
Issue restricting what workflows each repo has access to #1358

Closed
nw-code opened this issue Jan 21, 2021 · 4 comments · Fixed by #1377

Comments


nw-code commented Jan 21, 2021

Version: 0.16.0

Hi, firstly thanks for an awesome project.

I'm interested in implementing the use case detailed here. Namely, I'd like to be able to define all of my custom workflows server-side and then restrict which of these workflows are available to repos (using the allowed_workflows key).

This is my atlantis.yaml config:

version: 3
projects:
- autoplan:
    enabled: false
    when_modified:
    - "*"
  dir: terraform/tg_demo/pg_db/user
  terraform_version: v0.14.4
  workflow: terragrunt

And the corresponding server-side config (I'm using Jsonnet - the following object is eventually rendered, converted to a string and exposed as the ATLANTIS_REPO_CONFIG_JSON env var in the StatefulSet):

  atlantis_repo_config_json: {
    repos: [
      {
        id: '/.*/',
        apply_requirements: [
          'approved',
          'mergeable',
        ],
        allowed_overrides: [
          'workflow',
        ],
        allowed_workflows: [
          'terragrunt',
        ],
      },
    ],
    workflows: {
      terragrunt: {
        plan: {
          steps: [
            {
              env: {
                name: 'TERRAGRUNT_TFPATH',
                command: 'echo "terraform${ATLANTIS_TERRAFORM_VERSION}"',
              },
            },
            {
              run: 'terragrunt plan -no-color -out $PLANFILE',
            },
          ],
        },
        apply: {
          steps: [
            {
              env: {
                name: 'TERRAGRUNT_TFPATH',
                command: 'echo "terraform${ATLANTIS_TERRAFORM_VERSION}"',
              },
            },
            {
              run: 'terragrunt apply -no-color $PLANFILE',
            },
          ],
        },
      },
    },
  },

So, based on my understanding of the doco this should satisfy my use case. However, I'm seeing the following error in the logs:

2021/01/21 01:03:14+0000 [EROR] command_runner.go:535 foo/devops/cluster/gitlab#1: Parsing atlantis.yaml: workflow 'terragrunt' is not allowed for this repo

I had a bit of a dig through the code and found what I believe is the issue. If I add the following item to my server-side config, I no longer encounter the problem:

allow_custom_workflows: true

However, this then permits a user to redefine in atlantis.yaml the definition of any workflow defined in allowed_workflows (e.g. terragrunt in this case) which seems to violate the purpose of allowed_workflows.

Would appreciate any feedback re this.


netguino commented Jan 24, 2021

The intent of the feature is exactly as you are interpreting it. The idea was to allow projects to specify a couple of server side defined pre-approved workflows.

I need to look into it a little bit, but you're correct, this needs to work without allow_custom_workflows.


netguino commented Jan 24, 2021

yes, this is wrong:
if !sliceContainsF(allowedWorkflows, name) || !allowCustomWorkflows {
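The condition quoted above, reproduced beside the check it should have been, as an added example written for this page (not Atlantis's own code; `RepoCfg`, `buggyCheck`, `fixedCheck` and the "empty allowed_workflows means unrestricted" rule are assumptions of this example):

```go
package main

import "fmt"

// RepoCfg holds the two server-side settings this issue is about.
// Field names are assumptions for this example, not Atlantis's types.
type RepoCfg struct {
	AllowCustomWorkflows bool
	AllowedWorkflows     []string // assumption: empty list = no restriction
}

func sliceContains(xs []string, s string) bool {
	for _, x := range xs {
		if x == s {
			return true
		}
	}
	return false
}

// buggyCheck mirrors the condition quoted in the thread: with
// allow_custom_workflows false the right-hand side is always true, so every
// workflow is rejected, even one listed in allowed_workflows.
func buggyCheck(cfg RepoCfg, name string) error {
	if !sliceContains(cfg.AllowedWorkflows, name) || !cfg.AllowCustomWorkflows {
		return fmt.Errorf("workflow '%s' is not allowed for this repo", name)
	}
	return nil
}

// fixedCheck keeps the two gates separate: a workflow defined in the repo's own
// atlantis.yaml needs allow_custom_workflows, while a server-side workflow only
// needs to appear in allowed_workflows. A repo can therefore use the
// pre-approved 'terragrunt' workflow without being able to redefine it.
func fixedCheck(cfg RepoCfg, name string, definedInRepo bool) error {
	if definedInRepo && !cfg.AllowCustomWorkflows {
		return fmt.Errorf("repo may not define custom workflow '%s'", name)
	}
	if !definedInRepo && len(cfg.AllowedWorkflows) > 0 &&
		!sliceContains(cfg.AllowedWorkflows, name) {
		return fmt.Errorf("workflow '%s' is not allowed for this repo", name)
	}
	return nil
}

func main() {
	cfg := RepoCfg{AllowCustomWorkflows: false, AllowedWorkflows: []string{"terragrunt"}}
	fmt.Println("buggy:", buggyCheck(cfg, "terragrunt"))       // rejected
	fmt.Println("fixed:", fixedCheck(cfg, "terragrunt", false)) // <nil>
	fmt.Println("fixed, redefined in repo:", fixedCheck(cfg, "terragrunt", true))
}
```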


netguino commented Jan 28, 2021

Just to give you a quick update!

Work got in the way, but I have a fix ready, I just need to test it a bit to make sure it behaves as expected. I also added a new test to verify that it verifies correctly without allow_custom_workflows.


nw-code commented Jan 28, 2021

Awesome, thanks @netguino for the speedy response on this. Much appreciated 👍
