Ansible Automation Platform allows users to enforce policies at multiple enforcement points, including:
- Organization Level: Affects all job templates within an Organization.
- Inventory Level: Affects all jobs using a specified Inventory.
- Job Template Level: Affects jobs launched from a specific Job Template.
This example demonstrates how to prevent job execution using Open Policy Agent (OPA) and Ansible Automation Platform’s Policy as Code feature.
Example Policy aap_policy_examples/allowed_false.rego:
The following policy (aap_policy_examples/allowed_false.rego) blocks job execution entirely:
package aap_policy_examples
import rego.v1
allowed_false := {
"allowed": false,
"violations": ["No job execution is allowed"],
}This policy does not take any input. It simply returns "allowed": false with a violation message explaining why the job is blocked.
{
"allowed": false,
"violations": ["No job execution is allowed"]
}When applied at different enforcement points, this policy prevents job execution accordingly:
- Job Template: All jobs launched from the template will ERROR, preventing playbook execution.
- Inventory: All jobs using the inventory will ERROR, preventing playbook, preventing playbook execution.
- Organization: All jobs launch from job template that belongs to the organization will ERROR, preventing playbook execution.
Take advantage of the Rego playground!
A security team’s monitoring tool has detected unusual access patterns within their production systems. While the security team investigated the matter, they applied the Block Policy to all their Ansible Job Templates. This prevented any automated changes from being made on their systems that could have worsened the situation.
By applying the Block Policy, Ansible Automation Platform completely prevents automation execution at the specified enforcement points. This ensures that no changes can be made to critical environments during security incidents, audits, or compliance reviews.
When the Block Policy (allowed_false.rego) is enforced:
- 🚫 Job Templates Fail Immediately – Any playbook execution triggered by an affected job template will ERROR.
- 🚫 Inventories Cannot Be Used – Jobs attempting to use an affected inventory will be blocked and ERROR.
- 🚫 Organization-Level Restrictions Apply – All jobs launched from job templates that belongs to a restricted organization will ERROR.
- Rapid Response: Teams can enforce immediate security controls to their automation jobs.
- Security & Compliance: Prevent unauthorized automation during incidents or policy violations.
- Flexibility: Policies can be applied, updated, and revoked based on security requirements.
With Ansible Automation Platform's Policy as Code, organizations can ensure that automation doesn’t become a liability during critical incidents, instead, it works in tandem with your policies to protect infrastructure from unintended or malicious changes.