Digger supports granular policy-as-code governance via Open Policy Agent (OPA). You can specify policies at project as well as organisation level.

There are 2 types of policies in Digger:

  • Plan policies
  • Access policies

Plan policies

With plan policies you can check terraform plan output for compliance with your internal guidelines, for example limiting the kinds of resources that can be provisioned in a particular environment or team. Plan policy is checked after every plan, and before every apply.

Access policies

With access policies you can control which Digger operations are allowed at any given time based on various inputs. Access policy is checked before every plan and apply and is passed the following data:

  • user ID (from GitHub)
  • plan policy violations, if any
  • list of users who approved the PR

This way you can implement custom logic, for example allowing a PR that has policy violations to be applied only if certain users have approved it.
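As an added illustration of that logic (not a policy shipped by the Digger project), the Rego access policy below allows an operation when the plan has no violations, or when a plan with violations was approved by one of a designated set of users. The input field names (input.user, input.planPolicyViolations, input.approvals), the approver list and the rego.v1 syntax (OPA 0.59 or newer) are assumptions of this example; check the Digger docs for the exact input schema your version passes.

```rego
package digger

import rego.v1

# Hypothetical input shape assumed for this example:
#   input.user                 - user ID of the GitHub actor
#   input.planPolicyViolations - list of plan policy violation messages
#   input.approvals            - list of user IDs who approved the PR

default allow := false

# Constructed sample: users allowed to override plan policy violations.
violation_approvers := {"platform-lead", "security-admin"}

# Case 1: a clean plan may proceed for any user.
allow if {
	count(input.planPolicyViolations) == 0
}

# Case 2: the plan has violations, but at least one PR approver is
# on the override list.
allow if {
	count(input.planPolicyViolations) > 0
	some approver in input.approvals
	violation_approvers[approver]
}

# Human-readable reason when the operation is blocked, useful in the
# PR comment so the author knows who needs to approve.
deny contains msg if {
	not allow
	msg := sprintf(
		"plan has %d policy violation(s); approval from one of %v is required",
		[count(input.planPolicyViolations), violation_approvers],
	)
}
```

With an input such as `{"user": "dev1", "planPolicyViolations": ["no public S3 buckets"], "approvals": ["security-admin"]}` the policy evaluates `allow` to true; remove the approval and `deny` reports the missing override.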

Ways to configure policies

In Digger there are 3 ways to use OPA policies:

  • via Management Repo (EE)
  • via (unofficial) Orchestrator API (CE)
  • inline via Conftest (CE)

See OPA policies for more detail.