@kgilpin kgilpin/myapp.yml
Created Sep 1, 2017

AnsibleFest Policy Refactor
```yaml
- !policy
  id: myapp
  body:
  - &variables
    - !variable
      id: database/username
      annotations:
        description: Application database username
    - !variable
      id: database/password
      annotations:
        description: Application database password
    - !variable
      id: stripe/private_key
      annotations:
        description: Stripe API key

  - !layer

  - !group secrets-users
  - !group secrets-managers

  # secrets-managers has role secrets-users
  - !grant
    role: !group secrets-users
    member: !group secrets-managers

  # secrets-users can read and execute
  - !permit
    resource: *variables
    privileges: [ read, execute ]
    role: !group secrets-users

  # secrets-managers can update (and read and execute, via role grant)
  - !permit
    resource: *variables
    privileges: [ update ]
    role: !group secrets-managers

  # Application layer has the secrets-users role
  - !grant
    role: !group secrets-users
    member: !layer
```
policy.yml

```yaml
# Top-level policy file
# Load with:
# conjur policy load --as-group security_admin policy.yml

# Define the global users
- !include users.yml

# Define "myapp" in staging, owned by the "developers" team
- !policy
  id: staging
  owner: !group developers
  body:
  - !include myapp.yml

# Define "myapp" in production, owned by the "security_ops" team
- !policy
  id: production
  owner: !group security_ops
  body:
  - !include myapp.yml

# Grant the team_leads permission to read+update the "myapp" variables in production
# (the group id is "secrets-managers", as defined in myapp.yml)
- !grant
  role: !group production/myapp/secrets-managers
  members:
  - !group team_leads
```
users.yml

```yaml
- !group security_ops
- !group team_leads
- !group developers

# Grant the less-powerful groups to the more-powerful groups
- !grant
  role: !group team_leads
  member: !group security_ops
- !grant
  role: !group developers
  member: !group team_leads
```
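To check what these three files actually grant once the role chain (developers -> team_leads -> security_ops, plus the production-only grant) is resolved, here is an added example that is not part of the gist: the policy is hand-transcribed into Python data and resolved the way Conjur treats grants, assuming that `!include` prefixes ids with the enclosing policy id, that the unnamed `!layer` takes the policy id, and that a policy owner is a member of every role the policy creates.

```python
from collections import defaultdict

VARS = ["database/username", "database/password", "stripe/private_key"]

def myapp(prefix, owner):
    """myapp.yml as !include'd under policy `prefix`; ids get the prefix."""
    r = lambda x: f"{prefix}/myapp/{x}"
    layer = f"layer:{prefix}/myapp"   # assumption: unnamed !layer takes the policy id
    grants = [(r("secrets-users"), r("secrets-managers")),  # (role, member)
              (r("secrets-users"), layer)]
    # assumption (Conjur ownership): the policy owner is a member of each role created
    grants += [(r("secrets-managers"), owner), (layer, owner)]
    permits = [(r("secrets-users"), {"read", "execute"}),
               (r("secrets-managers"), {"update"})]
    return [r(v) for v in VARS], grants, permits

# policy.yml and users.yml, transcribed from the gist (constructed data)
POLICIES = {"staging": "developers", "production": "security_ops"}  # id -> owner
GRANTS = [("team_leads", "security_ops"), ("developers", "team_leads"),
          ("production/myapp/secrets-managers", "team_leads")]

def holders(role, members):
    """Every role that can act as `role`: itself plus its transitive members."""
    seen, stack = set(), [role]
    while stack:
        cur = stack.pop()
        if cur not in seen:
            seen.add(cur)
            stack.extend(members[cur])
    return seen

def effective_privileges():
    """{role: {variable: privileges}} once grants and ownership are resolved."""
    members = defaultdict(set)                       # role -> direct members
    direct = defaultdict(lambda: defaultdict(set))   # role -> variable -> privs
    for role, member in GRANTS:
        members[role].add(member)
    for pid, owner in POLICIES.items():
        variables, grants, permits = myapp(pid, owner)
        for role, member in grants:
            members[role].add(member)
        for role, privs in permits:
            for var in variables:
                direct[role][var] |= privs
    result = defaultdict(lambda: defaultdict(set))
    for role, by_var in direct.items():
        for holder in holders(role, members):         # membership inherits privs
            for var, privs in by_var.items():
                result[holder][var] |= privs
    return result
```

The resolved table shows the intended split: team_leads and security_ops can read, execute and update the production variables, the production layer can only read and execute, and developers have no privilege in production at all.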