
terraform-aws-atlantis's Introduction

Atlantis on AWS Fargate Terraform Module


Atlantis is a tool which provides a unified workflow for collaborating on Terraform through GitHub, GitLab and Bitbucket Cloud.

Before using Atlantis and the code in this repository, please make sure that you have read and understood the security implications described in the official Atlantis documentation.

Usage

GitHub is shown below in usage examples; however, any git provider supported by Atlantis can be used by simply using the correct Atlantis environment variables and configuring the respective webhook for the given git provider.

See the Supplemental Docs for additional details on integrating with git providers.

GitHub Complete

The Atlantis module creates all resources required to run Atlantis on AWS Fargate.

```hcl
module "atlantis" {
  source  = "terraform-aws-modules/atlantis/aws"

  name = "atlantis"

  # ECS Container Definition
  atlantis = {
    environment = [
      {
        name  = "ATLANTIS_GH_USER"
        value = "myuser"
      },
      {
        # Only repositories matching this allowlist can trigger Atlantis
        name  = "ATLANTIS_REPO_ALLOWLIST"
        value = "github.com/terraform-aws-modules/*"
      },
    ]
    # Secret values are fetched by ECS at task start; only the ARNs appear in the task definition
    secrets = [
      {
        name      = "ATLANTIS_GH_TOKEN"
        valueFrom = "arn:aws:secretsmanager:eu-west-1:111122223333:secret:aes256-7g8H9i"
      },
      {
        name      = "ATLANTIS_GH_WEBHOOK_SECRET"
        valueFrom = "arn:aws:secretsmanager:eu-west-1:111122223333:secret:aes192-4D5e6F"
      },
    ]
  }

  # ECS Service
  service = {
    # The task execution role must be allowed to read every secret referenced above
    task_exec_secret_arns = [
      "arn:aws:secretsmanager:eu-west-1:111122223333:secret:aes256-7g8H9i",
      "arn:aws:secretsmanager:eu-west-1:111122223333:secret:aes192-4D5e6F",
    ]
    # Provide Atlantis permission necessary to create/destroy resources.
    # AdministratorAccess is the broadest choice; anyone who can get a plan/apply past
    # Atlantis inherits it, so scope the task role to what the managed code needs.
    tasks_iam_role_policies = {
      AdministratorAccess = "arn:aws:iam::aws:policy/AdministratorAccess"
    }
  }
  service_subnets = ["subnet-xyzde987", "subnet-slkjf456", "subnet-qeiru789"]
  vpc_id          = "vpc-1234556abcdef"

  # ALB
  alb_subnets             = ["subnet-abcde012", "subnet-bcde012a", "subnet-fghi345a"]
  certificate_domain_name = "example.com"
  route53_zone_id         = "Z2ES7B9AZ6SHAE"

  tags = {
    Environment = "dev"
    Terraform   = "true"
  }
}
```

GitHub Separate

The Atlantis module creates most of the resources required to run Atlantis on AWS Fargate, except for the ECS cluster and ALB. This allows you to integrate Atlantis with your existing AWS infrastructure.

```hcl
module "atlantis" {
  source  = "terraform-aws-modules/atlantis/aws"

  name = "atlantis"

  # Existing cluster
  create_cluster = false
  cluster_arn    = "arn:aws:ecs:eu-west-1:123456789012:cluster/default"

  # Existing ALB
  create_alb            = false
  alb_target_group_arn  = "arn:aws:elasticloadbalancing:eu-west-1:1234567890:targetgroup/bluegreentarget1/209a844cd01825a4"
  alb_security_group_id = "sg-12345678"

  # ECS Container Definition
  atlantis = {
    environment = [
      {
        name  = "ATLANTIS_GH_USER"
        value = "myuser"
      },
      {
        name  = "ATLANTIS_REPO_ALLOWLIST"
        value = "github.com/terraform-aws-modules/*"
      },
    ]
    secrets = [
      {
        name      = "ATLANTIS_GH_TOKEN"
        valueFrom = "arn:aws:secretsmanager:eu-west-1:111122223333:secret:aes256-7g8H9i"
      },
      {
        name      = "ATLANTIS_GH_WEBHOOK_SECRET"
        valueFrom = "arn:aws:secretsmanager:eu-west-1:111122223333:secret:aes192-4D5e6F"
      },
    ]
  }

  # ECS Service
  service = {
    # Must list every secret ARN referenced in the container definition
    task_exec_secret_arns = [
      "arn:aws:secretsmanager:eu-west-1:111122223333:secret:aes256-7g8H9i",
      "arn:aws:secretsmanager:eu-west-1:111122223333:secret:aes192-4D5e6F",
    ]
    # Provide Atlantis permission necessary to create/destroy resources
    # (AdministratorAccess shown for brevity; scope this down in production)
    tasks_iam_role_policies = {
      AdministratorAccess = "arn:aws:iam::aws:policy/AdministratorAccess"
    }
  }
  service_subnets = ["subnet-xyzde987", "subnet-slkjf456", "subnet-qeiru789"]
  vpc_id          = "vpc-1234556abcdef"

  tags = {
    Environment = "dev"
    Terraform   = "true"
  }
}
```

Utilize EFS for Persistent Storage

You can enable EFS so that plan outputs persist if the Atlantis task is replaced:

```hcl
module "atlantis" {
  source  = "terraform-aws-modules/atlantis/aws"

  # Truncated for brevity ...

  # EFS
  enable_efs = true
  efs = {
    mount_targets = {
      "eu-west-1a" = {
        subnet_id = "subnet-xyzde987"
      }
      "eu-west-1b" = {
        subnet_id = "subnet-slkjf456"
      }
      "eu-west-1c" = {
        subnet_id = "subnet-qeiru789"
      }
    }
  }
}
```

Supply Atlantis server configuration

server-atlantis.yaml

```yaml
repos:
  - id: /.*/
    # Lets a repo's own atlantis.yaml define run steps, i.e. commands executed on the
    # server by anyone who can open a PR. Read the Atlantis security docs before
    # enabling this for a catch-all id such as /.*/.
    allow_custom_workflows: true
    allowed_overrides:
      - apply_requirements
      - workflow
    apply_requirements:
      - approved
    workflow: default
```

main.tf

```hcl
module "atlantis" {
  source  = "terraform-aws-modules/atlantis/aws"

  # ...

  atlantis = {
    environment = [
      {
        name  = "ATLANTIS_REPO_CONFIG_JSON"
        value = jsonencode(yamldecode(file("${path.module}/server-atlantis.yaml")))
      },
    ]
  }
}
```
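A pre-flight check for the server-side config above, added here as an example; it is not code from the module or from Atlantis. It holds the decoded form of `server-atlantis.yaml` as a Python literal (what `yamldecode(file(...))` yields, embedded so no YAML library is needed), produces the same compact JSON that `jsonencode` feeds into `ATLANTIS_REPO_CONFIG_JSON`, and flags the settings that widen what a pull-request author can do: `allow_custom_workflows`, an overridable `apply_requirements`, and a catch-all `id`. The `SCOPED_CONFIG` variant and the lint rules are this example's own policy, not something the module enforces.

```python
"""Lint an Atlantis server-side repo config before it is handed to the module.

Added example, not part of terraform-aws-atlantis or Atlantis itself.
"""
import json

# Constructed: the decoded form of the server-atlantis.yaml shown above,
# i.e. what yamldecode(file("server-atlantis.yaml")) returns.
SERVER_CONFIG = {
    "repos": [
        {
            "id": "/.*/",
            "allow_custom_workflows": True,
            "allowed_overrides": ["apply_requirements", "workflow"],
            "apply_requirements": ["approved"],
            "workflow": "default",
        }
    ]
}

# Constructed: a tighter variant with an exact repo id and no custom workflows.
SCOPED_CONFIG = {
    "repos": [
        {
            "id": "github.com/terraform-aws-modules/terraform-aws-atlantis",
            "apply_requirements": ["approved", "mergeable"],
            "workflow": "default",
        }
    ]
}


def to_repo_config_json(config):
    """Equivalent of jsonencode(yamldecode(...)): the ATLANTIS_REPO_CONFIG_JSON value."""
    return json.dumps(config, separators=(",", ":"), sort_keys=True)


def is_regex_id(repo_id):
    """Atlantis treats an id wrapped in slashes as a regular expression."""
    return len(repo_id) >= 2 and repo_id.startswith("/") and repo_id.endswith("/")


def matches_everything(repo_id):
    """True for regex ids that match any repository (/.*/, /.+/, //)."""
    return is_regex_id(repo_id) and repo_id[1:-1] in (".*", ".+", "")


def lint_repo_config(config):
    """Return one finding per setting that widens what a PR author can do."""
    findings = []
    for i, repo in enumerate(config.get("repos", [])):
        rid = repo.get("id", "")
        where = f"repos[{i}] id={rid}"
        overrides = set(repo.get("allowed_overrides", []))
        reqs = repo.get("apply_requirements", [])
        if repo.get("allow_custom_workflows"):
            findings.append(f"{where}: allow_custom_workflows=true lets a repo's atlantis.yaml "
                            "define run steps, so anyone who can open a PR can run commands on the server")
        if "apply_requirements" in overrides:
            findings.append(f"{where}: apply_requirements is overridable, so a repo's atlantis.yaml "
                            f"can drop the server-side {reqs} requirement")
        if "workflow" in overrides:
            findings.append(f"{where}: workflow is overridable; a repo may select any server-defined workflow")
        if "approved" not in reqs and "mergeable" not in reqs:
            findings.append(f"{where}: no approved/mergeable apply requirement; apply can run on an unreviewed PR")
        if matches_everything(rid) and (repo.get("allow_custom_workflows") or overrides):
            findings.append(f"{where}: these settings apply to every repository on the server; "
                            "scope them with exact ids or a narrower regex")
    return findings


if __name__ == "__main__":
    for name, cfg in (("server-atlantis.yaml", SERVER_CONFIG), ("scoped", SCOPED_CONFIG)):
        print(f"== {name}: {to_repo_config_json(cfg)}")
        for f in lint_repo_config(cfg) or ["no findings"]:
            print("  -", f)
```

Run it against the decoded config in CI before `terraform apply`; a non-empty finding list for a config that is meant to be locked down is the signal to stop.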

Examples

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.0 |

Providers

No providers.

Modules

| Name | Source | Version |
|------|--------|---------|
| acm | terraform-aws-modules/acm/aws | 5.0.0 |
| alb | terraform-aws-modules/alb/aws | 9.1.0 |
| ecs_cluster | terraform-aws-modules/ecs/aws//modules/cluster | 5.11.0 |
| ecs_service | terraform-aws-modules/ecs/aws//modules/service | 5.11.0 |
| efs | terraform-aws-modules/efs/aws | 1.3.1 |

Resources

No resources.

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| alb | Map of values passed to ALB module definition. See the ALB module for full list of arguments supported | any | {} | no |
| alb_https_default_action | Default action for the ALB HTTPS listener | any | {"forward": {"target_group_key": "atlantis"}} | no |
| alb_security_group_id | ID of an existing security group that will be used by ALB. Required if create_alb is false | string | "" | no |
| alb_subnets | List of subnets to place ALB in. Required if create_alb is true | list(string) | [] | no |
| alb_target_group_arn | ARN of an existing ALB target group that will be used to route traffic to the Atlantis service. Required if create_alb is false | string | "" | no |
| atlantis | Map of values passed to Atlantis container definition. See the ECS container definition module for full list of arguments supported | any | {} | no |
| atlantis_gid | GID of the atlantis user | number | 1000 | no |
| atlantis_uid | UID of the atlantis user | number | 100 | no |
| certificate_arn | ARN of certificate issued by AWS ACM. If empty, a new ACM certificate will be created and validated using Route53 DNS | string | "" | no |
| certificate_domain_name | Route53 domain name to use for ACM certificate. Route53 zone for this domain should be created in advance. Specify if it is different from value in route53_zone_name | string | "" | no |
| cluster | Map of values passed to ECS cluster module definition. See the ECS cluster module for full list of arguments supported | any | {} | no |
| cluster_arn | ARN of an existing ECS cluster where resources will be created. Required when create_cluster is false | string | "" | no |
| create | Controls if resources should be created (affects nearly all resources) | bool | true | no |
| create_alb | Determines whether to create an ALB or not | bool | true | no |
| create_certificate | Determines whether to create an ACM certificate or not. If false, certificate_arn must be provided | bool | true | no |
| create_cluster | Whether to create an ECS cluster or not | bool | true | no |
| create_route53_records | Determines whether to create Route53 A and AAAA records for the load balancer | bool | true | no |
| efs | Map of values passed to EFS module definition. See the EFS module for full list of arguments supported | any | {} | no |
| enable_efs | Determines whether to create and utilize an EFS filesystem | bool | false | no |
| name | Common name to use on all resources created unless a more specific name is provided | string | "atlantis" | no |
| route53_record_name | Name of Route53 record to create ACM certificate in and main A-record. If null is specified, var.name is used instead. Provide empty string to point root domain name to ALB. | string | null | no |
| route53_zone_id | Route53 zone ID to use for ACM certificate and Route53 records | string | "" | no |
| service | Map of values passed to ECS service module definition. See the ECS service module for full list of arguments supported | any | {} | no |
| service_subnets | List of subnets to place ECS service within | list(string) | [] | no |
| tags | A map of tags to add to all resources | map(string) | {} | no |
| validate_certificate | Determines whether to validate ACM certificate using Route53 DNS. If false, certificate will be created but not validated | bool | true | no |
| vpc_id | ID of the VPC where the resources will be provisioned | string | "" | no |

Outputs

| Name | Description |
|------|-------------|
| alb | ALB created and all of its associated outputs |
| cluster | ECS cluster created and all of its associated outputs |
| efs | EFS created and all of its associated outputs |
| service | ECS service created and all of its associated outputs |
| url | URL of Atlantis |

Authors

Module is maintained by Anton Babenko with help from these awesome contributors.

License

Apache 2 Licensed. See LICENSE for full details.

Additional information for users from Russia and Belarus

terraform-aws-atlantis's People

Contributors

affelaffen, amitch23, antonbabenko, betajobot, bodgit, bryantbiggs, chenrui333, chtakahashi, dev-slatto, doomhammer, dynamike, gozer, henworth, johnlinvc, jychen7, kilbergr, lazzurs, lopezm1, marcoceppi, markiannucci, martinmosegaard, mwarkentin, nitrocode, onebadsanta, ryanoolala, semantic-release-bot, smiller171, snovikov, titanlien, x-guardian


terraform-aws-atlantis's Issues

Integrate Atlantis with terraform-aws-modules repositories

To-do:

  • Run Atlantis service on AWS using terraform-aws-atlantis
  • Once PR is created - run atlantis plan automatically
  • Allow atlantis apply only for specific github accounts to execute examples
  • Run terraform destroy for the executed examples once PR is merged to cleanup resources
  • Make generic atlantis.yaml which suits all terraform-aws-modules

How to set credentials for this module?

When running terraform in my work environment, I need to switch accounts for different projects. My $HOME/.aws/credentials provides 6-7 sets of profiles, and I need to specify which one when I invoke AWS CLI commands. How can I integrate this situation when using this module?

No space left on device when running atlantis plan

We are running Atlantis on Fargate via this module. Recently, we started to get this error on running an atlantis plan:

running git clone --branch patch/rds_alerts_raw_delivery --depth=1 --single-branch https://atlantis-bot:<redacted>@github.com/<redacted>/terraform.git /home/atlantis/.atlantis/repos/<redacted>/terraform/293/default: Cloning into '/home/atlantis/.atlantis/repos/<redacted>/terraform/293/default'...
error: unable to write file _legacy/permissions/policies/README.md
error: unable to write file _legacy/permissions/policies/step_functions_start_stop_execution.tf
error: unable to write file _legacy/permissions/role_policy_attachments.tf
fatal: cannot create directory at '_legacy/permissions/roles': No space left on device
warning: Clone succeeded, but checkout failed.
You can inspect what was checked out with 'git status'
and retry the checkout with 'git checkout -f HEAD'

: exit status 128

This indicates that the instance is out of disk space, but I don't see any way to increase the disk size in the module inputs. What should we do to address this?

aws codecommit support as a git host

We use codecommit to save our state file + tfvars. I am wondering if we can use atlantis to manage our gitops workflow.
Could codecommit be used as a git host like github or bitbucket?

Limit ALB SG ingress to GH only (via input variable)

ingress_cidr_blocks = ["0.0.0.0/0"]

I found that opening Atlantis to the world is risky and inline with the principle of least privilege.
So I restricted it to the CIDR blocks that Github advertises as their own on https://api.github.com/meta
in addition to perhaps the office network, bastion for instance.

PS: I know Atlantis uses the --repo-whitelist but adding another layer of (network) security doesn't harm IMO...
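An added example for the restriction suggested in this issue; it is not part of the module or of the issue itself. Given the `hooks` entries of https://api.github.com/meta (a constructed stand-in using documentation-only prefixes is embedded so it runs offline), it collapses them together with any extra ranges into per-IP-version allow-lists, renders one ingress rule per CIDR in the `cidr_ipv4`/`cidr_ipv6` shape (the rule-map layout is an assumption about the ALB module's security-group input; check that module's docs), and tests whether a source address would get through. Two caveats the check makes visible: GitHub's ranges change, so the list has to be re-fetched rather than frozen, and the network allow-list only limits who can reach `/events`; authenticating each delivery is still the webhook secret's job.

```python
"""Build an ALB ingress allow-list from GitHub's published webhook source ranges.

Added example, not code from terraform-aws-atlantis or from the issue author.
"""
import ipaddress
import json

# Constructed stand-in for the "hooks" and "web" keys of https://api.github.com/meta.
# The real document lists GitHub's current ranges; these are RFC 5737 / RFC 3849
# documentation prefixes so the example runs without network access.
META_JSON = json.dumps({
    "hooks": ["192.0.2.0/24", "198.51.100.0/25", "2001:db8:1::/48"],
    "web": ["203.0.113.0/24"],
})

# Constructed: an office egress address you also want to allow (hypothetical).
EXTRA_ALLOWED = ["203.0.113.200/32"]


def hook_networks(meta_json, extra=()):
    """Parse the meta document and return (ipv4, ipv6) lists of collapsed networks
    drawn from the "hooks" key plus any extra ranges. "web" is deliberately
    ignored: it is where github.com is served from, not where webhooks originate."""
    meta = json.loads(meta_json)
    nets = [ipaddress.ip_network(c, strict=True) for c in meta.get("hooks", [])]
    nets += [ipaddress.ip_network(c, strict=True) for c in extra]
    v4 = list(ipaddress.collapse_addresses(n for n in nets if n.version == 4))
    v6 = list(ipaddress.collapse_addresses(n for n in nets if n.version == 6))
    return v4, v6


def ingress_rules(meta_json, extra=(), port=443):
    """Render one TCP ingress rule per CIDR for the ALB security group.
    The key names (from_port/to_port/ip_protocol/cidr_ipv4/cidr_ipv6) are an
    assumption about the module's rule-map input; adapt them to your module."""
    v4, v6 = hook_networks(meta_json, extra)
    rules = {}
    for i, n in enumerate(v4):
        rules[f"gh_v4_{i}"] = {"from_port": port, "to_port": port,
                               "ip_protocol": "tcp", "cidr_ipv4": str(n)}
    for i, n in enumerate(v6):
        rules[f"gh_v6_{i}"] = {"from_port": port, "to_port": port,
                               "ip_protocol": "tcp", "cidr_ipv6": str(n)}
    return rules


def is_allowed_source(addr, meta_json, extra=()):
    """True if addr falls inside an allowed network; anything else would be
    dropped by the security group before it reaches the ALB listener."""
    ip = ipaddress.ip_address(addr)
    v4, v6 = hook_networks(meta_json, extra)
    return any(ip in n for n in (v4 if ip.version == 4 else v6))


if __name__ == "__main__":
    print(json.dumps(ingress_rules(META_JSON, EXTRA_ALLOWED), indent=2))
    for probe in ("192.0.2.77", "203.0.113.5", "2001:db8:1::abcd"):
        print(probe, "allowed" if is_allowed_source(probe, META_JSON, EXTRA_ALLOWED) else "blocked")
```

In practice the `META_JSON` input is the live response from https://api.github.com/meta fetched at plan time or on a schedule; feeding the rendered rule map into the ALB module's security-group input (via the module's `alb` map) replaces the `0.0.0.0/0` ingress quoted above. Keep the webhook secret in place regardless: a narrowed source range is defence in depth, not authentication.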

aws_iam_role_policy_attachment.ecs_task_execution: value of 'count' cannot be computed

Adding an additional iam policy via the policies_arn variable throws the error in the issue description when that additional policy arn is computed:

module "atlantis" {
  source  = "terraform-aws-modules/atlantis/aws"
  version = "1.13.0"
  name               = "atlantis"
...
...
  policies_arn               = ["arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy", "${aws_iam_policy.atlantis_run_terraform_policy.arn}"]
}

Per hashicorp/terraform#10857, this is Terraform's desired behavior, because we are "performing a function call length on a computed value" and we're trying to call length before that value is computed (or the resource created).

length is called here -- https://github.com/terraform-aws-modules/terraform-aws-atlantis/blob/master/main.tf#L331

Workaround is to create aws_iam_policy.atlantis_run_terraform_policy first, then add it to the module's policies_arn var on a subsequent terraform apply run. It can't be created and applied in a single run.

Cannot reuse existing VPC and existing subnets.

I am using version 1.12.0 of the module.

When I use the module with this configuration, I get an error. Some details are obscured with asterisks.

module "atlantis" {
  source  = "terraform-aws-modules/atlantis/aws"
  version = "1.12.0"

  name = "atlantis"

  # VPC
  vpc_id             = "${data.aws_vpc.vpc.id}"
  private_subnet_ids = ["${data.aws_subnet_ids.private.ids}"]
  public_subnet_ids  = ["${data.aws_subnet_ids.public.ids}"]

  # DNS (without trailing dot)
  route53_zone_name = "****.com"

  certificate_arn = "${data.aws_acm_certificate.star_star_star_star_com.arn}"

  # Atlantis
  atlantis_repo_whitelist    = ["gitlab.****.com/terraform/*"]
  atlantis_gitlab_user       = "****"
  atlantis_gitlab_user_token = "****"
}

Outcome:

17:54 $ terraform plan

Error: module.atlantis.module.vpc.aws_eip.nat: 1 error(s) occurred:

* module.atlantis.module.vpc.aws_eip.nat: element: element() may not be used with an empty list in:

${merge(map("Name", format("%s-%s", var.name, element(var.azs, (var.single_nat_gateway ? 0 : count.index)))), var.tags, var.nat_eip_tags)}



Error: module.atlantis.module.vpc.aws_vpc_ipv4_cidr_block_association.this: 1 error(s) occurred:

* module.atlantis.module.vpc.aws_vpc_ipv4_cidr_block_association.this: element: element() may not be used with an empty list in:

${element(var.secondary_cidr_blocks, count.index)}



Error: module.atlantis.module.vpc.aws_vpc.this: expected cidr_block to contain a valid CIDR, got:  with err: invalid CIDR address: 

Investigate - Parallel executions, locking

Investigate what to do when multiple comments are sent to Atlantis.

What about locking?

Will there be a need to resolve cold starts (eg, use GitHub -> SQS -> SNS -> Lambda -> Fargate) ?

Redirect HTTP to HTTPS on the ALB

Redirect ingress on port 80 HTTP to port 443 HTTPS.

Opening the atlantis page in a browser simply times out but should be redirected to HTTPS.

Does Not Support Govcloud

Error: Error putting IAM role policy ECSTaskAccessSecretsPolicy: MalformedPolicyDocument: Partition "aws" is not valid for resource "arn:aws:ssm:us-gov-east-1:account:parameter/atlantis/webhook/secret".
	status code: 400, request id: a30c5ba6-2e10-4841-afc2-7ae4d5806024

  on .terraform/modules/atlantis/terraform-aws-modules-terraform-aws-atlantis-b97e816/main.tf line 388, in resource "aws_iam_role_policy" "ecs_task_access_secrets":
 388: resource "aws_iam_role_policy" "ecs_task_access_secrets" {

I assume part of this is to blame.

data "aws_iam_policy_document" "ecs_task_access_secrets" {

Missing parameters when using own vpc

I'm invoking the module atlantis using following variable settings:

  atlantis_repo_whitelist     = [our primary repository]
  allow_repo_config           = true
  atlantis_allowed_repo_names = []
  atlantis_github_user        = "userbot"
  atlantis_github_user_token  = "EXAMPLE"
  azs                         = "${data.terraform_remote_state.vpc.avail_zones}"
  ecs_service_assign_public_ip = true
  private_subnet_ids            = "${data.terraform_remote_state.vpc.private_subnets}"
  public_subnet_ids             = "${data.terraform_remote_state.vpc.public_subnets}"
  route53_zone_name             = "${data.terraform_remote_state.r53.fqdn}"
  vpc_id                        = "${data.terraform_remote_state.vpc.vpc_id}"

But then I get an error message:
Error: module.atlantis.module.vpc.aws_vpc.this: expected cidr_block to contain a valid CIDR, got: with err: invalid CIDR address:

Easy to inject environments into `container_definitions`

Problem

I need to inject environment variables to the ECS container_definitions regarding the API tokens for different terraform providers (like fastly, pagerduty, etc.)

Ideas

Initially I was thinking to create a new container_definition module to override the existing one.
Per this code, container_definitions = "${var.custom_container_definitions == "" ? module.container_definition.json : var.custom_container_definitions}"

But then I realize it is pretty parameterized already inside this module and what I want is just override the environment list. So I guess maybe I just need to override the list?

What would be the better way?

Provide option to make ALB internal

What it says in the description. In our setup it would be ideal if the load balancer was internal, on the private subnets so it's not publicly routed. It seems like it'd be fairly straightforward to implement.

Add code to work with Gitlab webhooks

Need to add code that allows for use of Gitlab webhooks as well.
So you could use something like:

  # Atlantis
  atlantis_gitlab_user       = "atlantis-bot"
  atlantis_gitlab_user_token = "examplegitlabtoken"
  atlantis_repo_whitelist    = ["gitlab.com/terraform-aws-modules/*"]

How to get atlantis secret without checking tf state file

Hi,

I am currently using the "As a Terraform module" approach, but I could not find a good way to retrieve the token as well as the events URL.

The webhook events URL is easy to set up by appending /events to the domain, but how can I get the token that I need for setting up the repo's webhook?

Right now the github_user and github_user_token are passed in as build env variables:

  # Atlantis
  atlantis_github_user       = "${var.BOT_USERNAME}"
  atlantis_github_user_token = "${var.BOT_TOKEN}"
  atlantis_repo_whitelist    = ["github.com/org/*"]

task_definition version always known after apply

Hello,

While using this module, I get the following message every time I do terraform apply.

~ resource "aws_ecs_service" "atlantis" {
        cluster                            = "arn:aws:ecs:eu-west-1:[REDACTED]:cluster/atlantis"
        deployment_maximum_percent         = 200
        deployment_minimum_healthy_percent = 50
        desired_count                      = 1
        enable_ecs_managed_tags            = false
        health_check_grace_period_seconds  = 0
        iam_role                           = "aws-service-role"
        id                                 = "arn:aws:ecs:eu-west-1:[REDACTED]:service/atlantis"
        launch_type                        = "FARGATE"
        name                               = "atlantis"
        platform_version                   = "LATEST"
        propagate_tags                     = "NONE"
        scheduling_strategy                = "REPLICA"
        tags                               = {}
      ~ task_definition                    = "atlantis:2" -> (known after apply)

Is there any way to avoid this?

The following is my module usage:

module "atlantis" {
  source  = "terraform-aws-modules/atlantis/aws"
  version = "~> 2.0"

  name               = "atlantis"
  vpc_id             = "${aws_vpc.myvpc.id}"
  private_subnet_ids = ["${aws_subnet.private-1a.id}", "${aws_subnet.private-1b.id}", "${aws_subnet.private-1c.id}"]
  public_subnet_ids  = ["${aws_subnet.public-1a.id}", "${aws_subnet.public-1b.id}", "${aws_subnet.public-1c.id}"]

  certificate_arn       = "redacted"
  create_route53_record = false

  atlantis_github_user       = "${local.atlantis_github_username}"
  atlantis_github_user_token = "${local.atlantis_github_access_token}"
  atlantis_repo_whitelist    = ["redacted"]

  ssm_kms_key_arn = "redacted"
}

Problem using pre-created ACM cert (Invalid index)

I am running into the following error when using a pre-existing certificate:

Error: Invalid index

  on .terraform/modules/atlantis.acm/terraform-aws-modules-terraform-aws-acm-566067c/main.tf line 6, in locals:
   6:   validation_domains = [for k, v in aws_acm_certificate.this[0].domain_validation_options : tomap(v) if contains(local.distinct_domain_names, v.domain_name)]
    |----------------
    | aws_acm_certificate.this is empty tuple

The given key does not identify an element in this collection value.

This is an issue with the underlying ACM module, see here. However, there is a PR open for a change to the module.

This occurs if you explicitly supply a certificate ARN when using the atlantis module:

module "atlantis" {
  source  = "terraform-aws-modules/atlantis/aws"
  version = "~> 2.0"

  name = "atlantis"

  # ACM (SSL certificate) 
  certificate_arn = module.acm.this_acm_certificate_arn
...

Error when using an existing VPC.

I believe #50 should be re-opened. I am running into this issue using my own VPC.

Error: module.atlantis11.module.vpc.aws_vpc.this: expected cidr_block to contain a valid CIDR, got:  with err: invalid CIDR address:

I'm not sure I really understand what this line does, https://github.com/terraform-aws-modules/terraform-aws-atlantis/blob/master/main.tf#L148, but I'm not confident that it's NOT trying to create a new VPC. I am specifying a single vpc_id (as a string, not a list) in my module, calling terraform-aws-modules/atlantis/aws

I think a fix would have to be implemented in both the 1.x and 2.x branches of this code. We still have Terraform 11 code in production.

Terraform 0.12 support issue

Attempting to deploy using Terraform 0.12 and running into several alarms.

Terraform implementation:

module "atlantis" {
  source = "terraform-aws-modules/atlantis/aws"

  name = "atlantis"

  # VPC
  vpc_id              = var.vpc_id
  private_subnet_ids  = var.private_subnet_ids
  public_subnet_ids   = var.public_subnet_ids

  # DNS (without trailing dot)
  route53_zone_name = var.zone_name

  # ACM (SSL certificate) - Specify ARN of an existing certificate or new one will be created and validated using Route53 DNS
  acm_certificate_domain_name = var.domain_name
  certificate_arn = var.acm_certificate_arn

  # Atlantis
  atlantis_github_user       = var.github_user
  atlantis_github_user_token_ssm_parameter_name = "/atlantis/user_token"
  atlantis_repo_whitelist    = ["github.com/terraform-aws-modules/*"]
  allow_repo_config = "true"
}
terraform apply

Error: Missing resource instance key

  on .terraform/modules/atlantis.acm/terraform-aws-modules-terraform-aws-acm-4c42634/main.tf line 29, in resource "aws_route53_record" "validation":
  29:   name    = "${aws_acm_certificate.this.domain_validation_options.0.resource_record_name}"

Because aws_acm_certificate.this has "count" set, its attributes must be
accessed on specific instances.

For example, to correlate with indices of a referring resource, use:
    aws_acm_certificate.this[count.index]


Error: Missing resource instance key

  on .terraform/modules/atlantis.acm/terraform-aws-modules-terraform-aws-acm-4c42634/main.tf line 30, in resource "aws_route53_record" "validation":
  30:   type    = "${aws_acm_certificate.this.domain_validation_options.0.resource_record_type}"

Because aws_acm_certificate.this has "count" set, its attributes must be
accessed on specific instances.

For example, to correlate with indices of a referring resource, use:
    aws_acm_certificate.this[count.index]


Error: Missing resource instance key

  on .terraform/modules/atlantis.acm/terraform-aws-modules-terraform-aws-acm-4c42634/main.tf line 34, in resource "aws_route53_record" "validation":
  34:     "${aws_acm_certificate.this.domain_validation_options.0.resource_record_value}",

Because aws_acm_certificate.this has "count" set, its attributes must be
accessed on specific instances.

For example, to correlate with indices of a referring resource, use:
    aws_acm_certificate.this[count.index]


Error: Incorrect attribute value type

  on .terraform/modules/atlantis.alb_http_sg/terraform-aws-modules-terraform-aws-security-group-9c0d748/main.tf line 119, in resource "aws_security_group_rule" "ingress_with_cidr_blocks":
 119:   cidr_blocks     = ["${split(",", lookup(var.ingress_with_cidr_blocks[count.index], "cidr_blocks", join(",", var.ingress_cidr_blocks)))}"]

Inappropriate value for attribute "cidr_blocks": element 0: string required.


Error: Incorrect attribute value type

  on .terraform/modules/atlantis.alb_http_sg/terraform-aws-modules-terraform-aws-security-group-9c0d748/main.tf line 135, in resource "aws_security_group_rule" "computed_ingress_with_cidr_blocks":
 135:   cidr_blocks     = ["${split(",", lookup(var.computed_ingress_with_cidr_blocks[count.index], "cidr_blocks", join(",", var.ingress_cidr_blocks)))}"]

Inappropriate value for attribute "cidr_blocks": element 0: string required.


Error: Incorrect attribute value type

  on .terraform/modules/atlantis.alb_http_sg/terraform-aws-modules-terraform-aws-security-group-9c0d748/main.tf line 151, in resource "aws_security_group_rule" "ingress_with_ipv6_cidr_blocks":
 151:   ipv6_cidr_blocks = ["${split(",", lookup(var.ingress_with_ipv6_cidr_blocks[count.index], "ipv6_cidr_blocks", join(",", var.ingress_ipv6_cidr_blocks)))}"]

Inappropriate value for attribute "ipv6_cidr_blocks": element 0: string
required.


Error: Incorrect attribute value type

  on .terraform/modules/atlantis.alb_http_sg/terraform-aws-modules-terraform-aws-security-group-9c0d748/main.tf line 167, in resource "aws_security_group_rule" "computed_ingress_with_ipv6_cidr_blocks":
 167:   ipv6_cidr_blocks = ["${split(",", lookup(var.computed_ingress_with_ipv6_cidr_blocks[count.index], "ipv6_cidr_blocks", join(",", var.ingress_ipv6_cidr_blocks)))}"]

Inappropriate value for attribute "ipv6_cidr_blocks": element 0: string
required.


Error: Incorrect attribute value type

  on .terraform/modules/atlantis.alb_http_sg/terraform-aws-modules-terraform-aws-security-group-9c0d748/main.tf line 295, in resource "aws_security_group_rule" "egress_with_cidr_blocks":
 295:   cidr_blocks     = ["${split(",", lookup(var.egress_with_cidr_blocks[count.index], "cidr_blocks", join(",", var.egress_cidr_blocks)))}"]

Inappropriate value for attribute "cidr_blocks": element 0: string required.


Error: Incorrect attribute value type

  on .terraform/modules/atlantis.alb_http_sg/terraform-aws-modules-terraform-aws-security-group-9c0d748/main.tf line 311, in resource "aws_security_group_rule" "computed_egress_with_cidr_blocks":
 311:   cidr_blocks     = ["${split(",", lookup(var.computed_egress_with_cidr_blocks[count.index], "cidr_blocks", join(",", var.egress_cidr_blocks)))}"]

Inappropriate value for attribute "cidr_blocks": element 0: string required.


Error: Incorrect attribute value type

  on .terraform/modules/atlantis.alb_http_sg/terraform-aws-modules-terraform-aws-security-group-9c0d748/main.tf line 327, in resource "aws_security_group_rule" "egress_with_ipv6_cidr_blocks":
 327:   ipv6_cidr_blocks = ["${split(",", lookup(var.egress_with_ipv6_cidr_blocks[count.index], "ipv6_cidr_blocks", join(",", var.egress_ipv6_cidr_blocks)))}"]

Inappropriate value for attribute "ipv6_cidr_blocks": element 0: string
required.


Error: Incorrect attribute value type

  on .terraform/modules/atlantis.alb_http_sg/terraform-aws-modules-terraform-aws-security-group-9c0d748/main.tf line 343, in resource "aws_security_group_rule" "computed_egress_with_ipv6_cidr_blocks":
 343:   ipv6_cidr_blocks = ["${split(",", lookup(var.computed_egress_with_ipv6_cidr_blocks[count.index], "ipv6_cidr_blocks", join(",", var.egress_ipv6_cidr_blocks)))}"]

Inappropriate value for attribute "ipv6_cidr_blocks": element 0: string
required.


Error: Incorrect attribute value type

  on .terraform/modules/atlantis.alb_https_sg/terraform-aws-modules-terraform-aws-security-group-0fd7c5a/main.tf line 119, in resource "aws_security_group_rule" "ingress_with_cidr_blocks":
 119:   cidr_blocks     = ["${split(",", lookup(var.ingress_with_cidr_blocks[count.index], "cidr_blocks", join(",", var.ingress_cidr_blocks)))}"]

Inappropriate value for attribute "cidr_blocks": element 0: string required.


Error: Incorrect attribute value type

  on .terraform/modules/atlantis.alb_https_sg/terraform-aws-modules-terraform-aws-security-group-0fd7c5a/main.tf line 135, in resource "aws_security_group_rule" "computed_ingress_with_cidr_blocks":
 135:   cidr_blocks     = ["${split(",", lookup(var.computed_ingress_with_cidr_blocks[count.index], "cidr_blocks", join(",", var.ingress_cidr_blocks)))}"]

Inappropriate value for attribute "cidr_blocks": element 0: string required.


Error: Incorrect attribute value type

  on .terraform/modules/atlantis.alb_https_sg/terraform-aws-modules-terraform-aws-security-group-0fd7c5a/main.tf line 151, in resource "aws_security_group_rule" "ingress_with_ipv6_cidr_blocks":
 151:   ipv6_cidr_blocks = ["${split(",", lookup(var.ingress_with_ipv6_cidr_blocks[count.index], "ipv6_cidr_blocks", join(",", var.ingress_ipv6_cidr_blocks)))}"]

Inappropriate value for attribute "ipv6_cidr_blocks": element 0: string
required.


Error: Incorrect attribute value type

  on .terraform/modules/atlantis.alb_https_sg/terraform-aws-modules-terraform-aws-security-group-0fd7c5a/main.tf line 167, in resource "aws_security_group_rule" "computed_ingress_with_ipv6_cidr_blocks":
 167:   ipv6_cidr_blocks = ["${split(",", lookup(var.computed_ingress_with_ipv6_cidr_blocks[count.index], "ipv6_cidr_blocks", join(",", var.ingress_ipv6_cidr_blocks)))}"]

Inappropriate value for attribute "ipv6_cidr_blocks": element 0: string
required.


Error: Incorrect attribute value type

  on .terraform/modules/atlantis.alb_https_sg/terraform-aws-modules-terraform-aws-security-group-0fd7c5a/main.tf line 295, in resource "aws_security_group_rule" "egress_with_cidr_blocks":
 295:   cidr_blocks     = ["${split(",", lookup(var.egress_with_cidr_blocks[count.index], "cidr_blocks", join(",", var.egress_cidr_blocks)))}"]

Inappropriate value for attribute "cidr_blocks": element 0: string required.


Error: Incorrect attribute value type

  on .terraform/modules/atlantis.alb_https_sg/terraform-aws-modules-terraform-aws-security-group-0fd7c5a/main.tf line 311, in resource "aws_security_group_rule" "computed_egress_with_cidr_blocks":
 311:   cidr_blocks     = ["${split(",", lookup(var.computed_egress_with_cidr_blocks[count.index], "cidr_blocks", join(",", var.egress_cidr_blocks)))}"]

Inappropriate value for attribute "cidr_blocks": element 0: string required.


Error: Incorrect attribute value type

  on .terraform/modules/atlantis.alb_https_sg/terraform-aws-modules-terraform-aws-security-group-0fd7c5a/main.tf line 327, in resource "aws_security_group_rule" "egress_with_ipv6_cidr_blocks":
 327:   ipv6_cidr_blocks = ["${split(",", lookup(var.egress_with_ipv6_cidr_blocks[count.index], "ipv6_cidr_blocks", join(",", var.egress_ipv6_cidr_blocks)))}"]

Inappropriate value for attribute "ipv6_cidr_blocks": element 0: string
required.


Error: Incorrect attribute value type

  on .terraform/modules/atlantis.alb_https_sg/terraform-aws-modules-terraform-aws-security-group-0fd7c5a/main.tf line 343, in resource "aws_security_group_rule" "computed_egress_with_ipv6_cidr_blocks":
 343:   ipv6_cidr_blocks = ["${split(",", lookup(var.computed_egress_with_ipv6_cidr_blocks[count.index], "ipv6_cidr_blocks", join(",", var.egress_ipv6_cidr_blocks)))}"]

Inappropriate value for attribute "ipv6_cidr_blocks": element 0: string
required.


Error: Incorrect attribute value type

  on .terraform/modules/atlantis.atlantis_sg/terraform-aws-modules-terraform-aws-security-group-0fd7c5a/main.tf line 119, in resource "aws_security_group_rule" "ingress_with_cidr_blocks":
 119:   cidr_blocks     = ["${split(",", lookup(var.ingress_with_cidr_blocks[count.index], "cidr_blocks", join(",", var.ingress_cidr_blocks)))}"]

Inappropriate value for attribute "cidr_blocks": element 0: string required.


Error: Incorrect attribute value type

  on .terraform/modules/atlantis.atlantis_sg/terraform-aws-modules-terraform-aws-security-group-0fd7c5a/main.tf line 135, in resource "aws_security_group_rule" "computed_ingress_with_cidr_blocks":
 135:   cidr_blocks     = ["${split(",", lookup(var.computed_ingress_with_cidr_blocks[count.index], "cidr_blocks", join(",", var.ingress_cidr_blocks)))}"]

Inappropriate value for attribute "cidr_blocks": element 0: string required.


Error: Incorrect attribute value type

  on .terraform/modules/atlantis.atlantis_sg/terraform-aws-modules-terraform-aws-security-group-0fd7c5a/main.tf line 151, in resource "aws_security_group_rule" "ingress_with_ipv6_cidr_blocks":
 151:   ipv6_cidr_blocks = ["${split(",", lookup(var.ingress_with_ipv6_cidr_blocks[count.index], "ipv6_cidr_blocks", join(",", var.ingress_ipv6_cidr_blocks)))}"]

Inappropriate value for attribute "ipv6_cidr_blocks": element 0: string
required.


Error: Incorrect attribute value type

  on .terraform/modules/atlantis.atlantis_sg/terraform-aws-modules-terraform-aws-security-group-0fd7c5a/main.tf line 167, in resource "aws_security_group_rule" "computed_ingress_with_ipv6_cidr_blocks":
 167:   ipv6_cidr_blocks = ["${split(",", lookup(var.computed_ingress_with_ipv6_cidr_blocks[count.index], "ipv6_cidr_blocks", join(",", var.ingress_ipv6_cidr_blocks)))}"]

Inappropriate value for attribute "ipv6_cidr_blocks": element 0: string
required.


Error: Incorrect attribute value type

  on .terraform/modules/atlantis.atlantis_sg/terraform-aws-modules-terraform-aws-security-group-0fd7c5a/main.tf line 295, in resource "aws_security_group_rule" "egress_with_cidr_blocks":
 295:   cidr_blocks     = ["${split(",", lookup(var.egress_with_cidr_blocks[count.index], "cidr_blocks", join(",", var.egress_cidr_blocks)))}"]

Inappropriate value for attribute "cidr_blocks": element 0: string required.


Error: Incorrect attribute value type

  on .terraform/modules/atlantis.atlantis_sg/terraform-aws-modules-terraform-aws-security-group-0fd7c5a/main.tf line 311, in resource "aws_security_group_rule" "computed_egress_with_cidr_blocks":
 311:   cidr_blocks     = ["${split(",", lookup(var.computed_egress_with_cidr_blocks[count.index], "cidr_blocks", join(",", var.egress_cidr_blocks)))}"]

Inappropriate value for attribute "cidr_blocks": element 0: string required.


Error: Incorrect attribute value type

  on .terraform/modules/atlantis.atlantis_sg/terraform-aws-modules-terraform-aws-security-group-0fd7c5a/main.tf line 327, in resource "aws_security_group_rule" "egress_with_ipv6_cidr_blocks":
 327:   ipv6_cidr_blocks = ["${split(",", lookup(var.egress_with_ipv6_cidr_blocks[count.index], "ipv6_cidr_blocks", join(",", var.egress_ipv6_cidr_blocks)))}"]

Inappropriate value for attribute "ipv6_cidr_blocks": element 0: string
required.


Error: Incorrect attribute value type

  on .terraform/modules/atlantis.atlantis_sg/terraform-aws-modules-terraform-aws-security-group-0fd7c5a/main.tf line 343, in resource "aws_security_group_rule" "computed_egress_with_ipv6_cidr_blocks":
 343:   ipv6_cidr_blocks = ["${split(",", lookup(var.computed_egress_with_ipv6_cidr_blocks[count.index], "ipv6_cidr_blocks", join(",", var.egress_ipv6_cidr_blocks)))}"]

Inappropriate value for attribute "ipv6_cidr_blocks": element 0: string
required.


Error: Missing resource instance key

  on .terraform/modules/atlantis.vpc/terraform-aws-modules-terraform-aws-vpc-d59af8f/main.tf line 31, in resource "aws_vpc_ipv4_cidr_block_association" "this":
  31:   vpc_id = "${aws_vpc.this.id}"

Because aws_vpc.this has "count" set, its attributes must be accessed on
specific instances.

For example, to correlate with indices of a referring resource, use:
    aws_vpc.this[count.index]


Error: Incorrect attribute value type

  on .terraform/modules/atlantis.vpc/terraform-aws-modules-terraform-aws-vpc-d59af8f/main.tf line 43, in resource "aws_vpc_dhcp_options" "this":
  43:   domain_name_servers  = ["${var.dhcp_options_domain_name_servers}"]

Inappropriate value for attribute "domain_name_servers": element 0: string
required.


Error: Incorrect attribute value type

  on .terraform/modules/atlantis.vpc/terraform-aws-modules-terraform-aws-vpc-d59af8f/main.tf line 44, in resource "aws_vpc_dhcp_options" "this":
  44:   ntp_servers          = ["${var.dhcp_options_ntp_servers}"]

Inappropriate value for attribute "ntp_servers": element 0: string required.


Error: Incorrect attribute value type

  on .terraform/modules/atlantis.vpc/terraform-aws-modules-terraform-aws-vpc-d59af8f/main.tf line 45, in resource "aws_vpc_dhcp_options" "this":
  45:   netbios_name_servers = ["${var.dhcp_options_netbios_name_servers}"]

Inappropriate value for attribute "netbios_name_servers": element 0: string
required.


Error: Unexpected resource instance key

  on .terraform/modules/atlantis/terraform-aws-modules-terraform-aws-atlantis-3eae5e6/main.tf line 362, in data "aws_iam_policy_document" "ecs_task_access_secrets_with_kms":
 362:   source_json = "${data.aws_iam_policy_document.ecs_task_access_secrets.0.json}"

Because data.aws_iam_policy_document.ecs_task_access_secrets does not have
"count" or "for_each" set, references to it must not include an index key.
Remove the bracketed index to refer to the single instance of this resource.


Error: Invalid value for module argument

  on .terraform/modules/atlantis/terraform-aws-modules-terraform-aws-atlantis-3eae5e6/main.tf line 401, in module "container_definition_github_gitlab":
 401:   log_options = [
 402:     {
 403:       "awslogs-region"        = "${data.aws_region.current.name}"
 404:       "awslogs-group"         = "${aws_cloudwatch_log_group.atlantis.name}"
 405:       "awslogs-stream-prefix" = "ecs"
 406:     },
 407:   ]

The given value is not suitable for child module variable "log_options"
defined at
.terraform/modules/atlantis.container_definition_github_gitlab/cloudposse-terraform-aws-ecs-container-definition-1e0a6da/variables.tf:91,1-23:
map of any single type required.


Error: Invalid value for module argument

  on .terraform/modules/atlantis/terraform-aws-modules-terraform-aws-atlantis-3eae5e6/main.tf line 433, in module "container_definition_bitbucket":
 433:   log_options = [
 434:     {
 435:       "awslogs-region"        = "${data.aws_region.current.name}"
 436:       "awslogs-group"         = "${aws_cloudwatch_log_group.atlantis.name}"
 437:       "awslogs-stream-prefix" = "ecs"
 438:     },
 439:   ]

The given value is not suitable for child module variable "log_options"
defined at
.terraform/modules/atlantis.container_definition_bitbucket/cloudposse-terraform-aws-ecs-container-definition-1e0a6da/variables.tf:91,1-23:
map of any single type required.

When using SSM parameter store for Github token, it stores the token in plain text.

When using an access token and storing it in SSM, it stores the token as plain text. Am I missing something in the vars?

I tested the access to the parameters via a new user with generic power user rights. That user could see the secret in plain text.

When encrypting the token via a custom key it fails to decrypt. (The ARN has been placed in the vars file, and the task execution role has the decrypt action set.)

Thoughts?

Host key verification failed

This is related to #15.

I’m unable to get Atlantis to work as it’s failing on host key verification when downloading modules from Bitbucket:

running "/usr/local/bin/terraform init -input=false -no-color -upgrade" in "/home/atlantis/.atlantis/repos/foo/terraform/24/default/acct-dev/monitoring": exit status 1
Upgrading modules...
- monitoring in modules
Downloading git::ssh://[email protected]:/foo/aws-sns-topic.git?ref=v0.0.1 for monitoring.aws_sns_topic_high_priority...

Error: Failed to download module

Could not download module "aws_sns_topic_high_priority"
(modules/aws-sns-topic-high-priority.tf:1) source code from
"git::ssh://[email protected]:/foo/aws-sns-topic.git?ref=v0.0.1": error
downloading 'ssh://[email protected]:/foo/aws-sns-topic.git?ref=v0.0.1':
/usr/bin/git exited with 128: Cloning into
'.terraform/modules/monitoring.aws_sns_topic_high_priority'...
Host key verification failed.
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.



Error: Failed to download module

Could not download module "aws_sns_topic_high_priority"
(modules/aws-sns-topic-high-priority.tf:1) source code from
"git::ssh://[email protected]:/foo/aws-sns-topic.git?ref=v0.0.1": error
downloading 'ssh://[email protected]:/foo/aws-sns-topic.git?ref=v0.0.1':
/usr/bin/git exited with 128: Cloning into
'.terraform/modules/monitoring.aws_sns_topic_high_priority'...
Host key verification failed.
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

The container I’m running is the latest runatlantis/atlantis image and I’ve added a private SSH key and SSH config with StrictHostKeyChecking no to the atlantis user.

When I run the image locally, I'm able to clone the repo without issue. Below is showing it failing, then working:

28d492ee4645:~$ whoami
#atlantis
28d492ee4645:~$
28d492ee4645:~$
28d492ee4645:~$ ls -al .ssh/
total 16
drwxr-xr-x    1 #atlanti root          4096 Jun 14 14:36 .
drwxrwxr-x    1 #atlanti root          4096 Jun 14 14:36 ..
-rw-------    1 #atlanti root            25 Jun 14 04:21 config.foo
-rw-------    1 #atlanti root          1811 Jun 14 04:21 id_rsa
28d492ee4645:~$
28d492ee4645:~$
28d492ee4645:~$ git clone [email protected]:foo/aws-sns-topic.git
Cloning into 'aws-sns-topic'...
The authenticity of host 'bitbucket.org (18.205.93.1)' can't be established.
RSA key fingerprint is SHA256:zzXQOXSRBEiUtuE8AikJYKwbHaxvSc0ojez9YXaGp1A.
Are you sure you want to continue connecting (yes/no)? ^C
28d492ee4645:~$
28d492ee4645:~$
28d492ee4645:~$ mv .ssh/config.foo .ssh/config
28d492ee4645:~$
28d492ee4645:~$
28d492ee4645:~$ git clone [email protected]:foo/aws-sns-topic.git
Cloning into 'aws-sns-topic'...
Warning: Permanently added 'bitbucket.org,18.205.3.1' (RSA) to the list of known hosts.
remote: Counting objects: 5, done.
remote: Compressing objects: 100% (5/5), done.
remote: Total 5 (delta 0), reused 0 (delta 0)
Receiving objects: 100% (5/5), done.
28d492ee4645:~$ ls -al
total 16
drwxrwxr-x    1 #atlanti root          4096 Jun 14 14:37 .
drwxr-xr-x    1 root     root          4096 Mar 14 19:25 ..
drwxr-xr-x    1 #atlanti root          4096 Jun 14 14:37 .ssh
drwxr-xr-x    3 #atlanti atlantis      4096 Jun 14 14:37 aws-sns-topic

What am I missing?

Terraform init fails

Hi, I'm trying to set up Atlantis on AWS Fargate via GitLab, but am getting an error in CloudWatch on init:

2019/06/08 19:13:45+0000 [EROR] terraform_client.go:189 meshwatch/infrastructure/terraform-gsuite#1: Running "/usr/local/bin/terraform init -input=false -no-color -upgrade" in "/home/atlantis/.atlantis/repos/meshwatch/infrastructure/terraform-gsuite/1/default": exit status 1

Any idea what might be wrong (I know the error is not very descriptive)? I would assume that it has to do with permissions, as I didn't configure any. What credentials does it use by default? How do I configure them?

Unable to invoke atlantis server container

I've gone the path of running via solution three, "running in own environment." But my service is not running, probably due to a combination of the entrypoint (which I left blank) and the command (which gets displayed in the log message shown below).

/usr/local/bin/docker-entrypoint.sh: exec: line 46: atlantis server --log-level=debug \
--gh-user=XXXX --gh-token="YYYYY" --gh-webhook-secret="something" --repo-config-json='
{
    "repos": [
        {
            "id": "/.*/",
            "allowed_overrides": [
                "workflow"
            ],
            "allow_custom_workflows": true,
            "apply_requirements": [
                "approved",
                "mergeable"
            ]
        }
    ]
}
' --repo-whitelist=github.com/our/repository: not found

Where did I go wrong?

Pass Task Exec. policy ARN as an input variable or default to AmazonECSTaskExecutionRolePolicy

policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"

When I tried to use atlantis plan or apply I found that it needed permissions at least for (depending on the config files, of course):

  • access to the backend (say S3)
  • access to IAM

among others.

Initially I began by attaching existing policies, before I determined which ones are most restrictive. Alternatively, one could pass the overly permissive https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html#jf_administrator if they're confident that the Task runs securely.

Provide output of task_role_name

I had to add an IAM policy to the task execution role for the ECS task definition in order to give it permission to GetParameters from the SSM parameter store. In order to do this via Terraform I needed to reference the role that your terraform-aws-atlantis module creates. I wasn't sure how to do it other than to fork the code and create an output that did this, and then reference it in my module that wraps terraform-aws-atlantis:

output "task_role_name" {
  description = "The Atlantis ECS task role name"
  value       = "${aws_iam_role.ecs_task_execution.name}"
}

Would it be possible to create this output for the 1.x and 2.x branches of this repo?

Missing support for Azure DevOps

Hi,

It would be great if this module would have support for Azure DevOps as well, as Atlantis itself recently added it.

Cheers.

Issues creating service on v2.0.0

// depends_on = [aws_ecs_task_definition.atlantis]

Error: Failed getting task definition ClientException: Unable to describe task definition.
        status code: 400, request id: 0cd48c37-8d35-11e9-9e00-5ff346cf8ee8 "atlantis"

  on .terraform/modules/atlantis/terraform-aws-modules-terraform-aws-atlantis-ca4ff06/main.tf line 491, in data "aws_ecs_task_definition" "atlantis":
 491: data "aws_ecs_task_definition" "atlantis" {

Bitbucket Server Authentication Failed

I basically have the same problem that was discussed in #54 but with Bitbucket Server, instead of Bitbucket Cloud.

Since the original issue was closed without resolution and no further input, I would like to investigate this issue more in-depth since I was able to reproduce it.

I set these params:

  atlantis_bitbucket_user       = "<user>"
  atlantis_bitbucket_user_token = "<password>"

In addition, I introduced the Terraform variable "atlantis_bitbucket_base_url" to set the environment parameter "ATLANTIS_BITBUCKET_BASE_URL" which is needed to run Bitbucket Server with Atlantis (see runatlantis/atlantis#622).

I used this custom workflow:

# atlantis.yaml
version: 3
projects:
- dir: .
  workflow: echo
workflows:
  echo:
    plan:
      steps:
      - run: echo $ATLANTIS_BITBUCKET_USER
      - run: echo $ATLANTIS_BITBUCKET_TOKEN

Originally posted by @lkysow in #54 (comment)

I verified access via cURL:

curl --location --request GET \
  'https://<BitbucketServerEndpoint>/rest/api/1.0/projects/<BitbucketProject>/repos/infrastructure/pull-requests/23/changes?start=0' \
  --header 'Authorization: Bearer <Token>'

(works)

This is the output after opening a new PR:

 [DBUG] events_controller.go:122 server: Handling Bitbucket Server post
 [DBUG] events_controller.go:208 server: Handling as pull request state changed event
 [INFO] events_controller.go:304 server: Identified event as type "opened"
 [INFO] events_controller.go:345 server: Executing autoplan
 [INFO] middleware.go:42 server: POST /events – respond HTTP 200
 [WARN] command_runner.go:114 <BitbucketProject+Repo>#23: Unable to update commit status: making request "POST https://<BitbucketServer>/rest/build-status/1.0/commits/081a96ff9e6d001c56db8eb70d824008c54ad8d8" unexpected status code: 401, body: 
        {
            "errors": [
                {
                    "context": null,
                    "message": "Authentication failed. Please check your credentials and try again.",
                    "exceptionName": "com.atlassian.bitbucket.auth.IncorrectPasswordAuthenticationException"
                }
            ]
        }
 [DBUG] project_command_builder.go:106 <BitbucketProject+Repo>#23: Got workspace lock
 [WARN] command_runner.go:120 <BitbucketProject+Repo>#23: Unable to update commit status: making request "POST https://<BitbucketServer>/rest/build-status/1.0/commits/081a96ff9e6d001c56db8eb70d824008c54ad8d8" unexpected status code: 401, body: 
        {
            "errors": [
                {
                    "context": null,
                    "message": "Authentication failed. Please check your credentials and try again.",
                    "exceptionName": "com.atlassian.bitbucket.auth.IncorrectPasswordAuthenticationException"
                }
            ]
        }
 [EROR] command_runner.go:419 <BitbucketProject+Repo>#23: Making request "GET https://<BitbucketServer>/rest/api/1.0/projects/<BitbucketProject>/repos/infrastructure/pull-requests/23/changes?start=0" unexpected status code: 401, body: 
        {
            "errors": [
                {
                    "context": null,
                    "message": "Authentication failed. Please check your credentials and try again.",
                    "exceptionName": "com.atlassian.bitbucket.auth.IncorrectPasswordAuthenticationException"
                }
            ]
        }
 [EROR] command_runner.go:426 <BitbucketProject+Repo>#23: Unable to comment: making request "POST https://<BitbucketServer>/rest/api/1.0/projects/<BitbucketProject>/repos/infrastructure/pull-requests/23/comments" unexpected status code: 401, body: 
        {
            "errors": [
                {
                    "context": null,
                    "message": "Authentication failed. Please check your credentials and try again.",
                    "exceptionName": "com.atlassian.bitbucket.auth.IncorrectPasswordAuthenticationException"
                }
            ]
        }

Move container definition into a template_file data source

container_definitions = <<EOF

Instead of having it inline, it may be more flexible and allow further interpolations :

data "template_file" "container" {
  template = "${file("${path.module}/atlantis-container-definition.json")}"
  vars {
    port              = "${var.atlantis_port}"
    log_level         = "${var.log_level}"
    cw_logs_prefix    = "${var.cw_logs_prefix}"
  }
}

The above is a minimalistic example. The input variable can have defaults, but module users should have the liberty to easily change them at instantiation time if they want to.

PS: I found that changing the Atlantis port from 4141 to 80 helped when accessing it from the office network or via VPN - hence my thought that since they allow it to be changed, why not also have it as an input.

ACM count error on 2.0.0

Getting this error when updating to 2.0.0 from 1.17.0

$ terraform apply 
...
module.atlantis.data.aws_route53_zone.this[0]: Refreshing state...
module.atlantis.module.acm.aws_acm_certificate.this[0]: Refreshing state... [id=arn:aws:acm:us-east-2:697393925297:certificate/29c16798-e810-47d9-8972-d7ea5e6a9d31]

Error: Invalid count argument

  on .terraform/modules/atlantis.acm/terraform-aws-modules-terraform-aws-acm-566067c/main.tf line 30, in resource "aws_route53_record" "validation":
  30:   count = var.create_certificate && var.validation_method == "DNS" && var.validate_certificate ? length(local.distinct_domain_names) : 0

The "count" value depends on resource attributes that cannot be determined
until apply, so Terraform cannot predict how many instances will be created.
To work around this, use the -target argument to first apply only the
resources that the count depends on.

Releasing state lock. This may take a few moments...

Task definition is broken with pre-created secrets

Hi,

Looks like something regarding the secrets is broken. We discovered this during our upgrade to 0.12 and the v2.1.0 of this module.

The following config used to work:

module "atlantis" {
  source  = "terraform-aws-modules/atlantis/aws"
  version = "~> 2.1.0"

  name = "atlantis"

  # VPC
  cidr            = "10.20.0.0/16"
  azs             = ["us-east-1a", "us-east-1b", "us-east-1c"]
  private_subnets = ["10.20.1.0/24", "10.20.2.0/24", "10.20.3.0/24"]
  public_subnets  = ["10.20.101.0/24", "10.20.102.0/24", "10.20.103.0/24"]

  # DNS (without trailing dot)
  route53_zone_name = "example.com"
  # Atlantis
  atlantis_github_user       = "atlantis-bot"
  atlantis_repo_whitelist    = ["github.com/terraform-aws-modules/*"]
}

provider "aws" {
  region = "us-east-1"
}

Note that that's the same code from the example, without atlantis_github_user_token defined. We don't want to have that in code so we put it in SSM.
This module is smart enough that it can take it from SSM if it's not in the Terraform config. That's what was happening in v1.9.0.

In the v2.1.0 this leads to the following in the JSON task definition:

     "secrets": [
        {
          "valueFrom": "unknown_secret_name_value",
          "name": "unknown_secret_name_key"
        },
        {
          "valueFrom": "/atlantis/webhook/secret",
          "name": "unknown_secret_webhook_key"
        }
      ],

This is obviously wrong and leads to the task definition failing because it cannot find those SSM secrets.

I think in https://github.com/terraform-aws-modules/terraform-aws-atlantis/blob/master/main.tf#L17-L23 there's something bad. That breaks the definitions in https://github.com/terraform-aws-modules/terraform-aws-atlantis/blob/master/main.tf#L67-L81. Maybe instead of the token there should've been user as I define the user, but the token is always empty.

Am I missing something?

Fargate/Atlantis - Trigger AWS Fargate task from AWS Lambda

$$$ Who wants to pay for idle resources in the cloud century? I don't. $$$

To-do:

  • Read this
  • Allow configuration of Fargate tasks schedule via AWS Cloudwatch to avoid cold-starts on workdays (eg, start one Fargate Task 15 minutes before 9:00 on workdays)

AWS credentials file not taken into consideration

Hello. I've tried using your module and I've added my own Atlantis image from v0.11.0 and copied the AWS credentials and config files to the image. From further investigations I realised that the AWS credentials are not retrieved at all from those files, but from the task's role.

2020/02/06 09:14:16 [INFO] Setting AWS metadata API timeout to 100ms
2020/02/06 09:14:16 [INFO] ECS container credentials detected, RemoteCredProvider added to auth chain
2020/02/06 09:14:16 [INFO] Ignoring AWS metadata API endpoint at default location as it doesn't return any instance-id
2020/02/06 09:14:16 [INFO] AWS Auth provider used: "CredentialsEndpointProvider"

Could you help and provide a way so that, when Terraform runs, it looks for the AWS credentials rather than the container task role, and also respects the AWS credential chain?

Unable to update commit status: making request ... unexpected status code: 401, body

I'm running into problems, presumably with bitbucket authentication.

I've verified the bitbucket username and app password using curl.

My terraform.tfvars has the following (with actual username and app password):

atlantis_bitbucket_user = "foo"
atlantis_bitbucket_user_token = "bar"

I see the ATLANTIS_BITBUCKET_USER populated correctly as an environment variable for the Fargate container.

However, when I test it fails with the following:

2019/06/06 02:52:20+0000 [DBUG] events_controller.go:100 server: Handling Bitbucket Cloud post
2019/06/06 02:52:20+0000 [DBUG] events_controller.go:154 server: Handling as comment created event
2019/06/06 02:52:20+0000 [INFO] events_controller.go:367 server: Parsed comment as command="plan" verbose=false dir="" workspace="" project="" flags=""
2019/06/06 02:52:20+0000 [DBUG] events_controller.go:389 server: Executing command
2019/06/06 02:52:20+0000 [INFO] middleware.go:42 server: POST /events – respond HTTP 200
2019/06/06 02:52:20+0000 [WARN] command_runner.go:208 foo/terraform#24: Unable to update commit status: making request "POST https://api.bitbucket.org/2.0/repositories/foo/terraform/commit/3a050fbb589a/statuses/build" unexpected status code: 401, body:
2019/06/06 02:52:20+0000 [DBUG] project_command_builder.go:102 foo/terraform#24: Got workspace lock
2019/06/06 02:52:21+0000 [WARN] command_runner.go:223 foo/terraform#24: Unable to update commit status: making request "POST https://api.bitbucket.org/2.0/repositories/foo/terraform/commit/3a050fbb589a/statuses/build" unexpected status code: 401, body:
2019/06/06 02:52:21+0000 [EROR] command_runner.go:383 foo/terraform#24: Making request "GET https://api.bitbucket.org/2.0/repositories/foo/terraform/pullrequests/24/diffstat" unexpected status code: 401, body:
2019/06/06 02:52:21+0000 [EROR] command_runner.go:390 foo/terraform#24: Unable to comment: making request "POST https://api.bitbucket.org/2.0/repositories/foo/terraform/pullrequests/24/comments" unexpected status code: 401, body:

Improve json in heredoc by using data source and jsonencode

Instead of this -

container_definitions = <<EOF
[
  {
    "cpu": 0,
    "environment": [
      {
        "name": "ATLANTIS_LOG_LEVEL",
        "value": "debug"
      },
      {
        "name": "ATLANTIS_PORT",
        "value": "4141"
      },
      {
        "name": "ATLANTIS_ATLANTIS_URL",
        "value": "https://${coalesce(element(concat(aws_route53_record.atlantis.*.fqdn, list("")), 0), module.alb.dns_name)}"
      },
      {
        "name": "ATLANTIS_GH_USER",
        "value": "${var.atlantis_github_user}"
      },
      {
        "name": "ATLANTIS_GH_TOKEN",
        "value": "${var.atlantis_github_user_token}"
      },
      {
        "name": "ATLANTIS_GH_WEBHOOK_SECRET",
        "value": "${random_id.webhook.hex}"
      },
      {
        "name": "ATLANTIS_REPO_WHITELIST",
        "value": "${join(",", var.atlantis_repo_whitelist)}"
      }
    ],
    "essential": true,
    "image": "${local.atlantis_image}",
    "logConfiguration": {
      "logDriver": "awslogs",
      "options": {
        "awslogs-group": "${var.name}",
        "awslogs-region": "${data.aws_region.current.name}",
        "awslogs-stream-prefix": "master"
      }
    },
    "mountPoints": [],
    "name": "atlantis",
    "portMappings": [
      {
        "containerPort": 4141,
        "hostPort": 4141,
        "protocol": "tcp"
      }
    ],
    "volumesFrom": []
  }
]
EOF

Do something like this:

locals {
  log_group = "test-group"

  definition = {
    name   = "example"
    memory = "500"
  }

  default_definition = {
    name      = "test"
    image     = "test_image"
    memory    = 200
    essential = true
    command   = "node"
    portMappings = [
      {
        containerPort = 8008
        hostPort      = 80
      }
    ]
    logConfiguration = {
      logDriver = "awslogs"
      options = {
        awslogs-group  = "${local.log_group}"
        awslogs-region = "us-west-2"
      }
    }
  }
}

output "test" {
  value = "${jsonencode(merge(local.default_definition, local.definition))}"
}

Kudos to @osterman
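An added example, not code from this module or from any of the posters above, that ties the jsonencode proposal to the earlier "When using SSM parameter store for Github token" and "Pass Task Exec. policy ARN" issues: the token is stored as an SSM SecureString under a customer-managed KMS key, the task execution role gets AmazonECSTaskExecutionRolePolicy plus read/decrypt on that one parameter and key only, and the container definition is built with jsonencode() so the token arrives via "secrets" instead of as a plain-text "environment" value like the heredoc above. Resource names, the parameter path and the image tag are assumptions.

```hcl
# Added example (not the module's own code): the GitHub token lives in SSM as a
# SecureString under a customer-managed KMS key, the ECS task execution role can
# read and decrypt only that parameter, and the container definition is built
# with jsonencode() so the token reaches Atlantis through "secrets" instead of a
# plain-text "environment" value. Names, the parameter path and the image tag
# are assumptions.

variable "atlantis_github_user_token" {
  description = "GitHub token for the bot user; pass it via TF_VAR_..., never commit it"
  type        = string
}

resource "aws_kms_key" "atlantis" {
  description         = "Encrypts Atlantis secrets held in SSM Parameter Store"
  enable_key_rotation = true
}

# type = "String" would store the token in clear text, readable by anyone with
# ssm:GetParameter. "SecureString" additionally requires kms:Decrypt on the key.
resource "aws_ssm_parameter" "github_token" {
  name   = "/atlantis/github/user_token"
  type   = "SecureString"
  key_id = aws_kms_key.atlantis.key_id
  value  = var.atlantis_github_user_token
}

# The execution role is what the ECS agent uses to pull the image, ship logs
# and inject secrets at task start; it is distinct from the task role that
# Terraform itself runs under inside the container.
resource "aws_iam_role" "ecs_task_execution" {
  name = "atlantis-ecs-task-execution"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Action    = "sts:AssumeRole"
      Principal = { Service = "ecs-tasks.amazonaws.com" }
    }]
  })
}

resource "aws_iam_role_policy_attachment" "task_execution_baseline" {
  role       = aws_iam_role.ecs_task_execution.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
}

# Scoped to this one parameter and this one key: no wildcard SSM or KMS access.
resource "aws_iam_role_policy" "read_github_token" {
  name = "atlantis-read-github-token"
  role = aws_iam_role.ecs_task_execution.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect   = "Allow"
        Action   = ["ssm:GetParameters"]
        Resource = [aws_ssm_parameter.github_token.arn]
      },
      {
        Effect   = "Allow"
        Action   = ["kms:Decrypt"]
        Resource = [aws_kms_key.atlantis.arn]
      }
    ]
  })
}

locals {
  container_definition = {
    name         = "atlantis"
    image        = "runatlantis/atlantis:v0.11.0"
    essential    = true
    portMappings = [{ containerPort = 4141, hostPort = 4141, protocol = "tcp" }]
    # Non-sensitive settings are fine as plain environment variables.
    environment = [
      { name = "ATLANTIS_LOG_LEVEL", value = "info" },
      { name = "ATLANTIS_PORT", value = "4141" },
      { name = "ATLANTIS_GH_USER", value = "atlantis-bot" }
    ]
    # ECS resolves the value from SSM when the task starts, so the token never
    # appears in the registered task definition.
    secrets = [
      { name = "ATLANTIS_GH_TOKEN", valueFrom = aws_ssm_parameter.github_token.arn }
    ]
  }
}

resource "aws_ecs_task_definition" "atlantis" {
  family                   = "atlantis"
  requires_compatibilities = ["FARGATE"]
  network_mode             = "awsvpc"
  cpu                      = 256
  memory                   = 512
  execution_role_arn       = aws_iam_role.ecs_task_execution.arn
  container_definitions    = jsonencode([local.container_definition])
}
```

The parameter value still ends up in Terraform state, so the state backend needs the same access controls as the secret itself; what this removes is the token from the task definition and from every "environment" listing of the running container.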

Only create VPC if no VPC ID is passed

module "vpc" {

Great work Anton!

Recently I also developed an Atlantis module to which I pass a vpc_id as a variable instead of a cidr_block to create a new one - under the assumption that it's more common for someone to deploy Atlantis in an existing VPC.

My proposal:

  • have 2 input variables (cidr_block and vpc_id), both with dummy defaults.
  • use count to determine whether a new VPC is needed, in which case the cidr_block would be used.
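One way to implement the two-variable proposal above (added example, not the module's own code): both inputs default to "" so either can be omitted, count decides whether a VPC is created, and downstream resources only ever see local.vpc_id. Resource and tag names are assumptions.

```hcl
# Added example (not the module's own code): create a VPC only when the caller
# did not pass an existing one. Names and tags are assumptions.

variable "vpc_id" {
  description = "Existing VPC to deploy Atlantis into; leave empty to create one"
  type        = string
  default     = ""
}

variable "cidr_block" {
  description = "CIDR for the new VPC; only used when vpc_id is empty"
  type        = string
  default     = ""
}

locals {
  create_vpc = var.vpc_id == ""
}

resource "aws_vpc" "this" {
  count = local.create_vpc ? 1 : 0

  cidr_block           = var.cidr_block
  enable_dns_support   = true
  enable_dns_hostnames = true

  tags = { Name = "atlantis" }
}

locals {
  # concat/element avoids indexing aws_vpc.this[0] when count is 0: the splat
  # yields an empty list in that case and var.vpc_id is picked instead.
  vpc_id = element(concat(aws_vpc.this[*].id, [var.vpc_id]), 0)
}

# Everything downstream references local.vpc_id and does not care which
# branch produced it.
resource "aws_security_group" "atlantis" {
  name        = "atlantis"
  description = "Atlantis service security group"
  vpc_id      = local.vpc_id
}
```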

Webhook docs out of date?

I'm in the middle of trying to upgrade from a much older version of atlantis which managed the Github webhooks for you.

The docs still indicate that the module can create the github webhooks for you:

Github webhook is automatically created if github_token, github_organization and github_repo_names were specified.

However looking at the code I am not seeing how this actually works - I can't find any reference to the github_repo_names in the code for example.

I think this functionality might've been removed during the refactor to support gitlab? In any case just wanted to confirm, and wondering what the recommended way to set up the webhooks is now.

Looking at the tf code, it looks like it's being passed in correctly. I'd like to fully eliminate the chances of the credentials being passed to Atlantis being incorrect. Can you verify what values were passed in to the container by creating a custom workflow that echoes out the environment variables?

# atlantis.yaml
version: 3
projects:
- dir: .
  workflow: echo
workflows:
  echo:
    plan:
      steps:
      - run: echo $ATLANTIS_BITBUCKET_USER
      - run: echo $ATLANTIS_BITBUCKET_TOKEN

Originally posted by @lkysow in #54 (comment)

custom_environment_variables with ATLANTIS_REPO_CONFIG_JSON

I'm having issues with setting env variables for the container. With the definition below

module "atlantis" {
  source  = "terraform-aws-modules/atlantis/aws"
  version = "~> v1.0"

  name             = "atlantis"
  atlantis_version = "v0.7.2"

  allow_repo_config = true
  policies_arn      = ["arn:aws:iam::aws:policy/AdministratorAccess"]

  # VPC
  vpc_id             = "XXXXXXXXX"                          
  cidr               = "XXXXXXXXX"
  azs                = ["XXXXXXXXX"]
  private_subnet_ids = ["XXXXXXXXX"]
  public_subnet_ids  = ["XXXXXXXXX"]

  # DNS (without trailing dot)
  route53_zone_name = "XXXXXX"

  # ACM (SSL certificate) - Specify ARN of an existing certificate or new one will be created and validated using Route53 DNS
  certificate_arn = "XXXXX"

  # Atlantis
  atlantis_github_user       = "X"
  atlantis_github_user_token = "XXXXX"
  atlantis_repo_whitelist    = ["github.com/XXXX/Xxxxxxxxx"]

  custom_environment_variables = [{
    name  = "ATLANTIS_REPO_CONFIG_JSON"
    value = "XXXXXX"
  }]
}

When I try to list the env variables in custom plan, I can't see any env variable named ATLANTIS_REPO_CONFIG_JSON.

Content of atlantis.yaml with custom workflow:

version: 3
automerge: true

projects:
  - name: XXXX
    dir: XXXX
    workspace: default
    terraform_version: v0.11.14
    autoplan:
      when_modified: ["*.tf", "../modules/**.tf"]
      enabled: true
    workflow: custom
workflows:
  custom:
    plan:
      steps:
        - run: env
        - init
        - plan
    apply:
      steps:
        - apply

My goal is to modify the default workflow using the env variable ATLANTIS_REPO_CONFIG_JSON with JSON as its argument, as described here: https://www.runatlantis.io/docs/server-side-repo-config.html#enabling-server-side-repo-config
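Both posts above use a `run` step that prints environment variables (`echo $ATLANTIS_BITBUCKET_TOKEN`, `run: env`) to check what the container received. Atlantis posts the output of every `run` step as a PR comment, so those steps write the git token and any other secret straight into the pull request, where everyone who can read the PR sees it. The script below is an added example, not code from the module, the issue or @lkysow: a POSIX shell `run` step that reports whether each named variable is unset, empty or set (with its length and a short hash fingerprint so two runs can be compared) without ever printing the value. The file name `check_atlantis_env.sh`, the `--demo` switch and the variable list are assumptions for this example; the demo values are constructed.

```shell
#!/bin/sh
# Added example (not from terraform-aws-atlantis or the issue thread):
# verify that the variables an Atlantis workflow depends on reached the
# container, without echoing their values into the PR comment.
#
# Assumed usage as a run step in atlantis.yaml:
#   - run: sh check_atlantis_env.sh ATLANTIS_BITBUCKET_USER ATLANTIS_BITBUCKET_TOKEN ATLANTIS_REPO_CONFIG_JSON

# fingerprint VALUE -> first 8 hex chars of SHA-256 (cksum fallback).
# Only meant for comparing runs or spotting a mistyped token; the value
# itself is never written out.
fingerprint() {
  if command -v sha256sum >/dev/null 2>&1; then
    printf '%s' "$1" | sha256sum | cut -c1-8
  else
    printf '%s' "$1" | cksum | cut -d' ' -f1
  fi
}

# describe_var NAME -> prints "NAME: unset", "NAME: empty" or
# "NAME: set len=N fp=XXXXXXXX"; returns 0 only when a non-empty value is set.
describe_var() {
  name=$1
  # reject anything that is not a plain identifier before using eval
  case $name in
    *[!A-Za-z0-9_]*|'') printf '%s: invalid variable name\n' "$name"; return 2 ;;
  esac
  if eval "[ -z \"\${$name+x}\" ]"; then
    printf '%s: unset\n' "$name"
    return 1
  fi
  eval "value=\$$name"
  if [ -z "$value" ]; then
    printf '%s: empty\n' "$name"
    return 1
  fi
  printf '%s: set len=%s fp=%s\n' "$name" "${#value}" "$(fingerprint "$value")"
  return 0
}

# check_vars NAME... -> one line per variable; the exit status is the number
# of variables that are unset or empty, so 0 means everything is present.
check_vars() {
  missing=0
  for n in "$@"; do
    describe_var "$n" || missing=$((missing + 1))
  done
  return "$missing"
}

# Stand-alone demo on constructed values; a real run step just passes names.
if [ "${1:-}" = "--demo" ]; then
  ATLANTIS_BITBUCKET_USER=demo-user
  ATLANTIS_BITBUCKET_TOKEN='constructed-token-not-a-real-secret'
  export ATLANTIS_BITBUCKET_USER ATLANTIS_BITBUCKET_TOKEN
  check_vars ATLANTIS_BITBUCKET_USER ATLANTIS_BITBUCKET_TOKEN ATLANTIS_REPO_CONFIG_JSON
  echo "missing: $?"
elif [ $# -gt 0 ]; then
  check_vars "$@"
fi
```

`sh check_atlantis_env.sh --demo` reports the two constructed credentials as set and ATLANTIS_REPO_CONFIG_JSON as unset, which is the symptom described in the second post, and exits with status 1. Used as a `run` step, a non-zero exit fails the plan, so a missing variable is caught before `init` runs, while the PR comment only ever shows names, lengths and fingerprints.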
