To add a layer of governance to deployment requests before they are run, you can create an approval policy using the Service Broker Policies API. The policy controls who must agree to a deployment or Day 2 action before a request is provisioned.
The following procedure shows how to use the Approval API to get the cloud template ID and list approval actions for a deployment before creating the approval policy using the Policy API.
Prerequisites
- Verify that general prerequisites have been satisfied. See Prerequisites for Creating Policies.
- Assign an API version variable for the Approval API.
$ api_version_approval='2020-11-01'
Note: The Approval API and Policy API have different API version values. You set the API version value for the Policy API when you satisfied the general prerequisites.
- Verify that you know the name of the cloud template to which you want to apply the approval policy.
Procedure
Example: Create an approval policy
Create a policy named Sample Approval Policy to apply to deployments created from a cloud template named template-1.
Assign variables.
$ url='https://appliance.domain.com'
$ api_version='2020-08-25'
$ api_version_approval='2020-11-01'
List the cloud templates.
$ curl -X GET \
  "$url/approval/api/policy/data/blueprints?apiVersion=$api_version_approval" \
  -H "Authorization: Bearer $access_token" | jq "."
Examine the response to find the cloud template named template-1.
...
{
  "id": "77265efc-6d06-428e-9fad-3ad8f31441f3",
  "name": "template-1",
  "description": ""
}
...
Assign the cloud template ID variable.
$ cloudtemplateId="77265efc-6d06-428e-9fad-3ad8f31441f3"
List the deployment actions.
$ curl -X GET \
  "$url/approval/api/policy/data/actions?apiVersion=$api_version_approval&search=Deployment" \
  -H "Authorization: Bearer $access_token" | jq "."
Examine the response to find the IDs of the deployment actions that you want to specify in your approval policy.
...
{
  "id": "Deployment.Create",
  "name": "Create",
  "description": "Create a deployment",
  "resourceType": "Deployment"
},
...
{
  "id": "Cloud.Azure.Machine.PowerOn",
  "name": "Power On",
  "description": "Power on a machine",
  "resourceType": "Cloud.Azure.Machine"
},
...
{
  "id": "Cloud.Azure.Machine.PowerOff",
  "name": "Power Off",
  "description": "Power off a machine",
  "resourceType": "Cloud.Azure.Machine"
},
...
Use the cloud template ID to create a level 2 approval policy with hard enforcement named Sample Approval Policy. When a deployment is requested, the listed users must approve the following actions: creating the deployment, and powering an Azure machine on or off. If the approvers do not act within three days, the deployment actions are automatically approved.
$ curl -X POST \
  "$url/policy/api/policies?apiVersion=$api_version" \
  -H "Authorization: Bearer $access_token" \
  -H 'Content-Type: application/json' \
  -d '{
    "name": "Sample Approval Policy",
    "enforcementType": "HARD",
    "typeId": "com.vmware.policy.approval",
    "definition": {
      "level": 2,
      "approverType": "USER",
      "approvalMode": "ALL_OF",
      "autoApprovalDecision": "APPROVE",
      "approvers": [
        "USER:[email protected]",
        "USER:[email protected]"
      ],
      "autoApprovalExpiry": 3,
      "actions": [
        "Deployment.Create",
        "Cloud.Azure.Machine.PowerOn",
        "Cloud.Azure.Machine.PowerOff"
      ]
    },
    "criteria": {
      "matchExpression": [
        {
          "key": "blueprintId",
          "operator": "eq",
          "value": "'$cloudtemplateId'"
        }
      ]
    }
  }' | jq "."
The response shows the approval policy.
{
  "id": "62ad2f02-0b2a-4ed8-a739-a6c40d761e49",
  "name": "Sample Approval Policy",
  "typeId": "com.vmware.policy.approval",
  "enforcementType": "HARD",
  "orgId": "d2994f92-bd52-45b1-9220-686b20944c2c",
  "definition": {
    "level": 2,
    "approverType": "USER",
    "approvalMode": "ALL_OF",
    "autoApprovalDecision": "APPROVE",
    "approvers": [
      "USER:[email protected]",
      "USER:[email protected]"
    ],
    "autoApprovalExpiry": 3,
    "actions": [
      "Deployment.Create",
      "Cloud.Azure.Machine.PowerOn",
      "Cloud.Azure.Machine.PowerOff"
    ]
  },
  "criteria": {
    "matchExpression": [
      {
        "key": "blueprintId",
        "operator": "eq",
        "value": "77265efc-6d06-428e-9fad-3ad8f31441f3"
      }
    ]
  },
  "createdAt": "2021-11-08T09:45:38.108885Z",
  "createdBy": "[email protected]",
  "lastUpdatedAt": "2021-11-08T09:45:38.108885Z",
  "lastUpdatedBy": "[email protected]"
}
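The procedure above carried through offline, as an added example that is not part of this documentation or of the Service Broker API: it resolves the template name to its ID from a blueprint listing, builds the same request body the POST sends, and runs a pre-flight review of the settings (a policy that auto-approves on expiry fails open, and a single approver under ALL_OF gives no second pair of eyes). The sample listings, KNOWN_ACTIONS, and REJECT as the alternative autoApprovalDecision value are assumptions.

```python
# Constructed sample listings, shaped like the blueprint and action responses in the procedure.
BLUEPRINTS = [
    {"id": "77265efc-6d06-428e-9fad-3ad8f31441f3", "name": "template-1", "description": ""},
    {"id": "a1b2c3d4-0000-4000-8000-000000000001", "name": "template-2", "description": ""},
]
KNOWN_ACTIONS = {"Deployment.Create", "Cloud.Azure.Machine.PowerOn", "Cloud.Azure.Machine.PowerOff"}


def find_blueprint_id(blueprints, name):
    """Resolve a cloud template name to its ID; refuse missing or ambiguous matches."""
    matches = [b["id"] for b in blueprints if b["name"] == name]
    if len(matches) != 1:
        raise ValueError(f"expected exactly one template named {name!r}, found {len(matches)}")
    return matches[0]


def build_approval_policy(name, blueprint_id, approvers, actions, level=2,
                          expiry_days=3, auto_decision="APPROVE", enforcement="HARD"):
    """Build the request body for POST /policy/api/policies (same shape as the procedure)."""
    return {
        "name": name,
        "enforcementType": enforcement,
        "typeId": "com.vmware.policy.approval",
        "definition": {
            "level": level,
            "approverType": "USER",
            "approvalMode": "ALL_OF",
            "autoApprovalDecision": auto_decision,  # assumed: REJECT is the fail-closed alternative
            "approvers": [f"USER:{a}" for a in approvers],
            "autoApprovalExpiry": expiry_days,
            "actions": list(actions),
        },
        "criteria": {"matchExpression": [
            {"key": "blueprintId", "operator": "eq", "value": blueprint_id}]},
    }


def lint_policy(policy, known_actions=KNOWN_ACTIONS):
    """Pre-flight review of a policy body before it is posted; returns findings."""
    findings = []
    d = policy["definition"]
    if policy["enforcementType"] != "HARD":
        findings.append("enforcementType is not HARD: a conflicting policy may override it")
    if d["autoApprovalDecision"] == "APPROVE":
        findings.append(f"fails open: requests auto-approve after {d['autoApprovalExpiry']} day(s)")
    if d["approvalMode"] == "ALL_OF" and len(d["approvers"]) < 2:
        findings.append("ALL_OF with a single approver gives no second pair of eyes")
    for a in d["actions"]:
        if a not in known_actions:
            findings.append(f"unknown action id {a!r}: check the actions listing")
    return findings
```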