#atlantis (2020-08)
Discuss Atlantis (http://runatlantis.io) |
**Archive:** https://archive.sweetops.com/atlantis/
2020-08-09

has anyone used atlantis 0.14.0’s feature to turn atlantis into a bot instead of using a github user?

can you elaborate?

https://github.com/runatlantis/atlantis/blob/master/CHANGELOG.md
shows that you can now install atlantis as a github app
see: https://www.runatlantis.io/docs/access-credentials.html#github-app

I’ve installed it as an app and now I’m integrating the pem into the dockerfile. wish it was easier to set up by passing the pem as a string in an environment variable

oof… I keep getting bad credentials from atlantis now

I got it to work! woo. another pita
https://github.com/terraform-aws-modules/terraform-aws-atlantis/issues/147

ohhh cool, I wanted to test this too, how hard was it?

any tricks?

See that issue. It was difficult to set up cause that module doesn’t support it

I tried to put in as much information as possible to make it clear what could be done to update the module to make it easier

I use the cloudposse module but it’s definitely applicable

thanks for the info
2020-08-10
2020-08-14

I’m a huge fan of Atlantis and have implemented and used it to great success in the last 2 companies I’ve worked for.
I’ve just started at a new company where things are a bit messy; multiple terraform repos, 2 different home-made ‘wrappers’ similar to terragrunt, with some changes being made through a Jenkins pipeline and some made from engineers’ laptops (all with remote state).
I thought this would be a good chance to see what other people are doing before I go down the path of demoing and discussing what Atlantis can do.
Does anybody have any blogs/videos/slides/ideas about alternatives for Terraform deployment? Thanks!

Oof. I went down this road recently by trying to sell just terraform CI/CD. Once I sold people on that idea, that’s when I brought up atlantis.

I still can’t get them to allow atlantis applies tho so people still do applies locally but at least the plans are in github prs as comments

I feel bad for you @RB that sounds tough.
I’m lucky that I don’t need to sell the idea, they are very much on board with CI/CD. I just need to improve the process. There are varying levels of terraform experience and different engineering teams are each free to do their own thing, which will make it harder and harder to give support over time.
My intention is to make the test and deployment my team does as simple and smart as possible so that we can offer it to our other engineering teams and they’ll want to use it over their own custom creations.

No need to feel bad haha. I’m slowly getting them to embrace the applies by showing them how it brings value in specific repos. Soon I’ll be able to release it across the org. At least, that’s the dream

Yep same here. Eng teams are free to do whatever. What ends up happening is a lot of copy pasta and lack of consistency

I like your idea of a poc and then showing it to your company. I’m sure that will turn heads and people will hopefully gravitate to the path of least resistance

what version did you use the last time @Andrew Mackett?

atlantis 0.14 has some cool new features that you might want to take advantage of

I have a fork of it with some features to make it work with multiple atlantis for the same repo etc if you have a need for that

@jose.amengual That’s a good question and I cannot remember the answer. Looking at the change log I suspect it was 0.11 or 0.12.
I just noticed the --hide-prev-plan-comments flag in 0.12 - that would have been so useful! Cannot believe I missed that!
The atlantis unlock command in 0.14 is another feature I’d been missing.

Previously I had CircleCI running checks like terraform validate and terraform fmt before Atlantis would be able to apply.
Does anybody do that with a custom workflow in Atlantis? My current thinking is that if I’m going to use something like CircleCI to run tests, it’s probably not much more effort to do the plan and apply there as well.

I guess you can even do this with github actions but Atlantis gives you more features
2020-08-15
2020-08-16

Hey all, I’ve just deployed atlantis in fargate using the module. What do I need to do exactly to allow fargate to assume the role in my TF code?

assume role into another account ?

Same account, doing a POC for now.

The below is from my PR. I gave the ECS task role the admin access policy to get things working. According to policy simulator, the ECS role can assume ROLE_NAME in the below.
Error: error configuring Terraform AWS Provider: IAM Role (arn:aws:iam::ACCOUNT:role/ROLE_NAME) cannot be assumed.
There are a number of possible causes of this - the most common are:
* The credentials used in order to assume the role are invalid
* The credentials do not have appropriate permission to assume the role
* The role ARN is not valid
Error: NoCredentialProviders: no valid providers in chain. Deprecated.
For verbose messaging see aws.Config.CredentialsChainVerboseErrors

What about if the instance profile is not used? I have the same issue on a K8s Pod (I’m trying to avoid the node’s instance profile, replacing it with a ServiceAccount IAM role to assume) but it won’t work.

