Atlantis

This guide assumes that you have an existing Atlantis server configured as a Terraform runner.

You can integrate Resourcely with Atlantis to automatically evaluate your Terraform plans on pull requests. The Resourcely guardrail evaluation will result in findings that help developers address the violations.

In order to set up Resourcely with Atlantis, you must perform the following steps:

  • Verifying Prerequisites

  • Change Management

  • Setup Resourcely with Custom workflows

Verifying Prerequisites

Before adding Resourcely to existing workflows, please verify that your Atlantis server environment:

  • Has internet egress access to download the Resourcely CLI binary or container (e.g., through a NAT Gateway).

  • Is configured to allow custom workflows.

  • Is used with GitHub as a VCS.

Change Management

This setup assumes you have already completed the integration of Source Code Management (SCM). If you have not, please follow this guide to complete the SCM integration.

Setup Resourcely with Custom workflows

This requires an Atlantis server-side workflow written in Atlantis YAML. Create a new file called repos.yaml or update your existing YAML and add the following content:

repos:
  - id: /.*/
    workflow: resourcely_guardrails
    allow_custom_workflows: false # if set to true, anyone who can create a pull request to that repo can essentially run arbitrary code on your Atlantis server.
    policy_check: false
    pre_workflow_hooks:
      # Install the Resourcely CLI; use location `/opt/resourcely-cli` to run the CLI
      - run: |
            # Resolve the latest release tag from the redirect's Location header
            LATEST_RELEASE_TAG=$(curl -s -I https://github.com/Resourcely-Inc/resourcely-container-registry/releases/latest | awk -F '/' '/^[Ll]ocation/ {print substr($NF, 1, length($NF)-1)}')
            # Download the release tarball, unpack it, and move the binary into place
            curl -s -L -O https://github.com/Resourcely-Inc/resourcely-container-registry/releases/download/$LATEST_RELEASE_TAG/resourcely-cli-${LATEST_RELEASE_TAG}-linux-amd64.tar.gz > /dev/null && tar xvzf resourcely-cli-${LATEST_RELEASE_TAG}-linux-amd64.tar.gz && mv resourcely-cli /opt/resourcely-cli
workflows:
  resourcely_guardrails:
    plan:
      steps:
        # Placeholder below: keep the real token out of version control
        - env:
            name: RESOURCELY_API_TOKEN
            value: '<RESOURCELY_API_TOKEN>' # get a token from https://portal.resourcely.io/settings/generate-api-token
        - init
        - plan
        - show
        # Running Resourcely Guardrails against the plan file written by the show step
        - run: /opt/resourcely-cli --log debug --api_host https://api.resourcely.io evaluate --change_request_url $PULL_URL --change_request_sha $HEAD_COMMIT --format plain --plan $SHOWFILE

The resourcely-cli command in your repos.yaml evaluates your Terraform plan by downloading policies from Resourcely, assessing the plan against them, and submitting the results to Resourcely. The findings are displayed on the pull request associated with the Atlantis run.

Note that the server needs to run with --repo-config=repos.yaml:

atlantis server \
...
--repo-config=repos.yaml \
...
...

Atlantis should now run the Resourcely CLI on every pull request whenever new code is created or updated.
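The pre_workflow_hooks step above installs whatever release is latest at run time and does not check the archive before moving it to /opt/resourcely-cli. The following added example (not Resourcely's code) shows a pinned, checksum-verified install instead; the helper names sha256_of, install_verified and fetch_and_install are hypothetical, and the release tag and SHA-256 digest are values you record yourself after vetting a release.

```shell
# Added example, not Resourcely's code. Tag and digest are values you record
# yourself after vetting a release; the page does not state them.

# sha256_of FILE: print the hex SHA-256 of FILE
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# install_verified TARBALL EXPECTED_SHA256 DEST
# Returns 0 on install, 1 on digest mismatch, 2 if the binary is missing.
install_verified() {
    tarball=$1; expected=$2; dest=$3
    actual=$(sha256_of "$tarball") || return 1
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $tarball: got $actual" >&2
        return 1
    fi
    # Unpack into a scratch directory, never straight into the install path
    workdir=$(mktemp -d) || return 2
    if tar -xzf "$tarball" -C "$workdir" && [ -f "$workdir/resourcely-cli" ]; then
        install -m 0755 "$workdir/resourcely-cli" "$dest"; rc=$?
    else
        rc=2
    fi
    rm -rf "$workdir"
    return "$rc"
}

# fetch_and_install TAG EXPECTED_SHA256 DEST: hook entry point (needs network)
fetch_and_install() {
    tag=$1
    url="https://github.com/Resourcely-Inc/resourcely-container-registry/releases/download/$tag/resourcely-cli-$tag-linux-amd64.tar.gz"
    tmp=$(mktemp) || return 2
    # -f makes curl fail on HTTP errors instead of saving an error page
    curl -fsSL -o "$tmp" "$url" && install_verified "$tmp" "$2" "$3"; rc=$?
    rm -f "$tmp"
    return "$rc"
}
```

In the hook, the two curl lines would be replaced by a call of the form fetch_and_install <PINNED_TAG> <EXPECTED_SHA256> /opt/resourcely-cli, so a changed or tampered archive fails the hook instead of being installed.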

Deployment Scenario 1

Deployment Scenario 2

If you have questions, please email us at support@resourcely.io or contact us.
