Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

How to use custom workflows and restrict actions by username #701

Closed
lkysow opened this issue Jul 11, 2019 · 7 comments

Comments

@lkysow
Copy link
Member

commented Jul 11, 2019

amazing! So if I wanted to run apply and destroy with the default behavior and just add a check for an allowed list of users I would just have to do this right?

apply:
  steps:
    - run: echo 'Checking Bitbucket user is allowed to run atlantis apply'
    - if [ $USER_NAME != "username" ]; then exit 1; fi
    - init
    - apply
destroy:
  steps:
    - run: echo 'Checking Bitbucket user is allowed to run atlantis apply'
    - if [ $USER_NAME != "username" ]; then exit 1; fi
    - init
    - apply

Originally posted by @red8888 in #308 (comment)

@lkysow

This comment has been minimized.

Copy link
Member Author

commented Jul 11, 2019

@red8888 I've moved your question here.

There is no such thing as a destroy workflow. Only plan and apply are supported. You can run atlantis plan -- -destroy which would create a plan to destroy the infra.

Your apply workflow looks good (I haven't tested it), except you don't need the init step. init has already been run in the directory before you get to planning.

@lkysow lkysow added the question label Jul 12, 2019

@lkysow lkysow closed this Jul 12, 2019

@red8888

This comment has been minimized.

Copy link

commented Jul 16, 2019

This does not appear to be working. Im using the following config:

      ---
      workflows:
        default:
          apply:
            steps:
            - run: echo "Checking Bitbucket user ($USERNAME) is allowed to run atlantis apply"
            - run: if [ $USERNAME != "username" ]; then echo ($USERNAME) is NOT allowed to apply && exit 1; fi
            #- apply

Even if I comment out apply it still just runs apply instead of the custom commands

@red8888

This comment has been minimized.

Copy link

commented Jul 16, 2019

ok it seems im misunderstanding "default" because this does run custom commands but it seems $USERNAME is blank

      repos:
      - id: /.*/
        workflow: allowed_approvers
      workflows:
        allowed_approvers:
          apply:
            steps:
            - run: echo "Checking Bitbucket user ($USERNAME) is allowed to run atlantis apply"
            - run: if [ $USERNAME != "username" ]; then echo ($USERNAME) is NOT allowed to apply && exit 1; fi
            #- apply
@lkysow

This comment has been minimized.

Copy link
Member Author

commented Jul 16, 2019

oops, it looks like the environment variable is actually USER_NAME. Sorry about that. They're documented here for reference: https://www.runatlantis.io/docs/custom-workflows.html#custom-run-command

@red8888

This comment has been minimized.

Copy link

commented Jul 16, 2019

ah i just did a printenv and i see it is USER_NAME

Also, was I using "default:" wrong? It doesn't matter, using id: /.*/ does literally the same thing i want so works for me, but just curious

@lkysow

This comment has been minimized.

Copy link
Member Author

commented Jul 16, 2019

If you're writing atlantis.yaml repo-side config then default isn't a special name. You'll still need to do

projects:
- dir: .
  workflow: default

If you're doing this server-side, the default workflow that Atlantis ships with will be used unless you override with id: /.*/ like you did. I think that probably deserves better docs.

@red8888

This comment has been minimized.

Copy link

commented Jul 16, 2019

gotcha thanks for clarifying

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
2 participants
You can’t perform that action at this time.