feat(policies): Add granular policy_sets (#3086)
* Initial work.
* Periodic push.
* Fmt and start adding args to approve_policies cmd.
* keep funcs for now.
* Periodic push.
* Periodic push.
* fmt.
* Move approve policies logic to project_command_runner.
* update some tests
* More test fixes.
* update more tests. fix some logic.
* more tests. add additional info to common data for custom templates.
* fix apply with policies bug. update more tests/fmt
* file perms
* fix error parsing for conftest results.
* Update more tests and linting.
* update documentation.
* Address no-fail case. Address comments.
* Forgot changes.
* fix markdown renderer
* Fix policy fail logic. remove unneeded tmpl var
* targeted policy approvals fix
* Address PR comments.
* empty commit to trigger build

---------

Co-authored-by: PePe Amengual <[email protected]>
Co-authored-by: rkstrickland <[email protected]>
Co-authored-by: Dylan Page <[email protected]>
Showing 63 changed files with 2,187 additions and 450 deletions.
Binary file modified
BIN +127 KB (330%) runatlantis.io/docs/images/policy-check-apply-status-failure.png
28 changes: 21 additions & 7 deletions
...lers/events/testdata/test-repos/policy-checks-apply-reqs/exp-output-auto-policy-check.txt
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,15 +1,29 @@ | ||
Ran Policy Check for dir: `.` workspace: `default` | ||
|
||
**Policy Check Error** | ||
``` | ||
exit status 1 | ||
Checking plan against the following policies: | ||
test_policy | ||
**Policy Check Failed**: Some policy sets did not pass. | ||
#### Policy Set: `test_policy` | ||
```diff | ||
FAIL - <redacted plan file> - main - WARNING: Null Resource creation is prohibited. | ||
|
||
1 test, 0 passed, 0 warnings, 1 failure, 0 exceptions | ||
|
||
``` | ||
* :heavy_check_mark: To **approve** failing policies an authorized approver can comment: | ||
|
||
|
||
#### Policy Approval Status: | ||
``` | ||
policy set: test_policy: requires: 1 approval(s), have: 0. | ||
``` | ||
* :heavy_check_mark: To **approve** this project, comment: | ||
* `atlantis approve_policies -d .` | ||
* :put_litter_in_its_place: To **delete** this plan click [here](lock-url) | ||
* :repeat: To re-run policies **plan** this project again by commenting: | ||
* `atlantis plan -d .` | ||
|
||
--- | ||
* :heavy_check_mark: To **approve** all unapplied plans from this pull request, comment: | ||
* `atlantis approve_policies` | ||
* :repeat: Or, address the policy failure by modifying the codebase and re-planning. | ||
* :put_litter_in_its_place: To delete all plans and locks for the PR, comment: | ||
* `atlantis unlock` | ||
* :repeat: To re-run policies **plan** this project again by commenting: | ||
* `atlantis plan` |
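Review bot: The "authorized approver" qualifier appears only on "To **approve** failing policies an authorized approver can comment:", which is followed by blank rows and no command, while the actual hint `atlantis approve_policies -d .` sits under the unqualified "To **approve** this project, comment:". As written, the expected output prompts every reader of the comment to run a command that only an authorized approver can complete. Suggest carrying the qualifier onto the line that has the command and naming the policy set there, since the status block already reports per set ("policy set: test_policy: requires: 1 approval(s), have: 0."). The rendering on this page has lost the +/- markers, so which of the two approve lines is on the added side should be checked against the raw diff.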
27 changes: 26 additions & 1 deletion
...llers/events/testdata/test-repos/policy-checks-diff-owner/exp-output-approve-policies.txt
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,4 +1,29 @@ | ||
Ran Approve Policies for 1 projects: | ||
|
||
1. dir: `.` workspace: `default` | ||
|
||
### 1. dir: `.` workspace: `default` | ||
**Approve Policies Error** | ||
``` | ||
contact policy owners to approve failing policies | ||
1 error occurred: | ||
* policy set: test_policy user runatlantis is not a policy owner - please contact policy owners to approve failing policies | ||
|
||
|
||
``` | ||
#### Policy Approval Status: | ||
``` | ||
policy set: test_policy: requires: 1 approval(s), have: 0. | ||
``` | ||
* :heavy_check_mark: To **approve** this project, comment: | ||
* `atlantis approve_policies -d .` | ||
* :put_litter_in_its_place: To **delete** this plan click [here](lock-url) | ||
* :repeat: To re-run policies **plan** this project again by commenting: | ||
* `atlantis plan -d .` | ||
|
||
--- | ||
* :heavy_check_mark: To **approve** all unapplied plans from this pull request, comment: | ||
* `atlantis approve_policies` | ||
* :put_litter_in_its_place: To delete all plans and locks for the PR, comment: | ||
* `atlantis unlock` | ||
* :repeat: To re-run policies **plan** this project again by commenting: | ||
* `atlantis plan` |
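Review bot: Directly after the rejection "user runatlantis is not a policy owner", the expected output still says "To **approve** this project, comment:" with `atlantis approve_policies -d .`, and the footer repeats `atlantis approve_policies` for the whole pull request, so the user who was just denied is prompted to retry the same command. Suggest dropping the approve hints on the error path or rewording them to point at the policy owners. The status line staying at "requires: 1 approval(s), have: 0." after the denied attempt is the assertion worth keeping; if it is not covered elsewhere in the change, a companion fixture where an owner approves and the count moves to 1 would pin the other direction. The phrase "contact policy owners to approve failing policies" also shows up twice in the error block as rendered here, once on its own line and once at the end of the bullet.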
28 changes: 21 additions & 7 deletions
...lers/events/testdata/test-repos/policy-checks-diff-owner/exp-output-auto-policy-check.txt
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,15 +1,29 @@ | ||
Ran Policy Check for dir: `.` workspace: `default` | ||
|
||
**Policy Check Error** | ||
``` | ||
exit status 1 | ||
Checking plan against the following policies: | ||
test_policy | ||
**Policy Check Failed**: Some policy sets did not pass. | ||
#### Policy Set: `test_policy` | ||
```diff | ||
FAIL - <redacted plan file> - main - WARNING: Null Resource creation is prohibited. | ||
|
||
1 test, 0 passed, 0 warnings, 1 failure, 0 exceptions | ||
|
||
``` | ||
* :heavy_check_mark: To **approve** failing policies an authorized approver can comment: | ||
|
||
|
||
#### Policy Approval Status: | ||
``` | ||
policy set: test_policy: requires: 1 approval(s), have: 0. | ||
``` | ||
* :heavy_check_mark: To **approve** this project, comment: | ||
* `atlantis approve_policies -d .` | ||
* :put_litter_in_its_place: To **delete** this plan click [here](lock-url) | ||
* :repeat: To re-run policies **plan** this project again by commenting: | ||
* `atlantis plan -d .` | ||
|
||
--- | ||
* :heavy_check_mark: To **approve** all unapplied plans from this pull request, comment: | ||
* `atlantis approve_policies` | ||
* :repeat: Or, address the policy failure by modifying the codebase and re-planning. | ||
* :put_litter_in_its_place: To delete all plans and locks for the PR, comment: | ||
* `atlantis unlock` | ||
* :repeat: To re-run policies **plan** this project again by commenting: | ||
* `atlantis plan` |
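Review bot: "To re-run policies **plan** this project again by commenting:" does not parse, and it appears twice in this hunk, above `atlantis plan -d .` and above `atlantis plan` in the footer. Suggest something like "To re-run policies, **plan** this project again by commenting:". Because the string lives in a fixture, the fix belongs in the template that produces it, with the expected-output files regenerated afterwards.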
28 changes: 21 additions & 7 deletions
...lers/events/testdata/test-repos/policy-checks-extra-args/exp-output-auto-policy-check.txt
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,15 +1,29 @@ | ||
Ran Policy Check for dir: `.` workspace: `default` | ||
|
||
**Policy Check Error** | ||
``` | ||
exit status 1 | ||
Checking plan against the following policies: | ||
test_policy | ||
**Policy Check Failed**: Some policy sets did not pass. | ||
#### Policy Set: `test_policy` | ||
```diff | ||
FAIL - <redacted plan file> - null_resource_policy - WARNING: Null Resource creation is prohibited. | ||
|
||
1 test, 0 passed, 0 warnings, 1 failure, 0 exceptions | ||
|
||
``` | ||
* :heavy_check_mark: To **approve** failing policies an authorized approver can comment: | ||
|
||
|
||
#### Policy Approval Status: | ||
``` | ||
policy set: test_policy: requires: 1 approval(s), have: 0. | ||
``` | ||
* :heavy_check_mark: To **approve** this project, comment: | ||
* `atlantis approve_policies -d .` | ||
* :put_litter_in_its_place: To **delete** this plan click [here](lock-url) | ||
* :repeat: To re-run policies **plan** this project again by commenting: | ||
* `atlantis plan -d .` | ||
|
||
--- | ||
* :heavy_check_mark: To **approve** all unapplied plans from this pull request, comment: | ||
* `atlantis approve_policies` | ||
* :repeat: Or, address the policy failure by modifying the codebase and re-planning. | ||
* :put_litter_in_its_place: To delete all plans and locks for the PR, comment: | ||
* `atlantis unlock` | ||
* :repeat: To re-run policies **plan** this project again by commenting: | ||
* `atlantis plan` |
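Review bot: The footer line "To **approve** all unapplied plans from this pull request, comment:" talks about plans, but the command under it is `atlantis approve_policies` and the status block counts approvals per policy set ("policy set: test_policy: requires: 1 approval(s), have: 0."). Suggest wording the footer in terms of failing policy sets so it matches what the command acts on. Separately, the FAIL row is the only line that differs from the sibling auto-policy-check fixtures on this page (`null_resource_policy` here, `main` there); a short comment in the test naming that as the extra-args assertion would make the intent of this fixture clear.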
5 changes: 0 additions & 5 deletions
...s/events/testdata/test-repos/policy-checks-multi-projects/exp-output-approve-policies.txt
This file was deleted.
28 changes: 21 additions & 7 deletions
server/controllers/events/testdata/test-repos/policy-checks/exp-output-auto-policy-check.txt
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,15 +1,29 @@ | ||
Ran Policy Check for dir: `.` workspace: `default` | ||
|
||
**Policy Check Error** | ||
``` | ||
exit status 1 | ||
Checking plan against the following policies: | ||
test_policy | ||
**Policy Check Failed**: Some policy sets did not pass. | ||
#### Policy Set: `test_policy` | ||
```diff | ||
FAIL - <redacted plan file> - main - WARNING: Null Resource creation is prohibited. | ||
|
||
1 test, 0 passed, 0 warnings, 1 failure, 0 exceptions | ||
|
||
``` | ||
* :heavy_check_mark: To **approve** failing policies an authorized approver can comment: | ||
|
||
|
||
#### Policy Approval Status: | ||
``` | ||
policy set: test_policy: requires: 1 approval(s), have: 0. | ||
``` | ||
* :heavy_check_mark: To **approve** this project, comment: | ||
* `atlantis approve_policies -d .` | ||
* :put_litter_in_its_place: To **delete** this plan click [here](lock-url) | ||
* :repeat: To re-run policies **plan** this project again by commenting: | ||
* `atlantis plan -d .` | ||
|
||
--- | ||
* :heavy_check_mark: To **approve** all unapplied plans from this pull request, comment: | ||
* `atlantis approve_policies` | ||
* :repeat: Or, address the policy failure by modifying the codebase and re-planning. | ||
* :put_litter_in_its_place: To delete all plans and locks for the PR, comment: | ||
* `atlantis unlock` | ||
* :repeat: To re-run policies **plan** this project again by commenting: | ||
* `atlantis plan` |
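Review bot: The policy output under "#### Policy Set: `test_policy`" is wrapped in a fence tagged `diff`, but the only content lines are "FAIL - <redacted plan file> - main - WARNING: Null Resource creation is prohibited." and the "1 test, 0 passed, 0 warnings, 1 failure, 0 exceptions" summary, neither of which starts with `+` or `-`, so the diff highlighting has nothing to color. Suggest a plain fence, or prefixing failing results so they render as removed lines if highlighting is the goal. The same applies to the other auto-policy-check fixtures in this commit, which carry the same block.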