Continuous Integration
Validate authorization policies automatically in your CI platform.
Validating policies in your CI workflows allows you to check for potential policy issues each time a change is made to your policy source code. Common Fate policy validation can be run in CI platforms such as GitHub Actions, GitLab, and BuildKite.
An example policy validation check in GitHub Actions.
If you use GitHub Actions, our Cedar Policy Validation Action will show annotations on Pull Requests, indicating where issues are in your policy source code.
Annotations in GitHub Actions showing where issues are.
Prerequisites
If you’re running a BYOC (“Bring-Your-Own-Cloud”) deployment of Common Fate in your own AWS account, you’ll need to be on v1.31.0 or later of the common-fate/common-fate-deployment/aws Terraform module.
Policy validation in CI
To validate policies using GitHub Actions, you can use the Install Common Fate CLI Action to install the cf CLI, and then run cf authz policyset validate to validate policies. Here’s an example workflow.
name: Test
on:
  push:
jobs:
  cedar:
    name: Cedar
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Download Cedar Schema
        uses: common-fate/download-cedar-schema-action@v1
        with:
          deployment-url: https://commonfate.example.com # replace this with your Common Fate API URL
          oidc-client-id: abcdefGHIJKL12345678 # replace this with your Client ID
          oidc-client-secret: ${{ secrets.CF_OIDC_CLIENT_SECRET }}
          oidc-issuer: https://cognito-idp.us-east-1.amazonaws.com/us-east-1_abcdeFGH # replace this with your Issuer
          save-schema-file-to: common-fate.cedarschema.json
      - name: Validate Policies
        uses: common-fate/cedar-validate-action@v1
        with:
          schema-file: common-fate.cedarschema.json
          policy-files: "**/*.cedar"
As shown above, the workflow requires a few configuration variables to tell the CLI where Common Fate is running (deployment-url, which maps to api_url in the Terraform provider), and how to authenticate to it (oidc-client-id, oidc-client-secret, oidc-issuer). You can obtain these from your Terraform provider configuration block:
provider "commonfate" {
  api_url        = "https://commonfate.example.com" # corresponds to 'deployment-url' in the workflow
  oidc_client_id = "7qf6ncnf0qudvpgp93l96397uk" # corresponds to 'oidc-client-id' in the workflow
  oidc_issuer    = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_abcdeFGH" # corresponds to 'oidc-issuer' in the workflow
}
You can look up the Terraform OIDC client secret by finding it in the deployment outputs following our guide here. Save the OIDC client secret as a GitHub Actions Secret with the name CF_OIDC_CLIENT_SECRET to keep it out of your source code.
Store the OIDC Client Secret as a secret, with the key CF_OIDC_CLIENT_SECRET
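As an added example that is not part of the Common Fate documentation above, the same validation wired for pull requests with a read-only workflow token and a guard step that fails the job when the policy-files glob matches nothing, so a moved directory or mis-typed pattern cannot pass silently. The deployment URL, client ID and issuer are placeholders to be replaced with the values from your Terraform provider block.

```yaml
name: Validate Cedar policies
on:
  pull_request:
  push:
    branches: [main]
permissions:
  contents: read  # checkout and validation only read the repository; no write scopes needed
jobs:
  cedar:
    name: Cedar
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Fail if no policy files are present
        # Added guard: an empty match for "**/*.cedar" would otherwise validate nothing.
        run: |
          if ! find . -name '*.cedar' -not -path './.git/*' | grep -q .; then
            echo "::error::no .cedar policy files found; check the policy-files glob"
            exit 1
          fi
      - name: Download Cedar Schema
        uses: common-fate/download-cedar-schema-action@v1
        with:
          deployment-url: https://commonfate.example.com # placeholder: your Common Fate API URL (api_url)
          oidc-client-id: CLIENT_ID_PLACEHOLDER # placeholder: oidc_client_id from Terraform
          oidc-client-secret: ${{ secrets.CF_OIDC_CLIENT_SECRET }}
          oidc-issuer: https://cognito-idp.REGION.amazonaws.com/POOL_ID_PLACEHOLDER # placeholder: oidc_issuer
          save-schema-file-to: common-fate.cedarschema.json
      - name: Validate Policies
        uses: common-fate/cedar-validate-action@v1
        with:
          schema-file: common-fate.cedarschema.json
          policy-files: "**/*.cedar"
```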