Added new --repo-config option and deprecated --allow-repo-config
This enables atlantis.yaml in all repos, but by default restricts
certain sensitive keys from being used.

The keys apply_requirements, workflow, and workflows can only be
specified in an atlantis.yaml file if explicitly allowed by a
server side repo config.

The repo config file provides the ability to specify a default set of
workflows, and default values for apply_requirements and workflow to
use on a per-repo basis. It also supports applying to a collection of
repos by using a regex to match the repo name.

If more than one repo name matches, the values from last repo matched
are used.

This deprecates the --allow-repo-config option
jjulien authored and lkysow committed Mar 27, 2019
1 parent a793607 commit 1fcdaba
Showing 19 changed files with 1,267 additions and 249 deletions.
21 changes: 21 additions & 0 deletions cmd/server.go
Expand Up @@ -58,6 +58,7 @@ const (
GitlabWebhookSecretFlag = "gitlab-webhook-secret" // nolint: gosec
LogLevelFlag = "log-level"
PortFlag = "port"
RepoConfigFlag = "repo-config"
RepoWhitelistFlag = "repo-whitelist"
RequireApprovalFlag = "require-approval"
RequireMergeableFlag = "require-mergeable"
Expand Down Expand Up @@ -168,6 +169,10 @@ var stringFlags = []stringFlag{
description: "Log level. Either debug, info, warn, or error.",
defaultValue: DefaultLogLevel,
},
{
name: RepoConfigFlag,
description: "Path to a repo config file, used to configure how atlantis.yaml will behave on repos. Repos can be specified as an exact string or using regular expressions",
},
{
name: RepoWhitelistFlag,
description: "Comma separated list of repositories that Atlantis will operate on. " +
Expand Down Expand Up @@ -211,6 +216,7 @@ var boolFlags = []boolFlag{
" Should only be enabled in a trusted environment since it enables a pull request to run arbitrary commands" +
" on the Atlantis server.",
defaultValue: false,
deprecated: fmt.Sprintf("use --%s to allow sensitive keys in atlantis.yaml", RepoConfigFlag),
},
{
name: AutomergeFlag,
Expand Down Expand Up @@ -245,16 +251,19 @@ type stringFlag struct {
name string
description string
defaultValue string
deprecated string
}
type intFlag struct {
name string
description string
defaultValue int
deprecated string
}
type boolFlag struct {
name string
description string
defaultValue bool
deprecated string
}

// ServerCmd is an abstraction that helps us test. It allows
Expand Down Expand Up @@ -330,6 +339,9 @@ func (s *ServerCmd) Init() *cobra.Command {
usage = fmt.Sprintf("%s (default \"%s\")", usage, f.defaultValue)
}
c.Flags().String(f.name, "", usage+"\n")
if f.deprecated != "" {
c.Flags().MarkDeprecated(f.name, f.deprecated) // nolint: errcheck
}
s.Viper.BindPFlag(f.name, c.Flags().Lookup(f.name)) // nolint: errcheck
}

Expand All @@ -340,12 +352,18 @@ func (s *ServerCmd) Init() *cobra.Command {
usage = fmt.Sprintf("%s (default %d)", usage, f.defaultValue)
}
c.Flags().Int(f.name, 0, usage+"\n")
if f.deprecated != "" {
c.Flags().MarkDeprecated(f.name, f.deprecated) // nolint: errcheck
}
s.Viper.BindPFlag(f.name, c.Flags().Lookup(f.name)) // nolint: errcheck
}

// Set bool flags.
for _, f := range boolFlags {
c.Flags().Bool(f.name, f.defaultValue, f.description+"\n")
if f.deprecated != "" {
c.Flags().MarkDeprecated(f.name, f.deprecated) // nolint: errcheck
}
s.Viper.BindPFlag(f.name, c.Flags().Lookup(f.name)) // nolint: errcheck
}

Expand Down Expand Up @@ -438,6 +456,9 @@ func (s *ServerCmd) validate(userConfig server.UserConfig) error {
if (userConfig.SSLKeyFile == "") != (userConfig.SSLCertFile == "") {
return fmt.Errorf("--%s and --%s are both required for ssl", SSLKeyFileFlag, SSLCertFileFlag)
}
if userConfig.AllowRepoConfig && userConfig.RepoConfig != "" {
return fmt.Errorf("You cannot use both --%s and --%s together. --%s is deprecated and will be removed in a later version, you should use --%s instead", AllowRepoConfigFlag, RepoConfigFlag, AllowRepoConfigFlag, RepoConfigFlag)
}

// The following combinations are valid.
// 1. github user and token set
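Review bot: The description for the new RepoConfigFlag entry in stringFlags drops the warning that the deprecated --allow-repo-config entry still carries ("enables a pull request to run arbitrary commands on the Atlantis server"), even though the commit message says the same sensitive keys (`workflow`, `workflows`) become usable from atlantis.yaml once a server-side repo config allows them (presumably via the `allowed_overrides` list the docs hunk shows for `apply_requirements`). An operator reading only `atlantis server --help` will therefore not learn that allowing those keys re-opens the same trust boundary for every repo the pattern matches. I would extend the description: `"Path to a repo config file, used to configure how atlantis.yaml will behave on repos. Repos can be specified as an exact string or using regular expressions. Allowing the workflow or workflows keys to be overridden lets a pull request run arbitrary commands on the Atlantis server, so only allow that for trusted repos."`. Separately, the new error in validate() (whose body starts and ends outside this hunk) begins with a capital letter and embeds a long deprecation sentence, unlike the neighbouring ssl error; `fmt.Errorf("--%s and --%s cannot both be set; --%s is deprecated, use --%s instead", AllowRepoConfigFlag, RepoConfigFlag, AllowRepoConfigFlag, RepoConfigFlag)` keeps the style consistent, with the expected string in server_test.go updated to match.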
10 changes: 10 additions & 0 deletions cmd/server_test.go
Expand Up @@ -914,6 +914,16 @@ func TestExecute_BitbucketServerBaseURLPort(t *testing.T) {
Equals(t, "http://mydomain.com:7990", passedConfig.BitbucketBaseURL)
}

// Cannot use both --allow-repo-config and --repo-config
func TestExecute_AllowRepoConfigWithAllowRestrictedRepoConfig(t *testing.T) {
c := setup(map[string]interface{}{
cmd.AllowRepoConfigFlag: true,
cmd.RepoConfigFlag: "somefile",
})
err := c.Execute()
ErrEquals(t, "You cannot use both --allow-repo-config and --repo-config together. --allow-repo-config is deprecated and will be removed in a later version, you should use --repo-config instead", err)
}

func setup(flags map[string]interface{}) *cobra.Command {
vipr := viper.New()
for k, v := range flags {
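Review bot: The new test's name, `TestExecute_AllowRepoConfigWithAllowRestrictedRepoConfig`, refers to an "AllowRestrictedRepoConfig" flag that does not exist in this commit; the flag it actually sets alongside `cmd.AllowRepoConfigFlag` is `cmd.RepoConfigFlag` (`--repo-config`), so the name looks left over from an earlier naming of the option. Renaming it to `TestExecute_AllowRepoConfigWithRepoConfig` keeps it aligned with the flags under test and with the comment directly above it. Note also that the assertion pins the full error sentence verbatim, so any rewording of the validate() message will need this string updated in lockstep.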
1 change: 1 addition & 0 deletions runatlantis.io/.vuepress/config.js
Expand Up @@ -69,6 +69,7 @@ module.exports = {
collapsable: true,
children: [
['customizing-atlantis', 'Overview'],
'repos-yaml-reference',
'atlantis-yaml-reference',
'upgrading-atlantis-yaml-to-version-2',
'apply-requirements',
74 changes: 66 additions & 8 deletions runatlantis.io/docs/apply-requirements.md
Original file line number Diff line number Diff line change
Expand Up @@ -20,7 +20,21 @@ by at least one person other than the author.
#### Usage
You can set the `approved` requirement by:
1. Passing the `--require-approval` flag to `atlantis server` or
1. Creating an `atlantis.yaml` file with the `apply_requirements` key:
1. Creating a `repos.yaml` file with the `apply_requirements` key:
```yaml
repos:
- id: /.*/
apply_requirements: [approved]
```
1. Or by allowing an `atlantis.yaml` file to specify the `apply_requirements` key in your `repos.yaml` config:
#### repos.yaml
```yaml
repos:
- id: /.*/
allowed_overrides: [apply_requirements]
```

#### atlantis.yaml
```yaml
version: 2
projects:
Expand All @@ -47,14 +61,29 @@ The `mergeable` requirement will prevent applies unless a pull request is able t
#### Usage
You can set the `mergeable` requirement by:
1. Passing the `--require-mergeable` flag to `atlantis server` or
1. Creating an `atlantis.yaml` file with the `apply_requirements` key:
1. Creating a `repos.yaml` file with the `apply_requirements` key:
```yaml
repos:
- id: /.*/
apply_requirements: [mergeable]
```

1. Or by allowing an `atlantis.yaml` file to specify the `apply_requirements` key in your `repos.yaml` config:
#### repos.yaml
```yaml
repos:
- id: /.*/
allowed_overrides: [apply_requirements]
```

#### atlantis.yaml
```yaml
version: 2
projects:
- dir: .
apply_requirements: [mergeable]
```

```
#### Meaning
Each VCS provider has a different concept of "mergeability":
#### GitHub
Expand Down Expand Up @@ -92,18 +121,47 @@ If you need a specific check, please
[open an issue](https://github.com/runatlantis/atlantis/issues/new).

## Setting Apply Requirements
As mentioned above, you can set apply requirements via flags or `atlantis.yaml`.
As mentioned above, you can set apply requirements via flags, in `repos.yaml`, or in `atlantis.yaml` if `repos.yaml`
allows the override.

### Flags Override
Flags **override** any `atlantis.yaml` settings so they are equivalent to always
Flags **override** any `repos.yaml` or `atlantis.yaml` settings so they are equivalent to always
having that apply requirement set.

### Project-Specific Settings
If you only want some projects/repos to have apply requirements, then you must
1. Not set the `--require-approval` or `--require-mergeable` flags, since those
will override any `atlantis.yaml` settings
1. Specify which projects have which requirements via an `atlantis.yaml` file.
will override any `repos.yaml` or `atlantis.yaml` settings
1. Specifying which repos have which requirements via the `repos.yaml` file.
```yaml
repos:
- id: /.*/
apply_requirements: [approved]
# Regex that defaults all repos to requiring approval
- id: /github.com/runatlantis/.*/
# Regex to match any repo under the atlantis namespace, and not require approval
# except for repos that might match later in the chain
apply_requirements: []
- id: github.com/runatlantis/atlantis
apply_requirements: [approved]
# Exact string match of the github.com/runatlantis/atlantis repo
# that sets apply_requirements to approved
```

1. Specify which projects have which requirements via an `atlantis.yaml` file, and allowing
`apply_requirements` to be set in in `atlantis.yaml` by the server side `repos.yaml`
config.

For example if I have two directories, `staging` and `production`, I might use:
#### repos.yaml
```yaml
repos:
- id: /.*/
allowed_overrides: [apply_requirements]
# Allow any repo to specify apply_requirements in atlantis.yaml
```

#### atlatis.yaml
```yaml
version: 2
projects:
