Policy Checks

The PolicyCheck resource

A policy check contains the details of the policy check phase of a run in Scalr.

Policy check is performed immediately after Terraform plan and cost estimation have completed for every run in every workspace, including dry runs, where policies have been linked.

Key path	Description
type* (string) Available values: policy-checks
id (string)
attributes.permissions (object)
attributes.result (object)	OPA policy decision.
attributes.result.advisory-failed (integer)	Number of policy checks that have failed with ‘advisory’ level.
attributes.result.duration-ms (integer)	Duration of the policy check operation.
attributes.result.hard-failed (integer)	Number of policy checks that have failed with “hard-mandatory” level.
attributes.result.passed (integer)	Number of policy checks that have passed.
attributes.result.policies (array)	List of policies that were checked.
attributes.result.result (boolean)	Indicates whether all policy checks have passed without failures.
attributes.result.soft-failed (integer)	Number of policy checks that have failed with “soft-mandatory” level.
attributes.result.total-failed (integer)	Total number of policy checks that have failed.
attributes.status (string) Available values: pending, queued, passed, errored, hard_failed, soft_failed, overridden, unreachable, canceled	The Policy checks’s current status. Transient states: pending - The initial status of a policy check once it has been created. queued - The policy check has been queued, awaiting backend service capacity to run terraform. running - The policy check is running. soft_failed Policy check has finished, and run hasn’t passed policy with the soft level. User having policy-checks:override permission can overide the policy check decision, and push this run next to apply. Final states: canceled - The policy check has been canceled. errored - The policy check has finished with an error. Attribute error-message contains the details. hard_failed - Run hasn’t passed policy with the hard level. overridden - The policy check soft_failed status has been overriden. passed - Run has successfully passed all configured policies. unreachable - The policy check will not run.
attributes.status-timestamps (object)	Date/Time of transition to each status that has occurred.
links.output (string)	Link to download the policy check raw output.

Get a Policy Check

GET /policy-checks/{policy_check}

Show details of a specific Terraform policy check stage.

Parameters

• policy_check (string) – The ID of the policy check.

Example Request:

GET /policy-checks/{policy_check} HTTP/1.1
Host: my.scalr.io
Prefer: profile=preview

Status Codes

• 200 OK –

  Success.

  Example Respone:

  HTTP/1.1 200 OK
  Content-Type: application/vnd.api+json
  Preference-Applied: profile=preview
  
  {
    "data": {
      "attributes": {
        "result": {
          "advisory-failed": 1,
          "duration-ms": 74,
          "hard-failed": 0,
          "passed": 2,
          "policies": [
            {
              "messages": [
                "Plan is too expensive: $733.35, while up to $500 is allowed"
              ],
              "name": "cost-check",
              "result": "advisory_failed"
            },
            {
              "messages": [],
              "name": "credential-limit",
              "result": "passed"
            },
            {
              "messages": [],
              "name": "instance_types",
              "result": "passed"
            }
          ],
          "result": false,
          "soft-failed": 0,
          "total-failed": 1
        },
        "status": "passed",
        "status-timestamps": {
          "passed-at": "2020-11-06T16:37:40Z",
          "pending-at": "2020-11-06T16:37:00Z",
          "queued-at": "2020-11-06T16:37:39Z"
        }
      },
      "id": "pchk-t61g5rsa61i18c8",
      "links": {
        "output": "https://my.scalr.io/api/iacp/v3/policy-checks/pchk-t61g5rsa61i18c8/output",
        "self": "https://my.scalr.io/api/iacp/v3/policy-checks/pchk-t61g5rsa61i18c8"
      },
      "relationships": {},
      "type": "policy-checks"
    },
    "included": null,
    "meta": null
  }
  

• 403 Forbidden – Policy check not found or user unauthorized to perform action.

• 4XX – Client error.

• 5XX – Server error.

Request Headers

• Prefer – Specifies the API profile that server should use to handle this request. For the list of supported profiles check out the Scalr documentation. (Required)

Override Policy

POST /policy-checks/{policy_check}/actions/override

This endpoint overrides a soft-mandatory policy.

Parameters

• policy_check (string) – The ID of the policy check to override.

Status Codes

• 200 OK –

  Success.

