-
Notifications
You must be signed in to change notification settings - Fork 1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support atlantis import
subcommand
#217
Comments
Hi Ted, thanks for the ticket! So the workflow with Atlantis would be something like:
How does that sound? |
Hey Luke, Yeah, that sounds correct. We are still running v0.3.8 in production so I did not account for the autoplan in my original workflow but I believe it would be fine. Autoplan would show that it was creating a new resource but once |
Is this on the roadmap for 0.5.x? Also with the above mentioned workflow would we be able to disable the autoplan on resource importing? |
What I do currently is create a PR with a no-op change (such as add a comment) which with auto plan enabled will create the lock making it safe to do imports from the CLI locally without worrying that someone will be able to run a plan/apply through atlantis. After I have done the imports I just do another plan and then it will be business as usual. |
Interesting idea to do for the interim. Just thinking from an auditing perspective it would be nice to see what was/wasn't imported. |
No, server-side config is my focus right now.
How would Atlantis know that you were going to do a resource import ahead of time? |
If you are using a backend such as s3 and enable versioning you should be able to determine who pushed the latest version and you can diff the versions to see the delta. But ya I really would prefer to have atlantis be able to do it for me so that I can say github pull requests are my audit log. Now it's technically both. |
If you open you pull request it starts planning, you run an import (locally or via atlantis [1]: this is true when using a |
@majormoses Your comment made me re-evaluate my statement and I see that you're absolutely right about the plans and locks. I guess you'd have to have something where But this got me thinking and I realized this is not even the most interesting part of the problem. How would
I'm sure there are other ways as well. I, personally, would lean towards something that makes an effort to minimize the already clutter-prone PR comments, though. |
Yes this is how I imagined the interface/experience.
I will respond there as well but I think that the best interface would be to have it be a comment, committing a file to git to import/taint a resource/module seems like a bad idea. If someone forgets to clean it up then it could be a problem. I would vote taint follows the same pattern where you are explicit in what resource you want tainted.
Ya I have thought about it but if we want github to be our audit trail I don't see around this. What I personally do in my org is minimize comments if they are not important or relevant. This leaves all the data intact and reduces the need to scroll a bunch of times. |
I don't know that I would call it useless it can be very helpful to see a plan before importing resources as it can help with recalling all the sub module objects that need to be imported, check for issues with variable/module/data references. It also helps paint a story (an audit log) of what things were like before you made any "manual" changes and then can be compared with a plan after the changes/import takes plan to confirm desired changes or a no-op. I can certainly see where you are coming from though, you can always hide or delete those comments if they really bug you. |
can someone recommend a workaround this feature is developed? Is the only way we could achieve it by following what @majormoses suggests? |
@rohitshrivastava04 You can accomplish this with an atlantis custom command. I'm working on this now to create This seems like a common enough use case that this could easily be made part of the core atlantis stack, but until then I'll proceed with my custom command. |
After looking closer, it appears that we can't setup custom commands for the github comment interface. The custom commands must run inside of a workflow as part of either init, plan, or apply. Looks like a simple workaround is out of the question on this, and this will need to be part of the official tool. |
This should be achievable with a custom workflow by parsing the CUSTOM_ARGS env variable. Adapting from my comment on the similar issue for supporting Then a comment like workflows:
standard-with-custom-args:
plan:
steps:
- init
- run: /usr/local/bin/parse-custom-args.sh
- plan |
That seems like a gaping security hole, and allows for imports without approval, by any user who is able to comment on the ticket. And, if not VERY carefully coded - that script would allow for command injection on the server. Far too easy for an attacker to make that command |
Hi folks who want to run terraform state mv/rm/import commands in Atlantis, |
Hi @minamijoyo . But I propose back to the proposal from the comment: It is more straightforward than implementing additional tool. |
@piotr-vimn Thank you for checking. Of course, there are pros and cons, but one thing I would like to emphasize that the tfmigrate is a declarative state migration tool, it allows you to require a review of the import command which your colleagues will run before changing remote states. |
@piotr-vimn agree that an |
Any updates on this ? |
Please. We need this 🙏 |
Hey folks. What's the consensus on correct workflow/steps to import existing resources into atlantis? |
atlantis import
subcommand
@lkysow update? |
* Enhance project command runner and project context builder to be platform mode aware * refactor project context builder to not rely on command context * move project context building to initializers * conditional policy check * policy check errors should be failures * remove unnecessary constants * improve disabled apply text * fix tests and rename initializers to wrappers * add e2e tests * add unit tests * fix text * remove reldir check in project context init * fix e2e tests * revert unnecessary shuffle * fix * fix tests
Terraform support importing existing resources in to the TF state file by way of the
terraform import
command. Typical usage looks like this:The text was updated successfully, but these errors were encountered: