forked from ansible/example-opa-policy-for-aap
maintenance_window.rego
package aap_policy_examples
# Maintenance window bounds, expressed as whole hours in UTC.
# start (12) is greater than end (4), so the window begins at 12:00 UTC and
# runs across midnight into the following UTC day.
# These are fixed UTC hours; the local-time equivalent shifts by an hour
# whenever the local zone observes daylight saving time.
# NOTE(review): the EST labels previously attached to these values
# (5 PM / 9 AM) do not match them. With EST = UTC-5, 12:00 UTC is 07:00 EST
# and 04:00 UTC is 23:00 EST on the previous day; a 5 PM-9 AM EST window would
# be 22 and 14. Confirm which was intended before enforcing this policy.
maintenance_start_hour := 12 # 12:00 UTC (07:00 EST)
maintenance_end_hour := 4 # 04:00 UTC (23:00 EST, previous day)
# Break the job's creation timestamp down into a UTC wall-clock time.
# input.created is parsed as an RFC 3339 string into nanoseconds since the
# epoch, so any UTC offset in the string is normalised before the clock is read.
# NOTE(review): this is the time the job was created, not the time the policy
# is evaluated or the job starts running -- confirm that matches the intent of
# the window, and that `created` is set by the controller rather than by the
# party requesting the job.
created_clock := clock if {
	created_ns := time.parse_rfc3339_ns(input.created)
	clock := time.clock(created_ns) # [hour, minute, second]
}

# Hour component of the creation time, in UTC.
created_hour_utc := hour if {
	[hour, _, _] := created_clock
}
# True when the job's creation hour (UTC) falls inside the maintenance window.
# The two rules are OR-ed together, which is what lets the window wrap past
# midnight: hour >= start covers the part before midnight, hour <= end the
# part after it. That only describes a window when start > end; with
# start <= end the two rules together would match every hour of the day.
# NOTE(review): the comparison is on whole hours, so the second rule matches
# through the last second of the end hour (04:59:59 UTC with the current
# value), not just up to 04:00:00 -- confirm the intended end of the window.
is_maintenance_time if created_hour_utc >= maintenance_start_hour # 12:00 UTC or later

is_maintenance_time if created_hour_utc <= maintenance_end_hour # any time in the 04:xx hour or earlier
# Decision document for this policy: {"allowed": bool, "violations": [string]}.
# The allow default applies only when is_maintenance_time is true.
# When is_maintenance_time is undefined the rule below fires and the job is
# denied. That covers a creation time outside the window, and also an
# input.created that is missing or not a parseable RFC 3339 timestamp (under
# OPA's default, non-strict handling of built-in errors), so malformed input
# does not fall through to the allow default.
default maintenance_window := {"allowed": true, "violations": []}

maintenance_window := denial if {
	not is_maintenance_time
	denial := {
		"allowed": false,
		"violations": ["No job execution allowed outside of maintenance window"],
	}
}