Integrate with Atlantis

Atlantis Overview

Atlantis is an application for automating Terraform through pull requests. It is deployed as a standalone application into your infrastructure.

Lacework IaC Security can be used to run IaC Policy checks and Plan Processing.

Lacework currently supports Custom Workflow integration with Atlantis, which allows IaC scans to be performed either as part of the Atlantis plan command or any custom command that organizations wish to use.

Before proceeding with the integration, note the following requirements:

note

Docker should be running on the Atlantis server. If the Atlantis server itself runs as a Docker container, you can include custom tools in the image using the following instructions.

  1. You must be able to install the Lacework IaC CLI on the Atlantis server. You can install the CLI using one of the following options:

    wget -O - https://raw.githubusercontent.com/soluble-ai/soluble-cli/master/linux-install.sh | sh
    curl https://raw.githubusercontent.com/soluble-ai/soluble-cli/master/linux-install.sh | sh
  2. After the CLI is installed on the Atlantis server, generate an access token that the CLI uses to run scans. To do this, run the following command on your local system and follow the CLI instructions, which prompt you to paste a key obtained in the browser.

     soluble login --headless
  3. Copy ~/.config/lacework/cli-config.json from your local system to ~/.config/lacework under the $HOME directory of every node that runs the Atlantis server.

Custom Workflow Integration

You can define a custom workflow in one of two ways: as server-side or as repo-level configuration. The following sections explain the advantages of each and which one might better suit your workflow. Lacework recommends that you maintain the IaC integration as a server-side configuration.

Server Side Configuration

With this option, the Custom Workflow integration is maintained on the Atlantis server. Server-side configuration gives you granular control of the IaC integration on a per-repo basis and also lets you apply a global custom workflow configuration to all repos. For details, see the Atlantis documentation.

Repo-level config

The repo-level configuration pattern is the ideal integration workflow if individual teams manage each repo and its configuration. With repo-level configuration, each team manages its IaC integration independently. For details about repo-level config, see the Atlantis documentation.

Integrate IaC security with Atlantis via Server Side Config

Create a file called repos.yaml at a local path where you want to maintain your Atlantis configuration; it can be kept anywhere on the server.

The following is a sample configuration file that runs IaC scans as part of the Atlantis plan. It runs a scan immediately after generating the plan file.

note

This configuration applies the behavior to every repo and every branch (id: /.*/ and branch: /.*/).

# repos lists the config for specific repos.
repos:
- id: /.*/
  branch: /.*/
  apply_requirements: [approved, mergeable]

  # allowed_overrides specifies which keys can be overridden by this repo in
  # its atlantis.yaml file.
  allowed_overrides: []

  # allowed_workflows specifies which workflows the repos that match
  # are allowed to select.

  # allow_custom_workflows defines whether this repo can define its own
  # workflows. If false (default), the repo can only use server-side defined
  # workflows.
  allow_custom_workflows: false

  # delete_source_branch_on_merge defines whether the source branch would be deleted on merge.
  # If false (default), the source branch won't be deleted on merge.
  delete_source_branch_on_merge: false

# workflows lists server-side custom workflows
workflows:
  default:
    plan:
      steps:
      - init
      - run: "terraform plan -input=false -refresh -out $PLANFILE"
      - run: "terraform show -json $PLANFILE > $SHOWFILE"
      - run: "soluble ea terraform-plan-scan --plan $SHOWFILE --format atlantis"

To let repositories define their own workflows and override the default workflow, the server-side repos.yaml should be similar to the following:

---
repos:
- id: /.*/
  allowed_overrides: [workflow]
  allow_custom_workflows: true

The repository-side configuration (atlantis.yaml in the repo) should be similar to the following:

---
# atlantis.yaml requires a version field; workflow steps are grouped
# under the plan and apply stages.
version: 3
projects:
- dir: .
  workflow: lacework-iac
workflows:
  lacework-iac:
    plan:
      steps:
      - init
      - run: "terraform plan -input=false -refresh -out $PLANFILE"
      - run: "terraform show -json $PLANFILE > $SHOWFILE"
      - run: "soluble ea terraform-plan-scan --plan=$SHOWFILE --format atlantis"
    apply:
      steps:
      - apply

If you want to allow repos to select their own workflows, the server-side configuration must have both the allowed_overrides: [workflow] and the allow_custom_workflows: true settings. See the server-side repo configuration use cases for more details.
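Once allow_custom_workflows is true, a repo can define a plan stage that never runs the scan, or runs it before $SHOWFILE is written. The following added example (not Lacework's or Atlantis's own code) audits parsed workflow definitions for both conditions; it works on the dict form that yaml.safe_load returns, and the embedded sample configuration, including the hypothetical "fast-path" workflow, is constructed for illustration.

```python
# Audits Atlantis workflow definitions: every plan stage must run the Lacework
# IaC scan against $SHOWFILE, and only after `terraform show -json` writes it.
import shlex
SHOW_CMD = ("terraform", "show", "-json")
SCAN_CMD = ("soluble", "ea", "terraform-plan-scan")

def audit_workflow(name, workflow):
    """Return findings for one workflow's plan stage; an empty list means compliant."""
    show_at, scan_at, scan_reads_showfile = None, None, False
    steps = workflow.get("plan", {}).get("steps", [])
    run_cmds = [s["run"] for s in steps if isinstance(s, dict) and "run" in s]
    for idx, cmd in enumerate(run_cmds):
        argv = tuple(shlex.split(cmd))
        if argv[:3] == SHOW_CMD:
            show_at = idx
        elif argv[:3] == SCAN_CMD:
            scan_at = idx  # the page uses both --plan spellings; accept either
            scan_reads_showfile = "--plan $SHOWFILE" in cmd or "--plan=$SHOWFILE" in cmd
    findings = []
    if scan_at is None:
        findings.append(f"{name}: plan stage has no Lacework IaC scan step")
    elif not scan_reads_showfile:
        findings.append(f"{name}: scan step does not read $SHOWFILE")
    if show_at is None:
        findings.append(f"{name}: no 'terraform show -json' step, so $SHOWFILE is never written")
    elif scan_at is not None and scan_at < show_at:
        findings.append(f"{name}: scan step runs before $SHOWFILE is written")
    return findings

def audit_config(config):
    # Audit every workflow, then flag projects that select a workflow that is not defined.
    workflows = config.get("workflows", {})
    findings = [f for name, wf in workflows.items() for f in audit_workflow(name, wf)]
    for project in config.get("projects", []):
        chosen = project.get("workflow")
        if chosen is not None and chosen not in workflows:
            findings.append(f"project {project.get('dir', '.')}: undefined workflow {chosen!r}")
    return findings

# Constructed sample: the parsed form of a repo-level atlantis.yaml (what yaml.safe_load
# returns). "lacework-iac" mirrors the page; "fast-path" is hypothetical and skips the scan.
SAMPLE_CONFIG = {"version": 3,
    "projects": [{"dir": ".", "workflow": "lacework-iac"}, {"dir": "modules/net", "workflow": "fast-path"}],
    "workflows": {
        "lacework-iac": {"plan": {"steps": ["init",
                {"run": "terraform plan -input=false -refresh -out $PLANFILE"},
                {"run": "terraform show -json $PLANFILE > $SHOWFILE"},
                {"run": "soluble ea terraform-plan-scan --plan=$SHOWFILE --format atlantis"}]},
                         "apply": {"steps": ["apply"]}},
        "fast-path": {"plan": {"steps": ["init", {"run": "terraform plan -input=false -refresh -out $PLANFILE"}]}}}}
```

Running audit_config(SAMPLE_CONFIG) reports two findings for fast-path and none for lacework-iac; wire the same check into review of repo-level atlantis.yaml changes so a workflow that drops the scan is caught before Atlantis runs it.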

note

The Soluble CLI version should be v0.5.26 or later.