GitHub
02/23/2024, 3:33 PM
`--automerge-allow-partial-applied-plans` that could be set to true, if the user desires.
Describe the drawbacks of your solution
this should be accompanied by a warning in the docs, as it would require the checks that we have implemented, or something similar
Describe alternatives you've considered
not use automerging at all
runatlantis/atlantis
GitHub
02/28/2024, 3:00 PM
`-chdir` using atlantis. This would provide more flexibility with module layout and reduce a significant amount of copy pasta.
Describe the solution you'd like
Ideally `TF_CLI_ARGS` would provide a way to handle this. See this issue: hashicorp/terraform#28037. Unfortunately their docs are very clear on its behavior:
These arguments are inserted directly after the subcommand (such as plan) and before any flags specified directly on the command-line. This behavior ensures that flags on the command-line take precedence over environment variables.
My initial thought for an implementation would be an additional `extra_args` add under workflow:
workflows:
  myworkflow:
    extra_args: ["-chdir=myawesomedir"]
    plan:
      steps:
        - init:
            extra_args: ["-lock=false"]
        - plan:
            extra_args: ["-lock=false"]
Describe the drawbacks of your solution
Additional complexity around supporting global flags. For instance what about cases where the user only wants to chdir on specific commands?
Describe alternatives you've considered
- run: terraform -chdir=myawesomedir plan
runatlantis/atlantis
GitHub
02/29/2024, 1:32 AM
`atlantis force_unlock <lockID>`
Describe the drawbacks of your solution
So long as proper access controls can be applied to the command, I do not see any issues.
Describe alternatives you've considered
N/A
runatlantis/atlantis
GitHub
02/29/2024, 9:42 AM
`atlantis.yaml` in the mainline, and configure it with a new workflow.
3. `atlantis plan` in the PR
4. old workflow will still be used
Logs
{"level":"info","ts":"2024-02-29T09:19:20.809Z","caller":"events/project_command_builder.go:427","msg":"successfully parsed atlantis.yaml file","json":{"repo":"repo","pull":"7158"}}
{"level":"info","ts":"2024-02-29T09:19:20.945Z","caller":"events/project_command_builder.go:467","msg":"5 projects are to be planned based on their when_modified config","json":{"repo":"repo","pull":"7158"}}
...
{"level":"info","ts":"2024-02-29T09:19:31.283Z","caller":"events/working_dir.go:133","msg":"base branch has been updated, using merge strategy and will clone again","json":{}}
...
Environment details
• Atlantis version: 0.27.1
• Deployment method: helm
Additional Context
runatlantis/atlantis
GitHub
02/29/2024, 3:28 PM
`atlantis apply`, I'd like to know if apply failed because the pull request is not mergeable or because Atlantis failed to determine if the pull request is mergeable. The behaviour today is to say the pull request "must be mergeable before apply". But this is very confusing if the pull request is in fact mergeable, just that Atlantis had an error the user would not be aware of. This could happen if Atlantis for example is missing certain permissions to GitHub.
Describe the solution you'd like
Instead of just swallowing the error as is done here:
atlantis/server/events/apply_command_runner.go
Line 111 in b4ab9c0 (/runatlantis/atlantis/commit/b4ab9c08e24df655c01b221a6cb581c87506b4ed)
The fact that an error occurred could be used in rendering the response message, depending on the configuration if mergeability is required or not.
Describe the drawbacks of your solution
Describe alternatives you've considered
runatlantis/atlantis
GitHub
03/01/2024, 8:45 AM
`v0.25.0`) with GitHub App.
With comment `atlantis approve_policies -d xxx`, I got the following message.
1 error occurred:
* policy set: example user tetsuya28 is not a policy owner - please contact policy owners to approve failing policies
policies:
  owners:
    teams:
      - MY_ORG/MY_TEAM
  policy_sets:
    - name: example
      path: /home/atlantis/policies
      source: local
The GitHub App has `Members` permission.
When I set users in policy owners, I can approve.
policies:
  owners:
    users:
      - tetsuya28
runatlantis/atlantis
GitHub
03/01/2024, 9:37 AM
`plan`), there is no way to cancel it in the run, nor kill a hanging workflow.
For our case, we have a PR that forgot to configure a variable in the hcl. And the workflow didn't set `--input=false` for tf. Atlantis hangs on that plan workflow forever, which holds the work directory lock and prevents other people from working on it.
The most frustrating part is that `atlantis unlock` or running unlock from the ui won't fix this, as they only deal with the project lock not the directory lock.
The only way to fix this is to restart the atlantis server.
Reproduction Steps
global:
  plan:
    steps:
      - run: sleep 1000000
Logs
I've added logging to `work_dir_locker.go`, which gives:
```
{"level":"info","ts":"2024-03-01T090745.062Z","caller":"events/plan_command_runner.go:132","msg":"Running plans in parallel","json":{"repo":"repo","pull":"7189"}}
{"level":"info","ts":"2024-03-01T090745.062Z","caller":"vcs/instrumented_client.go:236","msg":"updating vcs status","json":{"repository":"repo","pull-num":"7189","src":"atlantis/plan: production","description":"Plan in progress...","state":"pending","url":"http://atlantis-ui.fa.tesla.services/jobs/96bbd14a-3cb8-4edc-961a-7e297df08b42"}}
{"level":"info","ts":"2024-03-01T090745.062Z","caller":"vcs/instrumented_client.go:236","msg":"updating vcs status","json":{"repository":"repo","pull-num":"7189","src":"atlantis/plan: staging","description":"Plan in progress...","state":"pending","url":"http://atlantis-ui.fa.tesla.services/jobs/428d5e6d-61d3-4a5f-b621-cdf78a4facc1"}}
{"level":"info","ts":"2024-03-01T090745.198Z","caller":"events/project_locker.go:86","msg":"acquired lock with id \"repo/staging/default\"","json":{"repo":"repo","pull":"7189"}}
{"level":"warn","ts":"2024-03-01T090745.198Z","caller":"events/working_dir_locker.go:93","msg":"Trying to lock repo/7189/default/staging","json":{},"stacktrace":"github.com/runatlantis/atlantis/server/events.(*DefaultWorkingDirLocker).TryLock\n\tgithub.com/runatlantis/atlantis/server/events/working_dir_locker.go:93\ngithub.com/runatlantis/atlantis/server/events.(*DefaultProjectCommandRunner).doPlan\n\tgithub.com/runatlantis/atlantis/server/events/project_command_runner.go:549\ngithub.com/runatlantis/atlantis/server/events.(*DefaultProjectCommandRunner).Plan\n\tgithub.com/runatlantis/atlantis/server/events/project_command_runner.go:226\ngithub.com/runatlantis/atlantis/server/events.(*ProjectOutputWrapper).updateProjectPRStatus\n\tgithub.com/runatlantis/atlantis/server/events/project_command_runner.go:184\ngithub.com/runatlantis/atlantis/server/events.(*ProjectOutputWrapper).Plan\n\tgithub.com/runatlantis/atlantis/server/events/project_command_runner.go164\ngithub.com/runatlantis/atlantis/server/events.RunAndEmitStats\n\tgithub.com/runatlantis/atlantis/server/events/instrumented project command runner.go74\ngithub.com/runatlantis/atlantis/server/events.(*InstrumentedProjectCommandRunner).Plan\n\tgithub.com/runatlantis/atlantis/server/events/instrumented_project_command_runner.go38\ngithub.com/runatlantis/atlantis/server/events.runProjectCmdsParallel.func1\n\tgithub.com/runatlantis/atlantis/server/events/project command pool executor.go29"}
{"level":"warn","ts":"2024-03-01T090745.198Z","caller":"events/working_dir_locker.go:105","msg":"Locked repo/7189/default/staging","json":{},"stacktrace":"github.com/runatlantis/atlantis/server/events.(*DefaultWorkingDirLocker).TryLock\n\tgithub.com/runatlantis/atlantis/server/events/working_dir_locker.go:105\ngithub.com/runatlantis/atlantis/server/events.(*DefaultProjectCommandRunner).doPlan\n\tgithub.com/runatlantis/atlantis/server/events/project_command_runner.go:549\ngithub.com/runatlantis/atlantis/server/events.(*DefaultProjectCommandRunner).Plan\n\tgithub.com/runatlantis/atlantis/server/events/project_command_runner.go:226\ngithub.com/runatlantis/atlantis/server/events.(*ProjectOutputWrapper).updateProjectPRStatus\n\tgithub.com/runatlantis/atlantis/server/events/project_command_runner.go:184\ngithub.com/runatlantis/atlantis/server/events.(*ProjectOutputWrapper).Plan\n\tgithub.com/runatlantis/atlantis/server/events/project_command_runner.go164\ngithub.com/runatlantis/atlantis/server/events.RunAndEmitStats\n\tgithub.com/runatlantis/atlantis/server/events/instrumented project command runner.go74\ngithub.com/runatlantis/atlantis/server/events.(*InstrumentedProjectCommandRunner).Plan\n\tgithub.com/runatlantis/atlantis/server/events/instrumented_project_command_runner.go38\ngithub.com/runatlantis/atlantis/server/events.runProjectCmdsParallel.func1\n\tgithub.com/runatlantis/atlantis/server/events/project command pool executor.go29"}
{"level":"info","ts":"2024-03-01T090745.201Z","caller":"events/project_locker.go:86","msg":"acquired lock with id \"repo/production/default\"","json":{"repo":"repo","pull":"7189"}}
{"level":"warn","ts":"2024-03-01T090745.201Z","caller":"events/working_dir_locker.go:93","msg":"Trying to lock repo/7189/default/production","json":{},"stacktrace":"github.com/runatlantis/atlantis/server/events.(*DefaultWorkingDirLocker).TryLock\n\tgithub.com/runatlantis/atlantis/server/events/working_dir_locker.go:93\ngithub.com/runatlantis/atlantis/server/events.(*DefaultProjectCommandRunner).doPlan\n\tgithub.com/runatlantis/atlantis/server/events/project_command_runner.go:549\ngithub.com/runatlantis/atlantis/server/events.(*DefaultProjectCommandRunner).Plan\n\tgithub.com/runatlantis/atlantis/server/events/project_command_runner.go:226\ngithub.com/runatlantis/atlantis/server/events.(*ProjectOutputWrapper).updateProjectPRStatus\n\tgithub.com/runatlantis/atlantis/server/events/project_command_runner.go:184\ngithub.com/runatlantis/atlantis/server/events.(*ProjectOutputWrapper).Plan\n\tgithub.com/runatlantis/atlantis/server/events/project_command_runner.go164\ngithub.com/runatlantis/atlantis/server/events.RunAndEmitStats\n\tgithub.com/runatlantis/atlantis/server/events/instrumented project command runner.go74\ngithub.com/runatlantis/atlantis/server/events.(*InstrumentedProjectCommandRunner).Plan\n\tgithub.com/runatlantis/atlantis/server/events/instrumented_project_command_runner.go38\ngithub.com/runatlantis/atlantis/server/events.runProjectCmdsParallel.func1\n\tgithub.com/runatlantis/atlantis/server/events/project command pool executor.go29"}
{"level":"warn","ts":"2024-03-01T090745.201Z","caller":"events/working_dir_locker.go:105","msg":"Locked repo/7189/default/production","json":{},"stacktrace":"github.com/runatlantis/atlantis/server/events.(*DefaultWorkingDirLocker).TryLock\n\tgithub.com/runatlantis/atlantis/server/events/working_dir_locker.go:105\ngithub.com/runatlantis/atlantis/server/events.(*DefaultProjectCommandRunner).doPlan\n\tgithub.com/runatlantis/atlantis/server/events/project_command_runner.go:549\ngithub.com/runatlantis/atlantis/server/events.(*DefaultProjectC…
```
runatlantis/atlantis
GitHub
03/01/2024, 10:40 AM
Execute `atlantis plan` in a pull request.
Encounter a workspace lock error.
Attempt to unlock using atlantis unlock.
Re-run atlantis plan and face the same lock error.
Error details
Ran Plan for dir: terraform/sandbox/atlantis workspace: default
Plan Error
The default workspace at path terraform/sandbox/atlantis is currently locked by another command that is running for this pull request.
Wait until the previous command is complete and try again.
Logs
[DBUG] 5 files were modified in this pull request
[DBUG] got workspace lock
[DBUG] clone directory "/home/atlantis/.atlantis/repos/Projects/terraform-sandbox/11/default" already exists, checking if it's at the right commit
[DBUG] repo is at correct commit "a053e755a69ca20ca902397974d5eaf66cb1b2f1" so will not re-clone
[INFO] successfully parsed atlantis.yaml file
[DBUG] moduleInfo for /home/atlantis/.atlantis/repos/Projects/terraform-sandbox/11/default (matching "") = map[]
[DBUG] found downstream projects for "atlantis.yaml": []
[DBUG] found downstream projects for "terraform/_env/atlantis.hcl": []
[DBUG] found downstream projects for "terraform/sandbox/atlantis/terragrunt.hcl": []
[DBUG] found downstream projects for "terraform/sandbox/atlantis_wrapper/main.tf": []
[DBUG] found downstream projects for "terraform/sandbox/atlantis_wrapper/server-atlantis.yaml": []
[DBUG] checking if project at dir "terraform/sandbox/base" workspace "default" was modified
[DBUG] checking if project at dir "terraform/sandbox/application" workspace "default" was modified
[DBUG] checking if project at dir "terraform/sandbox/cluster" workspace "default" was modified
[DBUG] checking if project at dir "terraform/sandbox/atlantis" workspace "default" was modified
[DBUG] file "terraform/sandbox/atlantis/terragrunt.hcl" matched pattern
[INFO] 1 projects are to be planned based on their when_modified config
[DBUG] determining config for project at dir: "terraform/sandbox/atlantis" workspace: "default"
[DBUG] MergeProjectCfg started
[DBUG] setting apply_requirements: [approved] from repos[1], id: /.*/
[DBUG] setting import_requirements: [] from default server config
[DBUG] setting workflow: "default" from repos[1], id: /.*/
[DBUG] setting allowed_overrides: [apply_requirements,workflow] from repos[1], id: /.*/
[DBUG] setting allow_custom_workflows: true from repos[1], id: /.*/
[DBUG] setting delete_source_branch_on_merge: false from default server config
[DBUG] setting repo_locking: true from default server config
[DBUG] setting plan_requirements: [] from default server config
[DBUG] MergeProjectCfg completed
[DBUG] overriding server-defined workflow with repo-specified workflow: "terragrunt"
[DBUG] MergeProjectCfg completed
[DBUG] final settings: plan_requirements: [], apply_requirements: [approved], import_requirements: [], workflow: terragrunt
[DBUG] Building project command context for plan
[INFO] Cannot determine which version to use from terraform configuration, detected 0 possibilities.
[DBUG] deleting previous plans and locks
[INFO] acquired lock with id "Projects/terraform-sandbox/terraform/sandbox/atlantis/default"
[DBUG] acquired lock for project
[EROR] Error running plan operation: The default workspace at path terraform/sandbox/atlantis is currently locked by another command that is running for this pull request.
Wait until the previous command is complete and try again.
runatlantis/atlantis
GitHub
03/03/2024, 11:04 AM
repos:
  - id: /.*/
    branch: /^(production|develop|release)$/
    # pre_workflow_hooks defines arbitrary list of scripts to execute before workflow execution.
    pre_workflow_hooks:
      - run: echo "executing atlantis_config_gen" && /home/atlantis/atlantis_config_gen.sh
    # allowed_overrides specifies which keys can be overridden by this repo in
    # its atlantis.yaml file.
    allowed_overrides: [workflow]
    # allowed_workflows specifies which workflows the repos that match
    # are allowed to select.
    allowed_workflows: [dev, prod, showcase, test, uat, state_bucket, poc, qa]
    # apply_requirements sets the Apply Requirements for all repos that match.
    apply_requirements:
      - approved
      - mergeable
workflows:
  dev:
    plan:
      steps:
        - run: if [ "${BASE_BRANCH_NAME}" != "develop" ]; then echo "The BASE branch ($BASE_BRANCH_NAME) is NOT allowed to deploy in DEV environment" && exit 1; fi
        - init
        - plan
        - run: terraform show -json $PLANFILE > $SHOWFILE
        - run: cp $SHOWFILE "${PROJECT_NAME}_${PULL_NUM}_$(git rev-parse HEAD).json"
        - run: aws s3 cp "${DIR}/${PROJECT_NAME}_${PULL_NUM}_$(git rev-parse HEAD).json" s3://${S3_STORING_PLANS}/plans/dev/planned/$(date +"%m_%d_%y")/ >/dev/null
    apply:
      steps:
        - apply
        - run: cp $SHOWFILE "${PROJECT_NAME}_${PULL_NUM}_$(git rev-parse HEAD).json"
        - run: aws s3 cp "${DIR}/${PROJECT_NAME}_${PULL_NUM}_$(git rev-parse HEAD).json" s3://${S3_STORING_PLANS}/plans/dev/applied/$(date +"%m_%d_%y")/ >/dev/null
    policy_check:
      steps:
        - show
        - run: conftest pull git::https://bitbucket.org/<project>/<opa-policies>.git
        - run: conftest test --update git::https://bitbucket.org/<project>/<opa-policies>.git $(basename $SHOWFILE) -o table -p policy/common_policies/ --all-namespaces --no-fail
Repo `atlantis.yaml` file:
# config file
Any other information you can provide about the environment/deployment (efs/nfs, aws/gcp, k8s/fargate, etc)
ECS Fargate, NFS mounted at /data
Additional Context
runatlantis/atlantis
GitHub
03/05/2024, 6:58 PM
[signal 1 ](signal: killed) error message which results to OOM based on monitoring data. To overview the architecture that we have - it's a primary terragrunt.hcl file with subfolders with terraform configuration.
Example
• terragrunt.hcl
• account_1
  • main.tf
• account_2
  • main.tf
...
Updating an aws provider version from v4 to v5 in terragrunt.hcl file triggers plan execution in all sub folders. The reason for this bug we didn't have similar behavior before and 10Gb of RAM should be enough for that.
I've tested by removing `-parallel` and `-num-executors` but with no luck as well as previous atlantis/terragrunt versions.
Atlantis release: 0.26.0
Terragrunt version: 0.52.1
Terraform version: 1.5.7
terragrunt_atlantis_config version: 1.16.0
Reproduction Steps
Might be by building similar structure with 10+ sub folders and make terragrunt.hcl aws provider change.
Logs
logs can be retrieved from the deployment or from atlantis comments by adding `--debug` such as `atlantis plan --debug`
Logs
{"level":"error","ts":"2023-10-30T19:23:40.537Z","caller":"events/instrumented_project_command_runner.go:78","msg":"Error running plan operation: running \"terragrunt plan -refresh -no-color -out=$PLANFILE --terragrunt-non-interactive -input=false\" in \"/atlantis-data/repos/devops/terraform/aws-main/228/spoke-accounts_cb-subscription-management/spoke-accounts/cb-subscription-management\": exit status 1
runatlantis/atlantis
GitHub
03/07/2024, 10:56 AM
`apply` and `plan` I'm receiving a `500 Internal Server Error`. This issue appears only on POST request and GET `healthz` and `status` are working.
Reproduction Steps
I'm using the curl example :
curl --request POST 'https://<ATLANTIS_HOST_NAME>/api/plan' \
--header 'X-Atlantis-Token: <ATLANTIS_API_SECRET>' \
--header 'Content-Type: application/json' \
--data-raw '{
"Repository": "repo-name",
"Ref": "main",
"Type": "Github",
"Paths": [{
"Directory": ".",
"Workspace": "default"
}],
"PR": 2
}'
The answer I get is: `500 Internal Server Error`. I've been able to reproduce remote from my computer and in local directly inside the atlantis pod.
This issue is only in API mode, when I perform `plan` and `apply` within Github directly it's working like a charm.
Logs
Unfortunately I'm not able to get any relevant log to perform a debug session. I've enabled `debug` level and the only logs that I can see is:
{
"level": "debug",
"ts": "2024-03-07T10:48:53.393Z",
"caller": "server/middleware.go:45",
"msg": "POST /api/plan – from 10.96.3.2:60750",
"json": {}
}
Nothing else is showing up...
Environment details
I'm running atlantis : "version": "v0.27.1 (commit: da67e7d) (build date: 2024-01-21T23:42:41.099Z)"
using Helm chart on a bare-metal cluster.
Here is the values from my helm chart
values: |
  allowDraftPRs: true
  atlantisUrl: https://atlantis.<my>.<domain>
  image:
    repository: <my/builtin>/atlantis
    tag: "v0.27.1.6"
  volumeClaim:
    enabled: true
    dataStorage: 25Gi
  environment:
    ATLANTIS_PARALLEL_APPLY: true
    ATLANTIS_PARALLEL_PLAN: true
    ATLANTIS_USE_TF_PLUGIN_CACHE: false
    ATLANTIS_TFE_TOKEN: foobar
    ATLANTIS_TFE_LOCAL_EXECUTION_MODE: true
  api:
    secret: foorbar
  logLevel: error
  githubApp:
    id: 123456
    key: |
      -----BEGIN RSA PRIVATE KEY-----
      foorbar
      -----END RSA PRIVATE KEY-----
    secret: foobar
  orgAllowlist: github.com/<myorg>/*
  ingress:
    annotations:
      cert-manager.io/cluster-issuer: letsencrypt
      kubernetes.io/ingress.class: haproxy
      kubernetes.io/tls-acme: "true"
    host: atlantis.<my>.<domain>
    path: /
    tls:
      - hosts:
          - atlantis.<my>.<domain>
        secretName: atlantis-my-super-secret
  serviceAccount:
    name: atlantis
    annotations:
      iam.gke.io/gcp-service-account: <my-service-account>
  basicAuthSecretName: atlantis-my-super-secret-access
  repoConfig: |
    ---
    repos:
      - id: /.*/
        allowed_overrides: [apply_requirements, workflow, plan_requirements, repo_locking]
runatlantis/atlantis
GitHub
03/08/2024, 2:21 PM
curl --request POST 'https://URL/api/plan' \
--header 'X-Atlantis-Token: ATLANTIS_KEY' \
--header 'Content-Type: application/json' \
--data-raw '{
"Repository": "REPO/ORG",
"Ref": "BRANCH",
"Type": "Github",
"Paths": [{
"Directory": "infra/teste",
"Workspace": "default"
}],
"PR": PR_NUMBER
}'
• Ensure another user approves your PR.
• Run `atlantis apply`:
curl --request POST 'https://URL/api/apply' \
--header 'X-Atlantis-Token: ATLANTIS_KEY' \
--header 'Content-Type: application/json' \
--data-raw '{
"Repository": "REPO/ORG",
"Ref": "BRANCH",
"Type": "Github",
"Paths": [{
"Directory": "infra/teste",
"Workspace": "default"
}],
"PR": PR_NUMBER
}'
The counterpart is performing the first two steps but using the normal Atlantis flow by commenting on the PR.
Logs
logs can be retrieved from the deployment or from atlantis comments by adding `--debug` such as `atlantis plan --debug`
First Error Logs
{
"level": "error",
"ts": "2024-03-07T19:11:52.962Z",
"caller": "events/project_command_runner.go:188",
"msg": "updating project PR status%!(EXTRA *github.ErrorResponse=POST <https://api.github.com/repos/ORG/REPO/statuses/BRANCH>: 404 Not Found [])",
"json": {},
"stacktrace": "<http://github.com/runatlantis/atlantis/server/events.(*ProjectOutputWrapper).updateProjectPRStatus|github.com/runatlantis/atlantis/server/events.(*ProjectOutputWrapper).updateProjectPRStatus>\n\tgithub.com/runatlantis/atlantis/server/events/project_command_runner.go:188\ngithub.com/runatlantis/atlantis/server/events.(*ProjectOutputWrapper).Apply\n\tgithub.com/runatlantis/atlantis/server/events/project_command_runner.go:170\ngithub.com/runatlantis/atlantis/server/events.RunAndEmitStats\n\tgithub.com/runatlantis/atlantis/server/events/instrumented_project_command_runner.go:74\ngithub.com/runatlantis/atlantis/server/events.(*InstrumentedProjectCommandRunner).Apply\n\tgithub.com/runatlantis/atlantis/server/events/instrumented_project_command_runner.go:46\ngithub.com/runatlantis/atlantis/server/controllers.(*APIController).apiApply\n\tgithub.com/runatlantis/atlantis/server/controllers/api_controller.go:166\ngithub.com/runatlantis/atlantis/server/controllers.(*APIController).Apply\n\tgithub.com/runatlantis/atlantis/server/controllers/api_controller.go:127\nnet/http.HandlerFunc.ServeHTTP\n\tnet/http/server.go:2136\ngithub.com/gorilla/mux.(*Router).ServeHTTP\n\tgithub.com/gorilla/mux@v1.8.1/mux.go:212\ngithub.com/urfave/negroni/v3.(*Negroni).UseHandler.Wrap.func1\n\tgithub.com/urfave/negroni/v3@v3.0.0/negroni.go:59\ngithub.com/urfave/negroni/v3.HandlerFunc.ServeHTTP\n\tgithub.com/urfave/negroni/v3@v3.0.0/negroni.go:33\ngithub.com/urfave/negroni/v3.middleware.ServeHTTP\n\tgithub.com/urfave/negroni/v3@v3.0.0/negroni.go:51\ngithub.com/runatlantis/atlantis/server.(*RequestLogger).ServeHTTP\n\tgithub.com/runatlantis/atlantis/server/middleware.go:70\ngithub.com/urfave/negroni/v3.middleware.ServeHTTP\n\tgithub.com/urfave/negroni/v3@v3.0.0/negroni.go:51\ngithub.com/urfave/negroni/v3.(*Recovery).ServeHTTP\n\tgithub.com/urfave/negroni/v3@v3.0.0/recovery.go:210\ngithub.com/urfave/negroni/v3.middleware.ServeHTTP\n\tgithub.com/urfave/negroni/v3@v3.0.0/negroni.go:51\ngith
ub.com/urfave/negroni/v3.(*Negroni).ServeHTTP\n\tgithub.com/urfave/negroni/v3@v3.0.0/negroni.go:111\nnet/http.serverHandler.ServeHTTP\n\tnet/http/server.go:2938\nnet/http.(*conn).serve\n\tnet/http/server.go:2009"
}
Second Error Logs
{
"level": "error",
"ts": "2024-03-07T19:11:52.962Z",
"caller": "events/instrumented_project_command_runner.go:84",
"msg": "Failure running apply operation: Pull request must be approved according to the project's approval rules before running apply.",
"json": {},
"stacktrace": "<http://github.com/runatlantis/atlantis/server/events.RunAndEmitStats|github.com/runatlantis/atlantis/server/events.RunAndEmitStats>\n\tgithub.com/runatlantis/atlantis/server/events/instrumented_project_command_runner.go:84\ngithub.com/runatlantis/atlantis/server/events.(*InstrumentedProjectCommandRunner).Apply\n\tgithub.com/runatlantis/atlantis/server/events/instrumented_project_command_runner.go:46\ngithub.com/runatlantis/atlantis/server/controllers.(*APIController).apiApply\n\tgithub.com/runatlantis/atlantis/server/controllers/api_controller.go:166\ngithub.com/runatlantis/atlantis/server/controllers.(*APIController).Apply\n\tgithub.com/runatlantis/atlantis/server/controllers/api_controller.go:127\nnet/http.HandlerFunc.ServeHTTP\n\tnet/http/server.go:2136\ngithub.com/gorilla/mux.(*Router).ServeHTTP\n\tgithub.com/gorilla/mux@v1.8.1/mux.go:212\ngithub.com/urfave/negroni/v3.(*Negroni).UseHandler.Wrap.func1\n\tgithub.com/urfave/negroni/v3@v3.0.0/negroni.go:59\ngithub.com/urfave/negroni/v3.HandlerFunc.ServeHTTP\n\tgithub.com/urfave/negroni/v3@v3.0.0/negroni.go:33\ngithub.com/urfave/negroni/v3.middleware.ServeHTTP\n\tgithub.com/urfave/negroni/v3@v3.0.0/negroni.go:51\ngithub.com/runatlantis/atlantis/server.(*RequestLogger).ServeHTTP\n\tgithub.com/runatlantis/atlantis/server/middleware.go:70\ngithub.com/urfave/negroni/v3.middleware.ServeHTTP\n\tgithub.com/urfave/negroni/v3@v3.0.0/negroni.go:51\ngithub.com/urfave/negroni/v3.(*Recovery).ServeHTTP\n\tgithub.com/urfave/negroni/v3@v3.0.0/recovery.go:210\ngithub.com/urfave/negroni/v3.middleware.ServeHTTP\n\tgithub.com/urfave/negroni/v3@v3.0.0/negroni.go:51\ngithub.com/urfave/negroni/v3.(*Negroni).ServeHTTP\n\tgithub.com/urfave/negroni/v3@v3.0.0/negroni.go:111\nnet/http.serverHandler.ServeHTTP\n\tnet/http/server.go:2938\nnet/http.(*conn).serve\n\tnet/http/server.go:2009"
}
Environment details
• Atlantis version: atlantis 0.27.1 (commit: da67e7d) (build date: 2024-01-21T234215Z)
• Deployment method: I'm using locally via docker-compose and Github App
• If not running the latest Atlantis version have you tried to reproduce this issue on the latest version: yes (firstly I've tried on an older version, then I updated to latest)
• Atlantis flags: I'm using with docker compose and ngrok. I'll write my docker compose file below:
```
version: "3.9"
services:
  atlantis:
    image: ghcr.io/runatlantis/atlantis:v0.27.1
    environment:…
```
runatlantis/atlantis
GitHub
03/11/2024, 10:30 PM
`--tf-download-url` but it would be nice to have this officially documented so people can start using opentf instead of terraform for future releases.
https://www.runatlantis.io/docs/server-configuration.html#tf-download-url
Describe the solution you'd like
See above
Describe the drawbacks of your solution
N/A
Describe alternatives you've considered
N/A
* * *
• epic #3741
• Previous ticket #3727
• #1776
• https://github.com/warrensbox/terraform-switcher
• warrensbox/terraform-switcher#315
* * *
atlantis/cmd/server.go
Line 173 in a793620 (/runatlantis/atlantis/commit/a793620475519d19c86caa01242a8bc6a125045e)
atlantis/server/server.go
Line 405 in a793620 (/runatlantis/atlantis/commit/a793620475519d19c86caa01242a8bc6a125045e)
atlantis/server/core/terraform/terraform_client.go
Lines 239 to 253 in a793620 (/runatlantis/atlantis/commit/a793620475519d19c86caa01242a8bc6a125045e)
atlantis/server/core/terraform/terraform_client.go
Line 379 in 3ea2914 (/runatlantis/atlantis/commit/3ea2914e1637066f336f64984c41f62391632223)
atlantis/server/core/terraform/terraform_client.go
Lines 555 to 562 in 3ea2914 (/runatlantis/atlantis/commit/3ea2914e1637066f336f64984c41f62391632223)
atlantis/server/core/terraform/terraform_client.go
Line 538 in 3ea2914 (/runatlantis/atlantis/commit/3ea2914e1637066f336f64984c41f62391632223)
Listing versions
atlantis/server/core/terraform/terraform_client.go
Line 304 in 3ea2914 (/runatlantis/atlantis/commit/3ea2914e1637066f336f64984c41f62391632223)
* * *
The terraform url is constructed
• url = https://releases.hashicorp.com
• format string = `%s/terraform/%s/terraform_%s`, prefix, version, version
• `%s_%s_%s.zip`, prefix, os, arch
• full url https://releases.hashicorp.com/terraform/1.5.7/terraform_1.5.7_darwin_amd64.zip
Opentofu
• url = https://github.com/opentofu/opentofu/releases
• format string = `%s/download/%s/tofu_%s`, prefix, version, version
• `%s_%s_%s.zip`, prefix, os, arch
• full url https://github.com/opentofu/opentofu/releases/download/v1.6.0-alpha4/tofu_1.6.0-alpha4_darwin_amd64.zip
Seems like the following changes are needed
☐ overriding the url string
  • this can be done already
☐ overriding the format string with a new flag
☐ simplifying default format string to use `%[2]s` to remove redundant argument
☐ a way to search opentf versions to know which version to download
  • opentofu/opentofu#928
☐ opentf-enabled flag
☐ change the name of the binary downloaded
☐ allow a required_version block at or below a certain version such as 1.5.x which would download terraform binaries instead of opentofu if needed
  • if we don't implement this then users with older and newer versions would get blocked for all older root dirs
runatlantis/atlantis
GitHub
03/12/2024, 4:15 PM
`Custom`
We get :
Show Output diff
#### Policy Set: `Custom`
```diff
Attached screenshots. Looks like the summary block is interfering with the diff.
*Reproduction Steps*
Custom policy checks outputting anything always throw this on first policy. Second policy looks ok but first one probably due to being hidden behind the Show Output breaks format.
*Logs*
{"level":"info","ts":"2024-03-12T142718.971Z","caller":"models/shell_command_runner.go:161","msg":"successfully ran \"echo \\\"Required test output below:\\\" && conftest test -o table --policy /atlantis-data/library/general/mypolicy/mypolicy.rego --namespace terraform.ourpolicy $SHOWFILE\" in \"/atlantis-data/repos/redacted"","json":{"repo":"redacted","pull":"1","duration":0.049932837}}
{"level":"error","ts":"2024-03-12T14:27:19.136Z","caller":"events/project_command_runner.go:529","msg":"Required test output below:\n+---------+------------------------------------------------------------------------------------+----------------+---------+\n| RESULT | FILE | NAMESPACE | MESSAGE |\n+---------+------------------------------------------------------------------------------------+----------------+---------+\n| success | redacted/workspace.json | terraform.ourpolicy | SUCCESS |\n| success | /atlantis-data/repos/redacted/workspace.json | terraform.ourpolicy | SUCCESS |\n| success | /atlantis-data/repos/redacted/workspace.json | terraform.ourpolicy | SUCCESS |\n+---------+------------------------------------------------------------------------------------+----------------+---------+\n\nAnother test output below:\n| UPDATE? | NAME | CONSTRAINT | VERSION | LATEST MATCHING | LATEST |\n|---------|------|------------|---------|-----------------|--------|\n+---------+-----------------+-------------------+---------+\n| RESULT | FILE | NAMESPACE | MESSAGE |\n+---------+-----------------+-------------------+---------+\n| success | version.json | tf_version | SUCCESS |\n| success | version.json | tf_version | SUCCESS |\n+---------+-----------------+-------------------+---------+\n","json":{"repo":"redacted","pull":"1"},"stacktrace":"github.com/runatlantis/atlantis/server/events.(*DefaultProjectCommandRunner).doPolicyCheck\n\tgithub.com/runatlantis/atlantis/server/events/project_command_runner.go:529\ngithub.com/runatlantis/atlantis/server/events.(*DefaultProjectCommandRunner).PolicyCheck\n\tgithub.com/runatlantis/atlantis/server/events/project_command_runner.go:240\ngithub.com/runatlantis/atlantis/server/events.RunAndEmitStats\n\tgithub.com/runatlantis/atlantis/server/events/instrumented_project_command_runner.go:74\ngithub.com/runatlantis/atlantis/server/events.(*InstrumentedProjectCommandRunner).PolicyCheck\n\tgithub.com/runatlantis/atlantis/server/events/instrumented_project_command_runner.go:42\ngithub.com/runatlantis/atlantis/server/events.runProjectCmds\n\tgithub.com/runatlantis/atlantis/server/events/project_command_pool_executor.go:48\ngithub.com/runatlantis/atlantis/server/events.(*PolicyCheckCommandRunner).Run\n\tgithub.com/runatlantis/atlantis/server/events/policy_check_command_runner.go:65\ngithub.com/runatlantis/atlantis/server/events.(*PlanCommandRunner).run\n\tgithub.com/runatlantis/atlantis/server/events/plan_command_runner.go:290\ngithub.com/runatlantis/atlantis/server/events.(*PlanCommandRunner).Run\n\tgithub.com/runatlantis/atlantis/server/events/plan_command_runner.go:306\ngithub.com/runatlantis/atlantis/server/events.(*DefaultCommandRunner).RunCommentCommand\n\tgithub.com/runatlantis/atlantis/server/events/command_runner.go:365"}
{"level":"info","ts":"2024-03-12T14:27:19.136Z","caller":"events/instrumented_project_command_runner.go:88","msg":"policy_check success. output available at: https://redacted","json":{"repo":"redacted","pull":"1"}}
*Environment details*
• Atlantis version: 0.27.2
• Deployment method: helm
• If not running the latest Atlantis version have you tried to reproduce this issue on the latest version: Reproducible on each version since the custom policy check released.
• Atlantis flags: --enable-policy-checks
*Additional Context*
Atlantis server-side policy check conf:
```
policy_check:
  steps:
    - run: echo "Required test output below:" && conftest test -o table --policy /atlantis-data/library/general/mypolicy/mypolicy.rego --namespace terraform.ourpolicy $SHOWFILE
    - run: echo "nAnother test output below:" && version check $DIR && conftest test -o table --policy /atlantis-data/library/general/tf_version/version.rego --namespace tf_version version.json
```
Another issue showing the same problem: #4243
runatlantis/atlantis
GitHub
03/14/2024, 11:04 PM
`--emoji-reaction=""` on the cli and `emoji-reaction: ""` in the config, but Atlantis 0.27.2 still does emoji reactions on GitHub Enterprise.
