Validating policies in your CI workflows allows you to check for potential policy issues each time a change is made to your policy source code. Common Fate policy validation can be run in CI platforms such as GitHub Actions, GitLab, and BuildKite.

An example policy validation check in GitHub Actions.

If you use GitHub Actions, our Cedar Policy Validation Action will show annotations on Pull Requests, indicating where issues are in your policy source code.

Annotations in GitHub Actions showing where issues are.

Prerequisites

If you’re running a BYOC (“Bring-Your-Own-Cloud”) deployment of Common Fate in your own AWS account, you’ll need to be on v1.31.0 or later of the common-fate/common-fate-deployment/aws Terraform module.

Policy validation in CI


To validate policies using GitHub Actions, you can use the Install Common Fate CLI Action to install the cf CLI, and then run cf authz policyset validate to validate policies.

Here’s an example workflow.

name: Test

on:
  push:

jobs:
  cedar:
    name: Cedar
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Download Cedar Schema
        uses: common-fate/download-cedar-schema-action@v1
        with:
          deployment-url: https://commonfate.example.com # replace this with your Common Fate API URL
          oidc-client-id: abcdefGHIJKL12345678 # replace this with your Client ID
          oidc-client-secret: ${{ secrets.CF_OIDC_CLIENT_SECRET }}
          oidc-issuer: https://cognito-idp.us-east-1.amazonaws.com/us-east-1_abcdeFGH # replace this with your Issuer
          save-schema-file-to: common-fate.cedarschema.json

      - name: Validate Policies
        uses: common-fate/cedar-validate-action@v1
        with:
          schema-file: common-fate.cedarschema.json
          policy-files: "**/*.cedar"

As shown above, the workflow requires a few configuration variables to tell the CLI where Common Fate is running (deployment-url, which maps to api_url in Terraform), and how to authenticate to it (oidc-client-id, oidc-client-secret, oidc-issuer). You can obtain these from your Terraform provider configuration block:

provider "commonfate" {
  api_url            = "https://commonfate.example.com" # corresponds to 'deployment-url' in the workflow
  oidc_client_id     = "7qf6ncnf0qudvpgp93l96397uk"  # corresponds to 'oidc-client-id' in the workflow
  oidc_issuer        = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_abcdeFGH"  # corresponds to 'oidc-issuer' in the workflow
}

You can look up the Terraform OIDC client secret by finding it in the deployment outputs following our guide here. Save the OIDC client secret as a GitHub Actions Secret with the name CF_OIDC_CLIENT_SECRET to keep it out of your source code.

Store the OIDC Client Secret as a secret, with the key CF_OIDC_CLIENT_SECRET