#atlantis (2021-03)

atlantis

Discuss the Atlantis (http://runatlantis.io|runatlantis.io) *Archive: * https://archive.sweetops.com/atlantis/

2021-03-29

2021-03-26

Steve Wade avatar
Steve Wade

How are people handling the tf lock file with 0.14 release with Atlantis?

RB (Ronak) (Cloud Posse) avatar
RB (Ronak) (Cloud Posse)

i added it to my gitignore

Steve Wade avatar
Steve Wade

That works @loren was talking to me about terraform-bundle as well as an option

Steve Wade avatar
Steve Wade

Can 0.14 read 0.13 state and vice versa?

joshmyers avatar
joshmyers

tf lock files get commited to source control, terragrunt bubbles them up, so just add as we go

joshmyers avatar
joshmyers

Have been bitten by a few surprises before

joshmyers avatar
joshmyers

0.14 can read 0.13, not the other way around

joshmyers avatar
joshmyers

0.14 forward should be backwards compat IIRC

joshmyers avatar
joshmyers

(although they may have backported)

Steve Wade avatar
Steve Wade

The issue with the lock files is we don’t want to (plus we won’t remember to) run terraform init constantly for each directory

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Also keep in mind that the lock files are architecture dependent

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

(I see developers running terraform on their Mac workstations and subsequently committing these files, which has no impact since Atlantis is usually running on Linux). Of course using geodesic locally would mitigate that :-)

joshmyers avatar
joshmyers

Good luck I’m running a beast these days (also running from Docker so)

joshmyers avatar
joshmyers
02:44:24 PM
joshmyers avatar
joshmyers

tomv avatar

terraform providers lock -platform=windows_amd64 -platform=darwin_amd64 -platform=linux_amd64

will generate a lock file for all 3 platforms

3

2021-03-22

Steve Wade avatar
Steve Wade

how seamless is it to hook intracost into your atlantis workflow?

Steve Wade avatar
Steve Wade

i know someone is doing it but can’t remember who

RB (Ronak) (Cloud Posse) avatar
RB (Ronak) (Cloud Posse)

couldnt you just add it to your dockerfile ?

RB (Ronak) (Cloud Posse) avatar
RB (Ronak) (Cloud Posse)

then run it ?

Steve Wade avatar
Steve Wade

i didn’t know if https://github.com/infracost/infracost/issues/81#issuecomment-760284137 is the recommended way to do it

Add Atlantis support · Issue #81 · infracost/infracost

Users who want to make IaC CI/CD easier and want to use Atlantis would find this addition very useful. https://www.runatlantis.io/ https://github.com/runatlantis/atlantis

RB (Ronak) (Cloud Posse) avatar
RB (Ronak) (Cloud Posse)

that person is basically installing it in their docker image and creating a new workflow that runs infracost

RB (Ronak) (Cloud Posse) avatar
RB (Ronak) (Cloud Posse)

that’s probably the only way to do it

RB (Ronak) (Cloud Posse) avatar
RB (Ronak) (Cloud Posse)
07:45:57 PM

¯_(ツ)_/¯

RB (Ronak) (Cloud Posse) avatar
RB (Ronak) (Cloud Posse)

well… from the bottom comment it looks like this is the best way https://github.com/infracost/infracost-atlantis/

infracost/infracost-atlantis

Atlantis integration for Infracost. Shows cloud cost estimates for Terraform in pull requests. - infracost/infracost-atlantis

jose.amengual avatar
jose.amengual

this is the recommended way

infracost/infracost-atlantis

Atlantis integration for Infracost. Shows cloud cost estimates for Terraform in pull requests. - infracost/infracost-atlantis

1
Steve Wade avatar
Steve Wade

is there a way in atlantis (using gitlab) to do execute a plan until all other jobs have completed?

