Rick Craig RickCraig
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| package pipeline | |
| deny[msg]{ | |
| input.pipeline.tags.release | |
| branch := input.pipeline.properties.ci.codebase.build.spec.branch | |
| not check_branch(branch) | |
| msg := sprintf("Branch %s is not allowed, please use Release/* or <+trigger.payload.branch>", [branch]) | |
| } | |
| check_branch(branch) { |
RickCraig
/ enforce_step_order_inc_parallels.rego
Created
May 4, 2023 09:26
Enforce Step Order, this one also takes into consideration parallel steps
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| package pipeline | |
| step_order := ["TerraformPlan", "HarnessApproval", "TerraformApply"] | |
| # Deny a pipeline if steps do not execute in the | |
| # correct order, this will check the steps in every | |
| # stage, but not across stages | |
| deny[msg] { | |
| stage := input.pipeline.stages[_].stage |
RickCraig
/ bonus_deny_ci_stages.rego
Last active
May 9, 2023 16:44
Guide: How to deal with parallel pipeline stages
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| package pipeline | |
| # Check serial stages | |
| check_pipeline { | |
| stage := input.pipeline.stages[_].stage | |
| stage.type == "CI" | |
| } | |
| # Check parallel stages | |
| check_pipeline { |
RickCraig
/ ci_connector_check_parallel.rego
Created
May 3, 2023 08:06
Check the connector for ci_cluster on serial and paralllel CI stages
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| package pipeline | |
| # Ensure all CI stages in serial use the ci_cluster connector | |
| deny[msg] { | |
| stage := input.pipeline.stages[_].stage | |
| stage.type == "CI" | |
| stage.spec.infrastructure.spec.connector.identifier != "ci_cluster" | |
| msg := sprintf("CI stage '%s' is not using CI cluster", [stage.name]) | |
| } |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| package pipeline | |
| blocked_delegates := ["cti-shared-us-east-1-svc-eks-tfg7-swat", "my-other-delegate"] | |
| # block any pipeline which uses a particular delegate | |
| deny[msg] { | |
| # Get the stage | |
| stage := input.pipeline.stages[_].stage | |
| # Loop through blocked delegates |
RickCraig
/ check_required_steps.rego
Last active
May 9, 2023 16:45
This rego script checks all steps inside of targeted stage types (in this example, CI stages). It takes into consideration both serial and parallel stages, and all configurations of step (serial, stepgroups & parallels)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| package pipeline | |
| # Stage Type to Check | |
| stage_type = "CI" | |
| # Steps that required in every "stage_type" stage | |
| required_steps = ["BuildAndPushDockerRegistry", "Run"] | |
| # Walks through a stage and return all step objects | |
| walk_steps(stage) = { value | |
RickCraig
/ disallow_environment.rego
Last active
May 9, 2023 16:45
Disallow environments by identifier
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| package pipeline | |
| # Deny pipelines that use disallowed environments | |
| deny[msg] { | |
| # Find all deployment stages | |
| stage = input.pipeline.stages[_].stage | |
| stage.type == "Deployment" | |
| # ... where the environment is on the disallow list | |
| contains(disallowed_environments, stage.spec.infrastructure.environment.identifier) |
RickCraig
/ required_step.rego
Created
April 24, 2023 12:04
A rego script that checks for required steps in both serial and parallel stages
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| package pipeline | |
| # Steps that must be present in every deployment | |
| required_steps = ["BuildAndPushDockerRegistry"] | |
| # Stage Type to Check | |
| stage_type = "CI" | |
| # Checks the required step for non-parallel stages | |
| has_required_step[msg] { |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| package connector | |
| import future.keywords.in | |
| # Choose a connector type to check | |
| connectorType := "K8sCluster" | |
| # Choose one or more allowed auth types for the above connector type | |
| allowedAuthTypes := ["UsernamePassword"] | |
| deny[msg] { |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| package pipeline | |
| stage_order := ["OPA check", "deploy"] | |
| # Deny a pipeline if stages do not execute in the | |
| # correct order. This will check that the named stages | |
| # in the array above are in the right order, ignoring | |
| # other stages. | |
| deny[msg] { | |
| # Run through the order rules array |
NewerOlder