What Atlantis is: PR-driven Terraform

GitOps for Terraform via the PR.

Advanced12 min · lesson 1 of 12

Atlantis brings a GitOps workflow to Terraform through the pull request. Instead of engineers running terraform apply from their laptops with production credentials, Atlantis is a server that listens for pull-request events: when you open a PR that changes Terraform, it automatically runs terraform plan and posts the output as a PR comment; after the team reviews that plan, a reviewer comments atlantis apply and Atlantis runs the apply. The entire change is proposed, reviewed, and executed in the PR, with a full audit trail.

This solves real problems with ad-hoc Terraform: credentials no longer live on developer machines (they live on the Atlantis server, once, controlled), every change is reviewed against its actual plan, applies are serialized and locked so two people cannot clobber shared state, and there is a permanent record of who applied what. It is the same plan-on-PR / apply-on-merge idea the IaC courses describe, packaged as a purpose-built server for Terraform.

The Atlantis PR loop
1open PR
changes .tf
2autoplan
Atlantis posts the plan
3review
team reads the diff
4atlantis apply
comment triggers apply
Plan is automatic and visible; apply is a reviewed comment. Credentials stay on the server, never on laptops.

Why the PR is the control point

Centering the workflow on the PR means the pull request becomes the single place where an infrastructure change is proposed, its exact plan is shown, discussion happens, approval is recorded, and the apply is triggered and logged. That is a strong governance position: you can require approvals before apply, gate on policy checks, and know that nothing reaches production except through this reviewed path. The PR is both the developer experience and the audit boundary.

The Atlantis server holds the keys to your infrastructure
To run applies, Atlantis has cloud credentials with the power to change (and destroy) infrastructure, and it acts on webhooks from your VCS. That makes the server a top-tier target: a compromise of it, or of the webhook path, is a compromise of everything it can apply. Every later hardening lesson exists because of this — treat Atlantis as critical infrastructure from the first deploy.