Requirements

• You will need an Azure account.
• You will need a github account. You will have to setup an access token for Atlantis to use for access to github. You will also need to setup a webhook secret for github to securely communicate with Atlantis.
• You can review the documentation here https://www.runatlantis.io/
• You will need an infracost API Key. You can install Infracost locally by downloading https://infracost.io/ and running the following command 'infracost register' to get an API key.

Notes

I started this as a module to learn terraform and Azure better. if I am doing something wrong or if it can be done better please feel free to let me know. markweaver697@gmail.com

What this module is doing

• Creates a resource group for all atlantis resources
• Creates a vnet with 2 subnets and provisions the backend subnet for container instance delegation and a blob storage service endpoint.
• Uses the Github provider to get a list of IP's where webhooks will be sent from Github. It then adds those to a firewall policy associated with the Web Application Firewall v2.
• Creates a Azure application and service principal with contributor access to be used with the Atlantis deployment
• Creates a Container instance with the Infracost and Atlantis Docker image. You can download and edit the module and put the runatlantis/atlantis:latest image if you do not want infracost comments on your pull requests
• Atlantis repos_json is configured to run an infracost evaluation and a terraform fmt check on all pull requests. you can add more workflow actions by adding them to the repos_json in infracost_repos_json variable.
• Create a Web Application Firewall with a public IP and firewall policy that whitelists any IP CIDRs from 'input_atlantis_whitelist_ip' variable and the collected Github public IP's that send webhooks
• Optional feature to create and attach a Azure blob storage account and map the storage to "/mnt/atlantis-data" on the container instance. This feature can be enabled by answering true to the 'create_and_attach_storage' variable
• [PLEASE READ!] Optional feature to secure Atlantis UI with a basic username/password authentication. This feature seems to be broken in the current atlantis images. it is set to default'false' at this time. you can use variable 'input_atlantis_ui_basic_auth' set to true to enable

Quick self signed certificate

Source: https://www.baeldung.com/openssl-self-signed-cert

• You will need openssl (use linux, macos, wsl). You can create one in powershell as well but I have not included that here.
• Let's create a password-protected, 2048-bit RSA private key (domain.key) with the openssl command: openssl genrsa -out domain.key 2048
• Let's create a CSR (domain.csr) from our existing private key:] openssl req -key domain.key -new -out domain.csr
• Let's create a self-signed certificate (domain.crt) with our existing private key and CSR: openssl x509 -signkey domain.key -in domain.csr -req -days 365 -out domain.crt
• We'll use the following command to take our private key and certificate, and then combine them into a PKCS12 file: openssl pkcs12 -inkey domain.key -in domain.crt -export -out domain.pfx

Providers

Name	Version
azuread	n/a
azurerm	n/a
github	n/a

Modules

No modules.

Resources

Name	Type
azuread_application.atlantis	resource
azuread_service_principal.atlantis	resource
azuread_service_principal_password.atlantis	resource
azurerm_application_gateway.network	resource
azurerm_container_group.containergroup_atlantis	resource
azurerm_network_profile.containergroup_profile	resource
azurerm_public_ip.atlantis	resource
azurerm_resource_group.atlantis	resource
azurerm_role_assignment.aci	resource
azurerm_storage_account.atlantis_storage	resource
azurerm_storage_container.atlantis_container	resource
azurerm_storage_share.container_share	resource
azurerm_subnet.backend	resource
azurerm_subnet.frontend	resource
azurerm_virtual_network.atlantis	resource
azurerm_web_application_firewall_policy.atlantis	resource
azuread_client_config.current	data source
azurerm_subscription.current	data source
github_ip_ranges.waf	data source

Inputs

Name	Description	Type	Default	Required
atlanits_repo_whitelist	the address for the github repo. do not include http://. just 'github.com/org/repo' is needed	string	""	no
atlantis_gh_token	The github token to use for the access to the github repo	string	""	no
atlantis_gh_user	The github user to use for the access to the github repo	string	""	no
atlantis_gh_webhook_secret	The github webhook to use for the access to the github	string	""	no
atlantis_ui_basic_auth	if you answer true this will enable a user/pass defined in atlantis_ui_user and atlantis_ui_pass variables as a basic auth to the atlantis UI. However right now this feature seems to be broken on current docker images. don't enable this until it's fixed	bool	false	no
atlantis_ui_pass	the password to use in the atlantis_ui_pass auth	string	""	no
atlantis_ui_user	the user name to use in the atlantis_ui_user auth	string	""	no
atlantis_whitelist_ips	We are protecting Atlantis with a WAFv2 App gateway. Git webhook IP's are being automatically added to the WAFv2 policy. Here you should include any public IP CIDR's you want to access the atlantis UI with . I.E. Home connection, Data centers, offices, etc.	list(string)	[ "" ]	no
az_subscription_id	the subscription ID for Azure	string	""	no
az_tenant_id	the tenant_id for azure subscription	string	""	no
create_and_attach_storage	if you do not want blob storage created and mapped to the container change this to false	bool	true	no
enable_ssl	if you answer true this will enable SSL config for atlantis and the WAFv2. you will need pfx, pem and crt files. you can create your own self signed for testing but be sure to disable SSL verification on github webhook	bool	false	no
infracost_api_key	the api key from infracost. if you do not have one , install infracost locally and run go to https://www.infracost.io/ and download , then run 'infracost register' to get the key	string	""	no
infracost_repos_json	this is the JSON config for infracost workflow. it needs to be added as a environment variable to the atlantis container. this is the standard template per project commit but you can customize it if you want to, directions and options are here : https://github.com/infracost/infracost-atlantis	string	" {\r\n \"repos\": [\r\n {\r\n \"id\": \"/.*/\",\r\n \"workflow\": \"terraform-infracost\"\r\n }\r\n ],\r\n \"workflows\": {\r\n \"terraform-infracost\": {\r\n \"plan\": {\r\n \"steps\": [\r\n {\r\n \"env\": {\r\n \"name\": \"INFRACOST_OUTPUT\",\r\n \"command\": \"echo \\\"/tmp/$BASE_REPO_OWNER-$BASE_REPO_NAME-$PULL_NUM-$WORKSPACE-${REPO_REL_DIR//\\\\//-}-infracost.json\\\"\"\r\n }\r\n },\r\n {\r\n \"env\": {\r\n \"name\": \"INFRACOST_COMMENT_TAG\",\r\n \"command\": \"echo \\\"$BASE_REPO_OWNER-$BASE_REPO_NAME-$PULL_NUM-$WORKSPACE-${REPO_REL_DIR//\\\\//-}\\\"\"\r\n }\r\n },\r\n \"init\",\r\n \"plan\",\r\n \"show\",\r\n {\r\n \"run\": \"infracost breakdown --path=$SHOWFILE \\\\\\n --format=json \\\\\\n --log-level=info \\\\\\n --out-file=$INFRACOST_OUTPUT\\n\"\r\n },\r\n {\r\n \"run\": \"# Choose the commenting behavior, 'new' is a good default:\\n# new: Create a new cost estimate comment on every run of Atlantis for each project.\\n# update: Create a single comment and update it. The \\\"quietest\\\" option.\\n# hide-and-new: Minimize previous comments and create a new one.\\n# delete-and-new: Delete previous comments and create a new one.\\n# You can use tag to customize the hidden markdown tag used to detect comments posted by Infracost. We pass in the project directory here\\n# so that there are no conflicts across projects when posting to the pull request. This is especially important if you\\n# use a comment behavior other than \\\"new\\\".\\ninfracost comment github --repo $BASE_REPO_OWNER/$BASE_REPO_NAME \\\\\\n --pull-request $PULL_NUM \\\\\\n --path $INFRACOST_OUTPUT \\\\\\n --github-token $GITHUB_TOKEN \\\\\\n --tag $INFRACOST_COMMENT_TAG \\\\\\n --behavior new\\n\"\r\n },\r\n {\r\n \"run\": \"terraform fmt -check=true -diff=true -write=false\"\r\n }\r\n ]\r\n }\r\n }\r\n }\r\n}\r\n"	no
location	Azure region you want to deploy atlantis	string	"eastus"	no
ssl_pfx_file	filename for the ssl pfx file.f.f put this in the same folder you are running the module from	string	""	no
ssl_pfx_file_password	filename for the ssl pfx file.f.f put this in the same folder you are running the module from	string	""	no
subscription_name	the name of the subscription. This will be used as a prefix for resource group and resource names.	string	""	no
vnet_cidr	The CIDR of the vnet that will be used for the frontend and backend subnets. this cidr will be split in to 2 subnets. it is suggested to use /23 cidr for the vnets and they will be split int two /24 subnets. you could use a smaller cidr like a /28 if you want	string	""	no

Outputs

Name	Description
container_instance_ip	Azure container instance ip
waf_public_ip	Azure waf public ip
waf_whitelisted_ips	list of waf whitelisted ip cidrs