This repository contains example policies and use cases demonstrating how to use the Policy as Code feature in Ansible Automation Platform (AAP). These examples will guide you through implementing various policy enforcement scenarios using Open Policy Agent (OPA).
Policy as Code allows you to define and enforce policies across your Ansible Automation Platform using OPA and the Rego language. This repository provides practical examples of common policy enforcement scenarios.
- Ansible Automation Platform 2.5 or later with the `FEATURE_POLICY_AS_CODE_ENABLED` feature flag set to `True` - see Enabling Policy as Code Feature for more information
- An OPA server that's reachable from your AAP deployment
  - See Deploy OPA server on OpenShift for development and testing setup
  - See Deploy OPA server with Podman for development and testing setup
- Configured AAP with settings required for connecting to your OPA server
  - see Configuring OPA Server Connection for more information
- General knowledge around OPA and the Rego language
  - see Official OPA Documentation for more information
For detailed setup instructions, see "Setting up Policy as Code for Ansible Automation Platform" in the official documentation.
```
.
├── aap_policy_examples/        # Example policy implementations
├── example_input_data/         # Sample input data for testing
├── test_aap_policy_examples/   # Test cases and validation
├── openshift/                  # OpenShift-specific configurations
├── tools/                      # Utility scripts and tools
├── bin/                        # Binary and executable files
├── .github/                    # GitHub-specific configurations
├── POLICY_INPUT_DATA.md        # Documentation of input data structure
└── POLICY_OUTPUT_DATA.md       # Documentation of output data structure
```
The repository includes several example policies demonstrating different use cases:
- Prevent job execution at various policy enforcement points
- Prevent job execution by platform admin
- Prevent job execution during maintenance window
- Prevent job execution using credential with no Organization
- Prevent job execution using mismatching resources
- Enforce `extra_vars`-based policies
  - Prevent job execution using extra vars with non-approved vars - Validate keys for `extra_vars`
  - Prevent job execution using extra vars with non-approved values - Validate values for `extra_vars`
  - Prevent job execution based on user limitations for extra vars - Team-based access control on `extra_vars`
- Source code controls
  - Only allow approved GitHub source repos - Only allow approved source repos
  - Only allow approved GitHub source repo branches - Only allow approved source repo branches
- Enforce Naming Standards - ensure Job Template name conforms to our standards
- Restrict usage of an Inventory to an Organization - restrict inventory usage by organization
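As an added illustration of the two `extra_vars` checks listed above (validating keys and validating values), the following Rego policy is written for this README and is not one of the repository's own examples. It assumes that the launch's extra vars reach OPA as the object `input.extra_vars`, that AAP consumes a result object with an `allowed` boolean and a `violations` list (produced here by the `result` rule, so the policy path configured in AAP would point at that rule), and that the package name and both allowlists are made up for the example. It also bundles `opa test` cases that exercise the allow and deny paths.

```rego
# Added example, not a policy shipped in this repository.
# Assumed input shape: the job's extra vars arrive as the object `input.extra_vars`.
# Assumed output shape: AAP reads an object with `allowed` (bool) and `violations`
# (list of strings); the `result` rule below produces it.
package aap_policy_examples.extra_vars_allowlist

import rego.v1

# Constructed allowlist: the only keys a launch may pass through extra_vars.
approved_keys := {"target_env", "app_version", "log_level"}

# Constructed value constraints for approved keys. Keys absent here accept any value.
approved_values := {
	"target_env": {"dev", "stage", "prod"},
	"log_level": {"info", "warning", "debug"},
}

# Deny by default; allow only when no rule below records a violation.
default allowed := false

allowed if count(violations) == 0

# Check 1 (key validation): every extra_vars key must be on the allowlist.
violations contains msg if {
	some key in object.keys(input.extra_vars)
	not key in approved_keys
	msg := sprintf("extra_vars key %q is not approved", [key])
}

# Check 2 (value validation): a constrained key must carry one of its permitted values.
violations contains msg if {
	some key, value in input.extra_vars
	permitted := approved_values[key]
	not value in permitted
	msg := sprintf("extra_vars key %q has unapproved value %v", [key, value])
}

# Object returned to AAP; sort() turns the violations set into a stable list.
result := {
	"allowed": allowed,
	"violations": sort(violations),
}

# Unit tests (run with `opa test .`). Normally kept in a sibling *_test.rego file
# in the same package; inlined here so the example is a single file.
test_approved_vars_are_allowed if {
	out := result with input as {"extra_vars": {"target_env": "prod", "app_version": "1.4.2"}}
	out.allowed
	count(out.violations) == 0
}

test_unknown_key_is_denied if {
	out := result with input as {"extra_vars": {"target_env": "prod", "unapproved_key": "x"}}
	not out.allowed
	out.violations == ["extra_vars key \"unapproved_key\" is not approved"]
}

test_bad_value_is_denied if {
	out := result with input as {"extra_vars": {"target_env": "production"}}
	not out.allowed
	count(out.violations) == 1
}

test_no_extra_vars_is_allowed if {
	out := result with input as {}
	out.allowed
}
```

The `default allowed := false` line is the safety property worth keeping when adapting this: if the input shape ever differs from what the rules expect, the job is denied rather than silently allowed. The `import rego.v1` line requires an OPA release that supports the v1 syntax (the `if`/`contains` keywords); on older servers replace it with `import future.keywords`.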
Each policy example includes:
- Detailed explanation of the use case
- Example Rego policy implementation
- Sample input and output data
- Testing instructions
- Clone this repository
- Review the example policies in the `aap_policy_examples/` directory
- Use the provided test cases in `test_aap_policy_examples/` to validate your policies
- Customize the policies according to your needs
The repository includes test cases and example input data to help you validate your policies. See the `test_aap_policy_examples/` directory for more details.
- `POLICY_INPUT_DATA.md`: Contains detailed information about the input data structure used by the policies
- `POLICY_OUTPUT_DATA.md`: Contains detailed information about the output data structure
- Associating Policies with AAP Resources: Guide on how to associate OPA policies with AAP resources
Contributions are welcome! Please feel free to submit a Pull Request.
This project is dedicated to the public domain under The Unlicense. See the LICENSE file for details.
The Unlicense is a template for disclaiming copyright monopoly interest in software you've written; in other words, it is a template for dedicating your software to the public domain.