Policy Checks
The PolicyCheck resource
A policy check contains the details of the policy check phase of a run in Scalr.
A policy check is performed immediately after the Terraform plan and cost estimation have completed, for every run (including dry runs) in every workspace where policies have been linked.
Key path
    Description
type* (string)
    Available values: policy-checks
id (string)
attributes.permissions (object)
attributes.result (object)
    OPA policy decision.
attributes.result.advisory-failed (integer)
    Number of policy checks that have failed with “advisory” level.
attributes.result.duration-ms (integer)
    Duration of the policy check operation.
attributes.result.hard-failed (integer)
    Number of policy checks that have failed with “hard-mandatory” level.
attributes.result.passed (integer)
    Number of policy checks that have passed.
attributes.result.policies (array)
    List of policies that were checked.
attributes.result.result (boolean)
    Indicates whether all policy checks have passed without failures.
attributes.result.soft-failed (integer)
    Number of policy checks that have failed with “soft-mandatory” level.
attributes.result.total-failed (integer)
    Total number of policy checks that have failed.
attributes.status (string)
    Available values: pending, queued, passed, errored, hard_failed, soft_failed, overridden, unreachable, canceled
    The policy check’s current status.
    Transient states:
    pending - The initial status of a policy check once it has been created.
    queued - The policy check has been queued, awaiting backend service capacity to run terraform.
    running - The policy check is running.
    soft_failed - The policy check has finished, and the run hasn’t passed policy with the soft level. A user with the policy-checks:override permission can override the policy check decision and push the run on to apply.
    Final states:
    canceled - The policy check has been canceled.
    errored - The policy check has finished with an error. Attribute error-message contains the details.
    hard_failed - The run hasn’t passed policy with the hard level.
    overridden - The policy check soft_failed status has been overridden.
    passed - The run has successfully passed all configured policies.
    unreachable - The policy check will not run.
attributes.status-timestamps (object)
    Date/Time of transition to each status that has occurred.
links.output (string)
    Link to download the policy check raw output.
Get a Policy Check
GET /api/iacp/v3/policy-checks/{policy_check}
Show details of a specific Terraform policy check stage.
- Parameters
policy_check (string) – The ID of the policy check.
Example Request:
    GET /api/iacp/v3/policy-checks/{policy_check} HTTP/1.1
    Host: my.scalr.io
    Prefer: profile=preview
- Status Codes
200 OK – Success.
Example Response:
    HTTP/1.1 200 OK
    Content-Type: application/vnd.api+json
    Preference-Applied: profile=preview

    {
      "data": {
        "attributes": {
          "result": {
            "advisory-failed": 1,
            "duration-ms": 74,
            "hard-failed": 0,
            "passed": 2,
            "policies": [
              {
                "messages": [
                  "Plan is too expensive: $733.35, while up to $500 is allowed"
                ],
                "name": "cost-check",
                "result": "advisory_failed"
              },
              {
                "messages": [],
                "name": "credential-limit",
                "result": "passed"
              },
              {
                "messages": [],
                "name": "instance_types",
                "result": "passed"
              }
            ],
            "result": false,
            "soft-failed": 0,
            "total-failed": 1
          },
          "status": "passed",
          "status-timestamps": {
            "passed-at": "2020-11-06T16:37:40Z",
            "pending-at": "2020-11-06T16:37:00Z",
            "queued-at": "2020-11-06T16:37:39Z"
          }
        },
        "id": "pchk-t61g5rsa61i18c8",
        "links": {
          "output": "https://my.scalr.io/api/iacp/v3/policy-checks/pchk-t61g5rsa61i18c8/output",
          "self": "https://my.scalr.io/api/iacp/v3/policy-checks/pchk-t61g5rsa61i18c8"
        },
        "relationships": {},
        "type": "policy-checks"
      },
      "included": null,
      "meta": null
    }
403 Forbidden – Policy check not found or user unauthorized to perform action.
4XX – Client error.
5XX – Server error.
Override Policy
POST /api/iacp/v3/policy-checks/{policy_check}/actions/override
This endpoint overrides a soft-mandatory policy.
- Parameters
policy_check (string) – The ID of the policy check to override.
- Status Codes
200 OK – Success.
Example Response:
    HTTP/1.1 200 OK
    Content-Type: application/vnd.api+json
    Preference-Applied: profile=preview

    {
      "data": {
        "attributes": {
          "result": {
            "advisory-failed": 0,
            "duration-ms": 81,
            "hard-failed": 0,
            "passed": 2,
            "policies": [
              {
                "messages": [],
                "name": "cost-check",
                "result": "passed"
              },
              {
                "messages": [],
                "name": "credential-limit",
                "result": "passed"
              },
              {
                "messages": [
                  "aws_instance.default: instance type t2.2xlarge is not allowed. T2 instance types are considered deprecated, please rewrite your templates to use T3/T4 instance types"
                ],
                "name": "instance_types",
                "result": "soft_failed"
              }
            ],
            "result": false,
            "soft-failed": 1,
            "total-failed": 1
          },
          "status": "overridden",
          "status-timestamps": {
            "overridden-at": "2020-11-06T17:01:47Z",
            "pending-at": "2020-11-06T16:42:18Z",
            "queued-at": "2020-11-06T16:42:55Z",
            "soft-failed-at": "2020-11-06T16:42:56Z"
          }
        },
        "id": "pchk-t61gbtus33m5eu8",
        "links": {
          "output": "https://scalr.io/api/iacp/v3/policy-checks/pchk-t61gbtus33m5eu8/output",
          "self": "https://scalr.io/api/iacp/v3/policy-checks/pchk-t61gbtus33m5eu8"
        },
        "relationships": {},
        "type": "policy-checks"
      },
      "included": null,
      "meta": null
    }
404 Not Found – Policy check not found or user unauthorized to perform action.
409 Conflict – Override is not possible in the current policy-check or run status.
4XX – Client error.
5XX – Server error.
Policy Check Log
GET /api/iacp/v3/policy-checks/{policy_check}/output
Download the raw output of the OPA policy check stage.
- Parameters
policy_check (string) – The ID of the policy check. Obtain it from the Get a Workspace endpoint.
Example Request:
    GET /api/iacp/v3/policy-checks/{policy_check}/output HTTP/1.1
    Host: my.scalr.io
    Prefer: profile=preview
- Status Codes
302 Found – The location of the temporary download link.
404 Not Found – Policy check not found or user unauthorized to perform action.
4XX – Client error.
5XX – Server error.
List Policy Checks
GET /api/iacp/v3/runs/{run}/policy-checks
List policy checks for a specific run.
- Parameters
run (string) – The ID of the run.
Example Request:
    GET /api/iacp/v3/runs/{run}/policy-checks HTTP/1.1
    Host: my.scalr.io
    Prefer: profile=preview
- Status Codes
200 OK – Success.
Example Response:
    HTTP/1.1 200 OK
    Content-Type: application/vnd.api+json
    Preference-Applied: profile=preview

    {
      "data": [
        {
          "attributes": {
            "result": {
              "advisory-failed": 1,
              "duration-ms": 74,
              "hard-failed": 0,
              "passed": 2,
              "policies": [
                {
                  "messages": [
                    "Plan is too expensive: $733.35, while up to $500 is allowed"
                  ],
                  "name": "cost-check",
                  "result": "advisory_failed"
                },
                {
                  "messages": [],
                  "name": "credential-limit",
                  "result": "passed"
                },
                {
                  "messages": [],
                  "name": "instance_types",
                  "result": "passed"
                }
              ],
              "result": false,
              "soft-failed": 0,
              "total-failed": 1
            },
            "status": "passed",
            "status-timestamps": {
              "passed-at": "2020-11-06T16:37:40Z",
              "pending-at": "2020-11-06T16:37:00Z",
              "queued-at": "2020-11-06T16:37:39Z"
            }
          },
          "id": "pchk-t61g5rsa61i18c8",
          "links": {
            "output": "https://my.scalr.io/api/iacp/v3/policy-checks/pchk-t61g5rsa61i18c8/output",
            "self": "https://my.scalr.io/api/iacp/v3/policy-checks/pchk-t61g5rsa61i18c8"
          },
          "relationships": {},
          "type": "policy-checks"
        }
      ],
      "included": null,
      "links": {
        "first": "https://my.scalr.io/api/iacp/v3/runs/run-t61g5rlk9qbudh0/policy-checks?page%5Bnumber%5D=1&page%5Bsize%5D=20",
        "last": "https://my.scalr.io/api/iacp/v3/runs/run-t61g5rlk9qbudh0/policy-checks?page%5Bnumber%5D=1&page%5Bsize%5D=20",
        "next": null,
        "prev": null,
        "self": "https://my.scalr.io/api/iacp/v3/runs/run-t61g5rlk9qbudh0/policy-checks?page%5Bnumber%5D=1&page%5Bsize%5D=20"
      },
      "meta": {
        "pagination": {
          "current-page": 1,
          "next-page": null,
          "prev-page": null,
          "total-count": 0,
          "total-pages": 1
        }
      }
    }
403 Forbidden – Plan not found or user unauthorized to perform action.
4XX – Client error.
5XX – Server error.
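Added example (not part of the Scalr documentation): a small audit pass over policy-check resources as returned by the Get and List endpoints above. It flags checks whose status is passed while result.result is false, and overridden soft-mandatory failures together with the time between soft-failed-at and overridden-at. The function name, flag names and the trimmed sample are assumptions made for illustration.

```python
from datetime import datetime

def _ts(value):
    # Timestamps in the responses are ISO 8601 with a trailing "Z" (UTC).
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def audit_policy_checks(document):
    """Findings for a Get (data is an object) or List (data is an array) body."""
    data = document["data"]
    findings = []
    for check in data if isinstance(data, list) else [data]:
        attrs = check["attributes"]
        result = attrs.get("result") or {}
        stamps = attrs.get("status-timestamps") or {}
        failed = [(p["name"], p["result"]) for p in result.get("policies", [])
                  if p["result"] != "passed"]
        finding = {"id": check["id"], "status": attrs["status"],
                   "failed_policies": failed, "flags": []}
        # In the page's Get example, status is "passed" while result.result is
        # false (one advisory failure), so status alone is not a clean signal.
        if attrs["status"] == "passed" and result.get("result") is False:
            finding["flags"].append("passed-with-failures")
        # An overridden check is a soft_failed decision that a user pushed through.
        if attrs["status"] == "overridden":
            finding["flags"].append("soft-mandatory-override")
            if "soft-failed-at" in stamps and "overridden-at" in stamps:
                delta = _ts(stamps["overridden-at"]) - _ts(stamps["soft-failed-at"])
                finding["seconds_to_override"] = int(delta.total_seconds())
        if finding["flags"]:
            findings.append(finding)
    return findings

# Constructed sample: the page's two example resources, trimmed to the fields used.
SAMPLE = {"data": [
    {"id": "pchk-t61g5rsa61i18c8", "attributes": {
        "status": "passed",
        "result": {"result": False, "policies": [
            {"name": "cost-check", "result": "advisory_failed"},
            {"name": "credential-limit", "result": "passed"}]},
        "status-timestamps": {"passed-at": "2020-11-06T16:37:40Z"}}},
    {"id": "pchk-t61gbtus33m5eu8", "attributes": {
        "status": "overridden",
        "result": {"result": False, "policies": [
            {"name": "instance_types", "result": "soft_failed"}]},
        "status-timestamps": {"soft-failed-at": "2020-11-06T16:42:56Z",
                              "overridden-at": "2020-11-06T17:01:47Z"}}}]}

if __name__ == "__main__":
    print(audit_policy_checks(SAMPLE))
```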