Skip to content

7a.Only allow approved Github repos.md

Latest commit

 

History

History
83 lines (57 loc) · 3.19 KB

7a.Only allow approved Github repos.md

File metadata and controls

83 lines (57 loc) · 3.19 KB

7a. Only allow approved Github source repositories

Overview

This example demonstrates how to prevent the use of unapproved Github repos for AAP Project automation content.

Example Policy aap_policy_examples/github_repo_validation.rego:

The following policy (github_repo_validation.rego) blocks job execution and is best applied to the Organization policy level:

package aap_policy_examples

import rego.v1

# Define list of allowed GitHub repositories
allowed_github_repos := [
    "organization/repo1",
    "organization/repo2"
]

# Default policy response indicating allowed status with no violations
default github_repo_validation := {
    "allowed": true,
    "violations": [],
}

# Validate that the GitHub repository is in the whitelist
github_repo_validation := result if {
    # Extract SCM URL from input
    scm_url := object.get(input, ["project", "scm_url"], "")

    # Extract repository path from URL
    parts := split(scm_url, "/")
    count_parts := count(parts)
    org := parts[count_parts-2]
    repo_name := trim_suffix(parts[count_parts-1], ".git")
    repo_path := concat("/", [org, repo_name])

    # Check if repo path is not in the whitelist
    not repo_path in allowed_github_repos

    result := {
        "allowed": false,
        "violations": [sprintf("Repository '%v' is not in the allowed list", [repo_path])],
    }
}

Enforcement Behavior

When applied at different enforcement points, this policy prevents job execution accordingly:

  • Job Template: All jobs launched from the template will ERROR, preventing playbook execution.
  • Inventory: All jobs using the inventory will ERROR, preventing playbook, preventing playbook execution.
  • Organization: All jobs launch from job template that belongs to the organization will ERROR, preventing playbook execution.

It is recommended to use this at the Organization policy enforcement point.

Try It Yourself

Take advantage of the Rego playground!

Real World Use Case: Blocking Unapproved Automation Content / Untrusted Automation Supply Chain

Scenario

Your company policy mandates the use of only certain approved Github repos as these are validated using SDLC controls and mechanisms. Personal Github accounts may not be allowed as they do not undergone the same stringent checks. This policy allows you to police where automation content can be pulled from.

Impact of Policy Enforcement in Ansible Automation Platform

By applying the Block Policy, Ansible Automation Platform completely prevents automation execution at the specified enforcement points. This ensures that no changes can be made to critical environments during security incidents, audits, or compliance reviews.

How AAP Enforces the Policy

Running an automation Job Template when this policy is in place will result in this type of error when an unapproved repo tries to be used:

This job cannot be executed due to a policy violation or error. See the following details:
{'Violations': {'Organization': ["Repository 'ansible/ansible-tower-samples' is not in the "
                                 'allowed list']}}