#atlantis (2020-05)

atlantis

Discuss the Atlantis (http://runatlantis.io|runatlantis.io) *Archive: * https://archive.sweetops.com/atlantis/

2020-05-29

RB avatar

this is strange. i have a specific workflow for a specific tf module to overwrite the terraform version yet it still uses the default.

version: 3
projects:
- name: secrets
  dir: secrets
  workflow: secrets
  terraform_version: v0.12.25

workflows:
  secrets:
    plan:
      steps:
        - init
        - run: make diff
        - plan
RB avatar

then i see this in github

�[31m
�[1m�[31mError: �[0m�[0m�[1mError loading state: state snapshot was created by Terraform v0.12.25, which is newer than current v0.12.24; upgrade to Terraform v0.12.25 or greater to work with this state�[0m

�[0m�[0m�[0m
RB avatar

im using atlantis 12 and i dont believe the new 13 that was just released fixes this, according to their changelog

RB avatar

any idea what im doing wrong ? or is this a bug ?

RB avatar

the init seems to work but the make diff which calls terraform refresh seems to use the default terraform instead of the terraform_version

RB avatar

perhaps v0.12.25 needs to be 0.12.25 according to this

Repo Level atlantis.yaml Config | Atlantis

Atlantis: Terraform Pull Request Automation

RB avatar

this is interesting too

https://github.com/runatlantis/atlantis/issues/910

Looks like @lkysow says to use

- run: terraform$ATLANTIS_TERRAFORM_VERSION plan

so perhaps i need to do that in my Makefile to use the correct version of terraform …

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

terraform_version in atlantis workflow never worked for us as well

RB avatar

in my make diff, i changed it so my Makefile uses the $ATLANTIS_TERRAFORM_VERSION, not sure what else to do

RB avatar

wish atlantis could be smart enough to check the tfstate, get the correct version, and use the same version in the state

RB avatar

dude youre right, WTF, tested it out and that env variable wasnt even filled

RB avatar

so i guess im not allowed to use Makefile targets in my run atlantis command if it requires a non default terraform version

RB avatar
terraform_version key ignored for custom workflow · Issue #1065 · runatlantis/atlantis

My repo level atlantis.yaml version: 3 projects: - name: secrets dir: secrets workflow: secrets terraform_version: v0.12.25 workflows: secrets: plan: steps: - init - run: make diff - plan secrets d…

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

yes it’s like that

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

you can fork it and improve

RB avatar
terraform_version key ignored for custom workflow · Issue #1065 · runatlantis/atlantis

Using v12 My repo level atlantis.yaml version: 3 projects: - name: secrets dir: secrets workflow: secrets terraform_version: v0.12.25 workflows: secrets: plan: steps: - init - run: make diff - plan…

RB avatar

atlantis, when using repo configs, is using the PR branch’s config instead of the one in master. this wasn’t clear to me and was confusing.

:--1:1

2020-05-28

PePe avatar

I’m going to have to fork cloudposse atlantis to fix my needs so I was wondering how can I build my fork ?

PePe avatar

@Andriy Knysh (Cloud Posse) I was trying make dist and got a bunch of errors, I’m wondering how you guys run the build ?

PePe avatar

I have no idea what I’m doing…. lol

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

make build-service

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

which is CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -v -o atlantis .

PePe avatar

and that exploded

PePe avatar
CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -v -o atlantis .
[github.com/atlantis/vendor/github.com/runatlantis/atlantis/server/events/vcs](http://github\.com/atlantis/vendor/github\.com/runatlantis/atlantis/server/events/vcs)

\# [github.com/atlantis/vendor/github.com/runatlantis/atlantis/server/events/vcs](http://github\.com/atlantis/vendor/github\.com/runatlantis/atlantis/server/events/vcs)
vendor/github.com/runatlantis/atlantis/server/events/vcs/gitlab_client.go:168:54: not enough arguments in call to g.Client.MergeRequests.GetMergeRequest
	have (string, int)
	want (interface {}, int, *gitlab.GetMergeRequestsOptions, ...gitlab.OptionFunc)
vendor/github.com/runatlantis/atlantis/server/events/vcs/gitlab_client.go:199:54: not enough arguments in call to g.Client.MergeRequests.GetMergeRequest
	have (string, int)
	want (interface {}, int, *gitlab.GetMergeRequestsOptions, ...gitlab.OptionFunc)
make: *** [build-service] Error 2
PePe avatar

do I have to have a specific version of go ?

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

i tested it with 1.11 and 1.2 before, now I have 1.13.1, all works

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

are you building `

runatlantis/atlantis
Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

?

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

or CloudPosse repo?

