Skip to main content

Module Restrictions

You can control the source of the terraform modules permitted to run through the Policy resource. The following policy enforces that only modules sourced from the Appvia Github Organization can be used.

info

This control is applied to the primary module (i.e. spec.module) inside the Configuration CRD. Modules that incorporate other modules are not enforced.

apiVersion: terraform.appvia.io/v1alpha1
kind: Policy
metadata:
name: permitted-modules
spec:
constraints:
modules:
selector:
namespace:
matchLabels: {}
matchExpressions: []
resource:
matchLabels: {}
matchExpressions: []
allowed:
- "https://github.com/appvia/.*"

The allowed list (spec.constraints.modules.allowed) is a collection of Golang regexes which a Configuration must match at least one.

The policy may also include an optional selector (spec.constraints.modules.selector) that can be used to match against namespace and resource labels of the Configuration. As with all selectors in the controller, leaving this field empty implies you want to match against all. You can take advantage of the selectors by providing overrides.

Lets use the following requirements.

  1. Create the default policy (i.e no selector)
apiVersion: terraform.appvia.io/v1alpha1
kind: Policy
metadata:
name: default
spec:
constraints:
modules:
allowed:
- "https://github.com/appvia/.*"
  1. Create the additional policy for namespace infra and ci.
apiVersion: terraform.appvia.io/v1alpha1
kind: Policy
metadata:
name: default
spec:
constraints:
modules:
selector:
namespace:
matchExpressions:
- key: kubernetes.io/metadata.name
operator: In
values: [infra, ci]
allowed:
- "https://github.com/elsewhere/.*"