Plan and Apply from PR comments

Invoking environment deployment flows directly from Pull Requests' comments.

As software developers, we all use a Version Control System (VCS) as the main tool in our process. With env0 you can also manage your Infrastructure as Code (IaC) deployments directly from your VCS provider.
By commenting with env0 commands on a pull request, it is possible to interact with your env0 environments without the need to log in to the env0 platform.

Configuration

In order to configure this feature, you will have to set an alias for your environment. This can be done in Environments > Settings > Run PR Comments Commands using an Alias.
You need to set an alias for each environment in which you would like to enable this feature. This alias will be used to uniquely identify the environment when running a command from your VCS provider.
An environment alias may only contain letters, numbers, _, and -.

โ—๏ธ

Role Based Access

Note that when this feature is enabled, anyone who can comment on the pull request can trigger a plan and an apply command, regardless of their role and access level in env0. In this case, your VCS provider determines the RBAC.

If you want to enforce PR commenter permissions based on env0 user permissions, jump to the Enforce PR commenter permissions section.

VCS provider support

We currently support the following VCS providers:

  1. GitHub
  2. Bitbucket Cloud
  3. Bitbucket Server
  4. GitLab Enterprise
  5. Azure DevOps

For Bitbucket Server and GitLab Enterprise, make sure your VCS webhook is configured to send PR comment events in order to enable this feature.

Supported env0 commands:

env0 help command

env0 help - lists all available commands.

env0 list command

env0 list - returns a list of all available environments and their aliases you can plan and apply in env0.

env0 plan command

env0 plan -e {environments aliases} [-v {name=value}] - runs plan on a set of provided env0 environment aliases (comma-separated).

env0 apply command

โฏ๏ธ env0 apply -e {environments aliases} [-v {name=value}] - runs apply on a set of provided env0 environment aliases (comma-separated).

Environment Variable Support

When running plan and apply commands, you can specify a list of environment variables using the -v {name=value} flag.

When specifying more than one variable, repeat the flag: -v {name=value} -v {name=value}

This can be useful if you would like to add specific Terraform environment variables. For example, you can Target Resources using ENV0_TERRAFORM_TARGET, described in our Additional Controls page.

Apply Requirements

The apply command also verifies that the pull request has the following requirements:

  1. GitHub - We won't run the apply command if you have a protected branch in place and its requirements are not all met. You can read more about protected branches here.
  2. Bitbucket / Bitbucket Server - We verify that at least one person who isn't the author of the PR approved the pull request, and none of the participants requested changes. You can learn more about reviewing a pull request in Bitbucket and declining a pull request.
  3. Azure DevOps - We won't run the apply command if any required branch policy checks have failed.

Enforce PR commenter permissions on env0

With env0, you can restrict your users' permissions through role-based access controls. One drawback of using PR Comment Plan and Apply is that the VCS provider determines your user's permissions. By default, anyone with comment permission on your repository can run a Plan or an Apply on your environments.

The "Enforce PR commenter permissions on env0" organizational policy lets you apply your env0 permissions to your VCS provider users. When turned on, env0 will validate that a user trying to run PR Comment Commands has adequate permissions.
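To see how exposed a repository is under the default behaviour, you can audit exported PR comments for env0 commands. The following is an added example, not env0's own parser: it assumes the braces in the syntax above are placeholders, that a command occupies the whole comment, and that you supply your own allowlist of commenters; the sample comments and user names are constructed.

```python
import re
import shlex

ALIAS_RE = re.compile(r"[A-Za-z0-9_-]+")  # alias charset stated on this page

def parse_env0_comment(body):
    """Return a dict for an `env0 plan|apply` comment, or None for anything else."""
    try:
        tokens = shlex.split(body.strip())
    except ValueError:  # ordinary prose with unbalanced quotes
        return None
    if len(tokens) < 2 or tokens[0] != "env0" or tokens[1] not in ("plan", "apply"):
        return None
    cmd = {"action": tokens[1], "aliases": [], "variables": {}, "errors": []}
    i = 2
    while i < len(tokens):
        flag = tokens[i]
        value = tokens[i + 1] if i + 1 < len(tokens) else None
        if flag == "-e" and value is not None:
            for alias in value.split(","):  # aliases are comma-separated
                if ALIAS_RE.fullmatch(alias):
                    cmd["aliases"].append(alias)
                else:
                    cmd["errors"].append(f"invalid alias: {alias!r}")
        elif flag == "-v" and value is not None and "=" in value:
            name, _, val = value.partition("=")
            cmd["variables"][name] = val
        else:
            cmd["errors"].append(f"unexpected token: {flag!r}")
            i -= 1  # an unknown token consumes one position, not two
        i += 2
    return cmd

def audit_comments(comments, allowed_appliers):
    """Flag malformed commands and apply commands from commenters outside the allowlist."""
    findings = []
    for author, body in comments:
        cmd = parse_env0_comment(body)
        if cmd and cmd["errors"]:
            findings.append((author, "malformed command", cmd["errors"]))
        elif cmd and cmd["action"] == "apply" and author not in allowed_appliers:
            findings.append((author, "apply by commenter outside allowlist", cmd["aliases"]))
    return findings

SAMPLE_COMMENTS = [  # constructed (author, comment body) pairs
    ("alice", "env0 plan -e staging,prod-eu"),
    ("dave", "env0 apply -e prod-eu -v ENV0_TERRAFORM_TARGET=aws_instance.web"),
    ("bob", "LGTM, thanks"),
    ("alice", "env0 apply -e staging -v TF_LOG=debug -v FOO=bar"),
    ("carol", "env0 plan -e bad/alias"),
]
```

Calling audit_comments(SAMPLE_COMMENTS, allowed_appliers={"alice"}) reports the apply issued by dave and the malformed alias from carol.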

Turning on the policy for your organization

Navigate to Organization Settings > Policies and check Enforce commenter permissions on env0

Map VCS provider user

Once the feature is turned on, every user in the organization who would like to use the PR comments flow must set up a mapping of their VCS provider user.
First, you will need to get your VCS provider user id from one of the supported VCS providers.

Setting your VCS user in env0

Now that you have your VCS provider user id, head to your env0 account, click on the avatar image in the top right corner, and click on Personal Settings to enter your profile page.
In the Profile tab, enter the id you got from the previous step in the VCS Provider User ID textbox and click on the Save button.

GitHub

While logged in to your GitHub account, click on your profile image in the top-right corner of the page and copy your username.

Bitbucket

While logged in to your Bitbucket user, visit this url from your browser. You will receive a JSON response from which you will need to extract the account_id field.

Bitbucket Server

While logged into your Bitbucket Server account, go to your profile, and find the username near your avatar.

GitLab Enterprise Edition

While logged into your GitLab account, navigate to Profile > Main Settings section.

Azure DevOps

While logged in to your Azure DevOps account, click on your profile image in the top-right corner of the page and copy your user's unique id.

Additional Content

Status Checks for PR Comments

env0 offers the convenience of tracking your PR Comment deployment status directly from your Git provider's user interface. By integrating this feature into the familiar UI, you not only gain visibility into deployment statuses but also leverage it to enhance your CI pipeline, similar to other checks in your workflow.