Open cloudmatt opened 11 months ago
make sure the team name is spelled exactly the same otherwise you get 404 errors and make sure atlantis has permissions to read the org
The names are spelled the same and the Github App has the right perms as far as I can tell
When I tail the logs, I don't even see a 404 or anything so I don't know what it's even doing. There is nothing in the logs even when it's set to debug level
@cloudmatt does the GH token used for atlantis have the following scopes: ['read:org', 'read:discussion']?
@MichaelKora - I'm using the Github app integration so it has whatever permissions are added during that setup. I additionally just gave it discussions read permissions and still get the same error. When tailing the logs, I see nothing indicating that it's even attempting to resolve the group so I'm just stumped on why this isn't working.
level":"debug","ts":"2023-07-31T11:56:11.736Z","caller":"events/events_controller.go:103","msg":"handling GitHub post","json":{}}
{"level":"debug","ts":"2023-07-31T11:56:11.736Z","caller":"events/events_controller.go:169","msg":"request valid","json":{"gh-request-id":"X-Github-Delivery=VALUEREMOVEDFORSNIPPET"}}
{"level":"info","ts":"2023-07-31T11:56:11.737Z","caller":"events/events_controller.go:550","msg":"parsed comment as command=\"apply\" verbose=false dir=\"\" workspace=\"\" project=\"\" policyset=\"\", clear-policy-approval=false, flags=\"\"","json":{"gh-request-id":"X-Github-Delivery=VALUEREMOVEDFORSNIPPET"}}
{"level":"debug","ts":"2023-07-31T11:56:11.737Z","caller":"vcs/github_client.go:203","msg":"POST /repos/ORG/REPO/issues/comments/UIDreactions","json":{}}
{"level":"debug","ts":"2023-07-31T11:56:12.049Z","caller":"metrics/debug.go:52","msg":"timer","json":{"name":"atlantis.github.react_to_comment.execution_time","value":0.311784043,"tags":{},"type":"timer"}}
{"level":"debug","ts":"2023-07-31T11:56:12.049Z","caller":"events/events_controller.go:590","msg":"executing command","json":{"gh-request-id":"X-Github-Delivery=VALUEREMOVEDFORSNIPPET"}}
{"level":"debug","ts":"2023-07-31T11:56:12.049Z","caller":"server/middleware.go:72","msg":"POST /events โ respond HTTP 200","json":{}}
{"level":"debug","ts":"2023-07-31T11:56:12.305Z","caller":"vcs/github_client.go:192","msg":"POST /repos/ORG/REPO/issues/565/comments","json":{}}
{"level":"debug","ts":"2023-07-31T11:56:12.412Z","caller":"metrics/debug.go:42","msg":"counter","json":{"name":"atlantis.github.react_to_comment.execution_success","value":1,"tags":{},"type":"counter"}}
{"level":"debug","ts":"2023-07-31T11:56:12.412Z","caller":"metrics/debug.go:42","msg":"counter","json":{"name":"atlantis.github_event.comment_created.success_200","value":1,"tags":{"base_repo":"ORG/REPO","pr_number":"565"},"type":"counter"}}
{"level":"debug","ts":"2023-07-31T11:56:13.026Z","caller":"metrics/debug.go:52","msg":"timer","json":{"name":"atlantis.github.create_comment.execution_time","value":0.720944141,"tags":{"base_repo":"ORG/REPO","pr_number":"565"},"type":"timer"}}
{"level":"debug","ts":"2023-07-31T11:56:13.026Z","caller":"metrics/debug.go:52","msg":"timer","json":{"name":"atlantis.cmd.comment.apply.execution_time","value":0.977000231,"tags":{},"type":"timer"}}
{"level":"debug","ts":"2023-07-31T11:56:13.412Z","caller":"metrics/debug.go:42","msg":"counter","json":{"name":"atlantis.github.create_comment.execution_success","value":1,"tags":{"base_repo":"ORG/REPO","pr_number":"565"},"type":"counter"}}
the github app permission when you set it up does not add permissions for this option, that is why you need to add additional permissions after and I believe is documented.
@jamengual - I have all the permissions on the Github app as indicated in the docs. I don't know what else more it could need? As shown in the error logs in my previous comment, there's nothing indicating it even attempting to resolve the group (no error or anything).
What version of Atlantis? If you just upgraded it, I would try to go back a few versions and see if it works.
I tried downgrading to v0.23.5 to the latest version of the last 'major' release but now I just get
Error: initializing server: parsing /etc/atlantis/repos.yaml file: workflows: (terragrunt: (plan: (steps: (2: "run" is not a valid step type.).).).).
```yaml
repoConfig: |
  workflows:
    terragrunt:
      plan:
        steps:
        - env:
            name: TERRAGRUNT_TFPATH
            command: 'echo "terraform${ATLANTIS_TERRAFORM_VERSION}"'
        - env:
            name: TF_IN_AUTOMATION
            value: 'true'
        - run:
            command: terragrunt plan -input=false -out=$PLANFILE
            output: strip_refreshing
        - run: terragrunt show -json $PLANFILE > $SHOWFILE
      apply:
        steps:
        - env:
            name: TERRAGRUNT_TFPATH
            command: 'echo "terraform${ATLANTIS_TERRAFORM_VERSION}"'
        - env:
            # Reduce Terraform suggestion output
            name: TF_IN_AUTOMATION
            value: 'true'
        - run: terragrunt apply -input=false $PLANFILE
```
the docs say run is a step so I don't know what else to do here. Is there a different version I could test with? Or just randomly keep picking old versions until I find one that works? I'm a bit stumped on what to do here because there's just no error logging for this gh-team-allowlist showing up anywhere
Well now I've downgraded and I can't even run plan now so that's an improvement 😢
Okay - so it looks like maybe the helm chart isn't passing the value in correctly. I switched to using the ATLANTIS_GH_TEAM_ALLOWLIST env var and that seems to have resolved it?
in latest or 0.23?
Both. Upgraded back to latest and observed the same behavior
if the HELM chart is not doing that right, please feel free to create a PR. I'm glad you found out the issue.
Hello, I have the same issue, these are the permissions on my token:
This is the configuration on my helm chart:
- name: ATLANTIS_GH_TEAM_ALLOWLIST
  value: "ambt:plan, ambt:apply"
This is on my pod:
atlantis-79cfc75cb5-c7tvx:~$ env | grep GH
ATLANTIS_GH_TEAM_ALLOWLIST=ambt:plan, ambt-atlantis-github-prod:apply
ATLANTIS_GH_HOSTNAME=ghe.megaleo.com
ATLANTIS_GH_TOKEN=<RETRACTED>
ATLANTIS_GH_WEBHOOK_SECRET=<RETRACTED>
ATLANTIS_GH_USER=ambt-atlantis-prod
atlantis-79cfc75cb5-c7tvx:~$
this is my team in github:
This is the issue I'm getting:
This is the log from atlantis pod:
{"level":"debug","ts":"2024-01-03T11:12:12.065Z","caller":"events/events_controller.go:169","msg":"request valid","json":{"gh-request-id":"X-Github-Delivery=d6393070-aa28-11ee-80bc-4665a01cc370"}}
{"level":"info","ts":"2024-01-03T11:12:12.067Z","caller":"events/events_controller.go:550","msg":"parsed comment as command=\"plan\" verbose=false dir=\"\" workspace=\"\" project=\"\" policyset=\"\", clear-policy-approval=false, flags=\"\"","json":{"gh-request-id":"X-Github-Delivery=d6393070-aa28-11ee-80bc-4665a01cc370"}}
{"level":"debug","ts":"2024-01-03T11:12:12.067Z","caller":"vcs/github_client.go:203","msg":"POST /repos/ambt/terraform-artifactory-gcp/issues/comments/1637386/reactions","json":{}}
{"level":"debug","ts":"2024-01-03T11:12:12.289Z","caller":"metrics/debug.go:52","msg":"timer","json":{"name":"atlantis.github.react_to_comment.execution_time","value":0.222623376,"tags":{},"type":"timer"}}
{"level":"debug","ts":"2024-01-03T11:12:12.289Z","caller":"events/events_controller.go:590","msg":"executing command","json":{"gh-request-id":"X-Github-Delivery=d6393070-aa28-11ee-80bc-4665a01cc370"}}
{"level":"debug","ts":"2024-01-03T11:12:12.289Z","caller":"server/middleware.go:72","msg":"POST /events โ respond HTTP 200","json":{}}
{"level":"debug","ts":"2024-01-03T11:12:12.359Z","caller":"vcs/github_client.go:192","msg":"POST /repos/ambt/terraform-artifactory-gcp/issues/21/comments","json":{}}
{"level":"debug","ts":"2024-01-03T11:12:12.668Z","caller":"metrics/debug.go:42","msg":"counter","json":{"name":"atlantis.github_event.comment_created.success_200","value":1,"tags":{"base_repo":"ambt/terraform-artifactory-gcp","pr_number":"21"},"type":"counter"}}
{"level":"debug","ts":"2024-01-03T11:12:12.668Z","caller":"metrics/debug.go:42","msg":"counter","json":{"name":"atlantis.github.react_to_comment.execution_success","value":1,"tags":{},"type":"counter"}}
{"level":"debug","ts":"2024-01-03T11:12:12.719Z","caller":"metrics/debug.go:52","msg":"timer","json":{"name":"atlantis.github.create_comment.execution_time","value":0.360236452,"tags":{"base_repo":"ambt/terraform-artifactory-gcp","pr_number":"21"},"type":"timer"}}
{"level":"debug","ts":"2024-01-03T11:12:12.719Z","caller":"metrics/debug.go:52","msg":"timer","json":{"name":"atlantis.cmd.comment.plan.execution_time","value":0.429502396,"tags":{},"type":"timer"}}
{"level":"debug","ts":"2024-01-03T11:12:12.738Z","caller":"server/middleware.go:45","msg":"POST /events โ from 10.192.0.6:56466","json":{}}
{"level":"debug","ts":"2024-01-03T11:12:12.738Z","caller":"events/events_controller.go:103","msg":"handling GitHub post","json":{}}
{"level":"debug","ts":"2024-01-03T11:12:12.750Z","caller":"events/events_controller.go:169","msg":"request valid","json":{"gh-request-id":"X-Github-Delivery=d6a363f0-aa28-11ee-804e-e76e98ffdd03"}}
{"level":"debug","ts":"2024-01-03T11:12:12.750Z","caller":"server/middleware.go:72","msg":"POST /events โ respond HTTP 200","json":{}}
{"level":"debug","ts":"2024-01-03T11:12:13.668Z","caller":"metrics/debug.go:42","msg":"counter","json":{"name":"atlantis.github_event.comment_created.success_200","value":1,"tags":{"base_repo":"ambt/terraform-artifactory-gcp","pr_number":"21"},"type":"counter"}}
{"level":"debug","ts":"2024-01-03T11:12:13.668Z","caller":"metrics/debug.go:42","msg":"counter","json":{"name":"atlantis.github.create_comment.execution_success","value":1,"tags":{"base_repo":"ambt/terraform-artifactory-gcp","pr_number":"21"},"type":"counter"}}
{"level":"debug","ts":"2024-01-03T11:12:16.668Z","caller":"metrics/debug.go:47","msg":"gauge","json":{"name":"atlantis.scheduled.runtime.cpu.goroutines","value":10,"tags":{},"type":"gauge"}}
{"level":"debug","ts":"2024-01-03T11:12:16.668Z","caller":"metrics/debug.go:47","msg":"gauge","json":{"name":"atlantis.scheduled.runtime.cpu.cgo_calls","value":0,"tags":{},"type":"gauge"}}
{"level":"debug","ts":"2024-01-03T11:12:16.668Z","caller":"metrics/debug.go:47","msg":"gauge","json":{"name":"atlantis.scheduled.runtime.memory.stack.sys","value":325920,"tags":{},"type":"gauge"}}
{"level":"debug","ts":"2024-01-03T11:12:16.668Z","caller":"metrics/debug.go:47","msg":"gauge","json":{"name":"atlantis.scheduled.runtime.memory.stack.mspan_inuse","value":277368,"tags":{},"type":"gauge"}}
{"level":"debug","ts":"2024-01-03T11:12:16.668Z","caller":"metrics/debug.go:47","msg":"gauge","json":{"name":"atlantis.scheduled.runtime.memory.stack.mcache_inuse","value":19200,"tags":{},"type":"gauge"}}
{"level":"debug","ts":"2024-01-03T11:12:16.668Z","caller":"metrics/debug.go:47","msg":"gauge","json":{"name":"atlantis.scheduled.runtime.memory.stack.mcache_sys","value":31200,"tags":{},"type":"gauge"}}
{"level":"debug","ts":"2024-01-03T11:12:16.668Z","caller":"metrics/debug.go:47","msg":"gauge","json":{"name":"atlantis.scheduled.runtime.memory.stack.inuse","value":1114112,"tags":{},"type":"gauge"}}
{"level":"debug","ts":"2024-01-03T11:12:16.668Z","caller":"metrics/debug.go:47","msg":"gauge","json":{"name":"atlantis.scheduled.runtime.memory.total","value":24685104,"tags":{},"type":"gauge"}}
{"level":"debug","ts":"2024-01-03T11:12:16.668Z","caller":"metrics/debug.go:47","msg":"gauge","json":{"name":"atlantis.scheduled.runtime.memory.sys","value":24878096,"tags":{},"type":"gauge"}}
{"level":"debug","ts":"2024-01-03T11:12:16.668Z","caller":"metrics/debug.go:47","msg":"gauge","json":{"name":"atlantis.scheduled.runtime.memory.lookups","value":0,"tags":{},"type":"gauge"}}
{"level":"debug","ts":"2024-01-03T11:12:16.668Z","caller":"metrics/debug.go:47","msg":"gauge","json":{"name":"atlantis.scheduled.runtime.memory.malloc","value":175924,"tags":{},"type":"gauge"}}
{"level":"debug","ts":"2024-01-03T11:12:16.668Z","caller":"metrics/debug.go:47","msg":"gauge","json":{"name":"atlantis.scheduled.runtime.memory.frees","value":147723,"tags":{},"type":"gauge"}}
{"level":"debug","ts":"2024-01-03T11:12:16.668Z","caller":"metrics/debug.go:47","msg":"gauge","json":{"name":"atlantis.scheduled.runtime.memory.othersys","value":3105038,"tags":{},"type":"gauge"}}
{"level":"debug","ts":"2024-01-03T11:12:16.668Z","caller":"metrics/debug.go:47","msg":"gauge","json":{"name":"atlantis.scheduled.runtime.memory.alloc","value":5822592,"tags":{},"type":"gauge"}}
{"level":"debug","ts":"2024-01-03T11:12:16.668Z","caller":"metrics/debug.go:47","msg":"gauge","json":{"name":"atlantis.scheduled.runtime.memory.gc.sys","value":4633480,"tags":{},"type":"gauge"}}
{"level":"debug","ts":"2024-01-03T11:12:16.668Z","caller":"metrics/debug.go:47","msg":"gauge","json":{"name":"atlantis.scheduled.runtime.memory.gc.next","value":9890000,"tags":{},"type":"gauge"}}
{"level":"debug","ts":"2024-01-03T11:12:16.668Z","caller":"metrics/debug.go:47","msg":"gauge","json":{"name":"atlantis.scheduled.runtime.memory.gc.last","value":1704280316668990700,"tags":{},"type":"gauge"}}
{"level":"debug","ts":"2024-01-03T11:12:16.668Z","caller":"metrics/debug.go:47","msg":"gauge","json":{"name":"atlantis.scheduled.runtime.memory.gc.pause_total","value":732679,"tags":{},"type":"gauge"}}
{"level":"debug","ts":"2024-01-03T11:12:16.668Z","caller":"metrics/debug.go:47","msg":"gauge","json":{"name":"atlantis.scheduled.runtime.memory.gc.count","value":9,"tags":{},"type":"gauge"}}
{"level":"debug","ts":"2024-01-03T11:12:16.668Z","caller":"metrics/debug.go:47","msg":"gauge","json":{"name":"atlantis.scheduled.runtime.memory.heap.objects","value":28201,"tags":{},"type":"gauge"}}
{"level":"debug","ts":"2024-01-03T11:12:16.668Z","caller":"metrics/debug.go:47","msg":"gauge","json":{"name":"atlantis.scheduled.runtime.memory.heap.alloc","value":5822592,"tags":{},"type":"gauge"}}
{"level":"debug","ts":"2024-01-03T11:12:16.668Z","caller":"metrics/debug.go:47","msg":"gauge","json":{"name":"atlantis.scheduled.runtime.memory.heap.sys","value":15663104,"tags":{},"type":"gauge"}}
{"level":"debug","ts":"2024-01-03T11:12:16.668Z","caller":"metrics/debug.go:47","msg":"gauge","json":{"name":"atlantis.scheduled.runtime.memory.heap.idle","value":7331840,"tags":{},"type":"gauge"}}
{"level":"debug","ts":"2024-01-03T11:12:16.668Z","caller":"metrics/debug.go:47","msg":"gauge","json":{"name":"atlantis.scheduled.runtime.memory.heap.inuse","value":8331264,"tags":{},"type":"gauge"}}
{"level":"debug","ts":"2024-01-03T11:12:16.668Z","caller":"metrics/debug.go:47","msg":"gauge","json":{"name":"atlantis.scheduled.runtime.memory.heap.released","value":4038656,"tags":{},"type":"gauge"}}
I really don't know what to do anymore. I know the ATLANTIS_GH_TEAM_ALLOWLIST gets read, as if I remove it it works without issue; it also works when I set it to ATLANTIS_GH_TEAM_ALLOWLIST=*:plan
Atlantis version v0.25.0. Any help?
It was that the atlantis service account which is a github user was not in the organization as my github team
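A simplified model of how a `team:command` allowlist like the ones in this thread behaves, added here as an example and not Atlantis's own code. `ParseAllowlist`, `Allowed`, the exact-match comparison and the wildcard handling are assumptions made for illustration; the point is that a named-team rule denies when the server resolves no teams for the user, while `*:plan` still allows.

```go
package main

import (
	"fmt"
	"strings"
)

// Rule is one "team:command" pair from the allowlist string.
type Rule struct{ Team, Command string }

// ParseAllowlist splits a value such as "Security:apply, Security:import"
// into rules, trimming the whitespace around each pair (assumed format).
func ParseAllowlist(raw string) ([]Rule, error) {
	var rules []Rule
	for _, pair := range strings.Split(raw, ",") {
		pair = strings.TrimSpace(pair)
		if pair == "" {
			continue
		}
		team, cmd, ok := strings.Cut(pair, ":")
		team, cmd = strings.TrimSpace(team), strings.TrimSpace(cmd)
		if !ok || team == "" || cmd == "" {
			return nil, fmt.Errorf("malformed pair %q, want team:command", pair)
		}
		rules = append(rules, Rule{team, cmd})
	}
	return rules, nil
}

// Allowed reports whether any rule grants cmd to one of userTeams.
// A "*" team matches every user, even one with no resolved teams.
func Allowed(rules []Rule, userTeams []string, cmd string) bool {
	for _, r := range rules {
		if r.Command != "*" && r.Command != cmd {
			continue
		}
		if r.Team == "*" {
			return true
		}
		for _, t := range userTeams {
			if r.Team == t {
				return true
			}
		}
	}
	return false
}

func main() {
	rules, _ := ParseAllowlist("Security:apply, Security:import")
	wild, _ := ParseAllowlist("*:plan")
	// Constructed cases: team membership resolved vs. not resolved
	// (for example, the server's account cannot see the organization's teams).
	fmt.Println("member, apply:      ", Allowed(rules, []string{"Security"}, "apply"))
	fmt.Println("no teams, apply:    ", Allowed(rules, nil, "apply"))
	fmt.Println("no teams, *:plan:   ", Allowed(wild, nil, "plan"))
}
```
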
@cloudmatt is this still an issue?
Community Note
Overview of the Issue
I'm setting the flag --gh-team-allowlist to
- --gh-team-allowlist="Security:apply, Security:import"
where Security is the team name of a group within my Github organization. I'm a member of that team but when I put the comment atlantis apply I get an error message saying that I'm not permitted to.
Reproduction Steps
Deploy atlantis via helm to a GKE cluster and set the following field in the values.yaml file:
Logs
I don't see anything in the logs that seems remotely related but can provide them if helpful
Environment details
Atlantis server-side config file:
Running the latest version of the atlantis docker image on a kubernetes cluster deployed into the GKE Autopilot cluster using the helm chart.