Show HN: Atlantis workflow without a backend
2 by ujnproduct | 0 comments on Hacker News.
Last week we created a TF cloud alternative that could just run in GH actions and got an overwhelming response on Reddit. A lot of people recommended Atlantis as a way to run terraform plan and apply jobs in your CI. It is used by many great teams (Lyft for example) - however, we see the following issues:

- You need to deploy and maintain an Atlantis backend in your infrastructure
- It runs terraform commands locally on the same server it is installed in. This makes it tricky to achieve the high levels of isolation and repeatability that are typically needed in CI/CD scenarios

So we thought: does this really need a backend? Can we somehow make it work without a need to deploy a dedicated service and with terraform jobs running natively in GitHub Actions with proper isolation?

Actually, the only need that makes the Atlantis backend irreplaceable is code-level locks (not to be confused with state locks). But these can be stored in a database, accessed directly from the action - it can even be the same DB that is used by Terraform for state locks! So we’ve built a proof-of-concept that does just that: it stores higher-level locks in DynamoDB, so there’s no need for any backend.

It works like this:

- create a PR - this will create a lock
- comment digger plan - terraform plan output will be added as a comment
- create another PR - plan or apply won’t work in this PR until the first lock is released - you will get a "Locked by PR #1" comment

This proof-of-concept is very much a WIP - for example, there’s no support for apply, and then there are things like one PR applied making plans from other PRs think new resources need to be deleted, so you need to merge main before re-running plan - and other things like that.

Would love to hear what the HN community thinks!