@kgilpin kgilpin/bastion-policy.rb
Last active Oct 28, 2015

DSL Tutorial
bastion-policy.rb

```ruby
# Defines a Bastion server layer.
#
# Usage:
#   conjur policy load --as-group ops bastion-policy.rb
policy "bastion" do
  # Members of this group will be able to administer the bastion.
  admins = group "admins"

  # Members of this group will be able to log in to the bastion
  # with a regular, non-privileged account.
  users = group "users"

  # The bastion hosts will be in this layer.
  layer do |layer|
    add_member "use_host", users
    add_member "admin_host", admins

    # The host factory is used to provision the bastion hosts automatically
    # through automation technology such as CloudFormation.
    host_factory layers: [ layer ]
  end
end
```
global-entitlements.rb

```ruby
# Usage:
#   conjur script execute global-entitlements.rb
%w(dev ops ci).each do |gname|
  api.group(gname).add_member group("#{gname}-admin"), admin_option: true
end
```
global.rb

```ruby
# Usage:
#   conjur script execute --as-group security_admin global.rb
group "dev"
group "dev-admin"
group "ops"
group "ops-admin"
group "ci"
group "ci-admin"
```
paas-service-policy.rb

```ruby
# Usage:
#   conjur policy load --as-group ops paas-service-policy.rb
policy "myapp-service" do
  # Parentheses are required here: a bare `variable "x", kind: ...` call
  # is not valid Ruby as an array element.
  variables = [
    variable("ssl_cert", kind: "SSL certificate", mime_type: "application/x-pem-file"),
    variable("ssl_private_key", kind: "SSL private key", mime_type: "application/x-pem-file")
  ]

  # Secrets managers may rotate the certificate and key.
  group "secrets-managers" do
    variables.each do |var|
      can "read", var
      can "execute", var
      can "update", var
    end
  end

  # Hosts in the service layer may only fetch the values, not change them.
  layer do
    variables.each do |var|
      can "read", var
      can "execute", var
    end
  end
end
```
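To check the read-only versus update split declared in paas-service-policy.rb before loading it, here is an added stand-in evaluator (example code, not Conjur's DSL implementation). Its scoping and resource naming (`variable:policy/name`, `group:policy/name`, `layer:policy`) are assumptions made for the illustration.

```ruby
require 'set'

# Stand-in evaluator for the gist's policy DSL (assumed semantics, not Conjur's code):
# each `can` inside a role block is recorded as a [role, privilege, resource] grant,
# so a policy's entitlements can be audited offline before it is loaded.
class PolicyRecorder
  def initialize
    @grants = Set.new  # [role, privilege, resource] triples
    @scope  = []       # enclosing policy names, used to qualify ids
    @role   = nil      # role whose block is currently being evaluated
  end
  def qualify(name); (@scope + [name]).join('/'); end
  def policy(name, &blk)          # nests declared ids under "name/"
    @scope.push(name); instance_eval(&blk); @scope.pop
  end
  def variable(name, **_attrs)    # kind:/mime_type: are metadata only
    "variable:#{qualify(name)}"
  end
  def group(name, &blk); with_role("group:#{qualify(name)}", &blk); end
  def layer(&blk);       with_role("layer:#{@scope.join('/')}", &blk); end
  def with_role(role, &blk)       # evaluate blk with `can` bound to role
    return role unless blk
    saved, @role = @role, role
    instance_eval(&blk)
    @role = saved; role
  end
  def can(privilege, resource)    # grant privilege on resource to current role
    raise "`can` used outside a role block" unless @role
    @grants << [@role, privilege, resource]
  end

  # Roles holding a privilege on a resource, e.g. who may update a private key.
  def who_can(privilege, resource)
    @grants.select { |_, p, res| p == privilege && res == resource }.map(&:first).sort
  end
end

# Loads the declarations of paas-service-policy.rb into a recorder.
def load_paas_policy
  rec = PolicyRecorder.new
  rec.instance_eval do
    policy "myapp-service" do
      vars = [variable("ssl_cert", kind: "SSL certificate", mime_type: "application/x-pem-file"),
              variable("ssl_private_key", kind: "SSL private key", mime_type: "application/x-pem-file")]
      group("secrets-managers") { vars.each { |v| can "read", v; can "execute", v; can "update", v } }
      layer { vars.each { |v| can "read", v; can "execute", v } }
    end
  end
  rec
end
```

`load_paas_policy.who_can("update", "variable:myapp-service/ssl_private_key")` returns only the secrets-managers group, while `who_can("read", ...)` also lists the layer.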