Last week we asked a question on r/terraform and got an overwhelming response. A lot of people recommended Atlantis as a way to run terraform plan and apply jobs in your CI. It is used by many great teams (Lyft for example) - however, we see the following issues:
- You need to deploy and maintain an Atlantis backend in your infrastructure
- It runs terraform commands locally on the same server it is installed in. This makes it tricky to achieve high levels of isolation and repeatability that is typically needed in CI/CD scenarios
So we thought: does this really need a backend? Can we somehow make it work without a need to deploy a dedicated service and with terraform jobs running natively in Github Actions with proper isolation?
Actually, the only need that makes Atlantis backend irreplaceable is code-level locks (not to be confused with state locks). But these can be stored in a database, accessed directly from the action - it can even be the same DB that is used by Terraform for state locks!
So we’ve built a proof-of-concept that does just that: it stores higher-level locks in DynamoDB, so there’s no need for any backend. It works like this :
- create a PR - this will create a lock
- comment digger plan - terraform plan output will be added as comment
- create another PR - plan or apply won’t work in this PR until the first lock is released
- you will get Locked by PR #1comment
This proof-of-concept is very much a WIP - for example, there’s no support for apply and then there are things like one PR applied making plans from other PRs thinking new resources need to be deleted; so you need to merge main before re-running plan - and other things like that.
Check it out here! What do you think?