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

runatlantis prob have made a lot of changes since the last time we forked it

PePe avatar

cloudposse repo

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

make sure you copy it into <GOPATH>/src/github.com/runatlantis/atlantis

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

b/c all imports are using runatlantis

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

that’s how Go works

PePe avatar

golang 101 lol

PePe avatar

this looks better

PePe avatar
[github.com/runatlantis/atlantis/vendor/github.com/aws/aws-sdk-go/aws/defaults](http://github\.com/runatlantis/atlantis/vendor/github\.com/aws/aws\-sdk\-go/aws/defaults)
[github.com/runatlantis/atlantis/vendor/github.com/aws/aws-sdk-go/service/sts](http://github\.com/runatlantis/atlantis/vendor/github\.com/aws/aws\-sdk\-go/service/sts)
[github.com/runatlantis/atlantis/vendor/github.com/aws/aws-sdk-go/service/s3](http://github\.com/runatlantis/atlantis/vendor/github\.com/aws/aws\-sdk\-go/service/s3)
[github.com/runatlantis/atlantis/vendor/github.com/aws/aws-sdk-go/aws/credentials/stscreds](http://github\.com/runatlantis/atlantis/vendor/github\.com/aws/aws\-sdk\-go/aws/credentials/stscreds)
[github.com/runatlantis/atlantis/vendor/github.com/aws/aws-sdk-go/aws/session](http://github\.com/runatlantis/atlantis/vendor/github\.com/aws/aws\-sdk\-go/aws/session)
[github.com/runatlantis/atlantis/vendor/github.com/hashicorp/go-getter](http://github\.com/runatlantis/atlantis/vendor/github\.com/hashicorp/go\-getter)
[github.com/runatlantis/atlantis/vendor/github.com/runatlantis/atlantis/server/events/terraform](http://github\.com/runatlantis/atlantis/vendor/github\.com/runatlantis/atlantis/server/events/terraform)
[github.com/runatlantis/atlantis/vendor/github.com/runatlantis/atlantis/server/events/runtime](http://github\.com/runatlantis/atlantis/vendor/github\.com/runatlantis/atlantis/server/events/runtime)
make: *** [build-service] Error 2
PePe avatar

at least it did more stuff

PePe avatar

I moved to runatlantis/atlantis

PePe avatar

and in there I run make build-service

PePe avatar

better but not quite

PePe avatar
~/workspace/Go/src/github.com/runatlantis/atlantis(git:master)❱✔≻ make build-service                                                                                           39.3s  Thu 28 May 17:33:50 2020
CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -v -o atlantis .
[github.com/runatlantis/atlantis/server/events/vcs/common](http://github\.com/runatlantis/atlantis/server/events/vcs/common)
[github.com/runatlantis/atlantis/server/logging](http://github\.com/runatlantis/atlantis/server/logging)
[github.com/runatlantis/atlantis/server/recovery](http://github\.com/runatlantis/atlantis/server/recovery)
[github.com/runatlantis/atlantis/server/static](http://github\.com/runatlantis/atlantis/server/static)
[github.com/runatlantis/atlantis/server/events/yaml/valid](http://github\.com/runatlantis/atlantis/server/events/yaml/valid)
[github.com/runatlantis/atlantis/testdrive](http://github\.com/runatlantis/atlantis/testdrive)
[github.com/runatlantis/atlantis/server/events/terraform](http://github\.com/runatlantis/atlantis/server/events/terraform)
[github.com/runatlantis/atlantis/server/events/models](http://github\.com/runatlantis/atlantis/server/events/models)
[github.com/runatlantis/atlantis/server/events/yaml/raw](http://github\.com/runatlantis/atlantis/server/events/yaml/raw)
[github.com/runatlantis/atlantis/server/events/db](http://github\.com/runatlantis/atlantis/server/events/db)
[github.com/runatlantis/atlantis/server/events/vcs/bitbucketserver](http://github\.com/runatlantis/atlantis/server/events/vcs/bitbucketserver)
[github.com/runatlantis/atlantis/server/events/vcs/bitbucketcloud](http://github\.com/runatlantis/atlantis/server/events/vcs/bitbucketcloud)
[github.com/runatlantis/atlantis/server/events/locking](http://github\.com/runatlantis/atlantis/server/events/locking)
[github.com/runatlantis/atlantis/server/events/webhooks](http://github\.com/runatlantis/atlantis/server/events/webhooks)
[github.com/runatlantis/atlantis/server/events/vcs](http://github\.com/runatlantis/atlantis/server/events/vcs)
[github.com/runatlantis/atlantis/server/events/runtime](http://github\.com/runatlantis/atlantis/server/events/runtime)

\# [github.com/runatlantis/atlantis/server/events/vcs](http://github\.com/runatlantis/atlantis/server/events/vcs)
server/events/vcs/gitlab_client.go:168:54: not enough arguments in call to g.Client.MergeRequests.GetMergeRequest
	have (string, int)
	want (interface {}, int, *gitlab.GetMergeRequestsOptions, ...gitlab.OptionFunc)
server/events/vcs/gitlab_client.go:199:54: not enough arguments in call to g.Client.MergeRequests.GetMergeRequest
	have (string, int)
	want (interface {}, int, *gitlab.GetMergeRequestsOptions, ...gitlab.OptionFunc)
[github.com/runatlantis/atlantis/server/events/yaml](http://github\.com/runatlantis/atlantis/server/events/yaml)
make: *** [build-service] Error 2
❰jamengual❙~/workspace/Go/src/github.com/runatlantis/atlantis(git:master)❱✘≻          
PePe avatar

my ultimate goal is to patch current atlantis with the github code you guys did and add the atlantis.yaml specific settings I need

PePe avatar

but for now building cloudposse fork will be great

PePe avatar

so I ended up downloading lates atlantis src

PePe avatar

compiled

PePe avatar

added few thing worked

PePe avatar

and I decided to add the code from PR #30 from cloudposse

PePe avatar

after a few fixes

PePe avatar

compiled

PePe avatar

I deployed

PePe avatar

but I’m stuck

PePe avatar

fo whatever reason it keeps saying : Error: User @jamengual does not have permissions to execute 'plan' command.

PePe avatar

which is checkUserPermissions returning false

PePe avatar

but I do not know why yet

PePe avatar

any pointers @Andriy Knysh (Cloud Posse)

PePe avatar

this is the bit of code is doing the call

/ Check if the user who commented has the permissions to execute the 'plan' or 'apply' commands
	ok, err := e.checkUserPermissions(baseRepo, user, parseResult.Command)
	if err != nil {
		e.Logger.Err("unable to comment on pull request: %s", err)
		return
	}
	if !ok {
		e.commentUserDoesNotHavePermissions(baseRepo, pullNum, user, parseResult.Command)
		e.respond(w, logging.Warn, http.StatusForbidden, "User @%s does not have permissions to execute '%s' command", user.Username, parseResult.Command.Name.String())
		return
	}
Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

@PePe did you specify the parameter gh-team-whitelist?

