In this example, we'll demonstrate how to use Ansible Automation Platform to create a policy that makes decisions based on when a job is launched, specifically blocking execution if it is initiated during a timeframe, e.g. 5PM to 9AM EST.
Example Policy aap_policy_examples/maintenance_window.rego:
The following policy (aap_policy_examples/maintenance_window.rego) prevents users from launching a job during restricted hours:
package aap_policy_examples
# Define maintenance window in UTC
maintenance_start_hour := 12 # 12:00 UTC (5 PM EST)
maintenance_end_hour := 4 # 04:00 UTC (9 AM EST)
# Extract the job creation timestamp (which is in UTC)
created_clock := time.clock(time.parse_rfc3339_ns(input.created)) # returns [hour, minute, second]
created_hour_utc := created_clock[0]
# Check if job was created within the maintenance window (UTC)
is_maintenance_time if {
created_hour_utc >= maintenance_start_hour # After 12:00 UTC
}
is_maintenance_time if {
created_hour_utc <= maintenance_end_hour # Before or at 04:00 UTC
}
default maintenance_window := {
"allowed": true,
"violations": [],
}
maintenance_window := {
"allowed": false,
"violations": ["No job execution allowed outside of maintenance window"],
} if {
not is_maintenance_time
}The output of this policy checks whether the job was initiated during a maintenance window and returns "allowed": false with a violation message.
Example output from policy query:
{
"allowed": false,
"violations": [
"No job execution allowed outside of maintenance window"
]
}This policy uses the is_maintenance_time function to determine whether job execution is allowed. If a job is created outside the defined maintenance window, the job will result in an error, preventing playbook execution.
In production environments, it's often necessary to limit when automation can be run. For example, jobs that restart services, deploy updates, or perform infrastructure changes could impact system stability during business hours.
Organizations may enforce maintenance windows to reduce risk and ensure proper change control. This policy supports that operational model by automatically blocking job execution outside defined timeframes.
By enforcing maintenance windows, teams can avoid unintentional disruptions and align automation workflows within acceptable timeframes.
This policy adds an automated safeguard that blocks jobs launched outside of an approved time window. When applied to a Job Template, it ensures that playbooks only run during designated maintenance hours.
If a user attempts to launch a job outside the approved timeframe, the job will ERROR, and provide a message that the job execution was attempted during a maintenance window.
- Ensures jobs only run during approved timeframes.
- Prevents accidental job launches during business critical periods.
- Helps maintain service uptime and user confidence in automation reliability.