runatlantis · nitrocode · Dec 9, 2022 · Aug 11, 2022 · Nov 14, 2022 · Nov 14, 2022
@@ -101,6 +101,7 @@ const (
 	SlackTokenFlag             = "slack-token"
 	SSLCertFileFlag            = "ssl-cert-file"
 	SSLKeyFileFlag             = "ssl-key-file"
+	StrictPlanFileList         = "strict-plan-file-list"
 	TFDownloadURLFlag          = "tf-download-url"
 	VarFileAllowlistFlag       = "var-file-allowlist"
 	VCSStatusName              = "vcs-status-name"
@@ -435,6 +436,10 @@ var boolFlags = map[string]boolFlag{
 		description:  "Switches on or off the Basic Authentication on the HTTP Middleware interface",
 		defaultValue: DefaultWebBasicAuth,
 	},
+	StrictPlanFileList: {
+		description:  "Block plan requests from projects outside the files modified in the pull request.",
+		defaultValue: false,
+	},
 }
 var intFlags = map[string]intFlag{
 	ParallelPoolSize: {

@@ -100,6 +100,7 @@ var testFlags = map[string]interface{}{
 	SlackTokenFlag:             "slack-token",
 	SSLCertFileFlag:            "cert-file",
 	SSLKeyFileFlag:             "key-file",
+	StrictPlanFileList:         false,
 	TFDownloadURLFlag:          "https://my-hostname.com",
 	TFEHostnameFlag:            "my-hostname",
 	TFELocalExecutionModeFlag:  true,

@@ -603,6 +603,12 @@ Values are chosen in this order:
   ```
   File containing x509 private key matching `--ssl-cert-file`.
 
+* ### `--strict-plan-file-list`
+  ```bash
+  atlantis server --strict-plan-file-list
+  ```
+  `--strict-plan-file-list` will block plan requests from projects outside the files modified in the pull request.
+
 * ### `--stats-namespace`
   ```bash
   atlantis server --stats-namespace="myatlantis"

@@ -933,6 +933,7 @@ func setupE2E(t *testing.T, repoDir string) (events_controllers.VCSEventsControl
 		false,
 		false,
 		"**/*.tf,**/*.tfvars,**/*.tfvars.json,**/terragrunt.hcl,**/.terraform.lock.hcl",
+		false,
 		statsScope,
 		logger,
 	)

@@ -3,6 +3,7 @@ package events
 import (
 	"fmt"
 	"os"
+	"path/filepath"
 	"sort"
 
 	"github.com/runatlantis/atlantis/server/core/config/valid"
@@ -45,6 +46,7 @@ func NewInstrumentedProjectCommandBuilder(
 	skipCloneNoChanges bool,
 	EnableRegExpCmd bool,
 	AutoplanFileList string,
+	StrictPlanFileList bool,
 	scope tally.Scope,
 	logger logging.SimpleLogging,
 ) *InstrumentedProjectCommandBuilder {
@@ -62,6 +64,7 @@ func NewInstrumentedProjectCommandBuilder(
 			skipCloneNoChanges,
 			EnableRegExpCmd,
 			AutoplanFileList,
+			StrictPlanFileList,
 			scope,
 			logger,
 		),
@@ -82,6 +85,7 @@ func NewProjectCommandBuilder(
 	skipCloneNoChanges bool,
 	EnableRegExpCmd bool,
 	AutoplanFileList string,
+	StrictPlanFileList bool,
 	scope tally.Scope,
 	logger logging.SimpleLogging,
 ) *DefaultProjectCommandBuilder {
@@ -96,6 +100,7 @@ func NewProjectCommandBuilder(
 		SkipCloneNoChanges: skipCloneNoChanges,
 		EnableRegExpCmd:    EnableRegExpCmd,
 		AutoplanFileList:   AutoplanFileList,
+		StrictPlanFileList: StrictPlanFileList,
 		ProjectCommandContextBuilder: NewProjectCommandContextBuilder(
 			policyChecksSupported,
 			commentBuilder,
@@ -159,6 +164,7 @@ type DefaultProjectCommandBuilder struct {
 	EnableRegExpCmd              bool
 	AutoplanFileList             string
 	EnableDiffMarkdownFormat     bool
+	StrictPlanFileList           bool
 }
 
 // See ProjectCommandBuilder.BuildAutoplanCommands.
@@ -345,6 +351,27 @@ func (p *DefaultProjectCommandBuilder) buildProjectPlanCommand(ctx *command.Cont
 		workspace = cmd.Workspace
 	}
 
+	if p.StrictPlanFileList {
+		modifiedFiles, err := p.VCSClient.GetModifiedFiles(ctx.Pull.BaseRepo, ctx.Pull)
+		if err != nil {
+			return nil, err
+		}
+
+		if cmd.RepoRelDir != "" {
+			foundDir := false
+
+			for _, f := range modifiedFiles {
+				if filepath.Dir(f) == cmd.RepoRelDir {
+					foundDir = true
+				}
+			}
+
+			if !foundDir {
+				return nil, fmt.Errorf("the dir \"%s\" is not in the plan list of this pull request", cmd.RepoRelDir)
+			}
+		}
+	}
+
 	var pcc []command.ProjectContext
 	ctx.Log.Debug("building plan command")
 	unlockFn, err := p.WorkingDirLocker.TryLock(ctx.Pull.BaseRepo.FullName, ctx.Pull.Num, workspace, DefaultRepoRelDir)

