@nightmarlin-wise

what

This PR updates the plan command's validator to ignore the policies_passed requirement when present in ProjectContext.PlanRequirements.

This resolves issue #5993 introduced by #5851: When a policy check fails, the subsequent plan always fails. Plans run after this run as normal.

It seems that after a failure, atlantis updates its internal state to a point before the policy check - so any subsequent plan will succeed. An alternative solution could be to "pretend" the policy checks haven't run yet in the context of the plan.

Specifying repos[*].plan_requirements: [] in the server-side repos.yaml does not successfully work around the issue - the value seems to be overwritten somewhere.

why

This fixes an issue with the standard use case for policy checks. We want to upgrade to the latest atlantis version to make use of parallel plan & apply - but the additional friction caused by this (and potential contacts from teams not familiar with atlantis) means we cannot adopt this version.

I believe atlantis can only run policy checks after a plan is completed, so this small-scoped solution makes the most sense to me. If this assumption is wrong, I'd be happy to look into an alternative solution that fits a broader set of use cases!

tests

  • I have updated the relevant unit tests to account for this new test case

references

@dosubot (bot) added the bug and go labels Dec 2, 2025
@github-actions (bot) removed the bug label Dec 2, 2025
> See runatlantis#5993

https://github.com/runatlantis/atlantis/pulls/5851 introduced a change to check the `policy_check` status before running a plan. If the policy checks had previously failed, the plan would fail.

When using policy checks, this requirement is always injected with no way to remove it.

> Specifying `repos[*].plan_requirements` does not work - the value seems to be overwritten somewhere.

This PR updates the validation to ignore that requirement when present in `ProjectContext.PlanRequirements`.

> It seems that after a failure, atlantis updates its internal state to a point _before_ the policy check - so any subsequent plan will succeed

Signed-off-by: Lewis W. Miller <[email protected]>
@nightmarlin-wise force-pushed the fix/validation/i-5993-ignore-failed-policy-checks-on-plan branch from 123042d to b513f8a December 2, 2025 17:47
@nightmarlin-wise changed the title from "fix(plan)[5993]: ignore policies-passed req when validating plan command" to "fix: ignore policies-passed requirement when validating plan command" Dec 2, 2025

Development

Successfully merging this pull request may close these issues.

Plan fails if previous commit failed policy checks
