#atlantis (2020-08)


Discuss the Atlantis (<http://runatlantis.io>)

**Archive:** https://archive.sweetops.com/atlantis/


RB

has anyone used atlantis 0.14.0’s feature to turn atlantis into a bot instead of using a github user ?

Erik Osterman (Cloud Posse)

can you elaborate?

RB

I’ve installed it as an app and now integrating the pem into the dockerfile. wish it was easier to set up by passing the pem as a string in the environment variable

RB

oof… i keep getting bad credentials from atlantis now

RB
Using version 0.14.0, atlantis bot instead of a github user · Issue #147 · terraform-aws-modules/terraform-aws-atlantis

I started this ticket because I was struggling to get this to work. I finally did get this to work and rewrote the issue to try to make this easier using the module… I'd like to use an atlant…

jose.amengual

ohhh cool, I wanted to test this too, how hard was it?

jose.amengual

any tricks?

RB

See that issue. It was difficult to set up cause that module doesn’t support it

RB

I tried to put in as much information as possible to make it clear what could be done to update the module to make it easier

jose.amengual

I use the cloudposse module but it is definitely applicable

jose.amengual

thanks for the info



Andrew Mackett

I’m a huge fan of Atlantis and have implemented and used it to great success in the last 2 companies I’ve worked for.

I’ve just started at a new company where things are a bit messy; multiple terraform repos, 2 different home made ‘wrappers’ similar to terragrunt, with some changes being made through Jenkins pipeline and some made from engineers’ laptops (all with remote state).

I thought this would be a good chance to see what other people are doing before I go down the path of demoing and discussing what Atlantis can do.

Does anybody have any blogs/videos/slides/ideas about alternatives for Terraform deployment? Thanks!

RB

Oof. I went down this road recently by trying to sell just terraform cicd. Once i sold people on that idea, that’s when i brought up atlantis.

RB

I still can’t get them to allow atlantis applies tho so people still do applies locally but at least the plans are in github prs as comments

Andrew Mackett

I feel bad for you @RB that sounds tough.

I’m lucky that I don’t need to sell the idea, they are very much on board with CI/CD. I just need to improve the process. There are varying levels of terraform experience and different engineering teams are each free to do their own thing, which will make it harder and harder to give support over time.

My intention is to make the test and deployment my team does as simple and smart as possible so that we can offer it to our other engineering teams and they’ll want to use it over their own custom creations.

RB

No need to feel bad haha. I’m slowly getting them to embrace the applies by showing them how it brings value in specific repos. Soon I’ll be able to release it across the org. At least, that’s the dream

RB

Yep same here. Eng teams are free to do whatever. What ends up happening is a lot of copy pasta and lack of consistencies

RB

I like your idea of a poc and then showing it to your company. I’m sure that will turn heads and people will hopefully gravitate to the path of least resistance

jose.amengual

what version did you use the last time @Andrew Mackett?

jose.amengual

0.14 atlantis has some cool new features that you might want to take advantage of

jose.amengual

I have a fork of it with some features to make it work with multiple atlantis for the same repo etc if you have a need for that

Andrew Mackett

@jose.amengual That’s a good question and I cannot remember the answer. Looking at the change log I suspect it was 0.11 or 0.12.

I just noticed the --hide-prev-plan-comments flag in 0.12 - that would have been so useful! Cannot believe I missed that!

The atlantis unlock command in 0.14 is another feature I’d been missing.

Andrew Mackett

Previously I had CircleCI running checks like terraform validate and terraform fmt before Atlantis would be able to apply.

Does anybody do that with a custom workflow in Atlantis? My current thinking is that if I’m going to use something like CircleCI to run tests, it’s probably not much more effort to do the plan and apply there as well.

jose.amengual

I guess you can even do this with github actions but Atlantis gives you more features



Sean Turner

Hey all, I’ve just deployed atlantis in fargate using the module. What do I need to do exactly to allow fargate to assume the role in my TF code?

jose.amengual

assume role into another account ?

Sean Turner

Same account, doing a POC for now.

Sean Turner

The below is from my PR. I gave the ECS task role the admin access policy to get things working. According to policy simulator, the ECS role can assume ROLE_NAME in the below.

    Error: error configuring Terraform AWS Provider: IAM Role (arn:aws:iam::ACCOUNT:role/ROLE_NAME) cannot be assumed.

    There are a number of possible causes of this - the most common are:
      * The credentials used in order to assume the role are invalid
      * The credentials do not have appropriate permission to assume the role
      * The role ARN is not valid

    Error: NoCredentialProviders: no valid providers in chain. Deprecated.
    	For verbose messaging see aws.Config.CredentialsChainVerboseErrors

kexue.wang

How about if not using the instance profile? I have the same issue on K8s Pod. (instance profile of Node profile I’m trying to avoid, replaced as ServiceAccountIAM to assume) but it won’t work.

