{"id":16840224,"url":"https://github.com/thisisshi/safe-policy-rollout-gitops","last_synced_at":"2026-05-18T03:10:44.334Z","repository":{"id":92638137,"uuid":"411758515","full_name":"thisisshi/safe-policy-rollout-gitops","owner":"thisisshi","description":"Safe Policy Rollouts with GitOps (Kubecon NA 2021)","archived":false,"fork":false,"pushed_at":"2021-10-12T16:08:02.000Z","size":1022,"stargazers_count":3,"open_issues_count":2,"forks_count":1,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-10-03T14:57:47.446Z","etag":null,"topics":["aws","azure","c7n","cloud-custodian","cloud-governance","cloud-native","compliance","gcp","gitops"],"latest_commit_sha":null,"homepage":"","language":"HCL","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/thisisshi.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-09-29T16:56:25.000Z","updated_at":"2021-10-14T03:43:05.000Z","dependencies_parsed_at":"2023-03-13T17:27:15.209Z","dependency_job_id":null,"html_url":"https://github.com/thisisshi/safe-policy-rollout-gitops","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/thisisshi/safe-policy-rollout-gitops","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/thisisshi%2Fsafe-policy-rollout-gitops","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/thisisshi%2Fsafe-policy-rollout-gitops/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/thisisshi%2Fsafe-policy-rollout-gitops/releases","manifests_url":
"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/thisisshi%2Fsafe-policy-rollout-gitops/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/thisisshi","download_url":"https://codeload.github.com/thisisshi/safe-policy-rollout-gitops/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/thisisshi%2Fsafe-policy-rollout-gitops/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33163438,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-17T22:39:12.733Z","status":"online","status_checked_at":"2026-05-18T02:00:06.436Z","response_time":71,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","azure","c7n","cloud-custodian","cloud-governance","cloud-native","compliance","gcp","gitops"],"created_at":"2024-10-13T12:35:51.981Z","updated_at":"2026-05-18T03:10:44.316Z","avatar_url":"https://github.com/thisisshi.png","language":"HCL","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Safe Policy Rollouts with GitOps\nKubeCon 2021 - Governance as Code Day with Cloud Custodian hosted by Stacklet\n\n![Example](example.png)\n\n## Installation\n\nBefore starting, create a Github personal access token and keep it handy while you\ncreate the rest of the resources.\n\nThen, create a c7n-org `accounts.yaml` file. This file will determine what accounts and\nregions your policies will run against. 
For more details on how to create an `accounts.yaml`\nfile, click [here](https://docs.aws.amazon.com/codebuild/latest/userguide/access-tokens.html).\n\nExample `accounts.yaml`:\n\n```yaml\naccounts:\n  - name: \"Sandbox\"\n    account_id: \"123456789012\"\n    role: \"arn:aws:iam::123456789012:role/C7NPolicyCIRole\"\n    regions:\n      - \"us-east-1\"\n      - \"us-west-2\"\n  - name: \"Sandbox2\"\n    account_id: \"98765432101\"\n    role: \"arn:aws:iam::98765432101:role/C7NPolicyCIRole\"\n    regions:\n      - \"us-east-1\"\n      - \"us-west-2\"\n```\n\nTo install, use the `projects/ci` directory. There you will find an example `main.tf`\nthat you can use to create your own c7n CI CodeBuild job.\n\n```bash\ncd projects/ci\nterraform init\ncp settings.tfvars.example settings.tfvars\n# Edit settings.tfvars; all variables are defined in deploy/vars.tf\nterraform apply -var-file=settings.tfvars\n```\n\nOnce this has completed, navigate to the CodeBuild console in AWS and set up the OAuth\nconnection between AWS and GitHub. This is necessary to enable webhooks to trigger CodeBuild\njobs when pull requests are created or updated.\n\nTo set up OAuth:\n\n1. Navigate to the CodeBuild console\n2. Click on your Project\n3. Click Edit\n4. Click Source\n5. Click Connect to GitHub\n6. Follow the steps in the pop-up window\n7. Click Update Source\n\nThis project uses [c7n-policystream](https://cloudcustodian.io/docs/tools/c7n-policystream.html)\nto detect changes between your commit and the base branch, as defined by `base_branch`. The\nCodeBuild job then runs the changed policies as well as the original ones from `base_branch`\nand compares the results of the two. You can also specify thresholds for the job to fail on,\nwith values for either the total number of resources (e.g. if the delta is 5 resources for a given\npolicy, fail) or a percentage (e.g. 
if the percentage delta is greater than 50%, fail).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fthisisshi%2Fsafe-policy-rollout-gitops","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fthisisshi%2Fsafe-policy-rollout-gitops","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fthisisshi%2Fsafe-policy-rollout-gitops/lists"}