Using Gitlab teams for policy approvals is broken #4799

Open dorian-tsorfy opened 1 month ago

Community Note

Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request. Searching for pre-existing feature requests helps us consolidate datapoints for identical requirements into a single place, thank you!
Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.
If you are interested in working on this issue or have submitted a pull request, please leave a comment.

Overview of the Issue

I'm trying to configure Atlantis for my Gitlab environment and I'm having difficulties in setting GitLab teams as policy approvals. Here is a snippet of my Atlantis server configuration that fails -

repoConfig: |
  ---
  repos:
  - id: /.*/
    apply_requirements: [approved, undiverged]
    workflow: custom
    allow_custom_workflows: true
    policy_check: true
    custom_policy_check: true

  policies:
    owners:
      teams:
        - production-engineers
    policy_sets:
      - name: Custom
        source: local

Well, I tried some other verses of the group name, such as -

Adding quotes - "production-engineers"
Using the group id - 41

Needles to say that I'm the user (dorian.ts) who tries to run approve-policies and I'm a maintainer in the production-engineers team. The only configuration that worked was setting a static users list like that -

policies:
    owners:
      users:
        - dorian.ts
        - dan.dan

Apparently I'm not the only one that having that issue as seen in the Slack community, see this thread about the same issue.

I dug a bit in Atlantis code and I saw these pieces of code that might help understand what's the problem -

The GetTeamNamesForUser function inside gitlab_client.go file - It should retrieve the Gitlab team of the user that tried to run approve-policies.
The IsOwner function inside policies.go file - It should iterate the user teams and compare between them and the list of allowed Gitlab teams in the configuration.

Reproduction Steps

Deploy Atlantis with some policy checks
Create a GitLab Webhook to start interacting with your Atlantis deployment
Use the above configuration to set the owner teams for policy approvals
Create a repo and upload a a new simple Terraform state into a branch.
Create an MR and wait for the plan and policy check to happen. Make sure the policy check fails on something
Try to run atlantis approve-policies

Logs

I'm dorian.ts and I'm part of the group production-engineers. I put a comment atlantis approve_policies in my MR. I'll share here screenshot of Atlantis response + corresponding logs from Atlantis server.

