Description
Community Note
- Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request. Searching for pre-existing feature requests helps us consolidate datapoints for identical requirements into a single place, thank you!
- Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.
- If you are interested in working on this issue or have submitted a pull request, please leave a comment.
Overview of the Issue
I have a github repo that uses a pre_workflow_webhook to dynamically create its atlantis.yaml file. I'm now trying to add team_authz to control who can/can't run atlantis apply for our prod environment.
I submit a comment in the PR: `atlantis plan -p my-project-prod`; notice that the environment is embedded in the project name.
However, since the team_authz command runs before the pre_workflow_webhook, the atlantis.yaml file does not yet exist. Under those conditions, the PROJECT_NAME environment variable passed to the team_authz command is empty.
I need the actual value of the -p option so that I can check the permissions. All other environment variables that I need are fine.
Reproduction Steps
- Create a repo with a pre_workflow_webhook that dynamically creates the atlantis.yaml file.
- Create a server side repo config such as:
```yaml
---
repos:
  # default catch-all (this needs to be first in the list)
  - id: /.*/
    plan_requirements: []
    apply_requirements: [mergeable, approved]
    workflow: default
    allowed_overrides: [workflow]
    allow_custom_workflows: true
    autodiscover:
      mode: disabled
  - id: github.com/MyOrg/my-repo-dynamic-atlantis
    plan_requirements: []
    apply_requirements: [mergeable, approved]
    allowed_overrides: [workflow]
    autodiscover:
      mode: disabled
    pre_workflow_hooks:
      - run: ./bin/create-atlantis-dynamic-configs.sh
team_authz:
  command: /home/atlantis/bin/team-authz.sh
```
- Make sure that the team-authz.sh script is installed in the image and is executable.
- Create a PR in the test repo and add a comment `atlantis plan -p my-project-prod` (make sure my-project-prod would be in your atlantis.yaml file when it is created dynamically).
The team-authz.sh script can be something as simple as:
```bash
#!/bin/bash
# Set variables from command-line arguments for convenience
# command is one of: plan, apply, destroy, import, output, state, taint, untaint
COMMAND="$1"
shift
# the repo of the PR for this atlantis command
REPO="$1"
shift
# the list of teams the user is a member of
TEAMS="$*"
# save the environment variables passed into the script
env > /tmp/team-authz-$$.log
# pass everything since this is a dummy script
echo "pass"
exit 0
```
This is a dummy script just for testing, but notice that the script prints the output of `env` to a file in /tmp. If you check that file you'll see that PROJECT_NAME is empty.
You could also simplify these steps by just creating a repo without an atlantis.yaml file and no pre_workflow_webhook. Same difference.
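A fail-closed variant of the team-authz.sh script above, written for this issue as an illustration (not the reporter's script and not part of Atlantis): it keeps the contract the dummy script shows (argv is command, repo, then the user's teams; PROJECT_NAME arrives in the environment; `pass` on stdout authorizes) and denies mutating commands whenever PROJECT_NAME is empty, so the missing value described above cannot quietly authorize a prod apply. The `-prod` suffix convention and the `prod-deployers` team name are assumptions.

```bash
#!/bin/bash
# Added example for this issue, not the reporter's script or part of Atlantis.
# Contract as used by the dummy script above: argv = <command> <repo> <team...>,
# PROJECT_NAME comes from the environment, "pass" on stdout authorizes.
# Assumptions: prod projects end in "-prod"; the team name below is made up.
PROD_TEAM="${PROD_TEAM:-prod-deployers}"
# Commands that change real infrastructure; plan and output are read-only.
is_mutating() {
  case "$1" in
    apply|destroy|import|state|taint|untaint) return 0 ;;
    *) return 1 ;;
  esac
}
# authz_decision <command> <repo> <team...>  -> prints "pass" or "deny: <reason>"
authz_decision() {
  local command="$1" repo="$2"
  shift 2
  local teams=" $* "   # padded so whole team names can be matched
  local project="${PROJECT_NAME:-}"
  local decision="pass"
  if [ -z "$project" ]; then
    # Fail closed: this issue shows PROJECT_NAME is empty when atlantis.yaml is
    # generated by a pre-workflow hook, so the target environment is unknown.
    if is_mutating "$command"; then
      decision="deny: PROJECT_NAME is empty, cannot tell whether $command targets prod"
    fi
  else
    case "$project" in
      *-prod)
        if is_mutating "$command"; then
          case "$teams" in
            *" $PROD_TEAM "*) ;;
            *) decision="deny: $command on $project requires team $PROD_TEAM" ;;
          esac
        fi ;;
    esac
  fi
  # Atlantis does not log team_authz decisions (see Logs), so keep an audit line
  # on stderr; where it ends up depends on the deployment.
  printf 'team_authz repo=%s command=%s project=%s teams=[%s] decision=%s\n' \
    "$repo" "$command" "${project:-<empty>}" "$*" "$decision" >&2
  echo "$decision"
}
# Only dispatch when Atlantis invoked us with arguments (lets the file be sourced).
if [ "$#" -ge 2 ]; then
  authz_decision "$@"
fi
```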
Logs
There are no logs because the team_authz activity is not logged, even in debug mode. Is that a bug?
Environment details
- Atlantis version: v0.33.0 (commit: 618d5ac) (build date: 2025-02-03T20:21:38.676Z)
- Deployment method: terraform-aws-modules/terraform-aws-atlantis on ECS/fargate
- If not running the latest Atlantis version have you tried to reproduce this issue on the latest version:
- Atlantis flags:
Atlantis server-side config file:
```hcl
# there is no server config in yaml form. All server side settings are made by setting ATLANTIS_XXX
# environments in the ECS task definition passed to the terraform module. But here are the environment variables that are being used:
environment = [
  {
    name  = "ATLANTIS_GH_ORG"
    value = "MyOrg"
  },
  {
    # NOTE: using github apps and webhooks for this atlantis
    name  = "ATLANTIS_GH_APP_ID"
    value = var.gh_app_id
  },
  {
    # NOTE: this is required when this atlantis has to access remote
    # accounts
    name  = "ATLANTIS_WRITE_GIT_CREDS"
    value = true
  },
  {
    # NOTE: allow all here, but access is enabled/disabled in the github
    # console per repo
    name  = "ATLANTIS_REPO_ALLOWLIST"
    value = "github.com/MyOrg/*"
  },
  {
    # NOTE: server-side repo configs
    name  = "ATLANTIS_REPO_CONFIG_JSON"
    value = jsonencode(yamldecode(file("${path.module}/server-atlantis${local.env_suffix}.yaml")))
  },
  {
    # NOTE: make each repo define its own list of projects
    name  = "ATLANTIS_AUTODISCOVER_MODE"
    value = "disabled"
  },
  {
    # NOTE: disable all policy checks (for now)
    name  = "ATLANTIS_ENABLE_POLICY_CHECKS"
    value = "false"
  },
  {
    name  = "ATLANTIS_LOG_LEVEL"
    value = "debug"
  },
]
secrets = [
  {
    name      = "ATLANTIS_GH_APP_KEY"
    valueFrom = data.aws_secretsmanager_secret.atlantis_gh_app_key.arn
  },
  {
    name      = "ATLANTIS_GH_WEBHOOK_SECRET"
    valueFrom = data.aws_secretsmanager_secret.atlantis_gh_webhook_secret.arn
  },
]
```
Repo atlantis.yaml file:
```yaml
# a simple dummy atlantis.yaml file; but for testing, there should not be one in the repo in order
# to simulate one being dynamically created.
version: 3
projects:
  - name: my-project-qa
    dir: path/to/a/terraform/stack
    workflow: qa
    autoplan:
      enabled: false
  - name: my-project-stage
    dir: path/to/a/terraform/stack
    workflow: stage
    autoplan:
      enabled: false
  - name: my-project-prod
    dir: path/to/a/terraform/stack
    workflow: prod
    autoplan:
      enabled: false
```
Any other information you can provide about the environment/deployment (efs/nfs, aws/gcp, k8s/fargate, etc)
Additional Context
See discussion #5351