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
Add `gh-team-whitelist` command line argument by aknysh · Pull Request #30 · cloudposse/atlantis

what Add gh-team-whitelist command line argument Use bigger atlantis logo on the web pages why Improved security Explicitly specify GitHub teams and operations (plan, apply) that the members of …

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

and then did you add your user to the whitelisted team (on GitHub)?

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

the code in this PR https://github.com/cloudposse/atlantis/pull/30 makes gh-team-whitelist param optional. If not specified at all, the default functionality is in place. If specified, then the code checks if the user is in a whitelisted team. If not, the error is thrown

Add `gh-team-whitelist` command line argument by aknysh · Pull Request #30 · cloudposse/atlantis

what Add gh-team-whitelist command line argument Use bigger atlantis logo on the web pages why Improved security Explicitly specify GitHub teams and operations (plan, apply) that the members of …

PePe avatar

yes I did

PePe avatar

basically I had atlantis already running with cloudposse fork

PePe avatar

and then I I forked latest and added your code

PePe avatar

and deployed to the same fargate task

PePe avatar

I have everything in Parameter store

PePe avatar

I added debug too

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

did you use the correct format for gh-team-whitelist?

PePe avatar

hds-team:plan,hds-team:apply

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

(looks like you did since you used CP fork before)

PePe avatar

I’m part of that team

PePe avatar

I used the terraform atlantis module from you guys

PePe avatar

it is weird, I can run help and that , it does not crash or anything, plus returns my user correctly

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

well… atlantis made a lot of changes, and GitHub made a lot of changes. If you copy the code correctly and it does not work, then something has been changed in the GitHub API

PePe avatar

somehow something in team_whitelist_checker.go does not work

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

if you run our fork now, does it work?

PePe avatar

I can roll back, one sec

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)


somehow something in team_whitelist_checker.go does not work

PePe avatar

that is my theory

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

we made changes a few times as well b/c GitHub kept changing some API

PePe avatar

ohhhhh so maybe I did not push those updates ?????

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

(don’t know )

PePe avatar

I checked like 40 times

PePe avatar

after #30 I do not see anything about github

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

in situations like this, and since you are modifying the code anyway, would be great to update the version number and display it on the screen (I think it’s displayed)

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

so you can know for sure which version got deployed

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
cloudposse/atlantis

GitOps for Teams (experimental hard fork of atlantis) - cloudposse/atlantis

PePe avatar

mmmm

PePe avatar

I see :

2020-05-29 18:15:42
2020/05/30 01:15:42+0000 [INFO] server.go:462 server: Atlantis started - listening on port 4141
PePe avatar

yes so I have a custom version

PePe avatar

atlantis version                                                     8.9m  Fri 29 May 20:34:46 2020 atlantis 0.12.0-multienv-debug1

PePe avatar

I see the same if I docker build locally

PePe avatar

I wonder if I could shot the version on fargate logs

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

you should see the version in the UI, in the bottom-right corner

PePe avatar

which I though it was the problem

PePe avatar

the ui…ok let me check I have not used the UI ever

PePe avatar

mmm the ui is 503…..

PePe avatar

the ui is on /?

PePe avatar

ok, listener rule error , it shows my version

PePe avatar

v0.12.0-multienv-debug0

PePe avatar

so at least I know is the one I compiled

PePe avatar

and this was updated too

func (g *GithubClient) GetTeamNamesForUser(repo models.Repo, user models.User) ([]string, error) {
	var teamNames []string
	opts := &github.ListOptions{}
	org := repo.Owner
	for {
		teams, resp, err := g.client.Teams.ListTeams(g.ctx, org, opts)
		if err != nil {
			return nil, err
		}
		for _, t := range teams {
			membership, _, err := g.client.Teams.GetTeamMembership(g.ctx, t.GetID(), user.Username)
			if err == nil && membership != nil {
				if *membership.State == "active" && (*membership.Role == "member" || *membership.Role == "maintainer") {
					teamNames = append(teamNames, t.GetName())
				}
			}
		}
		if resp.NextPage == 0 {
			break
		}
		opts.Page = resp.NextPage
	}
	return teamNames, nil
}
Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
cloudposse/atlantis

GitOps for Teams (experimental hard fork of atlantis) - cloudposse/atlantis

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

do you see this error Error: User @jamengual does not have permissions to execute 'plan' command as GitHub comment?

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

also, you sure that the user is a member of the team, and the team name is correct?

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

and also, is our version working for you?

PePe avatar

yes I do see it as a github comment

PePe avatar

yes I’m a member of that team and the team is correct

PePe avatar

you version was working ok but my need is that I use one repo for all environment so I deploy and atlantis per AWS account and without the option to define a custom atlantis.yaml it does not work for me so I added https://github.com/runatlantis/atlantis/compare/master...mediwareinc:multienv-0.11.0

runatlantis/atlantis

Terraform Pull Request Automation. Contribute to runatlantis/atlantis development by creating an account on GitHub.

PePe avatar

which is very very simple and fit my needs

PePe avatar

but I really like the team whitelist option and that is why I’m here

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

so it’s the same team whitelist code in both repos, one is working, the other is not

PePe avatar

correct

PePe avatar

Unless I missed something

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

and the code gets executed and checks for team membership

PePe avatar

as fas as I can tell

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

so 1) you missed something; 2) atlantis made other changes that affected it; 3) you are using new GitHub API that changed the logic (they did it in the past)

PePe avatar

I’m not a go experts by any means but I was thinking to add e.Logger.Err

PePe avatar

one of the 3 but I think 3 is unlikely because this was working with cloudposse fork and I did not change anything related to apis for github

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

since our fork does not use Go modules (was not in atlantis at the time), and the new atlantis uses Go modules, the GitHub APi could be completely different

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

(the sad thing is, w/o Go modules it was not possible to pin it to a particular version)

PePe avatar

so you alway get the latest

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

but new atlantis uses Go modules so you can see what version you are using

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

you alway get the latest - if you don’t use Go modules, which was created to fix those issues

PePe avatar

I see ok

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

as I said, w/o Go modules it was aways the latest version, and GitHub updated the API a few times and broke our code

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

with Go modules in the latest atlantis, they pinned it to a particular version, but.. that version could be new with some API changes from GitHub (just an idea)

PePe avatar

so you think when I did go get [github.com/runatlantis/atlantis](http://github\.com/runatlantis/atlantis)

PePe avatar

ad then go build I got a version of the github client api that is not compatible ?

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

might be

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

we had such issue before

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

not saying that they change the API all the time, but they did, and broke our code

PePe avatar

I’m running my version now using ngrok and using chamber to populate the ENV variables to my local

PePe avatar

so I can debug faster

PePe avatar

intersting

PePe avatar

I added this :

// checkUserPermissions checks if the user has permissions to execute the command
func (e *EventsController) checkUserPermissions(repo models.Repo, user models.User, cmd *events.CommentCommand) (bool, error) {
	if cmd.Name == models.ApplyCommand || cmd.Name == models.PlanCommand {
		teams, err := e.VCSClient.GetTeamNamesForUser(repo, user)
		if err != nil {
			return false, err
		}
		e.Logger.Err("PEPE teams: ", teams)
		ok := e.TeamWhitelistChecker.IsCommandAllowedForAnyTeam(teams, cmd.Name.String())
		if !ok {
			return false, nil
		}
	}
	return true, nil
}
PePe avatar

e.Logger.Err("PEPE teams: ", teams)

PePe avatar

mmm there is some sensitive information on all this

PePe avatar

basically

PePe avatar
[EROR] events_controller.go:585 server: PEPE teams: %!(EXTRA []string=[Ops Team Product Engineering Employees terraform-atlantis])
PePe avatar

terrafom-atlantis is a team

PePe avatar

but the other is the description of the ream not the team name

PePe avatar

no wait….those are the names

PePe avatar

they just have spaces

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

we did not test teams with spaces

PePe avatar

that is it

PePe avatar

I added terraform-atlantis to the team whitelist

PePe avatar

and now is working

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

but where is hds-team in the list?

PePe avatar

yes it was

PePe avatar

and it did work with the cloudposse fork

PePe avatar

atlantis_gh_team_whitelist = hds-team:plan,hds-team:apply,terraform-atlantis:plan

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

what do you mean “it was”? it’s not in the list [Ops Team Product Engineering Employees terraform-atlantis]

PePe avatar

I mangled the output

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

so you are not part of that team

PePe avatar

sorry

PePe avatar

PEPE teams: %!(EXTRA []string=[IQ Ops HDS Team Product Engineering Employees terraform-atlantis])

PePe avatar

HDS Team is that team

PePe avatar

and I’m part of it

PePe avatar

ok so…….

PePe avatar

HDS Team:plan,hds-team:apply that works

PePe avatar

so this must be something to do with the the github client response that is now not passing some sort of alternated name for the team ?

PePe avatar

I guess a team with a name with space will be converted to something else ?

PePe avatar

I’m trying to understand why it worked with the cloudposse fork before

PePe avatar

@Andriy Knysh (Cloud Posse) do you happen to know if there is a way to shortcircuit atlantis execution after the call to ParseRepoCfg I was trying to stop atlantis if :

if projectName != "" && yaml.AtlantisYAMLFilename != "atlantis.yaml" {
		return
	}

OR by using a new env variable ATLANTIS_MULTISERVERbut I’m not familiar with the code and after many hours the plan command keeps executing

PePe avatar

my guess that whatever I do it will have to be in the Event controller but I’m not so sure anymore

2020-05-21

RB avatar

using default server workflow and custom repo workflow but only my defined directory has terraform run. all undefined directories in custom repo workflow do not use default workflow.

version: 3
projects:
- name: secrets
  dir: secrets
  workflow: secrets

workflows:
  secrets:
    plan:
      steps:
        - init
        - run: make diff
        - plan
    apply:
      steps:
        - run: "echo 'Apply is disabled for now."

am I missing something simple ?

RB avatar

thread start

RB avatar

do i need to define both of these in my repo config ?

- id: "/.*/"
  workflow: default
- name: secrets
  dir: secrets
  workflow: secrets

even tho my server config has this already ?

- id: "/.*/"
  workflow: default
PePe avatar

which for of atlantis are you using ?

RB avatar

using runatlantis/atlantis:v0.12.0

RB avatar

looks like the latest version

PePe avatar

you need to allow custom workflows if you are defining workflows in your repo config

PePe avatar

otherwise is not going to pick them up

RB avatar

it does pick it up for my custom workflow, just not for my not defined modules. this is my atlantis server config

RB avatar
repos:
  - # apply config to repos matching this regex
    id: /.*/
    allow_custom_workflows: true
    allowed_overrides:
      - apply_requirements
      - workflow
    apply_requirements:
      - approved
    workflow: default
PePe avatar

that should apply to all repos

RB avatar

it should but after i added a repo level config that i shared above, it seemed to only allow the custom one to work

RB avatar

the others i have to manually run atlantis plan -d mytfdir

PePe avatar

mmm so is the autoplan you are expecting it to run?

RB avatar

yessir

PePe avatar

I hate autoplan so I disable every time

PePe avatar

autoplan does have a default for the files it tracks

PePe avatar

“/.tf”*

PePe avatar

something like that

1
PePe avatar

I can type two *

PePe avatar

freaking annoying slack

2020-05-19

PePe avatar
RB avatar

Pretty cool. Does it only work with terraform cloud and enterprise or also for other backends?

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

This works with terraform open source

Padarn avatar
Padarn

if you have TF enterprise you probably don’t need this?

Padarn avatar
Padarn

I was under the impression they offered integrations of many build tools

PePe avatar

someone must be working in an atlantis feature complete clone, right…..?

PePe avatar

I heard a rumour

RB avatar

Isn’t the guy that started atlantis ilya working directly got hashicorp? Wouldn’t he be the one working on this as well?

PePe avatar

both guys are working for hashicorp

2020-05-18

joshmyers avatar
joshmyers

minimal Atlantis policy is minimal policy for what you are wanting Atlantis to apply…

Padarn avatar
Padarn

Haha yes, true, but in my experience terraform needs quite a few permissions just to do basic operations, even just for state refresh

Padarn avatar
Padarn

another question on similar topic: Is anyway using something like an OAuth server infront of Atlantis ?

joshmyers avatar
joshmyers

To do a state refresh it needs read access to the things you want to manage to it

joshmyers avatar
joshmyers

Yes, I believe CloudPosse (may??) do this

joshmyers avatar
joshmyers

@ https://github.com/cloudposse/terraform-aws-ecs-atlantis is opinionated but contains the resources you will need

cloudposse/terraform-aws-ecs-atlantis

Terraform module for deploying Atlantis as an ECS Task - cloudposse/terraform-aws-ecs-atlantis

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Yep, this has support for that, but it’s a beast of a module

cloudposse/terraform-aws-ecs-atlantis

Terraform module for deploying Atlantis as an ECS Task - cloudposse/terraform-aws-ecs-atlantis

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Padarn avatar
Padarn

thanks guys - I was using the other terraform on fargate module, will go through this one

2020-05-16

Padarn avatar
Padarn

anyone have an example of a minimal terraform policy that Atlantis needs for AWS?

Padarn avatar
Padarn

I’m trying to figure out how to get tag based permissions to work, and my original lenient policy is a bit had to prune

2020-05-14

2020-05-12

2020-05-11

2020-05-07

2020-05-05

2020-05-04

RB avatar

If a terraform module (module UP) is updated, is there a way for atlantis or something else to rerun a terraform plan for a module (module DOWN) that depends on UP ?

Adrian avatar
Adrian

try terragrunt-atlantis-config it will generate atlantis.yaml according to your HCL dependencies

Adrian avatar
Adrian

omg sorry for that it terragrunt not terraform

RB avatar

would this work if a module was referenced using a git source as well ?

Adrian avatar
Adrian

Don’t know

PePe avatar

need some help, mostly cloudposse guys since I use their fork : I’m defining this as my atlantis.yaml

version: 2
projects:
- name: staging-us-east-2
  dir: .
  workflow: staging-us-east-2
  terraform_version: v0.12.24
  autoplan:
    when_modified: 
      - "*.tf"
    enabled: false

- name: production-us-east-2
  dir: .
  workflow: production-us-east-2
  terraform_version: v0.12.24
  autoplan:
    when_modified: 
      - "prod.txt"
    enabled: false
PePe avatar

I created a PR that does not have the "prod.txt" file but when I run atlantis plan -p production-us-east-2 atlantis goes and runs the the plan

PePe avatar

I’m trying to avoid that by using the prod.txt file as a feature enable flag kind off

PePe avatar

is that possible ?

PePe avatar

does the file have to exist in order for this to work ?

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

this is just for autoplan

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

when you run the command, it will be executed

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

(Cloud Posse fork, the latest version, does not have any new features except we added GitHub Team whitelist to detect if a user has permissions to run the atlantis commands. For all other features, you can ask in the atlantis Slack)

PePe avatar

I thought when_modified will work even if autoplan is disabled

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

probably not, you can look into the atlantis code

PePe avatar

I’m not so versed in golang yet

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

what problem are you trying to solve?

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

you want atlantis to run diff workflows for staging and prod when diff files are modified?

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

and you are using one repo?

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

suggest you create a folder conf and add staging.tfvars and prod.tfvars in it

PePe avatar

sorry I made a mistake

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

if you modify the main module, both staging and prod will run

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

if you modify only e.g. staging.tfvars, then only the staging atlantis would run

PePe avatar

one aws account per environment, one atlantis server per aws account

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

one repo for all environments?

PePe avatar

yes

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

so you need to separate prod config from staging config

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

they should not be in [variables.tf](http://variables\.tf) for all environments

PePe avatar

I run them like this, this is the server config

staging-us-west-2:
    plan:
      steps:
      - run: rm -rf .terraform
      - init:
          extra_args: [-backend-config=staging-backend-us-west-2.tfvars]
      - plan:
          extra_args: [-var-file=staging-us-west-2.tfvars]
Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

only the code (logic) is common for all

PePe avatar

the idea was that we could test config changes of the main module in staging without triggering a prod even to the prod atlantis

PePe avatar

that is what we usually do

PePe avatar

so one repo terraform-aws-rds for multiple environments and we have different .tfvars and backen-configs

PePe avatar

for example

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

but that should work

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

you already disabled autoplan

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

when you run atlantis plan -p production-us-east-2, only prod should run

PePe avatar

yes but by repo is for multiple environments so I haver multiple webhooks

PePe avatar

one point from the same repo to the staginmg atlantis and another to the prod atlantis

PePe avatar

I want the staging atlantis to ignore the productions workflows

PePe avatar

so I thought I could use :

version: 2
projects:
- name: staging-us-east-2
  dir: .
  workflow: staging-us-east-2
  terraform_version: v0.12.24
  autoplan:
    when_modified: 
      - "*.tf"
    enabled: false
- name: production-us-east-2
  dir: .
  workflow: production-us-east-2
  terraform_version: v0.12.24
  autoplan:
    when_modified: 
      - "prod.txt"
    enabled: false
PePe avatar

and so I create a PR, then go and run manually atlantis plan -p staging-use-east-2 then once approved then I run atlantis apply and after is tested, I can user the same PR or a new PR , modify the prod.txt file and then run atlantis plan -p production-use-east-2

PePe avatar

but what I really wanted was that the atlantis in staging ignore any call to production workflows

PePe avatar

to avoid this :

PePe avatar

I want to avoid having devs to be able to run atlantis plan against prod and getting those errors in the comments

PePe avatar

since the atlantis servers are separated is not a security concern

PePe avatar

is just more annoying that anything

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

you are talking about two diff things. If you run those atlantis plan xxxxxxxx commands manually, then it should run only the workflow specified in the command (prod or staging)

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

for the autoplan, enable it, then make each autoplan (prod and staging) depend on diff tfvars files

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
    autoplan:
      when_modified:
        - "*.tf"
        - "prod.tfvars"
      enabled: true

    autoplan:
      when_modified:
        - "*.tf"
        - "staging.tfvars"
      enabled: true
Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

in this case, if you update the module(s), both autoplans will run and show the changes

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

if you update the settings for e.g. staging, only the staging autoplan will run

PePe avatar

I prefer to run autoplan manually than automatically but I will try this

PePe avatar

do you know if the when_modified array is like an AND for every item ?

PePe avatar

like *.tf AND prod.tfvars need to change for it to trigger ?

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

It’s OR

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

If you modify the code, then *.tf will trigger both

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

If you modify settings for one environment, only one should trigger

PePe avatar

ok I see

PePe avatar

thanks a lot

PePe avatar

well, yesterday I realize how stupid I’m and why I never thought about having two separated atlantis-repo-config.yaml files, one for the altantis in prod, one for the atlantis in staging

PePe avatar

that will solve this issue

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

that’s a good idea

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

each one could be configured and allowed to do only specific things

PePe avatar

exactly

PePe avatar

and I can still do the specific files so that it does not comment back to the repo saying that that project does not exist

PePe avatar

etc

zeid.derhally avatar
zeid.derhally

This is what we do, we have Atlantis look for a configuration file that matches the env name. We have a patched version of Atlantis that does this. We still get the extra status checks showing up in the PR, but I think some of that is fixed in the latest version of Atlantis

PePe avatar

if you use a WAF rule you can avoid the calls from github to altantis base on some text in the payload post from the webhook but if you can deal with the extra status then that is cheaper

PePe avatar

I saw a delete old messages option or something in the new version

zeid.derhally avatar
zeid.derhally

They added the –silence-vcs-status-no-plans flag that silences VCS commit status when autoplan finds no projects to plan

zeid.derhally avatar
zeid.derhally

Haven’t tried it yet

PePe avatar

can you share your repo and altantis yaml ?

PePe avatar

I mean a piece of it

PePe avatar

ohh but you said you have a patched version, what patches do you have ?

zeid.derhally avatar
zeid.derhally

to support different Atlantis configs was a quick hack. We set an env variable that tells Atlantis what config file to load

zeid.derhally avatar
zeid.derhally

So in the repo we have 3 Atlantis config files, prod.yaml dev.yaml sandbox.yaml.

PePe avatar

ahhh ok I know the feature request you are altking

PePe avatar

that it never got merged

zeid.derhally avatar
zeid.derhally

Yeah, that PR did it the better way but it requires lots of changes. Ours is like 5 lines of code

zeid.derhally avatar
zeid.derhally

We were thinking of reimplementing that PR and submitting it again

PePe avatar

can you share the code ?

zeid.derhally avatar
zeid.derhally
mediwareinc/atlantis-1

Terraform Pull Request Automation. Contribute to mediwareinc/atlantis-1 development by creating an account on GitHub.

zeid.derhally avatar
zeid.derhally

It’s in the multi-env branch

zeid.derhally avatar
zeid.derhally
Allow setting env var to override atlantis.yaml name · mediwareinc/[email protected]

Terraform Pull Request Automation. Contribute to mediwareinc/atlantis-1 development by creating an account on GitHub.

PePe avatar

NO Fing way……..

PePe avatar

how can someone deny to merge that?

PePe avatar

if you create the pull request and starts huge discussion and it takes months to merge, I will just flip the table

zeid.derhally avatar
zeid.derhally

I think that PR you linked should have been included, not sure why they rejected it

PePe avatar

but you solution is totally valid too

PePe avatar

for people that can deploy multiple altlantis

zeid.derhally avatar
zeid.derhally

We are going to update to the latest Atlantis next week and try our change with the –silence-vcs-status-no-plans flag

zeid.derhally avatar
zeid.derhally

But ultimately would like to get something submitted back to atlantis

PePe avatar

I’m kinda concern with the project because both guys work for hashicorp

PePe avatar

basically getting pay to have a conflict of interest

PePe avatar

they should hand over the project

RB avatar

So I think I came up with a way to authenticate github users specific for terraform applies using a file in /home/atlantis/users with 444 permissions.

https://github.com/nitrocode/atlantis

questions:

  1. how do i restrict the atlantis user in the docker container to ONLY be able to read the file and NOT append the file2. i am whitelisting repos that have access to atlantis plans. on top of that, how do i only allow repo level workflow overrides for a subset of the whitelisted repos?
  2. is there a way to perform a different function if a specific tf resource is detected ?
  3. using a custom workflow, can I use the @ sign to tag specific people ?
nitrocode/atlantis

Basic terraform cicd setup using atlantis. Contribute to nitrocode/atlantis development by creating an account on GitHub.

