infracost / infracost-atlantis

Atlantis integration for Infracost. Shows cloud cost estimates for Terraform in pull requests.

Home Page: https://infracost.io

License: Apache License 2.0

Dockerfile 83.09% Shell 16.91%
aws gcp infrastructure-as-code cost-estimation atlantis terraform-cost-estimation devops terraform

infracost-atlantis's People

Contributors

7onn, alikhajeh1, aliscott, alyragab, bmbferreira, chenrui333, ddiaz-eblock, drfaust92, hugorut, jmreicha, matizgal, ondrejbilcik, roberdvs, shyamjos, tim775, vdmgolub, vyshakprojects

infracost-atlantis's Issues

Warnings/deprecations fail Atlantis plans/applys

A user mentioned the following; we should test the integration with the latest version of Infracost and the latest version of Atlantis to see if we can reproduce this:

I'm not sure if it's Infracost and the way it runs the Terraform commands or the newer version of Atlantis we installed when we enabled Infracost, but our Atlantis Plans/Applys show as failed in the GitHub comments now if either of these are true.
Warnings about targeted plan/apply
Deprecation warnings in the plan/apply

Different paths for infracost.json used in Azure DevOps documentation

I just implemented infracost with Atlantis for a small POC and found that the json path is differently configured in different places. I used the docs here: https://github.com/infracost/infracost-atlantis/blob/master/examples/combined-infracost-comment/README.md#running-with-azure-repos
In the post workflow hook the path is --path /tmp/$BASE_REPO_OWNER-$BASE_REPO_NAME-$PULL_NUM/'*'-infracost.json while in the workflow the path is /tmp/${BASE_REPO_OWNER//\//-}-$BASE_REPO_NAME-$PULL_NUM-$WORKSPACE-${REPO_REL_DIR//\//-}-infracost.json.
Took me a while to see the issue, but in the post workflow hook a subdirectory is expected after the $PULL_NUM while in the workflow a simple dash is configured. The other docs look correct, although I did not test them, only Azure DevOps has this typo it seems.

[Doubt] How to use Github + Terragrunt

I'm following the docs, but I'm confused about how to set up the post_workflow_hook together with a Terragrunt setup.

My repoConfig:

repoConfig: |
  repos:
  - id: "/.*/"
    workflow: terragrunt
    pre_workflow_hooks: #TGENV and TFENV setup
      - run: git clone --depth=1 https://github.com/tfutils/tfenv.git /home/atlantis/.tfenv && git clone https://github.com/cunymatthieu/tgenv.git /home/atlantis/.tgenv
      - run: chmod -R +x .tgenv/bin .tfenv/bin
  workflows:
    terragrunt:
      plan:
        steps:
        - env:
            name: INFRACOST_OUTPUT
            command: 'echo "/tmp/$BASE_REPO_OWNER-$BASE_REPO_NAME-$PULL_NUM/$WORKSPACE-${REPO_REL_DIR//\//-}-infracost.json"'
        - env:
            name: TERRAGRUNT_TFPATH
            command: 'echo "terraform${ATLANTIS_TERRAFORM_VERSION}"'        
        - env:
            name: PATH #Set PATH of binaries of TGenv and TFenv at atlantis user /home
            command: 'echo "${PATH}:${HOME}/.tgenv/bin:${HOME}/.tfenv/bin"'
        - run: echo "Setup Terragrunt version if necessary"
        - run: tgenv install
        - run: echo "Running Terragrunt Plan now!"        
        - run: terragrunt plan -input=false -out=$PLANFILE
        - run: terragrunt show -json $PLANFILE > $SHOWFILE
      apply:
        steps:
        - env:
            name: PATH
            command: 'echo "${PATH}:${HOME}/.tgenv/bin:${HOME}/.tfenv/bin"'
        - run: terragrunt apply -input=false $PLANFILE

Because this example is about running with Terraform.

Can someone help me understand this better?

Update 1

After running the atlantis plan in my pull request, it returns:

running "infracost breakdown --path=$PLANFILE --format=json --out-file=/tmp/$BASE_REPO_OWNER-$BASE_REPO_NAME-$PULL_NUM-$WORKSPACE-$REPO_REL_DIR-infracost.json" in "/atlantis-data/repos/TiendaNube/terragrunt/47/default/providers/aws/linkedstore/stg/us-west-2/engenharia/sre/sqs-apresentacao": exit status 1: running "infracost breakdown --path=$PLANFILE --format=json --out-file=/tmp/$BASE_REPO_OWNER-$BASE_REPO_NAME-$PULL_NUM-$WORKSPACE-$REPO_REL_DIR-infracost.json" in "/atlantis-data/repos/TiendaNube/terragrunt/47/default/providers/aws/linkedstore/stg/us-west-2/engenharia/sre/sqs-apresentacao": 
time="2022-12-08T00:52:08Z" level=info msg="Detected Terraform plan binary file at /atlantis-data/repos/TiendaNube/terragrunt/47/default/providers/aws/linkedstore/stg/us-west-2/engenharia/sre/sqs-apresentacao/default.tfplan"

Error: Could not detect Terraform directory for /atlantis-data/repos/TiendaNube/terragrunt/47/default/providers/aws/linkedstore/stg/us-west-2/engenharia/sre/sqs-apresentacao/default.tfplan.
Either the current working directory or the plan file's parent directory must be a Terraform directory.

If the above does not work you can generate the plan JSON file with:
terraform show -json tfplan.binary > plan.json
and then run Infracost with --path=plan.json

[...]

WORKSPACE and REPO_REL_DIR not available on post_workflow_hooks

Hello, I was configuring a post_workflow_hooks to add a comment on my PR with Infracost information, but nothing was happening. After debugging for a while, I found that the WORKSPACE and REPO_REL_DIR variables were not available in post_workflow_hooks, so Atlantis couldn't find the path with the Infracost information to post the comment. My current setup is configured with Atlantis + Terragrunt.

Here is some information below:
terragrunt-infracost:

    plan:
      steps:
        - env:
            name: INFRACOST_OUTPUT
            command: 'echo "/tmp/$BASE_REPO_OWNER-$BASE_REPO_NAME-$PULL_NUM-$WORKSPACE-${REPO_REL_DIR//\//-}-infracost.json"'
        - env:
            name: TERRAGRUNT_TFPATH
            command: 'echo "terraform${ATLANTIS_TERRAFORM_VERSION}"'
        - run: terragrunt plan -out=$PLANFILE
        - run: terragrunt show -json $PLANFILE > $SHOWFILE

post_workflow_hooks:

        - run: |
            echo "testing post_workflow_hooks for PR $PULL_NUM" >> /tmp/test.txt
            echo "/tmp/$BASE_REPO_OWNER-$BASE_REPO_NAME-$PULL_NUM-$WORKSPACE/'*'-infracost.json"
            # post_workflow_hooks are executed after the repo workflow has run.
            # This enables you to post an Infracost comment with the combined cost output
            # from all your projects. However, post_workflow_hooks are also triggered when
            # an apply occurs. In order to stop commenting on PRs twice we need to check
            # if the Infracost output directory created in our 'plan' stage exists before continuing.
            echo "before if stage exists" >> /tmp/test.txt
            echo "/tmp/$BASE_REPO_OWNER-$BASE_REPO_NAME-$PULL_NUM-$WORKSPACE" >> /tmp/test.txt
            echo "WORKSPACE: $WORKSPACE" >> /tmp/test.txt
            echo "REPO_REL_DIR: ${REPO_REL_DIR//\//-}" >> /tmp/test.txt
            if [ ! -d "/tmp/$BASE_REPO_OWNER-$BASE_REPO_NAME-$PULL_NUM-$WORKSPACE" ]; then
              exit 0
            fi
            echo "after if stage exists" >> /tmp/test.txt
            # Choose the commenting behavior, 'new' is a good default:
            # new: Create a new cost estimate comment on every run of Atlantis for each project.
            # update: Create a single comment and update it. The "quietest" option.
            # hide-and-new: Minimize previous comments and create a new one.
            # delete-and-new: Delete previous comments and create a new one.
            echo "before infracost comment" >> /tmp/test.txt
            echo "--repo $BASE_REPO_OWNER/$BASE_REPO_NAME" >> /tmp/test.txt
            echo "--pull-request $PULL_NUM" >> /tmp/test.txt
            echo "--path /tmp/$BASE_REPO_OWNER-$BASE_REPO_NAME-$PULL_NUM-$WORKSPACE/'*'-infracost.json" >> /tmp/test.txt
            echo "--github-token $GITHUB_TOKEN" >> /tmp/test.txt
            infracost comment github --repo $BASE_REPO_OWNER/$BASE_REPO_NAME \
                                      --pull-request $PULL_NUM \
                                      --path /tmp/$BASE_REPO_OWNER-$BASE_REPO_NAME-$PULL_NUM-$WORKSPACE/'*'-infracost.json \
                                      --github-token $GITHUB_TOKEN \
                                      --behavior new
            # remove the Infracost output directory so that `infracost comment` is not
            # triggered on an `atlantis apply`
            echo "before deleting foolder" >> /tmp/test.txt
            rm -rf /tmp/$BASE_REPO_OWNER-$BASE_REPO_NAME-$PULL_NUM-$WORKSPACE

debug output:

bash-5.1$ cat test.txt 
testing post_workflow_hooks for PR 175
before if stage exists
/tmp/org-respository-175-
WORKSPACE: 
REPO_REL_DIR: 
after if stage exists
before infracost comment
--repo org/repository
--pull-request 175
--path /tmp/org-repository-175-/'*'-infracost.json
--github-token 123456

As a workaround to solve this issue, I stopped using WORKSPACE in my Infracost output path and created a single folder for my PR, /tmp/$BASE_REPO_OWNER-$BASE_REPO_NAME-$PULL_NUM/, with all outputs inside.
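
The workaround described in the issue above (one directory per pull request, with WORKSPACE and REPO_REL_DIR only in the file name), written out as an added POSIX shell example; it is not code from the infracost-atlantis repository, and `INFRACOST_BASE` and the function names are hypothetical. Deriving the plan step's output path and the hook's directory from one function also rules out the writer/reader mismatch reported in the Azure DevOps issue earlier on this page, empty variables are rejected before anything is removed, and the token is logged only as set or unset.

```shell
#!/bin/sh
# Added example, not code from the infracost-atlantis repo. INFRACOST_BASE and
# the function names are hypothetical; arguments mirror the Atlantis variables.

# Replace "/" with "-" so "org/project" cannot add a directory level.
flatten() { printf '%s' "$1" | tr '/' '-'; }

# Per-PR directory shared by the plan step (writer) and the hook (reader).
# Args: owner, repo name, pull number; all three are set in post_workflow_hooks.
pr_dir() (
  for v in "$1" "$2" "$3"; do
    [ -n "$v" ] || { echo "pr_dir: empty path component" >&2; exit 1; }
  done
  printf '%s/%s-%s-%s\n' "${INFRACOST_BASE:-/tmp}" "$(flatten "$1")" "$(flatten "$2")" "$3"
)

# Writer side (plan step): workspace ($4) and repo-relative dir ($5) go into
# the file name only, never into the directory name.
out_file() (
  dir=$(pr_dir "$1" "$2" "$3") || exit 1
  [ -n "$4" ] && [ -n "$5" ] || { echo "out_file: empty workspace/dir" >&2; exit 1; }
  printf '%s/%s-%s-infracost.json\n' "$dir" "$4" "$(flatten "$5")"
)

# Reader side (hook): count files the '*'-infracost.json pattern would match.
count_outputs() (
  dir=$(pr_dir "$1" "$2" "$3") || exit 1
  n=0
  for f in "$dir"/*-infracost.json; do
    if [ -f "$f" ]; then n=$((n + 1)); fi
  done
  echo "$n"
)

# Remove the per-PR directory. An empty variable makes pr_dir fail first, so it
# cannot shorten the rm -rf target.
cleanup() (
  dir=$(pr_dir "$1" "$2" "$3") || exit 1
  rm -rf -- "$dir"
)

# Debug logging without the secret: report only whether a token is set.
token_state() { if [ -n "$1" ]; then echo "set (redacted)"; else echo "unset"; fi; }
```

In a hook, a `count_outputs` result of 0 means the plan step wrote nothing under the directory the comment step is about to read, which is the condition to check before calling `infracost comment`.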

Output details on failure but don't fail the build

This feedback is from a user:

Sometimes infracost script silently fails our atlantis workflow without showing any exceptions and since we depend on Atlantis success plan before merge - it blocks our workflow.

Allow `--github-token` to read from ~/.git-credentials

Hello,

I am using Github App for Git Host authentication with Atlantis. I have a private repo, so ATLANTIS_WRITE_GIT_CREDS is set to true so that it writes git credentials to /home/atlantis/.git-credentials

infracost comment github should read from this file for the --github-token value

Can we add some guides on integrating Infracost alongside existing policy_checks

Many of us will already be using policy_check to check the terraform plan output and run conftest against it.

There is a lack of documentation available on how to achieve both conftest on the terraform plan file and the infracost json output.

Though conftest makes available --combine this is less than optimal as it would mean re-writing all existing policies to accommodate the combined input sources.

Thoughts?

Allow passing in `GITHUB_TOKEN` as an env var instead of a flag

In the official integration docs, it shows a custom workflow with the following.

          infracost comment github --repo $BASE_REPO_OWNER/$BASE_REPO_NAME \
                                   --pull-request $PULL_NUM \
                                   --path /tmp/$BASE_REPO_OWNER-$BASE_REPO_NAME-$PULL_NUM/'*'-infracost.json \
                                   --github-token $GITHUB_TOKEN \
                                   --behavior new

I'd much rather omit the --github-token and have infracost comment github subcommand read the token from an environment variable. Is this possible today? If so, can we update the docs accordingly? If not, could this gh issue serve as a feature request to enable that?

Infracost comment Error reading JSON file

Seems I have run into an issue configuring infracost to run with Terraform/Terragrunt. Following the docs here and basically adapting the config to work with GH.

Receiving the following error:

Error running post-workflow hooks exit status 1: running "infracost comment github --repo $BASE_REPO_OWNER/$BASE_REPO_NAME \\\n  --pull-request $PULL_NUM \\\n  --path /tmp/$BASE_REPO_OWNER-$BASE_REPO_NAME-$PULL_NUM/'*'-infracost.json \\\n  --github-token $ATLANTIS_GH_TOKEN \\\n  --behavior hide-and-new\n" in "/home/atlantis/.atlantis/repos/foo/4532/default": 
Error: Error reading JSON file: open /tmp/foo-4532/*-infracost.json: no such file or directory

It looks like something doesn't quite look right with the flag syntax on the comment command? I have looked and the /tmp/foo-4532 directory exists but not sure what else I'm missing.

Support arm image

Will arm image be supported?
Currently, only amd images seem to be supported.

Update to atlantis 0.27.3

The latest atlantis release, version 0.27.3 resolves a problem where atlantis can't download terraform version 1.8.2. Can we please get an update to this image to use the latest atlantis release?

Add Bitbucket example

Currently there is no precise Bitbucket example (unlike others like GH and Gitlab).

I'll try to work on this myself as I'm currently doing this integration.

Version the infracost-atlantis integration and setup corresponding Docker tags

From the community slack:
jwr: unrelated to my initial problem, but speaking of docker tags... since there's only a :latest tag being offered, how do terraform upgrades work? would there be a scenario when a new :latest gets pushed and the TF version that we're pinned on becomes unavailable?

me: The infracost-atlantis image just does this, I doubt atlantis would remove those TF versions but you raise a good point, we should start to version the infracost-atlantis integration repo itself. There’s also this ticket so we pin the infracost CLI version too.

Switch to using latest release of atlantis_diff.sh

We can update this repo's Dockerfile to use the latest released version of infracost's atlantis_diff.sh; something like this might help:

curl -s -L https://api.github.com/repos/infracost/infracost/releases/latest | jq '.tarball_url' | xargs curl -s -L | tar xz -C /tmp/infracost...