Reproduction Steps
1. Set the options described above
2. Comment `atlantis plan` on a PR
3. See that it reacts anyway
Logs
The New Issue instruction said to use `atlantis plan --debug`, but atlantis replies to this saying `Error: unknown flag: --debug`. I tried with `--verbose`, which is valid, but the logs looked too sensitive to post. In any case, the words "react" or "emoji" don't appear in them...
The server-side logs show items like:
{
"level": "debug",
"ts": "2024-03-14T22:58:52.580Z",
"caller": "metrics/debug.go:42",
"msg": "counter",
"json": {
"name": "atlantis.github.react_to_comment.execution_success",
"value": 1,
"tags": {},
"type": "counter"
}
}
Environment details
• Atlantis version: 0.27.2
• Deployment method: docker
• Atlantis flags: -config=/etc/atlantis.yml --repo-config=/etc/repos.yml --emoji-reaction=
Atlantis server-side config file:
version: 3
port: 8080
automerge: true
gh-hostname: private
gh-user: private
repo-allowlist: private
atlantis-url: https://private/
log-level: debug
write-git-creds: true
hide-prev-plan-comments: true
allow-draft-prs: true
enable-diff-markdown-format: true
emoji-reaction: ""
use-tf-plugin-cache: true
Repo `atlantis.yaml` file:
This is an example:
- name: private
  dir: private
  workflow: private
  terraform_version: private
  autoplan:
    when_modified:
      - '**/**'
Additional Context
I've seen it mentioned that disabling it is only meant to work for `nick plan/apply` style comments (no @). I'm using that form.
runatlantis/atlantis
GitHub
03/15/2024, 7:22 AM
v0.27.2
Atlantis is still not able to handle Terraform version 1.7.x
Reproduction Steps
Have a `versions.tf` like:
terraform {
  required_version = "~> 1.7"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.40"
    }
  }
}
then simply run `atlantis plan` (see logs below)
Logs
running "terraform init -upgrade -input=false" in "/atlantis-data/repos/<our-repo>/241/default/environments/test": exit status 1: running "terraform init -upgrade -input=false" in "/atlantis-data/repos/<our-repo>/241/default/environments/test":
Initializing the backend...
Successfully configured the backend "s3"! Terraform will automatically
use this backend unless the backend configuration changes.
Upgrading modules...
- kms in ../../modules/<our-module>
╷
│ Error: Unsupported Terraform Core version
│
│ on providers.tf line 11, in terraform:
│ 11: required_version = "~> 1.7"
│
│ This configuration does not support Terraform version 1.6.3. To proceed,
│ either choose another supported Terraform version or update this version
│ constraint. Version constraints are normally set for good reason, so
│ updating the constraint may lead to other errors or unexpected behavior.
╵
Environment details
• Atlantis version: v0.27.2
• Deployment method: helm
Atlantis server-side config file:
- name: ATLANTIS_REPO_ALLOWLIST
  value: '*'
- name: ATLANTIS_WRITE_GIT_CREDS
  value: 'true'
- name: ATLANTIS_API_SECRET
  valueFrom:
    secretKeyRef:
      key: ATLANTIS_API_SECRET
      name: atlantis
- name: ATLANTIS_GH_APP_KEY
  valueFrom:
    secretKeyRef:
      key: ATLANTIS_GH_APP_KEY
      name: atlantis
- name: ATLANTIS_GH_WEBHOOK_SECRET
  valueFrom:
    secretKeyRef:
      key: ATLANTIS_GH_WEBHOOK_SECRET
      name: atlantis
- name: ATLANTIS_DATA_DIR
  value: /atlantis-data
- name: ATLANTIS_PORT
  value: '4141'
- name: ATLANTIS_REPO_CONFIG
  value: /etc/atlantis/repos.yaml
Repo `atlantis.yaml` file:
version: 3
automerge: true
projects:
  - name: test
    dir: environments/test
    autoplan:
      enabled: false
  - name: stage
    dir: environments/stage
    autoplan:
      enabled: false
  - name: prod
    dir: environments/prod
    autoplan:
      enabled: false
workflows:
  default_workflow:
    plan:
      steps:
        - run: terraform init -upgrade -input=false
        - run: terraform plan -input=false -refresh -out $PLANFILE
    apply:
      steps:
        - run: terraform apply $PLANFILE
runatlantis/atlantis
GitHub
03/16/2024, 8:32 PM
`example1/terraform.tf`
terraform {
  required_version = ">=1.2"
  cloud {
    organization = "example-org"
    workspaces {
      name = "example"
    }
  }
  required_providers {
    cloudflare = {
      source  = "cloudflare/cloudflare"
      version = "~> 3"
    }
  }
}
2. Push the module `example1` to the GitHub repository
3. Atlantis will use the `default` workspace and doesn't detect the `example` name for the workspace from `example1/terraform.tf`.
running "/usr/local/bin/terraform workspace new default" in "/home/atlantis/.atlantis/repos/xxxxxx/atlantis-example/9/default/example1": exit status 1: default workspace not supported
You can create a new workspace with the "workspace new" command.
Logs
2023-03-20 17:38:21 | {"level":"debug","ts":"2023-03-20T16:38:21.101Z","caller":"events/project_finder.go:106","msg":"no Terraform Cloud workspace explicitly configured in Terraform codes. Use default workspace (\"default\")","json":{"repo":"xxxx/atlantis-example","pull":"9"}}
Additional Context
Related to the implementation #2432, it works only for the root of the repository, but not for the subfolders.
Here is a line with the issue:
atlantis/server/events/project_command_builder.go, line 398 in 1674663 (/runatlantis/atlantis/commit/16746632b1ddfe967b33710013277d6985e60c5c)
repoDir is always the same for all projects.
runatlantis/atlantis
GitHub
03/18/2024, 2:21 PM
GitHub
03/18/2024, 4:03 PM
`terraform init`.
From logs:
• Update event 1 was triggered at 17:50:29 and completed the first step of executing the planning workflow at 17:50:37.
• Update event 2 was triggered at 17:50:53 and subsequently force-cloned the repo while building the autoplan command context.
The plan workflow requires a lock on the working dir, called by `DefaultProjectCommandRunner.doPlan`. The clone procedure is also invoked behind this same lock when called from `DefaultProjectCommandBuilder.buildAllCommandsByCfg` or other similar functions.
My understanding is that event 1 should have a working dir lock at some time prior to ~17:50:37 and hold it until the workflow exits at 17:50:59. However event 2 was able to acquire this lock to clone the repo at 17:50:53. Note that event 2 then failed to acquire the lock at 17:50:55, which I imagine was when it attempted to begin executing its plan workflow.
