the github client api that is not compatible ?

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

might be

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

we had such issue before

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

not saying that they change the API all the time, but they did, and broke our code

jose.amengual avatar
jose.amengual

I’m running my version now using ngrok and using chamber to populate the ENV variables to my local

jose.amengual avatar
jose.amengual

so I can debug faster

jose.amengual avatar
jose.amengual

intersting

jose.amengual avatar
jose.amengual

I added this :

// checkUserPermissions checks if the user has permissions to execute the command
func (e *EventsController) checkUserPermissions(repo models.Repo, user models.User, cmd *events.CommentCommand) (bool, error) {
	if cmd.Name == models.ApplyCommand || cmd.Name == models.PlanCommand {
		teams, err := e.VCSClient.GetTeamNamesForUser(repo, user)
		if err != nil {
			return false, err
		}
		e.Logger.Err("PEPE teams: ", teams)
		ok := e.TeamWhitelistChecker.IsCommandAllowedForAnyTeam(teams, cmd.Name.String())
		if !ok {
			return false, nil
		}
	}
	return true, nil
}
jose.amengual avatar
jose.amengual

e.Logger.Err("PEPE teams: ", teams)

jose.amengual avatar
jose.amengual

mmm there is some sensitive information on all this

jose.amengual avatar
jose.amengual

basically

jose.amengual avatar
jose.amengual
[EROR] events_controller.go:585 server: PEPE teams: %!(EXTRA []string=[Ops Team Product Engineering Employees terraform-atlantis])
jose.amengual avatar
jose.amengual

terrafom-atlantis is a team

jose.amengual avatar
jose.amengual

but the other is the description of the ream not the team name

jose.amengual avatar
jose.amengual

no wait….those are the names

jose.amengual avatar
jose.amengual

they just have spaces

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

we did not test teams with spaces

jose.amengual avatar
jose.amengual

that is it

jose.amengual avatar
jose.amengual

I added terraform-atlantis to the team whitelist

jose.amengual avatar
jose.amengual

and now is working

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

but where is hds-team in the list?

jose.amengual avatar
jose.amengual

yes it was

jose.amengual avatar
jose.amengual

and it did work with the cloudposse fork

jose.amengual avatar
jose.amengual

atlantis_gh_team_whitelist = hds-team:plan,hds-team:apply,terraform-atlantis:plan

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

what do you mean “it was”? it’s not in the list [Ops Team Product Engineering Employees terraform-atlantis]

jose.amengual avatar
jose.amengual

I mangled the output

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

so you are not part of that team

jose.amengual avatar
jose.amengual

sorry

jose.amengual avatar
jose.amengual

PEPE teams: %!(EXTRA []string=[IQ Ops HDS Team Product Engineering Employees terraform-atlantis])

jose.amengual avatar
jose.amengual

HDS Team is that team

jose.amengual avatar
jose.amengual

and I’m part of it

jose.amengual avatar
jose.amengual

ok so…….

jose.amengual avatar
jose.amengual

HDS Team:plan,hds-team:apply that works

jose.amengual avatar
jose.amengual

so this must be something to do with the the github client response that is now not passing some sort of alternated name for the team ?

jose.amengual avatar
jose.amengual

I guess a team with a name with space will be converted to something else ?

jose.amengual avatar
jose.amengual

I’m trying to understand why it worked with the cloudposse fork before

jose.amengual avatar
jose.amengual

@Andriy Knysh (Cloud Posse) do you happen to know if there is a way to shortcircuit atlantis execution after the call to ParseRepoCfg I was trying to stop atlantis if :

if projectName != "" && yaml.AtlantisYAMLFilename != "atlantis.yaml" {
		return
	}

OR by using a new env variable ATLANTIS_MULTISERVERbut I’m not familiar with the code and after many hours the plan command keeps executing

jose.amengual avatar
jose.amengual

my guess that whatever I do it will have to be in the Event controller but I’m not so sure anymore

2020-05-21

RB (Ronak) (Cloud Posse) avatar
RB (Ronak) (Cloud Posse)

using default server workflow and custom repo workflow but only my defined directory has terraform run. all undefined directories in custom repo workflow do not use default workflow.

version: 3
projects:
- name: secrets
  dir: secrets
  workflow: secrets

workflows:
  secrets:
    plan:
      steps:
        - init
        - run: make diff
        - plan
    apply:
      steps:
        - run: "echo 'Apply is disabled for now."

am I missing something simple ?

