HOME/Technical Articles/Terraform: 84 tfstates and 5 repositories turned into a monorepo, and how to operate Terraform with Atlantis

Terraform: 84 tfstates and 5 repositories turned into a monorepo, and how to operate Terraform with Atlantis

2023/7/5 17:092024/9/20 9:00

Mr. Hasegawa (@rarirureluis)is.

#SRG(Service Reliability Group) is a group that mainly provides cross-sectional support for the infrastructure of our media services, improving existing services, launching new ones, and contributing to OSS.

This article is an attempt to reconsider the operation of Terraform.

Before becoming a monorepo How do you run Terraform?Patterns where Apply fails Atlantis should have been introduced sooner...The problem Atlantis solves Prevents patterns where Apply fails Prevents conflicting state updates How Atlantis is built How Atlantis works One Atlantis to multiple AWS environments Tips Terraform version can be specified per directory parallel_plan and parallel_apply Conclusion

Before becoming a monorepo

The Terraform for this service has a structure that is completely separated for each environment and resource, as shown below.

There are five repositories with the directory structure shown above, and five AWS accounts.

We won't go into the merits and demerits of this directory structure here, but our goal is to reduce toil by consolidating all of these into a single repository and managing CI in one place.

How do you run Terraform?

This service operated Terraform using GitHub Actions or CodeBuild.

In this operation, when a PR is created, a Plan is run, and if there are no problems, the plan is merged and Apply is executed.

Patterns where Apply fails

It is possible for the Plan to be successful but the Apply to fail.

For example, if the ECR repository is not empty, or if deletion protection is enabled for EC2, ALB, etc.

When this situation occurred, we would repeatedly create a PR → Plan → Approve → Merge (Apply) to Plan/Apply again.

This is a toil that SREs cannot ignore.

Atlantis should have been introduced sooner...

Atlantis is a CI tool for Terraform.

Terraform Pull Request Automation | Atlantis

Atlantis: Terraform Pull Request Automation

https://www.runatlantis.io/

The problem Atlantis solves

Prevents patterns where Apply fails

IssueOps and branch deploymentsThe merged changes have been applied correctly.You can create

Prevents conflicting state updates

You can see a list of state changes being made from currently open PRs.

And introducing Atlantis can solve many problems.

Prevents patterns where Apply fails

In Atlantis, all operations are done through comments on issues (PRs).

atlantis apply

This means that you will not encounter issues such as Apply failing after merging and having to create a PR to Plan/Apply again.

atlantis apply

This means that the merged changes are correctly applied, and in terms of technique this is called "branch deployment."

The other day, GitHub officially introduced it on their blog.

Enabling branch deployments through IssueOps with GitHub Actions

What if developers want to leverage branch deployments but don't have a full ChatOps stack integrated with their repositories? We wanted to set out to find a way for all developers to be able to take advantage of branch deployments with ease, right from their GitHub repository, and so the branch-deploy Action was born!

https://github.blog/2023-02-02-enabling-branch-deployments-through-issueops-with-github-actions/

Prevents conflicting state updates

Atlantis allows you to take locks on state changes made through PRs.

This way, if another PR detects a change to that state, it will return an error stating that it is already locked.

The locked state can be viewed on the Atlantis web, where you can also view the Terraform execution logs.

How Atlantis is built

This time we used the official Atlantis Terraform module.

GitHub - terraform-aws-modules/terraform-aws-atlantis: Terraform configurations for running Atlantis on AWS Fargate. Github, Gitlab and BitBucket are supported 🇺🇦

Terraform configurations for running Atlantis on AWS Fargate. Github, Gitlab and BitBucket are supported 🇺🇦 - GitHub - terraform-aws-modules/terraform-aws-atlantis: Terraform configurations for run...

https://github.com/terraform-aws-modules/terraform-aws-atlantis

How Atlantis works

Here's how Atlantis works.

Atlantis is triggered by a webhook from GitHub (it also supports other services), and communication between Atlantis and GitHub is carried out via an API.

Therefore, you will need a GitHub App or a Personal Access Token to build Atlantis.

In the Git flow, Plan runs when you create a PR.

At least one Approve is required to Apply, and once Apply is complete, the PR will be automatically closed and the branch will be automatically deleted.

These policies can be defined in detail in atlantis.yaml.

Repo Level atlantis.yaml Config | Atlantis

Atlantis: Terraform Pull Request Automation

https://www.runatlantis.io/docs/repo-level-atlantis-yaml.html

One Atlantis to multiple AWS environments

Terraform supports Assume Role, so we configured it as follows.

Tips

Here are some other good points besides those already mentioned.

Terraform version can be specified per directory

This is a very good feature.

Even before the monorepo, the situation was completely separate, but thanks to this feature, there is no need to unify Terraform versions when migrating to the monorepo.

parallel_plan and parallel_apply

Atlantis automatically marks changed directories as changes, but if you add 40 directories at once, as in this case, it will take a considerable amount of time to Plan and Apply.

However, the option to run in parallel reduces latency considerably.

💡

If you run 40 or more tasks at once, a timeout will occur. In this case, try increasing the vCPU or memory of the task.

Conclusion

Atlantis is open source, the Terraform used to build it is flexible, and Atlantis itself is simple in design, so it can be easily recreated even when in production operation.

We already had a Terraform CI environment in place, but we migrated to Atlantis. There were only advantages and disadvantages.The monthly cost is slightly higher than GitHub Actions/CodeBuildThe process of migrating to a monorepo was hellish.

In terms of infrastructure costs, the Fargate 0.5vCPU/1GB specs are completely fine, so I think the cost is negligible.

Although we've introduced Atlantis a little late, why not take this opportunity to consider introducing it to your business?

SRG is looking for people to work with us. If you're interested, please contact us here.

Recruitment information - CyberAgent SRG #ca_srg

About SRG SRG (Service Reliability Group) is working to improve reliability by promoting the introduction of SRE to the media business as a cross-sectional SRE, based on the vision of "improving reliability across the media business." The work is centered around the following three areas: Consolidating and deploying the technical know-how of each business

https://ca-srg.dev/careers

SRG runs a podcast where we chat about the latest hot topics in IT technology and books. We hope you'll listen to it while you work.

Tech-Talk with SRG #1 by Tech-Talk with SRG

Tech-Talk with SRG is a podcast where members of CyberAgent, Inc.'s horizontal SRE organization, the Service Reliability Group (SRG), chat and introduce the latest hot IT technologies and books. If you have any questions or comments, please tweet them with #ca_srg. ■ Links SRG Portal Site https://ca-srg.dev Recruitment Information https://ca-srg.dev/careers Music generated by Mubert https://mubert.com/render

https://podcasters.spotify.com/pod/show/cyberagent-srg/episodes/Tech-Talk-with-SRG-1-e26fugj