#atlantis (2021-03)
Discuss Atlantis (https://runatlantis.io)
**Archive:** https://archive.sweetops.com/atlantis/
2021-03-01
this may be an idiotic idea but does anyone use atlantis to apply terraform changes to itself?
There’s gotta be an XKCD that applies here
yeh i thought as much but just wanted to double check
No
you would be fine on some changes, but it cannot lobotomize itself.
that sounds accurate
Yup, I did that extensively. Worked pretty well with the ECS on Fargate Terraform module
I also manage atlantis in terraform/terragrunt. It works pretty well, as when the terraform applies it just updates my autoscaling group, it doesn’t actually kill my old server.
@Vlad Ionescu (he/him) i use the ECS on Fargate module as well
what module is this?
Terraform configurations for running Atlantis on AWS Fargate. Github, Gitlab and BitBucket are supported - terraform-aws-modules/terraform-aws-atlantis
It’s a great one. I made some very small edits to turn it into an autoscaling EC2 cluster because I can attach more storage, but I’m not sure if fargate ever got around to allowing over 10gb or not
you will be fine until you delete the webhook lol
but I did apply Atlantis to Atlantis
what happens when you delete the webhook?
the next apply just will not happen
the webhook or GitHub app is the way Atlantis knows about the changes
gotcha
yeh we don’t delete them
we only add nowadays
Also, there’s conceivably 2 SDLCs here. There’s the module for atlantis, and the docker image for atlantis.
Our terraform-aws-atlantis module handles the latter
@jose.amengual i just tried to delete a webhook and now my terraform plan won't work
`Error: GET https://gitlab.com/api/v4/projects/redacted/tf-atlantis/hooks/6610588: 404 {message: 404 Not found}`
yes that is because the atlantis user does not have admin rights on the ORG or repo to read and manage webhooks
2021-03-11
hi all, is Atlantis compatible with GCP?
since i just saw examples with AWS
2021-03-12
is there any reason that the atlantis image does not ship with jq installed?
considering it's recommended when using external data sources
For the same reason it doesn’t have aws-cli and other tools you may want, they are optional dependencies that not all may need…like, Atlantis / Terraform don’t require jq. I’d recommend wrapping the upstream Atlantis image with your personal wants
awscli
i can understand but jq is recommended for using external data sources
How is the beta release going? Is there an estimate on when 0.17.0 will be official?
I’d hazard a guess that most users are not using external data sources, and they don’t need jq.
external data sources are a last resort escape hatch, not to be used lightly
i completely agree with what you're saying
Atlantis is not a build tool so we keep it as small and concise as possible
it is very easy to wrap it around and build your own image
if we add things to it we will end up with PRs to update X or Y which adds more work
@jose.amengual quick question re https://github.com/runatlantis/atlantis/pull/1317 - does it need to go in the server side config? or if we allow repo level config, we can stick in there?
This PR adds policy check workflow into atlantis. It uses conftest to execute policies. At the moment you can only define policies locally and configure them in the server side config. How it works…
I think this is all repo config, there is a PR for docs you can check
Cool, ta
i can’t wait for this to arrive, it’s going to be
Are you using OPA/conftest @Steve Wade (swade1987)?
yes we use it lots
both in CI for our k8s repos as well as inside k8s using gatekeeper
What kinda things for? Anything particularly interesting? We’ve got allowed actions on resource types check, i.e cannot delete a production DDB, checking expected tags are all set on all taggable resources, make sure IAM roles have permissions_boundaries attached…
Contribute to Scalr/sample-tf-opa-policies development by creating an account on GitHub.
i wrote and maintain https://github.com/swade1987/deprek8ion
Rego policies to monitor Kubernetes APIs deprecations. - swade1987/deprek8ion
Sweet, makes sense
we have a few more at work but they are all private repos
Aye
@jose.amengual did you say before that there was a PR to stream the output of the terraform apply to the PR?
there was yes
i found it, it’s still a PR
but we can’t get people to work on it
2021-03-15
Does anyone know how to put SSO in front of Atlantis (I’m using the fargate tf module)
you can use okta and the application load balancer’s oidc args
the fargate tf module allows inputting those oidc params
We have an XML file for Azure SSO, can we leverage that?
looks like it’s possible https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-protocols-oidc
Build web applications by using the Microsoft identity platform implementation of the OpenID Connect authentication protocol.
2021-03-22
how seamless is it to hook infracost into your atlantis workflow?
i know someone is doing it but can’t remember who
couldn’t you just add it to your dockerfile? then run it?
i didn’t know if https://github.com/infracost/infracost/issues/81#issuecomment-760284137 is the recommended way to do it
Users who want to make IaC CI/CD easier and want to use Atlantis would find this addition very useful. https://www.runatlantis.io/ https://github.com/runatlantis/atlantis
that person is basically installing it in their docker image and creating a new workflow that runs infracost
that’s probably the only way to do it
¯\_(ツ)_/¯
well… from the bottom comment it looks like this is the best way https://github.com/infracost/infracost-atlantis/
Atlantis integration for Infracost. Shows cloud cost estimates for Terraform in pull requests. - infracost/infracost-atlantis
this is the recommended way
is there a way in atlantis (using gitlab) to execute a plan only after all other jobs have completed?
we are getting in a situation where atlantis is trying to auto merge when our pre-commit CI job is still running
I never enabled automerge before
maybe thats my issue
I do not know gitlab that well but in GitHub you can do an approvers list etc. that requires someone to approve before it is merged
yeh we have that
i think the issue might be the auto merge
it could be
Make your precommit check required before merging
Then it’s impossible to merge while it is running
2021-03-26
How are people handling the tf lock file with 0.14 release with Atlantis?
i added it to my gitignore
That works @loren was talking to me about terraform-bundle as well as an option
Can 0.14 read 0.13 state and vice versa?
tf lock files get committed to source control, terragrunt bubbles them up, so just add as we go
Have been bitten by a few surprises before
0.14 can read 0.13, not the other way around
0.14 forward should be backwards compat IIRC
(although they may have backported)
The issue with the lock files is we don’t want to (plus we won’t remember to) run terraform init constantly for each directory
Also keep in mind that the lock files are architecture dependent
(I see developers running terraform on their Mac workstations and subsequently committing these files, which has no impact since Atlantis is usually running on Linux). Of course using geodesic locally would mitigate that :-)
Good luck I’m running a beast these days (also running from Docker so)
`terraform providers lock -platform=windows_amd64 -platform=darwin_amd64 -platform=linux_amd64` will generate a lock file for all 3 platforms