To add a layer of governance to deployment requests before they are run, you can create an approval policy using the Service Broker Policies API. The policy controls who must agree to a deployment or Day 2 action before a request is provisioned.

You create an approval policy based on certain deployment criteria, such as deployments created from a specific cloud template. For example, if you specify a cloud template ID, you can create a policy that requires a specified level of approval for deployments created from that cloud template.

The following procedure shows how to use the Approval API to get the cloud template ID and list approval actions for a deployment before creating the approval policy using the Policy API.

Prerequisites

  • Verify that general prerequisites have been satisfied. See Prerequisites for Creating Policies.
  • Assign an API version variable for the Approval API.
    api_version_approval='2020-11-01'
    Note: The Approval API and Policy API have different API version values. You set the API version value for the Policy API when you satisfied the general prerequisites.
  • Verify that you know the name of the Cloud Template to which you want to apply the approval policy.

Procedure

  1. List the cloud templates.
    curl -X GET \
      "$url/approval/api/policy/data/blueprints?apiVersion=$api_version_approval" \
      -H "Authorization: Bearer $access_token" | jq "."
    Quote the URL: an unquoted query string is subject to shell globbing, and the & in later requests would otherwise be read as a background operator.
  2. Examine the response to find the ID of the cloud template for the approval policy.
  3. Assign the cloud template variable.
    cloudtemplateId="<your_cloud_template_ID>"
  4. (Optional) If you do not know the actions to specify in the policy, list the IDs of deployment actions.
    curl -X GET \
      "$url/approval/api/policy/data/actions?apiVersion=$api_version_approval&search=Deployment" \
      -H "Authorization: Bearer $access_token" | jq "."
    Note the action IDs. The URL must be quoted here; unquoted, the shell treats the & as a command separator and sends the request without the search parameter or the Authorization header.
  5. Create an approval policy with hard enforcement that applies to deployments created from the cloud template identified by cloudtemplateId.
    • For an approval policy, you specify "typeId": "com.vmware.policy.approval".
    • approvalMode ALL_OF requires every listed approver to approve the request; ANY_OF requires only one of them.
    • autoApprovalExpiry specifies the number of days the approvers have to act before the autoApprovalDecision is applied. A decision of APPROVE is fail-open: a request nobody reviews is provisioned when the period expires. Use REJECT if an unanswered request should be denied instead.
    • level specifies the order in which the policy is applied, with values 1-99. Level 1 approvals are applied first, followed by level 2 approvals, and so forth.
    curl -X POST \
      "$url/policy/api/policies?apiVersion=$api_version" \
      -H "Authorization: Bearer $access_token" \
      -H 'Content-Type: application/json' \
      -d '{
        "name": "<your_approval_policy_name>",
        "enforcementType": "HARD",
        "typeId": "com.vmware.policy.approval",
        "definition": {
          "level": <policy_level>,
          "approverType": "USER",
          "approvalMode": "ALL_OF",
          "autoApprovalDecision": "APPROVE",
          "approvers": [
              "USER:<approver1_ID>",
              "USER:<approver2_ID>"
          ],
          "autoApprovalExpiry": <number_of_days>,
          "actions": [
              "<actionID_1>",
              "<actionID_2>",
              "<actionID_3>"
          ]
        },
        "criteria": {
          "matchExpression": [
            {
               "key": "blueprintId",
               "operator": "eq",
               "value": "'$cloudtemplateId'"
            }
          ]
        }
      }' | jq "."

Example: Create an approval policy

Create a policy named Sample Approval Policy to apply to deployments created from a cloud template named template-1.

Assign variables.

$ url='https://appliance.domain.com'
$ api_version='2020-08-25'
$ api_version_approval='2020-11-01'

List the cloud templates.

curl -X GET \
  "$url/approval/api/policy/data/blueprints?apiVersion=$api_version_approval" \
  -H "Authorization: Bearer $access_token" | jq "."

Examine the response to find the cloud template named template-1.

...
    {
      "id": "77265efc-6d06-428e-9fad-3ad8f31441f3",
      "name": "template-1",
      "description": ""
    }
...

Assign the cloud template ID variable.

$ cloudtemplateId="77265efc-6d06-428e-9fad-3ad8f31441f3"

List the deployment actions.

curl -X GET \
  "$url/approval/api/policy/data/actions?apiVersion=$api_version_approval&search=Deployment" \
  -H "Authorization: Bearer $access_token" | jq "."

Examine the response to find the IDs of the deployment actions that you want to specify in your approval policy.

...
    {
      "id": "Deployment.Create",
      "name": "Create",
      "description": "Create a deployment",
      "resourceType": "Deployment"
    },
...
    {
      "id": "Cloud.Azure.Machine.PowerOn",
      "name": "Power On",
      "description": "Power on a machine",
      "resourceType": "Cloud.Azure.Machine"
    },
...
    {
      "id": "Cloud.Azure.Machine.PowerOff",
      "name": "Power Off",
      "description": "Power off a machine",
      "resourceType": "Cloud.Azure.Machine"
    },
...

Use the cloud template ID to create a level 2 approval policy with hard enforcement named Sample Approval Policy. Because approvalMode is ALL_OF, both listed users must approve a request for the actions Deployment.Create, Cloud.Azure.Machine.PowerOn and Cloud.Azure.Machine.PowerOff before it runs. If the approvers do not act within three days, autoApprovalDecision APPROVE causes the request to be approved automatically. That is a fail-open default; set autoApprovalDecision to REJECT if an unanswered request should be denied instead.

$ curl -X POST \
  "$url/policy/api/policies?apiVersion=$api_version" \
  -H "Authorization: Bearer $access_token" \
  -H 'Content-Type: application/json' \
  -d '{
    "name": "Sample Approval Policy",
    "enforcementType": "HARD",
    "typeId": "com.vmware.policy.approval",
    "definition": {
      "level": 2,
      "approverType": "USER",
      "approvalMode": "ALL_OF",
      "autoApprovalDecision": "APPROVE",
      "approvers": [
          "USER:[email protected]",
          "USER:[email protected]"
       ],
      "autoApprovalExpiry": 3,
      "actions": [
          "Deployment.Create",
          "Cloud.Azure.Machine.PowerOn",
          "Cloud.Azure.Machine.PowerOff"
       ]
    },
    "criteria": {
      "matchExpression": [
        {
          "key": "blueprintId",
          "operator": "eq",
          "value": "'$cloudtemplateId'"
        }
      ]
    }
  }' | jq "."

The response shows the approval policy.

{
  "id": "62ad2f02-0b2a-4ed8-a739-a6c40d761e49",
  "name": "Sample Approval Policy",
  "typeId": "com.vmware.policy.approval",
  "enforcementType": "HARD",
  "orgId": "d2994f92-bd52-45b1-9220-686b20944c2c",
  "definition": {
    "level": 2,
    "approverType": "USER",
    "approvalMode": "ALL_OF",
    "autoApprovalDecision": "APPROVE",
    "approvers": [
        "USER:[email protected]",
        "USER:[email protected]"
     ],
    "autoApprovalExpiry": 3,
    "actions": [
        "Deployment.Create",
        "Cloud.Azure.Machine.PowerOn",
        "Cloud.Azure.Machine.PowerOff"
    ]
  },
  "criteria": {
    "matchExpression": [
      {
        "key": "blueprintId",
        "operator": "eq",
        "value": "77265efc-6d06-428e-9fad-3ad8f31441f3"
      }
    ]
  },
  "createdAt": "2021-11-08T09:45:38.108885Z",
  "createdBy": "[email protected]",
  "lastUpdatedAt": "2021-11-08T09:45:38.108885Z",
  "lastUpdatedBy": "[email protected]"
}
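The procedure and example above are easy to get wrong in a shell: the unquoted & in the actions request, the spaces in the variable assignment, and the single-quote interpolation of $cloudtemplateId into a JSON body. The following is an added example, not part of the VMware documentation, that scripts steps 1 through 5 with only the Python standard library. Endpoints, API versions, field names and the template-1 sample are taken from the page; the function names, the second sample template, the acceptance of a paged "content" response and the validation rules are this example's own assumptions. It also defaults autoApprovalDecision to REJECT so that an expired approval fails closed; pass "APPROVE" to reproduce the page's policy exactly.

```python
"""Scripted version of the approval-policy procedure (added example)."""
import json
import urllib.parse
import urllib.request

API_VERSION_POLICY = "2020-08-25"     # Policy API version used on the page
API_VERSION_APPROVAL = "2020-11-01"   # Approval API version used on the page
APPROVAL_TYPE_ID = "com.vmware.policy.approval"

# Constructed sample shaped like the blueprint objects in the example above.
# The second entry is invented so the lookup has something to reject.
SAMPLE_BLUEPRINTS = [
    {"id": "77265efc-6d06-428e-9fad-3ad8f31441f3", "name": "template-1", "description": ""},
    {"id": "11111111-2222-3333-4444-555555555555", "name": "template-2", "description": "constructed"},
]


def find_blueprint_id(response, name):
    """Return the ID of the one cloud template whose name matches exactly.

    The page shows only a fragment of the response, so this accepts either a
    bare list or a paged object with a "content" array (assumption). Zero or
    several matches raise: a policy bound to the wrong blueprintId quietly
    leaves the intended deployments without an approval gate.
    """
    items = response.get("content", []) if isinstance(response, dict) else response
    matches = [b["id"] for b in items if b.get("name") == name]
    if len(matches) != 1:
        raise LookupError(f"expected exactly one template named {name!r}, found {len(matches)}")
    return matches[0]


def build_approval_policy(name, level, approvers, actions, blueprint_id, expiry_days,
                          auto_decision="REJECT", approval_mode="ALL_OF", enforcement="HARD"):
    """Build the POST body for /policy/api/policies as a dict.

    Checks the constraints stated on the page (level 1-99, approval typeId)
    plus simple sanity checks. auto_decision defaults to REJECT so an expired
    approval fails closed; pass "APPROVE" to reproduce the page's example.
    """
    if not 1 <= int(level) <= 99:
        raise ValueError("level must be between 1 and 99")
    if auto_decision not in ("APPROVE", "REJECT"):
        raise ValueError("autoApprovalDecision must be APPROVE or REJECT")
    if not approvers or not all(a.startswith("USER:") for a in approvers):
        raise ValueError("approvers must be a non-empty list of USER:<id> entries")
    if not actions:
        raise ValueError("at least one action ID is required")
    return {
        "name": name,
        "enforcementType": enforcement,
        "typeId": APPROVAL_TYPE_ID,
        "definition": {
            "level": int(level),
            "approverType": "USER",
            "approvalMode": approval_mode,
            "autoApprovalDecision": auto_decision,
            "approvers": list(approvers),
            "autoApprovalExpiry": int(expiry_days),
            "actions": list(actions),
        },
        "criteria": {
            "matchExpression": [{"key": "blueprintId", "operator": "eq", "value": blueprint_id}]
        },
    }


def _call(method, url, token, params, body=None):
    """Authenticated JSON request. urlencode builds the query string, so the
    '&' in ...?apiVersion=...&search=... never reaches a shell."""
    req = urllib.request.Request(
        url + "?" + urllib.parse.urlencode(params),
        data=json.dumps(body).encode() if body is not None else None,
        method=method,
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def create_approval_policy(base_url, token, template_name, **policy_kwargs):
    """Steps 1-5 of the procedure in one call (performs network I/O)."""
    blueprints = _call("GET", f"{base_url}/approval/api/policy/data/blueprints",
                       token, {"apiVersion": API_VERSION_APPROVAL})
    body = build_approval_policy(blueprint_id=find_blueprint_id(blueprints, template_name),
                                 **policy_kwargs)
    return _call("POST", f"{base_url}/policy/api/policies", token,
                 {"apiVersion": API_VERSION_POLICY}, body)


if __name__ == "__main__":
    # Offline dry run against the constructed sample: print the body that
    # create_approval_policy() would POST for the page's example.
    body = build_approval_policy(
        "Sample Approval Policy", 2, ["USER:approver1", "USER:approver2"],
        ["Deployment.Create", "Cloud.Azure.Machine.PowerOn", "Cloud.Azure.Machine.PowerOff"],
        find_blueprint_id(SAMPLE_BLUEPRINTS, "template-1"), 3, auto_decision="APPROVE")
    print(json.dumps(body, indent=2))
```

Run the file as-is for an offline dry run that prints the request body, or call create_approval_policy(url, access_token, "template-1", name=..., level=2, approvers=[...], actions=[...], expiry_days=3) against a live appliance. Resolving the template by exact name and refusing ambiguous matches matters because a policy whose blueprintId points at the wrong template enforces nothing on the deployments you meant to gate.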