Using Atlantis To Automate Terraform

Boris Bakshiyev
Published in payu-engineering
3 min read · Jun 9, 2021

As a DevOps engineer at ZOOZ for over one year now, I have been working with an almost fully automated deployment system. The only part missing was the ability to deliver automated Terraform operations. One of my team members came across an open-source automation tool called Atlantis, a tool that, as it seemed, could bring us the last part of automation we were missing!

Using Terraform locally on your computer has some drawbacks

When everyone is executing Terraform on their own computers, it's hard to know the current state of your infrastructure:

  • Is what’s in master deployed?
  • Did someone forget to create a merge request for that latest change?
  • What was the output from that last terraform apply?
  • Who should get permissions for running Terraform?

Well, with Atlantis those drawbacks vanished. And as a bonus, we got new features we didn’t even know about!

How does Atlantis work?

  1. For every merge request that touches a Terraform project, Atlantis runs `terraform plan` and posts the output as a comment on the merge request.
  2. You and your reviewers read the `plan` output and approve the merge request.
  3. You comment `atlantis apply` on the merge request.
  4. Atlantis runs `terraform apply` against the plan file it saved in step 1, so what gets applied is exactly what was reviewed.
  5. On a successful apply, Atlantis comments the result back and, if automerge is enabled, merges the merge request.

What did we gain by using Atlantis?

Increased visibility

With Atlantis, everything happens on the merge request: the plan, the approval, the `apply` command and its output are all recorded as comments. The merge request history is therefore an audit trail of what was done to your infrastructure, when, and by whom.

Collaboration with everyone

You no longer have to hand out Terraform or cloud credentials to everyone in your engineering organization: only the Atlantis service holds them. Anyone can open a merge request on the Terraform project, and you can require the merge request to be approved before Atlantis will apply it, so nothing happens accidentally. Keep in mind that whoever gets an apply through is effectively running Terraform (including any `local-exec` provisioners) with Atlantis's credentials, so the approval requirement is the real access control, not a formality.

Better reviews of Terraform merge requests

You can't fully review a Terraform change without seeing the output of a `terraform plan`.

Now that the output is posted automatically as a merge request comment, reviews are easier and faster. It also ensures that changes are applied before they are merged to master, so what is in master is what has actually been applied.

Standardized workflows

When Atlantis plans a merge request, it locks that directory/workspace for that merge request until the request is merged, or until the lock is deleted manually (with an `atlantis unlock` comment or from the Atlantis UI). Another merge request touching the same project cannot plan or apply in the meantime, which prevents two changes from racing on the same state and ensures changes are applied in the expected order.

The exact commands that Atlantis runs are configurable. You can define custom workflows that run your own scripts before or after each step to construct your ideal workflow.
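Here is an added example, not from the original post or from ZOOZ's deployment, of how the five steps above and the configurable commands just mentioned are expressed in Atlantis's two configuration files: the server-side repos.yaml and the repo-level atlantis.yaml. The project name, directory, Terraform version and the policy-check script path are assumptions.

```yaml
# --- repos.yaml: server-side config, passed to the Atlantis server with --repo-config ---
# Applies to every repository Atlantis serves. Anything the repo-level file is not allowed
# to override here is enforced regardless of what a merge request author commits.
repos:
  - id: /.*/                                 # every repository on this VCS host
    apply_requirements: [approved, mergeable] # `atlantis apply` is refused until the MR is
                                              # approved and has no merge conflicts
    allowed_overrides: [workflow]             # repos may pick a workflow, not drop the gate
    allow_custom_workflows: true              # repos may define their own workflows
    workflow: default

---
# --- atlantis.yaml: repo-level config, committed at the root of the Terraform repository ---
version: 3
automerge: true                   # step 5: merge the MR once every project applied successfully
projects:
  - name: prod-network            # assumed project name
    dir: envs/prod/network        # assumed directory; this is what Atlantis locks per MR
    workspace: default
    terraform_version: v0.14.11   # assumed; pin it so plan and apply use the same binary
    autoplan:
      enabled: true               # step 1: plan automatically when the MR is opened or updated
      when_modified: ["*.tf", "../../../modules/**/*.tf"]  # paths relative to dir
    workflow: checked
workflows:
  checked:
    plan:
      steps:
        - init
        - run: ./scripts/policy-check.sh    # assumed custom script, runs before the plan
        - plan:
            extra_args: ["-lock-timeout=60s"]
    apply:
      steps:
        - apply                   # step 4: applies the plan file saved in step 1
```

Because `apply_requirements` is not listed in `allowed_overrides`, a merge request cannot weaken the approval gate by editing atlantis.yaml; the server-side file wins. The `run` step is where the "custom scripts" mentioned above go, and a non-zero exit from it fails the plan, so the merge request never reaches the apply step.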

Implementation at ZOOZ

We decided to deploy Atlantis as an AWS Fargate service, and do some custom modifications:

Changing Terraform modules to use HTTPS

Our Terraform modules were referenced with SSH sources, so `terraform init` inside the Atlantis container tried to clone them over SSH and failed at SSH authentication, because the container holds no SSH key. The options were either to add SSH keys to the Atlantis container or to switch the module sources from SSH to HTTPS. With HTTPS, the container only has to validate the Git server's TLS certificate. For private module repositories on the same Git host, Atlantis can also write its own VCS token into a `.git-credentials` file (the `--write-git-creds` server flag), so the clone authenticates without distributing a separate secret.

Minimizing the module provided by Atlantis

The Terraform module that the Atlantis documentation points to for a Fargate deployment works without any modification and is flexible enough to suit almost any environment. That flexibility also means it carries a lot of optional resources and inputs that we did not require, so we trimmed it down to what our deployment actually uses.

Customizing the Atlantis docker image

Eventually, we built our own Atlantis Docker image, because the AWS CLI binary had to be present in the container for our `local-exec` provisioners to run. For tighter security, each Atlantis deployment is granted permissions in exactly one AWS account, and every AWS account gets its own Atlantis deployment, so a mistake or a compromise in one account's pipeline cannot reach another account.
