Test yourself
Atlantis
Final exam · 12 questions · answers explained as you pick
Beginner
4 questions
01Atlantis brings which workflow to Terraform?
Incorrect — that is Chef/Puppet; Atlantis is PR automation.
Correct — runs are proposed, reviewed, and executed in the PR with an audit trail.
Incorrect — no.
Incorrect — no.
02A key security benefit of Atlantis is that cloud credentials…
Correct — centralized, off laptops, used only through the reviewed PR path.
Incorrect — no.
Incorrect — never.
Incorrect — applies need credentials — the point is where they live.
03The webhook secret (--gh-webhook-secret) exists to…
Incorrect — no.
Incorrect — no.
Correct — without it, anyone reaching /events could trigger Terraform runs.
Incorrect — no.
04Atlantis locking prevents…
Incorrect — no.
Correct — one project changes through one PR at a time.
Incorrect — no.
Incorrect — unrelated.
4 questions · explanations appear as you answer
Intermediate
4 questions
01atlantis.yaml is used to…
Correct — the map of a multi-directory infrastructure repo.
Incorrect — never put secrets there.
Incorrect — no.
Incorrect — no.
02A custom workflow run step is dangerous because it…
Incorrect — the risk is not speed.
Incorrect — it can ($PLANFILE etc.) — that is not the issue.
Correct — so untrusted repo-defined workflows = code exec with your creds.
Incorrect — no.
03when_modified globs should include a project’s shared module paths so that…
Incorrect — not the reason.
Correct — missing globs = a change that never gets planned, surfacing as later drift.
Incorrect — no.
Incorrect — unrelated.
04Atlantis native policy checks…
Correct — puts guardrails at the exact moment of change, in the tool that applies.
Incorrect — they do security policy, not just fmt.
Incorrect — they gate before apply.
Incorrect — mandatory policies block; advisory ones only annotate.
4 questions · explanations appear as you answer
Advanced
4 questions
01Server-side config (repos.yaml) matters because it…
Incorrect — no — it is operator policy for Atlantis.
Correct — the real security control; repo-side config is a convenience within its bounds.
Incorrect — that is repo-side atlantis.yaml — repos.yaml is operator-controlled.
Incorrect — no.
02The safest cloud-credential setup for Atlantis is…
Incorrect — worst-case blast radius on a server compromise.
Incorrect — never.
Correct — minimize durable secret material on the highest-value server you run.
Incorrect — applies need them; the point is short-lived + scoped.
03allow_custom_workflows: true for an untrusted repo means…
Correct — keep it false by default; grant only to fully-trusted repos.
Incorrect — no.
Incorrect — it is a serious risk.
Incorrect — unrelated.
04Compared with a managed platform (TFC, Spacelift), self-hosted Atlantis means…
Incorrect — the opposite — more control, self-hosted.
Correct — the trade for control is full security responsibility.
Incorrect — still needs them.
Incorrect — it has native policy checks.
4 questions · explanations appear as you answer