.github/workflows Add github action to validate the example policies 2025-03-31 12:40:51 -04:00
aap_policy_examples Extra use case examples inc. SCM and naming standards rules (#21) 2025-04-10 15:32:35 -04:00
ansible Add playbook to load policies 2025-04-09 23:02:26 -04:00
docs Edits to Associating policy with AAP resources for clarity (#20) 2025-04-08 17:03:02 -04:00
openshift Add make target for deploying OPA server on OCP 2025-03-31 21:33:35 -04:00
test_aap_policy_examples Change from whitelist to allowlist 2025-04-07 15:24:13 -04:00
tools Add tool to sync embedded policy in doc 2025-03-31 22:09:18 -04:00
.gitignore Add ansible playbook to deploy OPA server w mTLS 2025-04-09 22:26:34 -04:00
1.Prevent job execution at different policy enforcement points.md Remove Rego playground links 2025-04-08 16:24:29 -04:00
2.Prevent job execution by platform admin.md Make the policy output more consistent (#22) 2025-05-12 09:35:31 -04:00
3.Prevent job execution during maintenance window.md Remove Rego playground links 2025-04-08 16:24:29 -04:00
4.Prevent job execution using credential with no Organization.md Remove Rego playground links 2025-04-08 16:24:29 -04:00
5.Prevent job execution using mismatching resources.md Remove Rego playground links 2025-04-08 16:24:29 -04:00
6a.Prevent job execution using extra_vars with non approved keys.md Remove Rego playground links 2025-04-08 16:24:29 -04:00
6b.Prevent job execution using extra_vars with non approved values.md Remove Rego playground links 2025-04-08 16:24:29 -04:00
6c.Prevent job execution based on user limitations for extra vars.md Remove Rego playground links 2025-04-08 16:24:29 -04:00
7a.Only allow approved Github repos.md Extra use case examples inc. SCM and naming standards rules (#21) 2025-04-10 15:32:35 -04:00
7b.Only allow certain Git branches.md Extra use case examples inc. SCM and naming standards rules (#21) 2025-04-10 15:32:35 -04:00
8.Enforce Job Template Naming Standards.md Extra use case examples inc. SCM and naming standards rules (#21) 2025-04-10 15:32:35 -04:00
9.Restrict Inventory use to an organization.md Extra use case examples inc. SCM and naming standards rules (#21) 2025-04-10 15:32:35 -04:00
LICENSE Add LICENSE and improve README 2025-03-31 21:45:38 -04:00
Makefile Add tool to sync embedded policy in doc 2025-03-31 22:09:18 -04:00
POLICY_INPUT_DATA.md Update POLICY_INPUT_DATA.md 2025-03-19 15:26:26 -04:00
POLICY_OUTPUT_DATA.md Add make target for deploying OPA server on OCP 2025-03-31 21:33:35 -04:00
README.md Extra use case examples inc. SCM and naming standards rules (#21) 2025-04-10 15:32:35 -04:00

Example OPA Policies for Ansible Automation Platform

This repository contains example policies and use cases demonstrating how to use the Policy as Code feature in Ansible Automation Platform (AAP). These examples will guide you through implementing various policy enforcement scenarios using Open Policy Agent (OPA).

Overview

Policy as Code allows you to define and enforce policies across your Ansible Automation Platform using OPA and the Rego language. This repository provides practical examples of common policy enforcement scenarios.

Prerequisites

For detailed setup instructions, see "Setting up Policy as Code for Ansible Automation Platform" in the official documentation.

Repository Structure

.
├── aap_policy_examples/     # Example policy implementations
├── example_input_data/     # Sample input data for testing
├── test_aap_policy_examples/ # Test cases and validation
├── openshift/             # OpenShift-specific configurations
├── tools/                # Utility scripts and tools
├── bin/                  # Binary and executable files
├── .github/             # GitHub-specific configurations
├── POLICY_INPUT_DATA.md # Documentation of input data structure
└── POLICY_OUTPUT_DATA.md # Documentation of output data structure

Example Policies

The repository includes several example policies demonstrating different use cases:

  1. Prevent job execution at various policy enforcement points
  2. Prevent job execution by platform admin
  3. Prevent job execution during maintenance window
  4. Prevent job execution using credential with no Organization
  5. Prevent job execution using mismatching resources
  6. Enforce extra_vars based policies
  7. Source code controls
  8. Enforce Naming Standards - ensure Job Template name conforms to our standards
  9. Restrict usage of an Inventory to an Organization - restrict inventory usage by organization

Each policy example includes:

  • Detailed explanation of the use case
  • Example Rego policy implementation
  • Sample input and output data
  • Testing instructions

Getting Started

  1. Clone this repository
  2. Review the example policies in the aap_policy_examples/ directory
  3. Use the provided test cases in test_aap_policy_examples/ to validate your policies
  4. Customize the policies according to your needs

Testing

The repository includes test cases and example input data to help you validate your policies. See the test_aap_policy_examples/ directory for more details.

Documentation

Contributing

Contributions are welcome! Please feel free to submit a Pull Request.

License

This project is dedicated to the public domain under The Unlicense. See the LICENSE file for details.

The Unlicense is a template for disclaiming copyright monopoly interest in software you've written; in other words, it is a template for dedicating your software to the public domain.