Integrate with Atlantis
Atlantis Overview
Atlantis is an application for automating Terraform through pull requests. It is deployed as a standalone application into your infrastructure.
Lacework IaC Security can be used to run IaC Policy checks and Plan Processing.
Lacework currently supports Custom Workflow integration with Atlantis, which allows IaC scans to be performed either as part of the Atlantis plan command or any custom command that your organization wishes to use.
To proceed with the integration, note the following requirements:
Docker should be running on the Atlantis server.
Your Lacework API credentials should be stored somewhere on the Atlantis server (for example, /root/atlantis/lw_credentials) with contents like:

```
LW_ACCOUNT=[Your Lacework account name]
LW_API_KEY=[Your Lacework API key]
LW_API_SECRET=[Your Lacework API secret]
```

Make this file readable only by the user that runs Atlantis: the workflows below copy its contents into an env.list file in the project working directory for every scan.
Custom Workflow Integration
You can define a custom workflow in one of two ways: as a server-side configuration or as a repo-level configuration. The following section explains the advantages of each and which one might better suit your workflow. Lacework recommends that you maintain the IaC integration as a server-side configuration.
Server Side Configuration
The Custom Workflow integration is maintained on the Atlantis server side. Server-side configuration lets you have granular control of the IaC integration on a per-repo basis and also applies a global custom workflow configuration for all repos. For details, see the Atlantis documentation.
Repo-level config
The repo-level configuration pattern is the ideal integration workflow if individual teams manage each repo and its configuration. With repo-level configuration, each team can manage its IaC integration independently. For details about repo-level config, see the Atlantis documentation.
Integrate IaC Security with Atlantis through Server-Side Configuration
Create a file called repos.yaml on the Atlantis server where you would like to maintain your Atlantis configuration.
The following is a sample configuration file that runs IaC scans as part of the Atlantis plan: it runs a scan immediately after generating the plan file.
Note: The configuration YAML is set to use this behavior for any repo and branch.
Note: The following example assumes that your Terraform code is in a terraform directory in the project root:

```
. (project root)
└── terraform
    ├── main.tf
    └── vars.tf
```
```yaml
# repos lists the config for specific repos.
repos:
  - id: /.*/
    branch: /.*/
    apply_requirements: [approved, mergeable]
    # allowed_overrides specifies which keys can be overridden by this repo in
    # its atlantis.yaml file.
    allowed_overrides: []
    # allowed_workflows specifies which workflows the repos that match
    # are allowed to select.
    # allow_custom_workflows defines whether this repo can define its own
    # workflows. If false (default), the repo can only use server-side defined
    # workflows.
    allow_custom_workflows: false
    # delete_source_branch_on_merge defines whether the source branch would be deleted on merge
    # If false (default), the source branch won't be deleted on merge
    delete_source_branch_on_merge: false
# workflows lists server-side custom workflows. Overriding the workflow named
# "default" applies it to every repo and branch matched above; a "projects"
# list is a repo-level (atlantis.yaml) key and does not belong in repos.yaml.
workflows:
  default:
    plan:
      steps:
        # Generate TF plan and show files
        - run: "terraform -chdir=terraform init"
        - run: "terraform -chdir=terraform plan -input=false -refresh -out $PLANFILE"
        - run: "terraform -chdir=terraform show -json $PLANFILE > $SHOWFILE"
        # Create an env.list file with environment values that must be passed to Lacework's IaC docker image
        # Atlantis vars
        - run: "echo \"ATLANTIS_TERRAFORM_VERSION=${ATLANTIS_TERRAFORM_VERSION}\" > env.list"
        - run: "echo \"DIR=${WDIR}\" >> env.list"
        - run: "echo \"PLANFILE=${PLANFILE}\" >> env.list"
        - run: "echo \"SHOWFILE=${SHOWFILE}\" >> env.list"
        - run: "echo \"BASE_REPO_NAME=${BASE_REPO_NAME}\" >> env.list"
        - run: "echo \"BASE_REPO_OWNER=${BASE_REPO_OWNER}\" >> env.list"
        - run: "echo \"HEAD_REPO_NAME=${HEAD_REPO_NAME}\" >> env.list"
        - run: "echo \"HEAD_REPO_OWNER=${HEAD_REPO_OWNER}\" >> env.list"
        - run: "echo \"HEAD_BRANCH_NAME=${HEAD_BRANCH_NAME}\" >> env.list"
        - run: "echo \"PROJECT_NAME=${PROJECT_NAME}\" >> env.list"
        - run: "echo \"PULL_NUM=${PULL_NUM}\" >> env.list"
        - run: "echo \"PULL_AUTHOR=${PULL_AUTHOR}\" >> env.list"
        - run: "echo \"REPO_REL_DIR=${REPO_REL_DIR}\" >> env.list"
        - run: "echo \"USER_NAME=${USER_NAME}\" >> env.list"
        - run: "echo \"COMMENT_ARGS=${COMMENT_ARGS}\" >> env.list"
        # Lacework vars
        - run: "echo \"SCAN_COMMAND=tf-plan-scan\" >> env.list"
        - run: "echo \"TF_PLAN_JSON=$(basename $SHOWFILE)\" >> env.list"
        - run: "echo \"WORKSPACE=src\" >> env.list"
        # Add the LW credentials from the Atlantis server into the env for docker
        - run: "cat /root/atlantis/lw_credentials >> env.list"
        # Run the Lacework Terraform plan scan
        - run: "docker run --env-file env.list -v \"$(pwd):/app/src\" lacework/codesec-iac:latest"
```
Integrate IaC Security with Atlantis through Repo-Side Configuration
For repo-side configuration, the server-side repos.yaml should be similar to the following to allow repos to select their own workflow. See server-side repo configuration use cases for more details.

```yaml
---
repos:
  - id: /.*/
    allowed_overrides: [workflow]
    allow_custom_workflows: true
```
Repository-side configuration should be similar to the following:
Note: The following example assumes that your Terraform code is in a terraform directory in the project root. Your Atlantis configuration will be in an atlantis.yaml file at the project root. For example:

```
. (project root)
├── atlantis.yaml
└── terraform
    ├── main.tf
    └── vars.tf
```
```yaml
---
version: 3
projects:
  - name: lacework-iac
    dir: .
    workflow: lacework-iac
workflows:
  lacework-iac:
    plan:
      steps:
        # Generate TF plan and show files
        - run: "terraform -chdir=terraform init"
        - run: "terraform -chdir=terraform plan -input=false -refresh -out $PLANFILE"
        - run: "terraform -chdir=terraform show -json $PLANFILE > $SHOWFILE"
        # Create an env.list file with environment values that must be passed to Lacework's IaC docker image
        # Atlantis vars
        - run: "echo \"ATLANTIS_TERRAFORM_VERSION=${ATLANTIS_TERRAFORM_VERSION}\" > env.list"
        - run: "echo \"DIR=${WDIR}\" >> env.list"
        - run: "echo \"PLANFILE=${PLANFILE}\" >> env.list"
        - run: "echo \"SHOWFILE=${SHOWFILE}\" >> env.list"
        - run: "echo \"BASE_REPO_NAME=${BASE_REPO_NAME}\" >> env.list"
        - run: "echo \"BASE_REPO_OWNER=${BASE_REPO_OWNER}\" >> env.list"
        - run: "echo \"HEAD_REPO_NAME=${HEAD_REPO_NAME}\" >> env.list"
        - run: "echo \"HEAD_REPO_OWNER=${HEAD_REPO_OWNER}\" >> env.list"
        - run: "echo \"HEAD_BRANCH_NAME=${HEAD_BRANCH_NAME}\" >> env.list"
        - run: "echo \"PROJECT_NAME=${PROJECT_NAME}\" >> env.list"
        - run: "echo \"PULL_NUM=${PULL_NUM}\" >> env.list"
        - run: "echo \"PULL_AUTHOR=${PULL_AUTHOR}\" >> env.list"
        - run: "echo \"REPO_REL_DIR=${REPO_REL_DIR}\" >> env.list"
        - run: "echo \"USER_NAME=${USER_NAME}\" >> env.list"
        - run: "echo \"COMMENT_ARGS=${COMMENT_ARGS}\" >> env.list"
        # Lacework vars
        - run: "echo \"SCAN_COMMAND=tf-plan-scan\" >> env.list"
        - run: "echo \"TF_PLAN_JSON=$(basename $SHOWFILE)\" >> env.list"
        - run: "echo \"WORKSPACE=src\" >> env.list"
        # Add the LW credentials from the Atlantis server into the env for docker
        - run: "cat /root/atlantis/lw_credentials >> env.list"
        # Run the Lacework Terraform plan scan
        - run: "docker run --env-file env.list -v \"$(pwd):/app/src\" lacework/codesec-iac:latest"
```
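Both the server-side and the repo-side workflows above build env.list with a long chain of echo steps and leave the copied API secret sitting in the project checkout. The following helper script is an added example, not Lacework's or Atlantis's own code: it writes the same keys into env.list, checks the credentials file permissions first, and removes env.list after the scan. The script name lacework-scan.sh and the LW_CREDENTIALS override variable are assumptions.

```shell
#!/bin/sh
# Added example, not Lacework's or Atlantis's own code: one helper that replaces the
# chain of "echo ... >> env.list" run steps from the workflows above. It writes the
# same keys, refuses a credentials file that other local users can read, creates
# env.list readable only by the Atlantis user, and deletes it after the scan so the
# API secret does not stay behind in the project checkout.
set -eu

# Credentials path used by the page's examples; LW_CREDENTIALS is an assumed override.
LW_CREDENTIALS="${LW_CREDENTIALS:-/root/atlantis/lw_credentials}"

# build_env_list OUTFILE CREDFILE: write Atlantis and Lacework variables to OUTFILE.
build_env_list() {
  out="$1"; creds="$2"
  # ls -l prints e.g. "-rw-------"; columns 5-10 are the group/other bits, all must be "-".
  case "$(ls -ld "$creds" | cut -c5-10)" in
    ------) ;;
    *) echo "refusing: $creds is readable by group or other users" >&2; return 1 ;;
  esac
  ( umask 077; : > "$out" )   # create (or truncate) env.list with mode 600
  # Atlantis vars, same names as the run steps above (unset ones are written empty)
  for name in ATLANTIS_TERRAFORM_VERSION PLANFILE SHOWFILE BASE_REPO_NAME \
      BASE_REPO_OWNER HEAD_REPO_NAME HEAD_REPO_OWNER HEAD_BRANCH_NAME \
      PROJECT_NAME PULL_NUM PULL_AUTHOR REPO_REL_DIR USER_NAME COMMENT_ARGS; do
    eval "val=\${$name:-}"
    printf '%s=%s\n' "$name" "$val" >> "$out"
  done
  printf 'DIR=%s\n' "${WDIR:-}" >> "$out"
  # Lacework vars
  printf 'SCAN_COMMAND=tf-plan-scan\n' >> "$out"
  printf 'TF_PLAN_JSON=%s\n' "$(basename "${SHOWFILE:-}")" >> "$out"
  printf 'WORKSPACE=src\n' >> "$out"
  cat "$creds" >> "$out"
}

# run_scan: build env.list in the current project directory, run the image, clean up.
run_scan() {
  build_env_list env.list "$LW_CREDENTIALS"
  rc=0
  docker run --rm --env-file env.list -v "$(pwd):/app/src" lacework/codesec-iac:latest || rc=$?
  rm -f env.list
  return "$rc"
}

# Invoke as a single Atlantis run step in place of the echo/cat/docker steps:
#   - run: "sh lacework-scan.sh scan"
if [ "${1:-}" = "scan" ]; then run_scan; fi
```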