
adding some policies for conftest #91

Closed



@leefaus leefaus commented Jan 13, 2021

@eddie-knight and @leefaus worked on some policies based on the existing GKE Terraform scripts already created to do some validations. To test that these policies work you should follow these steps:

```shell
git clone https://github.com/leefaus/cloud-service-certification.git
cd cloud-service-certification
docker run --rm -v $(pwd):/project openpolicyagent/conftest test modules/kubernetes/main.tf
```

Also check the diffs to see that I made some changes so we could see the test actually fail.


finos-cla-bot bot commented Jan 13, 2021

Thank you for your contribution and Welcome to our Open Source Community!

To make sure your pull request is accepted successfully, we ask all our open source contributors to sign a Contributor License Agreement.

Having reviewed our contributor list, we require a CLA for the following people: (@leefaus).

If you need help obtaining a CLA, please read the Requirements for Contributions section of our CLA wiki or email help@finos.org with your questions.

Thanks once again for your contribution. Let us work with you to make the CLA process quick, easy and efficient so we can move forward with reviewing and accepting your pull request.

cc @finos-admin

@mcleo-d mcleo-d added the ready for review Item ready for review by the wider community label Jan 14, 2021
@mcleo-d mcleo-d added this to To do in Compliant Financial Infrastructure via automation Jan 14, 2021
@mcleo-d mcleo-d moved this from To do to In progress in Compliant Financial Infrastructure Jan 14, 2021
@mcleo-d mcleo-d added enhancement New feature or request and removed ready for review Item ready for review by the wider community labels Jan 14, 2021

ghost commented Jan 14, 2021

This is really cool @leefaus & @eddie-knight !

Is it possible to link each test case to the policies written in the Service Approval Accelerator in some way, so that you can have traceability of the whole flow from policy to test execution?

@mcleo-d mcleo-d mentioned this pull request Jan 22, 2021
@mcleo-d mcleo-d added bdd Items related to BDD activities and removed enhancement New feature or request labels Jan 22, 2021

mcleo-d commented Jan 22, 2021

Hi @leefaus - Thanks for sending across your signed FINOS ICLA. I have been advised to pursue a FINOS CCLA with Armory and have sent you a response via email. It would be great to catch up to discuss.


mcleo-d commented Jan 22, 2021

@alfredtommy and @pudern,

During the last Cloud Service Certification meeting #89, @leefaus advised we should get the GCP IaC contributors together to run through the GCP Service Accelerator Template and IaC to build the BDD OPA testing requirements.

We are now really close to closing the loop on the first GCP GKE user journey and would really appreciate your input, help and support.

Many thanks,

James 🚀


leefaus commented Jan 22, 2021

@danizheleva - I have been thinking about this. The company backing the Open Policy Agent, Styra, have been in communication with me about this. We are talking through a few solutions.

@daniela-g-zheleva-db

> @danizheleva - I have been thinking about this. The company backing the Open Policy Agent, Styra, have been in communication with me about this. We are talking through a few solutions.

Awesome, thanks for the update Lee. Interested to hear what you come up with.


mcleo-d commented Feb 25, 2021

A working group session has been scheduled to discuss and prioritise actions related to testing certified cloud services.

Cloud Service Certification - Automated Testing Group Session

Tuesday 2nd March @ 9am ET / 2pm UK

Related issues ... #84 (comment), #62

@mcleo-d mcleo-d moved this from In progress to Sprint 1 - 25th March (Sprint Start) to 22nd April (Sprint End) in Compliant Financial Infrastructure Mar 25, 2021
@mcleo-d mcleo-d moved this from Sprint 1 - 25th March (Start) to 22nd April (End) to In progress in Compliant Financial Infrastructure Apr 22, 2021

iantivey commented May 10, 2021

One of my gripes with conftest is that it doesn't tell you what policies were actually evaluated, it just tracks the number of policies that have been successfully evaluated. This makes generating an audit and managing provenance tricky. That said, it's really easy to write policies and unit test them, so there's definitely value in conftest in developing and testing policies but I feel that we need something more explicit when using the policies against real life deployments.

In Probr we've created some OPA-oriented "probes". For these we have used individual Rego functions, which return an explicit true or false.
https://github.com/citihub/probr-pack-aks/blob/main/internal/common/aks.rego

...which we call from Cucumber statements, like these
https://github.com/citihub/probr-pack-aks/blob/main/internal/azure/aks/aks.feature

The code to add a new rego function is quick to add, using a common helper function we've written -
https://github.com/citihub/probr-pack-aks/blob/5476874eaeba4e3d5e90f0ac5db708652c046ef4/internal/azure/aks/scenarios.go#L17

Perhaps we could restructure the Rego, so that the deny[msg] conftest functions call a specific rego function, allowing the user to use either conftest or Probr-wrapped OPA according to their requirements?

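The restructuring proposed above, as an added example that is neither this PR's policy nor Probr's code: each GKE check is a Rego function returning an explicit true or false, and the conftest `deny[msg]` rule only calls those functions, so the same checks can be unit-tested with `conftest verify` or wrapped by another harness. It assumes the JSON conftest builds from a Terraform file via its HCL2 parser, where nested blocks such as `private_cluster_config` appear as arrays, and the `deny[msg]` rule syntax referred to on this page.

```rego
package main

# Added example (not the PR's policy); assumes conftest's HCL2 JSON, where nested blocks are arrays.

# Each check is a named function returning an explicit true or false, so it can
# be called on its own (for example from a Probr-style probe) or from the deny
# rule below. `else = false` makes the result defined even when the field is absent.
private_nodes_enabled(cluster) = true {
    cluster.private_cluster_config[_].enable_private_nodes == true
} else = false { true }

network_policy_enabled(cluster) = true {
    cluster.network_policy[_].enabled == true
} else = false { true }

master_authorized_networks_configured(cluster) = true {
    count(cluster.master_authorized_networks_config[_].cidr_blocks) > 0
} else = false { true }

# One table of checks, so conftest and any external caller evaluate the same list
# and the failing check names can be reported for audit purposes.
failed_checks(cluster) = failed {
    results := {
        "private_cluster_config.enable_private_nodes": private_nodes_enabled(cluster),
        "network_policy.enabled": network_policy_enabled(cluster),
        "master_authorized_networks_config.cidr_blocks": master_authorized_networks_configured(cluster)
    }
    failed := {name | results[name] == false}
}

# conftest entry point: one message per failing check per google_container_cluster.
deny[msg] {
    cluster := input.resource.google_container_cluster[name]
    failed := failed_checks(cluster)
    check := failed[_]
    msg := sprintf("google_container_cluster.%s: %s is not set securely", [name, check])
}

# Unit tests for `conftest verify`, on constructed input: one failing, one passing cluster.
test_private_nodes_off_is_denied {
    cluster := {"private_cluster_config": [{"enable_private_nodes": false}]}
    failed := failed_checks(cluster)
    failed["private_cluster_config.enable_private_nodes"]
}

test_hardened_cluster_passes {
    cluster := {"private_cluster_config": [{"enable_private_nodes": true}], "network_policy": [{"enabled": true}], "master_authorized_networks_config": [{"cidr_blocks": [{"cidr_block": "10.0.0.0/8"}]}]}
    count(failed_checks(cluster)) == 0
}
```

Placed under a `policy/` directory, `conftest test modules/kubernetes/main.tf` runs the deny rule against the Terraform file and `conftest verify` runs the two `test_` rules.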
@abdullahgarcia

Any chance we can have a dedicated call to go over this pull request?


mcleo-d commented Jun 11, 2021

Hi @leefaus,

I have extended CSC Sprint 2 until 17th June '21 due to team member annual leave and have added this item to the #127 agenda to discuss in relation to completion and Sprint 3.

FYI, I am working with the Armory team on completing the CCLA so your pull requests can be accepted and merged. I have a meeting with the team on Monday 14th June to step through the LF EasyCLA process.

Cheers,

James 🚀

@mcleo-d mcleo-d moved this from In progress to Sprint 3 - 17th June to 15th July '21 in Compliant Financial Infrastructure Jun 17, 2021

mcleo-d commented Jul 1, 2021

@leefaus - The Armory CCLA is now signed and you have been added to the FINOS CLA Bot. You are also free to move forward according to the following comment ... #119 (comment)

@mcleo-d mcleo-d moved this from Sprint 3 - 17th June to 15th July '21 to Prioritised in Compliant Financial Infrastructure Jul 15, 2021

mcleo-d commented Jul 15, 2021

@leefaus - The CSC project moved to backlog at the end of Sprint 3 #131

@leefaus to decide whether to bring into Sprint 4 https://github.com/orgs/finos/projects/1#column-15157368

@abdullahgarcia

@leefaus , we'll need a run-down session on the files involved in this pull request.


mcleo-d commented Feb 1, 2022

@leefaus @eddie-knight and @peter-thomas-db - I have closed this PR as we can now refer to the awesome work done by @leefaus as we move forward with OC-CDMC and Probr.

Thanks @leefaus for your awesome contrib to the project ❤️

@mcleo-d mcleo-d closed this Feb 1, 2022
Compliant Financial Infrastructure automation moved this from Prioritised to Done Feb 1, 2022