Created September 1, 2017 13:53
AnsibleFest Policy Refactor
myapp.yml

```yaml
- !policy
  id: myapp
  body:
  - &variables
    - !variable
      id: database/username
      annotations:
        description: Application database username
    - !variable
      id: database/password
      annotations:
        description: Application database password
    - !variable
      id: stripe/private_key
      annotations:
        description: Stripe API key

  - !layer

  - !group secrets-users
  - !group secrets-managers

  # secrets-managers has role secrets-users
  - !grant
    role: !group secrets-users
    member: !group secrets-managers

  # secrets-users can read and execute
  - !permit
    resource: *variables
    privileges: [ read, execute ]
    role: !group secrets-users

  # secrets-managers can update (and read and execute, via role grant)
  - !permit
    resource: *variables
    privileges: [ update ]
    role: !group secrets-managers

  # Application layer has the secrets-users role
  - !grant
    role: !group secrets-users
    member: !layer
```
policy.yml

```yaml
# Top-level policy file
# Load with:
# conjur policy load --as-group security_admin policy.yml

# Define the global users
- !include users.yml

# Define "myapp" in staging, owned by the "developers" team
- !policy
  id: staging
  owner: !group developers
  body:
  - !include myapp.yml

# Define "myapp" in production, owned by the "security_ops" team
- !policy
  id: production
  owner: !group security_ops
  body:
  - !include myapp.yml

# Grant the team_leads permission to read+write the "myapp" variables in production
# (the group is defined as "secrets-managers" in myapp.yml)
- !grant
  role: !group production/myapp/secrets-managers
  members:
  - !group team_leads
```
users.yml

```yaml
- !group security_ops
- !group team_leads
- !group developers

# Grant the less-powerful groups to the more-powerful groups
- !grant
  role: !group team_leads
  member: !group security_ops

- !grant
  role: !group developers
  member: !group team_leads
```
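As an added example (not part of the gist and not Conjur's own engine), a small Python model of the role graph these three files produce when myapp.yml is loaded under the production policy: it follows the !grant edges transitively and reports which privileges each group ends up holding on the myapp variables. The grant and permit tuples are constructed from the files above; Conjur's policy-ownership path (security_ops owning the production policy) is deliberately omitted.

```python
from collections import defaultdict

# Constructed from users.yml, policy.yml and myapp.yml as loaded under the
# "production" policy. A !grant of (role, member) means member inherits role.
# Conjur's real resolver also gives the policy owner (security_ops) full
# privileges via ownership; that path is intentionally left out of this model.
GRANTS = [
    ("group:team_leads", "group:security_ops"),
    ("group:developers", "group:team_leads"),
    ("group:production/myapp/secrets-managers", "group:team_leads"),
    ("group:production/myapp/secrets-users",
     "group:production/myapp/secrets-managers"),
    ("group:production/myapp/secrets-users", "layer:production/myapp"),
]

VARIABLES = [
    "variable:production/myapp/database/username",
    "variable:production/myapp/database/password",
    "variable:production/myapp/stripe/private_key",
]

# The two !permit records from myapp.yml: (role, privileges, resources).
PERMITS = [
    ("group:production/myapp/secrets-users", {"read", "execute"}, VARIABLES),
    ("group:production/myapp/secrets-managers", {"update"}, VARIABLES),
]


def roles_held_by(member, grants=GRANTS):
    """Return every role `member` holds, following !grant edges transitively."""
    held, frontier = {member}, [member]
    while frontier:
        current = frontier.pop()
        for role, grantee in grants:
            if grantee == current and role not in held:
                held.add(role)
                frontier.append(role)
    return held


def effective_privileges(member, grants=GRANTS, permits=PERMITS):
    """Map each resource to the privileges `member` ends up with on it."""
    held = roles_held_by(member, grants)
    result = defaultdict(set)
    for role, privs, resources in permits:
        if role in held:
            for resource in resources:
                result[resource] |= privs
    return dict(result)
```

Calling `effective_privileges("group:developers")` returns an empty map, which is the point of the layout: developers own staging but hold nothing in production unless explicitly granted.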