Currently, atlantis only supports a single shared token, which presents a secret-separation problem when using atlantis across multiple teams.
It would be unwieldy and difficult to build an RBAC solution into atlantis, but I believe a relatively small change could help with this.
Currently, both the gitlab token configuration and the github token configuration consist of a string which is read from an environment variable or a command line flag. This string is compared with the string from the webhook request.
Changing the string flag to a string slice (allowing multiple tokens to be provided), and then changing the validation comparison to check whether the header string is in the secret string slice, could allow for further configurability.
A further enhancement could be to read the name of the secret environment variable from the atlantis.yaml file. For example, inside a repo you could have an atlantis.yaml file like so:
Then, when you start the atlantis server, you could allow the user to provide arbitrary environment variables and do a comparison on those.
I may be able to find some time to push the former enhancement, but I'm not familiar enough with the code base to do the latter, although I do believe it would be very helpful.
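As an added example (not Atlantis code), this is how the membership check proposed above could look in Go once the flag is a string slice: every configured secret is compared in constant time and the loop never short-circuits, so response timing reveals neither which team's secret matched nor how much of it did. SignatureAccepted goes one step beyond the post and covers a webhook whose header carries an HMAC-SHA256 of the body instead of the secret itself; the token values, header format and request body are constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"strings"
)

// TokenAccepted reports whether the token sent in the webhook header equals one of
// the configured secrets (the []string a string-slice flag yields). Every candidate
// is compared in constant time and the loop never short-circuits on a hit.
func TokenAccepted(header string, secrets []string) bool {
	match := 0
	for _, s := range secrets {
		match |= subtle.ConstantTimeCompare([]byte(header), []byte(s))
	}
	return match == 1
}

// SignatureAccepted is the HMAC variant: the header carries "sha256=" + hex(HMAC-SHA256(body)),
// so each configured secret is tried as the HMAC key instead of being compared directly.
func SignatureAccepted(body []byte, sigHeader string, secrets []string) bool {
	want, err := hex.DecodeString(strings.TrimPrefix(sigHeader, "sha256="))
	if err != nil {
		return false // malformed header: reject without trying any key
	}
	match := 0
	for _, s := range secrets {
		m := hmac.New(sha256.New, []byte(s))
		m.Write(body)
		match |= subtle.ConstantTimeCompare(want, m.Sum(nil))
	}
	return match == 1
}

func main() {
	secrets := []string{"team-a-token", "team-b-token"} // constructed sample values
	fmt.Println(TokenAccepted("team-b-token", secrets)) // true
	fmt.Println(TokenAccepted("team-c-token", secrets)) // false
}
```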