CircleCI Field Guide
GitHub Toggle Dark/Light/Auto mode Toggle Dark/Light/Auto mode Toggle Dark/Light/Auto mode Back to homepage
  1. Introduction
  2. /
  3. Enforcing Policy
  4. /
  5. Restrict Resource Class
Edit page

Restrict Resource Class

Because CircleCI’s policy engine uses OPA’s rego, we can enforce restrictions on what resource classes can be used in a project.

Code Samples

resource_class policy

This policy will produce a hard fail if a user attempts to use defined resource classes in defined project.

Utilizing a policy like this can provide a number of benefits such as:

  • Controlling costs by locking larger resource classes to certain projects
  • Controlling access to runner based resource classes for security (only certain networks should access certain projects)
  • Limit the amount of resource available for use in certain projects
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43

package org

# https://www.openpolicyagent.org/docs/latest/policy-language/#future-keywords
# new keywords are introduced and eventually become standard in rego
# until that point, imports (such as below) are needed to use them

# https://www.openpolicyagent.org/docs/latest/policy-language/#membership-and-iteration-in
# in lets you check if an element is part of an array, set or object and evaluates to true or false
import future.keywords.in

# https://www.openpolicyagent.org/docs/latest/policy-language/#futurekeywordscontains
# contains allows for expressive rules for partial rule sets; such as defining a value
import future.keywords.contains

# https://www.openpolicyagent.org/docs/latest/policy-language/#futurekeywordsif
# if allows for expressive rules; separates rule head from body and evaluates if condition is truthy
import future.keywords.if

# define policy name
policy_name contains "resource_class_restriction"

# define 1 or more project ids; the policy will apply to all listed projects
defined_project_id := "bcd0044-f895-4b99-ba3-41217fcea9"

# define 1 or more resource classes here; check_resource_class logic below will disallow use of these resources in specified projects
defined_resource_classes := {"namespace/resourceclass1", "namespace/resourceclass2", "namespace/resourceclass3"}

# https://www.openpolicyagent.org/docs/latest/policy-reference/#builtin-graph-walk
# walks values of configuration file from project to look for defined resource classes
# a count of resource_classes are kept and set to resources to check later
resources := {resource_class | walk(input, [path, value]); value[_] in defined_resource_classes; resource_class := value[_]}

# checks resources; if 1 or more resources that are not allowed are found, send message and hard fail
# if all resources used are valid, policy passes and pipeline will run
check_resource_class = reason if {
	count(resources) > 0
	not data.meta.project_id == defined_project_id
	reason := sprintf("These resources are not allowed to be used in project %s", [data.meta.project_id])
}

# https://circleci.com/docs/config-policy-management-overview/#enablement
# enables a rule and sets enforcement to hard_fail
enable_hard contains "check_resource_class"