This library provides prescriptive OPA policies that can be used to establish well managed Terraform configuration for Confluent resources. This library can be used to establish an initial policy-as-code framework as you onboard new and additional use-cases in Confluent.
The policies primarily cover resources created and managed by the Confluent Terraform Provider.
NOTE:
This Policy Library is not an exhaustive list of all possible policies for Confluent configuration. If you have questions, comments, or have identified ways for us to improve this library, please create a new GitHub issue.
We also welcome any contributions that improve the quality of this library! To learn more about contributing and suggesting changes to this library, refer to the contributing guide.
- All new API Keys should be owned by Service Accounts, not Users (docs | OPA)
- API Keys should have a valid name (docs | OPA)
- Only approved RBAC Roles may be assigned (docs | OPA)
- Only approved resources may be provisioned (docs | OPA)
- New clusters should only be created in specified cloud providers (docs | OPA)
- New clusters should only be created in specified cloud regions (docs | OPA)
- Only specified Connectors may be provisioned (docs | OPA)
- All new Service Accounts should have a valid and descriptive name (docs | OPA)
- Topics should have a partition count in a specified range (docs | OPA)
- Topics should have a `retention.ms` in a specified range (docs | OPA)
- Topics should have a `retention.bytes` in a specified range (docs | OPA)
- Topic names should follow an appropriate standard (docs | OPA)
- Brokers may not create topics automatically, `auto.create.topics.enable` should be `false` (docs | OPA)
- Prevent the creation of Dedicated clusters, only Basic or Standard clusters (docs | OPA)
- Prevent the deletion of topics (docs | OPA)
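The following Rego policy is an added example of how several of the rules listed above can be expressed against a `terraform show -json` plan; it is not one of this library's own policies. The resource and attribute names (`confluent_api_key` with its `owner.kind`, `confluent_kafka_cluster.cloud`, `confluent_kafka_topic.partitions_count`, and the `config` map of `confluent_kafka_cluster_config`) are assumed from the Confluent Terraform Provider schema, and the allowed clouds and partition bounds are constructed parameters rather than values taken from this library.

```rego
package terraform.confluent

import rego.v1

# Constructed policy parameters (a real library would load these from data.*).
allowed_clouds := {"AWS", "GCP"}
min_partitions := 1
max_partitions := 12

# Resource changes in the plan that create or update a resource.
created_or_updated contains rc if {
	some rc in input.resource_changes
	some action in rc.change.actions
	action in {"create", "update"}
}

# API keys must be owned by a service account, never by a user.
deny contains msg if {
	some rc in created_or_updated
	rc.type == "confluent_api_key"
	owner := rc.change.after.owner[0] # assumed: owner is a single nested block
	owner.kind != "ServiceAccount"
	msg := sprintf("%s: API key owner kind is %s, expected ServiceAccount", [rc.address, owner.kind])
}

# New clusters only in approved cloud providers.
deny contains msg if {
	some rc in created_or_updated
	rc.type == "confluent_kafka_cluster"
	cloud := rc.change.after.cloud
	not cloud in allowed_clouds
	msg := sprintf("%s: cloud %s is not in the approved set", [rc.address, cloud])
}

# Dedicated clusters are not permitted; only Basic or Standard.
deny contains msg if {
	some rc in created_or_updated
	rc.type == "confluent_kafka_cluster"
	count(rc.change.after.dedicated) > 0 # assumed: dedicated is a nested block list
	msg := sprintf("%s: Dedicated clusters may not be provisioned", [rc.address])
}

# Topic partition count must fall inside the allowed range.
in_partition_range(n) if {
	n >= min_partitions
	n <= max_partitions
}

deny contains msg if {
	some rc in created_or_updated
	rc.type == "confluent_kafka_topic"
	n := rc.change.after.partitions_count
	not in_partition_range(n)
	msg := sprintf("%s: partitions_count %d is outside [%d, %d]", [rc.address, n, min_partitions, max_partitions])
}

# Brokers must not auto-create topics.
deny contains msg if {
	some rc in created_or_updated
	rc.type == "confluent_kafka_cluster_config"
	rc.change.after.config["auto.create.topics.enable"] == "true"
	msg := sprintf("%s: auto.create.topics.enable must be false", [rc.address])
}

# Topics must never be deleted by a plan.
deny contains msg if {
	some rc in input.resource_changes
	rc.type == "confluent_kafka_topic"
	"delete" in rc.change.actions
	msg := sprintf("%s: deleting topics is not permitted", [rc.address])
}
```

To evaluate it, export the plan and query the `deny` set: `terraform plan -out=plan.out && terraform show -json plan.out > plan.json && opa eval -i plan.json -d policy.rego "data.terraform.confluent.deny"`. An empty set means the plan passes; each string in the set names the offending Terraform address, which is what a CI gate would print before failing the pipeline. The `import rego.v1` line assumes OPA 0.59 or later.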