
Using Gitlab teams for policy approvals is broken

Open dorian-tsorfy opened this issue 1 year ago • 1 comments

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request. Searching for pre-existing feature requests helps us consolidate datapoints for identical requirements into a single place, thank you!
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment.

Overview of the Issue

I'm trying to configure Atlantis for my Gitlab environment and I'm having difficulties in setting GitLab teams as policy approvals. Here is a snippet of my Atlantis server configuration that fails -

repoConfig: |
  ---
  repos:
  - id: /.*/
    apply_requirements: [approved, undiverged]
    workflow: custom
    allow_custom_workflows: true
    policy_check: true
    custom_policy_check: true

  policies:
    owners:
      teams:
        - production-engineers
    policy_sets:
      - name: Custom
        source: local

Well, I tried some other versions of the group name, such as -

  • Adding quotes - "production-engineers"
  • Using the group id - 41

Needless to say that I'm the user (dorian.ts) who tries to run approve-policies and I'm a maintainer in the production-engineers team. The only configuration that worked was setting a static users list like that -

policies:
    owners:
      users:
        - dorian.ts
        - dan.dan

Apparently I'm not the only one having that issue, as seen in the Slack community; see this thread about the same issue.

I dug a bit in Atlantis code and I saw these pieces of code that might help understand what's the problem -

  • The GetTeamNamesForUser function inside gitlab_client.go file - It should retrieve the Gitlab team of the user that tried to run approve-policies.
  • The IsOwner function inside policies.go file - It should iterate the user teams and compare between them and the list of allowed Gitlab teams in the configuration.

Reproduction Steps

  1. Deploy Atlantis with some policy checks
  2. Create a GitLab Webhook to start interacting with your Atlantis deployment
  3. Use the above configuration to set the owner teams for policy approvals
  4. Create a repo and upload a new simple Terraform state into a branch.
  5. Create an MR and wait for the plan and policy check to happen. Make sure the policy check fails on something
  6. Try to run atlantis approve-policies

Logs

I'm dorian.ts and I'm part of the group production-engineers. I put a comment atlantis approve_policies in my MR. I'll share here a screenshot of the Atlantis response + corresponding logs from the Atlantis server.


atlantis-staging-0 atlantis {"level":"debug","ts":"2024-07-31T08:36:41.153Z","caller":"events/events_controller.go:127","msg":"handling GitLab post","json":{}}
atlantis-staging-0 atlantis {"level":"debug","ts":"2024-07-31T08:36:41.153Z","caller":"events/events_controller.go:598","msg":"request valid","json":{}}
atlantis-staging-0 atlantis {"level":"debug","ts":"2024-07-31T08:36:41.153Z","caller":"events/events_controller.go:602","msg":"handling as comment event","json":{}}
atlantis-staging-0 atlantis {"level":"info","ts":"2024-07-31T08:36:41.153Z","caller":"events/events_controller.go:656","msg":"parsed comment as command=\"approve_policies\" verbose=false dir=\"\" workspace=\"\" project=\"\" policyset=\"\", clear-policy-approval=false, flags=\"\"","json":{"repo":"dorian.ts/terraform-atlantis","pull":9}}
atlantis-staging-0 atlantis {"level":"debug","ts":"2024-07-31T08:36:41.153Z","caller":"vcs/gitlab_client.go:195","msg":"Adding reaction 'thumbsup' to comment 1021490 on GitLab merge request 9","json":{"repo":"dorian.ts/terraform-atlantis","pull":9}}
atlantis-staging-0 atlantis {"level":"debug","ts":"2024-07-31T08:36:41.264Z","caller":"vcs/gitlab_client.go:198","msg":"POST /projects/dorian.ts/terraform-atlantis/merge_requests/9/notes/1021490/award_emoji returned: 201","json":{"repo":"dorian.ts/terraform-atlantis","pull":9}}
atlantis-staging-0 atlantis {"level":"info","ts":"2024-07-31T08:36:41.264Z","caller":"events/events_controller.go:699","msg":"Running comment command 'approve_policies' on repo 'dorian.ts/terraform-atlantis', pull request: 9 for user 'dorian.ts'.","json":{"repo":"dorian.ts/terraform-atlantis","pull":9}}
atlantis-staging-0 atlantis {"level":"debug","ts":"2024-07-31T08:36:41.264Z","caller":"events/events_controller.go:858","msg":"Processing...","json":{}}
atlantis-staging-0 atlantis {"level":"debug","ts":"2024-07-31T08:36:41.264Z","caller":"server/middleware.go:72","msg":"POST /events – respond HTTP 200","json":{}}
atlantis-staging-0 atlantis {"level":"debug","ts":"2024-07-31T08:36:41.264Z","caller":"vcs/gitlab_client.go:504","msg":"Getting GitLab merge request 9","json":{"repo":"dorian.ts/terraform-atlantis","pull":"9"}}
atlantis-staging-0 atlantis {"level":"debug","ts":"2024-07-31T08:36:41.507Z","caller":"vcs/gitlab_client.go:507","msg":"GET /projects/dorian.ts/terraform-atlantis/merge_requests/9 returned: 200","json":{"repo":"dorian.ts/terraform-atlantis","pull":"9"}}
atlantis-staging-0 atlantis {"level":"debug","ts":"2024-07-31T08:36:41.507Z","caller":"vcs/gitlab_client.go:398","msg":"Updating GitLab commit status for 'atlantis/policy_check' to 'pending'","json":{"repo":"dorian.ts/terraform-atlantis","pull":"9"}}
atlantis-staging-0 atlantis {"level":"debug","ts":"2024-07-31T08:36:41.507Z","caller":"vcs/gitlab_client.go:504","msg":"Getting GitLab merge request 9","json":{"repo":"dorian.ts/terraform-atlantis","pull":"9"}}
atlantis-staging-0 atlantis {"level":"debug","ts":"2024-07-31T08:36:41.708Z","caller":"vcs/gitlab_client.go:507","msg":"GET /projects/dorian.ts/terraform-atlantis/merge_requests/9 returned: 200","json":{"repo":"dorian.ts/terraform-atlantis","pull":"9"}}
atlantis-staging-0 atlantis {"level":"debug","ts":"2024-07-31T08:36:41.708Z","caller":"vcs/gitlab_client.go:426","msg":"Head pipeline found for merge request 9, source 'external'. refTarget 'testing-7'","json":{"repo":"dorian.ts/terraform-atlantis","pull":"9"}}
atlantis-staging-0 atlantis {"level":"debug","ts":"2024-07-31T08:36:41.822Z","caller":"vcs/gitlab_client.go:468","msg":"POST /projects/dorian.ts/terraform-atlantis/statuses/f1b246066a0465323158044a2fc917ccdf021d3f returned: 201","json":{"repo":"dorian.ts/terraform-atlantis","pull":"9","attempt":1,"max_attempts":10,"repo":"dorian.ts/terraform-atlantis","commit":"f1b246066a0465323158044a2fc917ccdf021d3f","state":"pending"}}
atlantis-staging-0 atlantis {"level":"debug","ts":"2024-07-31T08:36:41.823Z","caller":"valid/global_cfg.go:425","msg":"building config based on server-side config","json":{"repo":"dorian.ts/terraform-atlantis","pull":"9"}}
atlantis-staging-0 atlantis {"level":"debug","ts":"2024-07-31T08:36:41.823Z","caller":"valid/global_cfg.go:682","msg":"setting custom_policy_check: true from repos[1], id: /.*/","json":{"repo":"dorian.ts/terraform-atlantis","pull":"9"}}
atlantis-staging-0 atlantis {"level":"debug","ts":"2024-07-31T08:36:41.823Z","caller":"valid/global_cfg.go:682","msg":"setting plan_requirements: [policies_passed] from repos[1], id: /.*/","json":{"repo":"dorian.ts/terraform-atlantis","pull":"9"}}
atlantis-staging-0 atlantis {"level":"debug","ts":"2024-07-31T08:36:41.823Z","caller":"valid/global_cfg.go:682","msg":"setting import_requirements: [policies_passed] from repos[1], id: /.*/","json":{"repo":"dorian.ts/terraform-atlantis","pull":"9"}}
atlantis-staging-0 atlantis {"level":"debug","ts":"2024-07-31T08:36:41.823Z","caller":"valid/global_cfg.go:682","msg":"setting delete_source_branch_on_merge: false from default server config","json":{"repo":"dorian.ts/terraform-atlantis","pull":"9"}}
atlantis-staging-0 atlantis {"level":"debug","ts":"2024-07-31T08:36:41.823Z","caller":"valid/global_cfg.go:682","msg":"setting allow_custom_workflows: true from repos[1], id: /.*/","json":{"repo":"dorian.ts/terraform-atlantis","pull":"9"}}
atlantis-staging-0 atlantis {"level":"debug","ts":"2024-07-31T08:36:41.823Z","caller":"valid/global_cfg.go:682","msg":"setting repo_locks: this is a bug from default server config","json":{"repo":"dorian.ts/terraform-atlantis","pull":"9"}}
atlantis-staging-0 atlantis {"level":"debug","ts":"2024-07-31T08:36:41.823Z","caller":"valid/global_cfg.go:682","msg":"setting policy_check: true from repos[1], id: /.*/","json":{"repo":"dorian.ts/terraform-atlantis","pull":"9"}}
atlantis-staging-0 atlantis {"level":"debug","ts":"2024-07-31T08:36:41.823Z","caller":"valid/global_cfg.go:682","msg":"setting apply_requirements: [approved,mergeable,undiverged,policies_passed] from repos[1], id: /.*/","json":{"repo":"dorian.ts/terraform-atlantis","pull":"9"}}
atlantis-staging-0 atlantis {"level":"debug","ts":"2024-07-31T08:36:41.823Z","caller":"valid/global_cfg.go:682","msg":"setting workflow: \"custom\" from repos[1], id: /.*/","json":{"repo":"dorian.ts/terraform-atlantis","pull":"9"}}
atlantis-staging-0 atlantis {"level":"debug","ts":"2024-07-31T08:36:41.823Z","caller":"valid/global_cfg.go:682","msg":"setting allowed_overrides: [] from default server config","json":{"repo":"dorian.ts/terraform-atlantis","pull":"9"}}
atlantis-staging-0 atlantis {"level":"debug","ts":"2024-07-31T08:36:41.823Z","caller":"events/project_command_context_builder.go:171","msg":"PolicyChecks are enabled","json":{"repo":"dorian.ts/terraform-atlantis","pull":"9"}}
atlantis-staging-0 atlantis {"level":"debug","ts":"2024-07-31T08:36:41.824Z","caller":"terraform/terraform_client.go:309","msg":"Found required_version setting of \">= 0.13\"","json":{"repo":"dorian.ts/terraform-atlantis","pull":"9"}}
atlantis-staging-0 atlantis 2024/07/31 08:36:41 [DEBUG] GET https://releases.hashicorp.com/terraform/index.json
atlantis-staging-0 atlantis {"level":"debug","ts":"2024-07-31T08:36:41.962Z","caller":"events/project_command_context_builder.go:98","msg":"Building project command context for approve_policies","json":{"repo":"dorian.ts/terraform-atlantis","pull":"9"}}
atlantis-staging-0 atlantis {"level":"info","ts":"2024-07-31T08:36:42.058Z","caller":"events/project_locker.go:86","msg":"acquired lock with id \"dorian.ts/terraform-atlantis/states/tf-buckets/default\"","json":{"repo":"dorian.ts/terraform-atlantis","pull":"9"}}
atlantis-staging-0 atlantis {"level":"debug","ts":"2024-07-31T08:36:42.058Z","caller":"events/project_command_runner.go:332","msg":"acquired lock for project","json":{"repo":"dorian.ts/terraform-atlantis","pull":"9"}}
atlantis-staging-0 atlantis {"level":"error","ts":"2024-07-31T08:36:42.058Z","caller":"events/instrumented_project_command_runner.go:78","msg":"Error running approve_policies operation: 1 error occurred:\n\t* policy set: Custom user dorian.ts is not a policy owner - please contact policy owners to approve failing policies\n\n","json":{"repo":"dorian.ts/terraform-atlantis","pull":"9"},"stacktrace":"github.com/runatlantis/atlantis/server/events.RunAndEmitStats\n\tgithub.com/runatlantis/atlantis/server/events/instrumented_project_command_runner.go:78\ngithub.com/runatlantis/atlantis/server/events.(*InstrumentedProjectCommandRunner).ApprovePolicies\n\tgithub.com/runatlantis/atlantis/server/events/instrumented_project_command_runner.go:50\ngithub.com/runatlantis/atlantis/server/events.runProjectCmds\n\tgithub.com/runatlantis/atlantis/server/events/project_command_pool_executor.go:48\ngithub.com/runatlantis/atlantis/server/events.(*ApprovePoliciesCommandRunner).Run\n\tgithub.com/runatlantis/atlantis/server/events/approve_policies_command_runner.go:75\ngithub.com/runatlantis/atlantis/server/events.(*DefaultCommandRunner).RunCommentCommand\n\tgithub.com/runatlantis/atlantis/server/events/command_runner.go:367"}
atlantis-staging-0 atlantis {"level":"debug","ts":"2024-07-31T08:36:42.059Z","caller":"vcs/gitlab_client.go:175","msg":"Creating comment on GitLab merge request 9","json":{"repo":"dorian.ts/terraform-atlantis","pull":"9"}}
atlantis-staging-0 atlantis {"level":"debug","ts":"2024-07-31T08:36:42.229Z","caller":"vcs/gitlab_client.go:184","msg":"POST /projects/dorian.ts/terraform-atlantis/merge_requests/9/notes returned: 201","json":{"repo":"dorian.ts/terraform-atlantis","pull":"9"}}
atlantis-staging-0 atlantis {"level":"debug","ts":"2024-07-31T08:36:42.229Z","caller":"events/db_updater.go:25","msg":"updating DB with pull results","json":{"repo":"dorian.ts/terraform-atlantis","pull":"9"}}
atlantis-staging-0 atlantis {"level":"debug","ts":"2024-07-31T08:36:42.231Z","caller":"vcs/gitlab_client.go:398","msg":"Updating GitLab commit status for 'atlantis/policy_check' to 'failed'","json":{"repo":"dorian.ts/terraform-atlantis","pull":"9"}}
atlantis-staging-0 atlantis {"level":"debug","ts":"2024-07-31T08:36:42.231Z","caller":"vcs/gitlab_client.go:504","msg":"Getting GitLab merge request 9","json":{"repo":"dorian.ts/terraform-atlantis","pull":"9"}}
atlantis-staging-0 atlantis {"level":"debug","ts":"2024-07-31T08:36:42.439Z","caller":"vcs/gitlab_client.go:507","msg":"GET /projects/dorian.ts/terraform-atlantis/merge_requests/9 returned: 200","json":{"repo":"dorian.ts/terraform-atlantis","pull":"9"}}
atlantis-staging-0 atlantis {"level":"debug","ts":"2024-07-31T08:36:42.439Z","caller":"vcs/gitlab_client.go:426","msg":"Head pipeline found for merge request 9, source 'external'. refTarget 'testing-7'","json":{"repo":"dorian.ts/terraform-atlantis","pull":"9"}}
atlantis-staging-0 atlantis {"level":"debug","ts":"2024-07-31T08:36:42.546Z","caller":"vcs/gitlab_client.go:468","msg":"POST /projects/dorian.ts/terraform-atlantis/statuses/f1b246066a0465323158044a2fc917ccdf021d3f returned: 201","json":{"repo":"dorian.ts/terraform-atlantis","pull":"9","attempt":1,"max_attempts":10,"repo":"dorian.ts/terraform-atlantis","commit":"f1b246066a0465323158044a2fc917ccdf021d3f","state":"failed"}}

Environment details

  • Atlantis version: atlantis v0.28.5 (commit: 92d10ec) (build date: 2024-07-17T17:07:30.148Z)
  • Deployment method: Helm

dorian-tsorfy, Jul 31 '24 08:07
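
The owner check the issue describes (a match on the users list, or on any team the VCS client resolves for the commenter), as an added Go sketch that is not Atlantis's code and is not taken from the linked PR. `TeamLookup` and `CanApprove` are hypothetical names and the empty lookup is a constructed scenario; it shows that a lookup resolving no teams denies team-based owners while a static users list still passes, and that logging the resolved-team count makes that case visible.

```go
package main

import (
	"fmt"
	"strings"
)

// PolicyOwners mirrors the users/teams lists under policies.owners in the config above.
type PolicyOwners struct {
	Users []string
	Teams []string
}

// TeamLookup is a hypothetical stand-in for the VCS client call that resolves a user's teams.
type TeamLookup func(user string) ([]string, error)

// IsOwner: direct match in Users, or any resolved team present in Teams (case-insensitive).
func (o PolicyOwners) IsOwner(user string, userTeams []string) bool {
	for _, u := range o.Users {
		if strings.EqualFold(u, user) {
			return true
		}
	}
	for _, allowed := range o.Teams {
		for _, t := range userTeams {
			if strings.EqualFold(allowed, t) {
				return true
			}
		}
	}
	return false
}

// CanApprove resolves teams, then applies IsOwner. A lookup error or empty result fails closed.
func CanApprove(o PolicyOwners, user string, lookup TeamLookup) (bool, string) {
	teams, err := lookup(user)
	if err != nil {
		teams = nil
	}
	if o.IsOwner(user, teams) {
		return true, "owner"
	}
	return false, fmt.Sprintf("user %s is not a policy owner (teams resolved: %d)", user, len(teams))
}

func main() {
	none := func(string) ([]string, error) { return nil, nil } // constructed: lookup resolving no teams
	fmt.Println(CanApprove(PolicyOwners{Teams: []string{"production-engineers"}}, "dorian.ts", none))
}
```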

I saw there is an open PR about exactly that. https://github.com/runatlantis/atlantis/pull/4001

dorian-tsorfy, Aug 05 '24 08:08

The PR has been merged, I think this can be closed.

peikk0, Jan 26 '25 04:01

Thanks for your contribution @peikk0 !

dorian-tsorfy, Jan 26 '25 07:01