feat: add bitbucket cloud api-user flag (#5940)

Signed-off-by: jeronimo-caylent <[email protected]>

Author: jeronimo-caylent

cmd/server.go

@@ -64,6 +64,7 @@ const (
 	AutoplanModules                  = "autoplan-modules"
 	AutoplanModulesFromProjects      = "autoplan-modules-from-projects"
 	AutoplanFileListFlag             = "autoplan-file-list"
+	BitbucketApiUserFlag             = "bitbucket-api-user"
 	BitbucketBaseURLFlag             = "bitbucket-base-url"
 	BitbucketTokenFlag               = "bitbucket-token"
 	BitbucketUserFlag                = "bitbucket-user"
@@ -250,8 +251,11 @@ var stringFlags = map[string]stringFlag{
 			" A custom Workflow that uses autoplan 'when_modified' will ignore this value.",
 		defaultValue: DefaultAutoplanFileList,
 	},
+	BitbucketApiUserFlag: {
+		description: "Bitbucket username for API calls. If not set, defaults to bitbucket-user for backward compatibility. Can also be specified via the ATLANTIS_BITBUCKET_API_USER environment variable.",
+	},
 	BitbucketUserFlag: {
-		description: "Bitbucket username of API user.",
+		description: "Bitbucket username for git operations.",
 	},
 	BitbucketTokenFlag: {
 		description: "Bitbucket app password of API user. Can also be specified via the ATLANTIS_BITBUCKET_TOKEN environment variable.",

cmd/server_test.go

@@ -69,6 +69,7 @@ var testFlags = map[string]interface{}{
 	AutoDiscoverModeFlag:             "auto",
 	AutomergeFlag:                    true,
 	AutoplanFileListFlag:             "**/*.tf,**/*.yml",
+	BitbucketApiUserFlag:             "bitbucket-api-user",
 	BitbucketBaseURLFlag:             "https://bitbucket-base-url.com",
 	BitbucketTokenFlag:               "bitbucket-token",
 	BitbucketUserFlag:                "bitbucket-user",

runatlantis.io/docs/server-configuration.md

@@ -304,6 +304,30 @@ ATLANTIS_AZUREDEVOPS_WEBHOOK_USER="[email protected]"
 
 Azure DevOps basic authentication username for inbound webhooks.
 
+### `--bitbucket-api-user` <Badge text="v0.36.0+" type="info"/>
+
+```bash
+atlantis server --bitbucket-api-user="[email protected]"
+# or
+ATLANTIS_BITBUCKET_API_USER="[email protected]"
+```
+
+Bitbucket username (usually an email) used for API authentication with Bitbucket Cloud. This is used for API calls only. If not specified, Atlantis will use the value of `--bitbucket-user` for API authentication to maintain backward compatibility.
+
+**Note:**
+
+- The backward compatibility is for supporting the existing Bitbucket APP Passwords that are still valid until June 2026(see [here](https://www.atlassian.com/blog/bitbucket/bitbucket-cloud-transitions-to-api-tokens-enhancing-security-with-app-password-deprecation)).
+
+**Config file key:**
+
+```yaml
+bitbucket-api-user: [email protected]
+```
+
+**Environment variable:** `ATLANTIS_BITBUCKET_API_USER`
+
+**Note:** This flag is only relevant for Bitbucket Cloud (bitbucket.org) integrations.
+
 ### `--bitbucket-base-url` <Badge text="v0.36.0+" type="info"/>
 
 ```bash
@@ -334,7 +358,7 @@ atlantis server --bitbucket-user="myuser"
 ATLANTIS_BITBUCKET_USER="myuser"
 ```
 
-Bitbucket username of API user.
+Bitbucket username used for git operations. For Bitbucket Cloud, if `--bitbucket-api-user` is not specified, this value will also be used for API authentication.
 
 ### `--bitbucket-webhook-secret` <Badge text="v0.36.0+" type="info"/>
 

server/events/vcs/bitbucketcloud/client.go

@@ -17,7 +17,8 @@ import (
 
 type Client struct {
 	HTTPClient  *http.Client
-	Username    string
+	Username    string // Used for git operations
+	ApiUser     string // Used for API calls (Basic Auth)
 	Password    string
 	BaseURL     string
 	AtlantisURL string
@@ -27,13 +28,20 @@ type Client struct {
 // URL for Atlantis that will be linked to from the build status icons. This
 // linking is annoying because we don't have anywhere good to link but a URL is
 // required.
-func NewClient(httpClient *http.Client, username string, password string, atlantisURL string) *Client {
+// username is used for git operations, apiUser is used for API authentication (Basic Auth).
+// If apiUser is empty, it will default to username for backward compatibility.
+func NewClient(httpClient *http.Client, username string, password string, apiUser string, atlantisURL string) *Client {
 	if httpClient == nil {
 		httpClient = http.DefaultClient
 	}
+	// Use apiUser for API calls if provided, otherwise fall back to username for backward compatibility
+	if apiUser == "" {
+		apiUser = username
+	}
 	return &Client{
 		HTTPClient:  httpClient,
 		Username:    username,
+		ApiUser:     apiUser,
 		Password:    password,
 		BaseURL:     BaseURL,
 		AtlantisURL: atlantisURL,
@@ -316,7 +324,8 @@ func (b *Client) prepRequest(method string, path string, body io.Reader) (*http.
 	if err != nil {
 		return nil, err
 	}
-	req.SetBasicAuth(b.Username, b.Password)
+	// Use ApiUser for API authentication, Username is for git operations
+	req.SetBasicAuth(b.ApiUser, b.Password)
 	if body != nil {
 		req.Header.Add("Content-Type", "application/json")
 	}

server/events/vcs/bitbucketcloud/client_test.go

@@ -75,7 +75,7 @@ func TestClient_GetModifiedFilesPagination(t *testing.T) {
 	defer testServer.Close()
 
 	serverURL = testServer.URL
-	client := bitbucketcloud.NewClient(http.DefaultClient, "user", "pass", "runatlantis.io")
+	client := bitbucketcloud.NewClient(http.DefaultClient, "user", "pass", "", "runatlantis.io")
 	client.BaseURL = testServer.URL
 
 	files, err := client.GetModifiedFiles(
@@ -139,7 +139,7 @@ func TestClient_GetModifiedFilesOldNil(t *testing.T) {
 	}))
 	defer testServer.Close()
 
