Using Abbey with Atlantis
Last updated
In this tutorial, you'll learn how to use Abbey with Atlantis.
Abbey helps you manage the workflows for access requests and approvals, making it easier for people to get access to .
Atlantis is an application for automating Terraform via pull requests. It is deployed as a standalone application into your infrastructure. No third-party has access to your credentials.
By using Abbey and Atlantis together, you can:
Scalably manage your infrastructure access.
Standardize your workflows.
Increase visibility for how and when Terraform changes occur.
Create an account.
Have a account.
Setting up Atlantis involves 5 steps:
Make sure to follow the instructions on the Atlantis installation screen titled "Visit https://github.com/apps/installation//installations/new to install the app for your user or organization…".
Your connection won't be complete without doing this step.
You will be redirected to GitHub's website to perform the typical OAuth flow. Select repo scopes for your app, then install.
If you miss some of the above steps, you'll see an error when launching Atlantis:
Because you have set up GitHub using Atlantis's native GitHub App setup flow, you won't have to configure webhook secrets and a webhook URL.
You may configure Atlantis Secrets in one of two ways:
Using atlantis.yaml
Using environment variables
atlantis.yaml
GitHub App ID
App Key
Webhook Secret
Web Basic Auth
Web Username
Web Password
This is also where you can configure optional settings such as your Repo Allowlist.
To do this, prefix your variable names with ATLANTIS_.
Now you will configure your Terraform provider credentials.
For each Terraform Provider or Module you have in your repo, you will need to add credentials so Atlantis can make API calls (via the providers) to each of their services.
For example, if you have infrastructure configuration for GitHub, AWS, and Okta, you will need 3 sets of credentials, one for each of those services.
You will add your provider credentials in the same way as step 3 above, either using atlantis.yaml or environment variables.
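The two configuration forms above describe the same settings: a key such as gh-webhook-secret in the server config file (which this tutorial calls atlantis.yaml) corresponds to the environment variable ATLANTIS_GH_WEBHOOK_SECRET, while provider credentials are read by the Terraform providers themselves and must not get the ATLANTIS_ prefix. The following is an added example, not Abbey's or Atlantis's own code, that translates between the two forms and reports what steps 2 to 4 would still leave unset. The gh-* and web-* keys and the ATLANTIS_ prefix rule are Atlantis's real conventions; the AWS and GitHub variable names are those providers' documented ones, and the Okta names are assumed here for illustration.

```python
"""Translate Atlantis server settings between config-file keys and
ATLANTIS_-prefixed environment variables, and check for missing pieces.
Added example; not part of Abbey's or Atlantis's code."""
from typing import Dict, List

ENV_PREFIX = "ATLANTIS_"

# GitHub App settings the tutorial's step 3 asks for (Atlantis flag names).
REQUIRED_KEYS = ["gh-app-id", "gh-app-key-file", "gh-webhook-secret"]

# Provider credentials (step 4) are consumed by the providers, not Atlantis,
# so they keep their own names. AWS and GitHub names are the providers'
# documented variables; the Okta names are assumed for this example.
PROVIDER_ENV = {
    "aws": ["AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY"],
    "github": ["GITHUB_TOKEN"],
    "okta": ["OKTA_ORG_NAME", "OKTA_BASE_URL", "OKTA_API_TOKEN"],
}


def to_env_name(key: str) -> str:
    """'gh-webhook-secret' -> 'ATLANTIS_GH_WEBHOOK_SECRET'."""
    return ENV_PREFIX + key.upper().replace("-", "_")


def to_config_key(env_name: str) -> str:
    """'ATLANTIS_REPO_ALLOWLIST' -> 'repo-allowlist'."""
    if not env_name.startswith(ENV_PREFIX):
        raise ValueError(f"{env_name} is not an Atlantis setting")
    return env_name[len(ENV_PREFIX):].lower().replace("_", "-")


def config_to_env(config: Dict[str, str]) -> Dict[str, str]:
    """Render config-file keys as the equivalent environment variables."""
    return {to_env_name(k): str(v) for k, v in config.items()}


def env_to_config(env: Dict[str, str]) -> Dict[str, str]:
    """Pick only the Atlantis settings out of a process environment,
    leaving provider credentials (AWS_*, GITHUB_TOKEN, ...) untouched."""
    return {to_config_key(k): v for k, v in env.items() if k.startswith(ENV_PREFIX)}


def missing_settings(config: Dict[str, str], providers: List[str],
                     env: Dict[str, str]) -> List[str]:
    """List settings still unset: GitHub App keys, basic-auth credentials
    when web-basic-auth is enabled, and each used provider's credentials."""
    missing = [k for k in REQUIRED_KEYS if not config.get(k)]
    if str(config.get("web-basic-auth", "false")).lower() == "true":
        missing += [k for k in ("web-username", "web-password") if not config.get(k)]
    for provider in providers:
        missing += [v for v in PROVIDER_ENV[provider] if not env.get(v)]
    return missing


if __name__ == "__main__":
    # Constructed sample values for demonstration only.
    sample = {"gh-app-id": "123456", "gh-app-key-file": "/etc/atlantis/app.pem",
              "gh-webhook-secret": "example-secret", "web-basic-auth": "true",
              "web-username": "ops", "repo-allowlist": "github.com/acme/*"}
    print(config_to_env(sample))
    print(missing_settings(sample, ["aws"], {"AWS_ACCESS_KEY_ID": "AKIAEXAMPLE"}))
```

Running the sample reports web-password and AWS_SECRET_ACCESS_KEY as missing, which is exactly the kind of gap that produces the launch error mentioned earlier in the tutorial.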
Atlantis by default does not come with a state backend.
Some of the usual options for a state backend are:
AWS S3 to hold state, with AWS DynamoDB for state locking
Terraform Cloud (only for state)
That's it! Congrats, you have now set up Abbey with Atlantis!
When your users request access to resources in Abbey, a Pull Request will be created on GitHub. Once all policy and workflow checks pass, reviewers will be notified to approve or deny the request.
You can then run atlantis apply as usual.
After that, you can approve the request on the Abbey App. Abbey will merge the Pull Request.
If your resource has an auto revocation policy, Abbey will automatically revoke access: another Pull Request will be created and the same git-based flow will occur, this time undoing the previous access grant.
Atlantis needs to be exposed to GitHub.
If it is exposed via the public internet, configure Basic Auth with a strong password on your Atlantis server.
If it is exposed via a VPC, make sure you have a proxy to relay/route traffic from GitHub to your private/isolated Atlantis server.
Make sure that you properly scope access to the repos specific to Atlantis, and keep the number of members and their privileges on those repos to what is needed.
Make sure to configure a webhook secret if using GitHub. This is how Atlantis verifies that incoming webhook requests actually come from GitHub.
Make sure to configure a Repo Allowlist to only repos you want Atlantis to watch. This helps with security scope and scalability as Atlantis will only need to watch a select number of repos.
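Two items from the list above are checks the server performs on every incoming event. GitHub signs each webhook delivery with HMAC-SHA256 over the request body under the shared webhook secret and sends the result in the X-Hub-Signature-256 header, so a request with a missing or mismatched signature is not from GitHub; and a repo allowlist restricts which repositories are acted on at all. The following is an added example, not Abbey's or Atlantis's own code, that performs both checks on a constructed delivery. The signature scheme is GitHub's; the wildcard matching uses Python's fnmatch as an approximation of Atlantis's allowlist matcher, which is an assumption of this example.

```python
"""Webhook signature verification and repo allowlist matching.
Added example; not part of Abbey's or Atlantis's code."""
import hashlib
import hmac
from fnmatch import fnmatchcase
from typing import Dict, Optional

SIGNATURE_HEADER = "X-Hub-Signature-256"  # GitHub's HMAC-SHA256 signature header


def sign_payload(secret: str, body: bytes) -> str:
    """The value GitHub sends in X-Hub-Signature-256 for this body and secret."""
    digest = hmac.new(secret.encode("utf-8"), body, hashlib.sha256).hexdigest()
    return "sha256=" + digest


def webhook_is_authentic(secret: str, headers: Dict[str, str], body: bytes) -> bool:
    """Accept only a correctly signed body. A missing or malformed header is a
    rejection, and the comparison is constant-time to avoid timing leaks."""
    presented = headers.get(SIGNATURE_HEADER, "")
    if not presented.startswith("sha256="):
        return False
    return hmac.compare_digest(presented, sign_payload(secret, body))


def repo_is_allowed(full_name: str, allowlist: str) -> bool:
    """allowlist is comma-separated, e.g. 'github.com/acme/infra-*,github.com/acme/platform'.
    Wildcards are matched with fnmatch here (an approximation, see lead-in)."""
    patterns = [p.strip() for p in allowlist.split(",") if p.strip()]
    return any(fnmatchcase(full_name, p) for p in patterns)


def should_process(secret: str, allowlist: str, headers: Dict[str, str],
                   body: bytes, repo_full_name: str) -> Optional[str]:
    """Return None when the event may be processed, else the reason to drop it.
    Signature is checked first so unauthenticated traffic never reaches the
    allowlist logic."""
    if not webhook_is_authentic(secret, headers, body):
        return "signature mismatch"
    if not repo_is_allowed(repo_full_name, allowlist):
        return "repo not in allowlist"
    return None


if __name__ == "__main__":
    # Constructed secret, payload and header for demonstration only.
    secret = "example-webhook-secret"
    body = b'{"action":"opened","repository":{"full_name":"acme/infra-prod"}}'
    headers = {SIGNATURE_HEADER: sign_payload(secret, body)}
    allowlist = "github.com/acme/infra-*"
    print(should_process(secret, allowlist, headers, body, "github.com/acme/infra-prod"))
    # One extra byte in the body invalidates the signature.
    print(should_process(secret, allowlist, headers, body + b" ", "github.com/acme/infra-prod"))
    print(should_process(secret, allowlist, headers, body, "github.com/other/infra-prod"))
```

The allowlist check is also what keeps a misconfigured or overly broad GitHub App installation from turning every repository the app can see into something Atlantis will plan against.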
To learn more about what Resources you can configure, try one of our Step-by-Step Tutorials.
First, follow the official Atlantis docs for deploying an Atlantis server.
Follow the official instructions to .
Modify your Atlantis server's to configure required settings, such as:
You may also configure these same settings via .
You must not use file state with Atlantis because .
Hold your sensitive variables in a secrets manager such as , , or AWS (or their Azure and GCP equivalent).