@rssnyder
Created February 18, 2026 19:44
template governance
package template
import future.keywords.in
# Tag keys of which every template must carry at least one.
required_tags := {"ci", "cd", "db"}

# any_required_tag_exists holds when `map` has at least one key that is a
# member of required_tags. Only the key's presence is checked; the value
# stored under it is ignored, so a tag whose value is "" or false still counts.
any_required_tag_exists(map) {
	some tag in required_tags
	_ = map[tag]
}
# Reject a template that carries none of the required tags.
# The negated call is also true when input.template.tags is undefined,
# so a template without a tags field is rejected as well.
deny[msg] {
	not any_required_tag_exists(input.template.tags)
	msg := sprintf("Template must have one of required tags: %s", [required_tags])
}
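# Only allow changes to templates carrying the "ci" tag by users in the "ci" group.
#
# The rule denies when NONE of the caller's groups is the approved group.
# Testing each group with != would instead deny an approved member who also
# belongs to any other group, and would never deny a caller whose group list
# is empty or missing.
deny[msg] {
	# Tag that gates the template and the group allowed to modify it
	approved_tag := "ci"
	approved_group := "ci"

	# The template carries the gated tag (its value is not inspected)
	_ = input.template.tags[approved_tag]

	# Collect the caller's groups that match the approved group. A missing or
	# empty userGroups yields an empty list, so the rule fails closed.
	matching := [g | g := input.metadata.userGroups[_]; g.identifier == approved_group]
	count(matching) == 0

	# Fall back to a placeholder name: an undefined user.name would make
	# sprintf undefined and silently drop the deny.
	user_name := object.get(input, ["metadata", "user", "name"], "<unknown>")
	msg := sprintf("User %s not in %s group", [user_name, approved_group])
}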
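# Only allow changes to templates carrying the "cd" tag by users in the "cd" group.
#
# The rule denies when NONE of the caller's groups is the approved group.
# Testing each group with != would instead deny an approved member who also
# belongs to any other group, and would never deny a caller whose group list
# is empty or missing.
deny[msg] {
	# Tag that gates the template and the group allowed to modify it
	approved_tag := "cd"
	approved_group := "cd"

	# The template carries the gated tag (its value is not inspected)
	_ = input.template.tags[approved_tag]

	# Collect the caller's groups that match the approved group. A missing or
	# empty userGroups yields an empty list, so the rule fails closed.
	matching := [g | g := input.metadata.userGroups[_]; g.identifier == approved_group]
	count(matching) == 0

	# Fall back to a placeholder name: an undefined user.name would make
	# sprintf undefined and silently drop the deny.
	user_name := object.get(input, ["metadata", "user", "name"], "<unknown>")
	msg := sprintf("User %s not in %s group", [user_name, approved_group])
}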
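# Only allow changes to templates carrying the "db" tag by users in the "db" group.
#
# The rule denies when NONE of the caller's groups is the approved group.
# Testing each group with != would instead deny an approved member who also
# belongs to any other group, and would never deny a caller whose group list
# is empty or missing.
deny[msg] {
	# Tag that gates the template and the group allowed to modify it
	approved_tag := "db"
	approved_group := "db"

	# The template carries the gated tag (its value is not inspected)
	_ = input.template.tags[approved_tag]

	# Collect the caller's groups that match the approved group. A missing or
	# empty userGroups yields an empty list, so the rule fails closed.
	matching := [g | g := input.metadata.userGroups[_]; g.identifier == approved_group]
	count(matching) == 0

	# Fall back to a placeholder name: an undefined user.name would make
	# sprintf undefined and silently drop the deny.
	user_name := object.get(input, ["metadata", "user", "name"], "<unknown>")
	msg := sprintf("User %s not in %s group", [user_name, approved_group])
}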