Conditionally Skip Approval Steps

In this guide, you'll learn how you can configure a Grant Kit to have multiple review steps. Each step will contain a list of reviewers required to approve or deny an access request. One of these steps will be skipped based on a condition we define in a policy.

We will be using the Using Multiple Approval Steps as a base and modify it to this use case.

Step 1. Add a Policy to Skip a Step

Let's make the second step skippable. We may want to do this for many reasons. Here are some ideas:

  1. Skip a step if someone has a privilege, for example, they're on-call.

  2. Skip a step if someone belongs to a privileged team, for example, if they're an account manager.

  3. Skip a step if someone is above a certain level in their organization.

For this example, let's skip the last step if someone is on-call, as determined by PagerDuty.

main.tf
resource "abbey_grant_kit" "null_grant" {
  ...

  workflow = {
    steps = [
      {
        reviewers = {
          one_of = ["alice@example.com"]
        }
      }
      },
      {
        reviewers = {
          one_of = ["bob@example.com", "carol@example.com"]
        }
      }
      },
      {
        reviewers = {
          all_of = ["dan@example.com", "eve@example.com", "frank@example.com"]
        }
+        skip_if = [
+          { bundle = "github://example-org/example-repo/policies/on-call" }
+        ]
+      }
    ]
  }

  ...
}

Note: This github repo should be the same as the repo defined in your Outputs

We added a Policy Bundle that contains rules for skipping if someone is on-call. This bundle was prebuilt using Open Policy Agent and exists within the same repo as the main.tf file.

To get a sense of the logic, take a look at the policy:

policies/on-call/pagerduty.rego
package pagerduty

skip[msg] {
  user.pagerduty.isoncall == true
  msg := "skipping review step for on-calls"
}
PreviousUsing Multiple Approval StepsNextUser Roles

Last updated