RB (Ronak) (Cloud Posse) avatar
RB (Ronak) (Cloud Posse)

thread start

RB (Ronak) (Cloud Posse) avatar
RB (Ronak) (Cloud Posse)

do i need to define both of these in my repo config ?

- id: "/.*/"
  workflow: default
- name: secrets
  dir: secrets
  workflow: secrets

even tho my server config has this already ?

- id: "/.*/"
  workflow: default
jose.amengual avatar
jose.amengual

which for of atlantis are you using ?

RB (Ronak) (Cloud Posse) avatar
RB (Ronak) (Cloud Posse)

using runatlantis/atlantis:v0.12.0

RB (Ronak) (Cloud Posse) avatar
RB (Ronak) (Cloud Posse)

looks like the latest version

jose.amengual avatar
jose.amengual

you need to allow custom workflows if you are defining workflows in your repo config

jose.amengual avatar
jose.amengual

otherwise is not going to pick them up

RB (Ronak) (Cloud Posse) avatar
RB (Ronak) (Cloud Posse)

it does pick it up for my custom workflow, just not for my not defined modules. this is my atlantis server config

RB (Ronak) (Cloud Posse) avatar
RB (Ronak) (Cloud Posse)
repos:
  - # apply config to repos matching this regex
    id: /.*/
    allow_custom_workflows: true
    allowed_overrides:
      - apply_requirements
      - workflow
    apply_requirements:
      - approved
    workflow: default
jose.amengual avatar
jose.amengual

that should apply to all repos

RB (Ronak) (Cloud Posse) avatar
RB (Ronak) (Cloud Posse)

it should but after i added a repo level config that i shared above, it seemed to only allow the custom one to work

RB (Ronak) (Cloud Posse) avatar
RB (Ronak) (Cloud Posse)

the others i have to manually run atlantis plan -d mytfdir

jose.amengual avatar
jose.amengual

mmm so is the autoplan you are expecting it to run?

RB (Ronak) (Cloud Posse) avatar
RB (Ronak) (Cloud Posse)

yessir

jose.amengual avatar
jose.amengual

I hate autoplan so I disable every time

jose.amengual avatar
jose.amengual

autoplan does have a default for the files it tracks

jose.amengual avatar
jose.amengual

“/.tf”*

jose.amengual avatar
jose.amengual

something like that

1
jose.amengual avatar
jose.amengual

I can type two *

jose.amengual avatar
jose.amengual

freaking annoying slack

2020-05-19

jose.amengual avatar
jose.amengual
RB (Ronak) (Cloud Posse) avatar
RB (Ronak) (Cloud Posse)

Pretty cool. Does it only work with terraform cloud and enterprise or also for other backends?

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

This works with terraform open source

Padarn avatar
Padarn

if you have TF enterprise you probably don’t need this?

Padarn avatar
Padarn

I was under the impression they offered integrations of many build tools

jose.amengual avatar
jose.amengual

someone must be working in an atlantis feature complete clone, right…..?

jose.amengual avatar
jose.amengual

I heard a rumour

RB (Ronak) (Cloud Posse) avatar
RB (Ronak) (Cloud Posse)

Isn’t the guy that started atlantis ilya working directly got hashicorp? Wouldn’t he be the one working on this as well?

jose.amengual avatar
jose.amengual

both guys are working for hashicorp

2020-05-18

joshmyers avatar
joshmyers

minimal Atlantis policy is minimal policy for what you are wanting Atlantis to apply…

Padarn avatar
Padarn

Haha yes, true, but in my experience terraform needs quite a few permissions just to do basic operations, even just for state refresh

