feat: Add option allowing usage of custom policy check tools #3765

bgalkows · 2023-09-13T16:39:50Z

what

Adds custom_policy_check setting in repo config and atlantis.yaml
Allows overrides for custom_policy_check in atlantis.yaml
Renames ConftestOutput field to PolicyOutput in PolicySetResult struct for clarity
When set, project_command_runner no longer tries to parse the policy output as a JSON object directly into a struct assuming Conftest output format
- Instead of parsing from JSON, assigns custom tool output into the struct directly
- Custom policy output is parsed for "fail" substrings to determine passing

why

This change enables users to leverage other policy tools besides Conftest in their custom workflows
- Other tools will not have the same level of Atlantis integration, but they will at least run without errors in a policy check and interact with the approve_policies command

tests

I have tested this in a private repo, both with the server-side setting and atlantis.yaml override setting. Approve_policies behavior is unaffected.
Open to any suggestions for adding a test case where relevant. I didn't see many tests for policy check steps to use for reference.
- This PR's only behavior change is within the Policy Check step, when the flag is set

references

Closes Custom policy checks with non-JSON output produce errors #3682

jamengual

@X-Guardian I know you worked on this a bit and I was wondering if you have any input
@GenPage

jamengual · 2023-09-13T18:31:01Z

runatlantis.io/docs/repo-level-atlantis-yaml.md

-| repo_locking                             | bool                  | `true`      | no       | Get a repository lock in this project when plan.                                                                                                                                                                                          |
+| repo_locking                             | bool                  | `true`      | no       | Get a repository lock in this project when plan.                                                                         
+
+| custom_policy_check                             | bool                  | `false`      | no       | Enable using policy check tools other than Conftest                                                                                                                                                           |


could you add an example on how to use this with another tool?

@jamengual Added custom-policy-checks.md with examples for both ways to set the flag and linked to it from server-side-repo-config.md

GenPage

I don't a big fan of trying to jam custom policy check support into the existing model, however I understand the need to have support for other tooling. I'm going to leave this open for a couple weeks to gather other feedback from the community before deciding on whether to merge this as-is or not.

bgalkows · 2023-10-06T06:06:21Z

Updated the PolicySetResult struct's fields to be more general for clarity when used with custom tooling

…round

…ep_runner

…ntis#3765) * Adding new flag everywhere relevant, implementing policy result workaround * Fixing unit test str matching, adding custom policy conditional to step_runner * Adding documentation steps for custom policy tools * Refactoring ConftestOutput attribute to PolicyOutput

bgalkows requested a review from a team as a code owner September 13, 2023 16:39

github-actions bot added docs Documentation go Pull requests that update Go code labels Sep 13, 2023

bgalkows marked this pull request as draft September 13, 2023 16:47

bgalkows changed the title ~~Add option allowing usage of custom policy check tools~~ feat: Add option allowing usage of custom policy check tools Sep 13, 2023

jamengual reviewed Sep 13, 2023

View reviewed changes

jamengual added waiting-on-review Waiting for a review from a maintainer feature New functionality/enhancement conftest-policy labels Sep 13, 2023

bgalkows marked this pull request as ready for review September 14, 2023 23:46

bgalkows requested a review from jamengual September 17, 2023 03:21

GenPage reviewed Sep 25, 2023

View reviewed changes

GenPage added needs discussion Large change that needs review from community/maintainers work-in-progress and removed waiting-on-review Waiting for a review from a maintainer labels Sep 25, 2023

bgalkows added 4 commits October 5, 2023 23:06

Adding new flag everywhere relevant, implementing policy result worka…

b415f30

…round

Fixing unit test str matching, adding custom policy conditional to st…

a3270ec

…ep_runner

Adding documentation steps for custom policy tools

d3bc4e3

Refactoring ConftestOutput attribute to PolicyOutput

d29ed31

bgalkows force-pushed the bgalkows/custom-policy-check branch from 298d708 to d29ed31 Compare October 6, 2023 06:06

GenPage approved these changes Oct 6, 2023

View reviewed changes

GenPage merged commit 22060fe into runatlantis:main Oct 6, 2023
15 checks passed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feat: Add option allowing usage of custom policy check tools #3765

feat: Add option allowing usage of custom policy check tools #3765

bgalkows commented Sep 13, 2023 •

edited

Loading

jamengual left a comment

jamengual Sep 13, 2023

bgalkows Sep 14, 2023 •

edited

Loading

GenPage left a comment

bgalkows commented Oct 6, 2023

feat: Add option allowing usage of custom policy check tools #3765

feat: Add option allowing usage of custom policy check tools #3765

Conversation

bgalkows commented Sep 13, 2023 • edited Loading

what

why

tests

references

jamengual left a comment

Choose a reason for hiding this comment

jamengual Sep 13, 2023

Choose a reason for hiding this comment

bgalkows Sep 14, 2023 • edited Loading

Choose a reason for hiding this comment

GenPage left a comment

Choose a reason for hiding this comment

bgalkows commented Oct 6, 2023

bgalkows commented Sep 13, 2023 •

edited

Loading

bgalkows Sep 14, 2023 •

edited

Loading