-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Implement a new policy check workflow #1317
Implement a new policy check workflow #1317
Conversation
Codecov Report
@@ Coverage Diff @@
## master #1317 +/- ##
==========================================
- Coverage 70.01% 69.40% -0.62%
==========================================
Files 74 93 +19
Lines 5586 6291 +705
==========================================
+ Hits 3911 4366 +455
- Misses 1312 1543 +231
- Partials 363 382 +19
Continue to review full report at Codecov.
|
Here are two screenshots showing an example workflow. The policy check is a bit contrived, it fails if a PR is created with
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
💯 . e2e tests and docs will be the final touch. Looks great!
Super cool I have to say this is an awesome feature to add. |
Amazing, I was literally just thinking about this. Some thoughts on policies though, it would be nice if multiple ways of policy-provisioning would be supported, like:
Another couple of thoughts on features I had:
I'll try to understand the PR and see if I can contribute something |
2 and 3 are being planned on and the code seems structured well enough to support those with minimal effort. I think what makes 3 a bit difficult from supporting off the bat is running different policy sets under different conftest versions. With only server side right now its assumed that there is a single version for all policies. This shouldn't be done in the scope of this PR, and this PR is a very solid first step |
One of the things I would like to see here, is the ability to not have to depend on an actual file. It seems that the policies require a file path, so if I was to run atlantis stateless-ish, I'd love to be able to define all the policies the same way I can define the server side config by passing a json string. Otherwise such a great feature! So much potential. |
It can be explored in a future PR, I think conftest requires a folder as input |
It would be more work, but since Atlantis is written in the same language as Open Policy Agent, instead of using conftest, it could embed OPA as a library https://www.openpolicyagent.org/docs/latest/integration/#integrating-with-the-go-api That would allow more control of where policies come from perhaps |
policy runner backend should be pluggable, if someone wants to write OPA support they should be able to. Might need to change the interface for that. Personally, prefer the simplicity of conftest and with newer features simplicity is 🔑 |
could it be possible to define teams instead of user for approvers? |
we don't use teams, so i think supporting both would be better. @msarvar might actually be worthwhile to change
to
to allow us to add support for teams in the future without having to rev the major version |
As @nishkrishnan mentioned we are planning on adding different ways to define your policies. Probably bundles are the next obvious and easy choice to implement.
Can you expand on what would be the use case for this? Our main thinking was to keep policy enforcement scoped around your infrastructure changes.
This is something we considered to add but decided to keep things simple and only support pass/fail/approve for now. I think adding some extra functionality like auto-approve/auto-apply might make things interesting and improve devX. |
This sort of integrates with how I envisioned the auto-approval I also suggested would work, I think I can best illustrate this with some example flows. Example 1:We have some Terraform stack which represents cloud resources for development environment (maybe some instances, storage etc.) we invoke a module for every developer so everyone gets the same resources unless specific overrides are made. In this case the metadata used is the attached username of the person who opened the PR and all the groups and memberships of the repository system in question, whether that is github, gitlab, bitbucket etc. This could also resolve the issue @jamengual raised Example 2:You use Kops with the Terraform target to generate a terraform module. Here the flow of approval itself you could say is part of the metadata, if you were to have the input JSON look something like the following psuedo-json all kinds of custom flows could be made possible:
You could even use this to (potentially) get rid of certain built-in commands like |
38208f5
to
98386ba
Compare
runAutoPlanCommand - does what originally RunAutoplancommand was doing except now it returns CommandResult and []models.ProjectCommandContext runAutoPolicyCheckCommand - accepts CommandContext, CommandResult, and []models.ProjectCommandContext as arguments and runs PolicyCheckStep runner
* [ORCA-666] Ensure failing policy checks don't discard the locks. * Fix tests * fix.
// can happen once at the beginning | ||
envVars = append(envVars, os.Environ()...) | ||
|
||
// honestly not entirely sure why we're using sh -c but it's used |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
it's because folks set extra_args
and other things that may require shell interpolation
89f1f74
to
d3d1a6c
Compare
6cae32f
to
38e05e7
Compare
Hi @msarvar, I'm trying to get conftest working but I'm getting an error:
The documentation does not covert if the path is relative or what env variables are recognized. Could you please help me? |
I got the answer eventually from https://github.com/runatlantis/atlantis/tree/master/server/testfixtures/test-repos/policy-checks-multi-projects. |
@nishkrishnan |
if you want to propose a feature you can create an issue or commit code on a PR, contributions are welcome. |
Created a ticket for the group feature - #2116 |
This PR adds policy check workflow into atlantis. It uses conftest to execute policies. At the moment you can only define policies locally and configure them in the server side config.
How it works
Policy checks step, if enabled, will always run after plan step. If the policy check fails an approval from a policy owner is required, to approve the policy owner needs to comment
atlantis approve_policies
in the PR . We decided against overloading the PR approval to also approve policies, for that reason there is a newapprove_policies
command to approve failing policies. This makes policy approval an explicit action that avoids any ambiguity that might be created by PR approvals.To define the list of policy owners you will need to update server side config, currently we are only supporting github usernames(example below).
How to use it
Enable the policy checks by adding
--enable-policy-checks=true
flag to your server launch script.Define your
policy_sets
,owners
, andconftest_version
in the server config underpolicies
key. Example below:Notes
CommandRunner
was broken down intoApplyCommandRunner
,PlanCommandRunner
,UnlockCommandRunner
andApprovePoliciesCommandRunner
. NowCommandRunner
just creates a required object in runtime based on request. There is notPolicyCheckCommandRunner
because policy checks are running after plan step so the logic is encapsulated within thePlanCommandRunner
.This PR is not fully ready to be merged, I still need to add e2e tests and update the docs.