Deploy with Atmos and Terraform
Verify and complete the AWS infrastructure setup for Atmos Pro using Atmos and Terraform. This approach checks your existing backend infrastructure and deploys the additional resources needed for plan file storage and GitHub OIDC integration.
You will learn
- Verify existing Terraform backend infrastructure (S3 + DynamoDB)
- Deploy new S3 bucket and DynamoDB table for plan file storage
- Ensure GitHub OIDC integration is properly configured
- Create IAM roles for GitHub Actions authentication
Overview
This deployment method verifies your existing backend infrastructure (which should already be deployed as part of the reference architecture) and deploys the additional resources needed for plan file storage and GitHub OIDC integration.
Quick Start
Step | Command
---|---
1. Vendor | `atmos workflow vendor -f quickstart/foundation/gitops`
2. Deploy | `atmos workflow deploy -f quickstart/foundation/gitops`
Currently, the workflows use the terminology "gitops". In the future, we plan to replace this with "atmos-pro".
Requirements
1 Authentication Prerequisites
The GitHub Action workflows expect the gitops AWS Team to be properly set up and connected to GitHub OIDC. This team should already be deployed with the aws-teams/aws-team-roles and github-oidc-provider components respectively. Verify the following to complete the authentication prerequisites.
By default in the Reference Architecture, the trusted_github_repos input is commented out for aws-teams. Now is the time to uncomment those lines. Please see stacks/catalog/aws-teams.yaml.
- The gitops Team is defined and deployed by aws-teams
- The team has trusted relationships with the infrastructure repo via trusted_github_repos. Capitalization matters! In the reference architecture, these values are initially commented out and will need to be updated with your specific repository information in the form "owner/repo:branch":
  ```yaml
  components:
    terraform:
      aws-teams:
        vars:
          trusted_github_repos:
            gitops:
              - "acme/infra:main"
  ```
- The aws-team-roles default catalog allows the gitops team to assume the terraform role
- github-oidc-provider is deployed to the account where the Atmos Pro infrastructure will be created
- The workflows have adequate permissions. In order to assume GitHub OIDC roles, a workflow needs the following:
  ```yaml
  permissions:
    id-token: write # This is required for requesting the JWT
    contents: read  # This is required for actions/checkout
  ```
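The checks above boil down to one question: does the trust policy on the role GitHub Actions assumes actually admit the `sub` claim GitHub will put in the OIDC token for each entry in `trusted_github_repos`, with the audience pinned? The script below is an added example for that check; it is not code from Atmos Pro, Cloud Posse, or the reference architecture. It assumes the "owner/repo:branch" entry form shown on this page, the standard GitHub OIDC trust-policy shape (a Condition on `token.actions.githubusercontent.com:sub` and `:aud`), and a constructed sample trust policy with a placeholder account ID. The second sample entry deliberately has the wrong capitalization to show why that matters.

```python
"""Verify a GitHub OIDC role trust policy against aws-teams trusted_github_repos.

Added example, not code from Atmos Pro or the Cloud Posse reference
architecture. Assumes the "owner/repo:branch" entry form from the page and a
trust policy conditioned on the GitHub OIDC sub/aud claims.
"""
import fnmatch
import json

ISSUER = "token.actions.githubusercontent.com"
SUB_KEY = f"{ISSUER}:sub"
AUD_KEY = f"{ISSUER}:aud"
EXPECTED_AUD = "sts.amazonaws.com"  # audience aws-actions/configure-aws-credentials requests


def expected_sub(entry: str) -> str:
    """Map an 'owner/repo:branch' entry to the sub claim GitHub places in the token."""
    repo, _, branch = entry.partition(":")
    if "/" not in repo or not branch:
        raise ValueError(f"expected 'owner/repo:branch', got {entry!r}")
    return f"repo:{repo}:ref:refs/heads/{branch}"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _oidc_statements(policy: dict):
    """Yield every Allow statement granting sts:AssumeRoleWithWebIdentity."""
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") == "Allow" and \
           "sts:AssumeRoleWithWebIdentity" in _as_list(stmt.get("Action", [])):
            yield stmt


def sub_patterns(policy: dict) -> list[str]:
    """Every sub pattern the policy accepts, whether under StringEquals or StringLike."""
    pats = []
    for stmt in _oidc_statements(policy):
        cond = stmt.get("Condition", {})
        for op in ("StringEquals", "StringLike"):
            pats.extend(_as_list(cond.get(op, {}).get(SUB_KEY, [])))
    return pats


def audience_ok(policy: dict) -> bool:
    """True only if every OIDC statement pins the aud claim to sts.amazonaws.com."""
    stmts = list(_oidc_statements(policy))
    return bool(stmts) and all(
        _as_list(s.get("Condition", {}).get("StringEquals", {}).get(AUD_KEY, []))
        == [EXPECTED_AUD]
        for s in stmts
    )


def overly_broad(policy: dict) -> list[str]:
    """Patterns whose owner/repo part is wildcarded: any GitHub repo could assume the role."""
    bad = []
    for pat in sub_patterns(policy):
        repo_part = pat.split(":")[1] if ":" in pat else pat
        if "*" in repo_part or "?" in repo_part:
            bad.append(pat)
    return bad


def check_trust(trusted_repos: list[str], policy: dict) -> dict[str, bool]:
    """For each aws-teams entry, report whether the trust policy admits its sub claim.

    fnmatchcase is deliberate: IAM string conditions are case-sensitive, so an
    entry written as 'Acme/Infra:main' must not satisfy a pattern for 'acme/infra'.
    """
    pats = sub_patterns(policy)
    return {
        entry: any(fnmatch.fnmatchcase(expected_sub(entry), p) for p in pats)
        for entry in trusted_repos
    }


# Constructed sample trust policy (placeholder account ID), shaped like the one
# a GitHub OIDC role component would emit for the gitops team.
SAMPLE_TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": "arn:aws:iam::111111111111:oidc-provider/token.actions.githubusercontent.com"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {
      "StringEquals": {"token.actions.githubusercontent.com:aud": "sts.amazonaws.com"},
      "StringLike": {"token.actions.githubusercontent.com:sub": "repo:acme/infra:ref:refs/heads/main"}
    }
  }]
}
""")

# Constructed entries; the second one has the wrong capitalization on purpose.
TRUSTED = ["acme/infra:main", "Acme/Infra:main"]

if __name__ == "__main__":
    for entry, ok in check_trust(TRUSTED, SAMPLE_TRUST_POLICY).items():
        print(f"{entry:20} -> {'trusted' if ok else 'NOT matched by trust policy'}")
    print("audience pinned:", audience_ok(SAMPLE_TRUST_POLICY))
    print("overly broad patterns:", overly_broad(SAMPLE_TRUST_POLICY))
```

In practice you would feed `check_trust` the entries from stacks/catalog/aws-teams.yaml and the trust policy pulled from the deployed role (for example the output of `aws iam get-role`). A `False` for an entry that looks right is almost always the capitalization issue the page warns about; a non-empty `overly_broad` result means the role trusts more than your repositories.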
How To Setup
1 Vendor Components
The gitops stack depends on components that may already exist in your component library (s3-bucket and dynamodb) and adds new components to manage GitHub OIDC access. Vendor these components either with the included Atmos workflow (`atmos workflow vendor -f quickstart/foundation/gitops`) or with Atmos Vendoring.
2 Deploy Atmos Pro Infrastructure
Deploy the Atmos Pro infrastructure components with the following workflow:
```shell
atmos workflow deploy -f quickstart/foundation/gitops
```
Review
Congratulations! The workflow has now verified and deployed the following:
- Verified existing Terraform backend infrastructure (S3 bucket and DynamoDB table for state)
- Deployed new S3 bucket to store Terraform plan files
- Deployed new DynamoDB table for managing plan files
- Ensured GitHub OIDC provider is properly configured
- Created IAM roles for GitHub Actions authentication
You're now ready to start using Atmos Pro with GitHub Actions.