#github-actions (2020-03)

Discussions related to GitHub Actions

2020-03-31

2020-03-30

2020-03-29

2020-03-27

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Adding @ bot

discourse_forum avatar
discourse_forum
10:04:15 PM

@ has joined the channel

2020-03-24

2020-03-03

2020-03-02

Nick Kampe avatar
Nick Kampe

There still value to use atlantis for terraform automation nowdays when you can just do it in a github action?

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

for our last projects, we did not use atlantis and made it completely in GitHub Actions + Codefresh

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

It is certainly possible but we discovered a lot of edge cases that make it tricky - especially with monorepos consisting of multiple terraform projects

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

The other challenge we haven’t solved is we want to use the mergable flag (which is trivial) but have a catch22 (also exists with Atlantis). We would like to use code owners with branch protections and require plan and apply to succeed before merging

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

But we cannot require apply if we also want to use mergable flag before running plan. Does that make sense? Confusing explanation.

sheldonh avatar
sheldonh

I’d like to explore github actions more, but struggled last time with figuring out the secrets to avoid DRY. In azure devops I can just setup a library variable set so all jobs get the rotated credentials. If I did github actions, I’d have to manage credentials for AWS or Terraform Cloud or whatever I use in multiple places.

I also didn’t see the preview + apply steps in practice, though I assume it can do this

PePe avatar

after reading this, then at this stage and age , is it a better option to use github actions instead of atlantis ?

PePe avatar

I guess my worry is that you will have to give access to GitHub to get aws keys to run privileged commands, which I don’t like that much unless this run on a github runner

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Ya the lack of shared secrets combined with the lack of an API to manage repo secrets makes GitHub actions a pain if you have a lot of repos.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

The GitHub runner is of course a nice alternative to run it inside your VPC with IAM roles. Note then we are back to something similar to Atlantis in terms of maintenance.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

GitHub actions will provide a more customizable experience. But recreating the Atlantis workflow complete with project locks, planfiles and approval gates will take some work. I don’t believe I have seen an end to end implementation for this. The official HashiCorp action doesn’t implement all of this.

sheldonh avatar
sheldonh

That’s what I keep coming back to the full workflow. From what I say the only fully-fledged workflow is Terraform cloud/Scalr. Otherwise I need to recreate that workflow with approval gates and Jenkins or azure DevOps. Well this is totally achievable it doesn’t come out of the box ready to go. It seems like if I want the easiest path for remote cloud runs for a team terraform cloud will probably deliver that. The other solutions offer more flexibility and customization being a more general pipeline tool. I’m looking for the easiest way to help a team begin implying best practices with terraform code cicd

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

yep, more or less. only thing I’d add to it is github actions are designed to be easily shared and collaborated on. so as soon as someone implements and shares, we all benefit

PePe avatar

ok, I think we will stick with atlantis for a while, for us one of the must to have is to run inside of the vpc

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

just for the record, this is how to do that with github actions: https://github.com/actions/runner

PePe avatar

yes, I know but since the rest of the logic requires quite a lot of work and is not there yet, then….

sheldonh avatar
sheldonh

I just looked. I’ve got 90 repos for my team. Probably guilty of 75% of those . Not a big deal though as I just manage them with yaml file and terraform. Easy!

sheldonh avatar
sheldonh

Shared secrets are a thing now

    keyboard_arrow_up