Description
Community Note
- Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request. Searching for pre-existing feature requests helps us consolidate datapoints for identical requirements into a single place, thank you!
- Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.
- If you are interested in working on this issue or have submitted a pull request, please leave a comment.
Overview of the Issue
I'm trying to configure Atlantis for my Gitlab environment and I'm having difficulties in setting GitLab teams as policy approvals. Here is a snippet of my Atlantis server configuration that fails -
```yaml
repoConfig: |
  ---
  repos:
  - id: /.*/
    apply_requirements: [approved, undiverged]
    workflow: custom
    allow_custom_workflows: true
    policy_check: true
    custom_policy_check: true
  policies:
    owners:
      teams:
        - production-engineers
    policy_sets:
      - name: Custom
        source: local
```
Well, I tried some other versions of the group name, such as -
- Adding quotes - `"production-engineers"`
- Using the group id - `41`
Needless to say, I'm the user (`dorian.ts`) who tries to run `approve-policies`, and I'm a maintainer in the `production-engineers` team. The only configuration that worked was setting a static users list like this -
```yaml
policies:
  owners:
    users:
      - dorian.ts
      - dan.dan
```
Apparently I'm not the only one having that issue, as seen in the Slack community; see this thread about the same issue.
I dug a bit in Atlantis code and I saw these pieces of code that might help understand what's the problem -
- The `GetTeamNamesForUser` function inside `gitlab_client.go` file - It should retrieve the GitLab team of the user that tried to run `approve-policies`.
- The `IsOwner` function inside `policies.go` file - It should iterate the user teams and compare between them and the list of allowed GitLab teams in the configuration.
Reproduction Steps
- Deploy Atlantis with some policy checks
- Create a GitLab Webhook to start interacting with your Atlantis deployment
- Use the above configuration to set the owner teams for policy approvals
- Create a repo and upload a new simple Terraform state into a branch.
- Create an MR and wait for the plan and policy check to happen. Make sure the policy check fails on something
- Try to run `atlantis approve-policies`
Logs
I'm `dorian.ts` and I'm part of the group `production-engineers`. I put a comment `atlantis approve_policies` in my MR. I'll share here a screenshot of Atlantis response + corresponding logs from Atlantis server.
atlantis-staging-0 atlantis {"level":"debug","ts":"2024-07-31T08:36:41.153Z","caller":"events/events_controller.go:127","msg":"handling GitLab post","json":{}}
atlantis-staging-0 atlantis {"level":"debug","ts":"2024-07-31T08:36:41.153Z","caller":"events/events_controller.go:598","msg":"request valid","json":{}}
atlantis-staging-0 atlantis {"level":"debug","ts":"2024-07-31T08:36:41.153Z","caller":"events/events_controller.go:602","msg":"handling as comment event","json":{}}
atlantis-staging-0 atlantis {"level":"info","ts":"2024-07-31T08:36:41.153Z","caller":"events/events_controller.go:656","msg":"parsed comment as command=\"approve_policies\" verbose=false dir=\"\" workspace=\"\" project=\"\" policyset=\"\", clear-policy-approval=false, flags=\"\"","json":{"repo":"dorian.ts/terraform-atlantis","pull":9}}
atlantis-staging-0 atlantis {"level":"debug","ts":"2024-07-31T08:36:41.153Z","caller":"vcs/gitlab_client.go:195","msg":"Adding reaction 'thumbsup' to comment 1021490 on GitLab merge request 9","json":{"repo":"dorian.ts/terraform-atlantis","pull":9}}
atlantis-staging-0 atlantis {"level":"debug","ts":"2024-07-31T08:36:41.264Z","caller":"vcs/gitlab_client.go:198","msg":"POST /projects/dorian.ts/terraform-atlantis/merge_requests/9/notes/1021490/award_emoji returned: 201","json":{"repo":"dorian.ts/terraform-atlantis","pull":9}}
atlantis-staging-0 atlantis {"level":"info","ts":"2024-07-31T08:36:41.264Z","caller":"events/events_controller.go:699","msg":"Running comment command 'approve_policies' on repo 'dorian.ts/terraform-atlantis', pull request: 9 for user 'dorian.ts'.","json":{"repo":"dorian.ts/terraform-atlantis","pull":9}}
atlantis-staging-0 atlantis {"level":"debug","ts":"2024-07-31T08:36:41.264Z","caller":"events/events_controller.go:858","msg":"Processing...","json":{}}
atlantis-staging-0 atlantis {"level":"debug","ts":"2024-07-31T08:36:41.264Z","caller":"server/middleware.go:72","msg":"POST /events – respond HTTP 200","json":{}}
atlantis-staging-0 atlantis {"level":"debug","ts":"2024-07-31T08:36:41.264Z","caller":"vcs/gitlab_client.go:504","msg":"Getting GitLab merge request 9","json":{"repo":"dorian.ts/terraform-atlantis","pull":"9"}}
atlantis-staging-0 atlantis {"level":"debug","ts":"2024-07-31T08:36:41.507Z","caller":"vcs/gitlab_client.go:507","msg":"GET /projects/dorian.ts/terraform-atlantis/merge_requests/9 returned: 200","json":{"repo":"dorian.ts/terraform-atlantis","pull":"9"}}
atlantis-staging-0 atlantis {"level":"debug","ts":"2024-07-31T08:36:41.507Z","caller":"vcs/gitlab_client.go:398","msg":"Updating GitLab commit status for 'atlantis/policy_check' to 'pending'","json":{"repo":"dorian.ts/terraform-atlantis","pull":"9"}}
atlantis-staging-0 atlantis {"level":"debug","ts":"2024-07-31T08:36:41.507Z","caller":"vcs/gitlab_client.go:504","msg":"Getting GitLab merge request 9","json":{"repo":"dorian.ts/terraform-atlantis","pull":"9"}}
atlantis-staging-0 atlantis {"level":"debug","ts":"2024-07-31T08:36:41.708Z","caller":"vcs/gitlab_client.go:507","msg":"GET /projects/dorian.ts/terraform-atlantis/merge_requests/9 returned: 200","json":{"repo":"dorian.ts/terraform-atlantis","pull":"9"}}
atlantis-staging-0 atlantis {"level":"debug","ts":"2024-07-31T08:36:41.708Z","caller":"vcs/gitlab_client.go:426","msg":"Head pipeline found for merge request 9, source 'external'. refTarget 'testing-7'","json":{"repo":"dorian.ts/terraform-atlantis","pull":"9"}}
atlantis-staging-0 atlantis {"level":"debug","ts":"2024-07-31T08:36:41.822Z","caller":"vcs/gitlab_client.go:468","msg":"POST /projects/dorian.ts/terraform-atlantis/statuses/f1b246066a0465323158044a2fc917ccdf021d3f returned: 201","json":{"repo":"dorian.ts/terraform-atlantis","pull":"9","attempt":1,"max_attempts":10,"repo":"dorian.ts/terraform-atlantis","commit":"f1b246066a0465323158044a2fc917ccdf021d3f","state":"pending"}}
atlantis-staging-0 atlantis {"level":"debug","ts":"2024-07-31T08:36:41.823Z","caller":"valid/global_cfg.go:425","msg":"building config based on server-side config","json":{"repo":"dorian.ts/terraform-atlantis","pull":"9"}}
atlantis-staging-0 atlantis {"level":"debug","ts":"2024-07-31T08:36:41.823Z","caller":"valid/global_cfg.go:682","msg":"setting custom_policy_check: true from repos[1], id: /.*/","json":{"repo":"dorian.ts/terraform-atlantis","pull":"9"}}
atlantis-staging-0 atlantis {"level":"debug","ts":"2024-07-31T08:36:41.823Z","caller":"valid/global_cfg.go:682","msg":"setting plan_requirements: [policies_passed] from repos[1], id: /.*/","json":{"repo":"dorian.ts/terraform-atlantis","pull":"9"}}
atlantis-staging-0 atlantis {"level":"debug","ts":"2024-07-31T08:36:41.823Z","caller":"valid/global_cfg.go:682","msg":"setting import_requirements: [policies_passed] from repos[1], id: /.*/","json":{"repo":"dorian.ts/terraform-atlantis","pull":"9"}}
atlantis-staging-0 atlantis {"level":"debug","ts":"2024-07-31T08:36:41.823Z","caller":"valid/global_cfg.go:682","msg":"setting delete_source_branch_on_merge: false from default server config","json":{"repo":"dorian.ts/terraform-atlantis","pull":"9"}}
atlantis-staging-0 atlantis {"level":"debug","ts":"2024-07-31T08:36:41.823Z","caller":"valid/global_cfg.go:682","msg":"setting allow_custom_workflows: true from repos[1], id: /.*/","json":{"repo":"dorian.ts/terraform-atlantis","pull":"9"}}
atlantis-staging-0 atlantis {"level":"debug","ts":"2024-07-31T08:36:41.823Z","caller":"valid/global_cfg.go:682","msg":"setting repo_locks: this is a bug from default server config","json":{"repo":"dorian.ts/terraform-atlantis","pull":"9"}}
atlantis-staging-0 atlantis {"level":"debug","ts":"2024-07-31T08:36:41.823Z","caller":"valid/global_cfg.go:682","msg":"setting policy_check: true from repos[1], id: /.*/","json":{"repo":"dorian.ts/terraform-atlantis","pull":"9"}}
atlantis-staging-0 atlantis {"level":"debug","ts":"2024-07-31T08:36:41.823Z","caller":"valid/global_cfg.go:682","msg":"setting apply_requirements: [approved,mergeable,undiverged,policies_passed] from repos[1], id: /.*/","json":{"repo":"dorian.ts/terraform-atlantis","pull":"9"}}
atlantis-staging-0 atlantis {"level":"debug","ts":"2024-07-31T08:36:41.823Z","caller":"valid/global_cfg.go:682","msg":"setting workflow: \"custom\" from repos[1], id: /.*/","json":{"repo":"dorian.ts/terraform-atlantis","pull":"9"}}
atlantis-staging-0 atlantis {"level":"debug","ts":"2024-07-31T08:36:41.823Z","caller":"valid/global_cfg.go:682","msg":"setting allowed_overrides: [] from default server config","json":{"repo":"dorian.ts/terraform-atlantis","pull":"9"}}
atlantis-staging-0 atlantis {"level":"debug","ts":"2024-07-31T08:36:41.823Z","caller":"events/project_command_context_builder.go:171","msg":"PolicyChecks are enabled","json":{"repo":"dorian.ts/terraform-atlantis","pull":"9"}}
atlantis-staging-0 atlantis {"level":"debug","ts":"2024-07-31T08:36:41.824Z","caller":"terraform/terraform_client.go:309","msg":"Found required_version setting of \">= 0.13\"","json":{"repo":"dorian.ts/terraform-atlantis","pull":"9"}}
atlantis-staging-0 atlantis 2024/07/31 08:36:41 [DEBUG] GET https://releases.hashicorp.com/terraform/index.json
atlantis-staging-0 atlantis {"level":"debug","ts":"2024-07-31T08:36:41.962Z","caller":"events/project_command_context_builder.go:98","msg":"Building project command context for approve_policies","json":{"repo":"dorian.ts/terraform-atlantis","pull":"9"}}
atlantis-staging-0 atlantis {"level":"info","ts":"2024-07-31T08:36:42.058Z","caller":"events/project_locker.go:86","msg":"acquired lock with id \"dorian.ts/terraform-atlantis/states/tf-buckets/default\"","json":{"repo":"dorian.ts/terraform-atlantis","pull":"9"}}
atlantis-staging-0 atlantis {"level":"debug","ts":"2024-07-31T08:36:42.058Z","caller":"events/project_command_runner.go:332","msg":"acquired lock for project","json":{"repo":"dorian.ts/terraform-atlantis","pull":"9"}}
atlantis-staging-0 atlantis {"level":"error","ts":"2024-07-31T08:36:42.058Z","caller":"events/instrumented_project_command_runner.go:78","msg":"Error running approve_policies operation: 1 error occurred:\n\t* policy set: Custom user dorian.ts is not a policy owner - please contact policy owners to approve failing policies\n\n","json":{"repo":"dorian.ts/terraform-atlantis","pull":"9"},"stacktrace":"github.com/runatlantis/atlantis/server/events.RunAndEmitStats\n\tgithub.com/runatlantis/atlantis/server/events/instrumented_project_command_runner.go:78\ngithub.com/runatlantis/atlantis/server/events.(*InstrumentedProjectCommandRunner).ApprovePolicies\n\tgithub.com/runatlantis/atlantis/server/events/instrumented_project_command_runner.go:50\ngithub.com/runatlantis/atlantis/server/events.runProjectCmds\n\tgithub.com/runatlantis/atlantis/server/events/project_command_pool_executor.go:48\ngithub.com/runatlantis/atlantis/server/events.(*ApprovePoliciesCommandRunner).Run\n\tgithub.com/runatlantis/atlantis/server/events/approve_policies_command_runner.go:75\ngithub.com/runatlantis/atlantis/server/events.(*DefaultCommandRunner).RunCommentCommand\n\tgithub.com/runatlantis/atlantis/server/events/command_runner.go:367"}
atlantis-staging-0 atlantis {"level":"debug","ts":"2024-07-31T08:36:42.059Z","caller":"vcs/gitlab_client.go:175","msg":"Creating comment on GitLab merge request 9","json":{"repo":"dorian.ts/terraform-atlantis","pull":"9"}}
atlantis-staging-0 atlantis {"level":"debug","ts":"2024-07-31T08:36:42.229Z","caller":"vcs/gitlab_client.go:184","msg":"POST /projects/dorian.ts/terraform-atlantis/merge_requests/9/notes returned: 201","json":{"repo":"dorian.ts/terraform-atlantis","pull":"9"}}
atlantis-staging-0 atlantis {"level":"debug","ts":"2024-07-31T08:36:42.229Z","caller":"events/db_updater.go:25","msg":"updating DB with pull results","json":{"repo":"dorian.ts/terraform-atlantis","pull":"9"}}
atlantis-staging-0 atlantis {"level":"debug","ts":"2024-07-31T08:36:42.231Z","caller":"vcs/gitlab_client.go:398","msg":"Updating GitLab commit status for 'atlantis/policy_check' to 'failed'","json":{"repo":"dorian.ts/terraform-atlantis","pull":"9"}}
atlantis-staging-0 atlantis {"level":"debug","ts":"2024-07-31T08:36:42.231Z","caller":"vcs/gitlab_client.go:504","msg":"Getting GitLab merge request 9","json":{"repo":"dorian.ts/terraform-atlantis","pull":"9"}}
atlantis-staging-0 atlantis {"level":"debug","ts":"2024-07-31T08:36:42.439Z","caller":"vcs/gitlab_client.go:507","msg":"GET /projects/dorian.ts/terraform-atlantis/merge_requests/9 returned: 200","json":{"repo":"dorian.ts/terraform-atlantis","pull":"9"}}
atlantis-staging-0 atlantis {"level":"debug","ts":"2024-07-31T08:36:42.439Z","caller":"vcs/gitlab_client.go:426","msg":"Head pipeline found for merge request 9, source 'external'. refTarget 'testing-7'","json":{"repo":"dorian.ts/terraform-atlantis","pull":"9"}}
atlantis-staging-0 atlantis {"level":"debug","ts":"2024-07-31T08:36:42.546Z","caller":"vcs/gitlab_client.go:468","msg":"POST /projects/dorian.ts/terraform-atlantis/statuses/f1b246066a0465323158044a2fc917ccdf021d3f returned: 201","json":{"repo":"dorian.ts/terraform-atlantis","pull":"9","attempt":1,"max_attempts":10,"repo":"dorian.ts/terraform-atlantis","commit":"f1b246066a0465323158044a2fc917ccdf021d3f","state":"failed"}}
Environment details
- Atlantis version: `atlantis v0.28.5 (commit: 92d10ec) (build date: 2024-07-17T17:07:30.148Z)`
- Deployment method: Helm
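
The owner check that the issue describes for `GetTeamNamesForUser` and `IsOwner`, modelled as an added example (not Atlantis's code and not written by the issue author). `Owners`, `anyFold`, `IsOwner` and `Explain` are hypothetical stand-ins, case-insensitive matching is an assumption, and the looked-up team lists are constructed. It separates a team lookup that returns nothing from one that returns non-matching names, two cases the single "is not a policy owner" error in the logs above does not distinguish.

```go
package main

import (
	"fmt"
	"strings"
)

// Owners mirrors the policies.owners block in the issue (hypothetical type).
type Owners struct{ Users, Teams []string }

// anyFold reports whether any element of a equals any element of b,
// ignoring case (case-insensitive matching is an assumption).
func anyFold(a, b []string) bool {
	for _, x := range a {
		for _, y := range b {
			if strings.EqualFold(x, y) {
				return true
			}
		}
	}
	return false
}

// IsOwner allows a listed user, or a user in at least one listed team.
func (o Owners) IsOwner(user string, userTeams []string) bool {
	return anyFold(o.Users, []string{user}) || anyFold(o.Teams, userTeams)
}

// Explain separates the two ways a teams-only config can deny a real member.
func (o Owners) Explain(user string, userTeams []string) string {
	switch {
	case o.IsOwner(user, userTeams):
		return "allowed"
	case len(o.Teams) > 0 && len(userTeams) == 0:
		return "denied: team lookup returned no teams for " + user
	case len(o.Teams) > 0:
		return "denied: looked-up teams [" + strings.Join(userTeams, ", ") + "] match none configured"
	}
	return "denied: " + user + " is not a listed user"
}

func main() {
	byTeam := Owners{Teams: []string{"production-engineers"}}
	byUser := Owners{Users: []string{"dorian.ts", "dan.dan"}}
	// Constructed lookup results; the issue does not show what the lookup returned.
	fmt.Println(byTeam.Explain("dorian.ts", nil))
	fmt.Println(byTeam.Explain("dorian.ts", []string{"acme/production-engineers"}))
	fmt.Println(byTeam.Explain("dorian.ts", []string{"Production-Engineers"}))
	fmt.Println(byUser.Explain("dorian.ts", nil))
}
```

Logging the looked-up team list next to the configured one at debug level would show which of the two denial cases applies.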