This Terraform module automates the deployment of the Atlantis server on an ECS cluster with self-managed EC2 instances. It includes the configuration of an Application Load Balancer (ALB) for traffic routing. The module simplifies the process of setting up and managing Atlantis, enabling automated Terraform pull request workflows.
- Domain with ACM certificate attached
- Application secrets stored in AWS SSM Parameter Store with the following names and descriptions:
  - `/atlantis/ATLANTIS_GH_TOKEN`: A GitHub personal access token with `repo` and `admin:repo_hook` permissions. Generate this from GitHub Developer settings.
  - `/atlantis/ATLANTIS_GH_WEBHOOK_SECRET`: The secret used to validate GitHub webhooks. Create a random secret string for this.
  - `/atlantis/AWS_ACCESS_KEY_ID`: The AWS Access Key ID for an IAM user with the necessary permissions. Obtain this from the IAM user's security credentials in AWS IAM.
  - `/atlantis/AWS_SECRET_ACCESS_KEY`: The AWS Secret Access Key for the same IAM user. Obtain this from the IAM user's security credentials in AWS IAM.
  - `/atlantis/ATLANTIS_GOOGLE_CLIENT_ID`: The Client ID for Google OAuth. Obtain this from the Google Cloud Console.
  - `/atlantis/ATLANTIS_GOOGLE_CLIENT_SECRET`: The Client Secret for Google OAuth. Obtain this from the Google Cloud Console.
- Set up the following in the Google Cloud Console for the OAuth consent screen:
  - Authorized JavaScript origins: use the value of `ATLANTIS_URL` from your `locals.tf`, which is defined as `ATLANTIS_URL = "https://${local.atlantis_url}"`.
  - Authorized redirect URIs: use the value of `ATLANTIS_GOOGLE_REDIRECT_URI` from your `locals.tf`, which is defined as `ATLANTIS_GOOGLE_REDIRECT_URI = "https://${local.atlantis_url}/oauth2/idpresponse"`.
Requirements:

| Name | Version |
|---|---|
| terraform | >= 1.6.0 |
| aws | >= 5.5.0 |

Providers:

| Name | Version |
|---|---|
| aws | >= 5.5.0 |

Modules:

| Name | Source | Version |
|---|---|---|
| ecs_deployment | infraspecdev/ecs-deployment/aws | 3.0.1 |

Resources:

| Name | Type |
|---|---|
| aws_iam_openid_connect_provider.google | resource |
| aws_iam_role.task_role | resource |
| aws_route53_record.record | resource |
| aws_security_group.alb | resource |
| aws_security_group.ecs | resource |
| aws_acm_certificate.base_domain_certificate | data source |
| aws_ecs_cluster.default | data source |
| aws_iam_policy_document.ecs_task_assume_policy | data source |
| aws_route53_zone.zone | data source |
| aws_ssm_parameter.environment | data source |
| aws_vpc.selected | data source |
Inputs:

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| atlantis_docker_image | The Docker image to use for the Atlantis server | `string` | `"ghcr.io/runatlantis/atlantis:v0.23.1"` | no |
| atlantis_gh_user | The GitHub username used by Atlantis to access repositories | `string` | n/a | yes |
| atlantis_repo_allowlist | Comma-delimited string of the repositories Atlantis is allowed to operate on | `string` | n/a | yes |
| atlantis_url | Full URL for the Atlantis server | `string` | n/a | yes |
| ecs_cluster_name | The name of the ECS cluster | `string` | `"default"` | no |
| ecs_launch_type_cpu | EC2 instance CPU | `number` | `null` | no |
| ecs_launch_type_memory | EC2 instance memory | `number` | `null` | no |
| ecs_service_desired_count | (Optional) Number of instances of the task definition to place and keep running. | `number` | `null` | no |
| private_subnet_ids | List of private subnet IDs in which to deploy the Atlantis server. | `list(string)` | n/a | yes |
| public_subnet_ids | List of public subnet IDs in which to deploy the application load balancer. | `list(string)` | n/a | yes |
| thumbprint_list | The thumbprint of the OIDC provider | `list(string)` | `[` | no |
| vpc_id | VPC ID for creating Atlantis resources. | `string` | n/a | yes |
Outputs:

| Name | Description |
|---|---|
| atlantis_url | The URL for Atlantis. |
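The following is an added example, not part of this module's README, showing one way to satisfy the prerequisites above (the `locals.tf` values and the `/atlantis/*` SSM parameters stored as SecureString) and to call the module with the inputs from the table. The module source and version, the hostname, the GitHub user, the repository allowlist and all AWS identifiers are placeholders or constructed values.

```hcl
# Added example (not from the module's README). Source/version, hostname, GitHub user,
# allowlist and all AWS identifiers below are placeholders or constructed values.
locals {
  atlantis_url                 = "atlantis.example.com" # constructed hostname
  ATLANTIS_URL                 = "https://${local.atlantis_url}"
  ATLANTIS_GOOGLE_REDIRECT_URI = "https://${local.atlantis_url}/oauth2/idpresponse"

  # Parameter names the module expects under /atlantis/ (see prerequisites above).
  secret_names = [
    "ATLANTIS_GH_TOKEN", "ATLANTIS_GH_WEBHOOK_SECRET",
    "AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY",
    "ATLANTIS_GOOGLE_CLIENT_ID", "ATLANTIS_GOOGLE_CLIENT_SECRET",
  ]
}

# Secret values are supplied at apply time (TF_VAR_atlantis_secrets or a tfvars file kept
# out of version control), never as literals in this configuration.
variable "atlantis_secrets" {
  type      = map(string)
  sensitive = true
}

# SecureString parameters are KMS-encrypted at rest. Iterating over the fixed name list
# (not the sensitive map) avoids Terraform's rule against sensitive for_each values.
resource "aws_ssm_parameter" "atlantis" {
  for_each = toset(local.secret_names)
  name     = "/atlantis/${each.key}"
  type     = "SecureString"
  value    = var.atlantis_secrets[each.key]
}

module "atlantis" {
  source  = "<module-source>"  # placeholder: registry path not given on this page
  version = "<module-version>" # placeholder

  atlantis_url            = local.ATLANTIS_URL
  atlantis_gh_user        = "atlantis-bot"             # constructed
  atlantis_repo_allowlist = "github.com/example-org/*" # constructed
  vpc_id                  = "vpc-0123456789abcdef0"   # constructed
  private_subnet_ids      = ["subnet-0aaaaaaaaaaaaaaaa", "subnet-0bbbbbbbbbbbbbbbb"]
  public_subnet_ids       = ["subnet-0ccccccccccccccccc", "subnet-0dddddddddddddddd"]
  ecs_cluster_name        = "default"

  # The module reads the parameters through a data source, so they must exist first.
  depends_on = [aws_ssm_parameter.atlantis]
}

output "atlantis_url" {
  value = module.atlantis.atlantis_url
}
```

Register `local.ATLANTIS_URL` and `local.ATLANTIS_GOOGLE_REDIRECT_URI` as the authorized origin and redirect URI in the Google Cloud Console exactly as they evaluate here.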