Create an Approval Policy

To add a layer of governance to deployment requests before they are run, you can create an approval policy using the Policies API. The policy controls who must agree to a deployment or Day 2 action before a request is provisioned.
  • Verify that all general prerequisites and prerequisites for the Automation Service Broker Policies service have been satisfied. See Prerequisites for API Use Case Examples.
  • Assign an API version variable for the Approvals API.
    api_version_approval='2020-11-01'
    The Approvals APIs and Policies APIs have different API version values. You set the API version value for the Policies APIs when you satisfied the general prerequisites.
  • Verify that you know the name of the Cloud Template to which you want to apply the approval policy.
You create an approval policy based on certain deployment criteria, such as deployments created from a specific cloud template. For example, if you specify a cloud template ID, you can create a policy that requires a specified level of approval for deployments created from that cloud template.
The following procedure shows how to use the Approval API to get the cloud template ID and list approval actions for a deployment before creating the approval policy using the Policy API.
  1. List the cloud templates.
    curl -X GET \
      "$url/approval/api/policy/data/blueprints?apiVersion=$api_version_approval" \
      -H "Authorization: Bearer $access_token" | jq "."
  2. Examine the response to find the ID of the cloud template for the approval policy.
  3. Assign the cloud template variable.
    cloudtemplateId="<your_cloud_template_ID>"
  4. If you do not know the actions to specify in the policy, list the IDs of deployment actions.
    curl -X GET \
      "$url/approval/api/policy/data/actions?apiVersion=$api_version_approval&search=Deployment" \
      -H "Authorization: Bearer $access_token" | jq "."
    Note the action IDs.
  5. Create an approval policy with hard enforcement that is applied to deployments created from the cloud template with cloudtemplateId.
    • For an approval policy, you specify "typeId": "com.vmware.policy.approval".
    • autoApprovalExpiry specifies the number of days that the approvers have to act before triggering the autoApprovalDecision.
    • level specifies the order in which the policy is applied with values 1-99. For example, level 1 approvals are applied first, followed by level 2 approvals and so forth.
    curl -X POST \
      "$url/policy/api/policies?apiVersion=$api_version" \
      -H "Authorization: Bearer $access_token" \
      -H 'Content-Type: application/json' \
      -d '{
        "name": "<your_approval_policy_name>",
        "enforcementType": "HARD",
        "typeId": "com.vmware.policy.approval",
        "definition": {
          "level": <policy_level>,
          "approverType": "USER",
          "approvalMode": "ALL_OF",
          "autoApprovalDecision": "APPROVE",
          "approvers": [
            "USER:<approver1_ID>",
            "USER:<approver2_ID>"
          ],
          "autoApprovalExpiry": <number_of_days>,
          "actions": [
            "<actionID_1>",
            "<actionID_2>",
            "<actionID_3>"
          ]
        },
        "criteria": {
          "matchExpression": [
            {
              "key": "blueprintId",
              "operator": "eq",
              "value": "'$cloudtemplateId'"
            }
          ]
        }
      }' | jq "."
Create an approval policy
Create a policy named Sample Approval Policy to apply to deployments created from a cloud template named template-1.
Assign variables.
    $ url='https://appliance.domain.com'
    $ api_version='2020-08-25'
    $ api_version_approval='2020-11-01'
List the cloud templates.
    curl -X GET \
      "$url/approval/api/policy/data/blueprints?apiVersion=$api_version_approval" \
      -H "Authorization: Bearer $access_token" | jq "."
Examine the response to find the cloud template named template-1.
    ...
    {
      "id": "77265efc-6d06-428e-9fad-3ad8f31441f3",
      "name": "template-1",
      "description": ""
    }
    ...
Assign the cloud template ID variable.
    $ cloudtemplateId="77265efc-6d06-428e-9fad-3ad8f31441f3"
List the deployment actions.
    curl -X GET \
      "$url/approval/api/policy/data/actions?apiVersion=$api_version_approval&search=Deployment" \
      -H "Authorization: Bearer $access_token" | jq "."
Examine the response to find the IDs of the deployment actions that you want to specify in your approval policy.
    ...
    {
      "id": "Deployment.Create",
      "name": "Create",
      "description": "Create a deployment",
      "resourceType": "Deployment"
    },
    ...
    {
      "id": "Cloud.Azure.Machine.PowerOn",
      "name": "Power On",
      "description": "Power on a machine",
      "resourceType": "Cloud.Azure.Machine"
    },
    ...
    {
      "id": "Cloud.Azure.Machine.PowerOff",
      "name": "Power Off",
      "description": "Power off a machine",
      "resourceType": "Cloud.Azure.Machine"
    },
    ...
Use the cloud template ID to create the approval policy of level 2 with hard enforcement named Sample Approval Policy. When a deployment is requested, users listed will act as approvers for the actions: provision, power on, and power off an Azure machine. If approvers do not act within three days, then the deployment actions are automatically approved.
    $ curl -X POST \
      "$url/policy/api/policies?apiVersion=$api_version" \
      -H "Authorization: Bearer $access_token" \
      -H 'Content-Type: application/json' \
      -d '{
        "name": "Sample Approval Policy",
        "enforcementType": "HARD",
        "typeId": "com.vmware.policy.approval",
        "definition": {
          "level": 2,
          "approverType": "USER",
          "approvalMode": "ALL_OF",
          "autoApprovalDecision": "APPROVE",
          "approvers": [
            "USER:mary@mycompany.com",
            "USER:susan@mycompany.com"
          ],
          "autoApprovalExpiry": 3,
          "actions": [
            "Deployment.Create",
            "Cloud.Azure.Machine.PowerOn",
            "Cloud.Azure.Machine.PowerOff"
          ]
        },
        "criteria": {
          "matchExpression": [
            {
              "key": "blueprintId",
              "operator": "eq",
              "value": "'$cloudtemplateId'"
            }
          ]
        }
      }' | jq "."
The response shows the approval policy.
    {
      "id": "62ad2f02-0b2a-4ed8-a739-a6c40d761e49",
      "name": "Sample Approval Policy",
      "typeId": "com.vmware.policy.approval",
      "enforcementType": "HARD",
      "orgId": "d2994f92-bd52-45b1-9220-686b20944c2c",
      "definition": {
        "level": 2,
        "approverType": "USER",
        "approvalMode": "ALL_OF",
        "autoApprovalDecision": "APPROVE",
        "approvers": [
          "USER:mary@mycompany.com",
          "USER:susan@mycompany.com"
        ],
        "autoApprovalExpiry": 3,
        "actions": [
          "Deployment.Create",
          "Cloud.Azure.Machine.PowerOn",
          "Cloud.Azure.Machine.PowerOff"
        ]
      },
      "criteria": {
        "matchExpression": [
          {
            "key": "blueprintId",
            "operator": "eq",
            "value": "77265efc-6d06-428e-9fad-3ad8f31441f3"
          }
        ]
      },
      "createdAt": "2021-11-08T09:45:38.108885Z",
      "createdBy": "admin@mycompany.com",
      "lastUpdatedAt": "2021-11-08T09:45:38.108885Z",
      "lastUpdatedBy": "admin@mycompany.com"
    }
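
With "autoApprovalDecision": "APPROVE", a request that no approver acts on within autoApprovalExpiry days is approved without review. The Python check below is an added example, not part of the original page or the product; the function name review_policy and the finding codes are assumptions. It reviews a policy body for that setting and for the other fields this page describes before the body is sent.

```python
import json

# Constructed sample: the policy body from the example request on this page.
SAMPLE_POLICY = json.loads("""
{"name": "Sample Approval Policy", "enforcementType": "HARD",
 "typeId": "com.vmware.policy.approval",
 "definition": {
   "level": 2, "approverType": "USER", "approvalMode": "ALL_OF",
   "autoApprovalDecision": "APPROVE", "autoApprovalExpiry": 3,
   "approvers": ["USER:mary@mycompany.com", "USER:susan@mycompany.com"],
   "actions": ["Deployment.Create", "Cloud.Azure.Machine.PowerOn",
               "Cloud.Azure.Machine.PowerOff"]},
 "criteria": {"matchExpression": [
   {"key": "blueprintId", "operator": "eq",
    "value": "77265efc-6d06-428e-9fad-3ad8f31441f3"}]}}
""")


def review_policy(policy):
    """Return (code, message) findings for an approval policy request body."""
    findings = []
    d = policy.get("definition", {})
    if policy.get("typeId") != "com.vmware.policy.approval":
        findings.append(("TYPE", "typeId is not the approval policy type"))
    if policy.get("enforcementType") != "HARD":
        findings.append(("ENFORCEMENT", "enforcementType is not HARD"))
    level = d.get("level")
    if not isinstance(level, int) or not 1 <= level <= 99:
        findings.append(("LEVEL", "level must be an integer from 1 to 99"))
    approvers = d.get("approvers", [])
    if not approvers or len(set(approvers)) != len(approvers):
        findings.append(("APPROVERS", "approvers is empty or has duplicates"))
    if not d.get("actions"):
        findings.append(("ACTIONS", "no actions listed"))
    if d.get("autoApprovalDecision") == "APPROVE":
        days = d.get("autoApprovalExpiry")
        findings.append(("AUTO_APPROVE",
                         f"approved automatically after {days} day(s) of no approver action"))
    matches = policy.get("criteria", {}).get("matchExpression", [])
    if not any(m.get("key") == "blueprintId" and m.get("operator") == "eq"
               and m.get("value") for m in matches):
        findings.append(("SCOPE", "no blueprintId criterion ties the policy to a cloud template"))
    return findings


if __name__ == "__main__":
    for code, message in review_policy(SAMPLE_POLICY):
        print(f"{code}: {message}")
```

For the sample body the only finding is AUTO_APPROVE, which matches the three-day automatic approval the example describes.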