-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Enforce only certain people can plan/apply for gitlab, bitbucket, etc #103
Comments
Either certain people per repo, or those who have admin rights in the repo, or for some other repo those who have write access. It would be nice to have some flexibility here. |
it would make a sense for our use-cases to not only have certain people to allow run apply, but as well limit their domain, eg. Alice can approve env/testing/, Bob can approve env/... |
A lot of this enforcement can be achieved through:
This way, you atlantis requires a review before allowing |
@natalysheinin yes you're absolutely correct that the enforcement for who can approve can be done through CODEOWNERS (well at least if you're on GitHub). The original ticket for who is allowed to apply can't be achieved through that though since once the pull request is approved anyone can apply. We should probably document how to achieve the approval enforcement though. Thanks for the reminder. |
I updated this to also expand to |
Noting this is something we'd be interested in as well. We're also aware of things we can do on the Github side with CODEOWNERS and requiring approvals within Atlantis, but we'd love something simple like --apply-whitelist or something that would allow us to define a list of users who should be able to actually apply infrastructure with Atlantis. --plan-whitelist would also be very good although I'm personally less worried about that for our environment. |
It would be good if that whitelist was defined via |
I'd just like to note that, in my testing, it's not possible to restrict who can |
@mikeraimondi yes, Atlantis needs a |
It's not currently doable but if you read through #43 if we make the serverside option for |
Hey :) What if this was done as k8s CI robot, having a OWNERS and OWNERS_ALIASES per repository/folder specifying who can approve / run the commands? https://github.com/kubernetes/test-infra/tree/master/prow/plugins/approve/approvers is an example :) |
This pull request :#1206 Addressed this for Github but support for other VCS can be added. Some of the solutions mention before are only available on Github Enterprise which we do not have and CODEOWNERS is pretty fragile, one bad char in the file and the whole file gets ignored, which is pretty bad. |
The teams allowlist command has been added to github but it has not been added to gitlab or bitbucket so help is still wanted |
is there way we can do in bitbucket or still this issue |
not currently. this was added to github only.
PRs are welcome .
…On Thu, Apr 27, 2023, 1:03 a.m. Thatsk ***@***.***> wrote:
is there way we can do in bitbucket or still this issue
—
Reply to this email directly, view it on GitHub
<#103 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAQ3ERHYDWA3RPZI35X52SDXDIR3XANCNFSM4EYIQCWQ>
.
You are receiving this because you commented.Message ID:
***@***.***>
|
can we implement a normal script like this? |
|
yes you can do that if you already have a way to extract that information.
…On Thu, Apr 27, 2023 at 8:01 AM Thatsk ***@***.***> wrote:
-H 'Content-Type: application/json' \
-d '{
"name": "my_fork",
"owner": {
"account_id": "557058:c0b72ad0-1cb5-4018-9cdc-0cde8492c443"
}
}'```
—
Reply to this email directly, view it on GitHub
<#103 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAQ3ERBGT4H5TDCVNOMHGPLXDKC3LANCNFSM4EYIQCWQ>
.
You are receiving this because you commented.Message ID:
***@***.***>
|
The reason why |
I use gitlab, and we've implemented this via atlantis/server/events/vcs/gitlab_client.go Line 323 in 90f6324
I recently proposed an update #3830 that, among other things, changes the docs to explicitly say that anything more complicated than "at least one user has approved" should be implemented via @dfsdevops I haven't thought about a desire to have atlantis apply happen before merge, how is that implemented? I wonder if we could on a per VCS basis "ignore" that as part of the mergeable check. For example, on gitlab we currently ignore a "failing" CI job if it is atlantis itself ( atlantis/server/events/vcs/gitlab_client.go Line 305 in 90f6324
|
Via @psalaberria002, would like to be able to only allow certain people to run apply.
The text was updated successfully, but these errors were encountered: