Links
Comment on page

Quickstart

In this Quickstart, you'll learn how to set up and use Abbey.
Abbey helps you manage the workflows for access requests and approvals, making it easier for people to get access to Resources.
We allow engineers to integrate these workflows directly into the Infrastructure provisioning process. Since you are already using an Infrastructure as Code (IaC) tool like Terraform, Abbey extends your IaC deployment through a Grant Kit.
A resource can be a production database or a cloud IAM role. In this Quickstart we will use the Abbey Demo Site as a resource example.
Go to Abbey Demo Site, login, and you'll find that you don't have access. That's expected! This Quickstart will allow you to configure a Grant Kit for the "Demo Site" so you can request and approve access.

Before you start

  1. 1.
    Create an Abbey Account
  2. 2.
    Install Terraform locally
  3. 3.
    Log into your GitHub account
💻
If you'd like to try out our new CLI setup wizard, head over to our github at abbeylabs/cli and follow the instructions in the README. Otherwise continue with the below steps

Step 1: Clone this Repo in Git

Clone abbeylabs/abbey-starter-kit-quickstart into your local development environment by following the instructions in Get a Starter Kit.

Step 2: Configure GitHub

Follow the instructions in Connect a Repo to connect Abbey to your GitHub account.

Step 3: Configure Your Grant Kit

A Grant Kit has three components:
  1. 1.
    Workflow to configure how someone should get access.
  2. 2.
    Policies to configure if someone should get access.
  3. 3.
    Output to configure how and where Grants should materialize.
We will first update main.tf by defining the approval steps. Add yourself as the reviewer by adding the email you use to sign-in to Abbey with.
main.tf
1
resource "abbey_grant_kit" "abbey_demo" {
2
name = "Abbey_Demo_Site"
3
...
4
workflow = {
5
steps = [
6
{
7
reviewers = {
8
- one_of = ["[email protected]"] # CHANGEME
9
+ one_of = ["[email protected]"]
Policies are rules that govern whether someone should have access. Abbey allows any engineer to write arbitrary rules via it's support of Open Policy Agent.
In this quickstart, we'll reference a policy bundle, which is a collection of rules that can be used across Grant Kits. Update the location with your GitHub repo name.
main.tf
1
resource "abbey_grant_kit" "abbey_demo" {
2
...
3
policies = [
4
- { bundle = "github://replace-me-with-organization/replace-me-with-repo/policies" } # CHANGEME
5
+ { bundle = "github://replace-me-with-organization/replace-me-with-repo/policies" } # Use your own organization and repo
One type of policy is the automatic revocation of access, which Abbey supports via Time-based Access.
Update the policy in policies/common/common.rego so that access to the Demo Site expires after 5 minutes, not 0.
common.rego
1
allow[msg] {
2
- functions.expire_after("0m")
3
+ functions.expire_after("5m")
4
- msg := "granting access for 0 minutes"
5
+ msg := "granting access for 5 minutes"
6
}
Now, we will configure the Output, which is the materialized change in Terraform-native code. On approval, the user is granted read_write access to our demo site.
The email field below is an example for how you can reference variables, like identities and associated metadata that are derived from different systems (like an on-call schedule in PagerDuty). You can then use these data to help build better workflows and policies.
main.tf
1
resource "abbey_grant_kit" "abbey_demo" {
2
...
3
output = {
4
# Replace with your own path pointing to where you want your access changes to manifest.
5
# Path is an RFC 3986 URI, such as `github://{organization}/{repo}/path/to/file.tf`.
6
- location = "github://replace-me-with-organization/replace-me-with-repo/access.tf" # CHANGEME
7
+ location = "github://replace-me-with-organization/replace-me-with-repo/access.tf" # Use your own organization and repo.
8
append = <<-EOT
9
resource "abbey_demo" "grant_read_write_access" {
10
permission = "read_write"
11
email = "{{ .data.system.abbey.abbey_identity }}"

Step 4: Deploy Your Starter Kit

To deploy your Starter Kit, follow instructions from Deploy Your Grant Kit.

Step 5: Make a Request

Visit the Abbey web application, click on Resources, and click Request next to the Demo resource. There are detailed instructions in Request Access doc.
Since all changes are backed by Git, you will see a PR get created in your repo with comments that outline the requested change in permissions.

Step 6: Approve the Request

To make things simple, we have set ourselves as the Approver. Click the Approvals tab and click Approve. See Approve or Deny Access Requests for detailed instructions.
You'll (eventually) see that the PR in GitHub was merged.

Step 7: Access the Demo Site

Now let's go back to the Abbey Demo Site.
🎉
Congrats! You should now have access.
🎉

Next Steps

To learn more about what Resources you can configure, try one of our Tutorials.