We are looking to centralize custom IAM policy checks in Terraform and CFT deployments. As I learn about Atlantis, conceptually Atlantis looks like a "proxy" that intercepts/listens to various GitHub actions and there is natural place where we can inject our custom policy checking and manifest the results into the daily workflows of a developer and their toolchains. Our policies would include checking for authorized IAM Role grants, detecting Risky Roles and mapping Roles to cloud services and cloud data stores. With that baseline, we can track and govern IAM drift between cloud accounts. I would love to get feedback on whether Atlantis is designed for this type of transparent interception whether folks have tried similar approaches - thanks Venkat.

Atlantis is a gitops tool

Got it. Thank you. If I understand you correctly every developer pipeline has to be configured to use Atlantis. But we can still consistently enforce policies on Terraform workflows?

yes, you can use contest or run a custom workflow to run other type of policies