Padarn avatar
Padarn

another question on similar topic: Is anyway using something like an OAuth server infront of Atlantis ?

joshmyers avatar
joshmyers

To do a state refresh it needs read access to the things you want to manage to it

joshmyers avatar
joshmyers

Yes, I believe CloudPosse (may??) do this

joshmyers avatar
joshmyers

@ https://github.com/cloudposse/terraform-aws-ecs-atlantis is opinionated but contains the resources you will need

cloudposse/terraform-aws-ecs-atlantis

Terraform module for deploying Atlantis as an ECS Task - cloudposse/terraform-aws-ecs-atlantis

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Yep, this has support for that, but it’s a beast of a module

cloudposse/terraform-aws-ecs-atlantis

Terraform module for deploying Atlantis as an ECS Task - cloudposse/terraform-aws-ecs-atlantis

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Padarn avatar
Padarn

thanks guys - I was using the other terraform on fargate module, will go through this one

2020-05-16

Padarn avatar
Padarn

anyone have an example of a minimal terraform policy that Atlantis needs for AWS?

Padarn avatar
Padarn

I’m trying to figure out how to get tag based permissions to work, and my original lenient policy is a bit had to prune

2020-05-14

2020-05-12

2020-05-11

2020-05-07

2020-05-05

2020-05-04

RB (Ronak) (Cloud Posse) avatar
RB (Ronak) (Cloud Posse)

If a terraform module (module UP) is updated, is there a way for atlantis or something else to rerun a terraform plan for a module (module DOWN) that depends on UP ?

Adrian avatar
Adrian

try terragrunt-atlantis-config it will generate atlantis.yaml according to your HCL dependencies

Adrian avatar
Adrian

omg sorry for that it terragrunt not terraform

RB (Ronak) (Cloud Posse) avatar
RB (Ronak) (Cloud Posse)

would this work if a module was referenced using a git source as well ?

Adrian avatar
Adrian

Don’t know

jose.amengual avatar
jose.amengual

need some help, mostly cloudposse guys since I use their fork : I’m defining this as my atlantis.yaml

version: 2
projects:
- name: staging-us-east-2
  dir: .
  workflow: staging-us-east-2
  terraform_version: v0.12.24
  autoplan:
    when_modified: 
      - "*.tf"
    enabled: false

- name: production-us-east-2
  dir: .
  workflow: production-us-east-2
  terraform_version: v0.12.24
  autoplan:
    when_modified: 
      - "prod.txt"
    enabled: false
jose.amengual avatar
jose.amengual

I created a PR that does not have the "prod.txt" file but when I run atlantis plan -p production-us-east-2 atlantis goes and runs the the plan

jose.amengual avatar
jose.amengual

I’m trying to avoid that by using the prod.txt file as a feature enable flag kind off

jose.amengual avatar
jose.amengual

is that possible ?

jose.amengual avatar
jose.amengual

does the file have to exist in order for this to work ?

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

this is just for autoplan

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

when you run the command, it will be executed

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

(Cloud Posse fork, the latest version, does not have any new features except we added GitHub Team whitelist to detect if a user has permissions to run the atlantis commands. For all other features, you can ask in the atlantis Slack)

jose.amengual avatar
jose.amengual

I thought when_modified will work even if autoplan is disabled

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

probably not, you can look into the atlantis code

jose.amengual avatar
jose.amengual

I’m not so versed in golang yet

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

what problem are you trying to solve?

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

you want atlantis to run diff workflows for staging and prod when diff files are modified?

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

and you are using one repo?

