I'm having trouble setting up the Atlantis pull request integration on EKS (using the Helm chart). When I push a commit, it displays the error "This repo is not allowlisted for Atlantis."
Here is my values.yaml
## -------------------------- ##
# Values to override for your instance.
## -------------------------- ##

# Provide a name to substitute for the full names of resources
fullnameOverride: ""

# Provide a name to substitute for the name of the chart
nameOverride: ""

## An option to override the atlantis url,
## if not using an ingress, set it to the external IP.
# atlantisUrl: http://10.0.0.0

# Replace this with your own repo allowlist:
orgAllowlist: "dev.azure.com/PHARMACITYJSC/Pharmacity%20Digital/atlantis"
logLevel: "debug"

# Deprecated in favor of orgAllowlist
# orgWhitelist: dev.azure.com/PHARMACITYJSC/Pharmacity%20Digital/atlantis

# If using Azure DevOps, specify like the following:
azuredevops:
  user: $$$$$$$$$$$$
  token: $$$$$$$$$$$$$
  webhookUser: $$$$$$$$$$$$$$$
  webhookPassword: $$$$$$$$$$$$

# To specify AWS credentials to be mapped to ~/.aws or to aws.directory:
aws:
  credentials: |
    [default]
    aws_access_key_id=EXAMPLE
    aws_secret_access_key=EXAMPLE
    region=ap-southeast-1
  config: |
    [profile a_role_to_assume]
    role_arn = arn:aws:iam::191227657176:user/test
    source_profile = default
  directory: "/home/atlantis/.aws"

## -------------------------- ##
# Default values for atlantis (override as needed).
## -------------------------- ##

image:
  repository: ghcr.io/runatlantis/atlantis
  # if not set appVersion field from Chart.yaml is used
  tag: ""
  pullPolicy: Always

## Use Server Side Repo Config,
## ref: https://www.runatlantis.io/docs/server-side-repo-config.html
## Example default configuration
repoConfig: |
  ---
  repos:
  - id: /.*/
    workflow: myworkflow
    apply_requirements: [approved, mergeable]
    allowed_overrides: [apply_requirements, workflow, delete_source_branch_on_merge]
    allowed_workflows: [myworkflow]
    allow_custom_workflows: true
  workflows:
    myworkflow:
      plan:
        steps:
        - run: echo "In Terraform Init and Plan"
        - init
        - plan:
            # one argument, as in atlantis.yaml; ["-lock=", "false"] would pass two broken arguments to terraform plan
            extra_args: ["-lock=false"]
      apply:
        steps:
        - run: echo "In Terraform Apply"
        - apply

# Optionally specify an username and a password for basic authentication
basicAuth:
  username: $$$$$$$$$$$
  password: $$$$$$$$$$

# We only need to check every 60s since Atlantis is not a high-throughput service.
livenessProbe:
  enabled: true
  periodSeconds: 60
  initialDelaySeconds: 5
  timeoutSeconds: 5
  successThreshold: 1
  failureThreshold: 5
  scheme: HTTP
readinessProbe:
  enabled: true
  periodSeconds: 60
  initialDelaySeconds: 5
  timeoutSeconds: 5
  successThreshold: 1
  failureThreshold: 5
  scheme: HTTP

service:
  type: NodePort
  annotations: {}
  port: 80
  nodePort: null
  targetPort: 4141
  loadBalancerIP: null
  loadBalancerSourceRanges: []

podTemplate:
  annotations: {}
    # kube2iam example:
    # iam.amazonaws.com/role: role-arn
  labels: {}

# It is not recommended to run atlantis as root
statefulSet:
  annotations: {}
  labels: {}
  securityContext:
    fsGroup: 1000
    runAsUser: 100
    fsGroupChangePolicy: "OnRootMismatch"
  priorityClassName: ""
  updateStrategy: {}
  # option to share process namespace with atlantis container
  shareProcessNamespace: false
  ## Optionally customize the terminationGracePeriodSeconds
  # terminationGracePeriodSeconds: 60

ingress:
  enabled: true
  ingressClassName: "nginx"
  apiVersion: ""
  labels: {}
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/whitelist-source-range: >-
      $$$$$$$$$$$
  path: / # / for nginx
  ## this is in case we want several paths under the same host, with different backend services
  # paths:
  #   - path: "/path1"
  #     service: test1
  #     port:
  #   - path: "/path2"
  #     service: test2
  #     port:
  pathType: ImplementationSpecific
  ## in case we need several hosts:
  hosts:
    - host: MY_DOMAIN
      paths: ["/"]
      # service: chart-example1
    # - host: chart-example.local2
    #   service: chart-example1
    #   paths: ["/lala"]
  tls: []
  #  - secretName: chart-example-tls
  #    hosts:
  #      - chart-example.local

webhook_ingress:
  enabled: false # true to create secondary webhook.
  ingressClassName:
  apiVersion: ""
  annotations: {}
    # kubernetes.io/ingress.class: nginx
    # kubernetes.io/tls-acme: "true"
  path: /* # / for nginx
  ## this is in case we want several paths under the same host, with different backend services
  # paths:
  #   - path: "/path1"
  #     service: test1
  #     port:
  #   - path: "/path2"
  #     service: test2
  #     port:
  pathType: ImplementationSpecific
  host:
  ## in case we need several hosts:
  hosts:
    # - host: chart-example.local
    #   paths: ["/"]
    #   service: chart-example1
    # - host: chart-example.local2
    #   service: chart-example1
    #   paths: ["/lala"]
  tls: []
  #  - secretName: chart-example-tls
  #    hosts:
  #      - chart-example.local
  labels: {}

## Allow to override the /etc/ssl/certs/ca-certificates.cer with your custom one
# You have to create a secret `my-ca-certificates`
# customPem: my-ca-certificates

resources: {}
  # requests:
  #   memory: 1Gi
  #   cpu: 100m
  # limits:
  #   memory: 1Gi
  #   cpu: 100m

## Path to the data directory for the volumeMount
atlantisDataDirectory: /atlantis-data

## Embedded data volume & volumeMount (default working)
volumeClaim:
  enabled: true
  ## Disk space for to check out repositories
  dataStorage: 5Gi
  ## Storage class name (if possible, use a resizable one)
  # storageClassName: value
  accessModes: ["ReadWriteOnce"]

## To keep backwards compatibility
## DEPRECATED - Disk space for Atlantis to check out repositories
# dataStorage: 5Gi
## DEPRECATED - Storage class name for Atlantis disk
# storageClassName: value

replicaCount: 1

## test container details
test:
  enabled: true
  image: bats/bats
  imageTag: 1.9.0
  annotations: {}

nodeSelector: {}

tolerations: []

affinity: {}

# topologySpreadConstraints -- You can use topology spread constraints to control how Pods are spread across your cluster among failure-domains such as regions, zones, nodes, and other user-defined topology domains. (requires Kubernetes >= 1.19).
topologySpreadConstraints: []
  # - labelSelector:
  #     matchLabels:
  #       app.kubernetes.io/name: aws-example-cluster
  #   maxSkew: 1
  #   topologyKey: topology.kubernetes.io/zone
  #   whenUnsatisfiable: DoNotSchedule

serviceAccount:
  # Specifies whether a ServiceAccount should be created
  create: true
  # Set the `automountServiceAccountToken` field on the pod template spec
  # If false, no kubernetes service account token will be mounted to the pod
  mount: true
  # The name of the ServiceAccount to use.
  # If not set and create is true, a name is generated using the fullname template
  name: null
  # Annotations for the Service Account
  # Example:
  #
  # annotations:
  #   annotation1: value
  #   annotation2: value
  annotations: {}
    # IRSA example:
    # eks.amazonaws.com/role-arn: role-arn

# Optionally deploy rbac to allow for the serviceAccount to manage terraform state via the kubernetes backend
enableKubernetesBackend: false

# tlsSecretName: tls

environment: {}
# environment:
#   ATLANTIS_DEFAULT_TF_VERSION: v1.2.9

# Optionally specify additional environment variables to be populated from Kubernetes secrets.
# Useful for passing in TF_VAR_foo or other secret environment variables from Kubernetes secrets.
environmentSecrets: []
# environmentSecrets:
#   - name: THE_ENV_VAR
#     secretKeyRef:
#       name: the_k8s_secret_name
#       key: the_key_of_the_value_in_the_secret

# Optionally specify additional environment variables in raw yaml format
# Useful to specify variables refering to k8s objects
# environmentRaw:
#   - name: POD_IP
#     valueFrom:
#       fieldRef:
#         fieldPath: status.podIP
environmentRaw: []

# Optionally specify additional Kubernetes secrets to load environment variables from.
# All key-value pairs within these secrets will be set as environment variables.
# Note that any variables set here will be ignored if also defined in the env block of the atlantis statefulset.
# For example, providing ATLANTIS_GH_USER here and defining a value for github.user will result in the github.user value being used.
loadEnvFromSecrets: []
# loadEnvFromSecrets:
#   - secret_one
#   - secret_two

# Optionally specify additional Kubernetes ConfigMaps to load environment variables from.
# All key-value pairs within these ConfigMaps will be set as environment variables.
# Note that any variables set here will be ignored if also defined in the env block of the atlantis statefulset.
# For example, providing ATLANTIS_ALLOW_FORK_PRS here and defining a value for allowForkPRs will result in the allowForkPRs value being used.
loadEnvFromConfigMaps: []
# loadEnvFromConfigMaps:
#   - config_one
#   - config_two

# Optionally specify google service account credentials as Kubernetes secrets. If you are using the terraform google provider you can specify the credentials as "${file("/var/secrets/some-secret-name/key.json")}".
googleServiceAccountSecrets: []
# googleServiceAccountSecrets:
#   - name: some-secret-name
#     secretName: the_k8s_secret_name

# Optionally specify additional volumes for the pod.
extraVolumes: []
# extraVolumes:
#   - name: some-volume-name
#     emptyDir: {}

# Optionally specify additional volume mounts for the container.
extraVolumeMounts: []
# extraVolumeMounts:
#   - name: some-volume-name
#     mountPath: /path/in/container

extraManifests: []
# extraManifests:
#  - apiVersion: cloud.google.com/v1beta1
#    kind: BackendConfig
#    metadata:
#      name: "{{ .Release.Name }}-test"
#    spec:
#      securityPolicy:
#        name: "gcp-cloud-armor-policy-test"

initContainers: []
# initContainers:
# - name: example
#   image: alpine:latest
#   command: ['sh', '-c', 'echo The init container is running! && sleep 10']

# Install providers/plugins into a path shared with the Atlantis pod
initConfig:
  enabled: false
  image: alpine:latest
  imagePullPolicy: IfNotPresent
  # sharedDir is set as env var INIT_SHARED_DIR
  sharedDir: /plugins
  workDir: /tmp
  sizeLimit: 100Mi
  # example of how the script can be configured to install tools/providers required by the atlantis pod
  script: |
    #!/bin/sh
    set -eoux pipefail

    # example for terragrunt
    TG_VERSION="v0.47.0"
    TG_SHA256_SUM="98d45f6bfbfae84b51364c1ad6920f09ecb4d834908b0535e4e331a9fc6fc75b"
    TG_FILE="${INIT_SHARED_DIR}/terragrunt"
    wget https://github.com/gruntwork-io/terragrunt/releases/download/${TG_VERSION}/terragrunt_linux_amd64 -O "${TG_FILE}"
    echo "${TG_SHA256_SUM} ${TG_FILE}" | sha256sum -c
    chmod 755 "${TG_FILE}"
    terragrunt -v

    # example for terragrunt-atlantis-config
    TAC_VERSION="1.16.0" # without v
    TAC_SHA256_SUM="fc3b069cf4ae51e9b7a7d01f09862d1974b260fffb3ec857d661d7b1756fe26f"
    TAC_FILE="${INIT_SHARED_DIR}/terragrunt-atlantis-config"
    wget "https://github.com/transcend-io/terragrunt-atlantis-config/releases/download/v${TAC_VERSION}/terragrunt-atlantis-config_${TAC_VERSION}_linux_amd64.tar.gz"
    echo "${TAC_SHA256_SUM} terragrunt-atlantis-config_${TAC_VERSION}_linux_amd64.tar.gz" | sha256sum -c
    tar xf "terragrunt-atlantis-config_${TAC_VERSION}_linux_amd64.tar.gz"
    cp -fv "terragrunt-atlantis-config_${TAC_VERSION}_linux_amd64/terragrunt-atlantis-config_${TAC_VERSION}_linux_amd64" "${TAC_FILE}"
    # the file just copied is TAC_FILE; chmod on TG_FILE here would leave it non-executable
    chmod 755 "${TAC_FILE}"
    terragrunt-atlantis-config version

# hostAliases:
#   - hostnames:
#       - aaa.com
#       - test.ccc.com
#     ip: 10.0.0.0
#   - hostnames:
#       - bbb.com
#     ip: 10.0.0.2

hostNetwork: false

# these annotations will be added to all the resources
extraAnnotations: {}
  # team: example

extraArgs: []
# extraArgs:
#   - --disable-autoplan
#   - --disable-repo-locking

extraContainers: []
# extraContainers:
#   - name: <container name>
#     args:
#       - ...
#     image: <docker images>
#     imagePullPolicy: IfNotPresent
#     resources:
#       limits:
#         memory: 128Mi
#       requests:
#         cpu: 100m
#         memory: 128Mi
#     volumeMounts:
#       - ...

containerSecurityContext: {}
  # containerSecurityContext:
  #   allowPrivilegeEscalation: false
  #   readOnlyRootFilesystem: true

servicemonitor:
  # to enable a Prometheus servicemonitor, set enabled to true,
  # and enable the metrics in this file's repoConfig
  # by setting a value for metrics.prometheus.endpoint
  enabled: false
  interval: "30s"
  path: /metrics
  # Prometheus ServiceMonitor labels
  additionalLabels: {}
  auth:
    # if auth is enabled on Atlantis, use one of the following mechanism
    basicAuth:
      # authentication from the secret generated with the basicAuth values
      # this will reference the username and password keys
      # from the atlantis-basic-auth secret
      enabled: false
    externalSecret:
      # authentication based on an external secret
      enabled: false
      # name: atlantis-env
      # keys:
      #   username: USERNAME
      #   password: ATLANTIS_WEB_PASSWORD

# Enable this if you're using Google Managed Prometheus
podMonitor:
  enabled: false
  interval: "30s"

# Set the desired Locking DB type
# lockingDbType: <boltdb|redis>

# Configure Redis Locking DB
# lockingDbType value must be redis for the config to take effect
redis: {}
  # host: redis.host.name
  # password: myRedisPassword
  # port: 6379
  # db: 0
  # tlsEnabled: false
  # insecureSkipVerify: false

# If managing secrets outside the chart for the Redis secret, use this variable to reference the secret name
# redisSecretName: "myRedisSecret"

# Set lifecycle hooks https://kubernetes.io/docs/tasks/configure-pod-container/attach-handler-lifecycle-event/
lifecycle: {}
Here is my atlantis.yaml
version: 3
automerge: true
delete_source_branch_on_merge: true
parallel_plan: true
parallel_apply: true
projects:
- name:
  dir: ./ec2
  workspace: default
  terraform_version: v1.6.3
  delete_source_branch_on_merge: true
  autoplan:
    when_modified: ["*.tf", "*.tfvars"]
    enabled: true
  apply_requirements: [mergeable, approved]
  workflow: myworkflow
workflows:
  myworkflow:
    plan:
      steps:
      - run: echo "In Terraform Init and Plan"
      - init
      - plan:
          extra_args: ["-lock=false"]
    apply:
      steps:
      - run: echo "In Terraform Apply"
      - apply
I already tried setting the variable OrgAllowlist:, but it still displays the error.
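As an added sanity check (not part of the question and not Atlantis's own code): the script below models how a comma-separated repo allowlist entry is compared against a repository identity, assuming the simplified rules stated in its docstring (an entry is `host/repo-full-name` with no URL scheme, comparison is case-insensitive, `*` is a wildcard). It runs the entry from the values.yaml above against two constructed spellings of the same Azure DevOps repository and lints the entry for percent-encoding and URL-scheme mistakes. The candidate identities are constructed sample values, and the matcher is an approximation, not the real Atlantis implementation.

```python
"""Sanity-check an Atlantis repo allowlist against candidate repository identities.

Added example for this question; it is not Atlantis's own code. It assumes a
simplified model of Atlantis's --repo-allowlist matching:
  * the list is comma-separated; each entry is "<vcs-host>/<repo-full-name>"
    with no URL scheme,
  * the candidate is "<vcs-host>/<repo-full-name>" as built from the VCS event,
  * matching is case-insensitive and "*" matches any run of characters.
The candidate identities in the demo are constructed sample values.
"""
import re
from urllib.parse import unquote


def compile_rule(rule: str) -> re.Pattern:
    """Turn one allowlist entry into an anchored, case-insensitive regex."""
    literal_parts = [re.escape(part) for part in rule.strip().split("*")]
    return re.compile("^" + ".*".join(literal_parts) + "$", re.IGNORECASE)


def is_allowlisted(allowlist: str, vcs_host: str, repo_full_name: str) -> bool:
    """True if any entry in the comma-separated allowlist matches host/repo."""
    candidate = f"{vcs_host}/{repo_full_name}"
    rules = [r for r in allowlist.split(",") if r.strip()]
    return any(compile_rule(r).match(candidate) is not None for r in rules)


def lint_allowlist(allowlist: str) -> list[str]:
    """Flag entries that are easy to get wrong when copied from a browser URL."""
    findings = []
    for raw in allowlist.split(","):
        rule = raw.strip()
        if not rule:
            findings.append("empty entry (stray comma)")
            continue
        if re.match(r"^[a-z]+://", rule, re.IGNORECASE):
            findings.append(f"{rule!r} starts with a URL scheme; entries are host/path, not URLs")
        if unquote(rule) != rule:
            # A percent-encoded entry can only match an identity that is also
            # percent-encoded; the decoded spelling is worth checking as well.
            findings.append(
                f"{rule!r} is percent-encoded; it only matches a repo identity that is "
                f"also encoded, so check the decoded form {unquote(rule)!r} as well"
            )
    return findings


def explain(allowlist: str, vcs_host: str, candidates: list[str]) -> dict[str, bool]:
    """Map each candidate repo full name to whether the allowlist admits it."""
    return {c: is_allowlisted(allowlist, vcs_host, c) for c in candidates}


if __name__ == "__main__":
    # The entry from the question's values.yaml.
    allowlist = "dev.azure.com/PHARMACITYJSC/Pharmacity%20Digital/atlantis"
    # Constructed sample identities: the encoded and the decoded spelling of
    # the same repository. Only one of them can match a percent-encoded entry.
    candidates = [
        "PHARMACITYJSC/Pharmacity%20Digital/atlantis",
        "PHARMACITYJSC/Pharmacity Digital/atlantis",
    ]
    for finding in lint_allowlist(allowlist):
        print("warning:", finding)
    for repo, ok in explain(allowlist, "dev.azure.com", candidates).items():
        print(f"{'allowed ' if ok else 'rejected'}  dev.azure.com/{repo}")
```

The point of the check is that the allowlist is a plain string comparison against whatever identity Atlantis derives for the incoming event, so an entry has to be written in that spelling rather than copied from a browser URL; a wildcard such as `dev.azure.com/PHARMACITYJSC/*` sidesteps the encoding question at the cost of admitting every repository under that organization.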