Each policy definition has a SCAN script for the life cycle stage to assess the compliance state of a deployment. Application Services calls the policy scan action script before performing any operation on the deployment except teardown, and whenever a user explicitly initiates a policy scan on the deployment.

About this task

The scan action script includes a model of the deployment as defined in the Application Services REST API specification. The scan action script also receives the additional components used in the blueprint for the deployment.

You must create policy instances in specific deployment environments to enable policies. If a policy violation occurs during deployment, it is flagged and you can view the violation details in the compliance view summary page.

Note: JavaScript is the only supported language for authoring policy definition scripts.

Policy properties defined in a policy definition are supplied to the script as individual variables. The script can access them by declaring a variable with the same name as the property name.

Script input variables and their descriptions:

  • var min_cpu_count

    Corresponds to the min_cpu_count property; its value is set for the script to consume.

  • eventPayload

    Includes the details of the deployment assessed for policy compliance.

    For regular properties, var eventPayload must be added to access the eventPayload object.

    The policy script might regard the eventPayload variable as a Java object with the following properties:

      • deploymentProfile of type DeploymentProfile as defined in V2 API

        Represents the deployment profile capturing the latest details of the deployment. In the case of updates, this includes all of the changes that are part of the update profile.

      • blueprint of type Blueprint as defined in V2 API

        Represents the actual blueprint object that is referenced from deploymentProfile.

      • logicalTemplates of type List<LogicalTemplate> where LogicalTemplate is as defined in V2 API

        Represents the list of logical templates referenced from various nodes inside the application blueprint.

      • serviceVersions of type List<ServiceVersion> where ServiceVersion is as defined in V2 API

        Represents the list of service versions referenced from various nodes inside the application blueprint.

Policy scripts are expected to output the following properties to communicate the result of the compliance assessment. Scripts must declare them as variables.

Script output variables and their descriptions:

  • complianceResult

    A mandatory string. If the script fails to set it, the compliance result is assumed to be Error.

    The valid values for the variable are:

      • Compliant

        Indicates that a deployment is compliant against the policy being assessed.

      • Non_Compliant

        Indicates that a deployment violates the policy being assessed.

      • Error

        Indicates failure to produce an assessment result.

  • complianceMessage

    An optional string.

    Provides a high-level summary of the reason behind the policy violation. The value can be any string with fewer than 2048 characters.

The scripts can create log messages with the standard println function available in JavaScript. The log is captured by Application Services, which is useful to diagnose errors in policy scripts or provide details for a policy assessment result.
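The logic of a minimum-CPU scan script, shown as an added example that is not one of the product's predefined policy definitions. The deploymentProfile field names (nodes, name, cpuCount) are assumptions, and the logic is wrapped in a function so it runs under Node.js; in Application Services the inputs and outputs are declared as top-level variables. The script reports Error, never Compliant, when its inputs cannot be read.

```javascript
// Added example: field names under deploymentProfile (nodes, name, cpuCount)
// are hypothetical; check the V2 API model for the real ones.
const MAX_MESSAGE_LENGTH = 2047; // complianceMessage must stay under 2048 characters

function scanMinCpu(min_cpu_count, eventPayload) {
  // Fail closed: any problem reading the inputs yields Error, never Compliant.
  try {
    const required = Number(min_cpu_count);
    if (!Number.isInteger(required) || required < 1) {
      return result("Error", "min_cpu_count is not a positive integer");
    }
    const profile = eventPayload && eventPayload.deploymentProfile;
    const nodes = profile && profile.nodes; // hypothetical field
    if (!Array.isArray(nodes) || nodes.length === 0) {
      return result("Error", "deploymentProfile has no nodes to assess");
    }
    const violations = [];
    for (const node of nodes) {
      const cpu = Number(node.cpuCount); // hypothetical field
      if (!Number.isFinite(cpu)) {
        return result("Error", "node " + node.name + " has no CPU count");
      }
      if (cpu < required) {
        violations.push(node.name + " has " + cpu + " CPU(s), minimum is " + required);
      }
    }
    return violations.length === 0
      ? result("Compliant", "")
      : result("Non_Compliant", violations.join("; "));
  } catch (e) {
    return result("Error", "scan failed: " + e.message);
  }
}

// Builds the two output variables and enforces the message length limit.
function result(complianceResult, complianceMessage) {
  return {
    complianceResult: complianceResult,
    complianceMessage: String(complianceMessage).slice(0, MAX_MESSAGE_LENGTH),
  };
}

// Constructed sample payload, not real product output.
const samplePayload = {
  deploymentProfile: { nodes: [{ name: "web", cpuCount: 2 }, { name: "db", cpuCount: 1 }] },
};
const { complianceResult, complianceMessage } = scanMinCpu(2, samplePayload);
console.log(complianceResult, "-", complianceMessage);
```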

Prerequisites

  • Log in to Application Services as an application cloud administrator and an application publisher and deployer.

  • Verify that at least one policy is created in the library. See Add a Policy to the Library.

Procedure

  1. On the Application Services title bar, click the drop-down menu and select Library > Policies.
  2. Open a policy to add a policy definition script.
  3. In the Script column, click the hyperlink to open the Edit Script dialog box.

    You can refer to the existing predefined policy definitions and create a script in the dialog box.

  4. Click OK.

What to do next

Specifying a policy definition has no impact on deployments unless you create a policy instance in a deployment environment to enable that policy definition on all of the deployments under the deployment environment. See Create a Policy Instance.