Option to auto run apply upon approval of PR

[MattPumphrey]

As part of the workflow we would like to see, when a PR has been reviewed, we would like the apply step to automatically pick up the fact that it has been reviewed and is good to go then to auto perform the apply step.

If changes are required on the PR, do not apply automatically once approved, but once all issues with the PR have been resolved. I believe this workflow would also work with alot of cases.

Currently with the action of having to have to enter the apply steps will be an organizational learning experience we would rather not have to teach Devs the complete in and outs of Terraform right off the bat.

[lkysow]

Hi Matt, I think this workflow would be great and something that should be added to Atlantis via configuration. To clarify the workflow:

1. Pull request is opened
2. Plan is run automatically
3. Pull request is approved
4. Apply is run for all plans

If changes are required on the PR, do not apply automatically once approved.

Can you clarify this a bit more, why would someone approve a PR if there were changes required? Also which VCS host are you using? Thanks!

[MattPumphrey]

Hello, currently we are using Github, we are planning a migration to Bitbucket either next quarter or the quarter after that. Your workflow that you have listed above is what we are trying to achieve. However, if there are changes required due to formatting, bad versions selected where we have commented to have them correct the issues, we do not want them to approve it uncorrected, but basically once it has been approved to have Atlantis go forth and do its due diligence. As our ultimate goal is to open up terraform beyond just our team, and allow them to submit jobs and build their process with this.

Our goal is to make this process as simple as possible for our teams as once we get closer to having a broader scope on things like this that would be great.

[majormoses]

One of the challenges is that not all reviews are equal, depending on your branch protections you could require say two approvals before applying and the first approval may not be a CODEOWNER I think looking at the mergable state of the PR is a pre-requisite to this for more info on why see #43 and #308

[nikovirtala]

Now that #43 is closed, and we have a mergeable requirement for apply available, I'd like to see also this auto apply topic moving forward.

From the workflow perspective, I am looking for roughly something like this: https://bit.ly/2WlmEFj

[barundel]

any update on this one? would love to see this feature.

[nchicong]

This is essential for automation, the latest successful plan should be auto applied if it's merge-able and has enough number of approvals.

[nikovirtala]

This is essential for automation, the latest successful plan should be auto applied if it's merge-able and has enough number of approvals.

Auto apply is against the Terraform Core Workflow principles, "it's important for the team to review the final concrete plan". In the other hand I fully understand the need and find the auto apply as an advantage but to be success it would require automation/tooling that would check the plan against the code changes and would approve the plan only if the resources are planned to change only in a way that is described in code. - So, far I haven't found such a tool. If you know one, I am happy to give it a try. :)

[redbelow]

Hi, is this still in the works? I'd argue that at least this should be an option for those who choose to implement. Also I'd argue that two approvals post-plan is already a valid check against the plan and code changes. If you require plan and (for us two ) approvals, the auto-apply reduces the workflow. Currently the apply is just someone having to type yet another comment after approvals are already met (apply_requirements already provide the security for this).. that extra comment adds a lot of delay to a process that's already pretty repetitive and time-consuming if you're working on new terraform changes that are complex. If someone didn't like or want to use the feature they could choose not to, of course. This is for people who want more automation.

[gutmensch]

I would like to second the points made here. Even if you would argue to require another additional action after approvals and mergeability checks have been done (which I can follow) - typing again atlantis apply + parameters is still very far from a desired one-click, final step, "run now"-solution and does not really support iterative development IMO. Another option for us could be e.g. to get this "Run Now" button in Slack with limited people to run it but still a lot of usability improvement over the current way.

[Vlaaaaaaad]

We are using a GitHub Action that checks the approval status( + plan check + other compliance checks) and that comments attlantis apply on the PR when all requirements are met 🙂

It works well for us and could be a good workaround.

[nikovirtala]

We are using a GitHub Action that checks the approval status( + plan check + other compliance checks) and that comments attlantis apply on the PR when all requirements are met 🙂

We have some workflows where this could work. Are you interested in sharing the GitHub Action code you use?

[Vlaaaaaaad]

@nikovirtala: it's a messy script that I am not allowed to share 😞

I can share that we're looking to move to using Open Policy Agent for auto-approvals and auto-applies( see "Terraform Code Reviews: Supercharged with Conftest" talk from HashiTalks 2020, with code at Blokje5/validating-terraform-with-conftest).
OPA tests pass or OPA validates module version usage => atlantis apply is commented. This will work nicely with Dependabot for Terraform when it's launched( or maybe with the temporary alternative until then?).

Also, check out the actions in sdras/awesome-actions, especially:

• https://github.com/WyriHaximus/github-action-wait-for-status to wait for a status
• https://github.com/peter-evans/create-or-update-comment to post a comment

I do have a plan to write all this up and open-source it, but I have no idea when I'll get to it.

[nikovirtala]

@Vlaaaaaaad No worries! – It will be a fun task to pull those strings together 😄

We are heavy users of Dependabot and applying pre-approved modules is one of those workflows where I miss the auto-apply.