Updated OPA orchestration to show creation using variables

hyakuhei · Aug 12, 2021 · 0a29059 · 0a29059
1 parent eb2fccb
commit 0a29059
Show file tree

Hide file tree

Showing 7 changed files with 60 additions and 58 deletions.
diff --git a/example_OPA_orchestration.py b/example_OPA_orchestration.py
@@ -1,62 +1,64 @@
 from fluentm import Actor, Boundary, Process, DataFlow, TLS, HTTP, Internal, GIT, SSH
 from fluentm import report
 
-Process("Policy Repo").inBoundary(Boundary("Version Control"))
+# Example of a more code-oriented approach, using variables which will play
+# nicely with IDEs. It can be a faster way to write these.
 
-Boundary("New Kubernetes Cluster").inBoundary("New AWS Account")
+# Setup scenes here:
+scenes = {}
 
-scenes = {
-    "Developer requests a new cluster": [
-        DataFlow(
-            Actor("Developer"),
-            Process("Cluster Orchestrator").inBoundary(Boundary("Control Cluster")),
-            TLS(HTTP("Create cluster request")),
-        ),
-        DataFlow(
-            Process("Cluster Orchestrator"),
-            Process("Cluster Orchestrator"),
-            Internal("Validates user"),
-        ),
-        DataFlow(
-            Process("Cluster Orchestrator"),
-            Process("IAM").inBoundary("AWS"),
-            TLS(HTTP("Create new account")),
-            response=TLS(HTTP("Account Details")),
-        ),
-        DataFlow(
-            Process("Cluster Orchestrator"),
-            Process("EKS").inBoundary("AWS"),
-            TLS(HTTP("Create new cluster")),
-            response=TLS(HTTP("Cluster Details")),
-        ),
-        DataFlow(
-            Process("Cluster Orchestrator"),
-            Process("k8s API").inBoundary(Boundary("New Kubernetes Cluster")),
-            TLS(HTTP("Add default admission controller")),
-        ),
-    ],
-    "Developer creates a pod": [
-        DataFlow(Actor("Developer"), Process("k8s API"), TLS(HTTP("Create POD"))),
-        DataFlow(
-            Process("k8s API"),
-            Process("Admission Controller").inBoundary("Cluster Orchestrator"),
-            TLS(HTTP("Validate pod creation")),
-        ),
-        DataFlow(
-            Process("Admission Controller"),
-            Process("OPA").inBoundary("Cluster Orchestrator"),
-            HTTP("Validate pod creation.."),
-        ),
-        DataFlow(
-            Process("OPA"),
-            Process("Policy Repo"),
-            SSH(GIT("Get latest policy")),
-            response=SSH(GIT("Latest policy REGO")),
-        ),
-        DataFlow(Process("OPA"), Process("k8s API"), TLS(HTTP("Validation Decision"))),
-        DataFlow(Process("k8s API"), Actor("Developer"), TLS(HTTP("Approve/Denied"))),
-    ],
-}
+newK8sClusterBoundary = Boundary("New Kubernetes Cluster").inBoundary("New AWS Account")
+
+## Developer requests a new cluster
+# Participants
+developer = Actor("Developer")
+clusterOrchestrator = Process("Cluster Orchestrator").inBoundary(
+    Boundary("Control Cluster")
+)
+iam = Process("IAM").inBoundary("AWS")
+eks = Process("EKS").inBoundary("AWS")
+k8sApi = Process("k8s API").inBoundary(Boundary("New Kubernetes Cluster"))
+# Flows
+scenes["Developer requests a new cluster"] = [
+    DataFlow(developer, clusterOrchestrator, TLS(HTTP("Create cluster request"))),
+    DataFlow(clusterOrchestrator, clusterOrchestrator, Internal("Validates user")),
+    DataFlow(
+        clusterOrchestrator,
+        iam,
+        TLS(HTTP("Create new account")),
+        response=TLS(HTTP("Account Details")),
+    ),
+    DataFlow(
+        clusterOrchestrator,
+        eks,
+        TLS(HTTP("Create new cluster")),
+        response=TLS(HTTP("Cluster Details")),
+    ),
+    DataFlow(
+        clusterOrchestrator, k8sApi, TLS(HTTP("Add default admission controller"))
+    ),
+]
+
+## Developer creates a pod
+# New participants (not seen above)
+developer = Actor("Developer")
+admissionController = Process("Admission Controller").inBoundary("Cluster Orchestrator")
+policyRepo = Process("Policy Repo").inBoundary(Boundary("Version Control"))
+opa = Process("OPA")
+# DataFlows
+scenes["Developer creates a pod"] = [
+    DataFlow(developer, k8sApi, TLS(HTTP("Create POD"))),
+    DataFlow(k8sApi, admissionController, TLS(HTTP("Validate pod creation"))),
+    DataFlow(admissionController, opa, TLS(HTTP("Validate pod creation"))),
+    DataFlow(
+        opa,
+        policyRepo,
+        SSH(GIT("Get latest policy")),
+        response=SSH(GIT("Latest policy REGO")),
+    ),
+    DataFlow(opa, k8sApi, TLS(HTTP("Validation Decision"))),
+    DataFlow(k8sApi, developer, TLS(HTTP("Approve/Denied"))),
+]
 
