Eval example #32
base: master
management/instance_types/main.tf
Outdated
|
||
backend "remote" { | ||
hostname = "scalr-customer-success.scalr.io" | ||
organization = "env-t3qeqbo97mdot6o" |
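Review bot: `hostname` and `organization` in the `backend "remote"` block are committed as literals that identify one specific deployment. Consider leaving them out of the committed block and supplying them at init time with `-backend-config=KEY=VALUE`, or committing an example file with placeholder values, so the published main.tf does not point at a particular Scalr environment.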
sensitive data
Not sure how to handle this.
Can't use variables and a backend config is needed to generate the plan. I guess I can commit an example file rather than the one that works.
You can use `-backend-config=KEY=VALUE` when running terraform locally.
But I need to understand: should this main.tf work only for us, or also be a working example for the community? If the latter, then we need to extract everything deployment-specific and make a README.
@maratkomarov Just to let you know I am thinking about this. Not sure I have figured out exactly what the dev workflow is for policies yet. I think it is something like this
- Identify Policy requirement
- Generate mock data from a terraform configuration (Question here is do they do this via CLI or VCS, or do we care?)
- Develop and test locally.
- Extract mock data from existing real deployments
- re-test policy
- Commit and PR
- Monitor policy group checks in Scalr
- Merge to live
So in the context of pulling from our library of policies, does the example terraform config serve any purpose other than as complete proof of our testing? In other words, would a customer even use the example for anything? Are they more likely to pull the example and test against their own mocks (with or without modifying the policy)? I think that is most likely, in which case the template does not need a backend config, but, as you said, we simply provide a README to explain how to use the example in the library.
Thoughts?
@maratkomarov Pushed some changes which include a README and a script to simplify testing. I'm now seeing the flow as this. Two phases
Clone and test:
- Clone this repo
- Edit policy for customer requirements
- Add Terraform config for customer's own use case (replaces config in this repo)
- Configure the backend stuff
- Use the supplied `generate_plan.sh` to run `terraform plan` and download the mock
- Run `opa eval`
Add to Policy Group:
When tested, customer adds policy to existing PG or creates a new one.
The README file guides them through all of this.
management/instance_types/main.tf
Outdated
|
||
provider "google" { | ||
project = "customer-success-261820" |
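Review bot: `project` in the `provider "google"` block is hard-coded to one deployment's project ID. Provider blocks accept variables, so `project = var.project` (or setting the `GOOGLE_PROJECT` environment variable and omitting the attribute) would keep the example reusable and keep the ID out of the repository.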
sensitive data
Is it? Can anyone use that information for anything?
@maratkomarov Example using `opa eval` in `management/instance_types`
- `main.tf` - generates policy mock
- `instance_types.input.json` - Policy mock downloaded from Scalr
- `instance_types.rego` - Policy file (Note this is modified from original to cater for multiple attribute names in Azure)
- `eval.output` - Expected output from running `opa eval -f pretty --data ${POL}.rego -i ${POL}.input.json data.terraform.deny`
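
A pre-commit style check for the two kinds of value flagged as sensitive in this review (the remote backend `hostname`/`organization` and the Google provider `project`), added here as an example and not part of this PR or the repository. The function name, the flagged-attribute list and the sample configuration are assumptions constructed for illustration, and the check expects conventionally formatted HCL with one block opener per line.

```python
import re

# Attributes flagged in the review above, keyed by the block type they sit in (assumed list).
FLAGGED = {"backend": {"hostname", "organization"}, "provider": {"project"}}
BLOCK_RE = re.compile(r'^\s*(backend|provider)\s+"[^"]+"\s*\{')
ATTR_RE = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"')
STRING_RE = re.compile(r'"[^"]*"')

def find_hardcoded(tf_text):
    """Return (line_no, block_type, attribute, value) for flagged string literals."""
    findings, stack = [], []  # stack holds one entry per open brace
    for number, line in enumerate(tf_text.splitlines(), 1):
        # Blank out strings and comments so braces inside them are not counted.
        bare = re.split(r"#|//", STRING_RE.sub('""', line))[0]
        attr = ATTR_RE.match(line)
        if attr and stack and stack[-1] in FLAGGED:
            name, value = attr.groups()
            # Unquoted references (var.x) never match; quoted interpolation is skipped.
            if name in FLAGGED[stack[-1]] and "${" not in value:
                findings.append((number, stack[-1], name, value))
        block = BLOCK_RE.match(line)
        for ch in bare:
            if ch == "{":
                stack.append(block.group(1) if block else None)
                block = None
            elif ch == "}" and stack:
                stack.pop()
    return findings

# Constructed sample configuration; every value is a placeholder.
SAMPLE_TF = '''\
terraform {
  backend "remote" {
    hostname     = "scalr.example.invalid"
    organization = "env-EXAMPLE"
    workspaces {
      name = "instance-types"
    }
  }
}
provider "google" {
  project = var.project
}
provider "google" {
  alias   = "pinned"
  project = "example-project-000000"
}
'''

if __name__ == "__main__":
    print(*find_hardcoded(SAMPLE_TF), sep="\n")
```

The nested `workspaces` block and the `var.project` reference are deliberately left unflagged: only literals placed directly inside a `backend` or `provider` block are reported.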