anyone had issues pulling github secrets to atlantis.yaml? seems like I am unable to get the secrets values to env variables.

workflows:
  terraform:
    plan:
      steps:        
        - env:
            name: AWS_ACCESS_KEY_ID
            value: ${{secrets.AWS_ACCESS_KEY_ID}}
        - env:
            name: AWS_SECRET_ACCESS_KEY
            value: ${{secrets.AWS_SECRET_ACCESS_KEY}}
        - env:
            name: AWS_DEFAULT_REGION
            value: ${{secrets.AWS_DEFAULT_REGION}}
        - run: echo $AWS_ACCESS_KEY_ID
        - init
        - plan
version: 3
projects:
- name: project1
  dir: all/core/
  terraform_version: v0.14.7
  workflow: terraform

github secrets wouldn't be populated by way of

atlantis.yml

, they would be populated by way of github actions workflows, if you are indeed running atlantis by way of github actions (which probably isn't common). but if you are indeed running atlantis by way of github actions, then your environment variables should be populated in

.github/workflows/*.yml

Not sure to understand when you mean by "atlantis as a github action"? In my case I am using the atlantis.yaml at the root of the repo, and was trying to feed env variables so I can have Terraform authenticate to AWS 🤔

how is atlantis being run? eg. i run it on AWS fargate.

I am running it on AWS Fargate as well

provision a fargate task role which has the desired permissions, then fargate will populate the AWS variables for you.

atlantis.yml

has no involvement in that part.

I am trying to avoid setting the AWS variables within the container definition, is there any way to achieve that?

if a role is assigned to a task then AWS will populate those AWS variables on its own, without explicitly defining them in a task definition.

Would that work in a setup where a single instance of atlantis is dealing with multiple repos?

depends on if the permissions granted in the role will provide the necessary access level to do

terraform plan

and

terraform apply

in multiple repos.

Then my role should have the permissions to assume a role on a different account? And everytime I would add a repo to Atlantis I would need to grant my fargate role access to the required aws account to run terraform. Is that correct?

yes. and none of that is different if you hadn't used atlantis either. like if you just ran terraform on your laptop, if you added an AWS account you would have to rig up some way for your laptop to assume a role in that new account too.

I see, thank you very much for your insight helped a ton

np.

Hello, I created the required roles and policies. Terraform is still unable to initialize de backend on S3 which is within a different account 🤔 edit: my backend was referencing a profile: "profile = default" Removed that line, now backend can init but I can't fetch the state from S3 somehow. My policies are allowing that.