automation-on-off.yaml
APIVersion: 1
label: recipe:testing:on-and-off-automation
data:
  recipes:
    - name: Periodically block all traffic
      label: recipe:testing:on-and-off-automation
      propagate: true
      metadata:
        - "@aporeto:author=aporeto"
      targetIdentities:
        - automation
        - networkaccesspolicy
      description: Block all traffic every 10th minute. Why not?
      longDescription: |-
        ### On and Off Traffic

        This recipe creates a deny all policy that will block all traffic
        from and to all processing units and external networks and an Automation
        that will switch the policy on and off every 10m.

        This is mostly a toy testing policy
      template: |-
        {{`
        APIVersion: 1
        data:
          networkaccesspolicies:
          # Deny-all policy; created disabled and toggled by the automation below.
          - name: "[test:on-and-off] deny all"
            description: denies all traffic to/from all pus
            action: Reject
            logsEnabled: true
            disabled: true
            object:
            - - $identity=processingunit
            - - $identity=externalnetwork
            subject:
            - - $identity=processingunit
            - - $identity=externalnetwork
            associatedTags:
            - policy:on-and-off:target=deny-policy
          automations:
          - name: "[test:on-and-off] switch deny all regularly"
            description: Turns the target policy on and off every 10m
            trigger: Time
            schedule: "@every 10m"
            # The automation is only entitled to list and update network access policies.
            entitlements:
              networkaccesspolicy:
              - update
              - retrieve-many
            actions:
            - |-
              function then(api, params, payload) {
                // Look up the target policy by the tag set in associatedTags above.
                var pols = api.RetrieveMany('networkaccesspolicy', null, 'associatedtags contains "policy:on-and-off:target=deny-policy"');
                if (!pols || pols.length === 0) {
                  console.log("no policy tagged policy:on-and-off:target=deny-policy found, nothing to toggle");
                  return;
                }
                // Flip the disabled flag and write the policy back.
                var pol = pols[0];
                pol.disabled = !pol.disabled;
                api.Update('networkaccesspolicy', pol);
                console.log("policy updated! disabled:", pol.disabled);
              }
            condition: |-
              function when(api, params) {
                // Always run the action on every scheduled tick.
                return {
                  continue: true,
                  payload: null,
                }
              }
        `}}