server-side atlantis.yaml #47
Comments
Comment by @so0k My mistake, output of these hooks isn't printed to comments
Comment by @lkysow I think this is still an issue actually. If there's an error while running the scripts then we print out the output if you run the command with |
Comment by @lkysow I think the best way to fix this is to only execute the atlantis.yaml file that's on the branch being pull requested into.
Comment by @eriksw Using old |
Comment by @lkysow @eriksw in that case you'd have to do 2 pull requests. The first would be the version change and the second would be the tf changes. It's kind of annoying but if we use the I anticipate that |
Comment by @eriksw I can't say I'm a fan of having to go through a two-PR process every time there's a new version of terraform. (Pinning in both .tf The simplicity of requiring a simple detached hmac "signature" of |
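The detached HMAC check mentioned in the comment above, written out as an added example (this is not Atlantis code and not part of the thread); it assumes the server holds a key that PR authors never see and that a maintainer produced the signature for the approved config:

```python
"""Detached HMAC check for a repo-level config file such as atlantis.yaml.

Added example, not Atlantis code. Assumes a server-side secret key that
PR authors never see and a signature produced for the approved config.
A config changed in a PR (e.g. a hook added) no longer matches, so its
hooks are not executed.
"""
import hashlib
import hmac

# Constructed sample: the config a maintainer approved and signed.
APPROVED_CONFIG = b"""version: 2
projects:
  - dir: .
    workflow: default
"""

# Constructed sample: the same file after a PR appends a hook that would
# run with the server's credentials (hypothetical script name).
TAMPERED_CONFIG = APPROVED_CONFIG + b"""workflows:
  default:
    plan:
      steps:
        - run: ./untrusted-script.sh
"""


def sign_config(config: bytes, key: bytes) -> str:
    """Hex HMAC-SHA256 the trusted side stores beside the config (e.g. atlantis.yaml.sig)."""
    return hmac.new(key, config, hashlib.sha256).hexdigest()


def config_is_trusted(config: bytes, signature_hex: str, key: bytes) -> bool:
    """Constant-time check of the detached signature; False means do not run hooks."""
    expected = sign_config(config, key)
    return hmac.compare_digest(expected, signature_hex)


if __name__ == "__main__":
    key = b"server-side-secret-never-in-the-repo"  # constructed key
    sig = sign_config(APPROVED_CONFIG, key)
    print("approved config trusted:", config_is_trusted(APPROVED_CONFIG, sig, key))
    print("tampered config trusted:", config_is_trusted(TAMPERED_CONFIG, sig, key))
```

The check only stops hook changes by people without the key; re-signing on every legitimate edit is exactly the workflow cost the next comments weigh against it.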
Comment by @lkysow @eriksw you're right that that is a poor workflow. Thank you for your concerns. As a result I've spent some more time looking into how drone.io deals with these issues and why they removed the signing step. This thread is particularly illuminating: harness/harness#1935 My conclusions:
Comment by @so0k I like the conclusion - in Drone we do provide a list of admins as part of the configuration, but you will get this from the repo attributes? Does this mean |
Comment by @lkysow
Yes, for now until I have time to work on a more robust authentication/authorization system
Yes, exactly, because otherwise you could put malicious changes in the plan step
Comment by @grobie Another use case:
The proposed solution there won't work, as a user could simply change atlantis.yml in master and then create a PR. An additional solution for such mono repo use cases: separate atlantis.yml from the terraform files and load it directly on the (secured) server.
I've created an RFC to address this change with a proposed schema. Please add any comments there.
+1 for the server-side config described in the RFC. It would allow us to enforce controls and implement custom workflows centrally, which is well... needed in enterprise environments like ours, where you have numerous teams, multiple vendors, and a wide variety in Terraform skills level.
Also +1 on the server-side config described in the RFC. Seems like a good solution to me and is clearly needed.
Hi All,
• You can read docs about it here: https://deploy-preview-546--runatlantis.netlify.com/docs/repos-yaml-reference.html#overview
Closed by release v0.7.0
Issue by @so0k
Monday Jan 29, 2018 at 08:24 GMT
Migrated from hootsuite/atlantis#236
Atm, any developer can add pre_get, pre_init, pre/post_plan commands to expose secrets via atlantis.yaml - as Atlantis requires quite significant permissions, this might be a concern. Drone used to have a signing step required for the drone.yaml file, ensuring unauthorized modifications to atlantis.yaml can be prevented.