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

suggest you create a folder conf and add staging.tfvars and prod.tfvars in it

jose.amengual avatar
jose.amengual

sorry I made a mistake

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

if you modify the main module, both staging and prod will run

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

if you modify only e.g. staging.tfvars, then only the staging atlantis would run

jose.amengual avatar
jose.amengual

one aws account per environment, one atlantis server per aws account

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

one repo for all environments?

jose.amengual avatar
jose.amengual

yes

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

so you need to separate prod config from staging config

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

they should not be in [variables.tf](http://variables.tf) for all environments

jose.amengual avatar
jose.amengual

I run them like this, this is the server config

staging-us-west-2:
    plan:
      steps:
      - run: rm -rf .terraform
      - init:
          extra_args: [-backend-config=staging-backend-us-west-2.tfvars]
      - plan:
          extra_args: [-var-file=staging-us-west-2.tfvars]
Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

only the code (logic) is common for all

jose.amengual avatar
jose.amengual

the idea was that we could test config changes of the main module in staging without triggering a prod even to the prod atlantis

jose.amengual avatar
jose.amengual

that is what we usually do

jose.amengual avatar
jose.amengual

so one repo terraform-aws-rds for multiple environments and we have different .tfvars and backen-configs

jose.amengual avatar
jose.amengual

for example

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

but that should work

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

you already disabled autoplan

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

when you run atlantis plan -p production-us-east-2, only prod should run

jose.amengual avatar
jose.amengual

yes but by repo is for multiple environments so I haver multiple webhooks

jose.amengual avatar
jose.amengual

one point from the same repo to the staginmg atlantis and another to the prod atlantis

jose.amengual avatar
jose.amengual

I want the staging atlantis to ignore the productions workflows

jose.amengual avatar
jose.amengual

so I thought I could use :

version: 2
projects:
- name: staging-us-east-2
  dir: .
  workflow: staging-us-east-2
  terraform_version: v0.12.24
  autoplan:
    when_modified: 
      - "*.tf"
    enabled: false
- name: production-us-east-2
  dir: .
  workflow: production-us-east-2
  terraform_version: v0.12.24
  autoplan:
    when_modified: 
      - "prod.txt"
    enabled: false
jose.amengual avatar
jose.amengual

and so I create a PR, then go and run manually atlantis plan -p staging-use-east-2 then once approved then I run atlantis apply and after is tested, I can user the same PR or a new PR , modify the prod.txt file and then run atlantis plan -p production-use-east-2

jose.amengual avatar
jose.amengual

but what I really wanted was that the atlantis in staging ignore any call to production workflows

jose.amengual avatar
jose.amengual

to avoid this :

jose.amengual avatar
jose.amengual
jose.amengual avatar
jose.amengual

I want to avoid having devs to be able to run atlantis plan against prod and getting those errors in the comments

jose.amengual avatar
jose.amengual

since the atlantis servers are separated is not a security concern

jose.amengual avatar
jose.amengual

is just more annoying that anything

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

you are talking about two diff things. If you run those atlantis plan xxxxxxxx commands manually, then it should run only the workflow specified in the command (prod or staging)

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

for the autoplan, enable it, then make each autoplan (prod and staging) depend on diff tfvars files

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
    autoplan:
      when_modified:
        - "*.tf"
        - "prod.tfvars"
      enabled: true

    autoplan:
      when_modified:
        - "*.tf"
        - "staging.tfvars"
      enabled: true
Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

in this case, if you update the module(s), both autoplans will run and show the changes

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

if you update the settings for e.g. staging, only the staging autoplan will run

jose.amengual avatar
jose.amengual

I prefer to run autoplan manually than automatically but I will try this

jose.amengual avatar
jose.amengual

do you know if the when_modified array is like an AND for every item ?

jose.amengual avatar
jose.amengual

like *.tf AND prod.tfvars need to change for it to trigger ?

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

It’s OR

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

If you modify the code, then *.tf will trigger both

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

If you modify settings for one environment, only one should trigger

jose.amengual avatar
jose.amengual

ok I see

jose.amengual avatar
jose.amengual

thanks a lot

jose.amengual avatar
jose.amengual

well, yesterday I realize how stupid I’m and why I never thought about having two separated atlantis-repo-config.yaml files, one for the altantis in prod, one for the atlantis in staging

jose.amengual avatar
jose.amengual

that will solve this issue

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

that’s a good idea

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

each one could be configured and allowed to do only specific things

jose.amengual avatar
jose.amengual

exactly

jose.amengual avatar
jose.amengual

and I can still do the specific files so that it does not comment back to the repo saying that that project does not exist