RB avatar

For 1) I tested it locally using docker run --user atlantis -it 2febd567f15e bash after chowning to root:atlantis which allowed reading users but not writing / appending

nitrocode/atlantis

Basic terraform cicd setup using atlantis. Contribute to nitrocode/atlantis development by creating an account on GitHub.

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

atlantis has a global config file. It does not answer all the questions or allow you to config everything you asked, but might help

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

\# <https://www.runatlantis.io/docs/configuring-atlantis.html>

\# <https://www.runatlantis.io/docs/server-configuration.html>

\# <https://www.runatlantis.io/docs/server-side-repo-config.html>

\# <https://www.runatlantis.io/docs/repo-level-atlantis-yaml.html>


\# repos lists the config for specific repos
repos:
  # id can either be an exact repo ID or a regex.
  # If using a regex, it must start and end with a slash
  # Repo ID's are of the form {VCS hostname}/{org}/{repo name}
  - id: [github.com/xxxxxxx/yyyyyyyyy](http://github\.com/xxxxxxx/yyyyyyyyy)

    # apply_requirements sets the Apply Requirements for all repos that match
    apply_requirements: [approved]

    # allowed_overrides specifies which keys can be overridden by this repo in
    # its atlantis.yaml file
    allowed_overrides: [apply_requirements, workflow]

    # allow_custom_workflows defines whether this repo can define its own
    # workflows. If false (default), the repo can only use server-side defined workflows
    allow_custom_workflows: true
:--1:1

2020-05-03

PePe avatar

@ I was deploying and enabling for the first time Atlantis for our team and and when I was testing I realize of a somewhat huge problem!!!, my repos are like terraform-team-rds and we define the environments by .tfvars files and then we call -var-file and that is how we can initialize the environments so if the sam repo for all environments so if I deploy another atlantis in the prod account then the repo is going to have two webhooks so it will receive from the same events plan or apply` commands and then both atlantis server will populate the PR, one with a successful run and the other one with a incomplete run, which is far from ideal since the PR will get polluted

PePe avatar

So there is I think two ways to do this : one is to maybe set a webhook that only send events on releases for prod and then do apply but I have no idea if that will work and the other way it costs $6 bucks a month and is to use WAF to parse the POST payload of the webhook and look form something and block it if it does not contain that magic word, that in my case I set it up to be environment: staging

PePe avatar

after doing this the staging atlantis only received the events that need to process

PePe avatar

not the best solution but it was very easy to setup, if atlantis could deal with this will be ideal

PePe avatar

having to move to having modules per environment will not be fun

Padarn avatar
Padarn

By this do you mean a repo per environment?

PePe avatar

yes

PePe avatar

so that each repo have it’s own webhook

PePe avatar

and the amount of repos will be crazy

Padarn avatar
Padarn

This is a good point (I hadn’t worked on this in the weekend). I am using gitlab, and there is one possible simple solution: https://gitlab.com/gitlab-org/gitlab-foss/-/merge_requests/19513. It Is possible to filter webhooks based on the branch

Filter web hooks by branch (!19513) · Merge Requests · GitLab.org / GitLab FOSS

What does this MR do? Allow for filtering of project webhooks by branch as requested per https://gitlab.com/gitlab-org/gitlab-ce/issues/20338 Scope: - ability to specify a single branch name in a form…

Padarn avatar
Padarn

but, it seems like (from what I can see) this only filters for “push events” with is not ideal

PePe avatar

push events and not comments

PePe avatar

mmmm

Padarn avatar
Padarn
Repo Level atlantis.yaml Config | Atlantis

Atlantis: Terraform Pull Request Automation

PePe avatar

i do that already

Repo Level atlantis.yaml Config | Atlantis

Atlantis: Terraform Pull Request Automation

PePe avatar
staging-us-east-2:
    plan:
      steps:
      - run: rm -rf .terraform
      - init:
          extra_args: [-backend-config=staging-backend-us-east-2.tfvars]
      - plan:
          extra_args: [-var-file=staging-us-east-2.tfvars]
Padarn avatar
Padarn

what if you add something like :

autoplan:
    when_modified: ["*[stg.tf>", "../modules/**<http://stg.tf|stg.tf](http://stg\.tf)"]
PePe avatar

ahhhhhhh…..

PePe avatar

I missed that

Padarn avatar
Padarn

not totally sure this will work, but may do

PePe avatar

yes, that could work too

PePe avatar

but in my case I will still have two webhooks

Padarn avatar
Padarn

right, but one of them may not actually trigger anything

PePe avatar

correct

Padarn avatar
Padarn

(hopefully)

Padarn avatar
Padarn

I wonder if there is a way to do something like assume role before the different workflows

Padarn avatar
Padarn

that would simplify this

PePe avatar

you could run aws-vault in the init step

PePe avatar

and apply step

Padarn avatar
Padarn

ah yeah.. that might be enough

PePe avatar

like the way they show to run Terragrunt and custom workflows

Padarn avatar
Padarn

I think what I’m going to try later today (I’m in Singapore, so guessing not the same time zone) is one atlantis with assume roles for env

PePe avatar

you will need to package aws-vault plus .aws config dir in the container

Padarn avatar
Padarn

where do you run atlantis btw? on fargate?

