Run Atlantis on ECS with git-crypt

atlantis.yaml

workflows:
  decrypt:
    plan:
      steps:
        - run: git-crypt unlock /tmp/<your-git-crypt-exported-key>
        - init
        - plan

Dockerfile-atlantis-ecs-git-crypt

# This Dockerfile is intended to be uploaded to a PRIVATE repository.
# This method involves copying the git-crypt key into this image,
# which will allow one to use a custom workflow in Atlantis
# to decrypt before running init/plan/apply.

FROM runatlantis/atlantis

ENV GIT_CRYPT_VERSION 0.6.0

RUN apk --update add \
   bash \
   curl \
   git \
   g++ \
   make \
   openssh \
   openssl \
   openssl-dev \
   && rm -rf /var/cache/apk/*

RUN curl -L https://github.com/AGWA/git-crypt/archive/$GIT_CRYPT_VERSION.tar.gz | tar zxv -C /var/tmp
RUN cd /var/tmp/git-crypt-$GIT_CRYPT_VERSION && make && make install PREFIX=/usr/local

COPY <your-git-crypt-exported-key> /tmp/.

CMD ["server"]

upload_image_to_ecr.sh

#!/bin/bash

AWS_REGION=<region>
AWS_ACCOUNT_ID=<your_account_id>
AWS_ECR_DOMAIN=$AWS_ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com

if [ -z "$1" ]; then
  echo "Must provide Docker image ID as first argument!"
fi

# Spits out the docker login command for you, so just run the output:
$(AWS_PROFILE=master aws ecr get-login --region $AWS_REGION --no-include-email)

# Tag & push, boys:
docker tag $1 $AWS_ECR_DOMAIN/atlantis:latest
docker push $AWS_ECR_DOMAIN/atlantis:latest