Oleg Gumbar

05/03/2023, 10:27 PM
I would like to get a multi-tenant Atlantis deployment which acts as CI for Terragrunt or Terraform code from multiple repos. I’m planning to use the AssumeRole mechanism for AWS auth. Is there a possibility to separate credentials per AWS account/repo physically?

PePe Amengual

05/04/2023, 5:37 AM
define physically?
I use an atlantis ECS fargate that can assume roles in multiple accounts
then my provider is set:
provider "aws" {
  region = var.region
  assume_role {
    role_arn = format("arn:aws:iam::%s:role/atlantis-%s-automation-role", var.account_number, var.account_name)
  }
}
there is a map of variables that holds the account numbers, or you can use the account_name

Oleg Gumbar

05/04/2023, 9:40 AM
Yes, let’s say we have an Atlantis instance in ECS Fargate, but it has god-mode permissions. Let’s imagine we have repo A and repo B. Repo A needs access to AWS account X, repo B needs access to AWS account Y. Sure, I can assume specific roles, but theoretically someone can try to assume a role in AWS account Y using repo A, and I would like to prevent that physically, in addition to controlling the IaC repository contents.

Justin S

05/04/2023, 1:49 PM
@Oleg Gumbar I don't think you have an Atlantis issue, it's a user/trust issue. You could probably tell Atlantis to not allow applies until the PR is approved, and require approvals. So someone has to review your code before it's allowed to run.

Oleg Gumbar

05/04/2023, 3:21 PM
“trust me bro” isn’t a solution here, I believe

Justin S

05/04/2023, 3:22 PM
good thing I didn't say that

Oleg Gumbar

05/04/2023, 3:22 PM
I have 4 teams working separately
And I would like them to outsource review of code planned and applied by someone
I would like the solution to be a bit zero-trust by design and not depend on how much you trust users
A solution where the human factor plays a role cannot be scaled
Probably I can solve this using pre-hooks
Where I can get/set credentials per repo

PePe Amengual

05/04/2023, 3:29 PM
open an issue as "zero trust in atlantis" or something like that, there is a big move lately about this, you might get ideas on how to implement some of it, but at this point Atlantis has OPA/Conftest policies and some VCS rules and that is all

Oleg Gumbar

05/04/2023, 3:29 PM
Yes, but policy check is running after plan
=/

PePe Amengual

05/04/2023, 3:31 PM
what you describe could be achieved by having multiple Atlantis servers, locked down at the cloud provider level and using Vault etc
not exactly but close

Oleg Gumbar

05/04/2023, 3:32 PM
Is there a possibility to use policies before plan or init?

PePe Amengual

05/04/2023, 3:34 PM
I don't know
that doesn't stop you from running a pre-workflow hook to do whatever
and that is before any command runs