
After PR approval, it's possible to plan and apply any directory #1508

Closed
jasonrberk opened this issue Apr 15, 2021 · 13 comments · Fixed by #2440
Labels: bug (Something isn't working), security

Comments

@jasonrberk

I'm curious if others noticed this and how they might be dealing with it.

If I run a plan, and get an approval, I could then run another plan, in an entirely different directory (using -d) and apply it w/o getting another approval. The gist of it is that once I get an approval on my first plan, it seems like I can plan / approve anything. Seems like the plan command should dismiss any approvals so that I have to apply what was approved.

It feels like I'm just missing something, but testing seems to indicate otherwise.

@mwarkentin
Contributor

You can configure github to dismiss approvals when further commits are added to a branch.

@jasonrberk
Author

Atlantis is not a commit on a branch, it's a PR comment....

@mwarkentin
Contributor

Oh, good point - sorry I misread the concern earlier. I guess the mitigation would be that anything in that other directory should automatically trigger a plan in that dir if there is any diff from the main branch when you open the PR? And if there aren't any diffs, then that plan should be a no-op?

@jasonrberk
Author

So I open my PR..... plan my destroy changes.... and my coworker approves the plan, like so:

[screenshot: pre-approval]

After the approval, I run another plan on a completely unrelated module (i.e. folder). Nobody sees this plan or approves it:

[screenshot: post-approval]

Notice, both plans were applied and auto-merged, but nobody ever saw the second plan or approved it. This seems like something I'd want to button up, or else, once you get any approvals, you can plan / apply anything you want, so long as you don't push any other commits to your branch (as mentioned above).

Maybe this is fallout from our TG repo strategy, but our repo layout seems fairly standard from my understanding of TG.

I see two obvious options so far:

  1. another webhook that watches for atlantis comments, and dismisses any approvals
  2. override the plan command to dismiss the approvals before running any plan
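
The first option above, as an added example that is not part of this thread or of Atlantis itself: a webhook handler for GitHub `issue_comment` events that, whenever a new `atlantis plan` comment lands on a pull request, dismisses every review currently in the APPROVED state so that the new plan output has to be reviewed again. The `FakeGitHub` client, the sample payload and the review ids are constructed for the example; in a real deployment the two client methods map onto the GitHub REST calls to list a PR's reviews and `PUT .../pulls/{pull_number}/reviews/{review_id}/dismissals`, and webhook signature verification is assumed to happen before this handler runs.

```python
import re
from dataclasses import dataclass

# Comments that (re)generate a plan: "atlantis plan" plus any flags such as
# -d, -p or -w. "atlantis apply" and ordinary discussion comments do not match.
# Assumption: the server uses the default "atlantis" command prefix.
PLAN_COMMENT_RE = re.compile(r"^\s*atlantis\s+plan(\s|$)", re.IGNORECASE)

DISMISS_MESSAGE = (
    "Approval dismissed: a new `atlantis plan` was requested on this PR; "
    "please re-review the new plan output before apply."
)


def is_plan_command(body):
    """True if the comment body is an Atlantis plan command."""
    return bool(PLAN_COMMENT_RE.match(body))


@dataclass
class Review:
    id: int
    state: str  # APPROVED, CHANGES_REQUESTED, COMMENTED or DISMISSED


class FakeGitHub:
    """Stand-in (constructed for the example) for the two GitHub REST calls
    the handler needs: list a PR's reviews and dismiss one review."""

    def __init__(self, reviews):
        self.reviews = {r.id: r for r in reviews}
        self.dismissed = []

    def list_reviews(self, repo, pr_number):
        return list(self.reviews.values())

    def dismiss_review(self, repo, pr_number, review_id, message):
        self.reviews[review_id].state = "DISMISSED"
        self.dismissed.append((review_id, message))


def approvals_to_dismiss(reviews):
    """Ids of reviews whose approval should no longer count."""
    return [r.id for r in reviews if r.state == "APPROVED"]


def handle_issue_comment(event, gh):
    """Process one issue_comment webhook payload; return the dismissed review ids."""
    if event.get("action") != "created":
        return []
    issue = event.get("issue", {})
    if "pull_request" not in issue:  # a comment on a plain issue, not a PR
        return []
    body = event.get("comment", {}).get("body", "")
    if not is_plan_command(body):
        return []
    repo = event["repository"]["full_name"]
    pr_number = issue["number"]
    ids = approvals_to_dismiss(gh.list_reviews(repo, pr_number))
    for review_id in ids:
        gh.dismiss_review(repo, pr_number, review_id, DISMISS_MESSAGE)
    return ids


def run_demo():
    """Replay the scenario from the thread: one approval exists, then a plan
    for an unrelated directory is requested. Returns (dismissed ids, states)."""
    gh = FakeGitHub([Review(11, "APPROVED"), Review(12, "COMMENTED")])
    event = {  # constructed sample payload, reduced to the fields used
        "action": "created",
        "issue": {"number": 42, "pull_request": {"url": "https://example.invalid/pr/42"}},
        "comment": {"body": "atlantis plan -d modules/unrelated"},
        "repository": {"full_name": "example-org/infra"},
    }
    dismissed = handle_issue_comment(event, gh)
    states = {r.id: r.state for r in gh.list_reviews("example-org/infra", 42)}
    return dismissed, states


if __name__ == "__main__":
    print(run_demo())
```

The handler reacts only to comment creation on pull requests and only to plan commands, so approvals survive ordinary discussion and `atlantis apply` comments. Dismissal is done per review rather than by deleting anything, which keeps the original approval visible in the PR timeline with the dismissal reason attached. The GitHub App or token behind the client needs write access to pull requests for the dismissal call to succeed.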

@mwarkentin
Contributor

Ok, doing a destroy plan wasn't something I'd thought of. 👍

@carmo-evan

+1 on plan dismissing existing approvals.

@jamengual
Contributor

Is this still an issue with v0.19.8?

@jamengual jamengual added the waiting-on-response Waiting for a response from the user label Aug 26, 2022
@jasonrberk
Author

jasonrberk commented Aug 26, 2022

is this still an issue with v0.19.8?

Is there a specific PR / changelog that updated the behavior? I'm on 0.17.2 but plan to upgrade soon....I hope

EDIT: I assume you are referring to https://www.runatlantis.io/docs/apply-requirements.html#undiverged

that seems like it would solve the issue....

I don't see anything wrong with closing this now....I can always open it (or a new issue) later

@jamengual
Contributor

You will need to look at the changelog, but we have fixed a number of issues lately.

@krzysztof-magosa

IMO it would make sense to dismiss any approvals granted before completing all plans (as an option).
Anyway, approvers should review all plans to be sure that there are no undesired side effects (e.g. caused by a potential manual change to the environment).

@github-actions github-actions bot added the Stale label Oct 25, 2022
@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale Oct 31, 2022
@nitrocode nitrocode removed waiting-on-response Waiting for a response from the user Stale labels Oct 31, 2022
@nitrocode nitrocode reopened this Oct 31, 2022
@nitrocode
Member

@jasonrberk could you update and see if you are still getting the issue with the latest release?

@gregoirefra

+1 on this. We are using the latest version of Atlantis and it's still possible to have the apply_requirement set to mergeable, approve the PR first and then create a plan that is applied afterwards without any more/new review.

@jasonrberk
Author

Sorry, I no longer work at the company where I set this all up. I might be setting it up at my new employer. If so, I'll comment back, but it looks like @gregoirefra validated that the concern still exists.

8 participants