@kgilpin
Created September 1, 2017 13:53
AnsibleFest Policy Refactor
myapp.yml

```yaml
- !policy
  id: myapp
  body:
  - &variables
    - !variable
      id: database/username
      annotations:
        description: Application database username
    - !variable
      id: database/password
      annotations:
        description: Application database password
    - !variable
      id: stripe/private_key
      annotations:
        description: Stripe API key

  - !layer

  - !group secrets-users
  - !group secrets-managers

  # secrets-managers has role secrets-users
  - !grant
    role: !group secrets-users
    member: !group secrets-managers

  # secrets-users can read and execute
  - !permit
    resource: *variables
    privileges: [ read, execute ]
    role: !group secrets-users

  # secrets-managers can update (and read and execute, via role grant)
  - !permit
    resource: *variables
    privileges: [ update ]
    role: !group secrets-managers

  # Application layer has the secrets-users role
  - !grant
    role: !group secrets-users
    member: !layer
```
policy.yml

```yaml
# Top-level policy file
# Load with:
#   conjur policy load --as-group security_admin policy.yml

# Define the global users
- !include users.yml

# Define "myapp" in staging, owned by the "developers" team
- !policy
  id: staging
  owner: !group developers
  body:
  - !include myapp.yml

# Define "myapp" in production, owned by the "security_ops" team
- !policy
  id: production
  owner: !group security_ops
  body:
  - !include myapp.yml

# Grant the team_leads permission to read+write the "myapp" variables in production
# (the group is declared as "secrets-managers" in myapp.yml)
- !grant
  role: !group production/myapp/secrets-managers
  members:
  - !group team_leads
```
users.yml

```yaml
- !group security_ops
- !group team_leads
- !group developers

# Grant the less-powerful groups to the more-powerful groups
- !grant
  role: !group team_leads
  member: !group security_ops
- !grant
  role: !group developers
  member: !group team_leads
```
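As an added example (not code from the gist), this Python script models the grant, permit and owner relationships the three files declare and computes the privileges a group ends up with on a given variable, which is the check worth running before loading a policy like this. The edges are transcribed by hand from the files, and the bare `!layer` inside `myapp` is assumed to take the policy's id (for example `production/myapp`).

```python
# Added example (not part of the gist): resolve the effective privileges the
# policies above produce. GRANTS, PERMITS and OWNERS are transcribed by hand
# from myapp.yml, policy.yml and users.yml, with ids written out in full.
from collections import deque

# member -> roles it is granted (one edge per !grant above).
# Assumption: the bare `!layer` inside policy `myapp` takes the policy's id.
GRANTS = {
    "staging/myapp/secrets-managers": {"staging/myapp/secrets-users"},
    "staging/myapp": {"staging/myapp/secrets-users"},
    "production/myapp/secrets-managers": {"production/myapp/secrets-users"},
    "production/myapp": {"production/myapp/secrets-users"},
    "team_leads": {"production/myapp/secrets-managers", "developers"},
    "security_ops": {"team_leads"},
}
# (role, id prefix of the permitted variables, privileges), one per !permit.
PERMITS = [
    ("staging/myapp/secrets-users", "staging/myapp/", {"read", "execute"}),
    ("staging/myapp/secrets-managers", "staging/myapp/", {"update"}),
    ("production/myapp/secrets-users", "production/myapp/", {"read", "execute"}),
    ("production/myapp/secrets-managers", "production/myapp/", {"update"}),
]
# Policy owner -> id prefix it owns; an owner holds every privilege there.
OWNERS = {"developers": "staging/", "security_ops": "production/"}


def roles_of(role):
    """All roles `role` holds, directly or through chained grants."""
    held, todo = set(), deque([role])
    while todo:
        r = todo.popleft()
        if r not in held:
            held.add(r)
            todo.extend(GRANTS.get(r, ()))
    return held


def effective_privileges(role, variable):
    """Privileges `role` has on `variable` via permits and policy ownership."""
    held, privs = roles_of(role), set()
    for r, prefix, p in PERMITS:
        if r in held and variable.startswith(prefix):
            privs |= p
    for owner, prefix in OWNERS.items():
        if owner in held and variable.startswith(prefix):
            privs |= {"read", "execute", "update"}
    return privs


if __name__ == "__main__":
    for who in ("developers", "team_leads", "security_ops", "production/myapp"):
        print(who, sorted(effective_privileges(who, "production/myapp/database/password")))
```

Running it shows that `security_ops` and `team_leads` can update production secrets while `developers` has no access to them, and that the application layer only ever gets read and execute.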