#atlantis (2021-02)
Discuss the Atlantis (http://runatlantis.io)
**Archive:** https://archive.sweetops.com/atlantis/
2021-02-03
woops. i posted in #terraform when I meant to post here.
https://sweetops.slack.com/archives/CB6GHNLG0/p1612364483242900
how does one set the `required_version` to be picked up automatically by atlantis for 0.13 or 0.14 ?
2021-02-05
Atlantis integration for Infracost. Shows cloud cost estimates for Terraform in pull requests. - infracost/infracost-atlantis
Nice one @jose.amengual
Atlantis release is coming today or monday
do you have a changelog yet @jose.amengual would be interested in having a read as i will defo be upgrading
we will publish one
is not yet published
so i have this `atlantis.yaml` in my repo with allow repo configs enabled
```yaml
version: 3
projects:
- name: iam
  dir: aws_accounts/account_a/iam
  terraform_version: v0.14.6
```
I have like 50 modules in my repo and none of them work except for aws_accounts/account_a/iam
how do i set a default workflow for all directories except for the ones specified in my atlantis.yaml
maybe this ?
Atlantis: Terraform Pull Request Automation
not for autoplan but same idea
if it comes with streaming the run to comments the devs in my company are going to love this release
hmm i have that set in my repos.yaml file
```yaml
# https://www.runatlantis.io/docs/server-configuration.html#repo-config-json
repos:
# apply config to repos matching this regex
- id: /.*/
  # allow repo level configs to override the following per project
  allowed_overrides:
  - apply_requirements
  - workflow
  # `terraform apply` requires the PR to be the following.
  # commented out since applies are commented out
  #apply_requirements:
  # - approved
  # # - mergeable
  workflow: default
```
but it seems like my repo `atlantis.yaml` supplants the `/.*/` workflow
it could
it is last match
no i mean, the repo `atlantis.yaml` file seems to completely supplant the `repos.yaml` file on the server
so if i codify `aws_accounts/account_a/iam` that will use the custom `atlantis.yaml` in my repo
but if i dont codify say `secrets` dir in that same repo, the `repos.yaml` will not use its `/.*/` default repo workflow
does that make sense ?
so basically i have to choose betw the `repos.yaml` on my server and my `atlantis.yaml` in my repo instead of having a default set in `atlantis.yaml` if a directory is not codified in `repos.yaml`
server config overwrite repo config only if is allowed in the server side
not sure i follow
you kinda have to have a default and then a specific repo setting
but don’t i already have a default set ?
what do i need to add ?
allowed_overrides: []
that will now allow repos to set those settings
what happens if you do atlantis plan -d aws_accounts/account_a/iam -d aws_accounts/account_a/sgs -d aws_accounts/account_a/pepesucks
does that work?
wait but i want repos to be able to override the workflow
(lol at your example command btw)
ya if i comment on the PR with a manual `atlantis plan -d dir_path` then it works correctly
but not the best UX. I’d prefer if the default is `/.*/` w/o having to run it manually
I think this is not implemented on atlantis
ahh! ok so im not crazy
i thought i was doing something wrong
and if you do *.tf it will pick every single module
you do not have !/pepe/*.tf
lol i did try that a while back and it planned EVERYTHING
you can create a pr to atlantis
my github PR was insanely commented hahaha
im gonna have to learn how to locally dev atlantis
do you folks have docs on that ?
not really
ah please add them cause i am so confused how to dev it
I use dlv to run atlantis and ngrok for the webhook
if you work with me on setting up a local dev env, id write up the tech docs for it and contrib to atlantis
im not free this week but ill be free next week if youre down
go 1.15 DLV VScode
2021-02-08
Description: Few improvements and a number of bug fixes. Features/Improvements: Add --gh-app-slug which allows fetching of gh app user. (#1334 by @nishkrishnan) (Also fixes #1161) Add --disable-repo-…
2021-02-09
2021-02-17
Anyone know/recommend a terraform module for deploying atlantis to GCP
2021-02-18
Hi everybody, I’d like to use Terraform cross-account, without having the assume_role block in provider and backend. With terragrunt that was easily solved by using --terragrunt-iam-role in the cmdline of the apply/plan steps.
I have state buckets in every account separately.
What would now be the best way forward ?
We deploy an Atlantis into each AWS account and each atlantis is configured to only listen to certain repos. There is a cost to this in both maintaining a service and $$ for running it. If you have a lot of accounts this can add up, but it is more secure. But it is probably still cheaper than paying for one of those SaaS options
Can still use Terragrunt with Atlantis…
i can dream
i’ll try and use aws sts to assume , see if that works
I use terragrunt + a single atlantis server that assumes roles cross-account and it works great. If done with fine-grained IAM roles the security model is still quite nice.
If you just want to not assume roles locally though you can set up different profiles using aws-vault and run commands like `aws-vault exec some_profile -- terraform apply`.
terragrunt + a single atlantis server < snap
assumes roles into other accounts
what atlantis runs is exactly what users run from local
I have a solution now, but what you are suggesting can be done without terragrunt.hcl ?
It’s a project which I need to dumb down a bit for the target group, flat structures, no workspaces, no tricks, so duplicated vars. Also the reason that I’m not using terragrunt as it’s another thing..
2021-02-22
@jose.amengual Are ya’ll gonna cut a release of Atlantis since merging the OPA stuff?
The policy checks will be released as a pre-release for people to try
Awesome! Any idea when that will be?
Thanks!
Awesome, thanks man
2021-02-24
Feature release. Due to a sizeable refactor and the number of configuration settings supported in Atlantis, this is a pre-release and should not be considered fully stable. Features: Add --enable-p…
@joshmyers ^