feat(policies): Add granular policy_sets #3086
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Right now I'm thinking of re-factoring contest_client.go to pass a list of structs, instead of text output, which can be interpreted by policy_check_runner.go to generate the output there, and also update pull status with additional info about how many approvals a given policyset requires/has received. |
pseudomorph
force-pushed
the
granular_policy_checks
branch
from
2629f1d
to
8ae774b
Compare
pseudomorph
commented
Feb 7, 2023
This comment was marked as outdated.
This comment was marked as outdated.
nitrocode
added
needs tests
nitrocode
reviewed
Feb 10, 2023
server/events/templates/approve_policies_results_unwrapped.tmpl
Outdated
Show resolved
Hide resolved
nitrocode
reviewed
Feb 10, 2023
nitrocode
reviewed
Feb 10, 2023
nitrocode
reviewed
Feb 10, 2023
nitrocode
reviewed
Feb 10, 2023
nitrocode
changed the title
|
I've verified that the core functionality is set up with local testing. It should just be minor tweaking and polishing from here. I'll get to starting on tests and documentation tonight/tomorrow. |
github-actions
bot
added
docs
|
I was thinking more about sticky policy approvals. Would something like storing the commit ID in the Atlantis DB and preserving reviews if the commit IDs match between policy check runs make sense? This behavior would, of course, be gated behind a parameter which defaults to false. |
|
I'll open a separate issue to encapsulate the above problem and a few other enhancements to policies to take care of once this is merged in. |
|
Is there a way to re-trigger tests/checks? |
|
Seems like the build is stuck. |
I have no idea, I guess github could be having issues? |
|
The PR was in a mergeable state the other day, but something funny is going on now. I'm not quite sure how to resolve. |
|
@nitrocode @jamengual @GenPage - Apologies for the ping. Any chance we can get this merged in this week? It'd be great to get back on an upstream Atlantis image. |
|
@pseudomorph no worries, I will take a look today. I'm also fixing some of the workflows. |
GenPage
approved these changes
Apr 21, 2023
|
Thank you so much! I'll get us on the dev image in the next week. |
nitrocode
pushed a commit
that referenced
this pull request
May 5, 2023
* Initial work. * Periodic push. * Fmt and start adding args to approve_policies cmd. * keep funcs for now. * Periodic push. * Periodic push. * fmt. * Move approve policies logic to project_command_runner. * update some tests * More test fixes. * update more tests. fix som logic. * more tests. add additional info to common data for custom templates. * fix apply with policies bug. update more tests/fmt * file perms * fix error parsing for conftest results. * Update more tests and linting. * update documentation. * Address no-fail case. Address comments. * Forgot changes. * fix markdown renderer * Fix policy fail logic. remove uneeded tmpl var * targeted policy approvals fix * Address PR comments. * empty commit to trigger build --------- Co-authored-by: PePe Amengual <jose.amengual@gmail.com> Co-authored-by: rkstrickland <ross.strickland@instacart.com> Co-authored-by: Dylan Page <dylan.page@autodesk.com>
This was referenced May 19, 2023
mtavaresmedeiros
pushed a commit
to mtavaresmedeiros/atlantis
that referenced
this pull request
Jul 3, 2023
* Initial work. * Periodic push. * Fmt and start adding args to approve_policies cmd. * keep funcs for now. * Periodic push. * Periodic push. * fmt. * Move approve policies logic to project_command_runner. * update some tests * More test fixes. * update more tests. fix som logic. * more tests. add additional info to common data for custom templates. * fix apply with policies bug. update more tests/fmt * file perms * fix error parsing for conftest results. * Update more tests and linting. * update documentation. * Address no-fail case. Address comments. * Forgot changes. * fix markdown renderer * Fix policy fail logic. remove uneeded tmpl var * targeted policy approvals fix * Address PR comments. * empty commit to trigger build --------- Co-authored-by: PePe Amengual <jose.amengual@gmail.com> Co-authored-by: rkstrickland <ross.strickland@instacart.com> Co-authored-by: Dylan Page <dylan.page@autodesk.com>
ijames-gc
pushed a commit
to gocardless/atlantis
that referenced
this pull request
Feb 13, 2024
* Initial work. * Periodic push. * Fmt and start adding args to approve_policies cmd. * keep funcs for now. * Periodic push. * Periodic push. * fmt. * Move approve policies logic to project_command_runner. * update some tests * More test fixes. * update more tests. fix som logic. * more tests. add additional info to common data for custom templates. * fix apply with policies bug. update more tests/fmt * file perms * fix error parsing for conftest results. * Update more tests and linting. * update documentation. * Address no-fail case. Address comments. * Forgot changes. * fix markdown renderer * Fix policy fail logic. remove uneeded tmpl var * targeted policy approvals fix * Address PR comments. * empty commit to trigger build --------- Co-authored-by: PePe Amengual <jose.amengual@gmail.com> Co-authored-by: rkstrickland <ross.strickland@instacart.com> Co-authored-by: Dylan Page <dylan.page@autodesk.com>
ijames-gc
pushed a commit
to gocardless/atlantis
that referenced
this pull request
Feb 13, 2024
* Initial work. * Periodic push. * Fmt and start adding args to approve_policies cmd. * keep funcs for now. * Periodic push. * Periodic push. * fmt. * Move approve policies logic to project_command_runner. * update some tests * More test fixes. * update more tests. fix som logic. * more tests. add additional info to common data for custom templates. * fix apply with policies bug. update more tests/fmt * file perms * fix error parsing for conftest results. * Update more tests and linting. * update documentation. * Address no-fail case. Address comments. * Forgot changes. * fix markdown renderer * Fix policy fail logic. remove uneeded tmpl var * targeted policy approvals fix * Address PR comments. * empty commit to trigger build --------- Co-authored-by: PePe Amengual <jose.amengual@gmail.com> Co-authored-by: rkstrickland <ross.strickland@instacart.com> Co-authored-by: Dylan Page <dylan.page@autodesk.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
what
This change updates policy checks to be more granular.
Namely:
Implementation details:
PolicySet configuration allows for the specifying of owners at the global level and on a per policy set level. Additionally, a new parameter
ReviewCount, which specifies how many approvals are required to override policy checks, has been added on the same levels. These are both considered when determining if a policy set is approved or not.Some changes were made to pass around or expose the additional context needed to manage state between policy_approval commands. The BoltDB/Redis backends have been updated to store information about each policy set on a per-project level.
Since top-level policy set owners can approve all defined policy sets, an additional
--policy-setargument has been added to the comment command parser, which allows for targeted policy approvals. Along with this change, policies can be approved on a per plan, workspace, or dir level, using the same args as all other Atlantis commands.Having discreetly approvable policy sets changes the possible error/success dynamic that the markdown renderer used to rely on.
For example:
A PR might have two failing policy sets. Someone comes along to approve and is authorized for one but not the other. In this case, we want to bubble up both the successful approval one policy set (or at least information about the approval state) along with an error indicating the authorization issue on the other.
This would also be the case where a user is authorized for all policy sets, but the policy set requires more than one approval.
To account for this, I've updated the markdown renderer to render all policies before error or failure, and then if there is error or failure, the rendered content is passed into those templates as additional context.
why
Currently, when multiple policy sets are specified, only one set of owners is considered for all, and only one approval is sufficient for overriding policy checks, where multiple might be desired.
tests
Updated existing tests, and added some new ones.
references