Adds support for specifying the atlantis.yaml filename on the server side #310
…atlantis.yaml config file to use. This means multiple Atlantis servers can point at the same repo (e.g. for prod and staging).
Codecov Report
@@ Coverage Diff @@
## master #310 +/- ##
==========================================
+ Coverage 70.54% 70.58% +0.04%
==========================================
Files 61 61
Lines 3639 3644 +5
==========================================
+ Hits 2567 2572 +5
Misses 893 893
Partials 179 179
@darrylb-github was thinking about this some more and wonder if a So, for example a PR that merges into If not based on the target branch, how are you approaching it? project folders per account? dedicated repos per account?
@osterman We don't use gitflow approach so for us in that scenario we would keep those files in master and do separate PRs for dev/staging/prod changes. The staging atlantis server would monitor the dev and staging files and the production atlantis server would monitor prod. We don't have long lived branches outside of master like develop / staging etc, so our PRs all go into master.
What about the scenario where you have this scenario?
Each account would have an Atlantis, but one would run for 3 environments. Would this work in that scenario? It seems so, but I just wanted to verify.
@johncblandii Yup, that should work no problem as you expect. One atlantis server would use creds from account 1 and the other from account 2. You'd then point the server using account 1 at an atlantis.yaml config looking at dev terraform files and the second server using account 2 at another atlantis.yaml config looking at prod, uat and support terraform files. You then set up two webhooks, one for each server. Both will fire every time but only one will come back with a plan depending on which terraform files change.
Excellent. Thx @darrylb-github.
@lkysow any feedback on this PR?
I'm looking forward to this. Anything I can assist with?
Hey @lkysow, Any feedback on this PR? Anything else I need to do to get it considered for merging? Thanks,
Same here @sstarcher. I have a PR pending this release so I'm def' willing to help however I can.
I'm writing up an RFC to cover multi-account deployments. I understand that this is one way to accomplish multi-account, however this specific method might not work for all use cases. I want to make sure everyone has a chance to speak to their use-case so we can find the best way to get this functionality into Atlantis. If I merge this PR today then we have to support this functionality for many years, even if we find a better way to accomplish what you're trying to do. I want to avoid making that mistake.
@johncblandii I'm curious what your PR builds on top of this. Want to get that into the RFC.
@lkysow my PR is an internal deployment and configuration of Atlantis. It doesn't build upon, but I'm awaiting this so I can implement these features. Sorry for the confusion.
@darrylb-github do you have separate workflows for each account? That is, is the yaml in your staging config different from your production one? If so, in what way? Or is the one file for staging, one for prod just to get Atlantis to ignore webhooks that pertain to one account?
@lkysow They are very similar, but our staging one has 2 workflows (dev and staging) and production just one. These workflows just look at different directories, so for us we have 3 directories (dev, staging, prod) each with their own terraform configs and backends. The main reason we want to run 2 atlantis servers is so that we can use different AWS accounts and permissions, and have the atlantis server for each environment/account live in that account (vs sharing one atlantis server with resources from other accounts/environments). An atlantis server applying changes to our staging environment shouldn't have access to apply changes to our production account.
We have it up and running now with our fork. Here's how we're organizing it. We're doing a demo tomorrow. Each AWS account has a dedicated repo (e.g. for prod, staging, dev, root, testing, audit, etc) based on our geodesic base image. Each account runs its own atlantis daemon on ECS Fargate, so we can gate upgrades of atlantis like all other software. Sometimes we'll want multiple atlantis repo configs per repo, but most of the time we'll be okay with just one. https://github.com/cloudposse/root.cloudposse.co/blob/master/atlantis/root.yaml Here's an alternative approach where we can deploy one repo to multiple clusters by addressing atlantis differently ( We also are close to getting something working with submodules, so we can make We're assigning each We implemented We don't use terraform workspaces. State is isolated to each AWS account, which share nothing. @lkysow might help if we give you a demo to see how we're using it, so you can incorporate some ideas.
@lkysow is the draft RFC somewhere public where it can be viewed?
@lkysow I don't see the reason a server side config would be blocked by "multi-account RFC". My desire for a server side configuration is as a security measure to prevent users from running ad hoc commands in a highly elevated environment such as Atlantis.
Hey Shane, it's not blocked by multi-account. Server-side will come first. But this PR is about multi-account.
@lkysow ahh sorry after looking past the title that makes more sense. As the title currently is I thought it was the other ticket.
This can be accomplished by setting a different server-side workflow on each of your servers.
Hi @lkysow, Just to clarify, how would I use this to support staging and production environments looking at the same repo? I.e. production atlantis monitoring one directory in the repo and staging atlantis monitoring a different directory in the same repo. Example directory structure:
In this scenario I want the atlantis server running in the staging AWS account to monitor the staging folder and the atlantis server running in the production AWS account to monitor the production folder. How do I use server-side-workflows to instruct staging atlantis to only monitor the staging folder? 🤔 With the code in this PR I did this by having Thanks,
Ahh okay sorry server-side workflows might not work then. You could define both workflows on each server with staging's server using a no-op prod workflow and the prod server using a no-op staging workflow. But the status checks and empty comments might be annoying.
I'm in the exact same situation as you. A single terraform repo that has folders for our different environments spread across two different aws accounts. Did you happen to find a solution to your problem? I'd think that by using the server side repo config you'd run into the problem that @lkysow mentioned where atlantis would just comment back status checks and empty comments.
This allows setting different configs for different instances of atlantis, which is useful when wanting to run different servers for production and staging.
Our use case is to have separate production and staging Atlantis servers. This enables that by using multiple atlantis.yaml config files in the same repo and setting the --repo-config flag on each server. This allows you to launch a staging Atlantis server pointing at a staging atlantis.yaml file (e.g. --repo-config atlantis-staging.yaml) and a production Atlantis server pointing at a production atlantis.yaml file in the same repo (e.g. --repo-config atlantis-production.yaml).
This way you can use different credentials for staging and production and maintain cleaner separation between environments.
Related to #249
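
An added example, not taken from the PR or the Atlantis project: the two repo-level config files the description refers to, written for the three-directory layout (dev, staging, prod) mentioned in the thread. Project names and the autoplan patterns are assumptions, and --repo-config is used with the meaning this PR proposes.

```yaml
# Constructed example. Directory names (dev, staging, prod) follow the layout
# described in the thread; project names and autoplan patterns are assumptions.
# Set "version" to the schema version your Atlantis release expects.

# --- file: atlantis-staging.yaml (repo root) ---
# Read only by the server running in the staging AWS account, started with
# (other flags omitted):
#   atlantis server --repo-config atlantis-staging.yaml
version: 3
projects:
- name: dev
  dir: dev
  autoplan:
    enabled: true
    when_modified: ["*.tf"]   # relative to the project dir
- name: staging
  dir: staging
  autoplan:
    enabled: true
    when_modified: ["*.tf"]

---
# --- file: atlantis-production.yaml (repo root) ---
# Read only by the server running in the production AWS account, started with
# (other flags omitted):
#   atlantis server --repo-config atlantis-production.yaml
version: 3
projects:
- name: prod
  dir: prod
  autoplan:
    enabled: true
    when_modified: ["*.tf"]
```

Neither file lists a directory that belongs to the other server, so both webhooks fire on every pull request but only the server whose directories changed returns a plan. The isolation itself comes from each server holding only its own account's credentials; the file split only decides which server responds.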