Add post-workflow hooks

[gezb]

This PR adds "post-workflow-hooks" my use case for these is they can be used to make sure files generated as part of a custom workflow get deleted even if the workflow fails

[gezb]

This was very much a copy and paste of the existing pre-workflow hook code and just calling it after the main workflow

[nishkrishnan]

Would love to hear more about your usecase first before reviewing this PR. This seems like something that can be done as part of the custom workflow as far as I can tell.

For example, always overwrite generated files so that you don't need to clean up after a single workflow since the next time you run the workflow it'll get replaced anyways.

[gezb]

For my current use case currently our custom workflow retrieves a SSH key from Vault and writes it to the checkout directory, this allows terraform init to checkout our custom modules from our private Bitbucket repo (by setting the GIT_SSH_COMMAND environment variable).
We have a step at the end of the custom workflow that removes this file, but if there is an error in the init/plan stages that command will not get run leaving the file on disk, hence why I wanted to move the clean-up to a post_workflow step.

The other example that comes to mind is for example if your terraform needs kubeconfig for the terraform provider this would not something you would want to leave on disk

[nishkrishnan]

For my current use case currently our custom workflow retrieves a SSH key from Vault and writes it to the checkout directory, this allows terraform init to checkout our custom modules from our private Bitbucket repo (by setting the GIT_SSH_COMMAND environment variable).
We have a step at the end of the custom workflow that removes this file, but if there is an error in the init/plan stages that command will not get run leaving the file on disk, hence why I wanted to move the clean-up to a post_workflow step.

So if it errors out is the assumption that the PR will be open forever? Because presumably you'd either close the PR which would unlock it and therefore clean up the data. Or you would keep trying until it's successful which eventually end up running your custom run step to delete it. So eventually it would always get deleted.

If the problem is that it's a greater security risk due to the amount of time that it's left on disk, I'd argue that the complexity of adding more custom knobs and functionality in the form of post-workflow hooks probably isn't worth it instead of solving the crux of the issue which is data isolation per process (something we'd eventually want for atlantis naturally).

[gezb]

Hi

It was the second case I wanted to try and fix with post workflow hooks, in that I did not want the SSH key left on disk in the event that the workflow errors

I have worked round this where I can by using env workflow steps to set things like access keys as environment variables so they are memory and not on disk, but as far as I'm aware this cannot be done with SSH keys

How would you suggest we approach this problem? maybe a per checkout temporary directory that always gets cleared at the end of a operation?

[github-actions]

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.