From 38e07e97dca95b58a1a65f54dd2df478f24d633f Mon Sep 17 00:00:00 2001 From: Yagyansh Bhatia Date: Tue, 6 Jun 2023 14:48:37 +0530 Subject: [PATCH] bug: [OPA-1381]: Improve terraform documentation for policy and policyset (#569) --- .changelog/569.txt | 4 +++ docs/data-sources/platform_policyset.md | 2 +- docs/resources/platform_policy.md | 27 ++++++++++++++++--- docs/resources/platform_policyset.md | 2 +- .../harness_platform_policy/resource.tf | 27 ++++++++++++++++--- .../policyset/data_source_policyset.go | 2 +- .../platform/policyset/resource_policyset.go | 2 +- 7 files changed, 56 insertions(+), 10 deletions(-) create mode 100644 .changelog/569.txt diff --git a/.changelog/569.txt b/.changelog/569.txt new file mode 100644 index 000000000..e67e22e69 --- /dev/null +++ b/.changelog/569.txt @@ -0,0 +1,4 @@ +```release-note:enhancement +resource/harness_platform_policyset: correct description for 'severity' for policy. +resource/harness_platform_policy: Enhance example to showcase how to add policy with Rego spanning over multiple lines. +``` diff --git a/docs/data-sources/platform_policyset.md b/docs/data-sources/platform_policyset.md index bf453cd6d..5121ecf18 100644 --- a/docs/data-sources/platform_policyset.md +++ b/docs/data-sources/platform_policyset.md @@ -55,6 +55,6 @@ data "harness_platform_policyset" "test" { Required: - `identifier` (String) Account Identifier of the account -- `severity` (String) Organization Identifier +- `severity` (String) Policy failure response - 'warning' for continuation, 'error' for exit diff --git a/docs/resources/platform_policy.md b/docs/resources/platform_policy.md index ddcdb42fe..0e4d7191b 100644 --- a/docs/resources/platform_policy.md +++ b/docs/resources/platform_policy.md 
@@ -14,9 +14,30 @@ Resource for creating a Harness Policy. ```terraform resource "harness_platform_policy" "test" { - identifier = harness_platform_policy.test.identifier - name = harness_platform_policy.test.name - rego = "package test" + identifier = harness_platform_policy.test.identifier + name = harness_platform_policy.test.name + description = harness_platform_policy.test.description + rego = <<-REGO + package pipeline + + # Deny pipelines that don't have an approval step + # NOTE: Try removing the HarnessApproval step from your input to see the policy fail + deny[msg] { + # Find all stages that are Deployments ... + input.pipeline.stages[i].stage.type == "Approval" + + # ... that are not in the set of stages with HarnessApproval steps + not stages_with_approval[i] + + # Show a human-friendly error message + msg := sprintf("Approval stage '%s' does not have a HarnessApproval step", [input.pipeline.stages[i].stage.name]) + } + + # Find the set of stages that contain a HarnessApproval step + stages_with_approval[i] { + input.pipeline.stages[i].stage.spec.execution.steps[_].step.type == "HarnessApproval" + } +REGO } ``` diff --git a/docs/resources/platform_policyset.md b/docs/resources/platform_policyset.md index cab1d91ae..c69716fc0 100644 --- a/docs/resources/platform_policyset.md +++ b/docs/resources/platform_policyset.md @@ -74,7 +74,7 @@ resource "harness_platform_policyset" "test" { Required: - `identifier` (String) Account Identifier of the account -- `severity` (String) Organization Identifier +- `severity` (String) Policy failure response - 'warning' for continuation, 'error' for exit ## Import diff --git a/examples/resources/harness_platform_policy/resource.tf b/examples/resources/harness_platform_policy/resource.tf index b1c212a8c..654b0bd5b 100644 --- a/examples/resources/harness_platform_policy/resource.tf +++ b/examples/resources/harness_platform_policy/resource.tf 
@@ -1,5 +1,26 @@
 resource "harness_platform_policy" "test" {
- identifier = harness_platform_policy.test.identifier
- name = harness_platform_policy.test.name
- rego = "package test"
+ identifier = harness_platform_policy.test.identifier
+ name = harness_platform_policy.test.name
+ description = harness_platform_policy.test.description
+ rego = <<-REGO
+ package pipeline
+
+ # Deny pipelines that don't have an approval step
+ # NOTE: Try removing the HarnessApproval step from your input to see the policy fail
+ deny[msg] {
+ # Find all stages that are Deployments ...
+ input.pipeline.stages[i].stage.type == "Approval"
+
+ # ... that are not in the set of stages with HarnessApproval steps
+ not stages_with_approval[i]
+
+ # Show a human-friendly error message
+ msg := sprintf("Approval stage '%s' does not have a HarnessApproval step", [input.pipeline.stages[i].stage.name])
+ }
+
+ # Find the set of stages that contain a HarnessApproval step
+ stages_with_approval[i] {
+ input.pipeline.stages[i].stage.spec.execution.steps[_].step.type == "HarnessApproval"
+ }
+REGO
 }
diff --git a/internal/service/platform/policyset/data_source_policyset.go b/internal/service/platform/policyset/data_source_policyset.go
index 64e0b6eee..a8b57676d 100644
--- a/internal/service/platform/policyset/data_source_policyset.go
+++ b/internal/service/platform/policyset/data_source_policyset.go
@@ -57,7 +57,7 @@ func DataSourcePolicyset() *schema.Resource {
 Required: true,
 },
 "severity": {
- Description: "Organization Identifier",
+ Description: "Policy failure response - 'warning' for continuation, 'error' for exit",
 Type: schema.TypeString,
 Optional: false,
 Required: true,
diff --git a/internal/service/platform/policyset/resource_policyset.go b/internal/service/platform/policyset/resource_policyset.go
index 1169330be..2e6d73a72 100644
--- a/internal/service/platform/policyset/resource_policyset.go
+++ b/internal/service/platform/policyset/resource_policyset.go
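Review bot: The comments in the new Rego heredoc in examples/resources/harness_platform_policy/resource.tf describe a broader policy than the rule enforces. `deny` fires only for stages whose type is "Approval" and that lack a HarnessApproval step, so a pipeline with no Approval stage at all produces no violation, while the header says `# Deny pipelines that don't have an approval step` and the inline comment says `# Find all stages that are Deployments ...`. I would reword them to `# Deny Approval stages that do not contain a HarnessApproval step` and `# Find all stages of type Approval ...`, so that readers copying the example do not assume every pipeline is forced through an approval. The added `description = harness_platform_policy.test.description` also refers to the resource it is declared in, like the two attributes above it, which Terraform rejects as a self-reference; a literal such as `description = "Example policy"` (constructed value) would keep the example applyable. The same block is repeated in the docs/resources/platform_policy.md hunk.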
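Review bot: The new description for `severity` in data_source_policyset.go documents exactly two values, 'warning' and 'error', but the schema lines visible in the hunk declare only `Type`, `Optional` and `Required`, so nothing shown here rejects a misspelled value at plan time. Since this field decides whether a failed policy stops the run or merely warns, I would add `ValidateFunc: validation.StringInSlice([]string{"warning", "error"}, false),` to the field, assuming the backend accepts only these two spellings and the SDK's `helper/validation` package is imported or can be. The identical description change in resource_policyset.go is where this matters most. The map literal continues past the end of both hunks, so a validator may already exist out of view.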
@@ -58,7 +58,7 @@ func ResourcePolicyset() *schema.Resource {
 Required: true,
 },
 "severity": {
- Description: "Organization Identifier",
+ Description: "Policy failure response - 'warning' for continuation, 'error' for exit",
 Type: schema.TypeString,
 Optional: false,
 Required: true,