Atlantis is tool which provides unified workflow for collaborating on Terraform through GitHub and GitLab.
This repository contains Terraform infrastructure code which creates AWS resources required to run Atlantis on AWS, including:
- Virtual Private Cloud (VPC)
- SSL certificate using Amazon Certificate Manager (ACM)
- Application Load Balancer (ALB)
- Domain name using AWS Route53 which points to ALB
- AWS Elastic Cloud Service (ECS) and AWS Fargate running Atlantis Docker image
- AWS Parameter Store to keep secrets and access them in ECS task natively
AWS Fargate is used instead of AWS ECS/EC2 to reduce the bill, and it is also a cool AWS service.
Depending on which SCM system you use, Github repositories or Gitlab projects has to be configured to post events to Atlantis webhook URL.
See README.md in examples for Github or Gitlab for complete details.
Before using Atlantis and the code in this repository please make sure that you have read and understood the security implications described in the official Atlantis documentation.
As often with the code published in terraform-aws-modules GitHub organization you should have everything to run this code and get Atlantis up and running.
There are three ways to do this:
- Clone this github repository:
$ git clone [email protected]:terraform-aws-modules/terraform-aws-atlantis.git
$ cd terraform-aws-atlantis
-
Copy sample
terraform.tfvars.sampleintoterraform.tfvarsand specify required variables there. -
Run
terraform initto download required providers and modules. -
Run
terraform applyto apply the Terraform configuration and create required infrastructure. -
Run
terraform output atlantis_urlto get URL where Atlantis is publicly reachable. (Note: It may take a minute or two to get it reachable for the first time) -
Github webhook is automatically created if
github_token,github_organizationandgithub_repo_nameswere specified. Read Add GitHub Webhook in the official Atlantis documentation or check example "GitHub repository webhook for Atlantis" to add more webhooks.
This way allows integration with your existing Terraform configurations.
module "atlantis" {
source = "terraform-aws-modules/atlantis/aws"
name = "atlantis"
# VPC
cidr = "10.20.0.0/20"
azs = ["eu-west-1a", "eu-west-1b", "eu-west-1c"]
private_subnets = ["10.20.1.0/24", "10.20.2.0/24", "10.20.3.0/24"]
public_subnets = ["10.20.101.0/24", "10.20.102.0/24", "10.20.103.0/24"]
# DNS (without trailing dot)
route53_zone_name = "example.com"
# ACM (SSL certificate) - Specify ARN of an existing certificate or new one will be created and validated using Route53 DNS
certificate_arn = "arn:aws:acm:eu-west-1:135367859851:certificate/70e008e1-c0e1-4c7e-9670-7bb5bd4f5a84"
# Atlantis
atlantis_github_user = "atlantis-bot"
atlantis_github_user_token = "examplegithubtoken"
atlantis_repo_whitelist = ["github.com/terraform-aws-modules/*"]
}This way allows integration with your existing AWS resources - VPC, public and private subnets. Specify the following arguments (see methods described above):
vpc_id = "vpc-1651acf1"
private_subnet_ids = ["subnet-1fe3d837", "subnet-129d66ab"]
public_subnet_ids = ["subnet-1211eef5", "subnet-163466ab"]
If vpc_id is specified it will take precedence over cidr and existing VPC will be used. private_subnet_ids and public_subnet_ids must be specified also.
Make sure that both private and public subnets were created in the same set of availability zones (ALB will be created in public subnets, ECS Fargate service in private subnets).
If all provided subnets are public (no NAT gateway) then ecs_service_assign_public_ip should be set to true.
- AWS Route53 zone is not created by this module, so zone specified as a value in
route53_zone_nameshould be created before using this module. Check documentation for aws_route53_zone. - Currently this module configures Atlantis in a way that it can not be used to work with GitHub and Gitlab simultaneously (can't make list of ECS secrets conditionally).
