Ansible Automation Platform allows users to enforce policies at multiple enforcement points, including:
- Organization Level: Affects all job templates within an Organization.
- Inventory Level: Affects all jobs using a specified Inventory.
- Job Template Level: Affects jobs launched from a specific Job Template.
This example demonstrates how to prevent job execution using Open Policy Agent (OPA) and Ansible Automation Platform’s Policy as Code feature.
Example Policy aap_policy_examples/jt_naming_validation.rego:
The following policy (aap_policy_examples/allowed_false.rego) blocks job execution entirely unless the Job Template name matches our standards. In this particular rule will enforce the convention 'OrganizationName_ProjectName_JobTemplateName':
package aap_policy_examples
import rego.v1
# Default policy response indicating allowed status with no violations
default jt_naming_validation := {
"allowed": true,
"violations": [],
}
# Validate that job template name has correct organization and project name prefixes
jt_naming_validation := result if {
# Extract values from input
org_name := object.get(input, ["organization", "name"], "")
project_name := object.get(input, ["project", "name"], "")
jt_name := object.get(input, ["job_template", "name"], "")
# Construct the expected prefix
expected_prefix := concat("_", [org_name, project_name])
# Check if job template name starts with expected prefix
not startswith(jt_name, expected_prefix)
result := {
"allowed": false,
"violations": [sprintf("Job template naming for '%v' does not comply with standards", [jt_name])]
}
}When applied at different enforcement points, this policy prevents job execution accordingly:
- Job Template: All jobs launched from the template will ERROR, preventing playbook execution.
- Inventory: All jobs using the inventory will ERROR, preventing playbook, preventing playbook execution.
- Organization: All jobs launch from job template that belongs to the organization will ERROR, preventing playbook execution.
Take advantage of the Rego playground!
Real World Use Case: Use standard naming conventions for ease of identification and Configuration-as-Code initiatives
Without enforcing naming standards it will be hard to use initiatives such as Configuration-as-Code (CaC or CasC) to simply platform management and automation content seeding. It will also be much easier to identify content relevant to different environments such as Development or Production.
By applying the Block Policy, Ansible Automation Platform completely prevents automation execution at the specified enforcement points. This ensures that no changes can be made to critical environments during security incidents, audits, or compliance reviews.
Running an automation Job Template when this policy is in place will result in this type of error when an unapproved repo tries to be used:
This job cannot be executed due to a policy violation or error. See the following details:
{'Violations': {'Job template': ["Job template naming for 'PhilFooOrg Phils "
"Random Ansible Job Template with PaC' does "
'not comply with standards']}}