jose.amengual avatar
jose.amengual

etc

zeid.derhally avatar
zeid.derhally

This is what we do, we have Atlantis look for a configuration file that matches the env name. We have a patched version of Atlantis that does this. We still get the extra status checks showing up in the PR, but I think some of that is fixed in the latest version of Atlantis

jose.amengual avatar
jose.amengual

if you use a WAF rule you can avoid the calls from github to altantis base on some text in the payload post from the webhook but if you can deal with the extra status then that is cheaper

jose.amengual avatar
jose.amengual

I saw a delete old messages option or something in the new version

zeid.derhally avatar
zeid.derhally

They added the –silence-vcs-status-no-plans flag that silences VCS commit status when autoplan finds no projects to plan

zeid.derhally avatar
zeid.derhally

Haven’t tried it yet

jose.amengual avatar
jose.amengual

can you share your repo and altantis yaml ?

jose.amengual avatar
jose.amengual

I mean a piece of it

jose.amengual avatar
jose.amengual

ohh but you said you have a patched version, what patches do you have ?

zeid.derhally avatar
zeid.derhally

to support different Atlantis configs was a quick hack. We set an env variable that tells Atlantis what config file to load

zeid.derhally avatar
zeid.derhally

So in the repo we have 3 Atlantis config files, prod.yaml dev.yaml sandbox.yaml.

jose.amengual avatar
jose.amengual

ahhh ok I know the feature request you are altking

jose.amengual avatar
jose.amengual

that it never got merged

zeid.derhally avatar
zeid.derhally

Yeah, that PR did it the better way but it requires lots of changes. Ours is like 5 lines of code

zeid.derhally avatar
zeid.derhally

We were thinking of reimplementing that PR and submitting it again

jose.amengual avatar
jose.amengual

can you share the code ?

zeid.derhally avatar
zeid.derhally
mediwareinc/atlantis-1

Terraform Pull Request Automation. Contribute to mediwareinc/atlantis-1 development by creating an account on GitHub.

zeid.derhally avatar
zeid.derhally

It’s in the multi-env branch

zeid.derhally avatar
zeid.derhally
Allow setting env var to override atlantis.yaml name · mediwareinc/[email protected]

Terraform Pull Request Automation. Contribute to mediwareinc/atlantis-1 development by creating an account on GitHub.

jose.amengual avatar
jose.amengual

NO Fing way……..

jose.amengual avatar
jose.amengual

how can someone deny to merge that?

jose.amengual avatar
jose.amengual

if you create the pull request and starts huge discussion and it takes months to merge, I will just flip the table

zeid.derhally avatar
zeid.derhally

I think that PR you linked should have been included, not sure why they rejected it

jose.amengual avatar
jose.amengual

but you solution is totally valid too

jose.amengual avatar
jose.amengual

for people that can deploy multiple altlantis

zeid.derhally avatar
zeid.derhally

We are going to update to the latest Atlantis next week and try our change with the –silence-vcs-status-no-plans flag

zeid.derhally avatar
zeid.derhally

But ultimately would like to get something submitted back to atlantis

jose.amengual avatar
jose.amengual

I’m kinda concern with the project because both guys work for hashicorp

jose.amengual avatar
jose.amengual

basically getting pay to have a conflict of interest

jose.amengual avatar
jose.amengual

they should hand over the project

RB (Ronak) (Cloud Posse) avatar
RB (Ronak) (Cloud Posse)

So I think I came up with a way to authenticate github users specific for terraform applies using a file in /home/atlantis/users with 444 permissions.

https://github.com/nitrocode/atlantis

questions:

  1. how do i restrict the atlantis user in the docker container to ONLY be able to read the file and NOT append the file2. i am whitelisting repos that have access to atlantis plans. on top of that, how do i only allow repo level workflow overrides for a subset of the whitelisted repos?
  2. is there a way to perform a different function if a specific tf resource is detected ?
  3. using a custom workflow, can I use the @ sign to tag specific people ?
nitrocode/atlantis

Basic terraform cicd setup using atlantis. Contribute to nitrocode/atlantis development by creating an account on GitHub.

RB (Ronak) (Cloud Posse) avatar
RB (Ronak) (Cloud Posse)

For 1) I tested it locally using docker run --user atlantis -it 2febd567f15e bash after chowning to root:atlantis which allowed reading users but not writing / appending

nitrocode/atlantis

Basic terraform cicd setup using atlantis. Contribute to nitrocode/atlantis development by creating an account on GitHub.

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

atlantis has a global config file. It does not answer all the questions or allow you to config everything you asked, but might help

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
# <https://www.runatlantis.io/docs/configuring-atlantis.html>
# <https://www.runatlantis.io/docs/server-configuration.html>
# <https://www.runatlantis.io/docs/server-side-repo-config.html>
# <https://www.runatlantis.io/docs/repo-level-atlantis-yaml.html>

# repos lists the config for specific repos
repos:
  # id can either be an exact repo ID or a regex.
  # If using a regex, it must start and end with a slash
  # Repo ID's are of the form {VCS hostname}/{org}/{repo name}
  - id: github.com/xxxxxxx/yyyyyyyyy

    # apply_requirements sets the Apply Requirements for all repos that match
    apply_requirements: [approved]

    # allowed_overrides specifies which keys can be overridden by this repo in
    # its atlantis.yaml file
    allowed_overrides: [apply_requirements, workflow]

    # allow_custom_workflows defines whether this repo can define its own
    # workflows. If false (default), the repo can only use server-side defined workflows
    allow_custom_workflows: true
1

2020-05-03

jose.amengual avatar
jose.amengual

@ I was deploying and enabling for the first time Atlantis for our team and and when I was testing I realize of a somewhat huge problem!!!, my repos are like terraform-team-rds and we define the environments by .tfvars files and then we call -var-file and that is how we can initialize the environments so if the sam repo for all environments so if I deploy another atlantis in the prod account then the repo is going to have two webhooks so it will receive from the same events plan or apply` commands and then both atlantis server will populate the PR, one with a successful run and the other one with a incomplete run, which is far from ideal since the PR will get polluted

jose.amengual avatar
jose.amengual

So there is I think two ways to do this : one is to maybe set a webhook that only send events on releases for prod and then do apply but I have no idea if that will work and the other way it costs $6 bucks a month and is to use WAF to parse the POST payload of the webhook and look form something and block it if it does not contain that magic word, that in my case I set it up to be environment: staging

jose.amengual avatar
jose.amengual

after doing this the staging atlantis only received the events that need to process

jose.amengual avatar
jose.amengual

not the best solution but it was very easy to setup, if atlantis could deal with this will be ideal

jose.amengual avatar
jose.amengual

having to move to having modules per environment will not be fun

Padarn avatar
Padarn

By this do you mean a repo per environment?

jose.amengual avatar
jose.amengual

yes

jose.amengual avatar
jose.amengual

so that each repo have it’s own webhook

jose.amengual avatar
jose.amengual

and the amount of repos will be crazy

Padarn avatar
Padarn

This is a good point (I hadn’t worked on this in the weekend). I am using gitlab, and there is one possible simple solution: https://gitlab.com/gitlab-org/gitlab-foss/-/merge_requests/19513. It Is possible to filter webhooks based on the branch

Filter web hooks by branch (!19513) · Merge Requests · GitLab.org / GitLab FOSS

What does this MR do? Allow for filtering of project webhooks by branch as requested per https://gitlab.com/gitlab-org/gitlab-ce/issues/20338 Scope: - ability to specify a single branch name in a form…

