package spacelift
# This import is required for Rego v0 compatibility and can be removed if you are only using Rego v1.
import rego.v1
# This policy gates runs on an approval from the "Security" team: a run in the UNCONFIRMED state is
# approved only once a reviewer whose session lists the "Security" team has approved it, and any
# rejection (from any reviewer, not only Security) rejects the run. Approvals from reviewers outside
# the Security team are simply ignored — they do not reject the run.
# NOTE(review): approval_list / requires_approval below are not referenced by approve or reject, so the
# gate currently applies to every UNCONFIRMED run, not only to runs that touch the listed resource
# types — confirm whether that is the intended scope.
# This policy can be combined with automatic policy attachment (https://docs.spacelift.io/concepts/policy#automatically)
# to automatically enforce it across stacks.
# approval_list holds the Terraform resource types whose add/change/delete is meant to require a
# Security-team approval (consumed by requires_approval below). Type names are compared exactly
# against resource.entity.type, so extend this list to widen the gate.
approval_list := [
"aws_iam_access_key",
"aws_security_group",
"aws_security_group_rule",
"aws_network_acl",
"aws_iam_policy",
"aws_iam_role",
"aws_iam_user_policy",
]
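# requires_approval holds when at least one resource change in the plan is an add, change or delete
# of a resource whose type appears in approval_list; it is undefined (falsy) otherwise.
# The three previously duplicated rules (one per action) are folded into a single rule with a set
# of gated actions so that adding an action is a one-token change.
# Only the action names "added", "changed" and "deleted" are matched; if the platform reports other
# action names for these types (a replacement, say), they pass through unmatched — confirm against
# the run.changes schema before relying on this.
# NOTE(review): no other rule in this file references requires_approval, so it currently has no
# effect on the approve/reject decision.
requires_approval if {
	some resource in input.run.changes
	some action in resource.actions
	action in {"added", "changed", "deleted"}
	resource.entity.type in approval_list
}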
# approvals aliases the run's current list of approvals; security_approval iterates it.
approvals := input.reviews["current"]["approvals"]
# security_approval holds when any recorded approval was made by a session whose team list contains
# exactly the string "Security" (no case folding, no prefix matching).
# NOTE(review): nothing here excludes the run's own author from being the approving Security member —
# confirm whether the platform enforces that separation, because this rule alone does not.
security_approval if {
	some approval in approvals
	some team in approval.session.teams
	team == "Security"
}
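# approve is the decision rule consumed by the platform. It holds in two cases:
#   1. The run is not waiting for confirmation (state != "UNCONFIRMED"), so this policy does not gate
#      it at that stage.
#   2. A reviewer from the Security team has approved (security_approval). security_approval can only
#      hold when at least one approval exists, so the former `count(approvals) > 0` condition was
#      redundant and has been dropped.
# NOTE(review): requires_approval is not consulted here, so every UNCONFIRMED run needs a Security
# approval regardless of which resource types it touches — confirm that is the intended scope.
# NOTE(review): if both approve and reject hold, precedence is decided by the platform, not by this file.
approve if {
	input.run.state != "UNCONFIRMED"
}

approve if {
	security_approval
}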
# reject holds as soon as the run carries at least one rejection. There is no team filter here, so a
# rejection from any reviewer — Security or not — blocks the run.
reject if {
	rejection_count := count(input.reviews.current.rejections)
	rejection_count != 0
}
# Learn more about sampling policy evaluations here:
# https://docs.spacelift.io/concepts/policy#sampling-policy-inputs
# sample := true opts every evaluation of this policy into sampling. The evaluation input includes
# reviewer session data (see security_approval), which sampling presumably retains — confirm that is
# acceptable before leaving this enabled outside of debugging.
sample := true