WhatsApp Image 2024-07-31 at 11 45 55

atlantis-staging-0 atlantis {"level":"debug","ts":"2024-07-31T08:36:41.153Z","caller":"events/events_controller.go:127","msg":"handling GitLab post","json":{}}
atlantis-staging-0 atlantis {"level":"debug","ts":"2024-07-31T08:36:41.153Z","caller":"events/events_controller.go:598","msg":"request valid","json":{}}
atlantis-staging-0 atlantis {"level":"debug","ts":"2024-07-31T08:36:41.153Z","caller":"events/events_controller.go:602","msg":"handling as comment event","json":{}}
atlantis-staging-0 atlantis {"level":"info","ts":"2024-07-31T08:36:41.153Z","caller":"events/events_controller.go:656","msg":"parsed comment as command=\"approve_policies\" verbose=false dir=\"\" workspace=\"\" project=\"\" policyset=\"\", clear-policy-approval=false, flags=\"\"","json":{"repo":"dorian.ts/terraform-atlantis","pull":9}}
atlantis-staging-0 atlantis {"level":"debug","ts":"2024-07-31T08:36:41.153Z","caller":"vcs/gitlab_client.go:195","msg":"Adding reaction 'thumbsup' to comment 1021490 on GitLab merge request 9","json":{"repo":"dorian.ts/terraform-atlantis","pull":9}}
atlantis-staging-0 atlantis {"level":"debug","ts":"2024-07-31T08:36:41.264Z","caller":"vcs/gitlab_client.go:198","msg":"POST /projects/dorian.ts/terraform-atlantis/merge_requests/9/notes/1021490/award_emoji returned: 201","json":{"repo":"dorian.ts/terraform-atlantis","pull":9}}
atlantis-staging-0 atlantis {"level":"info","ts":"2024-07-31T08:36:41.264Z","caller":"events/events_controller.go:699","msg":"Running comment command 'approve_policies' on repo 'dorian.ts/terraform-atlantis', pull request: 9 for user 'dorian.ts'.","json":{"repo":"dorian.ts/terraform-atlantis","pull":9}}
atlantis-staging-0 atlantis {"level":"debug","ts":"2024-07-31T08:36:41.264Z","caller":"events/events_controller.go:858","msg":"Processing...","json":{}}
atlantis-staging-0 atlantis {"level":"debug","ts":"2024-07-31T08:36:41.264Z","caller":"server/middleware.go:72","msg":"POST /events – respond HTTP 200","json":{}}
atlantis-staging-0 atlantis {"level":"debug","ts":"2024-07-31T08:36:41.264Z","caller":"vcs/gitlab_client.go:504","msg":"Getting GitLab merge request 9","json":{"repo":"dorian.ts/terraform-atlantis","pull":"9"}}
atlantis-staging-0 atlantis {"level":"debug","ts":"2024-07-31T08:36:41.507Z","caller":"vcs/gitlab_client.go:507","msg":"GET /projects/dorian.ts/terraform-atlantis/merge_requests/9 returned: 200","json":{"repo":"dorian.ts/terraform-atlantis","pull":"9"}}
atlantis-staging-0 atlantis {"level":"debug","ts":"2024-07-31T08:36:41.507Z","caller":"vcs/gitlab_client.go:398","msg":"Updating GitLab commit status for 'atlantis/policy_check' to 'pending'","json":{"repo":"dorian.ts/terraform-atlantis","pull":"9"}}
atlantis-staging-0 atlantis {"level":"debug","ts":"2024-07-31T08:36:41.507Z","caller":"vcs/gitlab_client.go:504","msg":"Getting GitLab merge request 9","json":{"repo":"dorian.ts/terraform-atlantis","pull":"9"}}
atlantis-staging-0 atlantis {"level":"debug","ts":"2024-07-31T08:36:41.708Z","caller":"vcs/gitlab_client.go:507","msg":"GET /projects/dorian.ts/terraform-atlantis/merge_requests/9 returned: 200","json":{"repo":"dorian.ts/terraform-atlantis","pull":"9"}}
atlantis-staging-0 atlantis {"level":"debug","ts":"2024-07-31T08:36:41.708Z","caller":"vcs/gitlab_client.go:426","msg":"Head pipeline found for merge request 9, source 'external'. refTarget 'testing-7'","json":{"repo":"dorian.ts/terraform-atlantis","pull":"9"}}
atlantis-staging-0 atlantis {"level":"debug","ts":"2024-07-31T08:36:41.822Z","caller":"vcs/gitlab_client.go:468","msg":"POST /projects/dorian.ts/terraform-atlantis/statuses/f1b246066a0465323158044a2fc917ccdf021d3f returned: 201","json":{"repo":"dorian.ts/terraform-atlantis","pull":"9","attempt":1,"max_attempts":10,"repo":"dorian.ts/terraform-atlantis","commit":"f1b246066a0465323158044a2fc917ccdf021d3f","state":"pending"}}
