
[Feature Request] Specify environment variables inside repos.yaml

Open djboboch opened this issue 2 years ago • 8 comments

Various infrastructure repositories require different credentials for managing the infrastructure. Right now there is no easy way to pass environment variables to Atlantis workflow to be accessible only to one repository. I propose to create, inside of the repos.yaml, a field environment similar to docker-compose to be able to pass in repository specific variables. This feature would be great for passing in secrets that terraform uses, especially for provider specific variables that change depending on a repository.

I would be more than willing to implement this feature, however I would need some guidance from the team where to begin in the code and the best approach to take.

djboboch, Aug 24 '21 06:08

We are looking for the same feature. Would you commit the secrets to your repo in the case you had the environment variables section in the repos.yaml? I do not think it is secure enough. Do you know any workaround for passing environment variables to the server as of now? I raised a related question, what is your view? https://github.com/runatlantis/atlantis/discussions/1773

tapaszto, Aug 25 '21 10:08

Can I see a use case for this? One that doesn't imply a bad practice such as dropping secrets into a repo.

fblgit, Aug 29 '21 11:08

I believe it would be best if it was possible to specify environment variables that should be included from the host. Thus in the yaml we would just define variables that should be passed forward to the server from the host. Then it would be possible to store the YAML in a repo without leaking them.

The specified variables should be checked for their existence when starting the server, the same way the repos.yaml is checked for any errors. I believe this way would be most secure.

djboboch, Sep 11 '21 11:09
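A sketch of the pass-through model proposed above, added here as an illustration and not code from Atlantis: the committed config lists only variable names per repo, the server refuses to start if any name is missing from the host, and each repo's workflow receives only its own allowlisted variables. The `env` key, the repo ids and the host values are all constructed for the example.

```python
import os

# Constructed stand-in for a repos.yaml with the proposed `env` key (hypothetical).
REPOS_CONFIG = {
    "repos": [
        {"id": "github.com/example-org/gcp-infra",
         "env": ["GOOGLE_CREDENTIALS", "TF_VAR_project_id"]},
        {"id": "github.com/example-org/aws-infra",
         "env": ["AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY"]},
    ]
}


class ConfigError(ValueError):
    """Raised at server startup when the env pass-through config is unusable."""


def validate_env_passthrough(config, host_env):
    """Startup check: every listed name must be a bare variable name (never NAME=value,
    so the committed file can hold no secret) and must exist in the host environment.
    Returns {repo_id: tuple_of_names}; collects every problem before raising."""
    problems, plan = [], {}
    for repo in config.get("repos", []):
        names = list(repo.get("env", []))
        for name in names:
            if not name or "=" in name:
                problems.append(f"{repo['id']}: '{name}' is not a variable name")
            elif name not in host_env:
                problems.append(f"{repo['id']}: {name} not set on host")
        plan[repo["id"]] = tuple(names)
    if problems:
        raise ConfigError("invalid env pass-through: " + "; ".join(problems))
    return plan


def workflow_env(repo_id, plan, host_env, base=("PATH", "HOME")):
    """Environment for one repo's Terraform steps: a minimal base plus that repo's
    allowlisted names only, so one repo never sees another repo's credentials."""
    env = {k: host_env[k] for k in base if k in host_env}
    env.update({k: host_env[k] for k in plan[repo_id]})
    return env


if __name__ == "__main__":
    # Constructed host environment standing in for os.environ on the Atlantis server.
    host = {"PATH": "/usr/bin", "GOOGLE_CREDENTIALS": "gcp-secret",
            "TF_VAR_project_id": "proj-123", "AWS_ACCESS_KEY_ID": "AKIAEXAMPLE",
            "AWS_SECRET_ACCESS_KEY": "aws-secret"}
    plan = validate_env_passthrough(REPOS_CONFIG, host)
    print(sorted(workflow_env("github.com/example-org/gcp-infra", plan, host)))
```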

Hi @djboboch,

We implemented a feature similar to the one you described and are waiting for the community review. With the new multienv step, multiple environment variables can be added dynamically just before executing Terraform commands via Atlantis. We specifically use this step in the Atlantis workflow to call a Linux script hosted on the Atlantis server; the script reads the reference to an Azure key vault from a file committed to the repo and, having authorization, reads the secrets from the key vault. In our case the Linux script is nothing more than a bridge to call further functionality, and the committed extra file in the repo does not contain any sensitive info, only the name of a key vault. All the sensitive info comes from a safe key vault on-the-fly and the result is passed to the Atlantis workflow as environment variables, similarly to the original env workflow step.

Please check this: https://github.com/runatlantis/atlantis/pull/1793

tapaszto, Sep 13 '21 09:09

We did something similar for AWS Secrets Manager. We look for a secret based on a known convention, and pull that secret, setting TF_VAR_<key> as environment variables prior to running further terraform commands.

ghostsquad, Sep 20 '21 23:09

Hello everyone, anyone got any feedback regarding this issue?

We are currently trying to figure out a specific problem:

  • How to make sure that Atlantis, within a specific GitHub repo, can only manage a specific endpoint (GitHub org, GCP project, Azure subscription or AWS account);

Since we are using Atlantis as an app, every repo has all the permissions, which can be tricky (a repo referring to a client's GCP project also has permissions to mess around with other Azure/AWS client projects) within the same terraform project. You just have to specify a different provider and you're there.

We should be able, server-side, to force a list of variables to limit the endpoints that each repo can target with atlantis.

What we are currently doing, for more sensitive projects, is trying to apply pre-workflow hooks to provide a specific PAT for Atlantis to use. And that workflow is only triggered for specific repos. This is complex since we use Atlantis as a GitHub app and have deployed it with helm-charts in a k8s cluster.

EDIT: Grammar verification.

dgteixeira, Oct 01 '21 08:10

Any news? Need this feature...

atakacs90, Jan 19 '22 08:01

Is this still happening with v0.19.8?

jamengual, Aug 26 '22 05:08