PePe avatar

Fargate

:--1:1
Padarn avatar
Padarn

you could define a workflow only for staging for your staging intance

Padarn avatar
Padarn

but this setup is getting pretty messy

PePe avatar

@Erik Osterman (Cloud Posse) is this still in the cloudposse fork https://github.com/runatlantis/atlantis/pull/310

Adds support for specifying the atlantis.yaml filename on the server side by darrylb-github · Pull Request #310 · runatlantis/atlantis

This allows setting different configs for different instances of atlantis, which is useful when wanting to run different servers for production and staging. Our use case is to have separate product…

PePe avatar

Looks like now that this guys are in hashicorp, they are not so willing to improve Atlantis

Adds support for specifying the atlantis.yaml filename on the server side by darrylb-github · Pull Request #310 · runatlantis/atlantis

This allows setting different configs for different instances of atlantis, which is useful when wanting to run different servers for production and staging. Our use case is to have separate product…

Padarn avatar
Padarn

hmm thats a shame

Padarn avatar
Padarn

what is in the fork that you need not existing in the main branch?

PePe avatar

Github group whitelist

PePe avatar

I don’t know if it works for gitlab

PePe avatar

Basically only certain groups can do apply

Padarn avatar
Padarn

Ah okay. Yeah I’m going with the fargate setup currently. but some minor blockers around getting my config to work

Padarn avatar
Padarn

was planning on just using codeowners for that

PePe avatar

Github does not have code owners I believe

PePe avatar
Question: Multiple Atlantis Servers · Issue #653 · runatlantis/atlantis

We’d like to use multiple Altantis servers, with each running local to its provider’s resources. The problem with this (design 1) is that both Atlantis servers would respond to the webhooks receive…

PePe avatar

it was abandon

Padarn avatar
Padarn

Oh … sad

Padarn avatar
Padarn

Wondering if there is any real alternative

Padarn avatar
Padarn

(except terraform enterprise)

PePe avatar

atlantis have like 300 forks

PePe avatar

I guess a lot of people have think some options are lacking..

Padarn avatar
Padarn

Padarn avatar
Padarn

either the Atlantis devs have really dropped the ball here or people just don’t understand open source

PePe avatar

lol

2020-05-01

Padarn avatar
Padarn

Hi guys - I’m wondering if anyone has advice for setting up an Atlantis to manage multiple environments (dev/stg/prd) within the same AWS account (cannot split them unfortunately): Unclear to me right now how to manage permissions for users so the environments are isolated (based on AWS)

PePe avatar

interesting

PePe avatar

I just set it up for one account per environment

PePe avatar

but the catch is that the TF repo is for both envs, stage and prod

PePe avatar

so I started freaking out when I realize that people can access the prod state but….it was not possible since the S3 bucket lives in another account

PePe avatar

so in your case is a bit harder

PePe avatar

you could deploy 3 different atlantis with 3 different web hooks and 3 different repos

PePe avatar

and then by instance profile restrict which remote state they can use

PePe avatar

I’m assuming you are using remote state

PePe avatar

otherwise restricting using the githib groups could be another way but that is on the clouposse repo

PePe avatar

is a fork of atlantis

PePe avatar

then you can name a team that can run the apply

PePe avatar

and only that team can do it

Padarn avatar
Padarn

When I looked at the clouposse module it looked like it did not support gitlab, am I wrong in thinking that?

Padarn avatar
Padarn

generally your idea of 3 Atlantis makes sense - the only drawback of this is not having a clear way to actually write an instance profile that can’t touch prd resources

Padarn avatar
Padarn

the state yes, but I guess you could manually import a prd instance then destroy it?

Padarn avatar
Padarn
Using Tags with IAM Policies - AWS IoT

You can apply tag-based resource-level permissions in the IAM policies you use for AWS IoT API actions. This gives you better control over what resources a user can create, modify, or use. You use the Condition element (also called the Condition

PePe avatar

I haver seen that

PePe avatar

you could do TAG base access

PePe avatar
Simplify granting access to your AWS resources by using tags on AWS IAM users and roles | Amazon Web Services attachment image

Recently, AWS enabled tags on IAM principals (users and roles). The main benefit of this new feature is that you’ll be able to author a single policy to grant access to individual resources and you’ll no longer need to update your policies for each new resource that you add. In other words, you can now […]

PePe avatar

ABACs are called

PePe avatar

Attribute base access

Padarn avatar
Padarn

Oh nice.. that seems like quite a good solution

PePe avatar

are they in different VPCs ?

Padarn avatar
Padarn

yes.. we’ve done what we can with the one account restriction

Padarn avatar
Padarn

do you have a specific reference for the cloudposse groups approach, not clear to me from their github repo what they’ve done in the fork

PePe avatar

one sec

PePe avatar

We have the same setup where we have an Atlantis in each account. For accounts that handle multiple environments we went with separate directories and try to follow a strict process of only making changes in one environment in a given PR.

PePe avatar
Add `gh-team-whitelist` command line argument (#30) · cloudposse/[email protected]
  • Add .travis.yml * Add gh-team-whitelist command line argument * Add gh-team-whitelist command line argument * Make description line length shorter than 120 chars * Make descript…
Padarn avatar
Padarn

awesome, tanks a bunch

Padarn avatar
Padarn

I’ll go through in detail

Padarn avatar
Padarn

thanks a lot for the help, will let you know how I get on

PePe avatar

no problem, I hope this help

    keyboard_arrow_up