#atlantis (2021-03)
Discuss the Atlantis (http://runatlantis.io)
**Archive:** https://archive.sweetops.com/atlantis/
2021-03-01

this may be an idiotic idea but does anyone use atlantis to apply terraform changes to itself?

There’s gotta be an XKCD that applies here

yeh i thought as much but just wanted to double check

No

you would be fine on some changes, but it cannot lobotomize itself.


that sounds accurate

Yup, I did that extensively. Worked pretty well with the ECS on Fargate Terraform module

I also manage atlantis in terraform/terragrunt. It works pretty well, as when the terraform applies it just updates my autoscaling group, it doesn’t actually kill my old server.

@Vlad Ionescu (he/him) i use the ECS on Fargate module as well

what module is this?

Terraform configurations for running Atlantis on AWS Fargate. Github, Gitlab and BitBucket are supported - terraform-aws-modules/terraform-aws-atlantis


It’s a great one. I made some very small edits to turn it into an autoscaling EC2 cluster because I can attach more storage, but I’m not sure if fargate ever got around to allowing over 10gb or not

you will be fine until you delete the webhook lol

but I did apply Atlantis to Atlantis

what happens when you delete the webhook?

next apply just will not happen

the webhook or github app is the way Atlantis knows about the changes

gotcha

yeh we don’t delete them

we only add nowadays

Also, there’s conceivably 2 SDLCs here. There’s the module for atlantis, and the docker image for atlantis.

Our terraform-aws-atlantis module handles the latter

@jose.amengual i just tried to delete a webhook and now my terraform plan won’t work

Error: GET <https://gitlab.com/api/v4/projects/redacted/tf-atlantis/hooks/6610588>: 404 {message: 404 Not found}

yes that is because the atlantis user does not have admin rights on the ORG or repo to read and manage webhooks
2021-03-11

hi all, can Atlantis run compatibly with GCP?

since i just saw examples with AWS

2021-03-12

is there any reason that the atlantis image does not ship with jq installed?

considering it’s recommended when using external data sources

For the same reason it doesn’t have aws-cli and other tools you may want, they are optional dependencies that not all may need…like, Atlantis / Terraform don’t require jq. I’d recommend wrapping the upstream Atlantis image with your personal wants

awscli i can understand, but jq is recommended for using external data sources

How is the beta release going? Is there an estimate on when 0.17.0 will be official?

I’d hazard a guess that most users are not using external data sources, and they don’t need jq.

external data sources are a last resort escape hatch, not to be used lightly

i completely agree with what you’re saying

Atlantis is not a build tool so we keep it as small and concise as possible

it is very easy to wrap it around and build your own image

if we add things to it we will end up with PRs to update X or Y which adds more work

@jose.amengual quick question re https://github.com/runatlantis/atlantis/pull/1317 - does it need to go in the server side config? or if we allow repo level config, we can stick in there?
This PR adds policy check workflow into atlantis. It uses conftest to execute policies. At the moment you can only define policies locally and configure them in the server side config. How it works…

I think this is all repo config, there is a PR for docs you can check

Cool, ta

i can’t wait for this to arrive, it’s going to be

Are you using OPA/conftest @Steve Wade (swade1987)?

yes we use it lots

both in CI for our k8s repos as well as inside k8s using gatekeeper

What kinda things for? Anything particularly interesting? We’ve got allowed actions on resource types check, i.e cannot delete a production DDB, checking expected tags are all set on all taggable resources, make sure IAM roles have permissions_boundaries attached…

https://github.com/Scalr/sample-tf-opa-policies

i wrote and maintain https://github.com/swade1987/deprek8ion
Rego policies to monitor Kubernetes APIs deprecations. - swade1987/deprek8ion

Sweet, makes sense

we have a few more at work but they are all private repos

Aye

@jose.amengual did you say before that there was a PR to stream the output of the terraform apply to the PR?

there was yes

i found it, it’s still a PR

but we can’t get people to work on it
2021-03-15

Does anyone know how to put SSO in front of Atlantis (I’m using the fargate tf module)

you can use okta and the application load balancer’s oidc args

the fargate tf module allows inputting those oidc params


We have an XML file for azure SSO, can we leverage that?

looks like it’s possible https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-protocols-oidc
Build web applications by using the Microsoft identity platform implementation of the OpenID Connect authentication protocol.
2021-03-22

how seamless is it to hook infracost into your atlantis workflow?

i know someone is doing it but can’t remember who

couldn’t you just add it to your dockerfile?

then run it?

i didn’t know if https://github.com/infracost/infracost/issues/81#issuecomment-760284137 is the recommended way to do it
Users who want to make IaC CI/CD easier and want to use Atlantis would find this addition very useful. https://www.runatlantis.io/ https://github.com/runatlantis/atlantis

that person is basically installing it in their docker image and creating a new workflow that runs infracost

that’s probably the only way to do it

¯\_(ツ)_/¯

well… from the bottom comment it looks like this is the best way https://github.com/infracost/infracost-atlantis/
Atlantis integration for Infracost. Shows cloud cost estimates for Terraform in pull requests. - infracost/infracost-atlantis

this is the recommended way

is there a way in atlantis (using gitlab) to execute a plan only after all other jobs have completed?

we are getting in a situation where atlantis is trying to auto merge when our pre-commit CI job is still running

I never enabled automerge before

maybe that’s my issue

I do not know gitlab that well, but in github you can do an approvers list etc so that it requires someone to approve before it is merged

yeh we have that

i think the issue might be the auto merge

it could be

Make your precommit check required before merging

Then it’s impossible to merge while it is running
2021-03-26

How are people handling the tf lock file with 0.14 release with Atlantis?

i added it to my gitignore

That works. @loren was talking to me about terraform-bundle as well as an option

Can 0.14 read 0.13 state and vice versa?

tf lock files get committed to source control, terragrunt bubbles them up, so just add as we go

Have been bitten by a few surprises before

0.14 can read 0.13, not the other way around

0.14 forward should be backwards compat IIRC

(although they may have backported)

The issue with the lock files is we don’t want to (plus we won’t remember to) run terraform init constantly for each directory

Also keep in mind that the lock files are architecture dependent

(I see developers running terraform on their Mac workstations and subsequently committing these files, which has no impact since Atlantis is usually running on Linux). Of course using geodesic locally would mitigate that :-)

Good luck I’m running a beast these days (also running from Docker so)

`terraform providers lock -platform=windows_amd64 -platform=darwin_amd64 -platform=linux_amd64` will generate a lock file for all 3 platforms