Config policy reference
On This Page
- CircleCI config helpers
- orbs
- Definition
- Usage
- ban_orbs
- Definition
- Usage
- ban_orbs_version
- Definition
- Usage
- resource_class_by_project
- Definition
- Usage
- contexts_allowed_by_project_ids
- Definition
- Usage
- contexts_blocked_by_project_ids
- Definition
- Usage
- contexts_reserved_by_project_ids
- Definition
- Usage
- contexts_reserved_by_branches
- Definition
- Usage
- CircleCI utility helpers
- is_parameterized_expression
- Definition
- Usage
- get_element_name
- Definition
- Usage
- to_array
- Definition
- Usage
- to_set
- Definition
- Usage
| The config policies feature is available on the Scale Plan and from CircleCI server v4.2. |
This reference page lists a selection of helpers, or CircleCI-specific functions that are likely to be useful for you when you are writing your policies. These helpers will lead to cleaner policies with less boilerplate.
The circle-policy-agent package includes built-in functions for common config policy use cases. All policies evaluated by the policy-service, the circle-cli, or the circle-policy-agent will be able to access these functions. This also means the package names circleci.config and circleci.utils are reserved.
CircleCI config helpers
The following helpers are imported using import data.circleci.config
orbs
orbs is a Rego object containing orbs and versions present in the given config file. It can be utilized by policies related to orbs.
Definition
orbs[string] = stringExample orbs object:
{
"circleci/security": "1.2.3",
"circleci/foo": "3.2.1"
}Usage
package org
import data.circleci.config
policy_name["example"]
my_orbs := config.orbsban_orbs
This function violates a policy if a config includes orbs based on the orb name. Versions should not be included in the provided list of orbs.
Definition
ban_orbs([string])
returns { string: string }Usage
package org
import data.circleci.config
policy_name["example"]
ban_orbs = config.ban_orbs(["evilcorp/evil"])
enable_hard["ban_orbs"]ban_orbs_version
This function violates a policy if a config includes orbs based on the orb name and version.
Definition
ban_orbs_version([string])
returns { string: string }Usage
package org
import data.circleci.config
policy_name["example"]
ban_orbs_versioned = config.ban_orbs_version(["evilcorp/evil@1.2.3", "foo/bar@4.5.6"])
enable_hard["ban_orbs_versioned"]resource_class_by_project
This function accepts a resource class to project IDs set mapping. The resource classes defined in the mapping will be reserved for its associated projects. Resource classes not included in the mapping will still be available for use by any project.
Definition
resource_class_by_project({
"$RESOURCE_CLASS": {$PROJECT_IDS...},
...
})
returns { ...reasons: string }Usage
package org
import future.keywords
import data.circleci.config
policy_name["example"]
check_resource_class = config.resource_class_by_project({
"large": {"$PROJECT_UUID_A","$PROJECT_UUID_B"},
})
enable_hard["check_resource_class"]contexts_allowed_by_project_ids
This function accepts project ids (PROJECTS) and context names (ALLOWED_CONTEXTS) as one of the following types:
-
string
-
set of strings
-
array of strings
It prevents the usage of any context not in ALLOWED_CONTEXTS for all projects that are in PROJECTS.
Definition
contexts_allowed_by_project_ids(
PROJECTS: string | Array<string> | Set<string>
ALLOWED_CONTEXTS: string | Array<string> | Set<string>
)
returns reason <type string>Usage
package org
import future.keywords
import data.circleci.config
policy_name["a_unique_policy_name"]
rule_contexts_allowed_by_project_ids = config.contexts_allowed_by_project_ids(
["${PROJECT_1_UUID}","${PROJECT_2_UUID}"],
["${ALLOWED_CONTEXT_NAME_1}","${ALLOWED_CONTEXT_NAME_2}"]
)
enable_hard["rule_contexts_allowed_by_project_ids"]contexts_blocked_by_project_ids
This function accepts project IDs (PROJECTS) and context names (BLOCKED_CONTEXTS) as one of the following types:
-
string
-
set of strings
-
array of strings
It blocks the usage of any context in BLOCKED_CONTEXTS for all projects in PROJECTS.
