Atlantis arg require_approval flag should be ignored if --allow-repo-config is enabled #255

Closed
mechastorm opened this issue Sep 6, 2018 · 4 comments
Labels
feature New functionality/enhancement

Comments

@mechastorm

Issue

In my atlantis server, I have my executable reading a config.yaml which has these contents

# other configs
require-approval: true
allow-repo-config: true

And then I have a project in my atlantis.yaml config like so

  - name: iam-preprod
    dir: terraform/iam/preprod
    workspace: default
    terraform_version: 0.11.7
    autoplan:
      when_modified: ["*.tf", "terraform.tfvars"]
      enabled: true
    # apply_requirements: [approved]
    workflow: preprod

Note that apply_requirements has been commented out. My aim is to allow atlantis apply on terraform/iam/preprod without approval.

Expected Behaviour

I can run atlantis apply on terraform/iam/preprod without approval.

Actual Behaviour

Atlantis denies me asking that I need approval before I apply.

Workaround.

The workaround I did to get my desired behaviour was to set require-approval to false

# other configs
require-approval: false
allow-repo-config: true

@lkysow
Member

lkysow commented Sep 7, 2018

Right, so basically you want to be able to have the server default to requiring approvals but allow overrides per repo.

@mechastorm
Author

Yeap that is what we want.

By default, follow whatever the server is configured with, i.e. require-approval: false, but this can be overridden by the atlantis.yaml config.

Now that I further think about this, some would assume that this idea would be a security flaw if it can be overridden in the atlantis.yaml file. But I think there was already a separate discussion, and the docs mentioned the security precautions one must take with the atlantis.yaml config file.

@majormoses
Contributor

majormoses commented Sep 10, 2018

I am not sure where I stand on this. I feel like any option defined server-side should win in merge cases unless specifically configured to allow specific bits of config client-side to win. The server is a trusted resource vs. a repo, which is a less trusted resource, and options should therefore win on the server because of the security implications. I think having server-side options like --client-wins-require-approval allows the operator to opt into the level of security they want, with sane defaults being the server always wins.

@lkysow
Member

lkysow commented Apr 4, 2019

Now with server-side repo config you can configure defaults on the server per-repo: https://www.runatlantis.io/docs/server-side-repo-config.html#repos-can-set-their-own-apply-requirements

This should accomplish what you'd like.

@lkysow lkysow closed this as completed Apr 4, 2019
@lkysow lkysow added the feature New functionality/enhancement label Apr 9, 2019
jamengual pushed a commit that referenced this issue Nov 24, 2022
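
The precedence discussed in this thread (server default, with a repo override honoured only when the operator opts in), as an added Go illustration that is not part of the issue and is not Atlantis's own code. The types and EffectiveRequirements are hypothetical, modelled on the apply_requirements and allowed_overrides keys of server-side repo config; the model separates a commented-out key from an explicit empty list.

```go
package main

import "fmt"

// ServerPolicy is the operator-controlled side (hypothetical type).
type ServerPolicy struct {
	ApplyRequirements []string // server default, e.g. ["approved"]
	AllowedOverrides  []string // keys a repo's atlantis.yaml may override
}

// RepoProject is the repo-controlled side (hypothetical type). A nil slice means
// the key is absent or commented out; an empty non-nil slice means an explicit [].
type RepoProject struct {
	ApplyRequirements []string
}

// EffectiveRequirements returns what is enforced at apply time, and whether a
// repo-supplied value was rejected because the server did not allow the override.
func EffectiveRequirements(s ServerPolicy, r RepoProject) ([]string, bool) {
	if r.ApplyRequirements == nil {
		return s.ApplyRequirements, false // key absent: inherit the server default
	}
	for _, k := range s.AllowedOverrides {
		if k == "apply_requirements" {
			return r.ApplyRequirements, false // operator opted in: repo value wins
		}
	}
	return s.ApplyRequirements, true // untrusted override refused: server wins
}

func main() {
	strict := ServerPolicy{ApplyRequirements: []string{"approved"}}
	optIn := ServerPolicy{ApplyRequirements: []string{"approved"}, AllowedOverrides: []string{"apply_requirements"}}
	cases := []struct {
		name string
		s    ServerPolicy
		r    RepoProject
	}{ // constructed sample inputs
		{"key commented out, override allowed", optIn, RepoProject{}},
		{"explicit [], override allowed", optIn, RepoProject{ApplyRequirements: []string{}}},
		{"explicit [], override not allowed", strict, RepoProject{ApplyRequirements: []string{}}},
	}
	for _, c := range cases {
		reqs, rejected := EffectiveRequirements(c.s, c.r)
		fmt.Printf("%-36s requirements=%v rejected=%v\n", c.name, reqs, rejected)
	}
}
```

A caller should treat rejected=true as a reason to fail the apply with an error rather than continue silently.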