#release-engineering (2020-1)

All things CI/CD. Specific emphasis on Codefresh and CodeBuild with CodePipeline.

CI/CD Discussions

Archive: https://archive.sweetops.com/release-engineering/

2020-01-24

Darren Cunningham

has anybody built a Codefresh pipeline for a Maven project that uses https://github.com/GoogleContainerTools/jib?

GoogleContainerTools/jib

Build container images for your Java applications. - GoogleContainerTools/jib

2020-01-23

so I’m using: https://github.com/cloudposse/terraform-aws-ecs-atlantis and I’m going through the setup, but

cloudposse/terraform-aws-ecs-atlantis

Terraform module for deploying Atlantis as an ECS Task - cloudposse/terraform-aws-ecs-atlantis

in:

Provision the module with Terraform. Terraform GitHub Provider will use the github_webhooks_token to create webhooks on the repo

as I understand it, I need to provision the module, meaning provide the necessary input variables to be able to run apply, correct?

Adrian

correct

thanks

mmm I’m getting this error:

on main.tf line 95, in module "atlantis":
  95:   atlantis_repo_whitelist    = [var.atlantis_repo_whitelist]

The given value is not suitable for child module variable
"atlantis_repo_whitelist" defined at ../../variables.tf:123,1-35: element 0:
string required.

I used something like: atlantis_repo_whitelist = ["cloudposse/terraform-aws-ecs-atlantis"]

that variable is set to list(string)

so this should work

I know why

the example is incorrect

if you add * it doesn’t like it somehow

aknysh
cloudposse/terraform-aws-ecs-atlantis

aknysh

is always correct since it’s auto-tested on AWS with terratest

aknysh

at least it ran OK the last time a PR was opened for the repo

cloudposse/terraform-aws-ecs-atlantis

they are different

aknysh

different how?

aknysh

the example itself defaults it to empty list

aknysh

and we provide the concrete value in tfvars

the default is different:

variable "atlantis_repo_whitelist" {
  type        = list(string)
  description = "Whitelist of repositories Atlantis will accept webhooks from"
  default     = ["github.com/example/*"]
}

that is from the cognito example

but in the cognito example there is no .tfvars, just defaults

if I’m not mistaken, it’s just the cognito-example folder that has the problem

I switched to the complete example and it works

mmmm the provisioning of the module should work for private repos too, right?

Error: POST https://api.github.com/repos/company/terraform-rds/hooks: 404 Not Found []

  on .terraform/modules/atlantis.ecs_web_app.ecs_codepipeline.github_webhooks/main.tf line 6, in resource "github_repository_webhook" "default":
   6: resource "github_repository_webhook" "default" {

aknysh

The user you create the token for must be an admin in the repo to be able to create webhooks

I added it to a team that is admin

aknysh

That’s the dropdown with Read, Write and Admin values

exactly

I just added it as a single collaborator with admin and it does not work

I forgot to add the scope!!!!

admin:repo_hook

another issue

the webhooks are created in the repo

but every time the apply happens it wants to create the webhooks again

so I’m guessing webhook_enabled = true should be set to false after the initial bootstrap?

I wonder how this will work for multiple repos

I think I figured out that part too no

cloudposse/terraform-aws-ecs-atlantis

so the repo where the webhooks were created should have a Dockerfile?

or should I point it to: github.com/cloudposse/atlantis

ahhh I’m so stupid

that will have to be an ECR repo image or docker registry of atlantis

mmmm that does not seem to work

Error: --gh-user/--gh-token or --gitlab-user/--gitlab-token or --bitbucket-user/--bitbucket-token must be set

aknysh

if the example in https://github.com/cloudposse/terraform-aws-ecs-atlantis/tree/master/examples/complete did not help, this is how we deployed atlantis in our test account (it’s working now) https://github.com/cloudposse/testing.cloudposse.co/tree/master/conf/ecs

cloudposse/testing.cloudposse.co

Example Terraform Reference Architecture that implements a Geodesic Module for an Automated Testing Organization in AWS - cloudposse/testing.cloudposse.co

aknysh
cloudposse/terraform-root-modules

Example Terraform service catalog of “root module” blueprints for provisioning reference architectures - cloudposse/terraform-root-modules

mmm

the environment variables of the ECS task are missing

I mean, the only one that is created is ATLANTIS_ENABLED

but atlantis is expecting other ENV vars

I have no clue

I can’t use default-backend as an image_url for the ECS task since that thing is the pretty 404 page

so I changed it to cloudposse/atlantis:latest

and now atlantis does not start

but I’m confused about how codepipeline/codebuild work since I never used them before

that is why I don’t know if my repo has to have a Dockerfile to build atlantis, which is then built, uploaded to ECR and run, or whether atlantis runs all the time and then pulls the repo and runs TF etc

need to read the docs more

Deployment | Atlantis

Atlantis: Terraform Pull Request Automation

atlantis runs all the time and receives the webhook requests

so it needs to be up and running to do so

terraform-aws-modules/terraform-aws-atlantis

Terraform configurations for running Atlantis on AWS Fargate. Github, Gitlab and BitBucket are supported. - terraform-aws-modules/terraform-aws-atlantis

which I think I’m missing somehow

do I have to have a Dockerfile like this in every repo that I run atlantis on? https://github.com/cloudposse/atlantis/blob/master/Dockerfile

cloudposse/atlantis

GitOps for Teams (experimental hard fork of atlantis) - cloudposse/atlantis

so Codepipeline can build the image and push it to ECS?

is that the idea?

