
Harness OPA using Scorecards

info

This feature is currently behind the feature flag IDP_ENABLED. Please contact Harness Support to enable it in your account.

Harness Policy As Code uses Open Policy Agent (OPA) as the central service to store and enforce policies for the different entities and processes across the Harness platform. For more information about Harness Policy as Code, go to Harness Governance Overview and Harness Governance Quickstart.

You can centrally define and store policies and then select where (which entities) and when (which events) they will be applied.

Policies are written in Rego, the OPA policy authoring language. For more information, go to OPA Policy Authoring.

Examples with Harness OPA using Scorecards

There are two sets of OPA policies that you can apply to any CD pipeline.

When a Pipeline is saved, the service used in the pipeline must have a score above the set limit; otherwise the pipeline cannot be saved.

package pipeline

# Deny pipelines that are configured for service name 'orderService'
# ... and score of 'Service Maturity' scorecard is less than 50.
# Absence of either of these will not halt the pipeline execution
deny[msg] {
    stage = input.pipeline.stages[_].stage # Find all stages ...
    stage.type == "Deployment"             # ... that are deployments

    scorecard := stage.spec.idpScorecard.orderService[_]
    scorecard.name == "Service Maturity"
    scorecard.score < 50

    msg := sprintf("orderService has score less than 50, current score: '%v'", [scorecard.score])
}

In the Rego script, we use stage.spec.idpScorecard.orderService[_] to fetch the Harness service ID mentioned in the annotation harness.io/cd-serviceId: <SERVICE_IDENTIFIER>. If you have followed the onboarding guide, this annotation is automatically ingested in your catalog-info.yaml; otherwise you have to add it manually.

  • Success: The score for the service you're using in your pipeline is above the set limit, so when you save the Pipeline, the policy rule is evaluated and returns success.
  • Warning: A warning message appears: Your Score for the service used needs to be more than 50. If you save the Pipeline and deploy, Harness will throw an error.
  • Failure: You configure a Pipeline with a Deploy stage that deploys to a prod environment with a service whose score is below the set limit. When you save the Pipeline, Harness throws an error message indicating the rule was enforced, and the Pipeline fails validation.

Tutorial - Harness Policy As Code for Services using Scorecards

This tutorial explains how you can create a policy and apply it to all services in your account. The policy is evaluated at the service level, based on the score fetched from scorecards and the conditions set by users. The policy triggers on pipeline events, such as saving a pipeline, which occurs during Connector Creation and Updates.

  1. Go to Account Setting under Administrative Settings.

  2. Select Policies under Security and Governance.

  3. Go to the Policies tab and select New Policy.

  4. Add a name to your policy and then select Apply.

  5. In the Library, select IDP Scorecard and select Use this Sample.

  6. Test and save the policy.

  7. Go to Policy Sets and select New Policy Set.

  8. Enter a Name, select the Entity to apply it to, and select the event for which it should be evaluated.

  9. Add the policy you created previously, and then change the type to Warn & Continue. Then select Apply.

  10. Finish and save your policy set. You can now use this policy set in your CD pipelines.
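
For the "Test and save the policy" step, the following is an added example, not Harness's sample policy: it generalizes the orderService rule above to every service and adds unit tests over constructed inputs. It assumes stage.spec.idpScorecard is keyed by service ID, as the orderService path suggests; min_score, scorecard_name and pipeline_with are hypothetical names.

```rego
package pipeline

# Added example. Rego v0 syntax, matching the policy shown on this page.
# Assumption: idpScorecard maps <service ID> -> list of {name, score}.
min_score := 50

scorecard_name := "Service Maturity"

# Deny any Deployment stage whose service scores below min_score.
deny[msg] {
	stage := input.pipeline.stages[_].stage
	stage.type == "Deployment"

	scorecard := stage.spec.idpScorecard[service_id][_] # iterate all services
	scorecard.name == scorecard_name
	scorecard.score < min_score

	msg := sprintf("%v has score less than %v, current score: '%v'", [service_id, min_score, scorecard.score])
}

# Constructed input: a pipeline with one Deployment stage and the given scorecards.
pipeline_with(cards) = {"pipeline": {"stages": [{"stage": {
	"type": "Deployment",
	"spec": {"idpScorecard": cards},
}}]}}

test_low_score_denied {
	inp := pipeline_with({"orderService": [{"name": "Service Maturity", "score": 40}]})
	result := deny with input as inp
	result == {"orderService has score less than 50, current score: '40'"}
}

test_passing_score_allowed {
	inp := pipeline_with({"orderService": [{"name": "Service Maturity", "score": 75}]})
	result := deny with input as inp
	count(result) == 0
}

# Fail-open behaviour stated in the policy comment: no scorecard data, no denial.
test_missing_scorecard_not_denied {
	inp := pipeline_with({})
	result := deny with input as inp
	count(result) == 0
}
```

Run it locally with `opa test` on the file; on OPA 1.x add `--v0-compatible`, because the rule bodies use the pre-1.0 syntax shown on this page. The third test makes the fail-open case explicit: a service with no ingested scorecard passes the policy.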