Steve Wade avatar
Steve Wade

we are getting in a situation where atlantis is trying to auto merge when our pre-commit CI job is still running

jose.amengual avatar
jose.amengual

I never enabled automerge before

Steve Wade avatar
Steve Wade

maybe thats my issue

jose.amengual avatar
jose.amengual

I do not know gitlab that well but in github you can do approvers list etc to that requires someone to approve before is merged

Steve Wade avatar
Steve Wade

yeh we have that

Steve Wade avatar
Steve Wade

i think the issue might be the auto merge

jose.amengual avatar
jose.amengual

it could be

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Make your precommit check required before merging

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Then it’s impossible to merge while it is running

2021-03-15

Steve Wade avatar
Steve Wade

Does anyone know how to put SSO in front of Atlantis (I’m using the fargate tf module)

RB (Ronak) (Cloud Posse) avatar
RB (Ronak) (Cloud Posse)

you can use okta and the application load balancer’s oidc args

RB (Ronak) (Cloud Posse) avatar
RB (Ronak) (Cloud Posse)

the fargate tf module allows inputting those oidc params

RB (Ronak) (Cloud Posse) avatar
RB (Ronak) (Cloud Posse)
terraform-aws-modules/terraform-aws-atlantis

Terraform configurations for running Atlantis on AWS Fargate. Github, Gitlab and BitBucket are supported - terraform-aws-modules/terraform-aws-atlantis

1
Steve Wade avatar
Steve Wade

We have an XML file for azure SSO we can leverage that?

RB (Ronak) (Cloud Posse) avatar
RB (Ronak) (Cloud Posse)
Microsoft identity platform and OpenID Connect protocol - Microsoft identity platform

Build web applications by using the Microsoft identity platform implementation of the OpenID Connect authentication protocol.

2021-03-12

Steve Wade avatar
Steve Wade

is there any reason that the atlantis image does not ship with jq installed?

Steve Wade avatar
Steve Wade

considering its recommended when using external data sources

joshmyers avatar
joshmyers

For the same reason it doesn’t have aws-cli and other tools you may want, they are optional dependencies that not all may need…like, Atlantis / Terraform don’t require jq. I’d recommend wrapping the upstream Atlantis image with your personal wants

Steve Wade avatar
Steve Wade

awscli i can understand but jq is recommended for using external data sources

David avatar
David

How is the beta release going? Is there an estimate on when 0.17.0 will be official?

joshmyers avatar
joshmyers

I’d hazard a guess that most users are not using external data sources, and they don’t need jq.

2
joshmyers avatar
joshmyers

external data sources are a last resort escape hatch, not to be used lightly

Steve Wade avatar
Steve Wade

i completely agree with what your saying

jose.amengual avatar
jose.amengual

Altlantis is not a Build too so we keep it at small and concise as possible

jose.amengual avatar
jose.amengual

it is very easy to wrap it around and build your own image

jose.amengual avatar
jose.amengual

if we add thing to it we will end up with PRs to update X or Y which adds more work

joshmyers avatar
joshmyers

@jose.amengual quick question re https://github.com/runatlantis/atlantis/pull/1317 - does it need to go in the server side config? or if we allow repo level config, we can stick in there?

Implement a new policy check workflow by msarvar · Pull Request #1317 · runatlantis/atlantis

This PR adds policy check workflow into atlantis. It uses conftest to execute policies. At the moment you can only define policies locally and configure them in the server side config. How it works…

jose.amengual avatar
jose.amengual

I think this is all repo config, there is a PR for docs you can check

Implement a new policy check workflow by msarvar · Pull Request #1317 · runatlantis/atlantis

This PR adds policy check workflow into atlantis. It uses conftest to execute policies. At the moment you can only define policies locally and configure them in the server side config. How it works…

joshmyers avatar
joshmyers

Cool, ta

Steve Wade avatar
Steve Wade

i can’t wait for this to arrive its going to be

joshmyers avatar
joshmyers

Are you using OPA/conftest @?

Steve Wade avatar
Steve Wade

yes we use it lots

Steve Wade avatar
Steve Wade

both in CI for our k8s repos as well as inside k8s using gatekeeper

joshmyers avatar
joshmyers

What kinda things for? Anything particularly interesting? We’ve got allowed actions on resource types check, i.e cannot delete a production DDB, checking expected tags are all set on all taggable resources, make sure IAM roles have permissions_boundaries attached…

joshmyers avatar
joshmyers
Scalr/sample-tf-opa-policies

Contribute to Scalr/sample-tf-opa-policies development by creating an account on GitHub.

