Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

https://github.com/spacelift-io/spacelift-policies-example-library

A library of example Spacelift policies
https://github.com/spacelift-io/spacelift-policies-example-library

examples opa policies spacelift

Last synced: about 1 month ago
JSON representation

A library of example Spacelift policies

Host: GitHub
URL: https://github.com/spacelift-io/spacelift-policies-example-library
Owner: spacelift-io
License: mit
Created: 2022-03-18T16:48:55.000Z (over 2 years ago)
Default Branch: main
Last Pushed: 2024-02-16T18:12:03.000Z (5 months ago)
Last Synced: 2024-02-16T19:29:19.536Z (5 months ago)
Topics: examples, opa, policies, spacelift
Language: Open Policy Agent
Homepage: https://docs.spacelift.io/concepts/policy
Size: 107 KB
Stars: 40
Watchers: 11
Forks: 9
Open Issues: 1
Metadata Files:
- Readme: README.md
- License: LICENSE

Lists

my-awesome-stars - spacelift-policies-example-library - io | 34 | (Open Policy Agent)
awesome-stars - spacelift-io/spacelift-policies-example-library - A library of example Spacelift policies (others)

README

        # Spacelift Policies Example Library

This repository contains a collection of Spacelift Policy examples that can be re-purposed (if needed), and used with [Spacelift](https://spacelift.io/). Spacelift Policies use the Open Policy Agent, which are written in the rego language. As you'll find in this repository, there are various types of Spacelift Policies - which allow for a lot of flexibility and customization. For more information on Spacelift Policies please refer to the [documentation](https://docs.spacelift.io/concepts/policy).

## Useful resources

- [Spacelift Policies](https://docs.spacelift.io/concepts/policy): You can find information about all available Spacelift Policy types here.

- [Open Policy Agent](https://www.openpolicyagent.org/docs/latest/policy-language/): Spacelift Policies utilize the Open Policy Agent, which uses the Rego language.

- [Spacelift Policy Workbench](https://docs.spacelift.io/concepts/policy#policy-workbench): Use the Spacelift Policy Workbench to debug your policies using sample policy inputs.

- [Testing Policies](https://docs.spacelift.io/concepts/policy#testing-policies): Learn about creating test cases for your Spacelift Policies.

## Policy Examples by Type

Policy Types Currently In This Library are below. Feel free to click on a given policy type to be taken to examples for that policy type.

| Policy Type                      | Description                                                                       |

| -------------------------------- | --------------------------------------------------------------------------------- |

| [ACCESS](./access/) (Deprecated) | Define who gets to access individual Stacks and with what level of access.        |

| [APPROVAL](./approval)           | Define who can approve or reject a run/task and how a run/task can be approved.   |

| [LOGIN](./login)                 | Define who gets to login to your Spacelift account and with what level of access. |

| [PLAN](./plan)                   | Define which changes can be applied.                                              |

| [PUSH](./push/)                  | Define how git push events are interpreted.                                       |

| [TRIGGER](./trigger)             | Define what happens when blocking runs terminate.                                 |

## All Policy Examples

### Access Policy

_Access policies have been deprecated. Please [read this](./access/README.md) for details._

- [Engineering Team Access](./access/engineering-team-access.rego)

- [Downgrade access after hours](./access/downgrade-access-after-hours.rego)

- [Label Based Team Access](./access/label-based-team-access.rego)

- [Protect Administrative Stacks](./access/protect-administrative-stacks.rego)

- [Slack Channel Access](./access/slack-channel-access.rego)

- [Who When Where Access Restrictions](./access/who-when-where-access-restrictions.rego)

### Approval Policy

- [Allowlist Task Commands](./approval/allowlist-task-commands.rego)

- [Approval needed outside working hours](./approval/approval-outside-working-hours.rego)

- [Require private worker](./approval/require-private-worker.rego)

- [Role-based Approval](./approval/role-based-approval.rego)

- [Require Approval from Security Team for certain resources](./approval/require-approval-from-security-team.rego)

- [Task and Run Approvals](./approval/task-and-run-approvals.rego)

- [Two Approvals Two Rejections](./approval/two-approvals-two-rejections.rego)

- [Two Approvals Two Rejections](./approval/two-approvals-two-rejections.rego)

### Login Policy

- External Contributor Access:

  - [GitHub](./login/external-contributor-access-github.rego)

  - [Google](./login/external-contributor-access-google.rego)

- [Managing access levels within an organization](./login/access-levels-within-an-organization.rego)

- [Readers Writers Admins Teams](./login/readers-writers-admins-teams.rego)

