Get Started with GitOps
Operations by Pull Request enable Terraform for Teams
hello@cloudposse.com
https://cloudposse.com/
@cloudposse
What to Expect
Feelings of Euphoria
Aha! Moments
Reduced Anxiety
What is GitOps? (not rocket science)
Why it’s awesome (and you’ll agree)
How to get started… (our way)
Live demo... Q&A...
And...
Who is this dude?
Me (Erik Osterman)
Founder of a DevOps Professional Services Company (cloudposse.com)
We’ve pioneered SweetOps: Collaborative DevOps for Companies (100% Open Source)
We got problems.
We Maintain 100+ Terraform Modules (the largest!)
Dozens of Helm Charts
Pain in the *ss to test everything
Multi-stage rollouts get complicated
Lots of tools like Helm, Kops, Terraform and Cloud Formation
Thousands of users (hey, some problems are good to have!)
Goal: Effortlessly Deploy Infrastructure (e.g. spin up an RDS database with Terraform, or deploy a Helm chart)
One Approach...
Make changes in the privacy of your personal laptop (sometimes after a few beers).
“I SWEAR it worked on my machine.”
Then comes… Launch Day
Production
Other Problems...
No Audit Trails (huge risk)
Complicated Manual Rollouts
Not clear what’s been deployed (configuration drift)
Failed Deployments on Merge (now what?!)
Insufficient Code Reviews
No one knows how to make changes
So…. Let’s fix this.
Let’s Practice GitOps.
Use Git as a System of Record for the desired state of configuration
Do Operations by Pull Request for Infrastructure as Code
Then use Continuous Delivery to apply changes to infrastructure (basically it’s CI/CD for DevOps).
Issue commands using comments to trigger actions (a.k.a. “ChatOps”), e.g. “@bot give me a plan”, “@bot deploy these changes”.
Run PLAN: see what should change. Run APPLY: see what actually happened.
The “Git Workflow”
Why do you care?
Teamwork.
GitOps Objectives
Repeatable - Apply changes the same way every time (even your entire stack all at once!)
Predictable - Know what’s going to happen (e.g. before you merge)
Auditable - See what was done (e.g. when things were applied, and whether there were errors)
Accessible - Anyone who can open a PR can contribute
The Solution
https://runatlantis.io
Tool of...
Now an official HashiCorp sponsored project
Built for
(but will run anything)
About Atlantis
Purpose-built for Terraform (understands init, plan, apply)
Project started at
Officially forked into
https://github.com/runatlantis/atlantis
Open Source APACHE2
100% Golang with good test coverage
Current Maintainer is Luke Kysow
Basic Flow Diagram
How We Use Atlantis
Terraform, Cloud Formation, Helm, Helmfile
Because we can run any command
But will it work with...
Terragrunt? YES
GitLab? YES
Bitbucket? YES
Docker? YES
“Interactive” Pull Requests
Step One: Open Pull Request
Step Two: Review “Auto Plan”
Step Three: Seek Approval
Code Review
Step Four: Deploy Changes
Step Five: Merge Pull Request
That was easy.
Atlantis Users?
(...and soon most of our customers)
What others are saying...
Kelsey Hightower says...
https://runatlantis.io
Extra Dope
How to get started
Or just ask us for help =)
Deploy Atlantis on ECS Fargate
1. Create Certificate: fargate certificate create
2. Activate it: fargate certificate validate
3. Create Load Balancer: fargate lb create
4. Assign DNS: fargate lb alias
5. Deploy Container: fargate service create
https://github.com/cloudposse/geodesic-aws-atlantis
Example atlantis.yaml.
version: 2                      # atlantis.yaml config version
projects:                       # list of projects in this repo
- name: "alpinist"              # friendly name for this project
  dir: "terraform"              # directory with the tf code
  workspace: "default"          # workspace to use with this project
  terraform_version: "v0.11.7"  # terraform version to use
  autoplan:                     # automatically run terraform plan
    when_modified:              # when…
    - "*.tf"                    # any .tf file changes
    enabled: true               # and enabled
  apply_requirements:           # then run terraform apply
  - "approved"                  # only when approved
  workflow: "default"           # run this workflow
Steps can be Entirely Customized.
Example atlantis.yaml. (Continued)
workflows:                    # define list of workflows
  default:                    # friendly name for this workflow
    plan:                     # to do a plan
      steps:                  # perform some steps
      - run: "init-terraform" # run a command to initialize tf state
      - run: |-               # use fancy YAML conventions: run a terraform plan with -var-file and save the plan to a file for later
          terraform plan -no-color \
            -var-file atlantis.tfvars -out $PLANFILE
    apply:                    # to do an apply...
      steps:                  # run these steps...
      - run: |-               # with some fancy YAML: run apply using the previous plan; $PLANFILE ensures WYSIWYG
          terraform apply -no-color \
            -var-file atlantis.tfvars $PLANFILE
Steps can be Entirely Customized.
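An added example, not code from the deck or from the Atlantis project: a small Python lint that takes an atlantis.yaml already parsed into Python structures (for instance by yaml.safe_load) and reports where a project or workflow departs from what the slides recommend: apply gated on an approved review, a pinned terraform_version, a referenced workflow that actually exists, apply consuming $PLANFILE so it replays the plan reviewers saw, and no credentials pasted into custom run steps. DECK_CONFIG is a transcription of the two slides above; BAD_CONFIG and the secret-detection patterns are constructed for this example and are not something Atlantis itself checks.

```python
import re

# Heuristics for a credential pasted straight into a run step (constructed
# for this example; Atlantis does not perform this check itself).
SECRET_PATTERNS = [
    re.compile(r"\bAWS_SECRET_ACCESS_KEY\s*="),
    re.compile(r"-var\s*=?\s*['\"]?\w*(password|secret|token)\w*\s*=", re.I),
]


def run_commands(workflow, stage):
    """Yield the shell text of each custom `run` step in a plan/apply stage."""
    for step in workflow.get(stage, {}).get("steps", []):
        if isinstance(step, dict) and "run" in step:
            yield step["run"]


def lint_repo_config(cfg):
    """Return (project-or-workflow, message) findings for a parsed atlantis.yaml."""
    findings = []
    workflows = cfg.get("workflows", {})

    for project in cfg.get("projects", []):
        name = project.get("name") or project.get("dir", "?")
        # Accessible but safe: anyone may open the PR, apply waits for review.
        if "approved" not in project.get("apply_requirements", []):
            findings.append((name, "apply is not gated on an approved review"))
        # Repeatable: the same Terraform binary every time.
        if not project.get("terraform_version"):
            findings.append((name, "terraform_version is not pinned"))
        # A project pointing at an undefined workflow fails only at runtime.
        wf = project.get("workflow", "default")
        if wf != "default" and wf not in workflows:
            findings.append((name, "workflow %r is not defined" % wf))

    for wf_name, wf in workflows.items():
        for stage in ("plan", "apply"):
            for cmd in run_commands(wf, stage):
                if any(p.search(cmd) for p in SECRET_PATTERNS):
                    findings.append((wf_name, "%s step embeds a secret; load it from SSM/chamber instead" % stage))
                # Predictable: apply must replay the plan that was reviewed.
                if stage == "apply" and "terraform apply" in cmd and "$PLANFILE" not in cmd:
                    findings.append((wf_name, "apply does not consume $PLANFILE, so it may diverge from the reviewed plan"))
    return findings


# Transcription of the atlantis.yaml shown on the slides.
DECK_CONFIG = {
    "version": 2,
    "projects": [{
        "name": "alpinist", "dir": "terraform", "workspace": "default",
        "terraform_version": "v0.11.7",
        "autoplan": {"when_modified": ["*.tf"], "enabled": True},
        "apply_requirements": ["approved"],
        "workflow": "default",
    }],
    "workflows": {"default": {
        "plan": {"steps": [
            {"run": "init-terraform"},
            {"run": "terraform plan -no-color -var-file atlantis.tfvars -out $PLANFILE"},
        ]},
        "apply": {"steps": [
            {"run": "terraform apply -no-color -var-file atlantis.tfvars $PLANFILE"},
        ]},
    }},
}

# Constructed counter-example: no approval gate, unpinned version, a pasted
# credential in the plan step, and an apply that ignores the plan file.
BAD_CONFIG = {
    "version": 2,
    "projects": [{"name": "unsafe", "dir": "terraform"}],
    "workflows": {"default": {
        "plan": {"steps": [{"run": "AWS_SECRET_ACCESS_KEY=not-a-real-key terraform plan -out $PLANFILE"}]},
        "apply": {"steps": [{"run": "terraform apply -auto-approve"}]},
    }},
}

if __name__ == "__main__":
    for label, cfg in (("deck", DECK_CONFIG), ("bad", BAD_CONFIG)):
        for where, msg in lint_repo_config(cfg) or [("-", "no findings")]:
            print("%s: %s: %s" % (label, where, msg))
```

Run it as a pre-merge check on the repo that holds atlantis.yaml; the deck's own config comes back clean, while the constructed one reports four findings.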
Live Demo
Demo Time!
Our Best Practices
Use one Atlantis Server per account (prod, dev, staging, identity, security, etc)
Use IAM Service Account for credentials (not hardcoded credentials)
Use GitHub CODEOWNERS
Use -var-files for non-secrets
Use chamber by segmentio for secrets (SSM+KMS)
Disable for forks
Atlantis “Best Practices”
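An added example (not code from the deck or from Atlantis) that turns the ChatOps flow and the practices above into a gate you can run: it parses a PR comment using the real Atlantis comment syntax (atlantis plan or atlantis apply, optionally with -d dir, -w workspace, -p project), refuses pull requests from forks the way the server does by default (the real server flag is --allow-fork-prs), lets apply through only once the PR is approved as apply_requirements: ["approved"] demands, and emits one JSON line per request so the PR doubles as an audit trail. The PullRequest and Decision types, evaluate and audit_record are this example's own assumptions, not Atlantis internals.

```python
import json
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Real Atlantis comment syntax: "atlantis plan|apply" optionally followed by
# -d <dir>, -w <workspace>, -p <project>. Anything else is an ordinary comment.
COMMAND_RE = re.compile(r"^\s*atlantis\s+(plan|apply)((?:\s+-[dwp]\s+\S+)*)\s*$")
FLAG_RE = re.compile(r"-([dwp])\s+(\S+)")


@dataclass
class PullRequest:          # hypothetical view of the PR the VCS host reports
    number: int
    author: str
    approved: bool          # a reviewer approved the current head commit
    from_fork: bool         # the head branch lives in a fork of the repo


@dataclass
class Decision:             # hypothetical result type for this example
    command: Optional[str]
    target: Dict[str, str]
    allowed: bool
    reason: str


def parse_comment(body: str) -> Optional[Tuple[str, Dict[str, str]]]:
    """Turn a PR comment into (command, flags), or None if it is not a command."""
    m = COMMAND_RE.match(body)
    if not m:
        return None
    return m.group(1), dict(FLAG_RE.findall(m.group(2)))


def evaluate(pr: PullRequest, body: str,
             apply_requirements=("approved",), allow_fork_prs=False) -> Decision:
    """Decide whether this comment may trigger an operation on this PR."""
    parsed = parse_comment(body)
    if parsed is None:
        return Decision(None, {}, False, "not an atlantis command")
    cmd, target = parsed
    # "Disable for forks": a fork PR can edit the custom run steps, so an
    # outsider would otherwise run arbitrary commands with the server's credentials.
    if pr.from_fork and not allow_fork_prs:
        return Decision(cmd, target, False, "pull requests from forks are disabled")
    # apply_requirements: ["approved"] from atlantis.yaml (Step Three: seek approval).
    if cmd == "apply" and "approved" in apply_requirements and not pr.approved:
        return Decision(cmd, target, False, "apply requires an approved review")
    return Decision(cmd, target, True, "ok")


def audit_record(pr: PullRequest, body: str, decision: Decision) -> str:
    """One JSON line per request, allowed or denied, for the audit trail."""
    return json.dumps({
        "pr": pr.number, "actor": pr.author, "comment": body.strip(),
        "command": decision.command, "target": decision.target,
        "allowed": decision.allowed, "reason": decision.reason,
    }, sort_keys=True)


if __name__ == "__main__":
    # Constructed sample: the same PR before and after code review.
    pr = PullRequest(number=42, author="erik", approved=False, from_fork=False)
    for comment in ("atlantis plan -d terraform -w default", "atlantis apply", "LGTM"):
        print(audit_record(pr, comment, evaluate(pr, comment)))
    pr.approved = True
    print(audit_record(pr, "atlantis apply", evaluate(pr, "atlantis apply")))
```

Plan is allowed on an unapproved PR (reviewers need to see it), apply is refused until the review lands, and a fork PR gets nothing at all; every decision, including the refusals, is written out so "who tried what, and when" is answerable later.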
Gotchas
Atlantis is under active development
We’ve forked it to support what we needed
https://github.com/cloudposse/atlantis
GitOps
Stop living dangerously. Start using GitOps.
https://github.com/runatlantis/atlantis
HashiConf 2018 Announcements
0.12 (alpha 1) released + “Terraform State as a Service”
Automatic Unsealing -> Open Source
New provider! Manage charts with terraform
Links
Our Fork
https://github.com/cloudposse/atlantis
Our Slack Community
Our Demo
https://github.com/cloudposse/root.cloudposse.co
Join our community!
Totally Bodacious
Geodesic (container+env pattern for Infrastructure as Code): github.com/cloudposse/geodesic
Packages (our complete toolchain + alpine packages): github.com/cloudposse/packages
Build Harness (Makefiles on Steroids; build anything): github.com/cloudposse/build-harness
Reference Architectures: github.com/cloudposse?q=cloudposse.co
Documentation: docs.cloudposse.com
Hire us. =)
A Totally Sweet DevOps Professional Services Company
100+ Free Terraform Modules github.com/cloudposse/
Active Community slack.cloudposse.com
Awesome Documentation docs.cloudposse.com
415 535 8615
hello@cloudposse.com
(free consultation)