Document security concerns of Atlantis UI

[lkysow]

Via #49 (comment), document the impact of access to the Atlantis UI in the security section

[aldenstpage]

Is there an undocumented setting for disabling the UI entirely? If not, I'm interested in implementing it.

Since the UI runs on the same port as the version control webhooks, which necessarily is exposed to the open internet for those of us using services like GitHub, the only way that I can think of to firewall off the UI without interfering with the webhooks is to whitelist GitHub's backend IPs. Polling GitHub for its IPs sounds like a lot of operational overhead to secure a feature that I don't use. I would rather be able to just switch off the UI.

edit: Like others in this thread, I ended up putting Atlantis behind a reverse proxy that allows fine-grained access control.

[lkysow]

There isn't an undocumented setting and I don't think I'd want a PR to implement it. The UI is necessary for normal Atlantis usage, I'd be surprised if you never needed it.

You could also front Atlantis with a server that only lets through requests to /events. I'm also not sure how often GitHub changes their backend IPs, but you probably don't have to poll them?

I know those aren't great solutions but that's where we're at today.

[chenrui333]

In my case, UI is pretty good for just showing the information across the repos (atlantis tool for all our repos).

[chadasapp]

On the IP whitelisting: if you use Terraform, you can get the IPs from the Github provider.

[epacke]

You could also potentially run nginx in front of atlantis and use basic auth. The web hook could then be configured as https://user:password@url-to-atlantis. Disclaimer, I have not tested this myself yet as I've just started to set it up.

[ted-fastly]

We use the whitelisted IPs through terraform like @chadasapp, it also goes through a custom tool that checks the signature, who is attached to the request, if the repo is truly a private repo, all those bits. It also has our company's next-gen WAF protecting it.

It would be easier if API traffic and human traffic were on different ports. It's a lot easier to trust a security group, for instance.

[netguino]

I've very succesfully been deploying https://github.com/pusher/oauth2_proxy in front of atlantis, with the github integration.

You can specify to skip auth for the /events path, so the webhooks still work fine.

[pdhara]

You can update the ingress to handle only /events, thereby disabling UI partially.

Google Managed Certs

Update ingress block in helm chart deployment:

ingress:
  enabled: true
  annotations:
    networking.gke.io/managed-certificates: gke-managed-cert
    kubernetes.io/ingress.global-static-ip-name: gke-managed-ip
    kubernetes.io/ingress.class: "gce"
  path: /events
  host: atlantis.testxxx.com

[dashford]

I've very succesfully been deploying https://github.com/pusher/oauth2_proxy in front of atlantis, with the github integration.

You can specify to skip auth for the /events path, so the webhooks still work fine.

@netguino How did you implement this if you can remember? I've used the --skip-auth-regex argument for the oauth proxy but it doesn't look to be having any effect, the proxy is still redirecting requests to oauth.

[netguino]

@dashford

@netguino How did you implement this if you can remember? I've used the --skip-auth-regex argument for the oauth proxy but it doesn't look to be having any effect, the proxy is still redirecting requests to oauth.

These are my settings for oauth2_proxy

 26         "name": "OAUTH2_PROXY_EMAIL_DOMAINS",
 27         "value": "*"

 30         "name": "OAUTH2_PROXY_GITHUB_ORG",
 31         "value": "FOO"

 34         "name": "OAUTH2_PROXY_GITHUB_TEAM",
 35         "value": "${team_whitelist}"

 38         "name": "OAUTH2_PROXY_UPSTREAMS",
 39         "value": "http://atlantis.${discovery_zone}:4141"

 42         "name": "OAUTH2_PROXY_COOKIE_SECURE",                                                 
 43         "value": "true"

 46         "name": "OAUTH2_PROXY_PROVIDER",
 47         "value": "github"

 50         "name": "OAUTH2_PROXY_REVERSE_PROXY",
 51         "value": "true"

 54         "name": "OAUTH2_PROXY_HTTP_ADDRESS",
 55         "value": "0.0.0.0:4180"

 58         "name": "OAUTH2_PROXY_SKIP_PROVIDER_BUTTON",
 59         "value": "true"

 62         "name": "OAUTH2_PROXY_SILENCE_PING_LOGGING",
 63         "value": "true"

 66         "name": "OAUTH2_PROXY_REDIRECT_URL",
 67         "value": "${atlantis_url}/oauth2/callback"

 70         "name": "OAUTH2_PROXY_SKIP_AUTH_REGEX",
 71         "value": "/events"

[dashford]

Many thanks for that @netguino 🙂