Enable --auto-approve for Policy checks on Remote Backend (Terraform Cloud) (#27804)

* Fix auto-approve for soft-policy
* Update error handling
* update testing string for consistency
This commit is contained in:
Omar Ismail 2021-03-01 08:54:30 -05:00 committed by GitHub
parent b5adc33075
commit e9c7f37b8c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 54 additions and 45 deletions

View File

@ -1151,6 +1151,7 @@ func TestRemote_applyPolicySoftFail(t *testing.T) {
"approve": "yes",
})
op.AutoApprove = false
op.UIIn = input
op.UIOut = b.CLI
op.Workspace = backend.DefaultStateName
@ -1187,16 +1188,14 @@ func TestRemote_applyPolicySoftFail(t *testing.T) {
}
}
func TestRemote_applyPolicySoftFailAutoApprove(t *testing.T) {
func TestRemote_applyPolicySoftFailAutoApproveSuccess(t *testing.T) {
b, bCleanup := testBackendDefault(t)
defer bCleanup()
op, configCleanup, done := testOperationApply(t, "./testdata/apply-policy-soft-failed")
defer configCleanup()
input := testInput(t, map[string]string{
"override": "override",
})
input := testInput(t, map[string]string{})
op.AutoApprove = true
op.UIIn = input
@ -1210,34 +1209,33 @@ func TestRemote_applyPolicySoftFailAutoApprove(t *testing.T) {
<-run.Done()
viewOutput := done(t)
if run.Result == backend.OperationSuccess {
t.Fatal("expected apply operation to fail")
}
if !run.PlanEmpty {
t.Fatalf("expected plan to be empty")
if run.Result != backend.OperationSuccess {
t.Fatal("expected apply operation to success due to auto-approve")
}
if len(input.answers) != 1 {
t.Fatalf("expected an unused answers, got: %v", input.answers)
if run.PlanEmpty {
t.Fatalf("expected plan to not be empty, plan opertion completed without error")
}
if len(input.answers) != 0 {
t.Fatalf("expected no answers, got: %v", input.answers)
}
errOutput := viewOutput.Stderr()
if !strings.Contains(errOutput, "soft failed") {
t.Fatalf("expected a policy check error, got: %v", errOutput)
if strings.Contains(errOutput, "soft failed") {
t.Fatalf("expected no policy check errors, instead got: %v", errOutput)
}
output := b.CLI.(*cli.MockUi).OutputWriter.String()
if !strings.Contains(output, "Running apply in the remote backend") {
t.Fatalf("expected remote backend header in output: %s", output)
}
if !strings.Contains(output, "1 to add, 0 to change, 0 to destroy") {
t.Fatalf("expected plan summery in output: %s", output)
}
if !strings.Contains(output, "Sentinel Result: false") {
t.Fatalf("expected policy check result in output: %s", output)
t.Fatalf("expected policy check to be false, insead got: %s", output)
}
if strings.Contains(output, "1 added, 0 changed, 0 destroyed") {
t.Fatalf("unexpected apply summery in output: %s", output)
if !strings.Contains(output, "Apply complete!") {
t.Fatalf("expected apply to be complete, instead got: %s", output)
}
if !strings.Contains(output, "Resources: 1 added, 0 changed, 0 destroyed") {
t.Fatalf("expected resources, instead got: %s", output)
}
}

View File

@ -414,34 +414,45 @@ func (b *Remote) checkPolicy(stopCtx, cancelCtx context.Context, op *backend.Ope
case tfe.PolicyHardFailed:
return fmt.Errorf(msgPrefix + " hard failed.")
case tfe.PolicySoftFailed:
runUrl := fmt.Sprintf(runHeader, b.hostname, b.organization, op.Workspace, r.ID)
if op.Type == backend.OperationTypePlan || op.UIOut == nil || op.UIIn == nil ||
op.AutoApprove || !pc.Actions.IsOverridable || !pc.Permissions.CanOverride {
return fmt.Errorf(msgPrefix + " soft failed.")
}
default:
return fmt.Errorf("Unknown or unexpected policy state: %s", pc.Status)
!pc.Actions.IsOverridable || !pc.Permissions.CanOverride {
return fmt.Errorf(msgPrefix + " soft failed.\n" + runUrl)
}
if op.AutoApprove {
if _, err = b.client.PolicyChecks.Override(stopCtx, pc.ID); err != nil {
return generalError(fmt.Sprintf("Failed to override policy check.\n%s", runUrl), err)
}
} else {
opts := &terraform.InputOpts{
Id: "override",
Query: "\nDo you want to override the soft failed policy check?",
Description: "Only 'override' will be accepted to override.",
}
err = b.confirm(stopCtx, op, opts, r, "override")
if err != nil && err != errRunOverridden {
return err
return fmt.Errorf(
fmt.Sprintf("Failed to override: %s\n%s\n", err.Error(), runUrl),
)
}
if err != errRunOverridden {
if _, err = b.client.PolicyChecks.Override(stopCtx, pc.ID); err != nil {
return generalError("Failed to override policy check", err)
return generalError(fmt.Sprintf("Failed to override policy check.\n%s", runUrl), err)
}
} else {
b.CLI.Output(fmt.Sprintf("The run needs to be manually overridden or discarded.\n%s\n", runUrl))
}
}
if b.CLI != nil {
b.CLI.Output("------------------------------------------------------------------------")
}
default:
return fmt.Errorf("Unknown or unexpected policy state: %s", pc.Status)
}
}
return nil