#github-actions (2020-03)

for our last projects, we did not use atlantis and made it completely in GitHub Actions + Codefresh

It is certainly possible but we discovered a lot of edge cases that make it tricky - especially with monorepos consisting of multiple terraform projects

The other challenge we haven’t solved is we want to use the mergable flag (which is trivial) but have a catch22 (also exists with Atlantis). We would like to use code owners with branch protections and require plan and apply to succeed before merging

But we cannot require apply if we also want to use mergable flag before running plan. Does that make sense? Confusing explanation.

I’d like to explore github actions more, but struggled last time with figuring out the secrets to avoid DRY. In azure devops I can just setup a library variable set so all jobs get the rotated credentials. If I did github actions, I’d have to manage credentials for AWS or Terraform Cloud or whatever I use in multiple places.

I also didn’t see the preview + apply steps in practice, though I assume it can do this

after reading this, then at this stage and age , is it a better option to use github actions instead of atlantis ?

I guess my worry is that you will have to give access to GitHub to get aws keys to run privileged commands, which I don’t like that much unless this run on a github runner

Ya the lack of shared secrets combined with the lack of an API to manage repo secrets makes GitHub actions a pain if you have a lot of repos.

The GitHub runner is of course a nice alternative to run it inside your VPC with IAM roles. Note then we are back to something similar to Atlantis in terms of maintenance.

GitHub actions will provide a more customizable experience. But recreating the Atlantis workflow complete with project locks, planfiles and approval gates will take some work. I don’t believe I have seen an end to end implementation for this. The official HashiCorp action doesn’t implement all of this.

That’s what I keep coming back to the full workflow. From what I say the only fully-fledged workflow is Terraform cloud/Scalr. Otherwise I need to recreate that workflow with approval gates and Jenkins or azure DevOps. Well this is totally achievable it doesn’t come out of the box ready to go. It seems like if I want the easiest path for remote cloud runs for a team terraform cloud will probably deliver that. The other solutions offer more flexibility and customization being a more general pipeline tool. I’m looking for the easiest way to help a team begin implying best practices with terraform code cicd

yep, more or less. only thing I’d add to it is github actions are designed to be easily shared and collaborated on. so as soon as someone implements and shares, we all benefit

ok, I think we will stick with atlantis for a while, for us one of the must to have is to run inside of the vpc

just for the record, this is how to do that with github actions: https://github.com/actions/runner

yes, I know but since the rest of the logic requires quite a lot of work and is not there yet, then….

I just looked. I’ve got 90 repos for my team. Probably guilty of 75% of those . Not a big deal though as I just manage them with yaml file and terraform. Easy!

Shared secrets are a thing now