[PROPOSAL] Allow specifying environment variables in workflows #542
Comments
@lkysow / @majormoses this is something I was planning on doing but just wanted to get feedback on whether this makes sense or if there are better ways to do something similar |
So the idea would be you use something like chamber to execute the atlantis process with all the env vars exposed and then create a mapping to tell each team which to use? I like the idea but without stronger protections such as RBAC there is no way to enforce it so team A can't see team B's credentials. I think it would be better to run multiple instances of the atlantis process for each team, rely on an encrypted terraform vars file, etc.; that way if a team/project was compromised they would not be able to exfiltrate all the secrets. Otherwise we start treating atlantis like a secret store/vault and I think it would be better to implement integration with various vaults (hashicorp and aws ssm for example) and allow admins to specify paths that each project can access based on a namespace. |
How would team A see team B's credentials, when they are stored in files on atlantis and nobody has access to atlantis except the operations team? The use case here is to have a single atlantis instance and use a monorepo to hold all the teams' infra and use a CODEOWNERS file to restrict access. Running multiple atlantis instances is a huge PITA; dev teams don't care, they just want a working atlantis. |
Most constructs in atlantis have a repo config which is part of my concern. If it's server side only it limits its exploitability. If the repo can say for |
Can this be achieved with https://github.com/runatlantis/atlantis/blob/master/CHANGELOG.md#v090 ?
|
Yes, you're right, this does close the issue!

```yaml
workflows:
  team_A:
    plan:
      steps:
      - env:
          name: GOOGLE_APPLICATION_CREDENTIALS
          command: echo $GOOGLE_APPLICATION_CREDENTIALS_TEAM_A
      - init
      - plan
      - apply
  team_B:
    plan:
      steps:
      - env:
          name: GOOGLE_APPLICATION_CREDENTIALS
          command: echo $GOOGLE_APPLICATION_CREDENTIALS_TEAM_B
      - init
      - plan
      - apply
```

|
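
Added example, not part of the thread and not the Atlantis project's own code: a server-side repo config that keeps the per-team credential mapping out of repo control, which is the concern raised above about repo-level config. The repo id is a placeholder; `allowed_overrides` and `allow_custom_workflows` are Atlantis server-side repo config keys that the thread itself does not mention.

```yaml
# repos.yaml, loaded by the Atlantis server via --repo-config.
# Constructed example: the repo id below is a placeholder.
repos:
- id: github.com/example-org/infra-monorepo
  # A project in atlantis.yaml may select one of the workflows below by name...
  allowed_overrides: [workflow]
  # ...but the repo may not define workflows or steps of its own.
  # Weak setting: `true` lets any pull request add a step that reads
  # another team's variable from the server's environment.
  allow_custom_workflows: false

# Workflows live only on the server, next to the variables they map.
workflows:
  team_A:
    plan:
      steps:
      - env:
          name: GOOGLE_APPLICATION_CREDENTIALS
          command: echo $GOOGLE_APPLICATION_CREDENTIALS_TEAM_A
      - init
      - plan
    apply:
      steps:
      - env:
          name: GOOGLE_APPLICATION_CREDENTIALS
          command: echo $GOOGLE_APPLICATION_CREDENTIALS_TEAM_A
      - apply
  team_B:
    plan:
      steps:
      - env:
          name: GOOGLE_APPLICATION_CREDENTIALS
          command: echo $GOOGLE_APPLICATION_CREDENTIALS_TEAM_B
      - init
      - plan
    apply:
      steps:
      - env:
          name: GOOGLE_APPLICATION_CREDENTIALS
          command: echo $GOOGLE_APPLICATION_CREDENTIALS_TEAM_B
      - apply
```

Selecting a workflow by name is still a repo-side choice, so in the monorepo setup the `atlantis.yaml` entries that bind a project to `team_A` or `team_B` need the same CODEOWNERS protection as the infrastructure code.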
Closed by #751 |
As a user of atlantis, I want to be able to specify a custom list of environment variables and use the default `init`, `plan`, `apply` steps. This allows me to not write custom commands when running terraform. Specifically:

- `atlantis.yaml` file looks much cleaner without custom commands

It also seems like there are many related asks to this where the users seem to be asking for the ability to specify environment variables.

My proposal:

`envs` to the Step type which would hold key value pairs specifying the environment: variable mapping e.g.
to the Step type which would hold key value pairs specifying the environment: variable mapping e.g.The text was updated successfully, but these errors were encountered: