Atlantis: Terraform Pull Request Automation

Let's see how you can let anyone on your team run Terraform automations safely!

Here comes Atlantis!

Why would you run Atlantis?

  1. Increased visibility:
  • Is what’s in master deployed?
  • Did someone forget to create a pull request for that latest change?
  • What was the output from that last terraform apply?

How does it work?

  1. Open a pull request.
  2. Atlantis automatically runs terraform plan and comments the output back on the pull request.
  3. Someone from your team reviews the plan and approves the pull request.
  4. You comment "atlantis apply".
  5. Atlantis runs terraform apply and comments the output back on the pull request.

Note that Atlantis does not by itself check that the pull request was approved before it runs apply; anyone who can comment on a pull request in an allowlisted repo can trigger it. If you want approval enforced, set apply_requirements (for example approved and mergeable) in the server-side repo config.
How to set it up

  1. Create a dedicated GitHub user for Atlantis, named @atlantis or something close, or reuse a dedicated CI user. Atlantis comments on pull requests as this user, so do not use a personal account.
  2. Once you have created the user (or decided to use an existing one), generate a GitHub personal access token for it with the repo scope. Treat the token like any other credential: it gives Atlantis read and write access to every repository that user can see.
  3. Atlantis uses a webhook secret to validate that the webhooks it receives from your Git host are genuine. The secret is technically optional, but without it anyone who can reach the Atlantis webhook endpoint can feed it forged pull request events, so set one. Use any random string generator to create it; it should be longer than 24 characters, and you must use the same webhook secret for every repo.
  4. Create a Kubernetes Secret holding the access token and the webhook secret, then deploy the StatefulSet and Service below. echo -n keeps a trailing newline out of the files; delete the two files once the Secret exists:
echo -n "yourtoken" > token
echo -n "yoursecret" > webhook-secret
kubectl create secret generic atlantis-vcs --from-file=token --from-file=webhook-secret
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: atlantis
spec:
  serviceName: atlantis
  replicas: 1
  updateStrategy:
    type: RollingUpdate
    rollingUpdate:
      partition: 0
  selector:
    matchLabels:
      app: atlantis
  template:
    metadata:
      labels:
        app: atlantis
    spec:
      securityContext:
        fsGroup: 1000 # Atlantis group (1000) read/write access to volumes.
      containers:
      - name: atlantis
        image: runatlantis/atlantis:v<VERSION> # 1. Replace <VERSION> with the most recent release.
        env:
        - name: ATLANTIS_REPO_ALLOWLIST
          value: github.com/yourorg/* # 2. Replace this with your own repo allowlist; keep it as narrow as possible.
        ### GitHub Config ###
        - name: ATLANTIS_GH_USER
          value: <YOUR_GITHUB_USER> # 3. Replace <YOUR_GITHUB_USER> with the username of your Atlantis GitHub user without the `@`.
        - name: ATLANTIS_GH_TOKEN
          valueFrom:
            secretKeyRef:
              name: atlantis-vcs
              key: token
        - name: ATLANTIS_GH_WEBHOOK_SECRET
          valueFrom:
            secretKeyRef:
              name: atlantis-vcs
              key: webhook-secret
        ### End GitHub Config ###
        - name: ATLANTIS_DATA_DIR
          value: /atlantis
        - name: ATLANTIS_PORT
          value: "4141" # Kubernetes sets an ATLANTIS_PORT variable (from the Service below) so we need to override it.
        volumeMounts:
        - name: atlantis-data
          mountPath: /atlantis
        ports:
        - name: atlantis
          containerPort: 4141
        resources:
          requests:
            memory: 256Mi
            cpu: 100m
          limits:
            memory: 256Mi
            cpu: 100m
        livenessProbe:
          # We only need to check every 60s since Atlantis is not a
          # high-throughput service.
          periodSeconds: 60
          httpGet:
            path: /healthz
            port: 4141
            # If using https, change this to HTTPS
            scheme: HTTP
        readinessProbe:
          periodSeconds: 60
          httpGet:
            path: /healthz
            port: 4141
            # If using https, change this to HTTPS
            scheme: HTTP
  volumeClaimTemplates:
  - metadata:
      name: atlantis-data
    spec:
      accessModes: ["ReadWriteOnce"] # Volume should not be shared by multiple nodes.
      resources:
        requests:
          # The biggest thing Atlantis stores is the Git repo when it checks it out.
          # It deletes the repo after the pull request is merged.
          storage: 5Gi
---
apiVersion: v1
kind: Service
metadata:
  name: atlantis
spec:
  type: ClusterIP
  ports:
  - name: atlantis
    port: 80
    targetPort: 4141
  selector:
    app: atlantis
Repo configuration (atlantis.yaml)

  • atlantis.yaml files must be placed at the root of the repo.
  • The only supported name is atlantis.yaml, not atlantis.yml or .atlantis.yaml.
  • Paths in when_modified are relative to the project's dir, so the example below re-plans the project whenever one of its own .tf or .tfvars files changes, or any shared module under ../modules does.
version: 3
projects:
- dir: <path of directory where you have terraform code>
  autoplan:
    when_modified: ["../modules/**/*.tf", "*.tf*"]

Akshay Bobade

I have 3+ years of experience as a DevOps engineer and currently deal with Cloud, Containers, Kubernetes and Big Data technologies.