Adding documentation steps for custom policy tools

runatlantis · Oct 6, 2023 · d3bc4e3 · d3bc4e3
1 parent a3270ec
commit d3bc4e3
Show file tree

Hide file tree

Showing 2 changed files with 48 additions and 0 deletions.
diff --git a/runatlantis.io/docs/custom-policy-checks.md b/runatlantis.io/docs/custom-policy-checks.md
@@ -0,0 +1,45 @@
+# Custom Policy Checks
+If you want to run custom policy tools or scripts instead of the built-in Conftest integration, you can do so by setting the `custom_policy_check` option and running it in a custom workflow.  Note: custom policy tool output is simply parsed for "fail" substrings to determine if the policy set passed. 
+
+This option can be configured either at the server-level in a [repos.yaml config file](server-configuration.md) or at the repo-level in an [atlantis.yaml file.](repo-level-atlantis-yaml.md). 
+
+## Server-side config example
+Set the `policy_check` and `custom_policy_check` options to true, and run the custom tool in the policy check steps as seen below.  No
+
+```yaml
+repos:
+  - id: /.*/
+    branch: /^main$/
+    apply_requirements: [mergeable, undiverged, approved]
+    policy_check: true
+    custom_policy_check: true
+    workflow: custom
+workflows:
+  custom:
+    policy_check:
+      steps:
+        - show
+        - run: cnspec scan terraform plan $SHOWFILE --policy-bundle example-cnspec-policies.mql.yaml 
+policies:
+  owners:
+    users:
+      - example_ghuser
+  policy_sets:
+    - name: example-set
+      path: example-cnspec-policies.mql.yaml 
+      source: local
+```
+
+
+## Repo-level atlantis.yaml example
+First, you will need to ensure `custom_policy_check` is within the `allowed_overrides` field of the server-side config.  Next, just set the custom option to true on the specific project you want as shown in the example `atlantis.yaml` below:
+
+```yaml
+version: 3
+projects:
+  - name: example
+    dir: ./example
+    custom_policy_check: true
+    autoplan:
+      when_modified: ["*.tf"]
+```
diff --git a/runatlantis.io/docs/server-side-repo-config.md b/runatlantis.io/docs/server-side-repo-config.md
@@ -344,6 +344,9 @@ unless you've created your own server-side workflow with that key (overriding it
 See [Custom Workflows](custom-workflows.html) for more details on writing
 custom workflows.
 
+### Allow Using Custom Policy Tools
+Conftest is the standard policy check application integrated with Atlantis, but custom tools can still be run in custom workflows when the `custom_policy_check` option is set.  See the [Custom Policy Checks page](custom-policy-checks.md) for detailed examples.
+
 ### Allow Repos To Define Their Own Workflows
 If you want repos to be able to define their own workflows you need to
 allow them to override the `workflow` key and set `allow_custom_workflows` to `true`.