Here's a story about another RFE. One of our customers wants to be able to enforce naming rules. For example, all prod inventories, credentials and job templates must be prefixed with prod_, and only things with the same prefix can be used together.
This is a very reasonable and straightforward request, and a simple way to reduce user error, like using prod inventory on a job template intended for dev.
Currently Ansible Automation Platform cannot enforce a naming convention check. With the Policy as Code feature, this is simple.
Example policy aap_policy_examples/mismatch_prefix_allowed_false.rego:
package aap_policy_examples
prefix_delimiter := " "
# job_template_prefix extracts the substring before the first prefix_delimiter in `input.job_template.name`.
job_template_prefix := jtp if {
parts := split(input.job_template.name, prefix_delimiter)
jtp := parts[0]
}
# inventory_prefix extracts the substring before the first prefix_delimiter in `input.inventory.name`.
inventory_prefix := inv_pref if {
parts := split(input.inventory.name, prefix_delimiter)
inv_pref := parts[0]
}
# project_prefix extracts the substring before the first prefix_delimiter in `input.project.name`.
project_prefix := proj_pref if {
parts := split(input.project.name, prefix_delimiter)
proj_pref := parts[0]
}
# credentials_prefixes is a list of prefix values from each credential's name.
credentials_prefixes := [cprefix |
cred := input.credentials[_] # iterate over credentials
parts := split(cred.name, prefix_delimiter) # split name
cprefix := parts[0] # grab the first part
]
# mismatch is true if either:
# 1. The project prefix != job template prefix, OR
# 2. The inventory prefix != job template prefix OR
# 3. Any credential's prefix != job template prefix.
mismatch if {
project_prefix != job_template_prefix
}
mismatch if {
inventory_prefix != job_template_prefix
}
mismatch if {
some cp in credentials_prefixes
cp != job_template_prefix
}
default mismatch_prefix_allowed_false := {
"allowed": true,
"violations": [],
}
mismatch_prefix_allowed_false := {
"allowed": false,
"violations": ["Mismatch prefix between Inventory, Credentials and Project detected."],
} if {
mismatch
}Example input:
{
"id": 785,
"name": "demo_Job Template",
"credentials": [
{
"name": "demo_Credential",
"description": "",
"organization": null,
"credential_type": 1,
"managed": false,
"inputs": {
"username": "admin"
},
"kind": "ssh",
"cloud": false,
"kubernetes": false
}
],
"project": {
"id": 6,
"name": "demo_Project",
"status": "successful",
"scm_type": "git",
"scm_url": "https://github.com/ansible/ansible-tower-samples",
"scm_branch": "",
"scm_refspec": "",
"scm_clean": false,
"scm_track_submodules": false,
"scm_delete_on_update": false
},
"inventory": {
"name": "prod_Inventory",
"description": "",
"has_active_failures": false,
"total_hosts": 1,
"hosts_with_active_failures": 0,
"total_groups": 0,
"has_inventory_sources": false,
"total_inventory_sources": 0,
"kind": ""
},
}Example output:
{
"allowed": false,
"violations": [
"Mismatch prefix between Inventory, Credentials and Project detected."
]
}Rego playground: https://play.openpolicyagent.org/p/uRhKroGcTy