Reproduction Steps
1. Open PR to trigger autoplan
2. Push new commits while the plan workflow is running
Logs
```
Mar 13 17:50:29 ip-xxx-xxx-xxx-xxx.us-west-2.compute.internal env[4657]: {"level":"info","ts":"2024-03-13T17:50:29.211Z","caller":"events/events_controller.go:620","msg":"identified event as type \"updated\"","json":{}}
Mar 13 17:50:29 ip-xxx-xxx-xxx-xxx.us-west-2.compute.internal env[4657]: {"level":"info","ts":"2024-03-13T17:50:29.455Z","caller":"events/working_dir.go:239","msg":"creating dir \"/home/user/.atlantis/repos/analytics/terraform/my-project/3323/default\"","json":{}}
Mar 13 17:50:30 ip-xxx-xxx-xxx-xxx.us-west-2.compute.internal env[4657]: {"level":"info","ts":"2024-03-13T17:50:30.449Z","caller":"events/project_command_builder.go:427","msg":"successfully parsed atlantis.yaml file","json":{"repo":"analytics/terraform/my-project","pull":"3323"}}
Mar 13 17:50:30 ip-xxx-xxx-xxx-xxx.us-west-2.compute.internal env[4657]: {"level":"info","ts":"2024-03-13T17:50:30.449Z","caller":"events/project_command_builder.go:467","msg":"1 projects are to be planned based on their when_modified config","json":{"repo":"analytics/terraform/my-project","pull":"3323"}}
Mar 13 17:50:30 ip-xxx-xxx-xxx-xxx.us-west-2.compute.internal env[4657]: {"level":"info","ts":"2024-03-13T17:50:30.490Z","caller":"terraform/terraform_client.go:362","msg":"Detected module requires version: 1.7.4","json":{"repo":"analytics/terraform/my-project","pull":"3323"}}
Mar 13 17:50:31 ip-xxx-xxx-xxx-xxx.us-west-2.compute.internal env[4657]: {"level":"info","ts":"2024-03-13T17:50:31.049Z","caller":"events/project_locker.go:86","msg":"acquired lock with id \"analytics/terraform/my-project/environments/prod/default\"","json":{"repo":"analytics/terraform/my-project","pull":"3323"}}
Mar 13 17:50:37 ip-xxx-xxx-xxx-xxx.us-west-2.compute.internal env[4657]: {"level":"info","ts":"2024-03-13T17:50:37.394Z","caller":"models/shell_command_runner.go:161","msg":"successfully ran \"atlantis_hooks pre-init\" in \"/home/user/.atlantis/repos/analytics/terraform/my-project/3323/default/environments/prod\"","json":{"repo":"analytics/terraform/my-project","pull":"3323","duration":5.265528997}}
Mar 13 17:50:53 ip-xxx-xxx-xxx-xxx.us-west-2.compute.internal env[4657]: {"level":"info","ts":"2024-03-13T17:50:53.290Z","caller":"events/events_controller.go:620","msg":"identified event as type \"updated\"","json":{}}
Mar 13 17:50:53 ip-xxx-xxx-xxx-xxx.us-west-2.compute.internal env[4657]: {"level":"info","ts":"2024-03-13T17:50:53.509Z","caller":"events/working_dir.go:239","msg":"creating dir \"/home/user/.atlantis/repos/analytics/terraform/my-project/3323/default\"","json":{}}
Mar 13 17:50:54 ip-xxx-xxx-xxx-xxx.us-west-2.compute.internal env[4657]: {"level":"info","ts":"2024-03-13T17:50:54.514Z","caller":"events/project_command_builder.go:427","msg":"successfully parsed atlantis.yaml file","json":{"repo":"analytics/terraform/my-project","pull":"3323"}}
Mar 13 17:50:54 ip-xxx-xxx-xxx-xxx.us-west-2.compute.internal env[4657]: {"level":"info","ts":"2024-03-13T17:50:54.514Z","caller":"events/project_command_builder.go:467","msg":"1 projects are to be planned based on their when_modified config","json":{"repo":"analytics/terraform/my-project","pull":"3323"}}
Mar 13 17:50:54 ip-xxx-xxx-xxx-xxx.us-west-2.compute.internal env[4657]: {"level":"info","ts":"2024-03-13T17:50:54.535Z","caller":"terraform/terraform_client.go:362","msg":"Detected module requires version: 1.7.4","json":{"repo":"analytics/terraform/my-project","pull":"3323"}}
Mar 13 17:50:55 ip-xxx-xxx-xxx-xxx.us-west-2.compute.internal env[4657]: {"level":"info","ts":"2024-03-13T17:50:55.175Z","caller":"events/project_locker.go:86","msg":"acquired lock with id \"analytics/terraform/my-project/environments/prod/default\"","json":{"repo":"analytics/terraform/my-project","pull":"3323"}}
Mar 13 17:50:55 ip-xxx-xxx-xxx-xxx.us-west-2.compute.internal env[4657]: {"level":"error","ts":"2024-03-13T17:50:55.445Z","caller":"events/instrumented_project_command_runner.go:78","msg":"Error running plan operation: the default workspace at path environments/prod is currently locked by another command that is running for this pull request.\nWait until the previous command is complete and try again","json":{"repo":"analytics/terraform/my-project","pull":"3323"},"stacktrace":"github.com/runatlantis/atlantis/server/events.RunAndEmitStats\n\t/home/runner/work/atlantis/atlantis/server/events/instrumented_project_command_runner.go:78\ngithub.com/runatlantis/atlantis/server/events.(*InstrumentedProjectCommandRunner).Plan\n\t/home/runner/work/atlantis/atlantis/server/events/instrumented_project_command_runner.go:38\ngithub.com/runatlantis/atlantis/server/events.runProjectCmds\n\t/home/runner/work/atlantis/atlantis/server/events/project_command_pool_executor.go:48\ngithub.com/runatlantis/atlantis/server/events.(*PlanCommandRunner).runAutoplan\n\t/home/runner/work/atlantis/atlantis/server/events/plan_command_runner.go:135\ngithub.com/runatlantis/atlantis/server/events.(*PlanCommandRunner).Run\n\t/home/runner/work/atlantis/atlantis/server/events/plan_command_runner.go:304\ngithub.com/runatlantis/atlantis/server/events.(*DefaultCommandRunner).RunAutoplanCommand\n\t/home/runner/work/atlantis/atlantis/server/events/command_runner.go:221"}
Mar 13 17:50:59 ip-xxx-xxx-xxx-xxx.us-west-2.compute.internal env[4657]: {"level":"error","ts":"2024-03-13T17:50:59.923Z","caller":"models/shell_command_runner.go:158","msg":"running \"atlantis_hooks init\" in \"/home/user/.atlantis/repos/analytics/terraform/my-project/3323/default/environments/prod\": exit status 1","json":{"repo":"analytics/terraform/my-project","pull":"3323","duration":22.52887278},"stacktrace":"<http://github.com/runatlantis/atlantis/server/core/runtime/models.(*ShellCommandRunner).RunCommandAsync.func1|gith…
```
runatlantis/atlantis
GitHub
03/18/2024, 5:06 PM
{
  "remote_plan_format": 1,
  "run_id": "run-XXXXXXXXXXXXXXXXX",
  "hostname": "app.terraform.io"
}
Given the difference in file, one possible workaround to this limitation with Hashicorp would be to check if TFE is being used and if the saved plan is a JSON. Extract the `run_id` and use the TFE_TOKEN to poke the API: https://app.terraform.io/api/v2/runs/run-XXXXXXXXXXXXXXXXX
JSON Output from https://app.terraform.io/api/v2/runs/run-XXXXXXXXXXXXXXXXX
{
  "data": {
    "id": "run-XXXXXXXXXXXXXXXXX",
    "type": "runs",
    "attributes": {
      "actions": {
        "is-cancelable": false,
        "is-confirmable": false,
        "is-discardable": false,
        "is-force-cancelable": false
      },
      "allow-config-generation": false,
      "allow-empty-apply": false,
      "auto-apply": false,
      "canceled-at": null,
      "created-at": "2024-03-14T21:46:22.145Z",
      "has-changes": false,
      "is-destroy": false,
      "message": "Triggered via CLI",
      "plan-only": false,
      "refresh": true,
      "refresh-only": false,
      "replace-addrs": null,
      "save-plan": true,
      "source": "terraform+cloud",
      "status-timestamps": {
        "planned-at": "2024-03-14T21:46:30+00:00",
        "queuing-at": "2024-03-14T21:46:22+00:00",
        "planning-at": "2024-03-14T21:46:26+00:00",
        "plan-queued-at": "2024-03-14T21:46:22+00:00",
        "cost-estimated-at": "2024-03-14T21:46:31+00:00",
        "plan-queueable-at": "2024-03-14T21:46:22+00:00",
        "cost-estimating-at": "2024-03-14T21:46:30+00:00",
        "planned-and-saved-at": "2024-03-14T21:46:31+00:00",
        "planned-and-finished-at": "2024-03-14T21:46:31+00:00"
      },
      "status": "planned_and_finished",
      "target-addrs": null,
      "trigger-reason": "manual",
      "terraform-version": "1.7.4",
      "permissions": {
        "can-apply": true,
        "can-cancel": true,
        "can-comment": true,
        "can-discard": true,
        "can-force-execute": true,
        "can-force-cancel": true,
        "can-override-policy-check": true
      },
      "variables": []
    }
  }
}
I trimmed some of the output from the API response to avoid leaking any identifiable information, but the takeaway is if the `data.attributes.status` is `"planned_and_finished"` and `data.attributes.has-changes` is `false` the apply will fail. If Atlantis was to sniff this out (either pre-apply, or after apply - if errored) when doing a TFE project it could report a clean OK status and proceed instead of erroring out as it currently does with the following message:
╷
│ Error: Saved plan has no changes
│
│ The given plan file contains no changes, so it cannot be applied. For more details, view this run in a browser at:
│ https://app.terraform.io/app/[tf-org]/[tf-workspace]/runs/[run-id]
╵
Reproduction Steps
terraform {
  required_version = ">= 1.3.0"
  cloud {
    organization = "atlantis-test"
    workspaces {
      name = "dev-testing-terraform-test"
    }
  }
}
Create a PR with this in a project, plan will execute with no changes planned, apply will fail. Compared with
terraform {
  required_version = ">= 1.3.0"
}
which plans the same, but applies with no error.
