feat: Added support for GitHub app #276
Conversation
|
Thanks for the PR @abalcobia - since GitHub apps are more secure and the recommended way to provide access, lets update the |
antonbabenko
changed the title
|
Regarding the updates and the docs on examples, I will work on that in the next days. Thanks! |
|
@bryantbiggs @antonbabenko I've helped @abalcobia with the latest changes. Can you guys review please? |
examples/github-complete/main.tf
Outdated
| @@ -73,10 +73,26 @@ module "atlantis" { | |||
| # Trusted roles | |||
| trusted_principals = ["ssm.amazonaws.com"] | |||
|
|
|||
| # Atlantis | |||
| # Atlantis w/ GitHub user | |||
|
|
|||
| atlantis_github_user = var.github_user | |||
There was a problem hiding this comment.
Lets remove this - I don't think it would be correct to have both user based auth and app based
|
Thanks for the review @bryantbiggs! we'll make the requested changes asap 👍 |
|
Hello @bryantbiggs! Just a question to clarify the approach, is it only supposed to remove the user and token variables, and respective dependencies, in the folder examples or throughout the entire repo? |
|
@abalcobia - correct, just remove those from the example. It doesn't make a lot of sense to have two authentication routes for one example, I don't even know if this works, so lets just show the "preferred" way which is to use the GitHub app authentication route in the example. Does that make sense? The user/token authentication route will still exist in the module itself, we're just changing the example to show using the GitHub app route. |
|
@bryantbiggs - yes, makes sense, thanks. We get the idea and throughout the day we will update the README.md file only in the examples folder. |
|
@bryantbiggs we've included instructions on how to generate a github app. We've also added a note stating that using GitHub PATs is no longer recommended (despite being still supported). Let us know if you need any more changes. |
|
@bryantbiggs we've updated the PR with the latest changes from the Can we get this merged on the master, or is something missing? |
|
Hello @bryantbiggs @antonbabenko If you feel that any more changes need to be made please let us know. Thanks. |
|
I will test this today |
|
@bryantbiggs sorry to bother, but do you have any updates on this? We've updated the branch to the latest commit on master... |
|
This PR has been automatically marked as stale because it has been open 30 days |
|
Commenting to keep open |
|
rebased and squashed the commit history |
|
apologies for the delay - just getting back around to this. I'm a bit confused: what is the benefit here for GitHub app support if GitHub PAT is still required? |
|
This PR was automatically closed because of stale in 10 days |
|
Can we reopen this and get it merged? |
|
@dynamike Please take a look at this if you have time/wish/knowledge/interest... |
|
I've rebased the branch so that you can review it properly. |
examples/github-complete/README.md
Outdated
| GitHub's personal access token can be generated at https://github.com/settings/tokens | ||
| The GitHub App can be generated using multiple methods: | ||
|
|
||
| - You can follow Atlantis instructions depicted [here](https://www.runatlantis.io/docs/access-credentials.html#github-app). The Atlantis method mostly automates the GitHub App generation using [GitHub App Manifest](https://docs.github.com/en/developers/apps/building-github-apps/creating-a-github-app-from-a-manifest), but you need an exposed endpoint to complete the process. |
There was a problem hiding this comment.
This option doesn't seem possible because as you've mentioned you need an exposed endpoint to be able to setup the GitHub App. How would one go about doing that? Should I -
- Spin up a version of the
github-completeexample without a validgithub_app_id,github_app_key, andgithub_webhook_secret - Register the GitHub app via the exposed endpoint
- Re-run terraform with the GitHub app values?
More detail here is needed if this is the preferred path.
There was a problem hiding this comment.
I understand your pain... it's not very easy to bootstrap Atlantis using the official documentation.
What the Atlantis team did, was to try to ease the process of setting up the GitHub App by using the GitHub App manifest configuration method - this 'manifest' method, involves the Atlantis runtime to provide all the requirements for GitHub to create the app on Atlantis behalf. Of course, this raises security concerns:
- GitHub needs to trust the exposed endpoint (this means not only being exposed, but needs to have a valid SSL certificate)
- You need to expose your app to the internet and follow the 'one-time' setup procedure to get the required secrets
github_app_id,github_app_key, andgithub_webhook_secret. - This method not only provides you the secrets, but also configures the GitHub App with the required permissions as depicted by the Atlantis team.
TL;DR: The steps you mentioned are correct. That's what you need to do in order to setup the GitHub App according to Atlantis official documentation.
examples/github-complete/README.md
Outdated
| The GitHub App can be generated using multiple methods: | ||
|
|
||
| - You can follow Atlantis instructions depicted [here](https://www.runatlantis.io/docs/access-credentials.html#github-app). The Atlantis method mostly automates the GitHub App generation using [GitHub App Manifest](https://docs.github.com/en/developers/apps/building-github-apps/creating-a-github-app-from-a-manifest), but you need an exposed endpoint to complete the process. | ||
| - The other method is to manually create the GitHub App as instructed [here](https://docs.github.com/en/developers/apps/building-github-apps/creating-a-github-app). |
There was a problem hiding this comment.
