A tool that implements mandatory approvals for Atlantis workflows in GitLab Community Edition (CE) using emoji reactions as an approval mechanism.
GitLab CE doesn't support mandatory merge request approvals, which limits Atlantis workflow capabilities. While this feature is available in Premium/Ultimate editions, CE users need an alternative solution.
This tool integrates with Atlantis and GitLab CE to:
- Use emoji reactions as a lightweight approval mechanism
- Enforce mandatory reviews (from codeowners) before Terraform changes can be applied
- Maintain security controls without requiring Premium features
graph LR
subgraph "Open & Plan"
A[MR is Opened] --> B[Atlantis plan is triggered]
B --> C[Atlantis adds comment to MR with details]
end
subgraph "Validation"
C --> D[User validates the result]
D --> E[User adds comment: atlantis apply]
end
subgraph "Apply"
E --> F[Atlantis runs atlantis-emoji-gate]
F --> G{Code owner added required emoji?}
G -->|Yes| H[Apply happens]
G -->|No| I[Apply is aborted]
end
%% Style the nodes
style A fill:#EEF3FF,stroke:#8892FF,stroke-width:1px,color:#000
style B fill:#EEF3FF,stroke:#8892FF,stroke-width:1px,color:#000
style C fill:#EEF3FF,stroke:#8892FF,stroke-width:1px,color:#000
style D fill:#FFFFEE,stroke:#D4C200,stroke-width:1px,color:#000
style E fill:#FFFFEE,stroke:#D4C200,stroke-width:1px,color:#000
style F fill:#EEFFFF,stroke:#00C2D4,stroke-width:1px,color:#000
style G fill:#FFFFEE,stroke:#D4C200,stroke-width:2px,color:#000
style H fill:#DDFFDD,stroke:#09A009,stroke-width:2px,color:#000
style I fill:#FFDADA,stroke:#CC0000,stroke-width:2px,color:#000
%% Style specific links (6 and 7 from the original diagram)
linkStyle 6 stroke:green,stroke-width:2px
linkStyle 7 stroke:red,stroke-width:2px
Pre-built Docker images are available - you don't need to build your own custom Atlantis image. You can use the image from this GitHub Container Registry.
docker pull ghcr.io/shini4i/atlantis:v0.32.0
atlantis-emoji-gate is configured using environment variables. The following variables are available:
| Variable | Description | Default | Optional |
|---|---|---|---|
APPROVE_EMOJI |
The emoji that must be present on the MR for atlantis apply to be allowed to run |
thumbsup |
No |
CODEOWNERS_PATH |
The path to the CODEOWNERS file in the repository | CODEOWNERS |
No |
CODEOWNERS_REPO |
The repository to check for CODEOWNERS file | Yes | |
INSECURE |
If MR author is allowed to approve their own MR | false |
No |
The remaining environment variables are set dynamically by Atlantis and should not be set manually.
Given that we have the following repository structure:
.
├── CODEOWNERS
├── other_file.txt
└── terraform
├── deploy
│ └── main.tf
└── provision
└── main.tf
CODEOWNERS file example:
* @username1
/terraform @username4
/terraform/provision @username2
/terraform/deploy @username3
Where:
@username1would be able to approve any MR@username2would be able to approve MRs that change files in the/terraform/provisiondirectory@username3would be able to approve MRs that change files in the/terraform/deploydirectory@username4would be able to approve MRs that change files in both/terraform/provisionand/terraform/deploydirectories
workflows:
default:
plan:
steps:
- init
- plan
apply:
steps:
- run: atlantis-emoji-gate
- applyPull requests are welcome. For major changes, please open an issue first to discuss what you would like to change.