What are the advantages/disadvantages of calling Terraform directly in GitHub Actions?
When does it make sense to use something like Atlantis or Gruntwork Pipelines? Are there any compelling reasons for us to also use something like Gruntwork Pipelines or Atlantis apart from not having to store some secrets in GitHub (I guess we could mitigate this by using AWS Secrets Manager as well)?

---

<ins datetime="2022-06-16T01:52:00Z"> <p><a href="https://support.gruntwork.io/hc/requests/108787">Tracked in ticket #108787</a></p> </ins>
One of the main benefits of using Gruntwork Pipelines or Atlantis (amongst other things) is to protect against the threat model laid out in [this post](https://github.com/gruntwork-io/terraform-aws-ci/blob/master/modules/ecs-deploy-runner/core-concepts.md#threat-model-of-the-deploy-runner). If the threat model doesn't apply to your use case, then it is perfectly reasonable to rely purely on GitHub Actions.

Note that there is more to Atlantis/Gruntwork Pipelines than just preventing secrets in GitHub. For example, a core mechanism of Gruntwork Pipelines is the argument checker, which prevents callers from invoking the pipeline with arbitrary repositories or branches. Since GitHub Actions can be invoked from any branch, a user can circumvent the CI restrictions by creating a branch and modifying the workflow code to switch plan with apply, if you are not careful with the Actions permissions. With Gruntwork Pipelines, the ECS Deploy Runner will reject calls that attempt an apply against a non-sanctioned branch.

With that said, there are disadvantages to these systems, like having to maintain them over time, as well as adding complexity to your jobs. You have to weigh the cost of maintenance against the benefits you get out of them. For example, Atlantis may provide a faster way to achieve your ideal Terraform flow without having to finagle GitHub Actions pipeline scripts. Or you might find value in the security measures offered by Gruntwork Pipelines. We hope that the information we provide can help you make the choice that best fits the needs of your team.

---

One other point that is more specific to GitHub Actions: GitHub Actions is fairly limiting when it comes to build minutes, with the paid version only offering a cap of 4000 build minutes. Terraform jobs can take a long time (e.g., deploying CloudFront can take upwards of 1 hour), making it very easy to reach the build limit fairly quickly.

Relying on Atlantis/Gruntwork Pipelines to run jobs allows you to run those outside of GitHub Actions, preserving precious build minutes. This is less of an issue if you are on the Enterprise plan where you can buy extra build minutes, or if you are using an alternative CI server like CircleCI where you can purchase more build minutes, but it will be something you want to keep an eye on.

---

For an overview of Atlantis vs Gruntwork Pipelines, refer to this knowledge base post: https://github.com/gruntwork-io/knowledge-base/discussions/75
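The argument-checker idea described in the answer above, as an added illustrative example (this is not Gruntwork's code and not the ECS Deploy Runner's actual implementation): a small POSIX shell gate that a runner outside of GitHub Actions would apply before executing Terraform. It keeps its own allowlist of repositories and of branches that may run `apply`, so a workflow edited on an arbitrary branch to swap `plan` for `apply` is refused regardless of what the workflow file says. The repository names and branch list are constructed placeholders, and `check_args` is a hypothetical function name.

```shell
#!/bin/sh
# Illustrative argument checker for a Terraform deploy runner (added example,
# not Gruntwork's code). The runner, not the caller's workflow file, decides
# which repositories may be deployed and which branches may run "apply".

# Constructed allowlists; real values are deployment-specific.
ALLOWED_REPOS="github.com/example-org/infra-live github.com/example-org/infra-modules"
APPLY_BRANCHES="main"

# Return 0 if REPO ($1) is on the allowlist, 1 otherwise.
repo_allowed() {
  for r in $ALLOWED_REPOS; do
    [ "$1" = "$r" ] && return 0
  done
  return 1
}

# Return 0 if REF ($1) is a sanctioned branch for "apply", 1 otherwise.
apply_branch_allowed() {
  for b in $APPLY_BRANCHES; do
    [ "$1" = "refs/heads/$b" ] && return 0
  done
  return 1
}

# check_args REPO REF COMMAND
# Prints "allow: ..." and returns 0 only when the call is sanctioned;
# otherwise prints "reject: <reason>" and returns 1. "plan" is allowed from
# any branch of an allowed repo; "apply" only from APPLY_BRANCHES.
check_args() {
  repo="$1"; ref="$2"; cmd="$3"
  case "$cmd" in
    plan|apply) ;;
    *) echo "reject: unknown command '$cmd'"; return 1 ;;
  esac
  if ! repo_allowed "$repo"; then
    echo "reject: repository '$repo' is not on the allowlist"
    return 1
  fi
  if [ "$cmd" = "apply" ] && ! apply_branch_allowed "$ref"; then
    echo "reject: apply is only permitted from [$APPLY_BRANCHES], got '$ref'"
    return 1
  fi
  echo "allow: $cmd on $repo@$ref"
  return 0
}

# Constructed calls showing the gate in action (the "|| true" keeps a
# rejected call from aborting the script when run under "set -e").
check_args github.com/example-org/infra-live refs/heads/main apply || true
check_args github.com/example-org/infra-live refs/heads/feature/x plan || true
check_args github.com/example-org/infra-live refs/heads/feature/x apply || true
check_args github.com/attacker/fork refs/heads/main apply || true
```

The point the check enforces is that the trust decision lives in the runner's own configuration rather than in the workflow definition that a branch author can edit; a CI job only gets to ask for `apply`, and the runner answers based on where the request comes from. The same effect in plain GitHub Actions requires branch protection plus a job condition on the ref and restricted Actions permissions, which is what the answer means by "if you are not careful with the Actions permissions".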