  Example Respone:

  HTTP/1.1 200 OK
  Content-Type: application/vnd.api+json
  Preference-Applied: profile=preview
  
  {
    "data": {
      "attributes": {
        "result": {
          "advisory-failed": 0,
          "duration-ms": 81,
          "hard-failed": 0,
          "passed": 2,
          "policies": [
            {
              "messages": [],
              "name": "cost-check",
              "result": "passed"
            },
            {
              "messages": [],
              "name": "credential-limit",
              "result": "passed"
            },
            {
              "messages": [
                "aws_instance.default: instance type t2.2xlarge is not allowed. T2 instance types are considered deprecated, please rewrite your templates to use T3/T4 instance types"
              ],
              "name": "instance_types",
              "result": "soft_failed"
            }
          ],
          "result": false,
          "soft-failed": 1,
          "total-failed": 1
        },
        "status": "overridden",
        "status-timestamps": {
          "overridden-at": "2020-11-06T17:01:47Z",
          "pending-at": "2020-11-06T16:42:18Z",
          "queued-at": "2020-11-06T16:42:55Z",
          "soft-failed-at": "2020-11-06T16:42:56Z"
        }
      },
      "id": "pchk-t61gbtus33m5eu8",
      "links": {
        "output": "https://scalr.io/api/iacp/v3/policy-checks/pchk-t61gbtus33m5eu8/output",
        "self": "https://scalr.io/api/iacp/v3/policy-checks/pchk-t61gbtus33m5eu8"
      },
      "relationships": {},
      "type": "policy-checks"
    },
    "included": null,
    "meta": null
  }
  

• 404 Not Found – Policy check not found or user unauthorized to perform action.

• 409 Conflict – Override is not possible in a current policy-check or run status.

• 4XX – Client error.

• 5XX – Server error.

Request Headers

• Prefer – Specifies the API profile that server should use to handle this request. For the list of supported profiles check out the Scalr documentation. (Required)

Policy Check Log

GET /policy-checks/{policy_check}/output

Download the raw output of the OPA policy check stage.

Parameters

• policy_check (string) – The ID of the policy check. Obtain it from the Get a Workspace endpoint.

Example Request:

GET /policy-checks/{policy_check}/output HTTP/1.1
Host: my.scalr.io
Prefer: profile=preview

Status Codes

• 302 Found – The location of the temporary download link.

• 404 Not Found – Policy check not found or user unauthorized to perform action.

• 4XX – Client error.

• 5XX – Server error.

Request Headers

• Prefer – Specifies the API profile that server should use to handle this request. For the list of supported profiles check out the Scalr documentation. (Required)

List Policy Checks

GET /runs/{run}/policy-checks

List policy checks for a specific run.

Parameters

• run (string) – The ID of the run.

Example Request:

GET /runs/{run}/policy-checks HTTP/1.1
Host: my.scalr.io
Prefer: profile=preview

Status Codes

• 200 OK –

  Success.

  Example Respone:

  HTTP/1.1 200 OK
  Content-Type: application/vnd.api+json
  Preference-Applied: profile=preview
  
  {
    "data": [
      {
        "attributes": {
          "result": {
            "advisory-failed": 1,
            "duration-ms": 74,
            "hard-failed": 0,
            "passed": 2,
            "policies": [
              {
                "messages": [
                  "Plan is too expensive: $733.35, while up to $500 is allowed"
                ],
                "name": "cost-check",
                "result": "advisory_failed"
              },
              {
                "messages": [],
                "name": "credential-limit",
                "result": "passed"
              },
              {
                "messages": [],
                "name": "instance_types",
                "result": "passed"
              }
            ],
            "result": false,
            "soft-failed": 0,
            "total-failed": 1
          },
          "status": "passed",
          "status-timestamps": {
            "passed-at": "2020-11-06T16:37:40Z",
            "pending-at": "2020-11-06T16:37:00Z",
            "queued-at": "2020-11-06T16:37:39Z"
          }
        },
        "id": "pchk-t61g5rsa61i18c8",
        "links": {
          "output": "https://my.scalr.io/api/iacp/v3/policy-checks/pchk-t61g5rsa61i18c8/output",
          "self": "https://my.scalr.io/api/iacp/v3/policy-checks/pchk-t61g5rsa61i18c8"
        },
        "relationships": {},
        "type": "policy-checks"
      }
    ],
    "included": null,
    "links": {
      "first": "https://my.scalr.io/api/iacp/v3/runs/run-t61g5rlk9qbudh0/policy-checks?page%5Bnumber%5D=1&page%5Bsize%5D=20",
      "last": "https://my.scalr.io/api/iacp/v3/runs/run-t61g5rlk9qbudh0/policy-checks?page%5Bnumber%5D=1&page%5Bsize%5D=20",
      "next": null,
      "prev": null,
      "self": "https://my.scalr.io/api/iacp/v3/runs/run-t61g5rlk9qbudh0/policy-checks?page%5Bnumber%5D=1&page%5Bsize%5D=20"
    },
    "meta": {
      "pagination": {
        "current-page": 1,
        "next-page": null,
        "prev-page": null,
        "total-count": 0,
        "total-pages": 1
      }
    }
  }
  

• 403 Forbidden – Plan not found or user unauthorized to perform action.

• 4XX – Client error.

• 5XX – Server error.

Request Headers

• Prefer – Specifies the API profile that server should use to handle this request. For the list of supported profiles check out the Scalr documentation. (Required)