Padarn avatar
Padarn

but, it seems like (from what I can see) this only filters for “push events” with is not ideal

jose.amengual avatar
jose.amengual

push events and not comments

jose.amengual avatar
jose.amengual

mmmm

Padarn avatar
Padarn
Repo Level atlantis.yaml Config | Atlantis

Atlantis: Terraform Pull Request Automation

jose.amengual avatar
jose.amengual

i do that already

Repo Level atlantis.yaml Config | Atlantis

Atlantis: Terraform Pull Request Automation

jose.amengual avatar
jose.amengual
staging-us-east-2:
    plan:
      steps:
      - run: rm -rf .terraform
      - init:
          extra_args: [-backend-config=staging-backend-us-east-2.tfvars]
      - plan:
          extra_args: [-var-file=staging-us-east-2.tfvars]
Padarn avatar
Padarn

what if you add something like :

autoplan:
    when_modified: ["*stg.tf>", "../modules/**<http://stg.tf|stg.tf"]
jose.amengual avatar
jose.amengual

ahhhhhhh…..

jose.amengual avatar
jose.amengual

I missed that

Padarn avatar
Padarn

not totally sure this will work, but may do

jose.amengual avatar
jose.amengual

yes, that could work too

jose.amengual avatar
jose.amengual

but in my case I will still have two webhooks

Padarn avatar
Padarn

right, but one of them may not actually trigger anything

jose.amengual avatar
jose.amengual

correct

Padarn avatar
Padarn

(hopefully)

Padarn avatar
Padarn

I wonder if there is a way to do something like assume role before the different workflows

Padarn avatar
Padarn

that would simplify this

jose.amengual avatar
jose.amengual

you could run aws-vault in the init step

jose.amengual avatar
jose.amengual

and apply step

Padarn avatar
Padarn

ah yeah.. that might be enough

jose.amengual avatar
jose.amengual

like the way they show to run Terragrunt and custom workflows

Padarn avatar
Padarn

I think what I’m going to try later today (I’m in Singapore, so guessing not the same time zone) is one atlantis with assume roles for env

jose.amengual avatar
jose.amengual

you will need to package aws-vault plus .aws config dir in the container

Padarn avatar
Padarn

where do you run atlantis btw? on fargate?

jose.amengual avatar
jose.amengual

Fargate

1
Padarn avatar
Padarn

you could define a workflow only for staging for your staging intance

Padarn avatar
Padarn

but this setup is getting pretty messy

jose.amengual avatar
jose.amengual

@Erik Osterman (Cloud Posse) is this still in the cloudposse fork https://github.com/runatlantis/atlantis/pull/310

Adds support for specifying the atlantis.yaml filename on the server side by darrylb-github · Pull Request #310 · runatlantis/atlantis

This allows setting different configs for different instances of atlantis, which is useful when wanting to run different servers for production and staging. Our use case is to have separate product…

jose.amengual avatar
jose.amengual

Looks like now that this guys are in hashicorp, they are not so willing to improve Atlantis

Adds support for specifying the atlantis.yaml filename on the server side by darrylb-github · Pull Request #310 · runatlantis/atlantis

This allows setting different configs for different instances of atlantis, which is useful when wanting to run different servers for production and staging. Our use case is to have separate product…

Padarn avatar
Padarn

hmm thats a shame

Padarn avatar
Padarn

what is in the fork that you need not existing in the main branch?

jose.amengual avatar
jose.amengual

Github group whitelist

jose.amengual avatar
jose.amengual

I don’t know if it works for gitlab

jose.amengual avatar
jose.amengual

Basically only certain groups can do apply

Padarn avatar
Padarn

Ah okay. Yeah I’m going with the fargate setup currently. but some minor blockers around getting my config to work

Padarn avatar
Padarn

was planning on just using codeowners for that

jose.amengual avatar
jose.amengual

Github does not have code owners I believe

jose.amengual avatar
jose.amengual
Question: Multiple Atlantis Servers · Issue #653 · runatlantis/atlantis

We’d like to use multiple Altantis servers, with each running local to its provider’s resources. The problem with this (design 1) is that both Atlantis servers would respond to the webhooks receive…

jose.amengual avatar
jose.amengual

it was abandon

Padarn avatar
Padarn

Oh … sad

Padarn avatar
Padarn

Wondering if there is any real alternative

Padarn avatar
Padarn

(except terraform enterprise)

jose.amengual avatar
jose.amengual

atlantis have like 300 forks

jose.amengual avatar
jose.amengual

I guess a lot of people have think some options are lacking..