atlantis-staging-0 atlantis {"level":"debug","ts":"2024-07-31T08:36:41.823Z","caller":"valid/global_cfg.go:425","msg":"building config based on server-side config","json":{"repo":"dorian.ts/terraform-atlantis","pull":"9"}}
atlantis-staging-0 atlantis {"level":"debug","ts":"2024-07-31T08:36:41.823Z","caller":"valid/global_cfg.go:682","msg":"setting custom_policy_check: true from repos[1], id: /.*/","json":{"repo":"dorian.ts/terraform-atlantis","pull":"9"}}
atlantis-staging-0 atlantis {"level":"debug","ts":"2024-07-31T08:36:41.823Z","caller":"valid/global_cfg.go:682","msg":"setting plan_requirements: [policies_passed] from repos[1], id: /.*/","json":{"repo":"dorian.ts/terraform-atlantis","pull":"9"}}
atlantis-staging-0 atlantis {"level":"debug","ts":"2024-07-31T08:36:41.823Z","caller":"valid/global_cfg.go:682","msg":"setting import_requirements: [policies_passed] from repos[1], id: /.*/","json":{"repo":"dorian.ts/terraform-atlantis","pull":"9"}}
atlantis-staging-0 atlantis {"level":"debug","ts":"2024-07-31T08:36:41.823Z","caller":"valid/global_cfg.go:682","msg":"setting delete_source_branch_on_merge: false from default server config","json":{"repo":"dorian.ts/terraform-atlantis","pull":"9"}}
atlantis-staging-0 atlantis {"level":"debug","ts":"2024-07-31T08:36:41.823Z","caller":"valid/global_cfg.go:682","msg":"setting allow_custom_workflows: true from repos[1], id: /.*/","json":{"repo":"dorian.ts/terraform-atlantis","pull":"9"}}
atlantis-staging-0 atlantis {"level":"debug","ts":"2024-07-31T08:36:41.823Z","caller":"valid/global_cfg.go:682","msg":"setting repo_locks: this is a bug from default server config","json":{"repo":"dorian.ts/terraform-atlantis","pull":"9"}}
atlantis-staging-0 atlantis {"level":"debug","ts":"2024-07-31T08:36:41.823Z","caller":"valid/global_cfg.go:682","msg":"setting policy_check: true from repos[1], id: /.*/","json":{"repo":"dorian.ts/terraform-atlantis","pull":"9"}}
atlantis-staging-0 atlantis {"level":"debug","ts":"2024-07-31T08:36:41.823Z","caller":"valid/global_cfg.go:682","msg":"setting apply_requirements: [approved,mergeable,undiverged,policies_passed] from repos[1], id: /.*/","json":{"repo":"dorian.ts/terraform-atlantis","pull":"9"}}
atlantis-staging-0 atlantis {"level":"debug","ts":"2024-07-31T08:36:41.823Z","caller":"valid/global_cfg.go:682","msg":"setting workflow: \"custom\" from repos[1], id: /.*/","json":{"repo":"dorian.ts/terraform-atlantis","pull":"9"}}
atlantis-staging-0 atlantis {"level":"debug","ts":"2024-07-31T08:36:41.823Z","caller":"valid/global_cfg.go:682","msg":"setting allowed_overrides: [] from default server config","json":{"repo":"dorian.ts/terraform-atlantis","pull":"9"}}
atlantis-staging-0 atlantis {"level":"debug","ts":"2024-07-31T08:36:41.823Z","caller":"events/project_command_context_builder.go:171","msg":"PolicyChecks are enabled","json":{"repo":"dorian.ts/terraform-atlantis","pull":"9"}}
atlantis-staging-0 atlantis {"level":"debug","ts":"2024-07-31T08:36:41.824Z","caller":"terraform/terraform_client.go:309","msg":"Found required_version setting of \">= 0.13\"","json":{"repo":"dorian.ts/terraform-atlantis","pull":"9"}}
atlantis-staging-0 atlantis 2024/07/31 08:36:41 [DEBUG] GET https://releases.hashicorp.com/terraform/index.json
atlantis-staging-0 atlantis {"level":"debug","ts":"2024-07-31T08:36:41.962Z","caller":"events/project_command_context_builder.go:98","msg":"Building project command context for approve_policies","json":{"repo":"dorian.ts/terraform-atlantis","pull":"9"}}
atlantis-staging-0 atlantis {"level":"info","ts":"2024-07-31T08:36:42.058Z","caller":"events/project_locker.go:86","msg":"acquired lock with id \"dorian.ts/terraform-atlantis/states/tf-buckets/default\"","json":{"repo":"dorian.ts/terraform-atlantis","pull":"9"}}
