Add Server Side YAML Restrictions #486
Codecov Report
@@ Coverage Diff @@
## master #486 +/- ##
==========================================
+ Coverage 72.18% 72.72% +0.53%
==========================================
Files 62 63 +1
Lines 4516 4641 +125
==========================================
+ Hits 3260 3375 +115
- Misses 1012 1017 +5
- Partials 244 249 +5
Continue to review full report at Codecov.
Hi John, thanks for the amazing PR! I'm hoping to get some time this week to review.
This is an implementation of the [RFC] Server-side atlantis.yaml. @jjulien - can you comment as to what may be different or missing in this implementation from what is documented in the RFC?
@kipkoan I followed the RFC with the exception of two changes that I commented on in the RFC doc but were never officially included.
While I haven't looked at the code, I read the RFC and I'm really excited about this feature. This will address the concerns I've been having regarding any pull request creator automatically having sudo, "so to speak", on the Atlantis server, which makes it hard to justify to the security team as "we just have to trust that users at our org will not be malicious" in an enterprise environment, but theoretically could take down production and/or expose sensitive secrets from Terraform's remote state storage.
@lkysow This is ready to go now with the changes you mentioned in the RFC.
Thanks @jjulien! I'm going to pull this into my own branch and make some finishing touches.
This enables atlantis.yaml in all repos, but by default restricts certain sensitive keys from being used. The keys apply_requirements, workflow, and workflows can only be specified in an atlantis.yaml file if explicitly allowed by a server-side repo config. The repo config file provides the ability to specify a default set of workflows, and default values for apply_requirements and workflow to use on a per-repo basis. It also supports applying to a collection of repos by using a regex to match a repo name. If more than one repo name matches, the values from the last repo matched are used. This deprecates the --allow-repo-config option.
@lkysow Commits have been squashed. Thanks!
Thanks! I'm going to merge something that might cause conflicts here but don't worry about fixing it, I will handle that.
Question: why did you add a new FullNameWithHost: "github.com/owner/repo" field instead of adding a method that generates that data using existing fields:

```go
// ID returns the atlantis ID for this repo.
// ID is in the form: {vcs hostname}/{repoFullName}.
func (r Repo) ID() string {
	return fmt.Sprintf("%s/%s", r.VCSHost.Hostname, r.FullName)
}
```

The only difference is that you're adding the port number, which I don't think is necessary info.
Hi all subscribers, you can read docs about it here: https://deploy-preview-546--runatlantis.netlify.com/docs/repos-yaml-reference.html#overview
@jjulien I've refactored your changes and pushed everything to a release-0.7 branch because I don't want to merge into master and have the website update. If you're curious you can see the diff here: https://github.com/runatlantis/atlantis/compare/release-0.7?expand=1 Once 0.7 is ready I'll merge that branch into master. I'm going to close this due to ☝️. Thanks for all your hard work 🙏! Should hopefully get a release out soon.
Added new --allow-restricted-repo-config and --repo-config options
This allows usage of a server-side repo config file to restrict certain fields from being used in a repo's atlantis.yaml file.
When this feature is activated, apply_requirements, workflow, and workflows can only be specified in an atlantis.yaml file if explicitly allowed by the server-side repo config.
The repo config file provides the ability to specify a default set of workflows, and default values for apply_requirements and workflow to use on a per-repo basis. It also supports applying to a collection of repos by using a regex to match a repo name.
If more than one repo name matches, the values from the last repo matched are used.
Closes #47
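The PR description and the commit message above both describe the same mechanism: match a repo id against regex entries in a server-side config (last match wins) and then refuse the restricted keys in the repo's atlantis.yaml unless that entry allows them. The following is an added example written for this page, not code from the PR or from Atlantis; the `RepoEntry` field names, the `Resolve` and `CheckRepoYAML` functions, and whole-entry (rather than per-field) last-match semantics are assumptions.

```go
package main

import "regexp"

// Restricted keys that a repo's atlantis.yaml may only set when the
// server-side config explicitly allows them (from the PR description).
var restricted = []string{"apply_requirements", "workflow", "workflows"}

// RepoEntry is one server-side repo config entry (assumed shape, not the
// project's schema).
type RepoEntry struct {
	IDRegex           string   // regex matched against "host/owner/repo"
	ApplyRequirements []string // default apply_requirements for the repo
	Workflow          string   // default workflow for the repo
	AllowedOverrides  []string // restricted keys the repo may override
}

// Resolve returns the entry that applies to repoID; when several match,
// the last one wins. A repo that matches nothing gets a zero entry: no
// defaults and no overrides allowed.
func Resolve(entries []RepoEntry, repoID string) (RepoEntry, error) {
	var eff RepoEntry
	for _, e := range entries {
		ok, err := regexp.MatchString(e.IDRegex, repoID)
		if err != nil {
			return RepoEntry{}, err // a bad regex in the server config is fatal
		}
		if ok {
			eff = e
		}
	}
	return eff, nil
}

// CheckRepoYAML lists restricted keys present in the repo's atlantis.yaml
// (given as the set of its top-level keys) that the resolved entry does
// not allow; an empty result means the file may be used as-is.
func CheckRepoYAML(eff RepoEntry, yamlKeys map[string]bool) []string {
	allowed := map[string]bool{}
	for _, k := range eff.AllowedOverrides {
		allowed[k] = true
	}
	var violations []string
	for _, k := range restricted {
		if yamlKeys[k] && !allowed[k] {
			violations = append(violations, k)
		}
	}
	return violations
}
```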