Terraform PR automation has become a standard practice for platform engineering teams, and Atlantis is the tool that defined the pattern. Comment "atlantis plan" on a PR to see infrastructure changes, review with your team, then comment "atlantis apply" to deploy. This simple workflow has made Atlantis the most widely deployed Terraform automation tool in the open-source ecosystem. This review evaluates its capabilities after years of production use across thousands of organizations.
The core workflow is elegantly simple. A developer opens a PR that modifies Terraform files. Atlantis receives a webhook, runs terraform plan against the affected workspaces, and posts the plan output as a PR comment. Team members review the plan alongside the code changes. When approved, a team member comments "atlantis apply", and Atlantis executes terraform apply. The entire infrastructure deployment workflow happens within the PR, creating an auditable record of every infrastructure change.
Resource locking prevents the most dangerous Terraform failure mode: concurrent applies to the same state. When Atlantis runs a plan or apply for a workspace, it acquires a lock that prevents other PRs from modifying the same state simultaneously. The lock is visible in PR comments, and team members can see which PR currently holds the lock. This eliminates the race condition that causes state corruption when two engineers apply changes to the same infrastructure.
The self-hosted deployment model is straightforward. Atlantis runs as a single Go binary or Docker container with minimal resource requirements — a small VM or container with 1-2 GB RAM handles most team sizes. Configuration is done through an atlantis.yaml file in your repository that defines which directories contain Terraform, which workspaces to manage, and any custom workflow steps. The setup from zero to working PR automation typically takes 1-2 hours.
Custom workflows extend Atlantis beyond basic plan/apply. Pre-workflow hooks run before plan or apply — useful for Terraform validation, linting (tflint), security scanning (tfsec, Checkov), and cost estimation (Infracost). Post-workflow hooks can trigger notifications, update tracking systems, or run cleanup tasks. The hook system is flexible enough to embed Atlantis into complex deployment pipelines without external orchestration.
Multi-environment support handles the common pattern of dev/staging/production workspaces. Atlantis can be configured to require different approval policies per environment — auto-apply in development, require one approval in staging, require two approvals in production. This graduated deployment model provides safety nets proportional to the risk of each environment.
The security model relies on Git permissions. Anyone who can comment on a PR can trigger plan and apply operations. For most teams, this aligns with existing access controls — if you can push code and create PRs, you can deploy infrastructure. For teams needing finer-grained controls (restrict applies to specific users, require webhook signature validation), custom middleware or wrapper scripts provide additional authorization layers.
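One way to build the authorization layer described above, as an added example that is not Atlantis code: a gate placed in front of the webhook endpoint that checks the delivery signature and restricts "atlantis apply" comments to named users. It assumes a GitHub-style X-Hub-Signature-256 header and issue_comment payload; the function names, the allowlist and the sample values are hypothetical.

```python
import hashlib
import hmac
import json

# Hypothetical allowlist of logins permitted to trigger an apply.
APPLY_USERS = {"alice", "bob"}

def sign(secret: bytes, body: bytes) -> str:
    """GitHub-style signature header value: HMAC-SHA256 over the raw body."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()

def signature_valid(secret: bytes, body: bytes, header: str) -> bool:
    # Verify the raw bytes as received, before any JSON parsing,
    # and compare in constant time.
    if not header:
        return False
    return hmac.compare_digest(sign(secret, body).encode(), header.encode())

def is_apply(comment: str) -> bool:
    # Conservative match (assumption): any line starting "atlantis apply",
    # case-insensitive, counts as an apply request.
    for line in comment.splitlines():
        if line.lower().split()[:2] == ["atlantis", "apply"]:
            return True
    return False

def decide(secret: bytes, body: bytes, sig_header: str, event: str):
    """Return (forward, reason) for one webhook delivery; fails closed."""
    if not signature_valid(secret, body, sig_header):
        return False, "bad signature"
    if event != "issue_comment":
        return True, "not a comment"
    try:
        comment = json.loads(body)["comment"]
        denied = (is_apply(comment["body"])
                  and comment["user"]["login"] not in APPLY_USERS)
    except (ValueError, KeyError, TypeError, AttributeError):
        return False, "malformed payload"
    if denied:
        return False, "user not allowed to apply"
    return True, "ok"

if __name__ == "__main__":
    secret = b"constructed-secret"  # constructed sample values
    body = json.dumps({"action": "created", "comment": {
        "body": "atlantis apply", "user": {"login": "mallory"}}}).encode()
    print(decide(secret, body, sign(secret, body), "issue_comment"))
```

Only deliveries for which decide returns True are passed on to Atlantis; everything else is dropped and logged with the returned reason.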