This blog post will look into two Infrastructure as Code (IaC) automation tools, Atlantis and Terraform Cloud/Enterprise and analyze their similarities and differences.
Atlantis allows users to orchestrate Terraform automation through pull requests by using comments, and it’s a great tool suited for small-scale projects and casual usage. Terraform Cloud provides a specialized CI/CD platform for Terraform automation and a great remote backend solution. Terraform Cloud is more scalable than Atlantis but offers fewer extensibility options.
What is Atlantis
Atlantis is an open-source, self-hosted, pull request-based Terraform automation tool. It automates the Terraform workflow through pull request comments: whenever a pull request is opened or updated, Atlantis automatically runs terraform plan and posts the output back as a comment on the pull request. Once the proposed changes have been reviewed, a team member comments atlantis apply, and Atlantis applies the plan and reports the result on the same pull request.
A great benefit of the Atlantis workflow is that it doesn’t add a new user interface (UI) for operators and developers; it integrates with the version control system (VCS) provider of your choice, so code review and Terraform operations happen in the same place. Users don’t need credentials for the infrastructure provider, since only the Atlantis server holds them, and errors are caught during the code review step. Each pull request then carries a detailed audit trail of the changes Terraform made.
Atlantis self-hosted runners can be given an identity native to your cloud (e.g., an AWS instance profile) so they reach the state and the managed resources without long-lived credentials. They can also run inside the Virtual Private Cloud (VPC) to access internal resources (e.g., a VPC-internal database), but they need inbound connectivity from the VCS provider to receive webhooks. Configuration is done mainly through environment variables or flags passed to the statically linked binary, plus YAML: a server-side repo config and an optional per-repository atlantis.yaml.
Atlantis keeps its locks and pending plans in a local data directory rather than a shared store, and one of its main drawbacks is that it doesn’t support a high-availability setup or any scaling or queueing out of the box. Accommodating a scaled or highly available deployment requires substantial engineering effort and a custom in-house solution.
Flexibility is one of the core advantages of Atlantis: custom workflows can run arbitrary commands at each stage, which makes it easy to integrate Terraform helper tools (e.g., tfsec, checkov, Infracost, or Terratag). The same mechanism lets it drive Terraform wrappers such as Terragrunt, and it brings some of Terragrunt’s features to vanilla Terraform, like before and after hooks for every execution stage (init, plan, apply, etc.).
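As an added illustration of the two previous paragraphs (this is example configuration written for this article, not taken from the Atlantis project or its documentation), here is a server-side repo config that locks down who can apply and wires security scanners into the plan stage. The repository pattern, the workflow name and the exact scanner flags are assumptions; adjust them to your installed tool versions.

```yaml
# repos.yaml: Atlantis server-side repo config, passed to the binary with
# --repo-config (or ATLANTIS_REPO_CONFIG). Illustrative example; repo pattern,
# workflow name and scanner flags are assumptions for this article.
repos:
  # Applies to every allowlisted repository; narrow the regex per team if needed.
  - id: /.*/
    # Only plan/apply pull requests that target the default branch.
    branch: /^main$/
    # An "atlantis apply" comment is refused unless the PR is approved,
    # mergeable under branch protection, and not behind the base branch.
    apply_requirements: [approved, mergeable, undiverged]
    # A repo's own atlantis.yaml may choose a workflow, but may not loosen
    # apply_requirements or define its own workflows. Anything in a "run" step
    # executes with the server's cloud identity, so leaving custom workflows
    # disabled keeps PR authors from running arbitrary commands as Atlantis.
    allowed_overrides: [workflow]
    allow_custom_workflows: false
    workflow: scanned
    # Runs once per PR event before any project workflow; a non-zero exit
    # aborts the run. Here it only records who triggered what.
    pre_workflow_hooks:
      - run: echo "PR #$PULL_NUM by $USER_NAME at $HEAD_COMMIT"

workflows:
  scanned:
    plan:
      steps:
        - init
        - plan
        # "show" renders the plan file as JSON into $SHOWFILE for later steps.
        - show
        # Scanners run inside the plan step: a non-zero exit fails the plan,
        # the findings are commented on the PR, and apply is blocked.
        - run: tfsec --no-color --minimum-severity HIGH .
        - run: checkov --quiet --compact --framework terraform_plan -f "$SHOWFILE"
    apply:
      steps:
        - apply
```

Start the server with atlantis server --repo-config repos.yaml together with the usual VCS token and webhook secret settings. A repository can then put workflow: scanned in its atlantis.yaml, but because allow_custom_workflows is false, nobody who can open a pull request can add a run step of their own, which matters because the run steps inherit the instance profile described above.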
Atlantis has a vibrant and active community, and new versions are released often. Note, however, that while development is active and contributions are regular, the effort isn’t focused on new major features since the lead contributor moved to HashiCorp.
Overall, it’s a great tool suited for small-scale operations and infrastructure topologies. It is much appreciated by its user community and offers a flexible automation solution for occasional use. Having said that, it is strongly limited by its architecture, and scaling it isn’t straightforward. If your company has large-scale infrastructure needs, other more robust and mature solutions exist.
What is Terraform Cloud
Terraform Cloud is HashiCorp’s managed SaaS offering for the Terraform workflow: a more comprehensive infrastructure provisioning platform that works exclusively with Terraform. It provides a scalable way to automate infrastructure delivery, enforce compliance, and manage resources in a cloud-agnostic way.
One of its main offerings is a specialized CI/CD platform that standardizes Terraform deployments and shortens their lead time. It supports an excellent remote state backend and an API for remote Terraform operations and integration with existing workflows. It integrates with VCS providers and allows either fully automated or manually approved infrastructure provisioning flows.
Interaction with Terraform Cloud can happen through the command-line interface (CLI), the UI, the API, or CI jobs. The remote backend (an “enhanced” backend in Terraform’s terminology) lets teams run the Terraform binary from their laptops or a third-party CI job while the operation itself executes on a remote machine that holds the credentials. This is especially useful for one-off administrative tasks like tainting or migrating resources – things that are not trivial with Atlantis and may require dedicated solutions like tfmigrate.
Terraform Cloud offers basic security essentials such as RBAC with custom workspace permissions and different access levels for different types of users. Its integration with single sign-on (SSO) allows administrators easy user onboarding and management.
Unlike Atlantis, Terraform Cloud’s architecture is highly scalable, so it will take a while to outgrow it. It offers shared state, distributed execution, concurrent runs, notifications for workspace events, and VCS integrations to support that scale.
Teams can leverage Terraform Cloud’s rich API imperatively from external scripts or declaratively from Terraform itself through the tfe provider. Managing Terraform with Terraform is often the secret to managing IaC at scale in dynamic organizations. It also supports exporting audit logs to external systems via its API.
One drawback of Terraform Cloud compared to Atlantis is that it is less extensible. While Atlantis lets you execute arbitrary shell commands as part of your Terraform job, Terraform Cloud depends on workarounds like a null_resource with a local-exec provisioner or an external wrapper. Suppose, for example, that you are a Terragrunt user. You may then end up with a CI job (e.g., Jenkins or GitHub Actions) that runs Terragrunt, which shells out to Terraform, which in turn executes the run in your remote Terraform Cloud environment. This extra layer complicates the architecture and workflow and introduces another party to a sensitive flow.
Terraform Cloud offers some native integrations and third-party tools to incorporate into the Terraform workflow, like its proprietary policy-as-code framework, Sentinel. With Sentinel, you can create security and compliance guardrails. The disadvantage of Sentinel is that it is neither an industry standard nor open source, unlike Open Policy Agent (OPA). HashiCorp recently announced publishing reusable Sentinel policies in its public Terraform Registry, which may give Sentinel a new lease of life in the Terraform ecosystem.
Last but not least, Terraform Cloud recently announced a drift detection feature, which lets you monitor whether your deployed resources still match their Terraform definitions. This can, to some extent, be replicated with Atlantis by triggering its plan and apply HTTP API endpoints on a schedule, but it’s a far cry from the native, built-in solution that Terraform Cloud offers.
Terraform Cloud vs. Terraform Enterprise
If for any reason (compliance, regulatory needs, etc.) your organization needs an on-premises version of Terraform Cloud, you can use Terraform Enterprise, a self-hosted distribution of Terraform Cloud.
It provides organizations with a private environment installation of the Terraform Cloud instance and enterprise-grade features like single sign-on, compliance enforcement with policies, and audit logging.
If you plan on hosting your own Terraform Enterprise distribution, have a look at the requirements, reference architectures for common cloud providers, and the installation and configuration guide.
Atlantis and Terraform Cloud Similarities
On-premises Support
Both Atlantis and Terraform Enterprise offer the possibility to host your own installation of the tools.
Integration with VCS providers
Most of the standard VCS providers are supported and integrated seamlessly with Atlantis and Terraform Cloud/Enterprise.
Integration with CI/CD
Both tools can be incorporated into your organization’s existing CI/CD flows and work in parallel with existing continuous integration jobs.
Atlantis and Terraform Cloud Differences
SaaS Offering
Terraform Cloud is a managed SaaS offering (with Terraform Enterprise as its self-hosted distribution), while Atlantis has no equivalent managed service.
User Interface
Atlantis uses the same UI as the VCS provider that you are using and allows operators to trigger automation jobs from pull requests. Terraform Cloud/Enterprise comes with its own UI and portal.
Open Source Availability
Atlantis is entirely open source and free, while Terraform Cloud/Enterprise is a proprietary solution, although it offers a free tier.
Remote State Backend
As part of its offering, Terraform Cloud provides an excellent backend for the Terraform state, while Atlantis doesn’t: it uses whatever remote backend your Terraform configuration declares.
High Availability
Terraform Cloud/Enterprise is designed for scale and offers a highly available setup. Scaling and building highly available setups with Atlantis requires additional effort.
Flexibility/Extensibility
Atlantis is very flexible and can integrate with other helper tools easily. Extending Terraform Cloud functionality is a bit more cumbersome.
Security Features
Atlantis ties every infrastructure change to a pull request, whose plan output, review, and apply comment serve as the audit trail; access control is delegated to the VCS (branch protection plus the approved/mergeable apply requirements), since Atlantis has no user model of its own. Terraform Cloud offers more elaborate security essentials like RBAC, single sign-on with SAML, and a dedicated audit log.
Drift Detection
Terraform Cloud offers drift detection, whereas Atlantis doesn’t by default, although similar functionality can be replicated with additional effort.
Cost Calculation
Terraform Cloud offers cost estimation, whereas Atlantis doesn’t by default, although similar functionality can be replicated by adding external tooling.
Atlantis and Terraform Cloud Synergies
Actually, Atlantis and Terraform Cloud can be used together, since Atlantis integrates seamlessly with Terraform Cloud/Enterprise. It doesn’t matter which flavor of Terraform Cloud/Enterprise your team uses; Atlantis can work with all of them.
If that’s up your alley, you can have the “pull request-based” flow with some of the benefits of a managed solution, like history, access to policies with Sentinel, stopping runs, secret storage, etc. At this point, any generic CI tool would likely do the trick, so there may not be a point in maintaining a self-hosted installation of Atlantis to hand over the work to Terraform Cloud.
Alternative to Terraform Cloud and Atlantis - Try Spacelift
Terraform Cloud has been one of the first players in the space, but it’s not the most feature-rich platform anymore. Atlantis is great for small projects, but missing features and scaling might cause headaches.
If you’re choosing between Atlantis and Terraform Cloud, why not give a chance to Spacelift, a modern collaborative infrastructure delivery tool with a great focus on user experience? It works with Terraform, Terragrunt, and many other IaC frameworks, supports self-hosted on-prem workers, workflow customization, drift detection, and much more.
For more differences between the tools, I encourage you to check the article Spacelift vs. Atlantis and Spacelift vs. Terraform Cloud.
Spacelift provides a more mature way of automating the whole infrastructure provisioning lifecycle. Its flexible and robust workflow allows teams to get up to speed quickly and collaborate efficiently. Spacelift is highly extensible and will enable teams to enhance the Terraform workflow with custom providers, linters, security tools, and any other custom tooling they see fit.
Spacelift connects directly to the version control system of your choice and provides a truly GitOps native approach. It can support setups with multiple repositories or massive monorepos and leverages the APIs of the VCS provider to give you visibility.
Spacelift has a built-in CI/CD functionality for developing custom modules allowing teams to incorporate testing, checks, and linting early into the development phase of modules. Another benefit of using Spacelift is its flexible workflow management. It provides a policy-based process to handle dependencies between projects and deployments with Trigger Policies.
Spacelift provides a plethora of Policies to allow teams to define and automate rules governing the infrastructure as code. By utilizing Open Policy Agent, users can create their own custom policies and ensure the compliance of Terraform resources.
Check out the Getting Started Guide and start automating your infrastructure delivery seamlessly!
Key Points
We have looked into two infrastructure automation and delivery tools, Atlantis and Terraform Cloud. We analyzed each of them and discussed their strengths and weaknesses, along with a feature comparison. Finally, we saw how a modern collaborative infrastructure delivery tool like Spacelift could be used as an alternative.
Thank you for reading, and I hope you enjoyed this article as much as I did.