Steve Wade avatar
Steve Wade
swade1987/deprek8ion

Rego policies to monitor Kubernetes APIs deprecations. - swade1987/deprek8ion

joshmyers avatar
joshmyers

Sweet, makes sense

Steve Wade avatar
Steve Wade

we have a few more at work but they are all private repos

joshmyers avatar
joshmyers

Aye

Steve Wade avatar
Steve Wade

@jose.amengual did you say before that their was a PR to stream the output of the terraform apply to the PR?

jose.amengual avatar
jose.amengual

there was yes

Steve Wade avatar
Steve Wade

i found it its still a PR

jose.amengual avatar
jose.amengual

but we can’t get people to work on it

2021-03-11

Takan avatar
Takan

hi all can Atlanstis run compatibility with GCP

Takan avatar
Takan

since i just saw examples with AWS

jose.amengual avatar
jose.amengual

atlantis runs terraform and terraform can create GCP resources

1

2021-03-01

Steve Wade avatar
Steve Wade

this may be an idiotic idea but does anyone use atlantis to apply terraform changes to itself?

roth.andy avatar
roth.andy

There’s gotta be an XKCD that applies here

Steve Wade avatar
Steve Wade

yeh i thought as much but just wanted to double check

joshmyers avatar
joshmyers

No

joshmyers avatar
joshmyers

you would be fine on some changes, but cannot lobotomize itself.

roth.andy avatar
roth.andy
03:56:27 PM
1
Steve Wade avatar
Steve Wade

that sounds accurate

Vlad Ionescu (he/him) avatar
Vlad Ionescu (he/him)

Yup, I did that extensively Worked pretty well with the ECS on Fargate Terraform module

David avatar
David

I also manage atlantis in terraform/terragrunt. It works pretty well, as when the terraform applies it just updates my autoscaling group, it doesn’t actually kill my old server.

Steve Wade avatar
Steve Wade

@Vlad Ionescu (he/him) i use the ECS on Fargate module as well

roth.andy avatar
roth.andy

what module is this?

Vlad Ionescu (he/him) avatar
Vlad Ionescu (he/him)
terraform-aws-modules/terraform-aws-atlantis

Terraform configurations for running Atlantis on AWS Fargate. Github, Gitlab and BitBucket are supported - terraform-aws-modules/terraform-aws-atlantis

David avatar
David

It’s a great one. I made some very small edits to turn it into an autoscaling EC2 cluster because I can attach more storage, but I’m not sure if fargate ever got around to allowing over 10gb or not

jose.amengual avatar
jose.amengual

you will be fine until you delete the webhook lol

jose.amengual avatar
jose.amengual

but I did applied Atlantis to Atlantis

Steve Wade avatar
Steve Wade

what happens when you delete the webhook?

jose.amengual avatar
jose.amengual

next apply just will not happen

jose.amengual avatar
jose.amengual

the webbhook ot github app is the way Atlantis know about the changes

Steve Wade avatar
Steve Wade

gotcha

Steve Wade avatar
Steve Wade

yeh we don’t delete them

Steve Wade avatar
Steve Wade

we only add nowadays

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Also, there’s conceivably 2 SDLCs here. There’s the module for atlantis, and the docker image for atlantis.

1
Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Our terraform-aws-atlantis module handles the latter

Steve Wade avatar
Steve Wade

@jose.amengual i just tried to delete a webhook and now my terraform plan won’t work

Steve Wade avatar
Steve Wade
Error: GET <https://gitlab.com/api/v4/projects/redacted/tf-atlantis/hooks/6610588>: 404 {message: 404 Not found}
jose.amengual avatar
jose.amengual

yes that is because the atlantis user does not have admin rights on the ORG or repo to read and manage webhooks

    keyboard_arrow_up