Conditionally Skip Approval Steps
In this guide, you'll learn how to configure a Grant Kit with multiple review steps. Each step contains a list of reviewers who must approve or deny an access request. One of these steps will be skipped when a condition defined in a policy is met.
We will use the Using Multiple Approval Steps guide as a base and modify it for this use case.
Step 1. Add a Policy to Skip a Step
Let's make the last step skippable. We may want to do this for many reasons. Here are some ideas:
Skip a step if someone has a privilege, for example, they're on-call.
Skip a step if someone belongs to a privileged team, for example, if they're an account manager.
Skip a step if someone is above a certain level in their organization.
For this example, let's skip the last step if the requester is on-call, as determined by PagerDuty.
resource "abbey_grant_kit" "null_grant" {
  ...
  workflow = {
    steps = [
      {
        reviewers = {
          one_of = ["alice@example.com"]
        }
      },
      {
        reviewers = {
          one_of = ["bob@example.com", "carol@example.com"]
        }
      },
      {
        reviewers = {
          all_of = ["dan@example.com", "eve@example.com", "frank@example.com"]
        }
+       skip_if = [
+         { bundle = "github://example-org/example-repo/policies/on-call" }
+       ]
      }
    ]
  }
  ...
}
Note: this GitHub repo should be the same repo as the one defined in your Outputs.
We added a Policy Bundle containing the rules for skipping the step when someone is on-call. This bundle was prebuilt with Open Policy Agent and lives in the same repo as the main.tf file. Only the third step carries a skip_if, so an on-call requester still goes through the first two review steps.
To get a sense of the logic, take a look at the policy:
package pagerduty

# Assumed, not stated on the page: Abbey supplies the requester's attributes under
# input.user, so `user.pagerduty.isoncall` below resolves to input.user.pagerduty.isoncall.
import input.user

skip[msg] {
  # Only the boolean true triggers the skip; a missing attribute leaves this undefined.
  user.pagerduty.isoncall == true
  msg := "skipping review step for on-calls"
}
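Before pointing a Grant Kit at this bundle, it is worth checking offline that the rule fires only when it should. What follows is an added example, not code from the page or from Abbey: a single Rego file that restates the on-call rule with the rego.v1 keywords and adds opa test cases for it. It assumes (the page does not say) that Abbey passes the requester's attributes under input.user, which is what the import makes `user.pagerduty.isoncall` resolve to; the sample inputs are constructed here, and the file name below is just a suggestion.

```rego
package pagerduty

import rego.v1
import input.user  # Assumption: Abbey puts the requester's attributes under input.user

# The page's on-call rule in rego.v1 keyword form: skip the step only when the
# PagerDuty attribute is the boolean true.
skip contains msg if {
	user.pagerduty.isoncall == true
	msg := "skipping review step for on-calls"
}

# Constructed input: the requester is on call, so the skip message is produced.
test_skip_when_on_call if {
	skip["skipping review step for on-calls"] with input as {"user": {"pagerduty": {"isoncall": true}}}
}

# Constructed input: not on call, no skip message is produced.
test_no_skip_when_off_call if {
	count(skip) == 0 with input as {"user": {"pagerduty": {"isoncall": false}}}
}

# Constructed input: the integration returned no PagerDuty data for this user.
# The comparison is undefined, the rule does not fire, and the step stays (fail closed).
test_no_skip_when_attribute_missing if {
	count(skip) == 0 with input as {"user": {"email": "alice@example.com"}}
}

# Constructed input: the string "true" is not the boolean true, so the step is not skipped.
test_no_skip_when_not_boolean if {
	count(skip) == 0 with input as {"user": {"pagerduty": {"isoncall": "true"}}}
}
```

Save it as, say, skip_test.rego and run `opa test -v skip_test.rego` (OPA 0.59 or later; `import rego.v1` keeps the file valid unchanged on OPA 1.x). The last two tests document why the rule compares with `== true` rather than just naming the attribute: in a rule body, a bare term such as `user.pagerduty.isoncall` is satisfied by any defined value other than false, including the string "false", whereas the explicit comparison is undefined for a missing attribute and false for a non-boolean, so in both cases the third review step is kept. For a rule whose only effect is to remove a reviewer, that fail-closed default is the behaviour you want.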