Policy Checks

The PolicyCheck resource

A Policy Check holds the details of the policy check phase of a run in Scalr.

A policy check is performed immediately after the Terraform plan and cost estimation have completed. It runs for every run, including dry runs, in every workspace where policies have been linked.

Key path

Description

type* (string)

Available values: policy-checks

id (string)

attributes.permissions (object)

attributes.result (object)

OPA policy decision.

attributes.result.advisory-failed (integer)

Number of policy checks that have failed with ‘advisory’ level.

attributes.result.duration-ms (integer)

Duration of the policy check operation.

attributes.result.hard-failed (integer)

Number of policy checks that have failed with “hard-mandatory” level.

attributes.result.passed (integer)

Number of policy checks that have passed.

attributes.result.policies (array)

List of policies that were checked.

attributes.result.result (boolean)

Indicates whether all policy checks have passed without failures.

attributes.result.soft-failed (integer)

Number of policy checks that have failed with “soft-mandatory” level.

attributes.result.total-failed (integer)

Total number of policy checks that have failed.

attributes.status (string)

Available values: pending, queued, passed, errored, hard_failed, soft_failed, overridden, unreachable, canceled

The policy check’s current status.

Transient states:

  • pending - The initial status of a policy check once it has been created.

  • queued - The policy check has been queued, awaiting backend service capacity to run Terraform.

  • running - The policy check is running.

  • soft_failed - The policy check has finished, and the run hasn’t passed a policy with the soft level. A user with the policy-checks:override permission can override the policy check decision and push this run on to apply.

Final states:

  • canceled - The policy check has been canceled.

  • errored - The policy check has finished with an error. The error-message attribute contains the details.

  • hard_failed - The run hasn’t passed a policy with the hard level.

  • overridden - The policy check soft_failed status has been overridden.

  • passed - Run has successfully passed all configured policies.

  • unreachable - The policy check will not run.

attributes.status-timestamps (object)

Date/Time of transition to each status that has occurred.

links.output (string)

Link to download the policy check raw output.

Get a Policy Check

GET /api/iacp/v3/policy-checks/{policy_check}

Show details of a specific Terraform Policy Check stage.

Parameters
  • policy_check (string) – The ID of the policy check.

Example Request:

GET /api/iacp/v3/policy-checks/{policy_check} HTTP/1.1
Host: my.scalr.io
Prefer: profile=preview

Status Codes
  • 200 OK

    Success.

    Example Response:

    HTTP/1.1 200 OK
    Content-Type: application/vnd.api+json
    Preference-Applied: profile=preview
    
    {
      "data": {
        "attributes": {
          "result": {
            "advisory-failed": 1,
            "duration-ms": 74,
            "hard-failed": 0,
            "passed": 2,
            "policies": [
              {
                "messages": [
                  "Plan is too expensive: $733.35, while up to $500 is allowed"
                ],
                "name": "cost-check",
                "result": "advisory_failed"
              },
              {
                "messages": [],
                "name": "credential-limit",
                "result": "passed"
              },
              {
                "messages": [],
                "name": "instance_types",
                "result": "passed"
              }
            ],
            "result": false,
            "soft-failed": 0,
            "total-failed": 1
          },
          "status": "passed",
          "status-timestamps": {
            "passed-at": "2020-11-06T16:37:40Z",
            "pending-at": "2020-11-06T16:37:00Z",
            "queued-at": "2020-11-06T16:37:39Z"
          }
        },
        "id": "pchk-t61g5rsa61i18c8",
        "links": {
          "output": "https://my.scalr.io/api/iacp/v3/policy-checks/pchk-t61g5rsa61i18c8/output",
          "self": "https://my.scalr.io/api/iacp/v3/policy-checks/pchk-t61g5rsa61i18c8"
        },
        "relationships": {},
        "type": "policy-checks"
      },
      "included": null,
      "meta": null
    }
    

  • 403 Forbidden – Policy check not found or user unauthorized to perform action.

  • 4XX – Client error.

  • 5XX – Server error.
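In the example response above, attributes.status is "passed" while attributes.result.result is false, because the only failure is at advisory level. The following added example (not Scalr code) shows a pipeline gate that keys on status and still surfaces the failing policies; the decision names and the fail-closed handling of unknown statuses are assumptions of this example, and SAMPLE is an abridged copy of the response above.

```python
# Added example: statuses and JSON keys come from this page; the decision
# names ("wait", "proceed", "needs_override", "blocked") are assumptions.
TRANSIENT = {"pending", "queued", "running"}
PROCEED = {"passed", "overridden"}


def gate_decision(document):
    """Map a PolicyCheck JSON:API document to a pipeline decision."""
    attrs = document["data"]["attributes"]
    status = attrs.get("status")
    result = attrs.get("result") or {}
    # Collect every non-passing policy with its level and messages.
    failures = [
        {"name": p.get("name"), "level": p.get("result"),
         "messages": p.get("messages", [])}
        for p in result.get("policies", [])
        if p.get("result") != "passed"
    ]
    if status in TRANSIENT:
        decision = "wait"
    elif status == "soft_failed":
        decision = "needs_override"   # requires policy-checks:override
    elif status in PROCEED:
        decision = "proceed"
    else:
        # hard_failed, errored, canceled, unreachable and any status this
        # code does not recognise all fail closed.
        decision = "blocked"
    return {"decision": decision, "status": status, "failures": failures}


# Constructed sample: the "Get a Policy Check" response, abridged.
SAMPLE = {"data": {"type": "policy-checks", "id": "pchk-t61g5rsa61i18c8",
    "attributes": {
        "status": "passed",
        "result": {"result": False, "advisory-failed": 1, "policies": [
            {"name": "cost-check", "result": "advisory_failed", "messages": [
                "Plan is too expensive: $733.35, while up to $500 is allowed"]},
            {"name": "credential-limit", "result": "passed", "messages": []},
        ]}}}}

if __name__ == "__main__":
    print(gate_decision(SAMPLE))
```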

Override Policy

POST /api/iacp/v3/policy-checks/{policy_check}/actions/override

This endpoint overrides a soft-mandatory policy.

Parameters
  • policy_check (string) – The ID of the policy check to override.

Status Codes
  • 200 OK

    Success.

    Example Response:

    HTTP/1.1 200 OK
    Content-Type: application/vnd.api+json
    Preference-Applied: profile=preview
    
    {
      "data": {
        "attributes": {
          "result": {
            "advisory-failed": 0,
            "duration-ms": 81,
            "hard-failed": 0,
            "passed": 2,
            "policies": [
              {
                "messages": [],
                "name": "cost-check",
                "result": "passed"
              },
              {
                "messages": [],
                "name": "credential-limit",
                "result": "passed"
              },
              {
                "messages": [
                  "aws_instance.default: instance type t2.2xlarge is not allowed. T2 instance types are considered deprecated, please rewrite your templates to use T3/T4 instance types"
                ],
                "name": "instance_types",
                "result": "soft_failed"
              }
            ],
            "result": false,
            "soft-failed": 1,
            "total-failed": 1
          },
          "status": "overridden",
          "status-timestamps": {
            "overridden-at": "2020-11-06T17:01:47Z",
            "pending-at": "2020-11-06T16:42:18Z",
            "queued-at": "2020-11-06T16:42:55Z",
            "soft-failed-at": "2020-11-06T16:42:56Z"
          }
        },
        "id": "pchk-t61gbtus33m5eu8",
        "links": {
          "output": "https://scalr.io/api/iacp/v3/policy-checks/pchk-t61gbtus33m5eu8/output",
          "self": "https://scalr.io/api/iacp/v3/policy-checks/pchk-t61gbtus33m5eu8"
        },
        "relationships": {},
        "type": "policy-checks"
      },
      "included": null,
      "meta": null
    }
    

  • 404 Not Found – Policy check not found or user unauthorized to perform action.

  • 409 Conflict – Override is not possible in the current policy-check or run status.

  • 4XX – Client error.

  • 5XX – Server error.
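An override lets a run proceed past a failed soft-mandatory policy, so overridden checks are worth reviewing. The following added example (not Scalr code) takes a list of policy-check resource objects, such as the data array returned by List Policy Checks, and reports which policies were bypassed and how long after the soft failure the override happened; the record layout is an assumption of this example, and SAMPLE_CHECKS is constructed from the responses on this page with one message abridged.

```python
from datetime import datetime


def parse_ts(value):
    # Timestamps on this page look like 2020-11-06T17:01:47Z (UTC).
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def audit_overrides(checks):
    """Return one audit record per policy check whose status is 'overridden'."""
    records = []
    for check in checks:
        attrs = check.get("attributes", {})
        if attrs.get("status") != "overridden":
            continue
        stamps = attrs.get("status-timestamps", {})
        failed_at = stamps.get("soft-failed-at")
        overridden_at = stamps.get("overridden-at")
        delay = None  # stays None if either timestamp is missing
        if failed_at and overridden_at:
            delta = parse_ts(overridden_at) - parse_ts(failed_at)
            delay = int(delta.total_seconds())
        bypassed = [
            {"policy": p.get("name"), "messages": p.get("messages", [])}
            for p in (attrs.get("result") or {}).get("policies", [])
            if p.get("result") == "soft_failed"
        ]
        records.append({"id": check.get("id"), "overridden_at": overridden_at,
                        "seconds_to_override": delay, "bypassed": bypassed})
    return records


# Constructed sample: one overridden and one passed check, abridged.
SAMPLE_CHECKS = [
    {"id": "pchk-t61gbtus33m5eu8", "type": "policy-checks", "attributes": {
        "status": "overridden",
        "status-timestamps": {"soft-failed-at": "2020-11-06T16:42:56Z",
                              "overridden-at": "2020-11-06T17:01:47Z"},
        "result": {"policies": [
            {"name": "cost-check", "result": "passed", "messages": []},
            {"name": "instance_types", "result": "soft_failed", "messages": [
                "aws_instance.default: instance type t2.2xlarge is not allowed."]}]}}},
    {"id": "pchk-t61g5rsa61i18c8", "type": "policy-checks", "attributes": {
        "status": "passed", "result": {"policies": []}}},
]

if __name__ == "__main__":
    print(audit_overrides(SAMPLE_CHECKS))
```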

Policy Check Log

GET /api/iacp/v3/policy-checks/{policy_check}/output

Download the raw output of the OPA policy check stage.

Parameters
  • policy_check (string) – The ID of the policy check. Obtain it from the Get a Workspace endpoint.

Example Request:

GET /api/iacp/v3/policy-checks/{policy_check}/output HTTP/1.1
Host: my.scalr.io
Prefer: profile=preview

Status Codes
  • 302 Found – The location of the temporary download link.

  • 404 Not Found – Policy check not found or user unauthorized to perform action.

  • 4XX – Client error.

  • 5XX – Server error.

List Policy Checks

GET /api/iacp/v3/runs/{run}/policy-checks

List policy checks for a specific run.

Parameters
  • run (string) – The ID of the run.

Example Request:

GET /api/iacp/v3/runs/{run}/policy-checks HTTP/1.1
Host: my.scalr.io
Prefer: profile=preview

Status Codes
  • 200 OK

    Success.

    Example Response:

    HTTP/1.1 200 OK
    Content-Type: application/vnd.api+json
    Preference-Applied: profile=preview
    
    {
      "data": [
        {
          "attributes": {
            "result": {
              "advisory-failed": 1,
              "duration-ms": 74,
              "hard-failed": 0,
              "passed": 2,
              "policies": [
                {
                  "messages": [
                    "Plan is too expensive: $733.35, while up to $500 is allowed"
                  ],
                  "name": "cost-check",
                  "result": "advisory_failed"
                },
                {
                  "messages": [],
                  "name": "credential-limit",
                  "result": "passed"
                },
                {
                  "messages": [],
                  "name": "instance_types",
                  "result": "passed"
                }
              ],
              "result": false,
              "soft-failed": 0,
              "total-failed": 1
            },
            "status": "passed",
            "status-timestamps": {
              "passed-at": "2020-11-06T16:37:40Z",
              "pending-at": "2020-11-06T16:37:00Z",
              "queued-at": "2020-11-06T16:37:39Z"
            }
          },
          "id": "pchk-t61g5rsa61i18c8",
          "links": {
            "output": "https://my.scalr.io/api/iacp/v3/policy-checks/pchk-t61g5rsa61i18c8/output",
            "self": "https://my.scalr.io/api/iacp/v3/policy-checks/pchk-t61g5rsa61i18c8"
          },
          "relationships": {},
          "type": "policy-checks"
        }
      ],
      "included": null,
      "links": {
        "first": "https://my.scalr.io/api/iacp/v3/runs/run-t61g5rlk9qbudh0/policy-checks?page%5Bnumber%5D=1&page%5Bsize%5D=20",
        "last": "https://my.scalr.io/api/iacp/v3/runs/run-t61g5rlk9qbudh0/policy-checks?page%5Bnumber%5D=1&page%5Bsize%5D=20",
        "next": null,
        "prev": null,
        "self": "https://my.scalr.io/api/iacp/v3/runs/run-t61g5rlk9qbudh0/policy-checks?page%5Bnumber%5D=1&page%5Bsize%5D=20"
      },
      "meta": {
        "pagination": {
          "current-page": 1,
          "next-page": null,
          "prev-page": null,
          "total-count": 0,
          "total-pages": 1
        }
      }
    }
    

  • 403 Forbidden – Plan not found or user unauthorized to perform action.

  • 4XX – Client error.

  • 5XX – Server error.