Atlantis: How can you require an apply before merge?

Created on 15 Dec 2020 · 9 Comments · Source: runatlantis/atlantis

Our whole Atlantis workflow is working great, except for when we get new users, and they always forget to comment atlantis apply before they merge. How can we require users to apply before merging?

We tried requiring atlantis:apply as a github status check, but then that means atlantis won't run because the branch is not mergeable.

Edit: removing mergeable in apply_requirements is not an option because we run the risk of someone trying to apply their changes on a branch that's not up to date with master.

Most helpful comment

What you need to do is leverage both the Atlantis Apply Requirements and the Github checks (like you are doing).
On the Atlantis side, update the server level Atlantis.yaml to only require Approvals.

apply_requirements: [approved]

This, in combination with the github check you've implemented already should unblock you @kenske.

The workflow should look like this:

  • PR is submitted and planned
  • Peer reviews code and approves
  • Code Submitter is unable to merge due to status check requirement (Atlantis apply check you already have in place)
  • Code Submitter comments atlantis apply
  • Atlantis can run since change is approved and will merge/close out the PR

@rawlbot thanks for the suggestion, but I don't want to remove the mergeable condition because we run the risk of someone trying to apply their changes on a branch that's not up to date with master. Is there another way to achieve this?

@kenske We have it like that..

  • On atlantis:

    • Both approved and mergeable are needed

    • Set to automerge

  • On GH:

    • We have CODEOWNERS to allow only our team to approve (otherwise anyone can approve)

    • We require atlantis:plan check pass (sorry originally I wrote apply and apply cannot be set)

    • We have only atlantis user (in our case GH app) allowed to merge code..

@ingwarsw sounds great except that if we require the atlantis:apply check to pass for the repository, then that screws us for our top level directory that has no terraform files in it (just our top level terragrunt.hcl and stuff).

@ingwarsw If you have mergeable set, why do you need approved set?

If atlantis:apply is required for merge, I can't have mergeable set because it won't let me apply until I've applied :)

@grimm26 I'm running into the same issue. I'm considering setting up some sort of PR bot with its own status check. The bot would check for a plan and then require atlantis apply before setting its own check to pass.

@grimm26 @kenske I fixed my comment.. we are checking atlantis:plan not atlantis:apply .. sorry my mistake..
And yes mergeable would be enough on atlantis..

Other than that it works ok and is secure..
CODEOWNERS is most important stuff.. otherwise anyone with any comment access would be able to merge..

I have a setup working now with requiring atlantis/plan and atlantis/apply on github with automerge enabled on atlantis but only setting apply_requirements: [approved], not mergeable. CODEOWNERS is in play, obviously. Seems to be working fine. We have more admins that are allowed to merge, but this keeps them from slapping a green merge button after approvals and plan are done.
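The setups discussed in this thread, modelled as an added example (not part of any comment and not Atlantis code). It assumes GitHub reports a PR as mergeable only when it is approved, up to date and every required check is green; the names `Setup`, `PR`, `evaluate` and `SETUPS` are hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class Setup:
    required_checks: set              # status checks GitHub requires before merge
    apply_requirements: set           # Atlantis apply_requirements values
    human_merge_allowed: bool = True  # False when only the Atlantis user may merge

@dataclass
class PR:
    approved: bool = True
    up_to_date: bool = True
    checks: dict = field(default_factory=dict)  # check name -> passed?

def github_mergeable(pr, setup):
    # Assumption (simplified model): mergeable means approved, up to date,
    # and every required status check has passed.
    return (pr.approved and pr.up_to_date
            and all(pr.checks.get(c, False) for c in setup.required_checks))

def atlantis_can_apply(pr, setup):
    if "approved" in setup.apply_requirements and not pr.approved:
        return False
    if "mergeable" in setup.apply_requirements and not github_mergeable(pr, setup):
        return False
    return True

def evaluate(setup, up_to_date=True):
    """Return (apply_possible, human_can_merge_before_apply)."""
    # Constructed PR state: planned and approved, apply not yet run.
    pr = PR(True, up_to_date, {"atlantis/plan": True, "atlantis/apply": False})
    merge_early = setup.human_merge_allowed and github_mergeable(pr, setup)
    return atlantis_can_apply(pr, setup), merge_early

SETUPS = {
    # Required atlantis/apply check plus mergeable: apply can never start.
    "original": Setup({"atlantis/apply"}, {"approved", "mergeable"}),
    # Both checks required on GitHub, only approved on Atlantis.
    "approved_only": Setup({"atlantis/plan", "atlantis/apply"}, {"approved"}),
    # Plan check required, mergeable kept, merging limited to the Atlantis user.
    "plan_check_bot_merge": Setup({"atlantis/plan"}, {"approved", "mergeable"},
                                  human_merge_allowed=False),
}

if __name__ == "__main__":
    for name, setup in SETUPS.items():
        print(name, "fresh:", evaluate(setup), "stale:", evaluate(setup, False))
```

In this model the `approved_only` setup still allows an apply on a branch that is behind master, while `plan_check_bot_merge` blocks it and prevents an early merge only because humans cannot merge.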
