How to create OPA Policy on Artifact connector such that no user can create an artifact connector other than the mentioned artifact connector

Use case:

  1. Apply an OPA policy on artifact connectors so that no user can create an artifact connector in that project other than JFrog, and only allow a particular repo in Artifactory.

This article shows how to achieve this use case:

  • Option 1: A blanket ban on anything but Artifactory connectors. This means that if you need to create a connector for Github to get code out, for example, it would throw up a warning or error (based on what you chose in the Policy set).

```rego
package connector

# Block saves on any connector, but Artifactory
deny[msg] {
  # Match when the connector type is anything other than Artifactory
  input.entity.type != "Artifactory"

  # Show a human-friendly error message
  msg := sprintf("Artifactory is the only connector allowed, you have tried to create %s", [input.entity.type])
}
```

  • Option 2: Block any connector under the ‘Artifact Repositories’ section in the connectors UI. You can add and remove types from the array at the bottom, just in case you want to add Gitlab from your example.

```rego
package connector

# Deny any connectors that fall into the list of not_allowed
deny[msg] {
  # If the connector type matches anything in our list... deny
  contains(not_allowed, input.entity.type)

  # Show a human-friendly error message
  msg := sprintf("%s is not allowed, please use Artifactory only", [input.entity.type])
}

# All of the blocked connector types
not_allowed = ["Jenkins", "DockerRegistry", "HttpHelmRepo", "Nexus", "OciHelmRepo"]

# Helper: true when elem is one of the items in arr
contains(arr, elem) {
  arr[_] = elem
}
```

This is how you can create an OPA policy on artifact connectors in Harness so that no user can create an artifact connector other than the one you specify.

For more on Harness Policy As Code, please review our docs here: Harness Policy As Code Overview | Harness Developer Hub.

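An added example, not part of the original article or Harness's own code: the Option 2 policy together with `opa test` unit tests, so the rule can be checked locally before it is attached to a policy set. All input documents and the type name `FutureRepoType` are constructed for illustration, and the blocked types are held in a set here instead of using the `contains` helper.

```rego
package connector

# Policy under test: Option 2, with the blocked types held in a set
# so membership is a direct lookup (assumption: same types as the article).
not_allowed := {"Jenkins", "DockerRegistry", "HttpHelmRepo", "Nexus", "OciHelmRepo"}

deny[msg] {
	not_allowed[input.entity.type]
	msg := sprintf("%s is not allowed, please use Artifactory only", [input.entity.type])
}

# --- Tests: every input document below is constructed for this example ---

# Artifactory is not in the blocked set, so no deny message is produced.
test_artifactory_is_allowed {
	count(deny) == 0 with input as {"entity": {"type": "Artifactory"}}
}

# A blocked type yields exactly the message the policy formats.
test_nexus_is_denied {
	deny == {"Nexus is not allowed, please use Artifactory only"} with input as {"entity": {"type": "Nexus"}}
}

# Every entry of the blocked set must be denied, so a typo introduced
# while editing the list shows up as a failing test.
test_every_blocked_type_is_denied {
	denied := {t | not_allowed[t]; count(deny) > 0 with input as {"entity": {"type": t}}}
	denied == not_allowed
}

# Denylist gap: a type that is not listed passes this policy.
# "FutureRepoType" is a made-up placeholder, not a real Harness type.
test_unlisted_type_is_not_denied {
	count(deny) == 0 with input as {"entity": {"type": "FutureRepoType"}}
}
```

Save it under any file name and run `opa test <file> -v`. The file uses the same pre-1.0 Rego syntax as the policies above, so OPA 1.x needs the `--v0-compatible` flag.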