Skip to content

7b.Only allow certain Git branches.md

Latest commit

 

History

History
79 lines (53 loc) · 3.11 KB

7b.Only allow certain Git branches.md

File metadata and controls

79 lines (53 loc) · 3.11 KB

7a. Only allow approved Github source branches

Overview

This example demonstrates how to prevent the use of unapproved Github repo branches for AAP Project automation content.

Example Policy aap_policy_examples/project_scm_branch.rego:

The following policy (project_scm_branch.rego) blocks job execution and is best applied to the Organization policy level:

package aap_policy_examples

import rego.v1

# Define allowed values for project.scm_branch
valid_project_scm_branch_values := ["main", "v1"]

# Default policy response indicating allowed status with no violations
default project_scm_branch_validation := {
	"allowed": true,
	"violations": [],
}

# Evaluate branch_validation to check if project.scm_branch value is allowed
project_scm_branch_validation := result if {
	# Extract project.scm_branch from input
	branch := object.get(input, ["project", "scm_branch"], "")

	# Check if branch value is not in the allowed list
	not allowed_branch(branch)

	result := {
		"allowed": false,
		"violations": [sprintf("Invalid branch: %v. Only named 'main' or 'v1' branches are allowed.", [branch])],
	}
}

# Check if a given branch value is allowed
allowed_branch(branch) if {
	some allowed_value in valid_project_scm_branch_values
	branch == allowed_value
}

Enforcement Behavior

When applied at different enforcement points, this policy prevents job execution accordingly:

  • Job Template: All jobs launched from the template will ERROR, preventing playbook execution.
  • Inventory: All jobs using the inventory will ERROR, preventing playbook, preventing playbook execution.
  • Organization: All jobs launch from job template that belongs to the organization will ERROR, preventing playbook execution.

It is recommended to use this at the Organization policy enforcement point.

Try It Yourself

Take advantage of the Rego playground!

Real World Use Case: Blocking Unapproved Automation Content / Untrusted Automation Supply Chain

Scenario

Your company policy mandates the use of only certain approved Github repo branches as these are validated using SDLC controls and mechanisms. This could be used to stop the use of 'devel' and other branches not suitable for Production environments. This policy allows you to police where automation content can be pulled from.

Impact of Policy Enforcement in Ansible Automation Platform

By applying the Block Policy, Ansible Automation Platform completely prevents automation execution at the specified enforcement points. This ensures that no changes can be made to critical environments during security incidents, audits, or compliance reviews.

How AAP Enforces the Policy

Running an automation Job Template when this policy is in place will result in this type of error when an unapproved repo tries to be used:

This job cannot be executed due to a policy violation or error. See the following details:
{'Violations': {'Organization': ["Invalid branch: . Only named 'main' or 'v1' "
                                 'branches are allowed.']}}