@@ -626,6 +626,7 @@ projects:
 				false,
 				false,
 				"**/*.tf,**/*.tfvars,**/*.tfvars.json,**/terragrunt.hcl,**/.terraform.lock.hcl",
+				false,
 				statsScope,
 				logger,
 			)
@@ -828,6 +829,7 @@ projects:
 				false,
 				true,
 				"**/*.tf,**/*.tfvars,**/*.tfvars.json,**/terragrunt.hcl,**/.terraform.lock.hcl",
+				false,
 				statsScope,
 				logger,
 			)
@@ -1058,6 +1060,7 @@ workflows:
 				false,
 				false,
 				"**/*.tf,**/*.tfvars,**/*.tfvars.json,**/terragrunt.hcl,**/.terraform.lock.hcl",
+				false,
 				statsScope,
 				logger,
 			)

@@ -159,6 +159,7 @@ projects:
 				false,
 				false,
 				"**/*.tf,**/*.tfvars,**/*.tfvars.json,**/terragrunt.hcl,**/.terraform.lock.hcl",
+				false,
 				scope,
 				logger,
 			)
@@ -427,6 +428,7 @@ projects:
 					false,
 					true,
 					"**/*.tf,**/*.tfvars,**/*.tfvars.json,**/terragrunt.hcl,**/.terraform.lock.hcl",
+					false,
 					scope,
 					logger,
 				)
@@ -582,6 +584,7 @@ projects:
 				false,
 				false,
 				"**/*.tf,**/*.tfvars,**/*.tfvars.json,**/terragrunt.hcl,**/.terraform.lock.hcl",
+				false,
 				scope,
 				logger,
 			)
@@ -673,6 +676,7 @@ func TestDefaultProjectCommandBuilder_BuildMultiApply(t *testing.T) {
 		false,
 		false,
 		"**/*.tf,**/*.tfvars,**/*.tfvars.json,**/terragrunt.hcl,**/.terraform.lock.hcl",
+		false,
 		scope,
 		logger,
 	)
@@ -758,6 +762,7 @@ projects:
 		false,
 		false,
 		"**/*.tf,**/*.tfvars,**/*.tfvars.json,**/terragrunt.hcl,**/.terraform.lock.hcl",
+		false,
 		scope,
 		logger,
 	)
@@ -837,6 +842,7 @@ func TestDefaultProjectCommandBuilder_EscapeArgs(t *testing.T) {
 				false,
 				false,
 				"**/*.tf,**/*.tfvars,**/*.tfvars.json,**/terragrunt.hcl,**/.terraform.lock.hcl",
+				false,
 				scope,
 				logger,
 			)
@@ -1020,6 +1026,7 @@ projects:
 				false,
 				false,
 				"**/*.tf,**/*.tfvars,**/*.tfvars.json,**/terragrunt.hcl,**/.terraform.lock.hcl",
+				false,
 				scope,
 				logger,
 			)
@@ -1087,6 +1094,7 @@ projects:
 		true,
 		false,
 		"**/*.tf,**/*.tfvars,**/*.tfvars.json,**/terragrunt.hcl,**/.terraform.lock.hcl",
+		false,
 		scope,
 		logger,
 	)
@@ -1145,6 +1153,7 @@ func TestDefaultProjectCommandBuilder_WithPolicyCheckEnabled_BuildAutoplanComman
 		false,
 		false,
 		"**/*.tf,**/*.tfvars,**/*.tfvars.json,**/terragrunt.hcl,**/.terraform.lock.hcl",
+		false,
 		scope,
 		logger,
 	)
@@ -1227,6 +1236,7 @@ func TestDefaultProjectCommandBuilder_BuildVersionCommand(t *testing.T) {
 		false,
 		false,
 		"**/*.tf,**/*.tfvars,**/*.tfvars.json,**/terragrunt.hcl,**/.terraform.lock.hcl",
+		false,
 		scope,
 		logger,
 	)

@@ -507,6 +507,7 @@ func NewServer(userConfig UserConfig, config Config) (*Server, error) {
 		userConfig.SkipCloneNoChanges,
 		userConfig.EnableRegExpCmd,
 		userConfig.AutoplanFileList,
+		userConfig.StrictPlanFileList,
 		statsScope,
 		logger,
 	)

@@ -84,6 +84,7 @@ type UserConfig struct {
 	SlackToken             string          `mapstructure:"slack-token"`
 	SSLCertFile            string          `mapstructure:"ssl-cert-file"`
 	SSLKeyFile             string          `mapstructure:"ssl-key-file"`
+	StrictPlanFileList     bool            `mapstructure:"strict-plan-file-list"`
 	TFDownloadURL          string          `mapstructure:"tf-download-url"`
 	TFEHostname            string          `mapstructure:"tfe-hostname"`
 	TFELocalExecutionMode  bool            `mapstructure:"tfe-local-execution-mode"`