Padarn avatar
Padarn

Padarn avatar
Padarn

either the Atlantis devs have really dropped the ball here or people just don’t understand open source

jose.amengual avatar
jose.amengual

lol

2020-05-01

Padarn avatar
Padarn

Hi guys - I’m wondering if anyone has advice for setting up an Atlantis to manage multiple environments (dev/stg/prd) within the same AWS account (cannot split them unfortunately): Unclear to me right now how to manage permissions for users so the environments are isolated (based on AWS)

jose.amengual avatar
jose.amengual

interesting

jose.amengual avatar
jose.amengual

I just set it up for one account per environment

jose.amengual avatar
jose.amengual

but the catch is that the TF repo is for both envs, stage and prod

jose.amengual avatar
jose.amengual

so I started freaking out when I realize that people can access the prod state but….it was not possible since the S3 bucket lives in another account

jose.amengual avatar
jose.amengual

so in your case is a bit harder

jose.amengual avatar
jose.amengual

you could deploy 3 different atlantis with 3 different web hooks and 3 different repos

jose.amengual avatar
jose.amengual

and then by instance profile restrict which remote state they can use

jose.amengual avatar
jose.amengual

I’m assuming you are using remote state

jose.amengual avatar
jose.amengual

otherwise restricting using the githib groups could be another way but that is on the clouposse repo

jose.amengual avatar
jose.amengual

is a fork of atlantis

jose.amengual avatar
jose.amengual

then you can name a team that can run the apply

jose.amengual avatar
jose.amengual

and only that team can do it

Padarn avatar
Padarn

When I looked at the clouposse module it looked like it did not support gitlab, am I wrong in thinking that?

Padarn avatar
Padarn

generally your idea of 3 Atlantis makes sense - the only drawback of this is not having a clear way to actually write an instance profile that can’t touch prd resources

Padarn avatar
Padarn

the state yes, but I guess you could manually import a prd instance then destroy it?

Padarn avatar
Padarn
Using Tags with IAM Policies - AWS IoT

You can apply tag-based resource-level permissions in the IAM policies you use for AWS IoT API actions. This gives you better control over what resources a user can create, modify, or use. You use the Condition element (also called the Condition

jose.amengual avatar
jose.amengual

I haver seen that

jose.amengual avatar
jose.amengual

you could do TAG base access

jose.amengual avatar
jose.amengual
Simplify granting access to your AWS resources by using tags on AWS IAM users and roles | Amazon Web Services attachment image

Recently, AWS enabled tags on IAM principals (users and roles). The main benefit of this new feature is that you’ll be able to author a single policy to grant access to individual resources and you’ll no longer need to update your policies for each new resource that you add. In other words, you can now […]

jose.amengual avatar
jose.amengual

ABACs are called

jose.amengual avatar
jose.amengual

Attribute base access

Padarn avatar
Padarn

Oh nice.. that seems like quite a good solution

jose.amengual avatar
jose.amengual

are they in different VPCs ?

Padarn avatar
Padarn

yes.. we’ve done what we can with the one account restriction

Padarn avatar
Padarn

do you have a specific reference for the cloudposse groups approach, not clear to me from their github repo what they’ve done in the fork

jose.amengual avatar
jose.amengual

one sec

jose.amengual avatar
jose.amengual

We have the same setup where we have an Atlantis in each account. For accounts that handle multiple environments we went with separate directories and try to follow a strict process of only making changes in one environment in a given PR.

jose.amengual avatar
jose.amengual
Add `gh-team-whitelist` command line argument (#30) · cloudposse/[email protected]
  • Add .travis.yml * Add gh-team-whitelist command line argument * Add gh-team-whitelist command line argument * Make description line length shorter than 120 chars * Make descript…
Padarn avatar
Padarn

awesome, tanks a bunch

Padarn avatar
Padarn

I’ll go through in detail

Padarn avatar
Padarn

thanks a lot for the help, will let you know how I get on

jose.amengual avatar
jose.amengual

no problem, I hope this help

    keyboard_arrow_up