runatlantis / atlantis

Terraform Pull Request Automation
https://www.runatlantis.io

How to disable Github App for module repos #2749

Open mihneastaub opened 1 year ago

mihneastaub commented 1 year ago

Overview of the Issue

Hello Guys,

This is not exactly an issue. The idea is that we have repos for deploying with Terraform and some repos that are for Terraform modules. After I added the GitHub App inside of Atlantis, it seems that Atlantis will run terraform plan for all repositories that it has access to.

The question is: is there a way to change the .gitconfig file in order to clone module repos with SSH and use the GitHub App only for cloning the repo that Terraform is running in?

Reproduction Steps

Use Atlantis with the GitHub App, add two repos inside of the GitHub App, and the plan will run for PRs in both.

Logs

No logs.

Environment details

There are repositories for deploying with Terraform and there are repositories for private modules.

Additional Context

No additional context.

nitrocode commented 1 year ago

You want to allow the GitHub app on your org but you only want to use select repos.

Have you considered only allowing specific repos using the --repo-allowlist?

https://www.runatlantis.io/docs/server-configuration.html#repo-allowlist

Have you considered creating an atlantis.yaml and disabling autoplanning in your tf module repo?

https://www.runatlantis.io/docs/repo-level-atlantis-yaml.html#disabling-autoplanning

mihneastaub commented 1 year ago

Hello @nitrocode,

Thanks for the information, yes, we have thought about those workarounds.

This is why I asked whether it is possible to change/replace .gitconfig.

nitrocode commented 1 year ago

You can set the GitHub App to only give permissions to select repos instead of the entire org. I assumed you wanted it set up for the entire org, but if not, simply select the repos that are not module repos, and Atlantis will no longer run in the module repos.

mihneastaub commented 1 year ago

It will not work, because if you don't give permission to the module repository inside of the GitHub App, Atlantis will not have the permissions to clone those modules.

I have tried a lot of things here and the only one left is changing the .gitconfig.

nitrocode commented 1 year ago

Oh I see. So you have to give atlantis gh app access to module repos or it will not be able to run terraform init on terraform dirs that use those modules.

I clone all the internal modules using SSH via this method, both locally and in Atlantis.

module "example" {
  source = "git::ssh://git@github.com/owner/repo//modules/example"
}

You could also run something like this in your container to modify .gitconfig to change sources from https to ssh, but then you would also require this config locally for all developers:

git config --system url.git@github.com:.insteadOf https://github.com/

Which should work if using this type of source:

module "example" {
  source = "github.com/owner/repo//modules/example"
}
mihneastaub commented 1 year ago

It is not possible to change the .gitconfig inside of the container, because it will be overwritten by Atlantis.

You can look here to see how the command is run.

When Atlantis runs terraform on a repository, that command will run automatically, and this means that .gitconfig will be overwritten.

What I want to accomplish is to clone the repository using the GitHub App and clone the module using SSH.

nitrocode commented 1 year ago

@mihneastaub the command I shared above shows that it will change the --system level config. I believe Atlantis only handles the --user level config implicitly. Run the command I shared in a post-start command and it should work the way you want it to. I have used the same command before with success.

mihneastaub commented 1 year ago

Thanks for the information @nitrocode.

From what I see in the source code, Atlantis handles the --global level config; you can see here.

But if I run that command, the --system level will be changed, and from what I see the priority for .gitconfig is:

More information here.

nitrocode commented 1 year ago

Does that unblock you?

mihstaub commented 1 year ago

Sorry for the late response.

@nitrocode what you are suggesting is not working, because the k8s pod runs without root privileges.

Can you reopen this issue, as this does not unblock me?

nitrocode commented 1 year ago

You can't override the system git config? You should be able to as root. If not, you can customize the container.

mihstaub commented 1 year ago

Yes, but I don't want to do it as root, as it is not recommended to run as root.

And the container cannot be customized, because it will be overwritten by Atlantis.

mihstaub commented 1 year ago

Related to this comment: https://github.com/runatlantis/atlantis/issues/2749#issuecomment-1346008238 The system one will not work either :).

nitrocode commented 1 year ago

I don't believe Atlantis will override the system gitconfig. It only overrides the user gitconfig. So if you override the system gitconfig, even if you do not run as root, you can take advantage of it. If you cannot do it in the default container, you can do so by customizing the container.

nitrocode commented 1 year ago

I have been able to successfully customize the system gitconfig in the past to do exactly what you're trying to do.

If you cannot figure it out, please reach out in the slack community and then we can update with a summary here.

mihstaub commented 1 year ago

As I said, I have been able to successfully change the system gitconfig; this was not the problem.

But if you change the system gitconfig it will not be taken into consideration, as the git priority is:

As I said you can read more here.

nitrocode commented 1 year ago

Each level overrides the previous.

If you have settings in the system one and in the local one but the local one doesn't override the system-specific settings, then the config will "deep merge" and you will inherit from both.

Atlantis only modifies a single entry of the gitconfig which is to add the git creds to the local gitconfig

mihstaub commented 1 year ago

I agree with you and I know this.

But Atlantis will not modify a single entry of the gitconfig; it will create the entire file. Please see the code below:

// Excerpt of the Atlantis git-credential setup quoted in this thread:
// it writes two entries to the --global (user-level) config.
credentialCmd := exec.Command("git", "config", "--global", "credential.helper", "store")
if out, err := credentialCmd.CombinedOutput(); err != nil {
	return errors.Wrapf(err, "There was an error running %s: %s", strings.Join(credentialCmd.Args, " "), string(out))
}
logger.Info("successfully ran %s", strings.Join(credentialCmd.Args, " "))

// Rewrites every ssh://git@<gitHostname> URL to https://<gitUser>@<gitHostname>
// so that clones go through the stored credential.
urlCmd := exec.Command("git", "config", "--global", fmt.Sprintf("url.https://%s@%s.insteadOf", gitUser, gitHostname), fmt.Sprintf("ssh://git@%s", gitHostname)) // nolint: gosec
if out, err := urlCmd.CombinedOutput(); err != nil {
	return errors.Wrapf(err, "There was an error running %s: %s", strings.Join(urlCmd.Args, " "), string(out))
}
logger.Info("successfully ran %s", strings.Join(urlCmd.Args, " "))
return nil

And from what you see above, the global config will be modified. And now if I modify the --system one, it will be overwritten by the --global one.

And also you can see the code in the atlantis repo.
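As an added example (not code from the Atlantis project or from anyone in this thread), the following Python models the two git behaviours the disagreement above turns on: config files are read system, then global, then local, with every value kept and a single-value reader taking the last one seen; and url.<base>.insteadOf rules from all levels are collected together, with the longest matching prefix applied once to a URL before fetching. It constructs a system-level file with the https-to-ssh rule suggested earlier and a global file with the two entries the quoted Go snippet writes, assuming gitUser is x-access-token and gitHostname is github.com. The module URLs are also constructed, with the //subdir part already stripped, and the github.com/owner/repo shorthand is assumed to have been expanded by Terraform (go-getter) to an https URL before git sees it.

```python
"""Model of git config precedence and url.<base>.insteadOf rewriting.

Added example; not Atlantis code. The config files and URLs below are
constructed for illustration, with gitUser = x-access-token and
gitHostname = github.com assumed.
"""
import re
from collections import defaultdict

# Constructed: an operator-managed system file (/etc/gitconfig) carrying the
# https -> ssh rewrite suggested in the thread, plus a credential helper.
SYSTEM_GITCONFIG = """
[credential]
	helper = cache
[url "git@github.com:"]
	insteadOf = https://github.com/
"""

# Constructed: what the quoted Atlantis code writes with `git config --global`
# (credential.helper store, url.https://<user>@<host>.insteadOf ssh://git@<host>).
GLOBAL_GITCONFIG = """
[credential]
	helper = store
[url "https://x-access-token@github.com"]
	insteadOf = ssh://git@github.com
"""

SECTION_RE = re.compile(r'^\[(\w+)(?:\s+"([^"]*)")?\]$')


def parse_gitconfig(text):
    """Return (key, value) pairs with keys in git's dotted form, e.g. credential.helper."""
    pairs, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = SECTION_RE.match(line)
        if m:
            name, sub = m.group(1).lower(), m.group(2)
            section = name if sub is None else f"{name}.{sub}"
            continue
        key, _, value = line.partition("=")
        pairs.append((f"{section}.{key.strip().lower()}", value.strip()))
    return pairs


def merge_levels(*levels):
    """Read levels in precedence order (system, global, local); nothing is dropped."""
    merged = defaultdict(list)
    for level in levels:
        for key, value in parse_gitconfig(level):
            merged[key].append(value)
    return merged


def last_value(merged, key):
    """What `git config <key>` prints: the value from the highest-precedence file."""
    values = merged.get(key)
    return values[-1] if values else None


def insteadof_rules(merged):
    """All (prefix, base) rewrite rules from url.<base>.insteadof across every level."""
    rules = []
    for key, values in merged.items():
        if key.startswith("url.") and key.endswith(".insteadof"):
            base = key[len("url."):-len(".insteadof")]
            rules.extend((prefix, base) for prefix in values)
    return rules


def rewrite_url(url, rules):
    """Apply the longest matching insteadOf prefix exactly once, as git does."""
    matches = [(prefix, base) for prefix, base in rules if url.startswith(prefix)]
    if not matches:
        return url
    prefix, base = max(matches, key=lambda r: len(r[0]))
    return base + url[len(prefix):]


def resolve_module_sources(system=SYSTEM_GITCONFIG, global_=GLOBAL_GITCONFIG):
    """Map each constructed module URL to the URL git would actually fetch."""
    rules = insteadof_rules(merge_levels(system, global_))
    sources = [
        "ssh://git@github.com/owner/repo.git",          # git::ssh:// source
        "https://github.com/owner/repo.git",            # github.com/owner/repo shorthand, expanded
        "https://gitlab.example.com/owner/repo.git",    # host no rule mentions
    ]
    return {url: rewrite_url(url, rules) for url in sources}


if __name__ == "__main__":
    merged = merge_levels(SYSTEM_GITCONFIG, GLOBAL_GITCONFIG)
    print("credential.helper ->", last_value(merged, "credential.helper"))
    for src, dst in resolve_module_sources().items():
        print(f"{src} -> {dst}")
```

Two things fall out of running it. The global credential.helper wins for a single-value read, which is the per-key override both sides describe, but the two insteadOf rules have different bases and therefore coexist: a git::ssh:// module source is rewritten by the Atlantis entry to https with the token user, so that clone goes through the App and the App needs access to the module repo, while an https source (the github.com/owner/repo shorthand) is rewritten by the system-level rule to the scp-style ssh form, and git does not rewrite the result a second time.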

jmreicha commented 1 year ago

Did anyone find a solution for this one?

jmreicha commented 1 year ago

Is this line even necessary?

urlCmd := exec.Command("git", "config", "--global", fmt.Sprintf("url.https://%s@%s.insteadOf", gitUser, gitHostname), fmt.Sprintf("ssh://git@%s", gitHostname))

It seems like it would give more flexibility to allow a user to choose if/how to configure their gitconfig, if they needed to disallow ssh.

glasser commented 1 year ago

Note that one of the main downsides to just enabling the GitHub app on the modules repositories and using the repo allowlist to control where it is run is that Atlantis will post a comment on PRs on non-allowed repos with an error; you can override this with ATLANTIS_SILENCE_ALLOWLIST_ERRORS.