bug: [OPA-1381]: Improve terraform documentation for policy and polic…

…yset (#569)
harness · Jun 6, 2023 · 38e07e9 · 38e07e9
1 parent 8521317
commit 38e07e9
Show file tree

Hide file tree

Showing 7 changed files with 56 additions and 10 deletions.
diff --git a/.changelog/569.txt b/.changelog/569.txt
@@ -0,0 +1,4 @@
+```release-note:enhancement
+resource/harness_platform_policyset: correct description for 'severity' for policy.
+resource/harness_platform_policy: Enhance example to showcase how to add policy with Rego spanning over multiple lines.
+```
diff --git a/docs/data-sources/platform_policyset.md b/docs/data-sources/platform_policyset.md
@@ -55,6 +55,6 @@ data "harness_platform_policyset" "test" {
 Required:
 
 - `identifier` (String) Account Identifier of the account
-- `severity` (String) Organization Identifier
+- `severity` (String) Policy failure response - 'warning' for continuation, 'error' for exit
 
 
diff --git a/docs/resources/platform_policy.md b/docs/resources/platform_policy.md
@@ -14,9 +14,30 @@ Resource for creating a Harness Policy.
 
 ```terraform
 resource "harness_platform_policy" "test" {
-  identifier = harness_platform_policy.test.identifier
-  name       = harness_platform_policy.test.name
-  rego       = "package test"
+  identifier  = harness_platform_policy.test.identifier
+  name        = harness_platform_policy.test.name
+  description = harness_platform_policy.test.description
+  rego        = <<-REGO
+    package pipeline
+
+    # Deny pipelines that don't have an approval step
+    # NOTE: Try removing the HarnessApproval step from your input to see the policy fail
+    deny[msg] {
+        # Find all stages that are Deployments ...
+        input.pipeline.stages[i].stage.type == "Approval"
+
+        # ... that are not in the set of stages with HarnessApproval steps
+        not stages_with_approval[i]
+
+        # Show a human-friendly error message
+        msg := sprintf("Approval stage '%s' does not have a HarnessApproval step", [input.pipeline.stages[i].stage.name])
+    }
+
+    # Find the set of stages that contain a HarnessApproval step
+    stages_with_approval[i] {
+        input.pipeline.stages[i].stage.spec.execution.steps[_].step.type == "HarnessApproval"
+    }
+REGO
 }
 ```
 

diff --git a/docs/resources/platform_policyset.md b/docs/resources/platform_policyset.md
@@ -74,7 +74,7 @@ resource "harness_platform_policyset" "test" {
 Required:
 
 - `identifier` (String) Account Identifier of the account
-- `severity` (String) Organization Identifier
+- `severity` (String) Policy failure response - 'warning' for continuation, 'error' for exit
 
 ## Import
 

diff --git a/examples/resources/harness_platform_policy/resource.tf b/examples/resources/harness_platform_policy/resource.tf
@@ -1,5 +1,26 @@
 resource "harness_platform_policy" "test" {
-  identifier = harness_platform_policy.test.identifier
-  name       = harness_platform_policy.test.name
-  rego       = "package test"
+  identifier  = harness_platform_policy.test.identifier
+  name        = harness_platform_policy.test.name
+  description = harness_platform_policy.test.description
+  rego        = <<-REGO
+    package pipeline
+
+    # Deny pipelines that don't have an approval step
+    # NOTE: Try removing the HarnessApproval step from your input to see the policy fail
+    deny[msg] {
+        # Find all stages that are Deployments ...
+        input.pipeline.stages[i].stage.type == "Approval"
+
+        # ... that are not in the set of stages with HarnessApproval steps
+        not stages_with_approval[i]
+
+        # Show a human-friendly error message
+        msg := sprintf("Approval stage '%s' does not have a HarnessApproval step", [input.pipeline.stages[i].stage.name])
+    }
+
+    # Find the set of stages that contain a HarnessApproval step
+    stages_with_approval[i] {
+        input.pipeline.stages[i].stage.spec.execution.steps[_].step.type == "HarnessApproval"
+    }
+REGO
 }
diff --git a/internal/service/platform/policyset/data_source_policyset.go b/internal/service/platform/policyset/data_source_policyset.go
@@ -57,7 +57,7 @@ func DataSourcePolicyset() *schema.Resource {
 							Required:    true,
 						},
 						"severity": {
-							Description: "Organization Identifier",
+							Description: "Policy failure response - 'warning' for continuation, 'error' for exit",
 							Type:        schema.TypeString,
 							Optional:    false,
 							Required:    true,

diff --git a/internal/service/platform/policyset/resource_policyset.go b/internal/service/platform/policyset/resource_policyset.go
@@ -58,7 +58,7 @@ func ResourcePolicyset() *schema.Resource {
 							Required:    true,
 						},
 						"severity": {
-							Description: "Organization Identifier",
+							Description: "Policy failure response - 'warning' for continuation, 'error' for exit",
 							Type:        schema.TypeString,
 							Optional:    false,
 							Required:    true,