runatlantis / atlantis
Terraform Pull Request Automation
Home Page: https://www.runatlantis.io
License: Other
See https://twitter.com/antonbabenko/status/959435367001845760 for a use-case.
Probably implement this via atlantis.yaml or via a specific comment format that allows users to customize how we run terraform plan or terraform apply.
Right now users can add additional arguments to those commands by just appending the args to atlantis plan/apply -additional-arg but they can't change the first part we run: terraform plan/apply
Issue by @lkysow
Thursday Nov 30, 2017 at 06:54 GMT
Migrated from hootsuite/atlantis#210
Why was it migrated?
GitHub has lots of branch protections that we could support in Atlantis by requiring them to "pass" before we allow apply's. Right now you can specify --require-approval but this only looks for an approval, not necessarily the type of approval specified in the branch protections.
I'm using docker atlantisnorth/atlantis:latest and I'm trying to run a plan in a specific directory and it's not working. When I pass the -d option it passes it to terraform and I get this error from terraform:
flag provided but not defined: -d
The command I use is atlantis plan -d . -w <my_env>
Really though this is kinda secondary to my root issue, I have other directories holding spec tests and templates and I'm trying to just force the plan to run in the root directory instead of walking the tree.
Maybe this could just be a feature request? Maybe make an option in the atlantis.yaml to ignore specific directories? It looks like it already ignores a few directories by default, maybe make that configurable?
Atlantis Version: 0.3.3
We have an interesting edge case we've run into that I think should be considered for a functional change.
Currently, when you create a pull request and perform an atlantis plan which results in "No changes. Infrastructure is up-to-date." which is expected.
BUT, in our case, because we have Atlantis required for merges, which results in the following stalemate:
My expected behavior is that if Terraform returns with No Changes, atlantis should report green and "ready to merge", because... well, there are no net changes. We discovered the edge case when refactoring some code that had plenty of code changes, but no output changes.
$ atlantis version
atlantis 0.3.5
$ atlantis bootstrap
Welcome to Atlantis bootstrap!
This mode walks you through setting up and using Atlantis. We will
Press Ctrl-c at any time to exit
GitHub username: NeckBeardPrince
To continue, we need you to create a GitHub personal access token
with "repo" scope so we can fork an example terraform project.
Follow these instructions to create a token (we don't store any tokens):
https://help.github.com/articles/creating-a-personal-access-token-for-the-command-line/#creating-a-token
GitHub access token (will be hidden):
=> forking repo
=> fork completed!
=> terraform found in $PATH!
=> downloading ngrok
=> downloaded ngrok successfully!
=> creating secure tunnel
=> started tunnel!
Error: getting tunnel url: didn't find tunnels that were expected to be created
Usage:
atlantis bootstrap [flags]
Flags:
-h, --help help for bootstrap
Issue by @automaticgiant
Tuesday Dec 05, 2017 at 01:49 GMT
Migrated from hootsuite/atlantis#218
I need terraform to go through the proxy to aws, but the git stuff to not go through a proxy.
Presently, it looks like the env won't get passed through to tf anyway, which is a problem.
However, I do also see the problem that I can't set no_proxy to exclude enterprise github from atlantis trying to proxy that.
I'm looking at deploying Atlantis to Heroku, since the free tier seems like a good fit for running this service on a project that only sees occasional updates. However, Heroku only provides an ephemeral filesystem, which disappears any time the service shuts down - at least once every 24 hours, and on the free tier, also after 15 minutes without a request. Since Atlantis writes its locks to disk, this means that locks are volatile and disappear quickly.
I'd love to store locks in an external service, such as PostgreSQL or etcd, if possible, so that filesystem ephemerality isn't a blocker.
I had a look at the locking package, and the lock API looks general enough to implement on other systems - treat this issue as a combined question ("is this important to anyone else?") and suggestion ("wouldn't it be nice if").
Issue by @nwalke
Thursday Aug 03, 2017 at 19:23 GMT
Migrated from hootsuite/atlantis#99
Would be awesome to have this support BitBucket
Issue by @anubhavmishra
Saturday Jul 08, 2017 at 19:08 GMT
Migrated from hootsuite/atlantis#71
atlantis apply to e2e tests
Issue by @nwalke
Thursday Aug 24, 2017 at 20:17 GMT
Migrated from hootsuite/atlantis#135
It would be nice to be able to see the Atlantis version number on the UI page. Just a sanity check that an upgrade worked or a quick way to check if we're behind, etc.
Issue by @so0k
Monday Jan 29, 2018 at 08:24 GMT
Migrated from hootsuite/atlantis#236
Atm, any developer can add pre_get, pre_init, pre/post_plan commands to expose secrets via atlantis.yaml - as Atlantis requires quite significant permissions, this might be a concern.
Drone used to have a signing step required for the drone.yaml file, ensuring unauthorized modifications to atlantis.yaml can be prevented.
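As an added illustration of the Drone-style signing step proposed above (example code, not Atlantis's own implementation), the following Go program signs atlantis.yaml with an operator-held HMAC key and refuses to honour pre_get/pre_init/pre_plan/post_plan hooks unless the signature verifies. The YAML layout, the key and the hook detection by line prefix are all constructed for the demo.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// hookKeys are the atlantis.yaml hooks named in the issue: whoever can add
// them runs arbitrary commands with Atlantis's credentials.
var hookKeys = []string{"pre_get", "pre_init", "pre_plan", "post_plan"}

// SignConfig returns a hex HMAC-SHA256 over the exact bytes of atlantis.yaml.
// The key is held by the Atlantis operator, never committed to the repo.
func SignConfig(cfg, key []byte) string {
	mac := hmac.New(sha256.New, key)
	mac.Write(cfg)
	return hex.EncodeToString(mac.Sum(nil))
}

// VerifyConfig compares in constant time (hmac.Equal), so a wrong signature
// cannot be told apart from a nearly-right one by timing.
func VerifyConfig(cfg []byte, sigHex string, key []byte) bool {
	got, err := hex.DecodeString(sigHex)
	if err != nil {
		return false
	}
	mac := hmac.New(sha256.New, key)
	mac.Write(cfg)
	return hmac.Equal(got, mac.Sum(nil))
}

// HasHooks reports whether the config declares any hook key. It checks line
// prefixes instead of parsing YAML, which is enough for this demo; a real
// implementation would walk the parsed document.
func HasHooks(cfg []byte) bool {
	for _, line := range strings.Split(string(cfg), "\n") {
		t := strings.TrimSpace(line)
		for _, k := range hookKeys {
			if strings.HasPrefix(t, k+":") {
				return true
			}
		}
	}
	return false
}

// AllowConfig is the policy: a config without hooks is always accepted; a
// config with hooks is accepted only when the operator signature verifies.
func AllowConfig(cfg []byte, sigHex string, key []byte) (bool, string) {
	if !HasHooks(cfg) {
		return true, "no hooks declared"
	}
	if VerifyConfig(cfg, sigHex, key) {
		return true, "hooks declared, signature valid"
	}
	return false, "hooks declared but signature missing or invalid; refusing to run them"
}

func main() {
	key := []byte("operator-signing-key (constructed, not a real secret)")
	signed := []byte("terraform_version: 0.11.3\npre_plan:\n  commands:\n    - \"terraform get -update=true\"\n")
	sig := SignConfig(signed, key)
	fmt.Println(AllowConfig(signed, sig, key))
	// A contributor appends one more hook command without re-signing.
	tampered := []byte(string(signed) + "    - \"echo modified\"\n")
	fmt.Println(AllowConfig(tampered, sig, key))
}
```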
Version: 0.3.5
Repo whitelist should be case insensitive.
When I configure the repo whitelist as github.com/247sports/* I get the following log output:
2018/03/29 23:05:31 events_controller.go:136: [DEBUG] server: Ignoring pull request event from non-whitelisted repo
Once I change it to github.com/247Sports/* it works fine.
Issue by @lkysow
Monday Dec 18, 2017 at 01:50 GMT
Migrated from hootsuite/atlantis#223
On releases, the circleci tagging workflow isn't working anymore. Should switch it to use the new tagging support from circleci anyway.
Issue by @lkysow
Monday Nov 06, 2017 at 15:15 GMT
Migrated from hootsuite/atlantis#183
When complete, we can re-enable golint in our metacheck config.
Issue by @lkysow
Friday Jun 30, 2017 at 03:25 GMT
Migrated from hootsuite/atlantis#57
None
Issue by @lkysow
Tuesday Sep 05, 2017 at 01:54 GMT
Migrated from hootsuite/atlantis#143
Right now we don't check whether a branch has been updated to the latest master. We should just error out if it hasn't, otherwise the plan will be weird.
Given the following directory structure:
modules/
  module1/
    main.tf
vpc/
  main.tf
If a change is made to both module1/main.tf and vpc/main.tf, Atlantis will attempt to run terraform plan in vpc/ (which is correct) and in the root of the project (which is incorrect).
This occurs due to an attempt to support this type of structure:
main.tf
modules/
  module1/
    main.tf
The way Atlantis works right now is we assume if there's a change in any directory called modules we should run plan/apply in the root.
Possible solutions:
- atlantis.yaml file in all project roots. We don't run anywhere that doesn't have one.
- .tf files in the parent of modules/ and not running there if that's the case.
If performing a large change, terraform can sometimes take a long time until it returns. During this time, the only indication that Atlantis is working is the build status icon.
It would be nice if an apply was taking over 30 seconds for Atlantis to comment back with some sort of indication that the operation is under progress.
Fixed. the problem was that I did not understand the error message was referring to another repository that the bot did not have access to
Issue by @lkysow
Monday Oct 23, 2017 at 13:41 GMT
Migrated from hootsuite/atlantis#165
When a pull request is first opened up, and when new changes are pushed to an existing pull request, Atlantis should run plan again for each project modified.
When spf13/pflag#155 is merged we can just add a newline to the end of our descriptions.
Will change
Usage:
atlantis server [flags]
Flags:
--allow-fork-prs > Allow Atlantis to run on pull requests from forks. A security issue for
public repos.
--atlantis-url string > URL that Atlantis can be reached at. Defaults to http://$(hostname):$port
where $port is from --port.
--config string > Path to config file.
--data-dir string > Path to directory to store Atlantis data. (default "~/.atlantis")
--gh-hostname string > Hostname of your Github Enterprise installation. If using github.com, no
need to set. (default "github.com")
--gh-token string > GitHub token of API user. Can also be specified via the ATLANTIS_GH_TOKEN
environment variable.
--gh-user string > GitHub username of API user.
--gh-webhook-secret string > Secret used to validate GitHub webhooks (see
https://developer.github.com/webhooks/securing/). SECURITY WARNING: If not
specified, Atlantis won't be able to validate that the incoming webhook
call came from GitHub. This means that an attacker could spoof calls to
Atlantis and cause it to perform malicious actions. Should be specified via
the ATLANTIS_GH_WEBHOOK_SECRET environment variable.
--gitlab-hostname string > Hostname of your GitLab Enterprise installation. If using gitlab.com, no
need to set. (default "gitlab.com")
--gitlab-token string > GitLab token of API user. Can also be specified via the
ATLANTIS_GITLAB_TOKEN environment variable.
--gitlab-user string > GitLab username of API user.
--gitlab-webhook-secret string > Optional secret used to validate GitLab webhooks. SECURITY WARNING: If
not specified, Atlantis won't be able to validate that the incoming webhook
call came from GitLab. This means that an attacker could spoof calls to
Atlantis and cause it to perform malicious actions. Should be specified via
the ATLANTIS_GITLAB_WEBHOOK_SECRET environment variable.
-h, --help help for server
--log-level string > Log level. Either debug, info, warn, or error. (default "info")
--port int > Port to bind to. (default 4141)
--repo-whitelist string > Comma separated list of repositories that Atlantis will operate on, ex.
'github.com/runatlantis/atlantis,github.mycompany.com/*'. The format is
{hostname}/{owner}/{repo}. '*' denotes any string until the next comma and
can be used to whitelist all repos (not recommended) or an entire hostname
or organization.
--require-approval > Require pull requests to be "Approved" before allowing the apply command
to be run.
--ssl-cert-file string > File containing x509 Certificate used for serving HTTPS. If the cert is
signed by a CA, the file should be the concatenation of the server's
certificate, any intermediates, and the CA's certificate.
--ssl-key-file string > File containing x509 private key matching --ssl-cert-file.
To look like
Start the atlantis server
Flags can also be set in a yaml config file (see --config).
Config file values are overridden by environment variables which in turn are overridden by flags.
Usage:
atlantis server [flags]
Flags:
--allow-fork-prs Allow Atlantis to run on pull requests from forks. A security issue for
public repos.
--atlantis-url string URL that Atlantis can be reached at. Defaults to http://$(hostname):$port
where $port is from --port.
--config string Path to config file.
--data-dir string Path to directory to store Atlantis data. (default "~/.atlantis")
--gh-hostname string Hostname of your Github Enterprise installation. If using github.com, no
need to set. (default "github.com")
--gh-token string GitHub token of API user. Can also be specified via the ATLANTIS_GH_TOKEN
environment variable.
--gh-user string GitHub username of API user.
--gh-webhook-secret string Secret used to validate GitHub webhooks (see
https://developer.github.com/webhooks/securing/). SECURITY WARNING: If not
specified, Atlantis won't be able to validate that the incoming webhook
call came from GitHub. This means that an attacker could spoof calls to
Atlantis and cause it to perform malicious actions. Should be specified via
the ATLANTIS_GH_WEBHOOK_SECRET environment variable.
--gitlab-hostname string Hostname of your GitLab Enterprise installation. If using gitlab.com, no
need to set. (default "gitlab.com")
--gitlab-token string GitLab token of API user. Can also be specified via the
ATLANTIS_GITLAB_TOKEN environment variable.
--gitlab-user string GitLab username of API user.
--gitlab-webhook-secret string Optional secret used to validate GitLab webhooks. SECURITY WARNING: If not
specified, Atlantis won't be able to validate that the incoming webhook
call came from GitLab. This means that an attacker could spoof calls to
Atlantis and cause it to perform malicious actions. Should be specified via
the ATLANTIS_GITLAB_WEBHOOK_SECRET environment variable.
-h, --help help for server
--log-level string Log level. Either debug, info, warn, or error. (default "info")
--port int Port to bind to. (default 4141)
--repo-whitelist string Comma separated list of repositories that Atlantis will operate on, ex.
'github.com/runatlantis/atlantis,github.mycompany.com/*'. The format is
{hostname}/{owner}/{repo}. '*' denotes any string until the next comma and
can be used to whitelist all repos (not recommended) or an entire hostname
or organization.
--require-approval Require pull requests to be "Approved" before allowing the apply command to
be run.
--ssl-cert-file string File containing x509 Certificate used for serving HTTPS. If the cert is
signed by a CA, the file should be the concatenation of the server's
certificate, any intermediates, and the CA's certificate.
--ssl-key-file string File containing x509 private key matching --ssl-cert-file.
Greetings,
I have started diving into Terraform and Atlantis. One issue that isn't very clear is how Atlantis supports the multiple "projects" repository layout and separate state files for each.
I want this layout with each "project" having its own state file.
.
├── staging
│   ├── main.tf
│   └── ...
├── production
│   ├── main.tf
│   └── ...
└── modules
    ├── module_1
    └── ...
I can't tell from the documentation how Atlantis will handle it if at all. If it does, how does this work with a backend for each to separate the state files?
Issue by @robertlabrie
Thursday Oct 19, 2017 at 18:00 GMT
Migrated from hootsuite/atlantis#163
In server.go, it doesn't feel like it'd hurt to do things like ATLANTIS_GH_USER etc. Two use cases:
Enable users to apply all outstanding plans with a command something like atlantis apply -w * -d *. Exact command to be determined.
When auto plan is implemented, the need for an atlantis plan -w * would be less likely. This is also harder to implement since we need to figure out what your workspaces and dirs are.
PR status updates wouldn't work for me until I added our Atlantis Github user to the repo with Write access.
Add a note in the Github configuration section of the README.
Issue by @lkysow
Friday Nov 17, 2017 at 04:14 GMT
Migrated from hootsuite/atlantis#200
Issue by @lkysow
Monday Aug 07, 2017 at 15:07 GMT
Migrated from hootsuite/atlantis#103
Feature request. See: https://twitter.com/raphink/status/894574763510833156
Issue by @lkysow
Monday Sep 04, 2017 at 01:47 GMT
Migrated from hootsuite/atlantis#141
With the latest terraform >= 0.9 providers come as plugins that need to be downloaded. Right now, we're using terraform init which downloads the plugins into the current directory under .terraform/plugins/{os}_{runtime} for every project.
If we move the downloaded plugin to ~/.terraform.d/plugins/ (or ~/.terraform.d/plugins/{os}_{runtime}) then terraform won't download the plugin again for any project.
So my proposed solution is:
- terraform init, check if there are any files in {pwd}/.terraform/plugins/os_runtime other than lock.json. If so, move all of them to ~/.terraform.d/plugins/.
Now tf will check ~/.terraform.d/plugins/ before downloading any plugins so it will be back up to speed. Since tf will download any plugins that aren't already existing, we can rely on it to do the downloading.
Issue by @johntdyer
Thursday Nov 09, 2017 at 21:57 GMT
Migrated from hootsuite/atlantis#187
Hey guys,
So atlantis plan appears to be doing a plan w/ an old version of one of our modules. I am wondering if there is any way to force atlantis to run terraform get -update=true before the plan? Perhaps I am missing something fundamental?
Issue by @eriksw
Tuesday Feb 27, 2018 at 18:42 GMT
Migrated from hootsuite/atlantis#247
Please document how you want security vulnerabilities to be reported.
Something like the "Reporting Security Issues" section in moby's CONTRIBUTING.md would be enough.
You can set a required terraform version: https://www.terraform.io/docs/configuration/terraform.html
terraform {
  required_version = "> 0.7.0"
}
Atlantis should support detecting this and using this version. This would mean users don't have to also update the terraform_version in their atlantis.yaml files.
The logic should be:
- terraform_version is set in atlantis.yaml, use that
- terraform binary
Currently Atlantis locks a specific repo/directory/workspace combination. So if you run plan in subdir/ for workspace default in runatlantis/atlantis, another pull request will be able to run plan in subdir/ for workspace new in runatlantis/atlantis. This needs to be configurable.
From @lorenzoaiello they would like to be able to lock all directories and workspaces when there's a plan. This is because they have small repos and so if there's a change going on in any of the directories they would like the whole repo locked.
From @grobie, his team would like to completely disable locking because they use a mono-repo and so it would be too disruptive to lock things. He'd like plan to always be available.
Issue by @robertlabrie
Thursday Oct 19, 2017 at 12:21 GMT
Migrated from hootsuite/atlantis#162
Would be great if merging a PR triggered a terraform apply
Issue by @lkysow
Thursday Jun 29, 2017 at 02:29 GMT
Migrated from hootsuite/atlantis#53
None
If a user types terraform plan or atlantis badcommand it would be nice to comment back on the pull request with an error. Otherwise the user might wait until they realize it was wrong.
I think we should comment back on:
terraform\s.*
atlantis\s.*
Issue by @tsiq-cejas
Wednesday Feb 21, 2018 at 19:30 GMT
Migrated from hootsuite/atlantis#246
Is there any way to disable/control who can trigger an atlantis apply?
Issue by @anubhavmishra
Monday Jun 26, 2017 at 06:05 GMT
Migrated from hootsuite/atlantis#50
Currently, atlantis ignores certain folders such as _modules/ and modules/ but we want to extend this to ignore any folder that has a .atlantisignore file or something along those lines. https://github.com/hootsuite/atlantis/blob/master/server/plan_executor.go#L196
Issue by @anubhavmishra
Wednesday May 31, 2017 at 18:52 GMT
Migrated from hootsuite/atlantis#7
Hi!
I have been playing with a multi-project repository (dev, prod), and I cannot find a way to execute plan or apply only for a specific project.
When I run atlantis plan I get the following message:
To perform exactly these actions, run the following command to apply:
terraform apply "/tmp/atlantis/data/repos/psalaberria002/atlantis-example/2/default/prod/default.tfplan"
I would like to do atlantis apply "/tmp/atlantis/data/repos/psalaberria002/atlantis-example/2/default/prod/default.tfplan".
Is there a way to do this currently in Atlantis? Maybe there is an existing flag I have missed.
Thank you.
Upgraded from 0.2.4 to 0.3.3 last night and it appears as though there is a significant downtick in the number of parallel processing it can handle. The release notes don't seem to show anything specific, has someone noticed any performance impacts post-upgrade?
Issue by @raphink
Wednesday Aug 16, 2017 at 15:57 GMT
Migrated from hootsuite/atlantis#125
It'd be great to support gogs!
Issue by @kiranpraneeth
Tuesday Feb 06, 2018 at 22:48 GMT
Migrated from hootsuite/atlantis#243
It would be great if we could have OAuth callback ability in Atlantis. That would avoid us having to rely on our own HTTP auth methods and let us just use GitHub OAuth to authenticate users to Atlantis. I looked at closed and open issues but didn't find any issues in regards to OAuth. Can you throw some light on this?
Thanks
Atlantis should include the timing of each step to help debug why plan/apply is taking a certain amount of time.
It would be great if we had the ability to "force" a plan and/or apply to bypass the following error:
"Plan Failed: No Terraform files were modified."
The use case in our case, is we store userdata files, and policy statements as flat files using the terraform file function, so despite there being changes in those files, Atlantis won't re-run without adding a whitespace or some other irrelevant change to the TF stack.
I have a question regarding the new repo whitelist functionality.
README.md states:
--repo-whitelist
If someone stole your webhook secret or you don't have any set, they could make Atlantis perform actions on their repository. To mitigate this, you can run Atlantis with --repo-whitelist and whitelist which repositories Atlantis acts on. See atlantis server --help for more details.
But the release notes states:
Must set --repo-whitelist in order to start atlantis server. See atlantis server --help for how that flag works.
Combined, I am unclear as to whether this new flag is REQUIRED or OPTIONAL. I would assume that it is optional (our use case we would never want to explicitly whitelist), but want to confirm.
I have a repository where there are several changes; when I run the atlantis plan step the plan passes but no plan output is commented on the pull request. I believe this may be due to the length of the output.
If I run atlantis plan with -target=some.resource the plan passes and output is commented as expected. The full plan output is never posted. tfplan files are created as expected.
I am running Atlantis in a container FROM runatlantis/atlantis. I started atlantis server with --log-level debug but it does not show any comment posts from atlantis to github.
Issue by @lkysow
Monday Jan 29, 2018 at 22:09 GMT
Migrated from hootsuite/atlantis#238
As reported in #237 pre/post commands should have their working directories set to the project root that they're operating on.
Hello,
I don't suppose you could remove this from being a fork of the original?
Minor issue, but on a fork it seems you can't do searches on GitHub, so when I was looking for how the Slack integration worked, you are unable to do a code search, which means I need to clone the repo and do local searches.
Not a massive problem but worth considering.
Issue by @so0k
Monday Jan 29, 2018 at 06:59 GMT
Migrated from hootsuite/atlantis#235
Is there any way to redact Atlantis output into the PR comments?
In our company there is a concern with secrets in PR comments and we would need finer control over the comments created by Atlantis.
For Terraform, opencredo/terrahelp provides masking functionality by piping Terraform output through it and masking any variables that are in the tfvars file.
At this stage I see 2 options:
or maybe there is a workaround I'm not seeing?
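As an added example of the terrahelp-style masking described in this issue (example code, not terrahelp's or Atlantis's own), the Go program below reads the string assignments from a tfvars file and replaces every one of those values in plan output with "***" before it would be posted as a comment. The tfvars/plan samples, the minimum value length and the flat `key = "value"` parser are constructed for this demo; real HCL has more syntax.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// assignRe matches flat tfvars lines of the form key = "value". Maps, lists
// and heredocs are ignored by this demo parser.
var assignRe = regexp.MustCompile(`^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*"((?:[^"\\]|\\.)*)"\s*$`)

// ParseTfvars returns every string variable found in the tfvars source.
func ParseTfvars(src string) map[string]string {
	vars := map[string]string{}
	for _, line := range strings.Split(src, "\n") {
		if m := assignRe.FindStringSubmatch(line); m != nil {
			vars[m[1]] = m[2]
		}
	}
	return vars
}

// minLen skips very short values: masking a value like "y" would shred the
// whole output, and such values carry no secret anyway (assumption of this demo).
const minLen = 4

// MaskOutput replaces every tfvars value that appears in output with "***".
// Longer values are replaced first so that a value containing another value
// is masked whole instead of leaving fragments around a "***".
func MaskOutput(output string, vars map[string]string) string {
	vals := make([]string, 0, len(vars))
	for _, v := range vars {
		if len(v) >= minLen {
			vals = append(vals, v)
		}
	}
	sort.Slice(vals, func(i, j int) bool {
		if len(vals[i]) != len(vals[j]) {
			return len(vals[i]) > len(vals[j])
		}
		return vals[i] < vals[j] // deterministic order for equal lengths
	})
	for _, v := range vals {
		output = strings.ReplaceAll(output, v, "***")
	}
	return output
}

func main() {
	// Constructed tfvars and plan output; the password is not a real secret.
	tfvars := "db_password = \"hunter2-constructed\"\ndb_user = \"admin\"\nregion = \"us-east-1\"\n"
	plan := "+ aws_db_instance.main\n    password: \"hunter2-constructed\"\n    username: \"admin\"\n    region:   \"us-east-1\"\n"
	fmt.Print(MaskOutput(plan, ParseTfvars(tfvars)))
}
```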