runatlantis / atlantis

Terraform Pull Request Automation
https://www.runatlantis.io

Restrict Plan or Apply to Github Teams or Github Users #308

Closed osterman closed 1 year ago

osterman commented 5 years ago

what

why

proposal

add the following flags.

Allow an explicit set of users.

--gh-user-whitelist=osterman,goruha,aknysh

Allow teams in an organization

--gh-team-whitelist=ops
--gh-org-whitelist=cloudposse

The arg convention is piggybacking on the existing convention of --repo-whitelist and that all GitHub features are prefixed with --gh-*


an alternative interface could be based on CODEOWNERS, but I think that will be more work to implement.

lkysow commented 5 years ago

@red8888 I'm going to answer your question here https://github.com/runatlantis/atlantis/issues/701 so as to not pollute this ticket

Ninir commented 5 years ago

@lkysow thoughts about the plan_requirements config? I am happy to work on that if we all agree that makes sense. It should be fairly trivial if we mimic apply_requirements

lkysow commented 5 years ago

> @lkysow thoughts about the plan_requirements config? I am happy to work on that if we all agree that makes sense. It should be fairly trivial if we mimic apply_requirements

What requirements are you thinking about adding?

Ninir commented 5 years ago

> What requirements are you thinking about adding?

mergeable perhaps? or approved too

It solves the issue about the plan being gated by the approval/mergeable status, which means there is no plan if there is no approval or if the PR is not ready to merge at all. The idea is taken from https://github.com/runatlantis/atlantis/issues/308#issuecomment-478389499 actually.

geota commented 4 years ago

To take it a step further, atlantis could check if the commit is GPG signed and verified by the SCM.

https://docs.gitlab.com/ee/api/commits.html#get-gpg-signature-of-a-commit https://developer.github.com/v3/git/commits/

Lack of a more robust auth solution is likely a blocker for my company to move forward with Atlantis - particularly because we can't lock down Atlantis to our current SCM (Gitlab.com) since Gitlab.com does not provide a static CIDR space from which their webhooks will fire from - see: https://gitlab.com/gitlab-com/gl-infra/infrastructure/issues/434

We may be willing to contribute this feature for Gitlab and/or Github if there is general alignment on how to implement this as a first class feature within Atlantis. The custom server-side workflow seems like a decent workaround for now. I'll bring that to my team. Thanks!

jamengual commented 4 years ago

This can be accomplished via a custom server-side workflow now:

workflows:
  custom:
    plan:
      steps:
      - run: if [ "$USERNAME" != "username" ]; then exit 1; fi
      - init
      - plan

Where is this documented? I have been trying to find examples for matching CUSTOM_ARGS but I can't find any example of if statements

jamengual commented 4 years ago

is the run that is missing...nevermind

lkysow commented 4 years ago

> is the run that is missing...nevermind

Updated the comment, what command ended up working for you?

jamengual commented 4 years ago

> is the run that is missing...nevermind

> Updated the comment, what command ended up working for you?

I did 👍

- run: if [ $USER_NAME != "jamengual" ]; then exit 1; fi

But this results in a blank plan as a comment, is that expected?

lkysow commented 4 years ago

You could change what it outputs, e.g.

- run: 'if [ "$USER_NAME" != "jamengual" ]; then echo "not jamengual, sorry" && exit 1; fi'

jamengual commented 4 years ago

ok so that means I could change it to not output anything like any bash script, right?

is there a catch_all workflow, like if there is no workflow defined with a specific name I can just ignore it? instead of doing the above.

lkysow commented 4 years ago

@jamengual for any replies can you please open a new issue so we're not spamming everyone on this issue.

> ok so that means I could change it to not output anything like any bash script, right?

No, it will always output a comment.

> is there a catch_all workflow like if there is not workflow define with a specific name I can just ignore it? instead of doing the above.

You can set a default workflow.

Lawands commented 3 years ago

Is there any way to whitelist Bitbucket user groups in repos.yaml or in env variables, similar to --gh-team-whitelist=ops?

osterman commented 3 years ago

@Lawands, unfortunately, no... and --gh-team-whitelist=ops was just a proposal that we implemented in a fork but was not accepted.

czerasz commented 3 years ago

Created this project to support a custom apply experience: https://github.com/czerasz/atlantis-org-applyer

jamengual commented 3 years ago

We are working on https://github.com/runatlantis/atlantis/pull/1206 which hopefully will be done in a couple of months

dimisjim commented 3 years ago

Isn't https://github.com/runatlantis/atlantis/pull/1317 a way to achieve https://github.com/runatlantis/atlantis/issues/1476 and basically close this issue too?

@jamengual how does the above relate to your open PR? Should it be dropped in favor of the above?

jamengual commented 3 years ago

it could be and I think it will be once we get the VCS context exposed to the pre-workflow hook which is not exposed right now.


guitmz commented 2 years ago

hey what's the status of this?

Abhilash-sandupatla commented 2 years ago

amazing! So if I wanted to run apply and destroy with the default behavior and just add a check for an allowed list of users I would just have to do this right?

apply:
  steps:
    - run: echo 'Checking Bitbucket user is allowed to run atlantis apply'
    - run: "if [ $USERNAME != "username" ]; then exit 1; fi"
    - init
    - apply
destroy:
  steps:
    - run: echo 'Checking Bitbucket user is allowed to run atlantis apply'
    - run: "if [ $USERNAME != "username" ]; then exit 1; fi"
    - init
    - apply

When I give multiple user names, it is throwing the following error

sh: syntax error: unexpected "("

nitrocode commented 1 year ago

@Abhilash-sandupatla I think that's because of the quotation within a quotation in your second run step

    - run: "if [ $USERNAME != "username" ]; then exit 1; fi"

See this https://github.com/nitrocode/atlantis-terraform-module/blob/732b4ac00c4516707a3546247cc927d59b4fba17/atlantis.yaml#L18
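The gating `run` steps discussed above (lkysow's `echo ... && exit 1` form and Abhilash-sandupatla's multi-user attempt) all hinge on two things: the step runs under plain `sh`, and the YAML quoting has to survive the shell quoting. The following is an added example, not code from the Atlantis project or from any commenter in this thread. It assumes Atlantis exports `USER_NAME` to custom run steps (as the thread uses it) and uses a hypothetical `ALLOWED_USERS` comma-separated allowlist; a `case` pattern does the membership test, which works in `sh` and avoids the `[[ ]]` and regex constructs that produce `syntax error: unexpected "("`.

```shell
#!/bin/sh
# Added example; not from the Atlantis project or this thread's authors.
# Assumes Atlantis exports USER_NAME to custom run steps (as used above).
# ALLOWED_USERS is a hypothetical comma-separated allowlist you would set in
# the Atlantis server environment, e.g. ALLOWED_USERS="osterman,goruha,aknysh".

# Return 0 if user $1 appears in the comma-separated list $2, 1 otherwise.
# Wrapping both sides in commas makes the match exact (no prefix matches),
# and quoting inside the pattern keeps glob characters in $user literal.
is_allowed() {
  user="$1"
  list="$2"
  case ",$list," in
    *",$user,"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Gate step: non-zero exit stops the Atlantis workflow before init/plan/apply.
# Atlantis always posts the step output as a PR comment, so say why it stopped.
gate_user() {
  if is_allowed "$1" "$2"; then
    echo "user '$1' is allowed to run this command"
    return 0
  fi
  echo "user '$1' is not in the allowed list; refusing to continue" >&2
  return 1
}

# In atlantis.yaml this collapses to one run step. Single-quote the YAML
# scalar so the inner double quotes reach the shell intact (constructed example):
#   - run: 'case ",$ALLOWED_USERS," in *",$USER_NAME,"*) ;; *) echo "not allowed" && exit 1 ;; esac'
#   - init
#   - apply

# Stand-alone demonstration with constructed values.
gate_user "${USER_NAME:-osterman}" "${ALLOWED_USERS:-osterman,goruha,aknysh}"
```

Note that `"$USER_NAME"` is quoted in the comparison: an unquoted, empty variable inside `[ ... ]` is itself a shell syntax error, which is one more way a gating step can fail open with an unhelpful message.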