Running Atlantis (https://www.runatlantis.io) on Azure Container Instances
Requirements:
Run the following commands from the same location as the master script.
#! /bin/bash
GITHUB_USER=YOUR-USER
GITHUB_TOKEN=YOUR-TOKEN
GITHUB_WEBHOOK_SECRET=YOUR-SECRET
REPO_WHITELIST=github.com/YOUR-ORG/YOUR-REPO
ATLANTIS_LOCATION=YOUR-AZURE-LOCATION
SUFFIX=123
. ./atlantis-on-aci.sh
Change the argument values as needed, and note that you can remove the 'SUFFIX' argument entirely and have a unique suffix generated on your behalf, if you wish. See the master script for additional arguments you can optionally set if you don't want the defaults.
Notes:
-
Authenticate from the Azure CLI to a valid Azure Active Directory tenant
-
Set your target Azure subscription
az account set --subscription "my sub"
-
The script creates the following resources on your behalf:
- A new resource group
- A new storage account within the RG
- A new blob container within the storage account (used for durable storage of Terraform execution state)
- A new file share within the storage account (used to hold SSL self-signed certs for Atlantis HTTPS support)
- A new container group within the RG configured to execute the Atlantis Docker image
- An MSI identity configured with Contributor role access to your Azure subscription, under which the ACI group executes. This identity has sufficient permission to create new resources on your behalf, within the Atlantis workflow
-
The script generates a self-signed certificate using openssl and uploads it to an Azure File share. The certificate is then configured within Atlantis to provide HTTPS support. You should switch to a real (non-self-signed) cert in any production scenario.
-
The script configures MSI support for Atlantis/Terraform execution as well as configuration of an ambient ARM_SUBSCRIPTION_ID so that you don't need to provide one in each Terraform script you apply using the Atlantis workflow
-
For convenience, the script also configures SKIP_CREDENTIALS_VALIDATION = false and SKIP_PROVIDER_REGISTRATION = false, but you can change these by setting environment variables prior to script execution