-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Restrict Plan or Apply to Github Teams or Github Users #308
Comments
Could this also be extended into the other repository providers (e.g. GitLab)? |
@darrylb-github any thoughts on this one? |
@osterman Yea we're hitting the same problems. We initially tried via protected branches and requiring approval in atlantis but this way you would have to protect all branches which doesn't work well. Your proposal would solve this for us as well via the Think it would be beyond my atlantis/go experience at the moment to attempt to implement this myself though, but it does feel a bit like a deal breaker at the moment unless we can find another workaround 🤔 |
Note I don't think its necessary to restrict plans though; it's the apply I'm worried about. |
@aknysh on my team started working on this today. Will keep you posted. In our case, plans also need to be restricted since the external data provider runs on every plan and can run any command. |
I think the best way to implement this is to use a server-side Atlantis.yaml config (#47). I don't want to go the direction of server flags because it's not scalable. Inevitably someone is going to want a specific config for a specific Terraform repo/directory/workspace which they won't be able to accomplish with a global flag. Unfortunately the server-side config isn't complete but I think this will have to wait for that. |
Can't this already be achieved with github |
I agree the scary thing from a security stance are the ability to run local and remote exec blocks but those are not run during a plan. |
I suppose longer term supporting commands like |
We've implement this here: cloudposse-archives#7 |
We're taking atlantis to the extreme. My goal is to have it on public repos so we can test modules. Best policy is to know exactly who can run |
@lkysow, I understand your position. As an architect of many systems, I struggle with it daily. Guess from where I stand this is a hard stop, don't even consider using atlantis kind of problem that any one I talk to shares. They love the idea of |
@osterman when you say if you can plan you can do anything you want can you expand? Local/remote exec blocks are not evaluated during a plan so any easy exfiltration and code execution can be stopped by requiring code review on it as long as you are using the
Agreed if that was the case, but like I said with a CLI arg and
If it's meant to be a meaningful protection it must be serverside (whether its a config option or CLI args) as otherwise an attacker can just change the permissions themselves. I do see needing more fine grained access controls in the future to safely support public projects as well as when other commands are implemented such as |
Can you explain why you think this is the case? With Or do you mean that once a PR is approved, then anyone can apply? Which is true. |
Here's an example of using the external data provider to exfiltrate data during a Providers are not like the local or remote provisioners. They can hook into any part of the terraform lifecycle. In this case, the external data provider hooks into the plan cycle so that it can source data from external commands (e.g. a python script). Here's an example of exfiltrating the first line of the Running
This may be true on GitLab or other VCS, but not on GitHub. Per the atlantis documentation anyone can approve a pull request. As far as I understand, the
Maybe there's some extra toggle somewhere in GitHub that further restricts approvals across the board. I won't rule it out. This also seems to be the case per the
But the fact remains, a
Sorry, that was my own ambiguity. I was referring to args passed to @aknysh on our team has implemented this here: cloudposse-archives#7 Since it didn't seem like it was going to be accepted (per the earlier discussion), we didn't open a PR against |
Now, what would be truly nasty is to |
So from what I remember (I could be wrong or not remembering correctly) if you set branch protection to use |
@majormoses that would be cool - would love confirmation if that's how it works. If so, the atlantis documentation may be misleading since the red warning dialog seems to say something different. However, since I could run the following in a
|
It wouldn't be very useful if it couldn't and I agree on the need to restrict that further especially with implementing additional commands |
I have direct knowledge of a company who had 2 developer accounts hacked on the same weekend a few months back. Both had mandatory MFA enabled on their GitHub and Google email accounts. In their case, a social engineering attack allowed SIM jacking. A white list is not perfect. MFA would be better. But I'm just talking baby steps right now. Reducing the attack surface by restricting the number of engineers that can plan/apply changes (at least to production) makes me feel better. |
I just tested and it looks like it does not look at the mergability state to determine if the apply can be run @lkysow is that a bug or intended I might be remembering wrong but I seem to recall us talking about this a while ago. |
Found it, it was something being discussed but not yet implemented: #43 @osterman if that was implemented would that solve most of your concerns? While it still relies on trust from github and a compromised account with enough privs could certainly disable protections I think this would be a huge step in the right direction and should not be too hard to implement I would think. One of the benefits of this approach is that it works with github and gitlab (not sure if bitbucket or other VCS providers have similar concepts) so it would help the most people for the least amount of effort. |
Btw, the GitHub Universe conference is happening this week. Heard through the grapevine that better RBAC is coming (fingerscrossed!) That said, same source said GitHub was not coming out with CI/CD and we know how that turned out. =P @majormoses Re: #43, yes & no. I agree 100% with the intent of #43. Mergability should be a criteria for
If you take a look at our proposed solution in this PR: cloudposse-archives#7 it scales somewhat better in terms of flexibility.
