HOME/Articles/Terraform: 84 tfstates and 5 repositories turned into a monorepo, and how to operate Terraform with Atlantis

Terraform: 84 tfstates and 5 repositories turned into a monorepo, and how to operate Terraform with Atlantis

2023/7/5 17:092024/9/20 9:00

Mr. Hasegawa (@rarirureluis)is.

#SRG(Service Reliability Group) mainly provides cross-sectional support for the infrastructure of our media services, improving existing services, launching new ones, contributing to OSS, etc.

This article is an attempt to reconsider Terraform operations.

Before becoming a monorepo How do you operate Terraform?Patterns where Apply fails Atlantis should have been introduced sooner...The problem Atlantis solves Prevents patterns where Apply fails Prevent conflicting state updates How to build Atlantis How Atlantis works One Atlantis to multiple AWS environments Tips You can specify the Terraform version per directory.parallel_plan and parallel_apply Conclusion

Before becoming a monorepo

The Terraform for this service has a completely separated structure for each environment and resource, as shown below.

There are five repositories with the directory structure above, and five AWS accounts.

We won't go into the merits and demerits of this directory structure here, but our goal is to reduce toil by consolidating all of this into a single repository and managing CI in a single place.

How do you operate Terraform?

This service operated Terraform using GitHub Actions or CodeBuild.

In this operation, when a PR is created, Plan is run, and if there are no problems, it is merged and Apply is executed.

Patterns where Apply fails

It is possible for the Plan to be successful but the Apply to fail.

For example, if the ECR repository is not empty or if deletion protection is enabled on EC2, ALB, etc.

When this situation occurred, I would repeatedly create a PR → Plan → Approve → Merge (Apply) to Plan/Apply again.

This is a toil that SREs cannot ignore.

Atlantis should have been introduced sooner...

Atlantis is a CI tool for Terraform.

Terraform Pull Request Automation | Atlantis

Atlantis: Terraform Pull Request Automation

https://www.runatlantis.io/

The problem Atlantis solves

Prevents patterns where Apply fails

IssueOps, Branch DeploymentThe merged changes have been applied correctly.Can be created

Prevent conflicting state updates

You can see a list of state changes being made from currently open PRs.

Introducing Atlantis can solve many problems.

Prevents patterns where Apply fails

In Atlantis, all operations are done through comments on issues (PRs).

atlantis apply

This means that you will not encounter issues such as Apply failing after merging and having to create a PR to Plan/Apply again.

atlantis apply

This means that the merged changes are correctly applied, and in technical terms this is called "branch deployment."

The other day, GitHub was officially introduced on a blog.

Enabling branch deployments through IssueOps with GitHub Actions

What if developers want to leverage branch deployments but don't have a full ChatOps stack integrated with their repositories? We wanted to set out to find a way for all developers to be able to take advantage of branch deployments with ease, right from their GitHub repository, and so the branch-deploy Action was born!

https://github.blog/2023-02-02-enabling-branch-deployments-through-issueops-with-github-actions/

Prevent conflicting state updates

Atlantis allows you to take a lock on state changes made through PRs.

This way, if another PR detects a change to that state, it will return an error stating that it is already locked.

The locked state can be viewed on the Atlantis web GUI, where you can also view the Terraform execution logs.

How to build Atlantis

This time we used the official Atlantis Terraform module.

GitHub - terraform-aws-modules/terraform-aws-atlantis: Terraform configurations for running Atlantis on AWS Fargate. Github, Gitlab and BitBucket are supported 🇺🇦

Terraform configurations for running Atlantis on AWS Fargate. Github, Gitlab and BitBucket are supported 🇺🇦 - GitHub - terraform-aws-modules/terraform-aws-atlantis: Terraform configurations for run...

https://github.com/terraform-aws-modules/terraform-aws-atlantis

How Atlantis works

Here's how Atlantis works.

Atlantis is triggered by webhooks from GitHub (it also supports other services), and communication between Atlantis and GitHub is carried out via an API.

Therefore, you will need a GitHub App or a Personal Access Token to build Atlantis.

In the Git flow, Plan runs when you create a PR.

At least one Approve is required before a PR can be applied, and once the Apply is complete, the PR will be automatically closed and the branch will be automatically deleted.

These policies can be specified in detail in atlantis.yaml.

Repo Level atlantis.yaml Config | Atlantis

Atlantis: Terraform Pull Request Automation

https://www.runatlantis.io/docs/repo-level-atlantis-yaml.html

One Atlantis to multiple AWS environments

Terraform supports Assume Role, so I configured it as follows.

Tips

Here are some other good points besides those already mentioned.

You can specify the Terraform version per directory.

This is a very good feature.

Even before the monorepo, the situation was completely separate, but thanks to this feature, there is no need to unify Terraform versions when migrating to a monorepo.

parallel_plan and parallel_apply

Atlantis automatically marks changed directories as changes, but if you add 40 directories at once, as in this case, it will take a considerable amount of time to Plan and Apply.

However, the option to run in parallel reduces latency considerably.

💡

If you try to run 40 or more at once, a timeout will occur. In this case, try increasing the vCPU or memory of the task.

Conclusion

Atlantis is open source, the Terraform used to build it is flexible, and Atlantis itself is simply designed so that it can be easily recreated even when in production.

We already had a Terraform CI environment in place, so we migrated to Atlantis, but there were only advantages and disadvantages.Monthly costs are slightly higher than GitHub Actions/CodeBuildThe process of migrating to a monorepo was hellish.

In terms of infrastructure costs, the Fargate 0.5vCPU/1GB specs are absolutely fine, so I think the cost is negligible.

Although we've introduced Atlantis a little late, why not take this opportunity to consider introducing it to your business?

SRG is looking for people to work with us. If you are interested, please contact us here.

Recruitment Information - CyberAgent SRG #ca_srg

About SRG SRG (Service Reliability Group) is working to improve reliability by promoting the introduction of SREs to the media business as a cross-sectional SRE under the vision of "improving reliability across the media business." The work is centered around the following three pillars: Consolidating and deploying the technical know-how of each business

https://ca-srg.dev/careers

SRG runs a podcast where we chat about the latest hot topics in IT and books. We hope you will enjoy listening to it while you work.

Tech-Talk with SRG #1 by Tech-Talk with SRG

Tech-Talk with SRG is a podcast where members of CyberAgent's horizontal SRE organization, the Service Reliability Group (SRG), chat and introduce the latest hot IT technologies and books. If you have any questions or comments, we would appreciate it if you would tweet them with the hashtag #ca_srg. ■ Links SRG Portal Site https://ca-srg.dev Recruitment Information https://ca-srg.dev/careers Music generated by Mubert https://mubert.com/render

https://podcasters.spotify.com/pod/show/cyberagent-srg/episodes/Tech-Talk-with-SRG-1-e26fugj