Migrate from GitHub Actions GitOps
This guide helps you migrate from the legacy GitHub Actions GitOps workflows to Atmos Pro. Atmos Pro provides a simplified and more powerful alternative with built-in dependency ordering, drift detection, and policy controls.
Overview
The legacy GitHub Actions GitOps approach required:
- Custom GitHub Action workflows for plan, apply, drift detection, and remediation
- Manual configuration of S3 buckets and DynamoDB tables for plan storage
- Complex IAM role setup with
aws-teamsandaws-team-rolescomponents - Custom workflow dispatch logic and matrix strategies
Atmos Pro replaces all of this with:
- Three simple workflow files that Atmos Pro manages
- Built-in plan storage and management
- Simplified IAM setup using the
iam-rolecomponent - Automatic dependency ordering and parallel execution
Migration Steps
Step 1: Set Up Atmos Pro
Follow the Atmos Pro Setup Guide to:
- Sign up for Atmos Pro and create a workspace
- Install the Atmos Pro GitHub App
- Grant repository permissions
- Add the three Atmos Pro workflow files
Step 2: Deploy New IAM Roles
Atmos Pro uses the iam-role component instead of aws-teams and aws-team-roles for GitHub Actions authentication. Deploy the new roles:
atmos workflow deploy/iam-role -f identity
This creates terraform and planner IAM roles in each account that GitHub Actions can assume via OIDC.
Step 3: Update GitHub OIDC Provider
Ensure the github-oidc-provider component is deployed to all accounts where Terraform will run:
atmos workflow deploy/github-oidc-provider -f github
Step 4: Test Atmos Pro Workflows
Before removing the legacy workflows:
- Create a test pull request with a small change
- Verify Atmos Pro comments on the PR with affected stacks
- Verify plan workflows are dispatched and complete successfully
- Merge the PR and verify apply workflows run correctly
Step 5: Remove Legacy Workflows
Once Atmos Pro is working correctly, remove the legacy workflow files:
.github/workflows/atmos-terraform-plan.yaml.github/workflows/atmos-terraform-apply.yaml.github/workflows/atmos-terraform-drift-detection.yaml.github/workflows/atmos-terraform-drift-remediation.yaml.github/workflows/atmos-terraform-dispatch.yaml.github/workflows/atmos-terraform-plan-matrix.yaml.github/workflows/atmos-terraform-apply-matrix.yaml
Step 6: Clean Up Legacy Infrastructure (Optional)
If you no longer need the legacy GitOps infrastructure, you can remove:
gitops/s3-bucketcomponent — Plan file storage bucketgitops/dynamodbcomponent — Plan metadata tablegitopscomponent — Legacy GitHub OIDC roles
Only remove these components after confirming Atmos Pro is working correctly and you no longer need access to historical plan files.
Key Differences
| Feature | Legacy GitOps | Atmos Pro |
|---|---|---|
| Workflow configuration | 7+ custom workflow files | 3 simple workflow files |
| Plan storage | Self-managed S3 + DynamoDB | Built-in |
| IAM roles | aws-teams + aws-team-roles | iam-role component |
| Dependency ordering | Manual or none | Automatic |
| Drift detection | Scheduled workflow | Built-in with dashboard |
| Policy controls | Custom implementation | Built-in |
Troubleshooting
Workflows Not Triggering
If Atmos Pro workflows aren't being dispatched:
- Verify the Atmos Pro GitHub App is installed and has access to the repository
- Check that repository permissions are configured in the Atmos Pro console
- Ensure the workflow files exist in the default branch
Authentication Errors
If workflows fail with authentication errors:
- Verify
github-oidc-provideris deployed to the target account - Check that
iam-rolecomponents are deployed with correct trust policies - Ensure the workflow has
id-token: writepermission
See Also
- Atmos Pro Setup — Complete setup guide
- Atmos Pro Overview — Features and capabilities
- Legacy GitOps Documentation — Reference for existing deployments