Preventing merging without running atlantis apply on Gitlab

[tiagomeireles]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request. Searching for pre-existing feature requests helps us consolidate datapoints for identical requirements into a single place, thank you!
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.
• If you are interested in working on this issue or have submitted a pull request, please leave a comment.

---

Overview of the Issue

Currently, I am able to merge a merge request in Gitlab before atlantis apply is ran. I want the ability to prevent merge requests from being able to be merged without atlantis apply completing successfully.

There has been previous attempts for example #2053 introduced this behavior but was rolled back because of workflows that are dependent on all CI jobs being completed.

#3378 (unintentionally?) introduced this behavior again, then was reverted in #3747.

#2436 (comment) describes the behavior I expect using Github.

Using 0.27.2, when I open a merge request that creates new resources. (I’m using resource "terraform_data" "example" {})
Atlantis autoplans, creating an external stage with the following jobs.

I expect there to be a pending atlantis/apply job to prevent the merge request from being merged as my repo require CI to be passing. If I revert https://github.com/runatlantis/atlantis/pull/3747/files#diff-6583ec7260b28e573c74e18e783ee24ba8dce7d0a2e6929c105cc7e74d3d9c6fL318-R319 from #3747, I get the behavior I expect.

Then after a successful atlantis apply, the atlantis/apply job and atlantis/apply: <project> succeed and I can merge the merge request.

Are there other Gitlab users who have similar requirements? Am I missing something(e.g a flag?) that makes this possible?

I'm open to other methods of preventing merging without successful atlantis apply's. Happy to contribute any patches that support this workflow.

Reproduction Steps

Logs

Environment details

• Atlantis version: 0.27.2
• Deployment method: helm
• Atlantis flags:

  - --automerge
  - --default-tf-version=v1.5.7 
  - --enable-policy-checks

Atlantis server-side config file:

  ---
  repos:
  - id: /.*/
    plan_requirements: [undiverged]
    apply_requirements: [approved, mergeable, undiverged]
    import_requirements: [approved, mergeable, undiverged]
    workflow: terragrunt
  policies:
    owners:
      users:
        - tiago.meireles
    policy_sets:
      - name: standard
        path: /home/atlantis/policies/
        source: local
  workflows:
    terragrunt:
      plan:
        steps:
        - env:
            name: TERRAGRUNT_TFPATH
            command: 'echo "terraform${ATLANTIS_TERRAFORM_VERSION}"'
        - env:
            # Reduce Terraform suggestion output
            name: TF_IN_AUTOMATION
            value: 'true'
        - run:
            # Allow for targetted plans/applies as not supported for Terraform wrappers by default
            command: terragrunt plan -input=false $(printf '%s' $COMMENT_ARGS | sed 's/,/ /g' | tr -d '\\') -no-color -out $PLANFILE
            output: hide
        - run: terragrunt show $PLANFILE
        - run: terragrunt show -no-color -json $PLANFILE > $SHOWFILE
      apply:
        steps:
        - env:
            name: TERRAGRUNT_TFPATH
            command: 'echo "terraform${ATLANTIS_TERRAFORM_VERSION}"'
        - env:
            # Reduce Terraform suggestion output
            name: TF_IN_AUTOMATION
            value: 'true'
        - run: terragrunt apply -input=false $PLANFILE
      import:
        steps:
        - env:
            name: TERRAGRUNT_TFPATH
            command: 'echo "terraform${DEFAULT_TERRAFORM_VERSION}"'
        - env:
            name: TF_VAR_author
            command: 'git show -s --format="%ae" $HEAD_COMMIT'
        # Allow for imports as not supported for Terraform wrappers by default
        - run: terragrunt import -input=false $(printf '%s' $COMMENT_ARGS | sed 's/,/ /' | tr -d '\\')
      state_rm:
        steps:
        - env:
            name: TERRAGRUNT_TFPATH
            command: 'echo "terraform${DEFAULT_TERRAFORM_VERSION}"'
        # Allow for state removals as not supported for Terraform wrappers by default
        - run: terragrunt state rm $(printf '%s' $COMMENT_ARGS | sed 's/,/ /' | tr -d '\\')
      policy_check:
        steps:
        - env:
            name: TERRAGRUNT_TFPATH
            command: 'echo "terraform${ATLANTIS_TERRAFORM_VERSION}"'
        - env:
            # Reduce Terraform suggestion output
            name: TF_IN_AUTOMATION
            value: 'true'
        - run: terragrunt show -no-color -json $PLANFILE > $SHOWFILE
        - policy_check:
            extra_args: ["-p", "/home/atlantis/policies/", "--all-namespaces", "--parser=json", "--no-color"]

Repo atlantis.yaml file: N/A

Additional Context

[shurkus]

This is an ancient, foolish decision to adopt this MR, resulting in us living on v0.19.2.

[stasostrovskyi]

@shurkus What exactly makes you live on v0.19.2? PR that you referenced added an optional, disabled by default, feature for GitHub only.

[shurkus]

wrong here is this one #2053, corrected

[chriskuchin]

So this is completely broken for us on latest. The atlantis/apply top level job only ever shows up after we have applied one of the projects in a repo. But it doesn't prevent merging before anything has been applied.

To be clear I am not sure it has ever worked on gitlab or if it did I didn't notice when it broke and it's been burning us the last while

[ebeltramo96]

Any updates? Our developers sometimes merge MRs before applying the terraform content because the pipeline succeeds even if there are changes ti be applied. We would love to have back the way to block this behavior!

[tweiss-mdm]

Maybe remove the right to merge to all developers ? (only Atlantisbot and Maintainer allowed to merge)

[ebeltramo96]

we have it already limited, nevertheless this is something that should be blocked by a pending status pipeline in case some changes are detected

[shurkus]

Any news?

[shurkus]

Can be fixed by adding to
plan_command_runner.go#L117

	// At this point we are sure Atlantis has work to do, so set commit status to pending
	if err := p.commitStatusUpdater.UpdateCombined(ctx.Log, ctx.Pull.BaseRepo, ctx.Pull, models.PendingCommitStatus, command.Plan); err != nil {
		ctx.Log.Warn("unable to update plan commit status: %s", err)
	}
	if err := p.commitStatusUpdater.UpdateCombinedCount(ctx.Log, ctx.Pull.BaseRepo, ctx.Pull, models.PendingCommitStatus, command.Apply, 0, len(projectCmds)); err != nil {
		ctx.Log.Warn("unable to update apply commit status: %s", err)
	}

but looks like it can break Github 😿

[ebeltramo96]

I think this thread can be considered closed after the last version: v0.28.3

[shurkus]

Yep, tested and work fine

[ebeltramo96]

Actually we are now able to merge again if the MR presents atlantis changes.
It got reverted: v0.28.3...v0.28.4