OPA policies
Digger supports granular policy-as-code governance via Open Policy Agent (OPA). You can specify policies at project as well as organisation level.
There are 2 types of policies in Digger:
- Plan policies
- Access policies
Plan policies
With plan policies you can check terraform plan output for compliance with your internal guidelines, for example limiting the kinds of resources that can be provisioned in a particular environment or team. Plan policy is checked after every plan, and before every apply.
Access policies
With access policies you can control which Digger operations are allowed at any given time based on various inputs. Access policy is checked before every plan and apply and is passed the following data:
- user id (from github)
- plan policy violations, if any
- list of users who approved the PR
This way you can implement custom logic, for example allowing to apply a PR that has policy violations in case certain users approved it.