Congress policies enables a user to define modification of an environment prior to its deployment. This includes:
Use cases examples:
These policies are evaluated over data in the form of tables that are Congress data structures. A deployed murano environment must be decomposed to Congress data structures. The further workflow is as follows:
The decomposed environment is sent to Congress for simulation.
Congress simulates whether the resulting state requires modification.
In case the modification of a deployed environment is required, Congress returns a list of actions in the YAML format to be performed on the environment prior to the deployment.
For example:
set-property: {object_id: c46770dec1db483ca2322914b842e50f, prop_name: keyname, value: production-key}
The example above sets the keyname property to the production-key value on the instance identified by object_id. An administrator can use it as an output of the Congress rules.
The action specification is parsed in murano. The given action class is loaded, and the action instance is created.
The parsed parameters are supplied to the action __init__ method.
The action is performed on a given environment (the modify method).
This example illustrates how to configure the rule enforcing all VM instances to deploy with a secure key pair. This may be required in a production environment.
Warning
Before you create rules, configure your OpenStack environment as described in Setting up policy enforcement.
Procedure:
To create the predeploy_modify rule, run:
congress policy rule create murano_system 'predeploy_modify(eid, obj_id, action):-murano:objects(obj_id, pid, type), murano_env_of_object(obj_id, eid), murano:properties(obj_id, "keyname", kn), concat("set-property: {object_id: ", obj_id, first_part), concat(first_part, ", prop_name: keyname, value: production-key}", action)'
The command above contains the following information:
predeploy_modify(eid, obj_id, action) :-
murano:objects(obj_id, pid, type),
murano:objects(eid, tid, "io.murano.Environment"),
murano:connected(eid, pid),
murano:properties(obj_id, "keyname", kn),
concat("set-property: {object_id: ", obj_id, first_part),
concat(first_part, ", prop_name: keyname, value: production-key}", action)
Policy validation engine checks the predeploy_modify rule. And the Congress engine evaluates the rules referenced inside this rule.
Note
The production-key key pair must already exist, though you can use any other existing key pair.
Deploy the environment.
Instances within the environment are deployed with the specified key pair.
See also