atlantis-staging-0 atlantis {"level":"debug","ts":"2024-07-31T08:36:42.058Z","caller":"events/project_command_runner.go:332","msg":"acquired lock for project","json":{"repo":"dorian.ts/terraform-atlantis","pull":"9"}}
atlantis-staging-0 atlantis {"level":"error","ts":"2024-07-31T08:36:42.058Z","caller":"events/instrumented_project_command_runner.go:78","msg":"Error running approve_policies operation: 1 error occurred:\n\t* policy set: Custom user dorian.ts is not a policy owner - please contact policy owners to approve failing policies\n\n","json":{"repo":"dorian.ts/terraform-atlantis","pull":"9"},"stacktrace":"github.com/runatlantis/atlantis/server/events.RunAndEmitStats\n\tgithub.com/runatlantis/atlantis/server/events/instrumented_project_command_runner.go:78\ngithub.com/runatlantis/atlantis/server/events.(*InstrumentedProjectCommandRunner).ApprovePolicies\n\tgithub.com/runatlantis/atlantis/server/events/instrumented_project_command_runner.go:50\ngithub.com/runatlantis/atlantis/server/events.runProjectCmds\n\tgithub.com/runatlantis/atlantis/server/events/project_command_pool_executor.go:48\ngithub.com/runatlantis/atlantis/server/events.(*ApprovePoliciesCommandRunner).Run\n\tgithub.com/runatlantis/atlantis/server/events/approve_policies_command_runner.go:75\ngithub.com/runatlantis/atlantis/server/events.(*DefaultCommandRunner).RunCommentCommand\n\tgithub.com/runatlantis/atlantis/server/events/command_runner.go:367"}
atlantis-staging-0 atlantis {"level":"debug","ts":"2024-07-31T08:36:42.059Z","caller":"vcs/gitlab_client.go:175","msg":"Creating comment on GitLab merge request 9","json":{"repo":"dorian.ts/terraform-atlantis","pull":"9"}}
atlantis-staging-0 atlantis {"level":"debug","ts":"2024-07-31T08:36:42.229Z","caller":"vcs/gitlab_client.go:184","msg":"POST /projects/dorian.ts/terraform-atlantis/merge_requests/9/notes returned: 201","json":{"repo":"dorian.ts/terraform-atlantis","pull":"9"}}
atlantis-staging-0 atlantis {"level":"debug","ts":"2024-07-31T08:36:42.229Z","caller":"events/db_updater.go:25","msg":"updating DB with pull results","json":{"repo":"dorian.ts/terraform-atlantis","pull":"9"}}
atlantis-staging-0 atlantis {"level":"debug","ts":"2024-07-31T08:36:42.231Z","caller":"vcs/gitlab_client.go:398","msg":"Updating GitLab commit status for 'atlantis/policy_check' to 'failed'","json":{"repo":"dorian.ts/terraform-atlantis","pull":"9"}}
atlantis-staging-0 atlantis {"level":"debug","ts":"2024-07-31T08:36:42.231Z","caller":"vcs/gitlab_client.go:504","msg":"Getting GitLab merge request 9","json":{"repo":"dorian.ts/terraform-atlantis","pull":"9"}}
atlantis-staging-0 atlantis {"level":"debug","ts":"2024-07-31T08:36:42.439Z","caller":"vcs/gitlab_client.go:507","msg":"GET /projects/dorian.ts/terraform-atlantis/merge_requests/9 returned: 200","json":{"repo":"dorian.ts/terraform-atlantis","pull":"9"}}
atlantis-staging-0 atlantis {"level":"debug","ts":"2024-07-31T08:36:42.439Z","caller":"vcs/gitlab_client.go:426","msg":"Head pipeline found for merge request 9, source 'external'. refTarget 'testing-7'","json":{"repo":"dorian.ts/terraform-atlantis","pull":"9"}}
atlantis-staging-0 atlantis {"level":"debug","ts":"2024-07-31T08:36:42.546Z","caller":"vcs/gitlab_client.go:468","msg":"POST /projects/dorian.ts/terraform-atlantis/statuses/f1b246066a0465323158044a2fc917ccdf021d3f returned: 201","json":{"repo":"dorian.ts/terraform-atlantis","pull":"9","attempt":1,"max_attempts":10,"repo":"dorian.ts/terraform-atlantis","commit":"f1b246066a0465323158044a2fc917ccdf021d3f","state":"failed"}}

Environment details

Atlantis version: atlantis v0.28.5 (commit: 92d10ec) (build date: 2024-07-17T17:07:30.148Z)
Deployment method: Helm

I saw there is an open PR about exactly that. https://github.com/runatlantis/atlantis/pull/4001

runatlantis / atlantis