This says that a team called Granted, if a user wants to do full-on RBAC per workflow/step/etc, it's a very slippery slope. I admit that this is kind'a GitHub centric approach. We needed something before 10/25 =) |
@osterman makes sense I agree that more granular is better and hope github RBAC is gonna improve although it will probably mean tons of refactoring again at my org. There are several things to consider with the proposed approach. At my current organization we have 85 teams (and that might actually go up quite a but as we are breaking up some of our larger teams) so providing even 15-20 teams seems like not the best solution for CLI arg though with a config file that might be OK. How would we handle sub/child teams? The more you specify on the command line, the more it is exposed to the process table which is accessible to any user and could be used to plan the next attack. I generally recommend providing anything sensitive (secrets, team names, repo names, permissions, etc) to be specified via a config file, ENV var, or pulled from a secret manager directly (such as hashicorp vault, aws ssm, etc).
I don't think atlantis should be in the business of providing real RBAC for this very reason. In its current state I'd say it's best to let some external process push status checks to your VCS provider and using the Anyways that's just my |
Wow, a lot to read here and I agree with both of you. I'm going to write up a bigger response with some plans to move forward so don't think I'm ignoring this, just crafting it! |
oh, and anyone with access to the repo can trigger an apply
Can you explain why you think this is the case?
With --require-approval you need to be able to approve a pull request prior to apply. The list of approvers can be gated in all VCS providers.
I don't know of a way to do this with Bitbucket (Server / Data Center). You can have a list of required approvers for a merge, but anyone can be added as a reviewer and then approve it.
…-- Kip
|
For those interested, we have a prototype of See pulls: It also includes a number of other experimental features like |
@lkysow thoughts about the plan_requirements config? I am happy to work on that if we all agree that makes sense. It should be fairly trivial if we mimic apply_requirements |
What requirements are you thinking about adding? |
It solves the issue about the plan being gated by the approval/mergeable status, which means there is no plan if there is no approval or if the PR is not ready to merge at all. |
To take it a step further, atlantis could check if the commit is GPG signed and verified by the SCM. https://docs.gitlab.com/ee/api/commits.html#get-gpg-signature-of-a-commit Lack of a more robust auth solution is likely a blocker for my company to move forward with Atlantis - particularly because we cant lock down Atlantis to our current SCM (Gitlab.com) since Gitlab.com does not provide a static CIDR space from which their webhooks will fire from - see: https://gitlab.com/gitlab-com/gl-infra/infrastructure/issues/434 We may be willing to contribute this feature for Gitlab and/or Github if there is general alignment on how to implement this as a first class feature within Atlantis. The custom server-side workflow seems like a decent workaround for now. Ill bring that to my team. Thanks! |
Where is this documented ? I have been trying to find examples for matching CUSTOM_ARGS but I can't find any example of if statements |
is the |
Updated the comment, what command ended up working for you? |
I did 👍
But this results in a blank plan as a comment, is that expected? |
You could change what it outputs, e.g.
|
ok so that means I could change it to not output anything like any bash script, right? is there a |
@jamengual for any replies can you please open a new issue so we're not spamming everyone on this issue.
No, it will always output a comment.
You can set a default workflow. |
Is there any way to whitelist bitbucket user groups at repos.yaml or at env variables similar like --gh-team-whitelist=ops? |
@Lawands, unfortunately, no... and |
Created this project to support a custom apply experience: https://github.com/czerasz/atlantis-org-applyer |
We are working on #1206 which hopefully will be done in a couple of months |
Isn't #1317 a way to achieve #1476 and basically close this issue too? @jamengual how does the above relate to your open PR? Should it be dropped in favor of the above? |
it could be and I think it will be once we get the VCS context exposed to
the pre-workflow hook which is not exposed right now.
…On Sat., Mar. 27, 2021, 3:43 a.m. Dimitris Moraitidis, < ***@***.***> wrote:
Isn't #1317 <#1317> a way to
achieve #1476 <#1476> and
basically close this issue too?
@jamengual <https://github.com/jamengual> how does the above relate to
your open PR? Should it be dropped in favor of the above?
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#308 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAQ3ERDSOHGX6JOI7ZDHJ73TFWZFRANCNFSM4FZGLEUQ>
.
|
hey what's the status of this? |
When I give multiple user names, it is throwing following error sh: syntax error: unexpected "(" |
@Abhilash-sandupatla I think that's because of the quotation within a quotation in your second run step - run: "if [ $USERNAME != "username" ]; then exit 1; fi" |
what
why
proposal
add the following flags.
Allow an explicit set of users.
Allow teams in an organization
The arg convention is piggybacking on the existing convention of
--repo-whitelist
and that all github features are prefix with--gh-*
an alternative interface could be based on
CODEOWNERS
, but I think that will be more work to implement.The text was updated successfully, but these errors were encountered: