Add flag for setting Terraform Enterprise hostname

--tfe-hostname will allow for creating a .terraformrc file with a
different hostname than app.terraform.io

Author: lkysow

cmd/server.go

@@ -68,16 +68,19 @@ const (
 	SlackTokenFlag             = "slack-token"
 	SSLCertFileFlag            = "ssl-cert-file"
 	SSLKeyFileFlag             = "ssl-key-file"
+	TFEHostnameFlag            = "tfe-hostname"
 	TFETokenFlag               = "tfe-token"
 
 	// Flag defaults.
+	// NOTE: Must manually set these as defaults in the setDefaults function.
 	DefaultCheckoutStrategy = "branch"
 	DefaultBitbucketBaseURL = bitbucketcloud.BaseURL
 	DefaultDataDir          = "~/.atlantis"
 	DefaultGHHostname       = "github.com"
 	DefaultGitlabHostname   = "gitlab.com"
 	DefaultLogLevel         = "info"
 	DefaultPort             = 4141
+	DefaultTFEHostname      = "app.terraform.io"
 )
 
 var stringFlags = map[string]stringFlag{
@@ -175,9 +178,13 @@ var stringFlags = map[string]stringFlag{
 	SSLKeyFileFlag: {
 		description: fmt.Sprintf("File containing x509 private key matching --%s.", SSLCertFileFlag),
 	},
+	TFEHostnameFlag: {
+		description:  "Hostname of your Terraform Enterprise installation. If using Terraform Cloud no need to set.",
+		defaultValue: DefaultTFEHostname,
+	},
 	TFETokenFlag: {
-		description: "API token for Terraform Enterprise. This will be used to generate a ~/.terraformrc file." +
-			" Only set if using TFE as a backend." +
+		description: "API token for Terraform Cloud/Enterprise. This will be used to generate a ~/.terraformrc file." +
+			" Only set if using TFC/E as a remote backend." +
 			" Should be specified via the ATLANTIS_TFE_TOKEN environment variable for security.",
 	},
 	DefaultTFVersionFlag: {
@@ -418,6 +425,9 @@ func (s *ServerCmd) setDefaults(c *server.UserConfig) {
 	if c.Port == 0 {
 		c.Port = DefaultPort
 	}
+	if c.TFEHostname == "" {
+		c.TFEHostname = DefaultTFEHostname
+	}
 }
 
 func (s *ServerCmd) validate(userConfig server.UserConfig) error {
@@ -486,6 +496,10 @@ func (s *ServerCmd) validate(userConfig server.UserConfig) error {
 		}
 	}
 
+	if userConfig.TFEHostname != DefaultTFEHostname && userConfig.TFEToken == "" {
+		return fmt.Errorf("if setting --%s, must set --%s", TFEHostnameFlag, TFETokenFlag)
+	}
+
 	return nil
 }
 

cmd/server_test.go

@@ -362,6 +362,7 @@ func TestExecute_Defaults(t *testing.T) {
 	Equals(t, "", passedConfig.SlackToken)
 	Equals(t, "", passedConfig.SSLCertFile)
 	Equals(t, "", passedConfig.SSLKeyFile)
+	Equals(t, "app.terraform.io", passedConfig.TFEHostname)
 	Equals(t, "", passedConfig.TFEToken)
 }
 
@@ -466,6 +467,7 @@ func TestExecute_Flags(t *testing.T) {
 		cmd.SlackTokenFlag:             "slack-token",
 		cmd.SSLCertFileFlag:            "cert-file",
 		cmd.SSLKeyFileFlag:             "key-file",
+		cmd.TFEHostnameFlag:            "my-hostname",
 		cmd.TFETokenFlag:               "my-token",
 	})
 	err := c.Execute()
@@ -499,6 +501,7 @@ func TestExecute_Flags(t *testing.T) {
 	Equals(t, "slack-token", passedConfig.SlackToken)
 	Equals(t, "cert-file", passedConfig.SSLCertFile)
 	Equals(t, "key-file", passedConfig.SSLKeyFile)
+	Equals(t, "my-hostname", passedConfig.TFEHostname)
 	Equals(t, "my-token", passedConfig.TFEToken)
 }
 
@@ -533,6 +536,7 @@ require-mergeable: true
 slack-token: slack-token
 ssl-cert-file: cert-file
 ssl-key-file: key-file
+tfe-hostname: my-hostname
 tfe-token: my-token
 `)
 	defer os.Remove(tmpFile) // nolint: errcheck
@@ -570,6 +574,7 @@ tfe-token: my-token
 	Equals(t, "slack-token", passedConfig.SlackToken)
 	Equals(t, "cert-file", passedConfig.SSLCertFile)
 	Equals(t, "key-file", passedConfig.SSLKeyFile)
+	Equals(t, "my-hostname", passedConfig.TFEHostname)
 	Equals(t, "my-token", passedConfig.TFEToken)
 }
 
@@ -603,6 +608,7 @@ require-approval: true
 slack-token: slack-token
 ssl-cert-file: cert-file
 ssl-key-file: key-file
+tfe-hostname: my-hostname
 tfe-token: my-token
 `)
 	defer os.Remove(tmpFile) // nolint: errcheck
@@ -637,6 +643,7 @@ tfe-token: my-token
 		"SLACK_TOKEN":              "override-slack-token",
 		"SSL_CERT_FILE":            "override-cert-file",
 		"SSL_KEY_FILE":             "override-key-file",
+		"TFE_HOSTNAME":             "override-my-hostname",
 		"TFE_TOKEN":                "override-my-token",
 	} {
 		os.Setenv("ATLANTIS_"+name, value) // nolint: errcheck
@@ -674,6 +681,7 @@ tfe-token: my-token
 	Equals(t, "override-slack-token", passedConfig.SlackToken)
 	Equals(t, "override-cert-file", passedConfig.SSLCertFile)
 	Equals(t, "override-key-file", passedConfig.SSLKeyFile)
+	Equals(t, "override-my-hostname", passedConfig.TFEHostname)
 	Equals(t, "override-my-token", passedConfig.TFEToken)
 }
 
@@ -708,6 +716,7 @@ require-mergeable: true
 slack-token: slack-token
 ssl-cert-file: cert-file
 ssl-key-file: key-file
+tfe-hostname: my-hostname
 tfe-token: my-token
 `)
 
@@ -741,6 +750,7 @@ tfe-token: my-token
 		cmd.SlackTokenFlag:             "override-slack-token",
 		cmd.SSLCertFileFlag:            "override-cert-file",
 		cmd.SSLKeyFileFlag:             "override-key-file",
+		cmd.TFEHostnameFlag:            "override-my-hostname",
 		cmd.TFETokenFlag:               "override-my-token",
 	})
 	err := c.Execute()
@@ -772,6 +782,7 @@ tfe-token: my-token
 	Equals(t, "override-slack-token", passedConfig.SlackToken)
 	Equals(t, "override-cert-file", passedConfig.SSLCertFile)
 	Equals(t, "override-key-file", passedConfig.SSLKeyFile)
+	Equals(t, "override-my-hostname", passedConfig.TFEHostname)
 	Equals(t, "override-my-token", passedConfig.TFEToken)
 
 }
@@ -808,6 +819,7 @@ func TestExecute_FlagEnvVarOverride(t *testing.T) {
 		"SLACK_TOKEN":              "slack-token",
 		"SSL_CERT_FILE":            "cert-file",
 		"SSL_KEY_FILE":             "key-file",
+		"TFE_HOSTNAME":             "my-hostname",
 		"TFE_TOKEN":                "my-token",
 	}
 	for name, value := range envVars {
@@ -849,6 +861,7 @@ func TestExecute_FlagEnvVarOverride(t *testing.T) {
 		cmd.SlackTokenFlag:             "override-slack-token",
 		cmd.SSLCertFileFlag:            "override-cert-file",
 		cmd.SSLKeyFileFlag:             "override-key-file",
+		cmd.TFEHostnameFlag:            "override-my-hostname",
 		cmd.TFETokenFlag:               "override-my-token",
 	})
 	err := c.Execute()
@@ -882,6 +895,7 @@ func TestExecute_FlagEnvVarOverride(t *testing.T) {
 	Equals(t, "override-slack-token", passedConfig.SlackToken)
 	Equals(t, "override-cert-file", passedConfig.SSLCertFile)
 	Equals(t, "override-key-file", passedConfig.SSLKeyFile)
+	Equals(t, "override-my-hostname", passedConfig.TFEHostname)
 	Equals(t, "override-my-token", passedConfig.TFEToken)
 }
 
@@ -941,6 +955,18 @@ func TestExecute_RepoCfgFlags(t *testing.T) {
 	ErrEquals(t, "cannot use --repo-config and --repo-config-json at the same time", err)
 }
 
+// Can't use both --tfe-hostname flag without --tfe-token.
+func TestExecute_TFEHostnameOnly(t *testing.T) {
+	c := setup(map[string]interface{}{
+		cmd.GHUserFlag:        "user",
+		cmd.GHTokenFlag:       "token",
+		cmd.RepoWhitelistFlag: "github.com",
+		cmd.TFEHostnameFlag:   "not-app.terraform.io",
+	})
+	err := c.Execute()
+	ErrEquals(t, "if setting --tfe-hostname, must set --tfe-token", err)
+}
+
 func setup(flags map[string]interface{}) *cobra.Command {
 	vipr := viper.New()
 	for k, v := range flags {

runatlantis.io/docs/server-configuration.md

@@ -385,6 +385,15 @@ Values are chosen in this order:
   atlantis server --ssl-cert-file="/etc/ssl/private/my-cert.key"
   ```
   File containing x509 private key matching `--ssl-cert-file`.
+ 
+* ### `--tfe-hostname`
+  ```bash
+  atlantis server --tfe-hostname="my-terraform-enterprise.company.com"
+  ```
+  Hostname of your Terraform Enterprise installation to be used in conjunction with
+  `--tfe-token`. See [Terraform Cloud](terraform-cloud.html) for more details.
+  If using Terraform Cloud (i.e. you don't have your own Terraform Enterprise installation)
+  no need to set since it defaults to `app.terraform.io`.
 
 * ### `--tfe-token`
   ```bash

runatlantis.io/docs/terraform-cloud.md

@@ -1,13 +1,14 @@
-# Terraform Cloud
+# Terraform Cloud/Enterprise
 
-::: tip
-Terraform Enterprise was [recently renamed](https://www.hashicorp.com/blog/introducing-terraform-cloud-remote-state-management) Terraform Cloud.
+::: tip NOTE
+Terraform Enterprise was [recently renamed](https://www.hashicorp.com/blog/introducing-terraform-cloud-remote-state-management) Terraform Cloud
+and Private Terraform Enteprise was renamed Terraform Enterprise.
 :::
 
-Atlantis integrates seamlessly with Terraform Cloud, whether you're using:
+Atlantis integrates seamlessly with Terraform Cloud and Terraform Enterprise, whether you're using:
 * [Free Remote State Management](https://app.terraform.io/signup)
 * Terraform Cloud Paid Tiers
-* Private Terraform Enterprise
+* A Private Installation of Terraform Enterprise
 
 Read the docs below :point_down: depending on your use-case.
 [[toc]]
@@ -16,20 +17,21 @@ Read the docs below :point_down: depending on your use-case.
 To use Atlantis with Free Remote State Storage, you need to:
 1. Migrate your state to Terraform Cloud. See [Getting Started with the Terraform Cloud Free Tier](https://www.terraform.io/docs/enterprise/free/index.html#enable-remote-state-in-terraform-configurations)
 1. Update any projects that are referencing the state you migrated to use the new location
-1. [Generate a Terraform Cloud Token](#generating-a-terraform-cloud-token)
+1. [Generate a Terraform Cloud/Enterprise Token](#generating-a-terraform-cloud-enterprise-token)
 1. [Pass the token to Atlantis](#passing-the-token-to-atlantis)
 
 That's it! Atlantis will run as normal and your state will be stored in Terraform
 Cloud.
 
-## Using Atlantis With Terraform Cloud Paid Tiers
-Atlantis integrates with the full version of Terraform Cloud via its [remote backend](https://www.terraform.io/docs/backends/types/remote.html).
+## Using Atlantis With Terraform Cloud Remote Operations or Terraform Enterprise
+Atlantis integrates with the full version of Terraform Cloud and Terraform Enterprise
+via the [remote backend](https://www.terraform.io/docs/backends/types/remote.html).
 
 Atlantis will run `terraform` commands as usual, however those commands will
-actually be executed *remotely* in Terraform Cloud.
+actually be executed *remotely* in Terraform Cloud or Terraform Enterprise.
 
 ### Why?
-Using Atlantis with Terraform Cloud gives you access to features like:
+Using Atlantis with Terraform Cloud or Terraform Enterprise gives you access to features like:
 * Real-time streaming output
 * Ability to cancel in-progress commands
 * Secret variables
@@ -38,14 +40,14 @@ Using Atlantis with Terraform Cloud gives you access to features like:
 **Without** having to change your pull request workflow.
 
 ### Getting Started
-To use Atlantis with Terraform Cloud Paid Tiers, you need to:
-1. Migrate your state to Terraform Cloud. See [Migrating State from Terraform Open Source](https://www.terraform.io/docs/enterprise/migrate/index.html)
+To use Atlantis with Terraform Cloud Remote Operations or Terraform Enterprise, you need to:
+1. Migrate your state to Terraform Cloud/Enterprise. See [Migrating State from Terraform Open Source](https://www.terraform.io/docs/enterprise/migrate/index.html)
 1. Update any projects that are referencing the state you migrated to use the new location
-1. [Generate a Terraform Cloud Token](#generating-a-terraform-cloud-token)
+1. [Generate a Terraform Cloud/Enterprise Token](#generating-a-terraform-cloud-enterprise-token)
 1. [Pass the token to Atlantis](#passing-the-token-to-atlantis)
 
-## Generating a Terraform Cloud Token
-Atlantis needs a Terraform Cloud Token that it will use to access the API.
+## Generating a Terraform Cloud/Enterprise Token
+Atlantis needs a Terraform Cloud/Enterprise Token that it will use to access the API.
 Using a **Team Token is recommended**, however you can also use a User Token.
 
 ### Team Token
@@ -62,9 +64,18 @@ The token can be passed to Atlantis via the `ATLANTIS_TFE_TOKEN` environment var
 You can also use the `--tfe-token` flag, however your token would then be easily
 viewable in the process list.
 
-That's it! Atlantis should be able to perform Terraform operations using Terraform Cloud's
+If you're hosting your own Terraform Enterprise installation, set the `--tfe-hostname`
+flag to its hostname.
+
+That's it! Atlantis should be able to perform Terraform operations using Terraform Cloud/Enterprise's
 remote state backend now.
 
+:::warning
+The Terraform Cloud/Enterprise integration only works with the built-in
+`plan` and `apply` steps. It does not work with custom `run` steps that replace
+plan or apply.
+:::
+
 :::tip NOTE
 Under the hood, Atlantis is generating a `~/.terraformrc` file.
 If you already had a `~/.terraformrc` file where Atlantis is running,

server/events/terraform/terraform_client.go

@@ -97,7 +97,14 @@ var versionRegex = regexp.MustCompile("Terraform v(.*?)(\\s.*)?\n")
 // version.
 // tfDownloader is used to download terraform versions.
 // Will asynchronously download the required version if it doesn't exist already.
-func NewClient(log *logging.SimpleLogger, dataDir string, tfeToken string, defaultVersionStr string, defaultVersionFlagName string, tfDownloader Downloader) (*DefaultClient, error) {
+func NewClient(
+	log *logging.SimpleLogger,
+	dataDir string,
+	tfeToken string,
+	tfeHostname string,
+	defaultVersionStr string,
+	defaultVersionFlagName string,
+	tfDownloader Downloader) (*DefaultClient, error) {
 	var finalDefaultVersion *version.Version
 	var localVersion *version.Version
 	versions := make(map[string]string)
@@ -149,7 +156,7 @@ func NewClient(log *logging.SimpleLogger, dataDir string, tfeToken string, defau
 		if err != nil {
 			return nil, errors.Wrap(err, "getting home dir to write ~/.terraformrc file")
 		}
-		if err := generateRCFile(tfeToken, home); err != nil {
+		if err := generateRCFile(tfeToken, tfeHostname, home); err != nil {
 			return nil, err
 		}
 	}
@@ -383,12 +390,13 @@ func ensureVersion(log *logging.SimpleLogger, dl Downloader, versions map[string
 	return dest, nil
 }
 
-// generateRCFile generates a .terraformrc file containing config for tfeToken.
+// generateRCFile generates a .terraformrc file containing config for tfeToken
+// and hostname tfeHostname.
 // It will create the file in home/.terraformrc.
-func generateRCFile(tfeToken string, home string) error {
+func generateRCFile(tfeToken string, tfeHostname string, home string) error {
 	const rcFilename = ".terraformrc"
 	rcFile := filepath.Join(home, rcFilename)
-	config := fmt.Sprintf(rcFileContents, tfeToken)
+	config := fmt.Sprintf(rcFileContents, tfeHostname, tfeToken)
 
 	// If there is already a .terraformrc file and its contents aren't exactly
 	// what we would have written to it, then we error out because we don't
@@ -428,7 +436,7 @@ func getVersion(tfBinary string) (*version.Version, error) {
 // rcFileContents is a format string to be used with Sprintf that can be used
 // to generate the contents of a ~/.terraformrc file for authenticating with
 // Terraform Enterprise.
-var rcFileContents = `credentials "app.terraform.io" {
+var rcFileContents = `credentials "%s" {
   token = %q
 }`
 

server/events/terraform/terraform_client_internal_test.go

@@ -18,10 +18,10 @@ func TestGenerateRCFile_WritesFile(t *testing.T) {
 	tmp, cleanup := TempDir(t)
 	defer cleanup()
 
-	err := generateRCFile("token", tmp)
+	err := generateRCFile("token", "hostname", tmp)
 	Ok(t, err)
 
-	expContents := `credentials "app.terraform.io" {
+	expContents := `credentials "hostname" {
   token = "token"
 }`
 	actContents, err := ioutil.ReadFile(filepath.Join(tmp, ".terraformrc"))
@@ -39,7 +39,7 @@ func TestGenerateRCFile_WillNotOverwrite(t *testing.T) {
 	err := ioutil.WriteFile(rcFile, []byte("contents"), 0600)
 	Ok(t, err)
 
-	actErr := generateRCFile("token", tmp)
+	actErr := generateRCFile("token", "hostname", tmp)
 	expErr := fmt.Sprintf("can't write TFE token to %s because that file has contents that would be overwritten", tmp+"/.terraformrc")
 	ErrEquals(t, expErr, actErr)
 }
@@ -57,7 +57,7 @@ func TestGenerateRCFile_NoErrIfContentsSame(t *testing.T) {
 	err := ioutil.WriteFile(rcFile, []byte(contents), 0600)
 	Ok(t, err)
 
-	err = generateRCFile("token", tmp)
+	err = generateRCFile("token", "app.terraform.io", tmp)
 	Ok(t, err)
 }
 
@@ -72,15 +72,15 @@ func TestGenerateRCFile_ErrIfCannotRead(t *testing.T) {
 	Ok(t, err)
 
 	expErr := fmt.Sprintf("trying to read %s to ensure we're not overwriting it: open %s: permission denied", rcFile, rcFile)
-	actErr := generateRCFile("token", tmp)
+	actErr := generateRCFile("token", "hostname", tmp)
 	ErrEquals(t, expErr, actErr)
 }
 
 // Test that if we can't write, we error out.
 func TestGenerateRCFile_ErrIfCannotWrite(t *testing.T) {
 	rcFile := "/this/dir/does/not/exist/.terraformrc"
 	expErr := fmt.Sprintf("writing generated .terraformrc file with TFE token to %s: open %s: no such file or directory", rcFile, rcFile)
-	actErr := generateRCFile("token", "/this/dir/does/not/exist")
+	actErr := generateRCFile("token", "hostname", "/this/dir/does/not/exist")
 	ErrEquals(t, expErr, actErr)
 }