vault-secrets-operator VS atlantis

For home use, I wouldn't bother with Vault unless that's really what you want to learn. Then it's worth looking into setting something up where you could use vault secrets, using one of the available options (I haven't seen the vault-secrets-operator being mentioned).

It is but it affects vault-secrets-operator too, see https://github.com/ricoberger/vault-secrets-operator/issues/104 (and no, I’ve only use vault-secrets-operator)

If you are using an external KMS in any case, then there are other options, such as the kubernetes-external-secrets operator that was originally started by GoDaddy and the externalsecret-operator from Container Solutions. If you use HashiCorp Vault, you also have the option of using the Vault Secrets operator. This works similarly to the Sealed Secrets Operator, but instead of managing its own key material, it retrieves the secrets from Vault. The CNCF Technology Radar from January 2021 provides an overview of the types of tools that are available for secrets management.

Atlantis has an issue open for OpenTofu support [1]. This might be something to look out for.

[1] https://github.com/runatlantis/atlantis/issues/3741

Atlantis is a pull request automation tool that works well with plain Terraform right away. But what if we're already using Terramate to generate Terraform code?

Atlantis automates reviewing and deploying Terraform via pull requests, streamlining collaboration and ensuring consistency across Terraform deployments.

For example, Atlantisgo for Terraform, Zapier’s Kubechecks for Argo CD, Quizlet’s GitHub action all do something similar to this. But a generic, extensible tool for IaC providers doesn’t seem to exist. Additionally, many of them require exposing your Kubernetes cluster or other infrastructure to third-party access, webhooks, etc.

Our first attempt was to introduce other engineering teams to Terraform - the Platform team was already using it extensively with Terragrunt, and using Atlantis to automate plan and apply operations in a Git flow to ensure infrastructure was consistent. We'd written modules, with documentation, and an engineer would simply need to raise a PR to use the module and provide the right values, and Atlantis (once the PR was approved by Platform) would go ahead and set it up for them.

Alternatively, you can look at solutions like Atlantis or spacelift.

Atlantis: https://www.runatlantis.io/

Looking at the commits at https://github.com/runatlantis/atlantis, it looks like 1.6.5. Am I right?

We use Atlantis [0] for CI/CD automation of Terraform pull requests to a centralized repository. It's pretty good too, especially for a self-hosted solution. I can't see how Terraform Cloud's costs would be justifiable for us without a custom contract.

[0] https://www.runatlantis.io/