#github-actions (2020-03)
Discussions related to GitHub Actions
2020-03-02
**Nick Kampe:** Is there still value in using Atlantis for Terraform automation nowadays when you can just do it in a GitHub Action?
**Andriy Knysh (Cloud Posse):** For our last projects, we did not use Atlantis and built it completely in GitHub Actions + Codefresh.
**Erik Osterman (Cloud Posse):** It is certainly possible, but we discovered a lot of edge cases that make it tricky, especially with monorepos consisting of multiple Terraform projects.
**Erik Osterman (Cloud Posse):** The other challenge we haven't solved is that we want to use the mergeable flag (which is trivial) but have a catch-22 (which also exists with Atlantis). We would like to use code owners with branch protections and require plan and apply to succeed before merging.
**Erik Osterman (Cloud Posse):** But we cannot require apply if we also want to use the mergeable flag before running plan. Does that make sense? Confusing explanation.
**sheldonh:** I'd like to explore GitHub Actions more, but struggled last time with figuring out secrets to stay DRY. In Azure DevOps I can just set up a library variable set so all jobs get the rotated credentials. If I did GitHub Actions, I'd have to manage credentials for AWS or Terraform Cloud or whatever I use in multiple places.
I also didn't see the preview + apply steps in practice, though I assume it can do this.
**jose.amengual:** After reading this, at this stage and age, is it a better option to use GitHub Actions instead of Atlantis?
**jose.amengual:** I guess my worry is that you will have to give GitHub access to AWS keys to run privileged commands, which I don't like that much unless this runs on a GitHub runner.
**Erik Osterman (Cloud Posse):** Yeah, the lack of shared secrets combined with the lack of an API to manage repo secrets makes GitHub Actions a pain if you have a lot of repos.
**Erik Osterman (Cloud Posse):** The GitHub runner is of course a nice alternative to run it inside your VPC with IAM roles. Note that then we are back to something similar to Atlantis in terms of maintenance.
**Erik Osterman (Cloud Posse):** GitHub Actions will provide a more customizable experience. But recreating the Atlantis workflow complete with project locks, planfiles and approval gates will take some work. I don't believe I have seen an end-to-end implementation of this. The official HashiCorp action doesn't implement all of this.
**sheldonh:** That's what I keep coming back to: the full workflow. From what I see, the only fully-fledged workflow is Terraform Cloud/Scalr. Otherwise I need to recreate that workflow with approval gates and Jenkins or Azure DevOps. While this is totally achievable, it doesn't come out of the box ready to go. It seems like if I want the easiest path for remote cloud runs for a team, Terraform Cloud will probably deliver that. The other solutions offer more flexibility and customization, being more general pipeline tools. I'm looking for the easiest way to help a team begin applying best practices with Terraform code CI/CD.
**Erik Osterman (Cloud Posse):** Yep, more or less. The only thing I'd add to it is that GitHub Actions are designed to be easily shared and collaborated on, so as soon as someone implements and shares, we all benefit.
**jose.amengual:** OK, I think we will stick with Atlantis for a while; for us one of the must-haves is to run inside the VPC.
**Erik Osterman (Cloud Posse):** Just for the record, this is how to do that with GitHub Actions: https://github.com/actions/runner
**jose.amengual:** Yes, I know, but since the rest of the logic requires quite a lot of work and is not there yet, then...
**sheldonh:** I just looked. I've got 90 repos for my team. Probably guilty of 75% of those. Not a big deal though, as I just manage them with a YAML file and Terraform. Easy!
**sheldonh:** Shared secrets are a thing now.
2020-03-27
**Erik Osterman (Cloud Posse):** Adding @discourse_forum bot
**discourse_forum:** @discourse_forum has joined the channel