Policies with YAML array data

Overview

While many Turbot policies are defined as fixed values or simple strings, some Turbot policies accept flexible data definitions in the form of a YAML array. This allows for more flexible and powerful policy definitions.

This guide will introduce some common capabilities and tips for using these data types.

It’s just a YAML Array

These policies are always, very simply, parsed as a YAML array. If it parses as a YAML array, it should work for the policy.

Simple list

The simplest case is a basic list of strings.

- us-east-1
- eu-west-1

Comments

# US regions only
- us-east-1 # Virginia
- us-east-2 # Ohio
- us-west-1
- us-west-2

Empty list

YAML allows an empty list to be defined with square brackets:

[]

List of objects

Some policies accept a more complex list of object types:

- us:
    - us-east-1
    - us-east-2
    - us-west-1
    - us-west-2
- eu:
    - eu-west-1
    - eu-west-2
    - eu-central-1

Policy Inheritance

Turbot policies follow a hierarchy. In some cases we wish to extend the higher level policy with extra settings at the lower level. For example, define a list of allowed ports at the Cluster level and add a specific extra port to that list at the Account level.

Turbot allows lower level policies to inherit and extend higher level policies through the use of the Turbot::Inherited keyword.

# Include items defined on the parent resource
- Turbot::Inherited
# Add policies for the current level
- ap-south-1

If the parent resource defined the policy to be:

- us-east-1
- eu-west-1

Then the resulting value is the union of both lists:

- us-east-1
- eu-west-1
- ap-south-1

Policy Inclusion

Policies can include items from another named policy, provided that policy is also visible to that resource.

For example, if AWS has a policy called AWS > Regions set to:

- us-east-1
- us-west-1

Then, a second policy, defined for S3 Buckets called Approved Regions can include the first policy:

- Turbot::Include: AWS:Regions

In this case Approved Regions exactly matches the value of the first policy.

Kitchen Sink

All of these concepts can be combined into a single list. Turbot will simply create a union of the values.

- ap-southeast-1
- Turbot::Inherited
- Turbot::Include: AWS:Regions
- ap-south-2
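The resolution rules described above (parse as a YAML array, pull in the parent's value for Turbot::Inherited, pull in another visible policy for Turbot::Include, then take the union) can be modelled in a few dozen lines. The following is an added example written for this guide, not Turbot's own implementation: it stores each policy value as the Python list that yaml.safe_load() would return for the YAML shown in the article (so it runs without PyYAML), and it assumes that Turbot::Inherited looks up the policy on the parent of the resource that set the list, that Turbot::Include resolves the named policy from the point of view of the requesting resource, that union keeps the first occurrence of each item in list order, and that a reference loop is an error. The resource names (turbot, cluster, account) and the use of the display name "AWS > Regions" as the include target are constructed for the example.

```python
"""Resolver for Turbot-style YAML-array policies (added example, not Turbot code)."""
from typing import Any, Dict, List, Optional, Tuple

INHERITED = "Turbot::Inherited"   # keyword from the article
INCLUDE = "Turbot::Include"       # keyword from the article


class PolicyHierarchy:
    """Resources form a parent chain; each resource may set a policy to a YAML array.

    Values are held as the lists yaml.safe_load() would produce, so PyYAML is
    not needed to run the example.
    """

    def __init__(self, parents: Dict[str, Optional[str]]):
        self.parents = parents                                  # resource -> parent (None at root)
        self.settings: Dict[str, Dict[str, List[Any]]] = {}    # resource -> policy -> array

    def set(self, resource: str, policy: str, value: List[Any]) -> None:
        # The article's rule: if it parses as a YAML array it works; anything else is rejected.
        if not isinstance(value, list):
            raise TypeError(f"{policy} on {resource} must be a YAML array, "
                            f"got {type(value).__name__}")
        self.settings.setdefault(resource, {})[policy] = value

    def _nearest_setting(self, resource: str, policy: str) -> Tuple[Optional[str], List[Any]]:
        """Walk up the hierarchy to the closest resource that sets the policy explicitly."""
        current: Optional[str] = resource
        while current is not None:
            if policy in self.settings.get(current, {}):
                return current, self.settings[current][policy]
            current = self.parents.get(current)
        return None, []

    def resolve(self, resource: str, policy: str, _stack: tuple = ()) -> List[Any]:
        """Expand Turbot::Inherited / Turbot::Include items and return the union."""
        key = (resource, policy)
        if key in _stack:
            raise ValueError(f"circular reference while resolving {key}")
        stack = _stack + (key,)
        owner, value = self._nearest_setting(resource, policy)
        if owner is None:
            return []                                           # policy not set anywhere above

        result: List[Any] = []

        def add(items: List[Any]) -> None:
            for item in items:
                if item not in result:                          # union: first occurrence wins
                    result.append(item)

        for item in value:
            if item == INHERITED:
                parent = self.parents.get(owner)
                add(self.resolve(parent, policy, stack) if parent else [])  # nothing to inherit at root
            elif isinstance(item, dict) and set(item) == {INCLUDE}:
                add(self.resolve(resource, item[INCLUDE], stack))        # must be visible to resource
            else:
                add([item])                                     # plain string or object entry
        return result


def build_example() -> PolicyHierarchy:
    """Constructed hierarchy reproducing the article's examples (assumed resource names)."""
    h = PolicyHierarchy({"turbot": None, "cluster": "turbot", "account": "cluster"})
    # AWS > Regions on the cluster:         - us-east-1 / - us-west-1
    h.set("cluster", "AWS > Regions", ["us-east-1", "us-west-1"])
    # Approved Regions on the cluster (the parent value from the inheritance section):
    h.set("cluster", "Approved Regions", ["us-east-1", "eu-west-1"])
    # The "kitchen sink" list on the account:
    #   - ap-southeast-1
    #   - Turbot::Inherited
    #   - Turbot::Include: AWS > Regions
    #   - ap-south-2
    h.set("account", "Approved Regions",
          ["ap-southeast-1", INHERITED, {INCLUDE: "AWS > Regions"}, "ap-south-2"])
    return h


if __name__ == "__main__":
    print(build_example().resolve("account", "Approved Regions"))
```

Running the block prints the union for the account in list order: ap-southeast-1, then the inherited cluster value, then us-west-1 from the included policy (us-east-1 is already present), then ap-south-2. The loop check matters because an include that points back at the policy being resolved would otherwise recurse forever.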