That custom atlantis
docker image was created in order to install few helpful tools into "stock" solution:
terragrunt-atlantis-config
- script that dynamically generatesatlantis.yaml
for terragrunt configurationscheckov
(via asdf) - security and "best-practice" scanner (static code analysis)asdf
- version manager used to install needed packeges and versions http://asdf-vm.com/terragrunt
(via asdf) - thin terraform wrapperterraform
(via asdf) - IaC automationhelm
(via asdf) - k8s package manager used byhelm
terraform providerkubectl
(via asdf) - k8s CLI tool used bykubernetes
terraform providertflint
(via asdf) - a pluggable terraform linterterraform-docs
(via asdf) - a utility to generate documentation from terraform modules in various output formatsjq
(via asdf) - command line JSON parseryq
(via asdf) - command like YAML parserglab
(via asdf) - GitLab CLI clientaz-cli
(via pip) - Azure CLIinfracost
(via asdf) - cloud cost estimatesaws-cli
(via apk) - AWS CLI
Files found in the repo:
Dockerfile
is based on an official atlantis docker file (https://github.com/runatlantis/atlantis/blob/v0.17.3/Dockerfile) with some additional tweaks (asdf installation and configuration)check-gitlab-approvals.sh
is a script, intended to work around GitLab CE repository security limitations (CODEOWNERS, allowed approvers, etc.)approval-config-example.yaml
is a sample approver config used bycheck-gitlab-approvers.sh
scriptpull-gitlab-variables.sh
is a script that pulls GitLab variables and creates string with environment variables to be used by Atlantis inmultienv
step (see: https://www.runatlantis.io/docs/custom-workflows.html#multiple-environment-variables-multienv-command)
Free versions of all major VCS systems (GitHub, GitLab, Bitbucket) introduce a set of limitations that should encourage it's users to pay for the service. One of those limitations is no CODEOWNERS
support
and no ability to configure "allowed approvers" in free repositories.
Since Atlantis security depends on VCS level reviews (every approved MR/PR can be atlantis apply
ed) it is crucial to somehow workaround this limitations.
We use hosted GitLab as our primary VCS in GetInData, also self-hosted version of GitLab is very popular among our clients. We're also big fans of Atlantis and engineers in the same time - which took us to obvious conclusions - we should create a solution that allows our clients to use self-hosted GitLab CE and Atlantis securely.
As a result we created a simple bash script check-gitlab-approval.sh that uses GitLab CLI called glab
and few other popular bash tools to verify MR approvals. Script's configuration is stored in
yaml format and can be mounted/saved into the image or passed via environment variable, example configuration can be found here.
This script is intended to be used as one of apply
steps in custom Atlantis workflow, example:
workflows:
myworkflow:
plan:
steps:
- init
- plan
apply:
steps:
- run: check-gitlab-approvals.sh
- apply
During the execution, script checks if any of approving users are present in approval-config.yaml
file. It fails (returns error) when none of approving users were allowed by configuration, blocking atlantis workflow (and apply step).
Pull requests are built automatically using https://github.com/getindata/docker-image-template
Merged pull requests create new release and upload new images automatically. Check changelog for details.
Contributions are very welcomed!
Start by reviewing contribution guide and our code of conduct. After that, start coding and ship your changes by creating a new PR.
Apache 2 Licensed. See LICENSE for full details.
Made with contrib.rocks