- [Rewriting User Teams](./login/rewriting-user-teams.rego)

- [Who When Where Login Restrictions](./login/who-when-where-login-restrictions.rego)

### Notification Policy

- [Drift Detection with changes](./notification/drift-detection-with-changes.rego)

- [Slack Channels set with labels](./notification/slack-channels-with-labels.rego)

- [Notification for link to failure logs](./notification/notification-failure.rego)

### Plan Policy

- [Check blast radius](./plan/check-blast-radius.rego)

- [Check sanitized value](./plan/check-sanitized-value.rego)

- [Checkov failed checks](./plan/checkov-failed-checks.rego)

- [Deny on proposed runs but warn on tracked runs](./plan/deny-proposed-runs-warn-track-runs.rego)

- [Do not delete stateful resources](./plan/do-not-delete-stateful-resources.rego)

- [Don't Allow Resource Type](./plan/dont-allow-resource-type.rego)

- [Enforce cloud provider](./plan/enforce-cloud-provider.rego)

- [Enforce Instance Type List](./plan/enforce-instance-type-list.rego)

- [Enforce module use policy](./plan/enforce-module-use-policy.rego)

- [Enforce Password Length](./plan/enforce-password-length.rego)

- [Enforce Google Cloud SQL Instance Networks](./plan/enforce-sqlinstance-network.rego)

- [Enforce Tags on Resources](./plan/enforce-tags-on-resources.rego)

- [Enforce Terraform version list](./plan/enforce-terraform-version-list.rego)

- [Ensure resource creation before deletion](./plan/ensure-resource-creation-before-deletion.rego)

- [Infracost Monthly Cost Restriction](./plan/infracost-monthly-cost-restriction.rego)

- [Kics severity counter](./plan/kics-severity-counter.rego)

- [Mandatory and Acceptable Labels for GCP resources](./plan/mandatory-and-acceptable-labels-gcp.rego)

- [Mandatory and required labels for stacks](./plan/mandatory-and-acceptable-labels-stack.rego)

- [Require human review for drift detection reconciliation](./plan/require-human-review-for-drift-detection-reconciliation.rego)

- [Require human review for unreachable Ansible hosts](./plan/require-human-review-for-unreachable-ansible-hosts.rego)

- [Require human review for resource update and deletion](./plan/require-human-review-for-update-deletion.rego)

- [Require reasonable commit size](./plan/require-reasonable-commit-size.rego)

- [Trusted engineers bypass review](./plan/trusted-engineers-bypass-review.rego)

- [Terrascan violated policies](./plan/terrascan-violated-policies.rego)

- [Tfsec high severity issues](./plan/tfsec-high-severity-issues.rego)

- [Warn On Change To Sensitive Resources](./plan/warn-on-change-senstitive-resources.rego)

### Push Policy

- [Allow forks](./push/allow-forks.rego)

- [Cancel In Progress Runs](./push/cancel-in-progress-runs.rego)

- [Create Proposed Run From PR Label](./push/create-proposed-run-from-env-pr-labels.rego)

- [Deploy with Git tag](./push/deploy-with-git-tag.rego)

- [Deploy with PR label](./push/deploy-with-pr-label.rego)

- [Ignore Changes Outside Root](./push/ignore-changes-outside-root.rego)

- [Terragrunt Monorepo Ignore Changes Outside Root](./push/terragrunt-monorepo-ignore-changes-outside-root.rego)

- [Lock button pauses runs by push events](/push/lock-button-pauses-runs-by-pushes.rego)

- [PR comment-driven actions](./push/pr-comment-driven-actions.rego)

- [PR comment-driven user specific actions](./push/pr-comment-driven-user.rego)

- [PRs Only](./push/prs-only.rego)

- [Set head commit but don't trigger run](./push/set-head-commit-no-trigger.rego)

- [Tag-driven Terraform module release flow](./push/tag-driven-tf-module-release-flow.rego)

- [Track using labels](./push/track-using-labels.rego)

### Trigger Policy

- [Automated Retries](./trigger/automated-retries.rego)

- [Trigger Dependencies via Labels](./trigger/trigger-dependencies-via-labels.rego)

- [Trigger Dependencies via Labels, with state](./trigger/trigger-dependencies-via-labels-with-state.rego)

- [Trigger hardcoded dependencies](./trigger/trigger-harcoded-dependencies.rego)

## Policy Tests

Tests can be added for policies using the convention `_test.rego`. For example

if you have a policy called `plan.rego`, you can create a test file called `plan_test.rego`.

You can use the following command to run all policy tests:

```shell

./run_policy_tests.sh

```