Merge pull request #8684 from upodroid/atlantis-bump

k8s-ci-robot · web-flow · commit 32d773e48870 · 2025-10-22T20:46:38.000-07:00
bump atlantis and configure it to run against our AWS organization
diff --git a/.atlantis.yaml b/.atlantis.yaml
@@ -6,8 +6,27 @@ parallel_plan: true
 parallel_apply: true
 abort_on_execution_order_fail: true
 projects:
-- name: k8s-infra-ii-sandbox
-  branch: /main/
-  dir: infra/gcp/terraform/k8s-infra-ii-sandbox
-  workspace: default
-  terraform_version: v1.3.0
+  - name: artifacts.k8s.io
+    branch: /main/
+    dir: infra/aws/terraform/artifacts.k8s.io
+    workflow: aws
+# For AWS, atlantis needs to assume a specific role in each account except the management account
+# so we read it from the folder that atlantis will work on
+workflows:
+  aws:
+    plan:
+      steps:
+        - init:
+            extra_args: ["--backend-config", "atlantis.config"]
+        - plan:
+            extra_args: ["-var-file", "atlantis.tfvars"]
+    apply:
+      steps:
+        - apply:
+            extra_args: ["-var-file", "atlantis.tfvars"]
+    import:
+      steps:
+        - init:
+            extra_args: ["--backend-config", "atlantis.config"]
+        - import:
+            extra_args: ["-var-file", "atlantis.tfvars"]
diff --git a/kubernetes/gke-utility/atlantis/kustomization.yaml b/kubernetes/gke-utility/atlantis/kustomization.yaml
@@ -9,7 +9,7 @@ resources:
 
 images:
   - name: ghcr.io/runatlantis/atlantis
-    newTag: v0.34.0
+    newTag: v0.36.0
 
 configMapGenerator:
   - name: atlantis-config
@@ -29,6 +29,12 @@ patchesStrategicMerge:
           containers:
           - name: atlantis
             env:
+              - name: AWS_ROLE_ARN
+                value: arn:aws:iam::348685125169:role/atlantis
+              - name: AWS_WEB_IDENTITY_TOKEN_FILE
+                value: /var/run/secrets/aws-iam-token/serviceaccount/token
+              - name: AWS_REGION
+                value: us-east-2
               - name: ATLANTIS_CONFIG
                 value: /config/atlantis.yaml
               - name: ATLANTIS_GH_TOKEN
@@ -51,7 +57,18 @@ patchesStrategicMerge:
             volumeMounts:
             - name: config
               mountPath: /config
+            - mountPath: /var/run/secrets/aws-iam-token/serviceaccount
+              name: aws-iam-token
+              readOnly: true
           volumes:
           - name: config
             configMap:
               name: atlantis-config
+          - name: aws-iam-token
+            projected:
+              defaultMode: 420
+              sources:
+              - serviceAccountToken:
+                  audience: sts.amazonaws.com
+                  expirationSeconds: 86400
+                  path: token
