plan_requirements (similar to apply_requirements)

[jbg]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request. Searching for pre-existing feature requests helps us consolidate datapoints for identical requirements into a single place, thank you!
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.
• If you are interested in working on this issue or have submitted a pull request, please leave a comment.

---

"apply_requirements": ["mergeable"] (with appropriate branch protection settings) is great for preventing accidental applying of a plan generated based on a branch that isn't up-to-date with changes in master. However, we still waste time and resources on planning those branches. Since the apply requirements prevent the plan from being applied without merging/rebasing the base branch, and since that merge/rebase will cause a new plan to be generated, running a plan before the merge/rebase is done serves no purpose.

It would be great if there was a way to make atlantis refuse to run a plan if the branch is not up-to-date with all changes from the base branch. This way, we don't have locks held unnecessarily, for plans that can never be applied anyway, blocking other work from progressing.

[Skeen]

We are also very interested in plan_requirements, but from a different perspective, namely security.

As described here: https://www.runatlantis.io/docs/security.html#protect-terraform-planning, planning involves security risks similar to applying (i.e. by simply local-execing credentials to a sniffer-site). Thus apply_requirements do not cover all security bases, and it would make sense to be able to apply the same policies for planning and application.

[nitrocode]

While not directly related to this, one of our passionate contributions has been working on atlantis import subcommand and has introduced import_requirements.

For anything interested in contributing plan_requirements, please see the PR #2783. It might be an easy, straight forward change.

[hanpeter]

It looks like this is implemented in #2979 and scheduled to be released with v0.23.0.

Unfortunately, the documentation was updated at the same time. So, it falsely appears to be available already.

[nitrocode]

@hanpeter feel free to contribute a pr to say that it will be available in the upcoming release.

You can also use the dev tagged image to test out the feature before the release. We encourage users to do this in order to find any bugs sooner.

[douglascayers]

It looks like this is implemented in #2979 and scheduled to be released with v0.23.0.

Unfortunately, the documentation was updated at the same time. So, it falsely appears to be available already.

@hanpeter I thought I was going crazy tonight 😆

This is my first venture into Atlantis and I'm using the ghcr.io/runatlantis/atlantis:v0.22.3 docker image (because at the time of writing it's tagged as the latest release), and per the docs I included the following config but on startup the server kept complaining that plan_requirements wasn't part of the schema. A real head scratcher until I found this comment thread. Thanks!

repos:
- id: /.*/
  plan_requirements: [undiverged]
  apply_requirements: [approved, mergeable, undiverged]
  import_requirements: [approved, mergeable, undiverged]

Per @nitrocode's comment, changing my dockerfile to pull from dev tag allowed the server to parse the config and start.

That's as far as I've gotten on this journey... getting it started. No idea if the rest of it works 😆