DEV Community

Amit Chaturvedi
Amit Chaturvedi

Posted on

Terraform Atlantis: GitOps-Driven Infrastructure Management

Introduction
Infrastructure as Code (IaC) has revolutionized how we manage cloud infrastructure. Terraform, being one of the most popular IaC tools, allows declarative, repeatable, and version-controlled infrastructure provisioning. However, as teams grow, managing Terraform execution securely and collaboratively becomes challenging.

Atlantis solves this by bringing Terraform into your GitOps workflow. In this post, we’ll explore what Atlantis is, how it works, why it’s useful, and how to set it up.

What is Atlantis?
Atlantis is an open-source tool that automates Terraform workflows via pull requests. It listens to Git events (PRs, pushes, etc.) and triggers Terraform commands such as plan and apply automatically in response to PR comments.

Core Features:

  • Git-based Terraform automation
  • PR-based infrastructure change visibility
  • Secure plan and apply in CI/CD pipelines
  • Team collaboration with role-based approvals_

How Atlantis Works

PR Creation: A developer creates a pull request with Terraform changes.
Atlantis Webhook Triggered: Atlantis detects the PR via a Git webhook.
Terraform Plan: Atlantis runs terraform plan and comments the output on the PR.
Approval: A reviewer comments atlantis apply once satisfied with the plan.
Terraform Apply: Atlantis applies the changes using terraform apply.

Prerequisite

  • Storage (I am Using Longhorn)
  • MINIO (Object Storage)
  • Kubernetes
  • Atlantis (Open-source tool used to automate Terraform workflows)
  • Istio/Ingress (For Exposing Atlantis)
  • Gitlab
  • AWS Free Tier

** Generate Random Token**

head -c 32 /dev/urandom | base64
Enter fullscreen mode Exit fullscreen mode

Create Secret for Minio

apiVersion: v1
kind: Secret
metadata:
  name: minio-credentials
type: Opaque
stringData:
  access_key: <access_key>
  secret_key: <access_secret>

# kubectl apply -f minio.yml
Enter fullscreen mode Exit fullscreen mode

Create values.yml

environmentSecrets:
  # MinIO Credentials for remote backend
  - name: MINIO_ACCESS_KEY_ID
    secretKeyRef:
        name: minio-credentials
        key: access_key
  - name: MINIO_SECRET_ACCESS_KEY
    secretKeyRef:
        name: minio-credentials
        key: secret_key

gitlab:
  user: "champ25"
  token: "<gitlab-token>"
  secret: "<random-secret>"
  hostname: "gitlab.com"
aws:
   credentials: |
     [default]
     aws_access_key_id=<AWS ACCESS KEY>
     aws_secret_access_key=<AWS SECRET KEY>
   directory: "/home/atlantis/.aws"
repoConfig: |-                                     
    - id: gitlab.com/infrastructure149/*
      apply_requirements: [approved, mergeable]
      import_requirements: [approved, mergeable]
      workflow: default
      allowed_overrides: [workflow, apply_requirements]
      allow_custom_workflows: true
      workflows:
         default:
            plan:
             steps:
              - run: |
                  terraform init -reconfigure\
                    -input=false \
                    -backend-config="bucket=terraform-statefile" \
                    -backend-config="key=envs/dev/terraform.tfstate" \
                    -backend-config="region=us-east-1" \
                    -backend-config="access_key=${MINIO_ACCESS_KEY_ID}" \
                    -backend-config="secret_key=${MINIO_SECRET_ACCESS_KEY}" \
                    -backend-config="skip_credentials_validation=true" \
                    -backend-config="skip_metadata_api_check=true" \
                    -backend-config="force_path_style=true" \
                    -backend-config="skip_requesting_account_id=true" \
                    -backend-config="force_path_style=true" \
                    -backend-config="endpoint=https://minioapi.kubeopscloud.uk"
                  terraform plan -input=false

            apply:
             steps:
               - run: |
                   terraform apply -input=false --auto-approve
Enter fullscreen mode Exit fullscreen mode

Install Atlantis

helm repo add runatlantis https://runatlantis.github.io/helm-charts
helm install atlantis runatlantis/atlantis \
  --namespace atlantis -f values.yaml \
  --create-namespace
Enter fullscreen mode Exit fullscreen mode

Expose via Istio to access from Gitlab


root@master:~# kubectl exec -ti atlantis-0 -n atlantis -- printenv | grep -i webhook
ATLANTIS_GITLAB_WEBHOOK_SECRET=0adfa526cfdgdgsgsdhsdgtewsgsfgsdhshgsgsd
Enter fullscreen mode Exit fullscreen mode

Copy the Webhook Secret to Use in Gitlab

Login To Gitlab
Create A Project : VPC Creation
Copy The Terraform Code to VPC Creation Project

Click On Setting --> Click Webhook

Note : Copy the Webhook Token

Create A Branch and Create MR
_As soon as we create ME, Atlatis Webhook will get triggered
_

Click On Show Output and we will see the plan

If Plan Looks Good, type atlantis apply -d . in commit message

Wait For Some Time and you Will See Output

Click On Show Output

We have Sucessfully Integrated Atlantis to create workflow with Terraform using Gitlab

Verify state file in Minio


Successfully state file updated in Minio Storage
Conclusion
Atlantis brings safety, visibility, and collaboration to Terraform workflows by integrating with Git. With pull request automation, it enables true GitOps-style infrastructure management — ensuring all changes are reviewed, tracked, and auditable.

Top comments (0)