You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: jekyll/_cci2/config-policy-management-overview.adoc
+6-6Lines changed: 6 additions & 6 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -377,7 +377,7 @@ Writing policies for CircleCI `version 2.1` configuration introduces some challe
377
377
378
378
Before executing any pipelines, config `version 2.1` is compiled into config `version 2.0`. This compilation expands all parameters and reusable config blocks (jobs, executors, commands, orbs) into workflows and jobs.
379
379
380
-
To write highly effective policies, it is essential to reference the _compiled_ version of the config (`input.compiled`).
380
+
To write highly effective policies, it is essential to reference the _compiled_ version of the config (`++input._compiled_++`).
381
381
382
382
[#example]
383
383
=== Example
@@ -463,13 +463,13 @@ To resolve both of these issues, it is important to acknowledge that we want to
463
463
----
464
464
# check all jobs in the compiled config and if any use a resource_class equal to "large" return a violation message.
465
465
enforce_not_large_resource[reason] {
466
-
some job_name, job in input.compiled.jobs
466
+
some job_name, job in input._compiled_.jobs
467
467
job.resource_class == "large"
468
468
reason = sprintf("job %s using banned large resource class", [job_name])
469
469
}
470
470
----
471
471
472
-
Notice the rule now validates `input.compiled.jobs`. Regardless of parameters or reusable blocks (executors in this example), the policy is applied to all compiled jobs and functions as intended.
472
+
Notice the rule now validates `++input._compiled_.jobs++`. Regardless of parameters or reusable blocks (executors in this example), the policy is applied to all compiled jobs and functions as intended.
473
473
474
474
[#policing-config-constructs]
475
475
=== Policing config 2.1 constructs
@@ -512,7 +512,7 @@ orbs:
512
512
513
513
In the above example, the rule does not raise a violation because the string `<< pipeline.parameters.evil_orb >>` does not have the `bad/` prefix that the policy aims to detect.
514
514
515
-
We cannot rely on `input.compiled` because orbs are compiled away at that stage.
515
+
We cannot rely on `++input._compiled_++` because orbs are compiled away at that stage.
516
516
517
517
The best approach here is to detect if an orb reference is a parameterized expression and raise a violation accordingly. To do this we can use the `is_parameterized_expression` xref:config-policy-reference#is_parameterized_expression[helper].
518
518
@@ -549,13 +549,13 @@ Policies and their rules can be categorized into two main types:
549
549
550
550
When working with configuration `version 2.1` constructs and parameterization, it is crucial to understand how these two rule types interact with your policies.
551
551
552
-
* **Banlist** rules are susceptible to being bypassed using parameterization and reusable constructs. This is because the literal parameter value is unlikely to match the banned value, and during config compilation, the values intended to be banned can be reintroduced. All parameterization examples provided above fall into this category. To address this, you can either utilize `input.compiled` or detect parameterization and handle it appropriately.
552
+
* **Banlist** rules are susceptible to being bypassed using parameterization and reusable constructs. This is because the literal parameter value is unlikely to match the banned value, and during config compilation, the values intended to be banned can be reintroduced. All parameterization examples provided above fall into this category. To address this, you can either utilize `++input._compiled_++` or detect parameterization and handle it appropriately.
553
553
554
554
* **Allowlist** rules are incompatible with parameterization. They reject configurations that could otherwise be considered valid but do not cause invalid configurations to pass.
555
555
556
556
Consider an example to illustrate this:
557
557
558
-
NOTE: This example is artificial and for illustration purposes only. The appropriate policy for enforcing job resource classes should target the compiled input (`input.compiled`). This ensures proper validation against the resolved values.
558
+
NOTE: This example is artificial and for illustration purposes only. The appropriate policy for enforcing job resource classes should target the compiled input (`++input._compiled_++`). This ensures proper validation against the resolved values.
559
559
560
560
**Policy using an allowlist to restrict resource classes**
0 commit comments