Definition
contexts_blocked_by_project_ids(
PROJECTS: string | Array<string> | Set<string>
BLOCKED_CONTEXTS: string | Array<string> | Set<string>
)
returns reason: stringUsage
package org
import future.keywords
import data.circleci.config
policy_name["a_unique_policy_name"]
rule_contexts_blocked_by_project_ids = config.contexts_blocked_by_project_ids(
["${PROJECT_1_UUID}","${PROJECT_2_UUID}"],
["${BLOCKED_CONTEXT_1}","${BLOCKED_CONTEXT_2}"]
)
enable_hard["rule_contexts_blocked_by_project_ids"]contexts_reserved_by_project_ids
This function accepts project ids (PROJECTS) and context names (RESERVED_CONTEXTS) as one of the following types:
-
string
-
set of strings
-
array-of-strings
It blocks the usage of any context in RESERVED_CONTEXTS for all projects not in PROJECTS.
Definition
contexts_reserved_by_project_ids(
PROJECTS: string | Array<string> | Set<string>
RESERVED_CONTEXTS: string | Array<string> | Set<string>
)
returns reason: stringUsage
package org
import future.keywords
import data.circleci.config
policy_name["a_unique_policy_name"]
rule_contexts_reserved_by_project_ids = config.contexts_reserved_by_project_ids(
["${PROJECT_1_UUID}","${PROJECT_2_UUID}"],
["${RESERVED_CONTEXT_1}","${RESERVED_CONTEXT_2}"]
)
enable_hard["rule_contexts_reserved_by_project_ids"]contexts_reserved_by_branches
This function accepts VCS branch names (BRANCHES) and context names (RESERVED_CONTEXTS) as one of the following types:
-
string
-
set-of-strings
-
array-of-strings
Branch names not in BRANCHES are not allowed to use the contexts in RESERVED_CONTEXTS, however, other contexts may be used.
Definition
contexts_reserved_by_branches(
BRANCHES: string | Array<string> | Set<string>
CONTEXT_LIST: string | Array<string> | Set<string>
)
returns reason: stringUsage
package org
import future.keywords
import data.circleci.config
policy_name["a_unique_policy_name"]
rule_contexts_reserved_by_branches = config.contexts_reserved_by_branches(
["${BRANCH_1}, "${BRANCH_2}", "${BRANCH_3}"]",
["${RESERVED_CONTEXT_1}","${RESERVED_CONTEXT_2}"]
)
enable_hard["rule_contexts_reserved_by_branches"]CircleCI utility helpers
The following helpers are imported using import data.circleci.utils
is_parameterized_expression
This function checks any value and returns true if it is a string that contains a parameter expression, otherwise it returns false.
Definition
is_parameterized_expression(value)
return booleanUsage
is_parameterized_expression("hello world") # false
is_parameterized_expression(42) # false
is_parameterized_expression("release-<<parameters.version>>") # trueget_element_name
This function retrieves the name of an element in a config file. You can use it to retrieve the name of jobs in workflows, steps in jobs, etc. If the element is an object, this function will return the object’s key.
Definition
get_element_name(input.<config_key>)
returns stringUsage
package org
import data.circleci.utils
policy_name["example"]
job_name1 = utils.get_element_name(input.jobs[0])
job_name2 = utils.get_element_name(input.jobs[1])Consider the following config.yml:
workflows:
main:
jobs:
- lint
- test:
context: test-varsIn the policy example above, job_name1 would equal lint and job_name2 would equal test.
to_array
This function casts a value to an array. Array values are left as is and are not cast to Array<Array>.
Definition
to_array(value)
returns arrayUsage
package org
import data.circleci.utils
policy_name["example"]
a = utils.to_array("element") # a is ["element"]
b = utils.to_array(["element"]) # b is ["element"]to_set
This function casts a value to a set. Array values are cast to a set and deduplicated. Set values are left as is and are not cast to Set<Set>.
Definition
to_set(value)
returns setUsage
package org
import data.circleci.utils
policy_name["example"]
a = utils.to_set("element") # a is {"element"}
b = utils.to_set(["one", "one", "two", "three"]) # b is {"one", "two", "three"}
c = utils.to_set({"element"}) # c is {"element"}