Atlantis is an open-source Golang project that listens for pull-request events via webhooks. It is self-hosted, built for Terraform and highly extensible. You can define custom workflows (e.g., Terragrunt) and integrate it with other tools such as Infracost.

Why should you use it?

The main reason is to run Terraform from a centralized place. You can’t have developers running IaC changes from their workstation, or from the CLI on a bastion host. Atlantis helps with that and eases the process of streamlining infrastructure changes through a pull-request workflow.

The second advantage is that it makes the changes visible to the team. Anyone can review the code changes and see what has actually been changed.

Third, it streamlines, standardizes and enforces Terraform workflows.

If you’re checking CI/CD options for Terraform, I suggest you look at this project. But this post isn’t about what Atlantis does. It’s about how to integrate it with Slack, which, as of now, is not really documented.

Slack Integration

It is useful to receive notifications of infrastructure changes (terraform applies). I expected it to be fairly simple, but this isn’t well-documented in the project.

Googling “atlantis slack integration” led me to this issue, https://github.com/runatlantis/atlantis/issues/444, where I found the relevant config.

slack-token: <token>
webhooks:
- event: plan
  workspace-regex: .*
  kind: slack
  channel: your-channel

On the first try it failed with a token issue. The required token is a Bot User OAuth Token, found under your App page on Slack (api.slack.com/apps/). Check the OAuth & Permissions page to create it. The token starts with xoxb-*.

I also found a useful blog post by the author of this, but it doesn’t mention the token type or the permissions the bot requires.

After placing the correct token, I had permission issues: initializing server: initializing webhooks: missing_scope

I started by adding them one by one, until I found this issue, https://github.com/runatlantis/atlantis/pull/1350, where jmericha finally put the required scope for this bot: channels:read, chat:write, groups:read, im:read, incoming-webhook, mpim:read.

Applied these changes, and everything was up and running.

To sum it up

  1. Create a Slack bot
  2. Create an OAuth bot token (starts with xoxb-)
  3. Add the required permissions to the Scopes under OAuth & Permissions
  4. Place the configuration in your Atlantis config.yaml
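
A preflight for steps 2 and 3, added here as an example (it is not code from Atlantis or from the sources linked above): it checks the token prefix and compares the scopes Slack reports in the X-OAuth-Scopes response header of auth.test against the list from pull request 1350. The function names and reading the token from the ATLANTIS_SLACK_TOKEN environment variable are assumptions of this example.

```python
"""Preflight for an Atlantis Slack bot token (added example, not Atlantis code)."""
import os
import sys
import urllib.request

# Scopes listed in this post (taken from runatlantis/atlantis pull request 1350).
REQUIRED_SCOPES = frozenset({
    "channels:read", "chat:write", "groups:read",
    "im:read", "incoming-webhook", "mpim:read",
})


def token_problem(token):
    """Return a message if the token is not a Bot User OAuth Token, else None."""
    if not token.startswith("xoxb-"):
        return "not a Bot User OAuth Token (expected prefix xoxb-)"
    return None


def missing_scopes(granted_header):
    """Return the required scopes absent from a comma-separated scope list."""
    granted = {s.strip() for s in granted_header.split(",") if s.strip()}
    return sorted(REQUIRED_SCOPES - granted)


def fetch_granted_scopes(token):
    """Ask Slack which scopes the token carries.

    Slack's Web API lists them in the X-OAuth-Scopes response header;
    auth.test is called because it needs no particular scope itself.
    """
    req = urllib.request.Request(
        "https://slack.com/api/auth.test",
        data=b"",  # forces a POST; the token travels only in the header
        headers={"Authorization": f"Bearer {token}"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.headers.get("X-OAuth-Scopes", "")


if __name__ == "__main__":
    # Assumption: token comes from the environment, keeping it out of argv.
    token = os.environ.get("ATLANTIS_SLACK_TOKEN", "")
    problem = token_problem(token)
    if problem:
        sys.exit(problem)
    missing = missing_scopes(fetch_granted_scopes(token))
    if missing:
        sys.exit("missing_scope: add " + ", ".join(missing))
    print("token type and scopes match what the Atlantis Slack webhook needs")
```

Run it before restarting the server; a non-zero exit names the scopes still to be added under OAuth & Permissions.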