aknysh

as we did it, we install atlantis in the Dockerfile for each environment we use

aknysh
cloudposse/testing.cloudposse.co

aknysh

so the CodePipeline builds the image on merging to master branch

aknysh

and saves it to ECR

aknysh

and then deploys it to ECS

aknysh

so yes, in our case, we install atlantis in the same repo on which atlantis operates after it gets installed

aknysh

but you can choose any other solution that fits your needs

aknysh

in our case, atlantis is deployed from the repo, and then operates on the same repo using the config file https://github.com/cloudposse/testing.cloudposse.co/blob/master/atlantis.yaml

aknysh

(we did it to minimize the number of repos to create and maintain. You can have atlantis defined in one repo, but operating on a different infra repo. But in this case, the number of repos doubles)

aknysh

(the confusion here is because we merged two different concepts together to minimize the number of repos: GitOps for atlantis itself (how to deploy it into each environment), and GitOps for the resources that atlantis controls)

aknysh

if you use atlantis itself from a different repo (not the one on which it operates), this file becomes very important from a security point of view

aknysh
cloudposse/testing.cloudposse.co

aknysh

id: github.com/cloudposse/testing.cloudposse.co gives atlantis permissions to the specified repo only

aknysh
cloudposse/geodesic

Geodesic is a cloud automation shell. It's the fastest way to get up and running with a rock solid, production grade cloud platform built on top of strictly Open Source tools. ★ this repo! h…

aknysh

since all Dockerfiles have geodesic as base, atlantis.sh gets executed

aknysh
cloudposse/geodesic

aknysh

@PePe you were asking about missing vars

aknysh

(who said the whole solution would be easy)

hahaha

now the missing pieces are surfacing…

now I understand a bit more

in our case we have several repos that build one environment, where we do have an ECS cluster

and the many services inside are built from a different TF repo

so I was thinking to deploy atlantis as a service that is part of the same ECS cluster

and trigger the builds through the webhooks

aknysh

yes, so you probably will have to do some digging since our stuff was made to work with geodesic, which has lots of things for atlantis

and the idea behind this is to minimize the “access” of atlantis and atlantis apply to that specific aws account/cluster

aknysh

if that’s a question, then yes

aknysh

and to minimize the number of repos

aknysh

if you have 7 environments, you would have 14 repos (7 for atlantis) if you deployed atlantis from separate repos

ok, that confuses me a bit

aknysh

that’s why we put atlantis in the Dockerfile for the the same repo on which it operates in the same account

I thought atlantis will clone and run any repo that hits the public endpoint for the webhook, right?

aknysh

it can

aknysh

but you need to deploy atlantis itself

aknysh

preferably with GitOps

imagine that I have atlantis running already

then I add the webhooks to the repo, give the atlantis bot user access to the repo, then atlantis should be able to run terraform apply from that repo on a github event

aknysh

cloudposse/testing.cloudposse.co is the repo that deploys atlantis and the repo on which the deployed atlantis operates

for that environment

aknysh

as you described yes, it will do it

so one atlantis per environment basically

no matter how many terraform repos that environment could have?

aknysh

yes

aknysh

but as I mentioned, you have to deploy atlantis somehow into each env

aknysh

that’s when it becomes more complicated

correct I understand

aknysh
cloudposse/testing.cloudposse.co

and that is why you run atlantis from within the TF repo

to avoid having two of each

aknysh

haha yes, been trying to say that for 30 mins

hahahahahaha

aknysh

to minimize the number of repos

and I guess another advantage of running from the same repo is that you could somewhat customize atlantis for repo-specific configs

aknysh

Yes

aknysh

For example, it uses the same credentials or assume role as you do when executing into that container

aknysh

So you specify it only once in one place

exactly

thanks so much for the time, sorry for being too slow

aknysh

np, that’s not an easy solution

I was wondering yesterday, building atlantis every time could take some time

do you happen to know if there is a notable difference from having atlantis running all the time?

aknysh

CodePipeline will build on merge to master

aknysh

and deploy to ECS

aknysh

but ECS will switch to the new version only if the deployment is a success

ok

and this approach should not be an issue if I want to set up atlantis to build from a branch?

not just merge to master

aknysh

yes

aknysh

we selected master

aknysh

in CodePipeline config

ahhhh right that is Codepipeline not atlantis, ok cool

2020-01-22

2020-01-17

Roderik van der Veer

We have been using Travis CI Pro for years, and pay a whopping 5k a year for 10 concurrent builds. The cost or amount of builds is not really the issue though. It is the power of the underlying machines. Our build flows are optimised to the max, but we have for example a 10 minute create-react-app build (webpack) which cannot be sped up in any way, except with bigger CPUs. 2 min on my top spec MBP vs 12 minutes on Travis. But they do not have plans with faster machines, so not really an option. How are you all handling these kinds of problems?

Pierre Humberdroz

Remote workers, but this might sadly not be an option for Travis CI.

Roderik van der Veer

via their support I found that the premium VMs are still there

Roderik van der Veer

will try that first

loren

you could maybe connect your repo to gitlab-ci with a “ci-only” project, and manage your own runners as powerful as you need?

Erik Osterman

Drop Travis?

Maycon Santos

5K a year for 10 concurrent is really pricey. I used to run GitLab’s CI with docker-machine launching on-demand spot instances for less than $50/month for the runners.

2020-01-12

Mahesh

any GoCD users here?

2020-01-10

Rob Rose

Hey does anyone have any examples of production/dev/staging environments integrated with terraform and orchestrated by a Jenkins pipeline?
