Expire After a Duration

In this guide, you'll learn how you can configure a Grant Kit to automatically revoke access to a grant after some duration. You'll do this by importing and using an expiration policy Abbey provides out-of-the-box.

We will use the Quickstart as a base and modify it for this use case.

Step 1: Add a Directory for Your Policy

In your repo, add a directory to put your policies.

/
.github/
+ policies/
+   .manifest
+   common.rego
.gitignore
.terraform.lock.hcl
LICENSE
README.md
access.tf
main.tf
outputs.tf
variables.tf

Abbey will automatically build your policies for you using the standard Open Policy Agent (OPA) CLI via opa build.

Step 2: Configure Your Manifest and Policy

First, configure your Manifest in your .manifest file. This will tell the Policy Engine where your policy file is located.

+ {"roots": ["common"]}

Next, write your policy using Abbey's expiration helper functions.

common.rego
package common

import data.abbey.functions

allow[msg] {
  functions.expire_after("24h")
  msg := "granting access for 24 hours."
}

Abbey revokes grants in real time. When 24 hours have passed, the grant will be revoked immediately.

Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
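Because there is no day unit, a value such as "7d" is not a valid duration. The following pre-merge lint is an added example, not part of Abbey or of the original guide: it finds every expire_after call in a policy file, rejects units outside the list above, and flags durations above a review ceiling. The function names, the 72h ceiling, and the assumption that a duration is one or more number-plus-unit terms (such as "1h30m") are hypothetical.

```python
import re
from decimal import Decimal

# Units the guide lists as valid, mapped to nanoseconds.
UNIT_NS = {"ns": 1, "us": 10**3, "µs": 10**3, "ms": 10**6,
           "s": 10**9, "m": 60 * 10**9, "h": 3600 * 10**9}
CALL_RE = re.compile(r'expire_after\(\s*"([^"]*)"\s*\)')
# Assumption: a duration is one or more <number><unit> terms, e.g. "1h30m".
TERM_RE = re.compile(r'(\d+(?:\.\d+)?)([a-zµ]+)')

def parse_duration_ns(text):
    """Return the duration in nanoseconds, or raise ValueError."""
    pos, total = 0, Decimal(0)
    while pos < len(text):
        m = TERM_RE.match(text, pos)
        if not m:
            raise ValueError(f"malformed duration {text!r}")
        number, unit = m.groups()
        if unit not in UNIT_NS:
            raise ValueError(f"unknown unit {unit!r} in {text!r}")
        total += Decimal(number) * UNIT_NS[unit]
        pos = m.end()
    if total <= 0:
        raise ValueError(f"duration {text!r} is empty or zero")
    return int(total)

def lint_policy(source, max_ns):
    """Return (line_number, message) findings for every expire_after call."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for m in CALL_RE.finditer(line):
            try:
                if parse_duration_ns(m.group(1)) > max_ns:
                    findings.append((lineno, f"{m.group(1)!r} exceeds the review ceiling"))
            except ValueError as exc:
                findings.append((lineno, str(exc)))
    return findings

# Constructed sample policy, not from a real repository.
SAMPLE = '''package common
import data.abbey.functions
allow[msg] { functions.expire_after("24h"); msg := "ok" }
allow[msg] { functions.expire_after("7d"); msg := "d is not a unit" }
allow[msg] { functions.expire_after("720h"); msg := "too long" }
'''

if __name__ == "__main__":
    for lineno, message in lint_policy(SAMPLE, parse_duration_ns("72h")):
        print(f"common.rego:{lineno}: {message}")
```
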

Step 3: Add Your Policy

Now that you have your policy set up, you can add it to your Grant Kit.

main.tf
resource "abbey_grant_kit" "null_grant" {
  ...
  
+  policies = [
+    {
+      bundle = "github://example-org/example-repo/policies"
+    }
+  ]

  ...
}