Sean Turner

I don’t remember anymore sorry

Sean Turner

Ah, if you’re not using instance profile, you need to provide a role arn to assume I believe


jose.amengual

in the same account it does not have to assume role, it uses an instance profile

jose.amengual

so you do not need to provide a role arn

Sean Turner

Cool, that worked! Thanks


RB

anyone got oidc working with atlantis on an aws alb ? we’re using okta with the following settings

    issuer                              = "https://company.okta.com/"
    token_endpoint                      = "https://company.okta.com/oauth2/default/v1/token"
    user_info_endpoint                  = "https://company.okta.com/oauth2/default/v1/userinfo"
    authorization_endpoint              = "https://company.okta.com/oauth2/default/v1/authorize"
    authentication_request_extra_params = {}

is this correct ? we created a Web integration with OpenID Connect to get a client_id and client_secret


    allow_unauthenticated_access = true
    allow_github_webhooks        = true

RB

we’re using okta fyi

zeid.derhally

I don’t know if that is correct but please let us know if you figure it out. We are using okta as well

RB

looks pretty handy. hoping to get it solved by today.

RB

this worked for me

    alb_authenticate_oidc = {
      issuer                              = "${local.oidc_base_url}"
      token_endpoint                      = "${local.oidc_base_url}/oauth2/v1/token"
      authorization_endpoint              = "${local.oidc_base_url}/oauth2/v1/authorize"
      user_info_endpoint                  = "${local.oidc_base_url}/oauth2/v1/userinfo"
      authentication_request_extra_params = {}
      client_id                           = ""
      client_secret                       = ""
      on_unauthenticated_request          = "authenticate"
      session_timeout                     = 300
    }

where oidc_base_url = "https://youraccountname.okta.com"

zeid.derhally

how does this work with the github webhook events?

RB

    # allow unauthenticated access from github
    # This adds an additional listener rule to bypass the oidc authentication above
    allow_unauthenticated_access = true
    allow_github_webhooks        = true


Adrian Navarrete
02:56:49 PM

Hi all, I am using this module https://registry.terraform.io/modules/terraform-aws-modules/atlantis/aws/2.23.0 thanks to @antonbabenko, for setting up Atlantis with Gitlab, it works fine when the load balancer is external, but as soon as I change it to be internal it is not reachable from the internet and therefore from Gitlab servers. Do you know if this module supports or what I can do for being able to use the internal ALB and being reachable from gitlab servers / the internet ? Many thanks in advance.

nutellinoit

You can use external NLB and put some:

nutellinoit

to filter only traffic coming from gitlab

nutellinoit

ah wait sorry, it’s not kubernetes


cytopia

Does anybody have a solution for deleting projects via Atlantis, once the pull request is open (which deletes a bunch of files)?

Background: I am using terragrunt and each directory represents a project which creates various resources. If I am deleting this directory and create a pull request, Atlantis obviously isn’t able to do a terraform/terragrunt destroy on those, as the directories don’t exist anymore.

jose.amengual

you could run a custom workflow step that you run before deleting files

jose.amengual

and you can run multiple commands including terraform destroy

jose.amengual

you just can’t delete files without cleaning resources from the state

Erik Osterman (Cloud Posse)
05:34:47 AM

@jose.amengual is right, that once the files are gone, it’s not going to work easily to destroy since the files are needed to know what to destroy :smiley:

instead, open a no-op PR, and run something like atlantis plan -destroy

cytopia

@Erik Osterman (Cloud Posse) @jose.amengual how would I define this in atlantis.yaml. I’ve searched their online documentation and did not find any key for destroy to hook in.

Erik Osterman (Cloud Posse)

You don’t define it in the yaml, it’s an arg you pass when you run the chatops.

Erik Osterman (Cloud Posse)

also, others say they have trouble using it with terragrunt

cytopia

Thanks for the info

jose.amengual
deleting resources via Atlantis · Issue #563 · runatlantis/atlantis

How are people using Atlantis to remove resources? say I deploy resources via Atlantis into my cloud provider, and I now want to manage the full life cycle of that resource. Do I run an Atlantis de…

jose.amengual

interesting comments


RB

if anyone uses the terraform-aws-atlantis module to launch atlantis in fargate, does anyone have interest in turning atlantis into a github bot instead of a github user?

i wrote up this pr and hoping to get more reviews / upvotes if possible


zeid.derhally

How would this work when you need to have one Atlantis per account?

RB

One atlantis per account? I guess my question is, why wouldn’t you have a single Atlantis that has permissions to assume a role in multiple accounts?

RB

But if you already have one Atlantis per account, then i suppose you’d require an atlantis bot per account

RB

Btw the above pr would allow for either a github user or bot. It maintains backwards compatibility with the current module.

zeid.derhally

It’s one GitHub bot account but we do one Atlantis per account for security reasons

RB

Ah i see. Interesting use case

jose.amengual

I have the same use case as you @zeid.derhally and I will be working on this in about a week

jose.amengual

I already have multiple Atlantis and now I want to set up the github bot as @RB did so we will see how it goes

RB

My change just got merged so feel free to try it out. Reach out if you hit any snags

