This is a bugfix release containing an important fix to how Atlantis executes Terraform. A bug was introduced in v0.4.14 that causes Atlantis to hang indefinitely while executing Terraform when Terraform produces a lot of output.
In addition, there's a fix to automerge when you require rebasing or commit squashing in GitHub and a fix for the mergeability check if you're requiring the Atlantis status to pass in GitHub.
Diff: https://github.com/runatlantis/atlantis/compare/v0.4.14...v0.4.15
None – this is a bugfix release.
- Atlantis hangs on large plans. (Fixes #452)
- Automerge now works on GitHub if you require a rebase or squash merge. (#466)
- Automerge now works on Bitbucket if previously you were getting XSRF errors. (Fixes #465)
- Requiring `mergeable` now works on GitHub if you are also requiring the Atlantis status to pass before merging. (Fixes #453)
None
WARNING: This release contains a bug that causes Terraform execution to stall on large infrastructures. Please use v0.4.15 instead.
This release contains two big new features: Automerge and Checkout Strategy.
Automerge is a much asked for feature that allows Atlantis to automatically
merge your pull requests if all plans have been applied successfully.
It can be enabled via the `--automerge` flag, or via an `atlantis.yaml` setting:

```yaml
version: 2
automerge: true
projects:
- ...
```

Checkout Strategy allows you to choose if Atlantis checks out the exact branch
from the pull request or what the destination branch will look like once the pull
request is merged. You can choose your checkout strategy via the `--checkout-strategy`
flag which supports `branch` (the default) or `merge`.
Diff: https://github.com/runatlantis/atlantis/compare/v0.4.13...v0.4.14
- Can now be configured to automatically merge pull requests after all plans have been applied. See https://www.runatlantis.io/docs/automerging.html. (Fixes #186)
- New `--checkout-strategy` flag which supports checking out the code as it will look once the pull request is merged. Previously we only supported checking out the pull request branch which might be out of date with the destination branch and so cause Terraform to delete resources that have already been applied. See https://www.runatlantis.io/docs/checkout-strategy.html. (Fixes #35)
- Support Terraform 0.12 by version detection and then changing how Atlantis runs its Terraform commands. (#419)
- New `--tfe-token` flag to support using Terraform Enterprise's Free Remote State Storage. (#419)
- Run plan in directory when file is moved. (Fixes #413)
- Fix bug where when Terraform crashed, Atlantis would hang indefinitely. (#421)
None
The release downloads have been deleted because this release contains a critical bug
This release is focused on quick-wins, bugfixes and one new feature that allows
users to require pull requests be "mergeable", before allowing for `atlantis apply`.
The mergeable apply requirement is very useful for GitHub users where it allows them to require pull requests be approved by specific users or require certain status checks to pass. See https://www.runatlantis.io/docs/apply-requirements.html#mergeable for more information.
Diff: https://github.com/runatlantis/atlantis/compare/v0.4.12...v0.4.13
- Introduce a new (optional) `mergeable` apply requirement that requires pull requests to be mergeable prior to allowing `apply` to run. (Fixes #43)
- If users have workspaces configured for a directory via an `atlantis.yaml` file, only allow commands to be run on those workspaces. All commands attempted to be run on different workspaces will error out.

  For example, if I have an `atlantis.yaml` file:

  ```yaml
  version: 2
  projects:
  - dir: mydir
    workspace: default
  - dir: mydir
    workspace: staging
  ```

  Then I can run `atlantis apply -d mydir -w default` and `atlantis apply -d mydir -w staging` but I will receive an error if I run `atlantis apply -d mydir -w somethingelse`.
- If users are setting the `name` key for their projects in `atlantis.yaml`, then include the project name in the comment output so it's easier to identify which plan/apply output is for which project. (Fixes #353)
- Bump the Terraform version in the Docker image to `0.11.11`.
- Tweak logging to add timezone to the timestamp and make the output more readable. (#402)
- Warn users if running `atlantis apply -- -target=myresource` because `-target` can only be specified during `atlantis plan`. (Fixes #399)
- If `terraform plan` returns an error, print the error to the pull request. (#381)
- Split Bitbucket Server comments into multiple comments if over the max size. (Fixes #280)
- Fix issue where if users specified `--gitlab-hostname` without a scheme then Atlantis wouldn't parse the URL correctly. (#377)
- Give better error message if GitLab users are commenting on commits instead of a merge request. (Fixes #150, #390)
- If an error occurs early in request processing, comment that error back on the pull request. Previously, we were commenting back on errors but not for errors very early in the processing. (Fixes #398)
- The version of Terraform installed in the `runatlantis/atlantis` Docker image is now `0.11.11`. Previously it was `0.11.10`.
- If you are a) using an `atlantis.yaml` file and b) defining Terraform workspaces and c) running plan and apply against workspaces that were not defined in the `atlantis.yaml` file, then this no longer works.

  You will now need to define all the workspaces in the `atlantis.yaml` file. For example, say you had the following config:

  ```yaml
  version: 2
  projects:
  - dir: mydir
    workspace: production
  ```

  And you used to run:

  ```
  atlantis plan -d mydir -w anotherworkspace
  atlantis apply -d mydir -w anotherworkspace
  ```

  For this to work now, you need to add the `anotherworkspace` workspace to your `atlantis.yaml` file:

  ```yaml
  version: 2
  projects:
  - dir: mydir
    workspace: production
  - dir: mydir
    workspace: anotherworkspace
  ```

Small feature and bug fix release. If you're using GitLab <11.1 then your comment formatting is fixed!
Diff: https://github.com/runatlantis/atlantis/compare/v0.4.11...v0.4.12
- Atlantis can now be hosted behind a path-based router and its UI will still render correctly. For example, you could host atlantis at mydomain.com/mypath, then run `atlantis server --atlantis-url https://mydomain.com/mypath` and when atlantis renders its UI, all the URLs will have the `/mypath` prefix so the UI renders properly. (Fixes #213)
- Log warning if GitLab hostname isn't resolvable. (Fixes #359)
- Support running our official Docker image `runatlantis/atlantis` on OpenShift. OpenShift runs images with random uids so we needed to build in support for that. (Fixes #345)
- If the output is too long for a single GitHub comment, maintain formatting when splitting into multiple comments. (Fixes #111)
- Fix bug with using the pagination API in BitBucket. (#354)
- If using GitLab < 11.1 then don't use expandable markdown comments. (Fixes #315)
- Fix output from custom steps that came before the plan step from being removed. (#367)
We made changes to the base image (`runatlantis/atlantis-base`) that `runatlantis/atlantis`
is built off of. These changes should not affect your
running of atlantis unless you're building your own custom images and were relying
on specific user permissions. Even then we don't anticipate any problems.
These are the changes in detail:
- Previously, the permissions of `/home/atlantis` were:

  ```
  $ ls -la /home/atlantis/
  drwxr-sr-x 2 atlantis atlantis 4096 Sep 13 22:49 .
  ```

  Now they are:

  ```
  $ ls -la /home/atlantis/
  drwxrwxr-x 2 atlantis root 4096 Nov 28 21:22 .
  ```

  - The directory is now owned by the `root` group.
  - Its group permissions now include `w` and `x`.

  This was needed because OpenShift runs Docker images as random uid's under the root group and so now those random uid's can use `/home/atlantis` as their data directory.
- Previously, the `atlantis` user was only part of its own group:

  ```
  $ gosu atlantis sh
  $ whoami
  atlantis
  $ groups
  atlantis
  ```

  Now it's also part of the `root` group:

  ```
  $ gosu atlantis sh
  $ groups
  atlantis root
  ```

- Previously, the permissions for `/etc/passwd` were:

  ```
  $ ls -la /etc/passwd
  -rw-r--r-- 1 root root 1284 Sep 13 22:49 /etc/passwd
  ```

  Now the permissions are:

  ```
  $ ls -la /etc/passwd
  -rw-rw-r-- 1 root root 1284 Nov 28 21:22 /etc/passwd
  ```

  The `w` group permission was added so that in OpenShift, the random uid can write their own login entry (https://github.com/runatlantis/atlantis/blob/master/docker-entrypoint.sh#L28) which is required because `terraform` expects the running user to have an entry in `/etc/passwd`.

Medium sized release that updates the Terraform version and makes `terraform plan` output smaller by removing the `Refreshing...` output.
Diff: https://github.com/runatlantis/atlantis/compare/v0.4.10...v0.4.11
- Upgraded Docker image to use Terraform 0.11.10
- `terraform plan` output is shorter now thanks to removing the `Refreshing...` output (#339)
- Project names specified in `atlantis.yaml` can now contain `/`'s. This is useful if you want to name your projects similar to the directories they're in. (Fixes #253)
- Added new flag `--silence-whitelist-errors` which prevents Atlantis from commenting back on pull requests from non-whitelisted repos. This is useful if you want to add the Atlantis webhook to a whole organization and then control which repos are actioned on via the whitelist. (Fixes #312)
- The message when the project is locked is now more helpful. (#336)
- Run `terraform plan` with `-var atlantis_repo_owner=runatlantis -var atlantis_repo_name=atlantis -var atlantis_pull_num=10` (if the repo was runatlantis/atlantis) (#300)
- Quote plan filenames so that Bitbucket projects with spaces in their names still work (Fixes #302)
- Atlantis now runs `terraform plan` with

  ```
  -var atlantis_repo_owner=runatlantis \
  -var atlantis_repo_name=atlantis \
  -var atlantis_pull_num=10
  ```

  (in this example the repo that Atlantis is running on is runatlantis/atlantis).

  If you were using those variables in your terraform code:

  ```hcl
  variable "atlantis_repo_owner" {
    default = "my_default"
  }
  ```

  Then Atlantis will be overriding those variables with its own values. To prevent this, you need to rename your variables.

  If you aren't using those variables then this change won't affect you.

Small bugfix release to fix issues with new comment format.
Diff: https://github.com/runatlantis/atlantis/compare/v0.4.9...v0.4.10
None
- Fix bad comment rendering (#294)
- Fix `plan` not working on Bitbucket Server when repo owner contains spaces (#290)
None
This release is mostly focused on changing how comments look. Terraform output is now automatically hidden if it's over 12 lines long. Also, the red and green highlighting for added and removed resources is fixed.
Diff: https://github.com/runatlantis/atlantis/compare/v0.4.8...v0.4.9
- Terraform output over 12 lines is hidden in comment until expanded
- `terraform plan` output is highlighted correctly
- Terraform is now executed with `-var atlantis_repo={repo name} -var atlantis_pull_num={pull num}`. This will allow users to trace Atlantis `terraform` executions in CloudTrail back to a specific user and pull request if using assume role by creating a specific name for the session Terraform initiates.

  ```hcl
  provider "aws" {
    assume_role {
      role_arn     = "arn:aws:iam::ACCOUNT_ID:role/ROLE_NAME"
      session_name = "${var.atlantis_user}-${var.atlantis_repo}-${var.atlantis_pull_num}"
    }
  }
  ```

- Run terraform with `-input=false` (#268).
- We set two new Terraform variables: `atlantis_repo` and `atlantis_pull_num`. If you were using variables with those names in your code you will need to rename them in your code.
Security release to upgrade the Docker image to the latest version of Alpine Linux that fixes this bug: https://justi.cz/security/2018/09/13/alpine-apk-rce.html
Diff: https://github.com/runatlantis/atlantis/compare/v0.4.7...v0.4.8
None
- Change server startup message to INFO from WARN level.
None
Support GitLab repos nested under multiple levels and use the latest version of Terraform: 0.11.8!
- Support GitLab groups which allow repos to be nested under multiple levels, ex. `gitlab.com/owner/group/subgroup/subsubgroup/repo`
- Use latest version of Terraform: 0.11.8 in Docker image
- When running with `TF_LOG` set, Atlantis will start normally. Previously it would error out due to attempting to parse the stderr output of the `terraform version` command.
None
Just a small bugfix release.
None
- If `terraform init` fails, include the failure logs in the comment posted back to the PR.
None
- `atlantis apply` now applies all unapplied plans instead of just the plan in the root directory. (#169)
- `atlantis plan` now plans all modified projects instead of just the root directory.
- Plan comments now contain instructions for how to run apply or re-run plan.
- Ignore approvals from the pull request author (Bitbucket Cloud only). Fixes (#201)
- When double clicking on a GitHub comment, ex.

  ```
  atlantis apply
  ```

  GitHub would add two newlines to the end. If this was then pasted into a new comment, Atlantis would accept it because of the extra newlines. This has been fixed and the comment with two newlines will be accepted.
- `atlantis apply` now applies all unapplied plans. Previously it would only apply the plan in the root directory and default workspace.
- `atlantis plan` now plans all modified projects. Previously it would only run plan in the root directory and default workspace.
- Supports Bitbucket Server (#190).
- Fix `/etc/hosts` not being respected (#196).
None
- Supports Bitbucket Cloud (bitbucket.org) (#30).
None
None
- Don't comment on pull request if autoplan determines there are no projects to plan in. This was getting very noisy for users who use their repos for more than just Terraform (#183).
None
None
- Add new `/healthz` endpoint for health checking in Kubernetes (#102)
- Set `$PLANFILE` environment variable to expected location of plan file when running custom steps (#168)
  - This enables overriding the command Atlantis uses to `plan` and substituting your own or piping through a custom script.
- Changed default pattern to detect changed files to `*.tf*` from `*.tf` in order to trigger on `.tfvars` files.
None
None
- Autoplanning - Atlantis will automatically run `plan` on new pull requests and when new commits are pushed to the pull request.
- New repository `atlantis.yaml` format that supports:
  - Complete customization of plans run
  - Single config file for whole repository
  - Controlling autoplanning
- Moved docs to standalone website from the README.
- Fixes:
- The old `atlantis.yaml` config file format is not supported. You will need to migrate to the new config format, see: https://www.runatlantis.io/docs/upgrading-atlantis-yaml-to-version-2.html
- To use the new config file, you must run Atlantis with `--allow-repo-config`.
- Atlantis will now try to automatically plan. To disable this, you'll need to create an `atlantis.yaml` file as follows:

  ```yaml
  version: 2
  projects:
  - dir: mydir
    autoplan:
      enabled: false
  ```

- `atlantis apply` no longer applies all un-applied plans but instead applies only the plan in the root directory and default workspace. This will be reverted in an upcoming release.
- `atlantis plan` no longer plans in all modified projects but instead runs plan only in the root directory and default workspace. This will be reverted in an upcoming release.
None
- If the `TF_LOG` environment variable is set, should still be able to start. Previously `atlantis server` would exit immediately because it couldn't parse the output of `terraform version`.
None
- Rename `atlantis bootstrap` to `atlantis testdrive` to make it clearer that it doesn't set up Atlantis for you. Fixes (#129).
- Atlantis will now comment on a pull request when a plan/lock is discarded from the Atlantis UI. Fixes (#27).
- Fix issue during `atlantis bootstrap` where ngrok tunnel took a long time to start. Atlantis will now wait until it sees the expected log entry before continuing. Fixes (#92).
- Fix missing error checking during `atlantis bootstrap`. (#130).
- `atlantis bootstrap` renamed to `atlantis testdrive`
- None
- Fix GitLab approvals not actually checking approval (#114)
- None
- Terraform 0.11.7 in Docker image
- Docker build now verifies terraform install via checksum
- None
- None
- `--repo-whitelist` is now case insensitive. Fixes (#95).
- None
- `atlantis server -h` has newlines between flags so it's easier to read (#91).
- `atlantis bootstrap` uses a custom ngrok config file so it should work even if the user is already running another ngrok tunnel (#93).
- None
- Log a warning if unable to update commit status. (#84)
- None
This release delivers some speed improvements through caching plugins and
not running `terraform workspace select` unnecessarily. In my testing it saves ~20s per run.
- All config flags can now be specified by environment variables. Fixes (#38).
  - Completed thanks to @psalaberria002!
- Run terraform with the `TF_PLUGIN_CACHE_DIR` env var set. Fixes (#34).
  - This will cache plugins and make `terraform init` faster. Terraform will still download new versions of plugins. See https://www.terraform.io/docs/configuration/providers.html#provider-plugin-cache for more details.
  - In my testing this saves >10s per run.
- Run terraform with `TF_IN_AUTOMATION=true` so the output won't contain suggestions to run commands that you can't run via Atlantis. (#82).
- Don't run `terraform workspace select` unless we actually need to switch workspaces. (#82).
  - In my testing this saves ~10s.
- Validate that workspace doesn't contain a path when running ex. `atlantis plan -w /jdlkj`. This was already not a valid workspace name according to Terraform. (#78).
- Error out if `ngrok` is already running when running `atlantis bootstrap` (#81).
- None
- Atlantis version shown in footer of web UI. Fixes (#33).
- GitHub comments greater than the max length will be split into multiple comments. Fixes (#55).
- None
This release focused on some security issues reported by @eriksw, thanks Erik! By default, Atlantis will be more secure now and you'll have to specify which repositories you want it to work on.
- New flag `--allow-fork-prs` added to `atlantis server` controls whether Atlantis will operate on pull requests from forks. Defaults to `false`. This flag was added because on a public repository anyone could open up a pull request to your repo and use your Atlantis install.
- New mandatory flag `--repo-whitelist` added to `atlantis server` controls which repos Atlantis will operate on. This flag was added so that if a webhook secret is compromised (or you're not using webhook secrets) Atlantis won't be used on repos you don't control.
- Warn if running `atlantis server` without any webhook secrets set. This is dangerous because without a webhook secret, an attacker could spoof requests to Atlantis.
- Make CLI output more readable by setting a fixed column width.
- None
- Must set `--allow-fork-prs` now if you want to run Atlantis on pull requests from forked repos.
- Must set `--repo-whitelist` in order to start `atlantis server`. See `atlantis server --help` for how that flag works.
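
The three controls in this release (webhook secret, repo whitelist, fork pull requests) act as successive gates on an incoming webhook. The sketch below is an added example, not Atlantis's own code: the `config`, `event` and `decide` names, the whitelist pattern syntax (exact name or trailing `*`) and the fork test (head repo differs from base repo) are assumptions, and it uses GitHub's `X-Hub-Signature-256` HMAC format.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

type config struct {
	secret       []byte   // webhook secret shared with the VCS host
	whitelist    []string // --repo-whitelist entries
	allowForkPRs bool     // --allow-fork-prs
}

type event struct {
	body, signature    string // raw payload and its X-Hub-Signature-256 header
	baseRepo, headRepo string // repo receiving the PR, repo holding the branch
}

// sign returns "sha256=" + hex(HMAC-SHA256(secret, body)), GitHub's header format.
func sign(secret []byte, body string) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(body))
	return "sha256=" + hex.EncodeToString(mac.Sum(nil))
}

// repoAllowed is case-insensitive; assumed syntax: exact name, or prefix + "*".
func repoAllowed(whitelist []string, repo string) bool {
	repo = strings.ToLower(repo)
	for _, entry := range whitelist {
		entry = strings.ToLower(entry)
		if strings.HasSuffix(entry, "*") {
			if strings.HasPrefix(repo, strings.TrimSuffix(entry, "*")) {
				return true
			}
		} else if entry == repo {
			return true
		}
	}
	return false
}

// decide checks authenticity, repo, then fork; a missing secret rejects (example policy).
func decide(c config, e event) string {
	if len(c.secret) == 0 || !hmac.Equal([]byte(sign(c.secret, e.body)), []byte(e.signature)) {
		return "reject: signature"
	}
	if !repoAllowed(c.whitelist, e.baseRepo) {
		return "reject: repo not whitelisted"
	}
	if !c.allowForkPRs && !strings.EqualFold(e.baseRepo, e.headRepo) {
		return "reject: fork pull request"
	}
	return "accept"
}

func main() {
	c := config{secret: []byte("constructed-secret"), whitelist: []string{"github.com/runatlantis/*"}}
	body := `{"action":"opened"}` // constructed payload
	fork := event{body, sign(c.secret, body), "github.com/runatlantis/atlantis", "github.com/contributor/atlantis"}
	fmt.Println(decide(c, fork))
}
```

The signature is compared with `hmac.Equal`, which runs in constant time, and the whitelist is checked against the base repository so that a fork cannot choose the name being matched.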
- None
- Run apply in correct directory when using `-d` flag. Fixes (#22)
- None
- Fix security issue where Atlantis wasn't escaping the optional "extra args" that could be appended to comments (#16)
  - example exploit: `atlantis plan ; cat /etc/passwd`
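
The class of bug behind this fix, shown as an added example that is not Atlantis's own code: comment text pasted into a shell command line unchanged, next to a version that single-quotes every extra argument. The helper names (`extraArgs`, `shellQuote`, `unsafeCommand`, `safeCommand`) are hypothetical, and the assumption is that the resulting string is handed to `sh -c`.

```go
package main

import (
	"fmt"
	"strings"
)

// extraArgs returns the words that follow "atlantis <command>" in a pull
// request comment. Hypothetical helper, not Atlantis's real comment parser.
func extraArgs(comment string) []string {
	fields := strings.Fields(comment)
	if len(fields) < 2 || fields[0] != "atlantis" {
		return nil
	}
	return fields[2:]
}

// shellQuote wraps s in single quotes for a POSIX shell. Inside single quotes
// every byte is literal; an embedded ' is written as '\'' (close the quote,
// emit an escaped quote, reopen).
func shellQuote(s string) string {
	return "'" + strings.ReplaceAll(s, "'", `'\''`) + "'"
}

// unsafeCommand shows the bug class: comment text is pasted unchanged into a
// string that is later handed to "sh -c", so ';' ends the terraform command.
func unsafeCommand(comment string) string {
	return strings.Join(append([]string{"terraform", "plan"}, extraArgs(comment)...), " ")
}

// safeCommand quotes every extra argument, so the shell passes each one to
// terraform as a literal word and never interprets it.
func safeCommand(comment string) string {
	parts := []string{"terraform", "plan"}
	for _, a := range extraArgs(comment) {
		parts = append(parts, shellQuote(a))
	}
	return strings.Join(parts, " ")
}

func main() {
	// Constructed comments: the one from the release note and a benign one.
	for _, c := range []string{
		"atlantis plan ; cat /etc/passwd",
		"atlantis plan -target=resource",
	} {
		fmt.Printf("comment: %s\n  unsafe: %s\n  safe:   %s\n", c, unsafeCommand(c), safeCommand(c))
	}
}
```

When the binary is started directly with `exec.Command(name, args...)`, no shell parses the arguments and the quoting step is unnecessary.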
- Atlantis moved to new repo: `atlantisrun/atlantis`. Read why here
- New -w/--workspace and -d/--dir flags in comments (#14)
  - You can now specify which directory to plan/apply in, ex. `atlantis plan -d dir1/dir2`
- Better feedback from atlantis when asking for help via comments, ex. `atlantis plan -h`
- Convert `--data-dir` paths to absolute from relative. Fixes (#245)
- Don't run plan in the parent of `modules/` unless there's a `main.tf` present. Fixes (#12)
- You must use the `-w` flag to specify a workspace when commenting now
  - Previously: `atlantis plan staging`, now: `atlantis plan -w staging`
- You must use a double-dash between Atlantis flags and extra args to be appended to the terraform command
  - Previously: `atlantis plan -target=resource`, now: `atlantis plan -- -target=resource`
- Atlantis will no longer run `plan` in the parent directory of `modules/` unless there is a `main.tf` in that directory.
- SSL support added (#233)
- GitLab custom URL for GitLab Enterprise installations now works (#231)
None
None
- Use `env` instead of `workspace` for Terraform 0.9.*
None
None
- The environment variables available when executing commands have changed:
  - `WORKSPACE` => `DIR` - this is the absolute path to the project directory on disk
  - `ENVIRONMENT` => `WORKSPACE` - this is the name of the Terraform workspace that we're running in (ex. default)
- The schema for storing locks changed. Any old locks will still be held but you will be unable to discard them in the UI.
  To fix this, either merge all the open pull requests before upgrading OR delete the `~/.atlantis/atlantis.db` file. This is safe to do because you'll just need to re-run `plan` to get your plan back.
- Don't ignore changes in `modules` directories anymore. (#211)
- Don't set `as_user` to true for Slack webhooks so we can integrate as a workspace app. (#206)
None
None
None
- Environment variables are passed through to `extra_arguments`. (#150)
- Tested hundreds of lines of code. Test coverage now at 60%. (https://codecov.io/gh/hootsuite/atlantis)
- Modules in list of changed files weren't being filtered. (#193)
- Nil pointer error in bootstrap mode. (#181)
None
- All flags passed to `atlantis plan` or `atlantis apply` will now be passed through to `terraform`. (#131)
- Fix command parsing when comment ends with newline. (#131)
- Plan and Apply outputs are shown in new line. (#132)
- `--aws-assume-role-arn` and `--aws-region` flags removed. Instead, to name the assume role session with the GitHub username of the user running the Atlantis command use the `atlantis_user` terraform variable alongside Terraform's built-in support for assume role (see https://github.com/runatlantis/atlantis/blob/master/README.md#assume-role-session-names)
- Atlantis has a docker image now (#123). Here is how you can try it out:

  ```bash
  docker run runatlantis/atlantis:v0.1.1 server --gh-user=GITHUB_USERNAME --gh-token=GITHUB_TOKEN
  ```