Restrict Resource Class
Because CircleCI’s policy engine uses OPA’s rego, we can enforce restrictions on what resource classes can be used in a project.
This policy will produce a hard fail if a user attempts to use defined resource classes in defined project.
Utilizing a policy like this can provide a number of benefits such as:
- Controlling costs by locking larger resource classes to certain projects
- Controlling access to runner based resource classes for security (only certain networks should access certain projects)
- Limit the amount of resource available for use in certain projects
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
|
package org
# https://www.openpolicyagent.org/docs/latest/policy-language/#future-keywords
# new keywords are introduced and eventually become standard in rego
# until that point, imports (such as below) are needed to use them
# https://www.openpolicyagent.org/docs/latest/policy-language/#membership-and-iteration-in
# in lets you check if an element is part of an array, set or object and evaluates to true or false
import future.keywords.in
# https://www.openpolicyagent.org/docs/latest/policy-language/#futurekeywordscontains
# contains allows for expressive rules for partial rule sets; such as defining a value
import future.keywords.contains
# https://www.openpolicyagent.org/docs/latest/policy-language/#futurekeywordsif
# if allows for expressive rules; separates rule head from body and evaluates if condition is truthy
import future.keywords.if
# define policy name
policy_name contains "resource_class_restriction"
# define 1 or more project ids; the policy will apply to all listed projects
defined_project_id := "bcd0044-f895-4b99-ba3-41217fcea9"
# define 1 or more resource classes here; check_resource_class logic below will disallow use of these resources in specified projects
defined_resource_classes := {"namespace/resourceclass1", "namespace/resourceclass2", "namespace/resourceclass3"}
# https://www.openpolicyagent.org/docs/latest/policy-reference/#builtin-graph-walk
# walks values of configuration file from project to look for defined resource classes
# a count of resource_classes are kept and set to resources to check later
resources := {resource_class | walk(input, [path, value]); value[_] in defined_resource_classes; resource_class := value[_]}
# checks resources; if 1 or more resources that are not allowed are found, send message and hard fail
# if all resources used are valid, policy passes and pipeline will run
check_resource_class = reason if {
count(resources) > 0
not data.meta.project_id == defined_project_id
reason := sprintf("These resources are not allowed to be used in project %s", [data.meta.project_id])
}
# https://circleci.com/docs/config-policy-management-overview/#enablement
# enables a rule and sets enforcement to hard_fail
enable_hard contains "check_resource_class"
|