¯\_(ツ)_/¯

I don’t remember anymore sorry

Ah, if you’re not using instance profile, you need to provide a role arn to assume I believe
2020-08-17

in the same account it does not have to assume role, it uses an instance profile

so you do not need to provide a role arn

Cool, that worked! Thanks

np
2020-08-25

anyone got oidc working with atlantis on an aws alb? we’re using okta with the following settings
issuer = "https://company.okta.com/"
token_endpoint = "https://company.okta.com/oauth2/default/v1/token"
user_info_endpoint = "https://company.okta.com/oauth2/default/v1/userinfo"
authorization_endpoint = "https://company.okta.com/oauth2/default/v1/authorize"
authentication_request_extra_params = {}
is this correct? we created a Web integration with OpenID Connect to get a client_id and client_secret
and
allow_unauthenticated_access = true
allow_github_webhooks = true

we’re using okta fyi

I don’t know if that is correct but please let us know if you figure it. We are using okta as well


looks pretty handy. hoping to get it solved by today.

this worked for me
alb_authenticate_oidc = {
issuer = "${local.oidc_base_url}"
token_endpoint = "${local.oidc_base_url}/oauth2/v1/token"
authorization_endpoint = "${local.oidc_base_url}/oauth2/v1/authorize"
user_info_endpoint = "${local.oidc_base_url}/oauth2/v1/userinfo"
authentication_request_extra_params = {}
client_id = ""
client_secret = ""
on_unauthenticated_request = "authenticate"
session_timeout = 300
}
where oidc_base_url = "https://youraccountname.okta.com"

how does this work with the github webhook events?

# allow unauthenticated access from github
# This adds an additional listener rule to bypass the oidc authentication above
allow_unauthenticated_access = true
allow_github_webhooks = true
2020-08-26

Hi all, I am using this module https://registry.terraform.io/modules/terraform-aws-modules/atlantis/aws/2.23.0 thanks to @antonbabenko, for setting up Atlantis with Gitlab. It works fine when the load balancer is external, but as soon as I change it to be internal it is not reachable from the internet and therefore from the Gitlab servers. Do you know if this module supports this, or what I can do to be able to use the internal ALB and still be reachable from the gitlab servers / the internet? Many thanks in advance.

You can use external NLB and put some:
to filter only traffic coming from gitlab

ah wait sorry, it’s not kubernetes

nevermind
2020-08-27
2020-08-28

Does anybody have a solution for deleting projects via Atlantis, once the pull request is open (which deletes a bunch of files)?
Background:
I am using terragrunt and each directory represents a project which creates various resources. If I delete this directory and create a pull request, Atlantis obviously isn’t able to do a terraform/terragrunt destroy on those, as the directories don’t exist anymore.

you could run a custom workflow step that you run before deleting files

and you can run multiple commands including terraform destroy

you just can’t delete files without cleaning resources from the state

@jose.amengual is right, that once the files are gone, it’s not going to work easily to destroy since the files are needed to know what to destroy :smiley:
instead, open a no-op PR, and run something like atlantis plan -destroy

@Erik Osterman (Cloud Posse) @jose.amengual how would I define this in atlantis.yaml. I’ve searched their online documentation and did not find any key for destroy to hook in.

You don’t define it in the yaml, it’s an arg you pass when you run the chatops.


also, others say they have trouble using it with terragrunt


Thanks for the info

is this already hidden somewhere in the documentation?

interesting comments
2020-08-31

if anyone uses the terraform-aws-atlantis module to launch atlantis in fargate, does anyone have interest in turning atlantis into a github bot instead of a github user?
I wrote up this PR and am hoping to get more reviews / upvotes if possible
https://github.com/terraform-aws-modules/terraform-aws-atlantis/pull/151

How would this work when you need to have one Atlantis per account?

One atlantis per account? I guess my question is, why wouldn’t you have a single Atlantis that has permissions to assume a role in multiple accounts?

But if you already have one Atlantis per account, then I suppose you’d require an atlantis bot per account

Btw the above pr would allow for either a github user or bot. It maintains backwards compatibility with the current module.

It’s one GitHub bot account but we do one Atlantis per account for security reasons

Ah I see. Interesting use case

I have the same use case as you @zeid.derhally and I will be working on this in about a week

I already have multiple Atlantis and now I want to set up the github bot as @RB did so we will see how it goes

My change just got merged so feel free to try it out. Reach out if you hit any snags

awesome