What are Availabilities?

Availabilities are used in Common Fate to inform the policy engine what role to be attached to a set of resources identified by a selector. Avilabilities reference a Selector which determines which targets should be available for what role.

Creating an Availability

There are availabilities for each of the supported resources in Common Fate.

Below is an example of a GCP Availability:

workflow.tf
resource "commonfate_gcp_project_availabilities" "availability-demo" {
  workflow_id = commonfate_access_workflow.workflow-demo.id
  gcp_role = "roles/owner"
  gcp_project_selector_id = commonfate_gcp_project_selector.selector-demo.id
  google_workspace_customer_id = commonfate_gcp_project_integration.main.google_workspace_customer_id
  role_priority = 1
}

This Availability tells Common Fate to handle any project resource selected by selector “sel_123” to be accessed with the “roles/owner” with the access workflow “wrk_123”.

This is the configuration aspect of access completed. The next component is creating the rules of who can access what resources based on actions. For this we use Cedar Policies

The role_priority field can be used customize which role is suggested to end users in the UI. Consider the following scenerio:

workflow.tf
resource "commonfate_gcp_project_availabilities" "availability-demo" {
  workflow_id = commonfate_access_workflow.workflow-demo.id
  gcp_role = "roles/owner"
  gcp_project_selector_id = commonfate_gcp_project_selector.selector-demo.id
  google_workspace_customer_id = commonfate_gcp_project_integration.main.google_workspace_customer_id
  role_priority = 1
}
resource "commonfate_gcp_project_availabilities" "availability-demo" {
  workflow_id = commonfate_access_workflow.workflow-demo.id
  gcp_role = "roles/viewer"
  gcp_project_selector_id = commonfate_gcp_project_selector.selector-demo.id
  google_workspace_customer_id = commonfate_gcp_project_integration.main.google_workspace_customer_id
  role_priority = 2
}

When availabilities are created from these availability specs, roles/viewer will be used as the suggested role for availability made by these availability specs.