Module Restrictions
You can control the source of the terraform modules permitted to run through the Policy resource. The following policy enforces that only modules sourced from the Appvia Github Organization can be used.
This control is applied to the primary module (i.e. spec.module) inside the Configuration CRD. Modules that incorporate other modules are not enforced.
apiVersion: terraform.appvia.io/v1alpha1
kind: Policy
metadata:
name: permitted-modules
spec:
constraints:
modules:
selector:
namespace:
matchLabels: {}
matchExpressions: []
resource:
matchLabels: {}
matchExpressions: []
allowed:
- "https://github.com/appvia/.*"
The allowed list (spec.constraints.modules.allowed) is a collection of Golang regexes which a Configuration must match at least one.
The policy may also include an optional selector (spec.constraints.modules.selector) that can be used to match against namespace and resource labels of the Configuration. As with all selectors in the controller, leaving this field empty implies you want to match against all. You can take advantage of the selectors by providing overrides.
Lets use the following requirements.
- All teams may use terraform from the companies Github repositories at https://github.com/appvia
- The teams using namespace
infraandcican use additional modules from https://github.com/elsewhere
- Create the default policy (i.e no selector)
apiVersion: terraform.appvia.io/v1alpha1
kind: Policy
metadata:
name: default
spec:
constraints:
modules:
allowed:
- "https://github.com/appvia/.*"
- Create the additional policy for namespace
infraandci.
apiVersion: terraform.appvia.io/v1alpha1
kind: Policy
metadata:
name: default
spec:
constraints:
modules:
selector:
namespace:
matchExpressions:
- key: kubernetes.io/metadata.name
operator: In
values: [infra, ci]
allowed:
- "https://github.com/elsewhere/.*"