A “terragrunt plan” Output on a Pull Request

Başar Söker
Insider Engineering
4 min read · Jul 4, 2022
Atlantis and Terragrunt collaborate

Hi everyone! In this article, I will share our journey to create an environment that shows the output of a terragrunt plan command on our Terraform repository as a pull request comment. I assume that you are somewhat familiar with the tools I mention below, so I will dive directly into their implementation.

Why do we need this?

Recently we decided to embrace IaC principles with Terraform to make our AWS services more observable by storing the related Terragrunt configuration files in a single GitHub repository.

To achieve this, we created a GitHub repository that contains all Terragrunt files with the following file hierarchy, which is pretty common among organizations that work with multiple AWS accounts.

Terraform repository folder structure

So, once a teammate wants to deploy new AWS services, we expect them to open a new PR on this repository. After it is merged, the related services are provisioned automatically by AWS CodePipeline. That means we do not use Atlantis, a tool I am going to describe below, to apply these Terragrunt files, since we find that a little bit insecure for our environment.

However, since the teammate cannot see the terragrunt plan output anywhere, they cannot be sure whether the Terragrunt configuration files work, and this is where Atlantis helps.

Atlantis Implementation

I mainly relied on this article for the deployment and am grateful for it, but I encountered many different errors because of our modifications. I hope the steps below let you set up your own environment a lot more easily.

Deployment

Atlantis offers several types of deployment. Among them, I opted for its Helm chart, since we already have a Kubernetes cluster that I can easily deploy to. Here you can find my “values.yaml” file for the chart.

These configurations can be extended or tweaked with the options here. Let me go through the parameters that I find important.

Secrets: As I stated in the file, I created the secrets outside the chart, and here you can find their YAML files.

repoConfig: This is the parameter in which we define our custom workflow for Terragrunt. This workflow is tailored to work with a JavaScript script rather than this one. So, once an “atlantis plan” command is triggered, what it actually does is:

  • Declare the environment variable that tells Terragrunt which terraform version to use
  • Run my Node.js script with the $PLANFILE parameter, which holds the paths of the terragrunt.hcl files (e.g. /atlantis-data/repos/<<github-username>>/<<repo-name>>/<<workspace-number>>/<<workspace>>/<<repo-path>>/)

disableApply: This is how we say “we do not want Atlantis to run apply.” As I mentioned before, we find it too administrative for our environment.

disableRepoLocking: Locking is Atlantis's mechanism for ensuring that exactly the infrastructure that was planned with “atlantis plan” is what gets applied. But it also has downsides, especially if you work with a single repository as we do. Hence, we disable it.
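To make the three parameters above concrete, here is a values.yaml fragment I added as an example; it is not the author's file. It follows the Terragrunt example from the Atlantis documentation for the env step, and it assumes the custom image carries a Node.js wrapper at /usr/local/bin/plan-summary.js (a placeholder path) that runs terragrunt and condenses the output itself, which is why no `-out=`/`show` round trip appears. `$DIR` and `$ATLANTIS_TERRAFORM_VERSION` are environment variables Atlantis sets for custom workflow steps.

```yaml
# Added example values.yaml fragment for the Atlantis Helm chart (not the author's file).
# Assumed: /usr/local/bin/plan-summary.js is a placeholder path inside the custom image.
disableApply: true          # Atlantis only ever plans; CodePipeline applies after merge
disableRepoLocking: true    # one repository with many projects, so per-project locks get in the way

repoConfig: |
  ---
  repos:
    - id: /.*/
      workflow: terragrunt
  workflows:
    terragrunt:
      plan:
        steps:
          # Point Terragrunt at the terraform binary matching the version Atlantis resolved
          # for this project (pattern taken from the Atlantis Terragrunt docs).
          - env:
              name: TERRAGRUNT_TFPATH
              command: 'echo "terraform${ATLANTIS_TERRAFORM_VERSION}"'
          # Hand the project directory to the wrapper script; it runs
          # "terragrunt run-all plan" and prints a short summary for the PR comment.
          - run: node /usr/local/bin/plan-summary.js "$DIR"
```

Two things to keep in mind with this shape. A `run` step executes an arbitrary command on the Atlantis pod, so the workflow belongs in the server-side repoConfig as above; leave `allow_custom_workflows` at its default of false so that a pull request cannot define its own run steps in a repo-level atlantis.yaml. And with locking disabled, two open PRs that touch the same project can both show a clean plan that will not both apply cleanly; since apply happens after merge in CodePipeline here, the plan comment is advisory and reviewers should read it that way.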

Container Image

Since we want to use Terragrunt, we must build our own image on top of the Atlantis image. Here are the Dockerfile and the Node.js script.

Annotation: Please avoid using “terragrunt run-all plan -out=$FILE” to write the plan to a file and “terragrunt show $FILE” to display a less verbose output, since there is a known issue with this. For more information, please check this.

This concludes our deployment process. After completing all the steps required here alongside our deployment, whenever we open a PR or push a commit to an existing PR, we should see the “plan” checks and results as follows.

Atlantis plan results
Atlantis plan GitHub checks

If you do not see them, please make sure that the following events are selected for your GitHub repository webhook.

  • Issue comments
  • Pull requests
  • Pushes

Bonus Part

With the above “gitconfig” configuration, we can reach private repositories via HTTPS. To switch to SSH, or to use SSH alongside HTTPS, we need to add the following snippets to the related files.

Atlantis SSH configuration for Private Repositories

For More About Insider

As of now, we handle over 50k requests per second with petabytes of data flow; hence, non-stop thriving is our motto. If you would like to learn more about our niche work, you may follow our Medium page.

Thanks for your time.
