Automatically analyze Terraform plans with Overmind risk assessment through Atlantis pull request workflows.
This integration adds automated blast radius analysis and complete lifecycle tracking to your Atlantis Terraform workflow. Every time you run `atlantis plan`, the plan is automatically submitted to Overmind for analysis. When you run `atlantis apply`, the change is tracked from start to completion, giving you:
- Blast radius - What resources will be affected by this change
- Risk assessment - Potential security, compliance, or operational risks
- Change impact - Dependencies and downstream effects
- Lifecycle tracking - Full visibility from plan → apply → completion
- Change history - Historical record of all infrastructure changes
- Recommendations - Suggested mitigations and best practices
- Atlantis server (self-hosted or cloud)
- Overmind account (sign up)
- Overmind CLI installed on the Atlantis server (the workflow steps call `overmind changes ...`)
- Terraform 0.12 or later (`terraform show -json` is needed to export the plan)

1. Get your Overmind API key from app.overmind.tech/settings/api-keys

2. Add the configuration to your repository:

   ```bash
   # Copy atlantis.yaml to your repository root
   cp atlantis.yaml /path/to/your/repo/
   # Copy the integration script
   mkdir -p /path/to/your/repo/scripts
   cp scripts/overmind-integration.sh /path/to/your/repo/scripts/
   chmod +x /path/to/your/repo/scripts/overmind-integration.sh
   ```

3. Set the environment variable on your Atlantis server (in the server's environment, not in the repository):

   ```bash
   export OVM_API_KEY="your-overmind-api-key"
   ```

4. Test it:
   - Create a PR with Terraform changes
   - Comment `atlantis plan` on the PR
   - View the analysis in the Overmind dashboard
Test the integration locally before deploying:

```bash
# Set your API key
export OVM_API_KEY="your-overmind-api-key"
# Run the quick test
./quick-test.sh
```

This will create a Terraform plan and submit it to Overmind for analysis.
Developer creates PR with Terraform changes
↓
Comments "atlantis plan" on PR
↓
Atlantis executes Terraform plan
↓
Plan submitted to Overmind (submit-plan)
↓
Change ID saved for apply phase
↓
Risk analysis available in Overmind dashboard
↓
Developer comments "atlantis apply"
↓
Change marked as starting (start-change)
↓
Terraform apply executes
↓
Change marked as complete (end-change)
↓
Final validation and summary retrieved
The integration provides full lifecycle tracking of infrastructure changes:

Plan Phase:
- Executes `terraform plan`
- Converts the plan to JSON with `terraform show -json`
- Submits it to Overmind via `submit-plan`
- Saves the Change ID to the `.overmind-change-id` file
- Links the change to the PR and adds repository tags

Apply Phase:
- Reads the saved Change ID from `.overmind-change-id`
- Calls `start-change` to mark the beginning of execution
- Executes `terraform apply`
- Calls `end-change` to mark completion
- Retrieves the final change summary
- Cleans up temporary files
The included atlantis.yaml configures Atlantis with complete lifecycle tracking. Because the workflow is defined in the repository, the server-side repo config must permit it (`allow_custom_workflows: true` and `allowed_overrides: [workflow]`); be aware that this lets anyone who can trigger `atlantis plan` on the repository run arbitrary commands on the Atlantis server with its environment, including `OVM_API_KEY`. Key sections:

Lifecycle-Tracked Workflow:

```yaml
workflows:
  overmind-tracked:
    plan:
      steps:
        - init
        - plan
        - run: |
            # Submit plan and save Change ID
            terraform show -json "$PLANFILE" | \
              overmind changes submit-plan - \
                --ticket-link "$PULL_URL" \
                --tags "atlantis=true,repo=$BASE_REPO_NAME" \
                --format json > .overmind-response.json
            # Extract the uuid field; tolerates compact and pretty-printed JSON
            CHANGE_ID=$(grep -o '"uuid"[[:space:]]*:[[:space:]]*"[^"]*"' .overmind-response.json | head -1 | cut -d'"' -f4)
            # Fail the plan step rather than saving an empty ID for apply
            [ -n "$CHANGE_ID" ] || { echo "Overmind did not return a Change ID" >&2; exit 1; }
            echo "$CHANGE_ID" > .overmind-change-id
    apply:
      steps:
        - run: |
            # Mark change as starting
            CHANGE_ID=$(cat .overmind-change-id)
            overmind changes start-change --uuid "$CHANGE_ID"
        - apply
        - run: |
            # Mark change as complete
            CHANGE_ID=$(cat .overmind-change-id)
            overmind changes end-change --uuid "$CHANGE_ID"
            overmind changes get-change --uuid "$CHANGE_ID" --format markdown
```

The workflow saves the Change ID during plan to a file (`.overmind-change-id`) in the Atlantis checkout, which is then read during apply to track the complete lifecycle. The plan step fails if Overmind returns no Change ID, so apply never runs `start-change` with an empty `--uuid`.
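The run steps above inline the shell logic; a helper script keeps it in one place and adds the checks the hand-off through `.overmind-change-id` needs. The script below is an added example and is not the repository's own scripts/overmind-integration.sh, which is not reproduced on this page. It assumes the Overmind CLI is on PATH with `OVM_API_KEY` in the server environment and that Atlantis exports `PLANFILE`, `PULL_URL`, `BASE_REPO_NAME`, `PULL_NUM` and `WORKSPACE` to the run step; the phase names `plan`, `start` and `end` and the script path are this example's own. It tolerates compact or pretty-printed JSON when extracting the Change ID, refuses to pass anything that is not a canonical UUID into the CLI, and fails with an actionable message when `.overmind-change-id` is missing (the failure mode covered under troubleshooting).

```shell
#!/bin/sh
# Added example: an Atlantis run-step helper for the Overmind plan/apply lifecycle.
# Not the repository's scripts/overmind-integration.sh. Assumes the Overmind CLI is
# on PATH, OVM_API_KEY is set in the Atlantis server environment, and the Atlantis
# run-step variables PLANFILE, PULL_URL, BASE_REPO_NAME, PULL_NUM and WORKSPACE are
# exported. The phase names (plan/start/end) are this example's own convention.
set -eu

CHANGE_ID_FILE=".overmind-change-id"   # same hand-off file as the atlantis.yaml workflow

# Pull the first "uuid" value out of JSON on stdin. Works for compact and
# pretty-printed output (optional whitespace and newlines around the colon);
# prints nothing, rather than failing, when no uuid is present.
extract_change_id() {
  tr -d '\n' | grep -o '"uuid"[[:space:]]*:[[:space:]]*"[^"]*"' | head -n 1 \
    | sed 's/.*"\([^"]*\)"$/\1/'
}

# Accept only a canonical UUID before the value is interpolated into a CLI
# argument, so a corrupted file or unexpected response cannot smuggle in
# extra flags or shell metacharacters.
is_uuid() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Read the Change ID written by the plan phase. Fail with an actionable message
# when the file is missing (plan and apply ran in different workspaces, or the
# clone was refreshed) instead of calling the CLI with an empty --uuid.
read_change_id() {
  file="${1:-$CHANGE_ID_FILE}"
  if [ ! -f "$file" ]; then
    echo "No $file found: run 'atlantis plan' again before 'atlantis apply'" >&2
    return 1
  fi
  id="$(head -n 1 "$file" | tr -d '[:space:]')"
  if ! is_uuid "$id"; then
    echo "Malformed Change ID in $file: re-run 'atlantis plan'" >&2
    return 1
  fi
  printf '%s\n' "$id"
}

# Plan phase: submit the JSON plan and save the Change ID for the apply phase.
plan_phase() {
  response="$(terraform show -json "$PLANFILE" | overmind changes submit-plan - \
    --ticket-link "$PULL_URL" \
    --tags "atlantis=true,repo=$BASE_REPO_NAME,pr=$PULL_NUM,workspace=$WORKSPACE" \
    --format json)"
  id="$(printf '%s' "$response" | extract_change_id)"
  if ! is_uuid "$id"; then
    echo "Overmind submit-plan did not return a Change ID; not writing $CHANGE_ID_FILE" >&2
    return 1
  fi
  printf '%s\n' "$id" > "$CHANGE_ID_FILE"
  echo "Submitted Overmind change $id for PR #$PULL_NUM"
}

# Apply phase, first half: mark the change as running before terraform apply.
start_phase() {
  id="$(read_change_id)"
  overmind changes start-change --uuid "$id"
}

# Apply phase, second half: mark completion, print the summary, and remove the
# hand-off file so a later apply cannot reuse a stale ID.
end_phase() {
  id="$(read_change_id)"
  overmind changes end-change --uuid "$id"
  overmind changes get-change --uuid "$id" --format markdown
  rm -f "$CHANGE_ID_FILE"
}

# Dispatch on the phase argument; with no argument only the functions are defined.
case "${1:-}" in
  plan)  plan_phase ;;
  start) start_phase ;;
  end)   end_phase ;;
  "")    ;;
  *)     echo "usage: $0 {plan|start|end}" >&2; exit 2 ;;
esac
```

Wire it in with `- run: ./scripts/overmind-lifecycle.sh plan` after the built-in `plan` step, and `- run: ./scripts/overmind-lifecycle.sh start` and `... end` around the built-in `apply` step. The UUID check is what makes the file hand-off trustworthy: the ID travels from plan to apply through a file in the checkout, and validating its shape before it reaches `--uuid` means a corrupted or tampered file produces a clear failure rather than an unexpected CLI invocation.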
Fallback Hook (for repositories without custom workflows):

This hook belongs in the server-side repo config (the `repos:` format used by atlantis-server.yaml), not in the repository's atlantis.yaml, which does not accept `repos:` or `post_workflow_hooks`:

```yaml
repos:
  - id: /.*/
    post_workflow_hooks:
      - run: |
          # Simple post-plan submission for basic integration
          if [ "$COMMAND_NAME" = "plan" ]; then
            terraform show -json "$PLANFILE" | \
              overmind changes submit-plan - \
                --ticket-link "$PULL_URL"
          fi
```

Atlantis exports `COMMAND_NAME` and `PULL_URL` to workflow hooks but not `PLANFILE`, which exists only inside custom-workflow `run` steps; a hook therefore has to locate the plan file under the project directory itself. Prefer the workflow above wherever custom workflows are allowed.

For centralized configuration across multiple repositories, use atlantis-server.yaml:

```yaml
repos:
  - id: github.com/your-org/your-repo
    post_workflow_hooks:
      - run: ./scripts/overmind-integration.sh
```

Hooks execute in the cloned repository directory, so a relative path such as `./scripts/overmind-integration.sh` runs the copy committed in the repository, which pull request authors can modify. To run a copy you control, place scripts/overmind-integration.sh on your Atlantis server and reference it by absolute path in your server configuration.
- Complete Lifecycle Tracking - Track changes from plan → apply → completion
- Risk Analysis - Every plan analyzed for blast radius and impact
- Change Status Updates - Real-time status in Overmind (planned, running, complete)
- Automatic Tagging - Plans tagged with repo, PR, and workspace info
- Targeted Plans - Supports `atlantis plan -- -target=resource.name`
- Secure - API key-based authentication, with the key held in the server environment rather than the repository
- Detailed Insights - View full analysis in the Overmind dashboard with historical tracking
Required:

| Variable | Description |
|---|---|
| `OVM_API_KEY` | Your Overmind API key |

Optional:

| Variable | Description | Default |
|---|---|---|
| `OVM_LOG_LEVEL` | Log level for the Overmind CLI | `info` |

These variables are automatically provided by Atlantis to custom workflow `run` steps:

- `PLANFILE` - Path to the generated plan file
- `PULL_URL` - URL of the pull request
- `BASE_REPO_NAME` - Repository name
- `BASE_REPO_OWNER` - Repository owner
- `PULL_NUM` - Pull request number
- `WORKSPACE` - Terraform workspace name

`PLANFILE` and `WORKSPACE` are per-project values and are not exported to pre/post workflow hooks, which run once per command.
The integration supports Atlantis targeted plans, triggered from a PR comment:

```text
# Analyze only specific resources
atlantis plan -- -target=aws_instance.web
```

Overmind will analyze only the targeted resources and their dependencies.
Check the Atlantis logs:

```bash
atlantis server --log-level debug
```

Verify that `atlantis.yaml` is in the repository root and committed.

Verify the API key is set without printing it into logs or shell history:

```bash
[ -n "$OVM_API_KEY" ] && echo "OVM_API_KEY is set" || echo "OVM_API_KEY is missing"
```

Test connectivity:

```bash
curl -I https://app.overmind.tech
```

Check the Overmind CLI installation:

```bash
overmind --version
```

The integration submits plans to Overmind but does not post comments to PRs by default. View the analysis at:

- the Overmind Dashboard
- the change link from the Atlantis logs
This occurs when the `.overmind-change-id` file is missing:

Cause: plan and apply ran in different Atlantis workspaces, the Atlantis clone of the PR was refreshed between plan and apply (for example after new commits were pushed), or the file was deleted manually.

Solution:
1. Run `atlantis plan` again to generate a new Change ID
2. Then run `atlantis apply`

Prevention: use the same workspace for plan and apply, and re-run `atlantis plan` after every push to the PR.
If `end-change` fails, check that the change exists in Overmind:

```bash
overmind changes get-change --uuid <CHANGE_ID>
```

Common issues:
- Network connectivity to the Overmind API
- Invalid or expired Change ID
- API key permissions
For local development and testing with Docker:

```bash
# 1. Set environment variables in .env file
cp .env.example .env
# Edit .env and add your OVM_API_KEY
# 2. Start Atlantis
docker compose up
# 3. Configure webhook in your GitHub repo
# URL: http://localhost:4141/events (or use ngrok for external access)
```

See docker-compose.yml for configuration details. If you expose the endpoint through ngrok, configure a webhook secret (`ATLANTIS_GH_WEBHOOK_SECRET`) so that arbitrary internet hosts cannot trigger plans against your local Atlantis.
| File | Purpose |
|---|---|
| `atlantis.yaml` | Repository-specific Atlantis configuration |
| `atlantis-server.yaml` | Example server-side configuration |
| `scripts/overmind-integration.sh` | Reusable integration hook script |
| `docker-compose.yml` | Docker setup for local testing |
| `quick-test.sh` | Local testing script |
| `main.tf` | Example Terraform configuration |
- Never commit your `.env` file or API keys
- Store `OVM_API_KEY` in a secure secrets manager in production and inject it into the Atlantis server environment; do not put it in `atlantis.yaml`
- Scope API keys to the least privilege the integration needs; note that a read-only key cannot submit plans or update changes, so use one only for ad-hoc inspection
- Rotate API keys regularly
- Remember that anyone who can trigger `atlantis plan` on a repository with a custom workflow runs commands with the server's environment; restrict that with Atlantis's `--repo-allowlist` and your provider's branch and PR permissions
- Review Overmind's security documentation
- Documentation: docs.overmind.tech
- Atlantis Docs: www.runatlantis.io
- Issues: Open an issue in this repository
- Overmind Support: support@overmind.tech
This example repository is provided as-is for demonstration and integration purposes.
Ready to get started? Get your API key at app.overmind.tech/settings/api-keys