-	client := bitbucketcloud.NewClient(http.DefaultClient, "user", "pass", "runatlantis.io")
+	client := bitbucketcloud.NewClient(http.DefaultClient, "user", "pass", "", "runatlantis.io")
 	client.BaseURL = testServer.URL
 
 	files, err := client.GetModifiedFiles(
@@ -208,7 +208,7 @@ func TestClient_PullIsApproved(t *testing.T) {
 			}))
 			defer testServer.Close()
 
-			client := bitbucketcloud.NewClient(http.DefaultClient, "user", "pass", "runatlantis.io")
+			client := bitbucketcloud.NewClient(http.DefaultClient, "user", "pass", "", "runatlantis.io")
 			client.BaseURL = testServer.URL
 
 			repo, err := models.NewRepo(models.BitbucketServer, "owner/repo", "https://bitbucket.org/owner/repo.git", "user", "token")
@@ -342,7 +342,7 @@ func TestClient_PullIsMergeable(t *testing.T) {
 			}))
 			defer testServer.Close()
 
-			client := bitbucketcloud.NewClient(http.DefaultClient, "user", "pass", "runatlantis.io")
+			client := bitbucketcloud.NewClient(http.DefaultClient, "user", "pass", "", "runatlantis.io")
 			client.BaseURL = testServer.URL
 
 			actMergeable, err := client.PullIsMergeable(
@@ -368,7 +368,7 @@ func TestClient_PullIsMergeable(t *testing.T) {
 }
 
 func TestClient_MarkdownPullLink(t *testing.T) {
-	client := bitbucketcloud.NewClient(http.DefaultClient, "user", "pass", "runatlantis.io")
+	client := bitbucketcloud.NewClient(http.DefaultClient, "user", "pass", "", "runatlantis.io")
 	pull := models.PullRequest{Num: 1}
 	s, _ := client.MarkdownPullLink(pull)
 	exp := "#1"
@@ -392,7 +392,7 @@ func TestClient_GetMyUUID(t *testing.T) {
 	}))
 	defer testServer.Close()
 
-	client := bitbucketcloud.NewClient(http.DefaultClient, "user", "pass", "runatlantis.io")
+	client := bitbucketcloud.NewClient(http.DefaultClient, "user", "pass", "", "runatlantis.io")
 	client.BaseURL = testServer.URL
 	v, _ := client.GetMyUUID()
 	Equals(t, v, "{00000000-0000-0000-0000-000000000001}")
@@ -415,7 +415,7 @@ func TestClient_GetComment(t *testing.T) {
 	}))
 	defer testServer.Close()
 
-	client := bitbucketcloud.NewClient(http.DefaultClient, "user", "pass", "runatlantis.io")
+	client := bitbucketcloud.NewClient(http.DefaultClient, "user", "pass", "", "runatlantis.io")
 	client.BaseURL = testServer.URL
 	v, _ := client.GetPullRequestComments(
 		models.Repo{
@@ -451,7 +451,7 @@ func TestClient_DeleteComment(t *testing.T) {
 	}))
 	defer testServer.Close()
 
-	client := bitbucketcloud.NewClient(http.DefaultClient, "user", "pass", "runatlantis.io")
+	client := bitbucketcloud.NewClient(http.DefaultClient, "user", "pass", "", "runatlantis.io")
 	client.BaseURL = testServer.URL
 	err := client.DeletePullRequestComment(
 		models.Repo{
@@ -513,7 +513,7 @@ func TestClient_HidePRComments(t *testing.T) {
 	}))
 	defer testServer.Close()
 
-	client := bitbucketcloud.NewClient(http.DefaultClient, "user", "pass", "runatlantis.io")
+	client := bitbucketcloud.NewClient(http.DefaultClient, "user", "pass", "", "runatlantis.io")
 	client.BaseURL = testServer.URL
 	err = client.HidePrevCommandComments(logger,
 		models.Repo{

server/server.go

@@ -300,6 +300,7 @@ func NewServer(userConfig UserConfig, config Config) (*Server, error) {
 				http.DefaultClient,
 				userConfig.BitbucketUser,
 				userConfig.BitbucketToken,
+				userConfig.BitbucketApiUser,
 				userConfig.AtlantisURL)
 		} else {
 			supportedVCSHosts = append(supportedVCSHosts, models.BitbucketServer)

server/user_config.go

@@ -27,6 +27,7 @@ type UserConfig struct {
 	AzureDevopsWebhookPassword  string `mapstructure:"azuredevops-webhook-password"`
 	AzureDevopsWebhookUser      string `mapstructure:"azuredevops-webhook-user"`
 	AzureDevOpsHostname         string `mapstructure:"azuredevops-hostname"`
+	BitbucketApiUser            string `mapstructure:"bitbucket-api-user"`
 	BitbucketBaseURL            string `mapstructure:"bitbucket-base-url"`
 	BitbucketToken              string `mapstructure:"bitbucket-token"`
 	BitbucketUser               string `mapstructure:"bitbucket-user"`