feat: implement plan-all command #2694
We were talking about this earlier and this could potentially be pretty dangerous if a person is allowed to plan on all projects and some show secrets on the plan, and I think if you plan all projects you can then run one apply and will apply all by default, no?
@secustor thank you for your hard work. At the very least, could you add a new flag to enable this and set that flag to false, as this is a bit of a security risk. As pepe already mentioned, we're already dealing with an issue #1508 and we'd like to reduce that blast radius. I'd be more inclined to approve if there is a flag to gate this.
@@ -608,6 +608,160 @@ projects: | |||
} | |||
} | |||
|
|||
func TestDefaultProjectCommandBuilder_BuildPlanAllCommands(t *testing.T) { |
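Review bot: the new test TestDefaultProjectCommandBuilder_BuildPlanAllCommands at the end of this hunk needs a negative case alongside the happy path. Since plan-all plans every defined project whether or not it was modified, the test should assert exactly which projects receive a plan command for a pull request that touches none of them, and, if the command ends up behind an enable flag as requested in this conversation, that no plan commands are built while the flag is at its default of false. The hunk header (-608,6 +608,160) shows roughly 150 added lines, so table-driven subtests run through t.Run would keep each case named and independently reportable.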
Nice test! Could you also create a separate test for the new function shouldUpdateRepo?
The outer scope tests this already, but I will add additional tests to cover this.
I'm new to the code base and usage of Atlantis, but how would this expose more things than opening a PR with changes to the
I would prefer not to hide this behind a flag, but would this PR ( #2696 ) clear up your reservations if it is merged? That way users/admins can set
Usually we gate new features behind a feature flag until it's been tested enough. Some users may like this but others may not and it would be good to be able to enable it with a default of disabled. Eventually if most people enable it then we can discuss removing the need for a flag. I do not think PR #2696 would relieve my reservations but I'm open to changing my mind. cc: @runatlantis/maintainers thoughts?
I agree with @nitrocode, this can be enabled by default, and it should be enabled by default and enabled explicitly.
@jamengual mentioned that there is also this flag E.g.
The regexp command may be sufficient enough to not need a
From what I can deduce from the docs this should work. I will try to confirm this on our instance and close this if it solves my problem.
I converted this to a draft for now. Please let us know if the --enable-regexp-cmd flag works for you or if you want to repurpose this to allow -d to work with a regex |
The |
Closes #254
This PR implements a plan-all command which will trigger plans for all defined projects regardless of whether they have been modified or not. E2E tested on this repo https://github.com/secustor/renovate_terraform_lock_in_subdirectory/pull/12