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| acm_certificate_domain_name | Route53 domain name to use for ACM certificate. Route53 zone for this domain should be created in advance. Specify if it is different from value in route53_zone_name |
string | "" |
no |
| alb_ingress_cidr_blocks | List of IPv4 CIDR ranges to use on all ingress rules of the ALB. | list | [ "0.0.0.0/0" ] |
no |
| allow_repo_config | When true allows the use of atlantis.yaml config files within the source repos. | string | "false" |
no |
| atlantis_allowed_repo_names | Github repositories where webhook should be created | list | [] |
no |
| atlantis_github_user | GitHub username that is running the Atlantis command | string | "" |
no |
| atlantis_github_user_token | GitHub token of the user that is running the Atlantis command | string | "" |
no |
| atlantis_github_user_token_ssm_parameter_name | Name of SSM parameter to keep atlantis_github_user_token | string | "/atlantis/github/user/token" |
no |
| atlantis_gitlab_hostname | Gitlab server hostname, defaults to gitlab.com | string | "gitlab.com" |
no |
| atlantis_gitlab_user | Gitlab username that is running the Atlantis command | string | "" |
no |
| atlantis_gitlab_user_token | Gitlab token of the user that is running the Atlantis command | string | "" |
no |
| atlantis_gitlab_user_token_ssm_parameter_name | Name of SSM parameter to keep atlantis_gitlab_user_token | string | "/atlantis/gitlab/user/token" |
no |
| atlantis_image | Docker image to run Atlantis with. If not specified, official Atlantis image will be used | string | "" |
no |
| atlantis_port | Local port Atlantis should be running on. Default value is most likely fine. | string | "4141" |
no |
| atlantis_repo_whitelist | List of allowed repositories Atlantis can be used with | list | n/a | yes |
| atlantis_version | Verion of Atlantis to run. If not specified latest will be used | string | "latest" |
no |
| azs | A list of availability zones in the region | list | [] |
no |
| certificate_arn | ARN of certificate issued by AWS ACM. If empty, a new ACM certificate will be created and validated using Route53 DNS | string | "" |
no |
| cidr | The CIDR block for the VPC which will be created if vpc_id is not specified |
string | "" |
no |
| cloudwatch_log_retention_in_days | Retention period of Atlantis CloudWatch logs | string | "7" |
no |
| container_memory_reservation | The amount of memory (in MiB) to reserve for the container | string | "128" |
no |
| create_route53_record | Whether to create Route53 record for Atlantis | string | "true" |
no |
| custom_container_definitions | A list of valid container definitions provided as a single valid JSON document. By default, the standard container definition is used. | string | "" |
no |
| custom_environment_secrets | List of additional secrets the container will use (list should contain maps with name and valueFrom) |
list | [] |
no |
| custom_environment_variables | List of additional environment variables the container will use (list should contain maps with name and value) |
list | [] |
no |
| ecs_service_assign_public_ip | Should be true, if ECS service is using public subnets (more info: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_cannot_pull_image.html) | string | "false" |
no |
| ecs_service_deployment_maximum_percent | The upper limit (as a percentage of the service's desiredCount) of the number of running tasks that can be running in a service during a deployment | string | "200" |
no |
| ecs_service_deployment_minimum_healthy_percent | The lower limit (as a percentage of the service's desiredCount) of the number of running tasks that must remain running and healthy in a service during a deployment | string | "50" |
no |
| ecs_service_desired_count | The number of instances of the task definition to place and keep running | string | "1" |
no |
| ecs_task_cpu | The number of cpu units used by the task | string | "256" |
no |
| ecs_task_memory | The amount (in MiB) of memory used by the task | string | "512" |
no |
| name | Name to use on all resources created (VPC, ALB, etc) | string | "atlantis" |
no |
| policies_arn | A list of the ARN of the policies you want to apply | list | [ "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy" ] |
no |
| private_subnet_ids | A list of IDs of existing private subnets inside the VPC | list | [] |
no |
| private_subnets | A list of private subnets inside the VPC | list | [] |
no |
| public_subnet_ids | A list of IDs of existing public subnets inside the VPC | list | [] |
no |
| public_subnets | A list of public subnets inside the VPC | list | [] |
no |
| route53_zone_name | Route53 zone name to create ACM certificate in and main A-record, without trailing dot | string | "" |
no |
| ssm_kms_key_arn | ARN of KMS key to use for entryption and decryption of SSM Parameters. Required only if your key uses a custom KMS key and not the default key | string | "" |
no |
| tags | A map of tags to use on all resources | map | {} |
no |
| vpc_id | ID of an existing VPC where resources will be created | string | "" |
no |
| webhook_ssm_parameter_name | Name of SSM parameter to keep webhook secret | string | "/atlantis/webhook/secret" |
no |
| Name | Description |
|---|---|
| atlantis_allowed_repo_names | Github repositories where webhook should be created |
| atlantis_url | URL of Atlantis |
| atlantis_url_events | Webhook events URL of Atlantis |
| task_role_arn | The Atlantis ECS task role arn |
| vpc_id | ID of the VPC that was created or passed in |
| webhook_secret | Webhook secret |
Module is created and maintained by Anton Babenko.
Seth Vargo has created atlantis-on-gke(Terraform configurations for running Atlantis on Google Kubernetes Engine). This inspired me to do similar stuff for AWS Fargate.
Apache 2 Licensed. See LICENSE for full details.
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent