Our whole Atlantis workflow is working great, except for when we get new users, and they always forget to comment atlantis apply before they merge. How can we require users to apply before merging?
We tried requiring atlantis:apply as a github status check, but then that means atlantis won't run because the branch is not mergeable.
Edit: removing mergeable in apply_requirements is not an option because we run the risk of someone trying to apply their changes on a branch that's not up to date with master.
What you need to do is leverage both the Atlantis Apply Requirements and the Github checks (like you are doing).
On the Atlantis side, update the server level Atlantis.yaml to only require Approvals.
apply_requirements: [approved]
This, in combination with the github check you've implemented already should unblock you @kenske.
The workflow should look like this:
@rawlbot thanks for the suggestion, but I don't want to remove the mergeable condition because we run the risk of someone trying to apply their changes on a branch that's not up to date with master. Is there another way to achieve this?
@kenske We have it like that..
approved and mergeable is needed
automerge
CODEOWNERS to allow only our team to approve (otherwise anyone can approve)
atlantis:plan check pass (sorry originally I wrote apply and apply cannot be set)
@ingwarsw sounds great except that if we require the atlantis:apply check to pass for the repository, then that screws us for our top level directory that has no terraform files in it (just our top level terragrunt.hcl and stuff).
@ingwarsw If you have mergeable set, why do you need approved set?
if atlantis:apply is required for merge, I can't have mergeable set because it won't let me apply until I've applied :)
@grimm26 I'm running into the same issue. I'm considering setting up some sort of PR bot with its own status check. The bot would check for a plan and then require atlantis apply before setting its own check to pass.
@grimm26 @kenske I fixed my comment.. we are checking atlantis:plan not atlantis:apply .. sorry my mistake..
And yes mergeable would be enough on atlantis..
Other than that it works ok and is secure..
CODEOWNERS is most important stuff.. otherwise anyone with any comment access would be able to merge..
I have a setup working now with requiring atlantis/plan and atlantis/apply on github with automerge enabled on atlantis but only setting apply_requirements: [approved], not mergeable. CODEOWNERS is in play, obviously. Seems to be working fine. We have more admins that are allowed to merge, but this keeps them from slapping a green merge button after approvals and plan are done.
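The trade-off between the three setups discussed in this thread, as an added example that is not part of the thread or of Atlantis itself: a simplified Python model that reports, for each setup, whether apply is deadlocked, whether a PR can be merged without applying, and whether apply can run on a stale branch. It assumes branch protection requires approval and an up-to-date branch; the `Policy` class and the function names are hypothetical.

```python
from dataclasses import dataclass

# Simplified model (assumption): GitHub treats a PR as mergeable when it is
# approved, up to date with the base branch, and every required check is green.
@dataclass(frozen=True)
class Policy:
    required_checks: frozenset     # branch protection: required status checks
    apply_requirements: frozenset  # Atlantis apply_requirements values

def mergeable(policy, passed, approved, up_to_date):
    return approved and up_to_date and policy.required_checks <= passed

def can_apply(policy, passed, approved, up_to_date):
    reqs = policy.apply_requirements
    if "approved" in reqs and not approved:
        return False
    if "mergeable" in reqs and not mergeable(policy, passed, approved, up_to_date):
        return False
    return True

def evaluate(policy):
    """Findings for an approved PR whose plan succeeded but is not yet applied."""
    passed = frozenset({"atlantis/plan"})
    return {
        # Apply is blocked even though the PR is approved and up to date.
        "apply_deadlocked": not can_apply(policy, passed, True, True),
        # The merge button is green before anyone has applied.
        "merge_without_apply": mergeable(policy, passed, True, True),
        # Apply is allowed on a branch that is behind the base branch.
        "apply_on_stale_branch": can_apply(policy, passed, True, False),
    }

# Constructed policies mirroring the setups described in the thread.
SETUPS = {
    "apply check + mergeable": Policy(
        frozenset({"atlantis/apply"}), frozenset({"approved", "mergeable"})),
    "plan and apply checks + approved only": Policy(
        frozenset({"atlantis/plan", "atlantis/apply"}), frozenset({"approved"})),
    "plan check + approved and mergeable": Policy(
        frozenset({"atlantis/plan"}), frozenset({"approved", "mergeable"})),
}

if __name__ == "__main__":
    for name, policy in SETUPS.items():
        print(f"{name}: {evaluate(policy)}")
```
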