Atlantis: Please document a production deployment setup

Created on 27 May 2018 · 12 Comments · Source: runatlantis/atlantis

There are some references to Kubernetes setups that are presumably used by some production deployments, but I would like to see a fully documented production setup for Atlantis (e.g. fully automated Terraformed setup).

At this point this open-source project seems to be just a relatively good starting point for a solution, not an actual solution.

question

All 12 comments

@coretemp totally agreed. I need to have a fully fleshed out set of docs. While I add this to my backlog to put together a good set of docs, is there anything specific I can help you out with? Are you trying to deploy on AWS or GCP or...

We would probably first be interested in an AWS deployment with state files backed by e.g. S3, but really, the more backends the better.

The backends have nothing to do with the configuration and deployment of Atlantis. You can use any backend out of the box.

I guess it would be nice for some people to have a single-click setup/deploy solution, but usually production deployments vary between platforms. Atlantis is a simple Go application, you can deploy it wherever you want.

Regarding the Kubernetes manifests, those are identical to the ones we use in production. You should not need anything else than that.

I had the impression that there was some state being stored somewhere on a single machine. I am talking about different storage backends for that.

I might simply have to just set it up to see exactly what it does and how and when it can fail. It does seem the audience for such an application is quite demanding already, so perhaps you already have everything in place.

The last thing I want to have to say is "Atlantis crashed and we have no way to get data X to do Y".

Oh, I thought you were talking about Terraform states. The only state Atlantis handles is the database file for locks. Only supported backend at the moment is the filesystem.

OK, so what happens when the server breaks? Can you just spin up a new one or is something more complicated required? Let's assume that at no point there are two instances of Atlantis running.

All that atlantis stores on the filesystem is:

  • unapplied plans
  • Atlantis locks on those projects with unapplied plans

If you lose that data then you will need to re-run atlantis plan and if you lose the locks then another pull request could acquire the lock and they would get to run plan and apply first.

So while it's not ideal, it's not the end of the world. There are plans to add a new backend that isn't a filesystem; however, that is not implemented yet.

If you're in AWS then you have some options:

  • Single server in an ASG with an EBS volume attached for persistence. The server runs the golang binary. An ALB/ELB fronts the server.
  • Run the Docker container on AWS Fargate. See https://github.com/runatlantis/atlantis#aws-fargate. This configuration doesn't have persistence so if the Fargate container stops then you'll lose the above data.
  • Running on EKS (Kubernetes service) when it's available. Although this would be overkill if it was just for Atlantis.

I created some Terraform configurations for doing a production deployment on GCP: https://github.com/sethvargo/atlantis-on-gke. You can pick-and-choose from there if you'd like 😄

There is documentation now for:

As a result I am closing this issue.

A quick peek at the Fargate link suggests it's not production ready, considering there is an issue named "the famous security bug" or something like that.

That issue is referring to a famous issue (apparently, I haven't heard of it) around creating dependent security groups in Terraform.

Solve creation of dependent security groups (the famous bug) https://github.com/terraform-aws-modules/terraform-aws-atlantis/issues/4

It's not a security issue with Atlantis or the fargate deployment.

@lkysow I agree that issue is not a security concern, though this is: https://github.com/terraform-aws-modules/terraform-aws-atlantis/issues/1. In the context of AWS there is no reason that a service that is exposed to the world should be connected to by HTTP when AWS offers LBs (at very little cost) and ACM (at no cost), so I'd have to agree it's not a production grade setup. When I have some time I will try to write up my current setup which consists of EC2, ELB, and ACM.
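
The load balancer plus ACM arrangement described in the last comment, as an added Terraform sketch that is not part of the thread and not taken from either project. The variable names are assumptions, and the load balancer, target group and certificate are assumed to exist already.

```hcl
# Added example. Variable names are hypothetical; supply your own ARNs.
variable "alb_arn" {
  description = "ARN of the existing Application Load Balancer in front of Atlantis"
  type        = string
}

variable "atlantis_target_group_arn" {
  description = "ARN of the target group that points at the Atlantis server"
  type        = string
}

variable "acm_certificate_arn" {
  description = "ARN of an issued ACM certificate for the Atlantis hostname"
  type        = string
}

# TLS terminates at the load balancer using the ACM certificate, so webhook
# payloads and the Atlantis UI never cross the internet in cleartext.
resource "aws_lb_listener" "atlantis_https" {
  load_balancer_arn = var.alb_arn
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"
  certificate_arn   = var.acm_certificate_arn

  default_action {
    type             = "forward"
    target_group_arn = var.atlantis_target_group_arn
  }
}

# Port 80 never forwards to Atlantis; it only redirects clients to HTTPS.
resource "aws_lb_listener" "atlantis_http_redirect" {
  load_balancer_arn = var.alb_arn
  port              = 80
  protocol          = "HTTP"

  default_action {
    type = "redirect"

    redirect {
      port        = "443"
      protocol    = "HTTPS"
      status_code = "HTTP_301"
    }
  }
}
```

The weak form of this setup is a port 80 listener whose default action is `forward` to the Atlantis target group; in review, check that no such listener exists and that the instance's security group accepts traffic only from the load balancer.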
