rick
05/25/2023, 7:21 PM
anyone had issues pulling github secrets to atlantis.yaml? seems like I am unable to get the secrets values to env variables.
workflows:
  terraform:
    plan:
      steps:
        - env:
            name: AWS_ACCESS_KEY_ID
            value: ${{secrets.AWS_ACCESS_KEY_ID}}
        - env:
            name: AWS_SECRET_ACCESS_KEY
            value: ${{secrets.AWS_SECRET_ACCESS_KEY}}
        - env:
            name: AWS_DEFAULT_REGION
            value: ${{secrets.AWS_DEFAULT_REGION}}
        - run: echo $AWS_ACCESS_KEY_ID
        - init
        - plan
version: 3
projects:
- name: project1
  dir: all/core/
  terraform_version: v0.14.7
  workflow: terraform
jwr
05/25/2023, 7:45 PM
github secrets wouldn't be populated by way of atlantis.yml, they would be populated by way of github actions workflows, if you are indeed running atlantis by way of github actions (which probably isn't common). but if you are indeed running atlantis by way of github actions, then your environment variables should be populated in .github/workflows/*.yml
i personally wouldn't even attempt to use atlantis as a github action because github actions doesn't have persistent storage, AFAIK. one of these options will be better: https://www.runatlantis.io/docs/deployment.html
rick
05/25/2023, 8:00 PM
Not sure I understand what you mean by "atlantis as a github action"? In my case I am using the atlantis.yaml at the root of the repo, and was trying to feed env variables so I can have Terraform authenticate to AWS 🤔
jwr
05/25/2023, 8:01 PM
how is atlantis being run? e.g. i run it on AWS fargate.
rick
05/25/2023, 8:01 PM
I am running it on AWS Fargate as well
jwr
05/25/2023, 8:02 PM
provision a fargate task role which has the desired permissions, then fargate will populate the AWS variables for you. atlantis.yml has no involvement in that part.
rick
05/25/2023, 8:03 PM
I am trying to avoid setting the AWS variables within the container definition, is there any way to achieve that?
jwr
05/25/2023, 8:04 PM
if a role is assigned to a task then AWS will populate those AWS variables on its own, without explicitly defining them in a task definition.
rick
05/25/2023, 8:07 PM
Would that work in a setup where a single instance of atlantis is dealing with multiple repos?
jwr
05/25/2023, 8:10 PM
depends on if the permissions granted in the role will provide the necessary access level to do terraform plan and terraform apply in multiple repos.
rick
05/25/2023, 8:14 PM
Then my role should have the permissions to assume a role on a different account? And every time I would add a repo to Atlantis I would need to grant my fargate role access to the required aws account to run terraform. Is that correct?
jwr
05/25/2023, 8:15 PM
yes. and none of that is different if you hadn't used atlantis either. like if you just ran terraform on your laptop, if you added an AWS account you would have to rig up some way for your laptop to assume a role in that new account too.
rick
05/25/2023, 8:17 PM
I see, thank you very much for your insight, it helped a ton
jwr
05/25/2023, 8:17 PM
np.
rick
05/26/2023, 10:05 AM
Hello, I created the required roles and policies. Terraform is still unable to initialize the backend on S3 which is within a different account 🤔 edit: my backend was referencing a profile: "profile = default". Removed that line, now the backend can init but I can't fetch the state from S3 somehow. My policies are allowing that.