I also ran into a wall with this method. The Github docs on setting up a Github App are very generic and doesn't explain how I should put values in for sections like Identifying and authorizing users or Webhook URL to work with Atlantis. So I'm left without a path forward to test this out.
There was a problem hiding this comment.
I understand the confusion. This is an advanced setup which requires the user to be comfortable with GitHub Apps, hence the above recommended path depicted by the Atlantis team.
Let me try and make this clearer:
- You create a GitHub App and give it a name - that name must be unique across the world (you can change it later).
- Provide a valid Homepage URL (this can be the atlantis server url, for instance
https://atlantis.mydomain.com) - Provide a valid Webhook URL. The Atlantis webhook server path is located by default at
https://atlantis.mydomain.com/events - Generate a Webhook Secret - this is used for Atlantis to trust the deliveries. This is your
github_webhook_secret. - Generate a Private Key - this is your
github_app_key - On the App's settings page (at the top) you find the App ID. This is your
github_app_id - On the Permissions & Events you need to setup all the permissions and events according to Atlantis documentation
Now you need to Install the App on your organization.
A self-provisioned GitHub App usually has two parts: the App and the Installation.
- The App part is the first step and its where you setup all the requirements, such as authentication, webhook, permissions, etc...
- The Installation part is where you add the created App to an organization/personal-account. It is on the installation page where you setup which repositories the application can access and receive events from.
There was a problem hiding this comment.
All of this is great info to add to the module docs for users
examples/github-complete/README.md
Outdated
|
|
||
| ## GitHub Personal Access Token (PAT) is no longer recommended | ||
|
|
||
| While still supported, the use of GitHub Personal Access Token (PAT) is no longer the recommended method in favor of GitHub App. |
There was a problem hiding this comment.
I think it makes sense to support both the Github App and the Personal Access Token (PAT) method in this module. While it's true you get fine grained access with Github Apps, there is a GitHub beta feature to allow you to created PATs with fine grained access. So the benefit of a Github App vs a PAT become less clear.
There was a problem hiding this comment.
Note that despite the PAT's new features, you still require a valid user to create the PAT for. This means consuming an additional license for certain organizations and using an authentication mechanism whose purpose is for users and not apps/services.
Apart from fine grained access, there are multiple advantages by using a GitHub App, one of them being the extensive webhook configuration options, among other things.
Since Atlantis is an app, it fits the GitHub App's purpose.
There was a problem hiding this comment.
I'd like to add that if your organization has an SSO, using a PAT is a bit cumbersome.
…docs to the main README
There was a problem hiding this comment.
I was able to get this working using the method in the Atlantis documentation, but I had to make some changes to the github-complete example for it to work correctly. You can see the changes I made over at https://github.com/nosportugal/terraform-aws-atlantis/compare/github-app-support...dynamike:terraform-aws-atlantis:github-app-support?expand=1 as I don't really have a way to incorporate those changes in this PR.
Looks great! |
Add bootstrap option for github-complete example and move Github App …
There was a problem hiding this comment.
@antonbabenko I think this is ready to go. I've confirmed there aren't breaking changes which means using a traditional webhook or a Github App both work. The github-complete example is also functional using the Github App method.
The one thing that I would note is that ATLANTIS_WRITE_GIT_CREDS is now defaulted to true because it is required if you are using the GitHub App method, but this will also enable the flag for folks not using the Github App.
Co-authored-by: Anton Babenko <[email protected]>
|
@calexandre Fixes for the tflint warnings are in https://github.com/nosportugal/terraform-aws-atlantis/pull/7 |
fix terraform_deprecated_index warnings from tflint
|
@antonbabenko I think this one is ready to merge when you're able. Thanks! |
## [3.23.0](v3.22.1...v3.23.0) (2022-10-31) ### Features * Added support for GitHub app ([#276](#276)) ([27def83](27def83))
|
This PR is included in version 3.23.0 🎉 |
|
Thanks for getting this over the finish line everyone! |
|
Thank you to everyone involved for the effort made to get the PR integrated! |
|
I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further. |
Description
Allow users to utilize the GitHub App instead of a personal access token to execute Atlantis.
Motivation and Context
Enable the use of a GitHub App with Atlantis. In this PR, four variables were added to the module and their dependencies:
var.atlantis_github_app_keyvar.atlantis_github_app_key_ssm_parameter_namevar.atlantis_write_git_credsvar.atlantis_github_app_idNote: It is not necessary to create a specific variable for the webhook secret in the GitHub App, the existing one can be used.
ref:https://www.runatlantis.io/docs/access-credentials.html#generating-an-access-token (GitHub App section)
Breaking Changes
None
How Has This Been Tested?
pre-commit run -aon my pull requestInitially, a github app was created and consequently a private key and a secret webhook were associated with
it. Posteriorly, a test repo was used with the inputs (atlantis_github_app_id, atlantis_github_app_key & atlantis_github_webhook_secret) from the github app to guarantee the communication between Atlantis and the GitHub app at the level of webhooks and comments and it was possible to guarantee this communication with success as well as the provisioning of resources.