
Preventing merging without running `atlantis apply` on Gitlab

Open tiagomeireles opened this issue 11 months ago • 12 comments

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request. Searching for pre-existing feature requests helps us consolidate datapoints for identical requirements into a single place, thank you!
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment.

Overview of the Issue

Currently, I am able to merge a merge request in Gitlab before atlantis apply is run. I want the ability to prevent merge requests from being merged without atlantis apply completing successfully.

There have been previous attempts; for example, https://github.com/runatlantis/atlantis/pull/2053 introduced this behavior but was rolled back because of workflows that depend on all CI jobs being completed.

https://github.com/runatlantis/atlantis/pull/3378 (unintentionally?) introduced this behavior again, then was reverted in https://github.com/runatlantis/atlantis/pull/3747.

https://github.com/runatlantis/atlantis/pull/2436#issuecomment-1211252243 describes the behavior I expect using Github.

Using 0.27.2, when I open a merge request that creates new resources (I’m using resource "terraform_data" "example" {}), Atlantis autoplans, creating an external stage with the following jobs.

[screenshot]

I expect there to be a pending atlantis/apply job to prevent the merge request from being merged, as my repo requires CI to be passing. If I revert https://github.com/runatlantis/atlantis/pull/3747/files#diff-6583ec7260b28e573c74e18e783ee24ba8dce7d0a2e6929c105cc7e74d3d9c6fL318-R319 from https://github.com/runatlantis/atlantis/pull/3747, I get the behavior I expect.

[screenshot]

Then after a successful atlantis apply, the atlantis/apply job and atlantis/apply: <project> succeed and I can merge the merge request.

[screenshot]

Are there other Gitlab users who have similar requirements? Am I missing something (e.g. a flag?) that makes this possible?

I'm open to other methods of preventing merging without successful atlantis applies. Happy to contribute any patches that support this workflow.

Reproduction Steps

Logs

Environment details

  • Atlantis version: 0.27.2
  • Deployment method: helm
  • Atlantis flags:
  - --automerge
  - --default-tf-version=v1.5.7 
  - --enable-policy-checks

Atlantis server-side config file:

  ---
  repos:
  - id: /.*/
    plan_requirements: [undiverged]
    apply_requirements: [approved, mergeable, undiverged]
    import_requirements: [approved, mergeable, undiverged]
    workflow: terragrunt
  policies:
    owners:
      users:
        - tiago.meireles
    policy_sets:
      - name: standard
        path: /home/atlantis/policies/
        source: local
  workflows:
    terragrunt:
      plan:
        steps:
        - env:
            name: TERRAGRUNT_TFPATH
            command: 'echo "terraform${ATLANTIS_TERRAFORM_VERSION}"'
        - env:
            # Reduce Terraform suggestion output
            name: TF_IN_AUTOMATION
            value: 'true'
        - run:
            # Allow for targeted plans/applies as not supported for Terraform wrappers by default
            command: terragrunt plan -input=false $(printf '%s' $COMMENT_ARGS | sed 's/,/ /g' | tr -d '\\') -no-color -out $PLANFILE
            output: hide
        - run: terragrunt show $PLANFILE
        - run: terragrunt show -no-color -json $PLANFILE > $SHOWFILE
      apply:
        steps:
        - env:
            name: TERRAGRUNT_TFPATH
            command: 'echo "terraform${ATLANTIS_TERRAFORM_VERSION}"'
        - env:
            # Reduce Terraform suggestion output
            name: TF_IN_AUTOMATION
            value: 'true'
        - run: terragrunt apply -input=false $PLANFILE
      import:
        steps:
        - env:
            name: TERRAGRUNT_TFPATH
            command: 'echo "terraform${DEFAULT_TERRAFORM_VERSION}"'
        - env:
            name: TF_VAR_author
            command: 'git show -s --format="%ae" $HEAD_COMMIT'
        # Allow for imports as not supported for Terraform wrappers by default
        - run: terragrunt import -input=false $(printf '%s' $COMMENT_ARGS | sed 's/,/ /' | tr -d '\\')
      state_rm:
        steps:
        - env:
            name: TERRAGRUNT_TFPATH
            command: 'echo "terraform${DEFAULT_TERRAFORM_VERSION}"'
        # Allow for state removals as not supported for Terraform wrappers by default
        - run: terragrunt state rm $(printf '%s' $COMMENT_ARGS | sed 's/,/ /' | tr -d '\\')
      policy_check:
        steps:
        - env:
            name: TERRAGRUNT_TFPATH
            command: 'echo "terraform${ATLANTIS_TERRAFORM_VERSION}"'
        - env:
            # Reduce Terraform suggestion output
            name: TF_IN_AUTOMATION
            value: 'true'
        - run: terragrunt show -no-color -json $PLANFILE > $SHOWFILE
        - policy_check:
            extra_args: ["-p", "/home/atlantis/policies/", "--all-namespaces", "--parser=json", "--no-color"]

Repo atlantis.yaml file: N/A

Additional Context

tiagomeireles avatar Mar 19 '24 01:03 tiagomeireles

This is an ancient, foolish decision to adopt this MR, resulting in us living on v0.19.2.

shurkus avatar Mar 19 '24 10:03 shurkus

@shurkus What exactly makes you live on v0.19.2? The PR that you referenced added an optional, disabled-by-default feature for GitHub only.

stasostrovskyi avatar Mar 23 '24 10:03 stasostrovskyi

wrong here is this one #2053, corrected

shurkus avatar Mar 23 '24 11:03 shurkus

So this is completely broken for us on latest. The atlantis/apply top level job only ever shows up after we have applied one of the projects in a repo. But it doesn't prevent merging before anything has been applied.

To be clear, I am not sure it has ever worked on gitlab, or if it did, I didn't notice when it broke, and it's been burning us the last while.

chriskuchin avatar Mar 25 '24 20:03 chriskuchin

Any updates? Our developers sometimes merge MRs before applying the terraform content because the pipeline succeeds even if there are changes to be applied. We would love to have back the way to block this behavior!

ebeltramo96 avatar Apr 08 '24 10:04 ebeltramo96

Maybe remove the right to merge from all developers? (Only Atlantisbot and Maintainer allowed to merge.)

tweiss-mdm avatar Apr 22 '24 14:04 tweiss-mdm

We already have it limited; nevertheless, this is something that should be blocked by a pending status pipeline in case some changes are detected.

ebeltramo96 avatar Apr 24 '24 14:04 ebeltramo96

Any news?

shurkus avatar May 31 '24 08:05 shurkus

Can be fixed by adding to plan_command_runner.go#L117

	// At this point we are sure Atlantis has work to do, so set commit status to pending
	if err := p.commitStatusUpdater.UpdateCombined(ctx.Log, ctx.Pull.BaseRepo, ctx.Pull, models.PendingCommitStatus, command.Plan); err != nil {
		ctx.Log.Warn("unable to update plan commit status: %s", err)
	}
	if err := p.commitStatusUpdater.UpdateCombinedCount(ctx.Log, ctx.Pull.BaseRepo, ctx.Pull, models.PendingCommitStatus, command.Apply, 0, len(projectCmds)); err != nil {
		ctx.Log.Warn("unable to update apply commit status: %s", err)
	}

but looks like it can break Github :crying_cat_face:

shurkus avatar Jun 11 '24 21:06 shurkus
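To make the merge-gating behaviour this thread asks for concrete, here is an added Go model written for this thread (not Atlantis code) of the commit statuses on an MR's head commit and GitLab's "pipelines must succeed" check. The MergeRequest type, its field names and the gateApply flag are assumptions; gateApply stands for the pending combined apply status that the patch quoted above sets at plan time, and passing false reproduces the reported behaviour where the MR is mergeable as soon as the plan succeeds.

```go
package main

import "fmt"

// MergeRequest is a hypothetical model (not Atlantis code) of an MR's commit statuses.
type MergeRequest struct {
	Statuses map[string]string // status name -> "pending" | "success"
	projects int               // projects Atlantis planned for this MR
	applied  int               // projects applied successfully so far
}

// Plan records a successful autoplan over n projects. With gateApply=true it
// also marks the combined apply status pending (0/n applied), as the quoted
// patch does; with false it reproduces the reported bug.
func (mr *MergeRequest) Plan(n int, gateApply bool) {
	mr.Statuses = map[string]string{"atlantis/plan": "success"}
	mr.projects, mr.applied = n, 0
	if gateApply && n > 0 {
		mr.Statuses["atlantis/apply"] = "pending"
	}
}

// Apply records one successful per-project apply; the combined apply status
// turns success only once every planned project has been applied.
func (mr *MergeRequest) Apply() string {
	mr.applied++
	mr.Statuses["atlantis/apply"] = "pending"
	if mr.applied >= mr.projects {
		mr.Statuses["atlantis/apply"] = "success"
	}
	return fmt.Sprintf("%d/%d projects applied successfully.", mr.applied, mr.projects)
}

// Mergeable models GitLab's "pipelines must succeed" setting: merging is
// allowed only when no reported status is still pending.
func (mr *MergeRequest) Mergeable() bool {
	for _, s := range mr.Statuses {
		if s != "success" {
			return false
		}
	}
	return true
}

func main() {
	var mr MergeRequest
	mr.Plan(2, true) // pass false to reproduce the reported bug
	fmt.Println("mergeable after plan:", mr.Mergeable())
	fmt.Println(mr.Apply(), mr.Apply(), mr.Mergeable())
}
```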

I think this thread can be considered closed after the last version: v0.28.3

ebeltramo96 avatar Jun 27 '24 14:06 ebeltramo96

Yep, tested and works fine

shurkus avatar Jun 27 '24 18:06 shurkus

Actually we are now able to merge again if the MR presents atlantis changes. It got reverted: https://github.com/runatlantis/atlantis/compare/v0.28.3...v0.28.4

ebeltramo96 avatar Aug 05 '24 09:08 ebeltramo96