Anyone can approve custom policy exceptions

[Mezage]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request. Searching for pre-existing feature requests helps us consolidate datapoints for identical requirements into a single place, thank you!
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.
• If you are interested in working on this issue or have submitted a pull request, please leave a comment.

Overview of the Issue

No matter what GHE teams or individuals I list in policy owners, anyone can approve our custom policysets.

Reproduction Steps

Seen this issue since v0.26.0 and have tried it up to the latest version to date.
1. atlantis plan
2. plan fails policy check
3. user not on policy owner list runs atlantis approve_policies
4. policy get exception

Environment details

• Atlantis version: v0.26.0-0.29.0

Repo atlantis.yaml file:

repos:
  - id: /.*/
    allowed_overrides: [workflow, custom_policy_check]
    apply_requirements: [undiverged, approved]
    allow_custom_workflows: false
    custom_policy_check: true
...
policies:
  owners:
    users:
	- user1
  policy_sets:
    - name: gcp_policies
      path: /policies/gcp_policies
      source: local
      owners:
        users:
          - users1
          - user2....etc

user3 would be able to approve anything even if he was not the PR owner

[dosubot]

I found a similar closed issue that might be relevant to your problem: Policy checks as a sets for different owners. This issue was closed by a pull request: feat(policies): Add granular policy_sets on April 21, 2023 ^[1].

To restrict the approval of custom policy exceptions to only the specified policy owners in Atlantis, you need to define the policy configuration in the server-side repo configuration. Here is an example configuration:

policies:
  owners:
    users:
      - nishkrishnan
  policy_sets:
    - name: deny_null_resource
      path: <CODE_DIRECTORY>/policies/deny_null_resource/
      source: local
    - name: deny_local_exec
      path: <CODE_DIRECTORY>/policies/deny_local_exec/
      source: local
      approve_count: 2
      owners:
        users:
          - pseudomorph

In this configuration:

• The owners field at the top level defines the users who can approve any policy.
• Each policy_set can have its own owners field to specify users who can approve that particular policy set.

By setting the owners field, you restrict the approval of policy exceptions to the specified users. If a user who is not listed as an owner attempts to approve a policy, they will encounter an error message similar to the following:

**Approve Policies Error**
1 error occurred:
	* policy set: test_policy user runatlantis is not a policy owner - please contact policy owners to approve failing policies

This ensures that only the designated policy owners can approve the exceptions, maintaining control and compliance ^[2][3].

To continue talking to Dosu, mention @dosu.

[Mezage]

I think this wan mentioned over in #4243 too