Logs
Environment details
• Atlantis version: v0.27.2 (commit: 2991920) (build date: 2024-03-08T21:57:57.207Z)
• Deployment method: terraform-aws-modules/atlantis/aws
• Atlantis flags:
• atlantis-url: [redacted]
• autoplan-modules: true
• automerge: true
• gh-installation-id: [redacted]
• gh-org: [gh-org-redacted]
• gh-app-id: [redacted]
• gh-app-key: [redacted]
• gh-allow-mergable-bypass-apply: true
• gh-webhook-secret: [redacted]
• locking-db-type: redis
• port: 4141
• redis-tls-enabled: true
• redis-port: 6379
• redis-host: [redacted].serverless.[redacted].cache.amazonaws.com
• repo-allowlist: github.com/[gh-org-redacted]/*
• redis-password: [redacted]
• tfe-token: [redacted]
• write-git-creds: true
Atlantis server-side config file:
repos:
  - id: /.*/
    plan_requirements: []
    apply_requirements: [approved, mergeable]
    allowed_overrides: [plan_requirements, apply_requirements, import_requirements]
    delete_source_branch_on_merge: true
Repo `atlantis.yaml` file:
version: 3
autodiscover:
  mode: "enabled"
parallel_plan: true
parallel_apply: true
projects:
  - name: apps
    dir: apps
    workspace: [redacted]
    autoplan: &autoplan
      when_modified: ["../modules/**/*.tf", "*.tf*", ".terraform.lock.hcl", "*.yml"]
Fargate, ECS, EFS, Elasticache Redis Serverless
Additional Context
We're reaching out to Hashicorp to see if this can be addressed on their end, in the meantime I'm opening an issue here for exposure and possible workaround.
runatlantis/atlantis
GitHub
03/19/2024, 1:13 AM
GitHub
03/19/2024, 1:57 AM
`atlantis apply` is run. I want the ability to prevent merge requests from being able to be merged without `atlantis apply` completing successfully.
There have been previous attempts; for example, #2053 introduced this behavior but was rolled back because of workflows that are dependent on all CI jobs being completed.
#3378 (unintentionally?) introduced this behavior again, then was reverted in #3747.
#2436 (comment) describes the behavior I expect using GitHub.
Using 0.27.2, when I open a merge request that creates new resources (I'm using `resource "terraform_data" "example" {}`), Atlantis autoplans, creating an external stage with the following jobs.
I expect there to be a pending `atlantis/apply` job to prevent the merge request from being merged as my repo requires CI to be passing. If I revert https://github.com/runatlantis/atlantis/pull/3747/files#diff-6583ec7260b28e573c74e18e783ee24ba8dce7d0a2e6929c105cc7e74d3d9c6fL318-R319 from #3747, I get the behavior I expect.
Then after a successful `atlantis apply`, the `atlantis/apply` job and `atlantis/apply: <project>` succeed and I can merge the merge request.
Are there other GitLab users who have similar requirements? Am I missing something (e.g. a flag?) that makes this possible?
I'm open to other methods of preventing merging without successful `atlantis apply`'s. Happy to contribute any patches that support this workflow.
Reproduction Steps
Logs
Environment details
• Atlantis version: 0.27.2
• Deployment method: helm
• Atlantis flags:
- --automerge
- --default-tf-version=v1.5.7
- --enable-policy-checks
Atlantis server-side config file:
---
repos:
  - id: /.*/
    plan_requirements: [undiverged]
    apply_requirements: [approved, mergeable, undiverged]
    import_requirements: [approved, mergeable, undiverged]
    workflow: terragrunt
policies:
  owners:
    users:
      - tiago.meireles
  policy_sets:
    - name: standard
      path: /home/atlantis/policies/
      source: local
workflows:
  terragrunt:
    plan:
      steps:
        - env:
            name: TERRAGRUNT_TFPATH
            command: 'echo "terraform${ATLANTIS_TERRAFORM_VERSION}"'
        - env:
            # Reduce Terraform suggestion output
            name: TF_IN_AUTOMATION
            value: 'true'
        - run:
            # Allow for targeted plans/applies as not supported for Terraform wrappers by default
            command: terragrunt plan -input=false $(printf '%s' $COMMENT_ARGS | sed 's/,/ /g' | tr -d '\\') -no-color -out $PLANFILE
            output: hide
        - run: terragrunt show $PLANFILE
        - run: terragrunt show -no-color -json $PLANFILE > $SHOWFILE
    apply:
      steps:
        - env:
            name: TERRAGRUNT_TFPATH
            command: 'echo "terraform${ATLANTIS_TERRAFORM_VERSION}"'
        - env:
            # Reduce Terraform suggestion output
            name: TF_IN_AUTOMATION
            value: 'true'
        - run: terragrunt apply -input=false $PLANFILE
    import:
      steps:
        - env:
            name: TERRAGRUNT_TFPATH
            command: 'echo "terraform${DEFAULT_TERRAFORM_VERSION}"'
        - env:
            name: TF_VAR_author
            command: 'git show -s --format="%ae" $HEAD_COMMIT'
        # Allow for imports as not supported for Terraform wrappers by default
        - run: terragrunt import -input=false $(printf '%s' $COMMENT_ARGS | sed 's/,/ /' | tr -d '\\')
    state_rm:
      steps:
        - env:
            name: TERRAGRUNT_TFPATH
            command: 'echo "terraform${DEFAULT_TERRAFORM_VERSION}"'
        # Allow for state removals as not supported for Terraform wrappers by default
        - run: terragrunt state rm $(printf '%s' $COMMENT_ARGS | sed 's/,/ /' | tr -d '\\')
    policy_check:
      steps:
        - env:
            name: TERRAGRUNT_TFPATH
            command: 'echo "terraform${ATLANTIS_TERRAFORM_VERSION}"'
        - env:
            # Reduce Terraform suggestion output
            name: TF_IN_AUTOMATION
            value: 'true'
        - run: terragrunt show -no-color -json $PLANFILE > $SHOWFILE
        - policy_check:
            extra_args: ["-p", "/home/atlantis/policies/", "--all-namespaces", "--parser=json", "--no-color"]
Repo atlantis.yaml
f…
runatlantis/atlantis