This message was deleted.

I agree this can be a bit of a grey zone in terms of risk. If I’m not mistaken, by default Atlantis needs a

plan

operation before it can run

apply

. You can take advantage of that and dismiss all approvals after every new plan; I don’t think Atlantis provides a flag for that but you could do it either with a custom workflow or even with a GHA action (that looks for new

plan

comments and removes all approvals) Then, any changes upstream will be noticed in the new plan and require a new approval before an apply is possible. PS: That relies on the assumption that Atlantis uses plans when applying and does not replan from scratch. You need to doublecheck that. We use it in a way that does not use plans unfortunately so that wouldn’t work for us PS2: But then you’d hope whoever is changing upstream would want to at least run a plan prior to apply to see the diff. Then dismissing approvals after every plan would solve your problem

It’s hard to implement a real word working setup like this as you don’t want to dismiss all plans, as it adds a lot of dead time to team members when an apply times out from different reasons, error out because of a lock or because of a token expiration and you just need to hit plan and apply again. I considered that option first but we had a lot of dead time added and also my team got used to just hit approve without looking on most of the projects, because you know how it is when you get used with something…

plans are reused, they get only discarded if you push files to the PR