 if __name__ == "__main__":
     r = report(scenes, outputDir="examples/OPA_orchestration", dfdLabels=True)
diff --git a/examples/OPA_orchestration/AggregatedDfd-dfd b/examples/OPA_orchestration/AggregatedDfd-dfd
@@ -3,6 +3,7 @@ digraph all {
 	node [fontname=Arial fontsize=11 shape=box style=rounded]
 	edge [fontname=Arial fontsize=11]
 	Developer
+	OPA
 	subgraph "cluster_Control Cluster" {
 		graph [color=red fontname=Arial fontsize=11 label="Control Cluster" style=dashed]
 		"Cluster Orchestrator"
@@ -22,7 +23,6 @@ digraph all {
 	subgraph "cluster_Cluster Orchestrator" {
 		graph [color=red fontname=Arial fontsize=11 label="Cluster Orchestrator" style=dashed]
 		"Admission Controller"
-		OPA
 	}
 	subgraph "cluster_Version Control" {
 		graph [color=red fontname=Arial fontsize=11 label="Version Control" style=dashed]

diff --git a/examples/OPA_orchestration/AggregatedDfd-dfd.png b/examples/OPA_orchestration/AggregatedDfd-dfd.png
diff --git a/examples/OPA_orchestration/Developer creates a pod-dfd b/examples/OPA_orchestration/Developer creates a pod-dfd
@@ -3,6 +3,7 @@ digraph "Developer creates a pod" {
 	node [fontname=Arial fontsize=11 shape=box style=rounded]
 	edge [fontname=Arial fontsize=11]
 	Developer
+	OPA
 	subgraph "cluster_New AWS Account" {
 		graph [color=red fontname=Arial fontsize=11 label="New AWS Account" style=dashed]
 		subgraph "cluster_New Kubernetes Cluster" {
@@ -13,15 +14,14 @@ digraph "Developer creates a pod" {
 	subgraph "cluster_Cluster Orchestrator" {
 		graph [color=red fontname=Arial fontsize=11 label="Cluster Orchestrator" style=dashed]
 		"Admission Controller"
-		OPA
 	}
 	subgraph "cluster_Version Control" {
 		graph [color=red fontname=Arial fontsize=11 label="Version Control" style=dashed]
 		"Policy Repo"
 	}
 	Developer -> "k8s API" [label="(1) Create POD"]
 	"k8s API" -> "Admission Controller" [label="(2) Validate pod creation"]
-	"Admission Controller" -> OPA [label="(3) Validate pod creation.."]
+	"Admission Controller" -> OPA [label="(3) Validate pod creation"]
 	OPA -> "Policy Repo" [label="(4) Get latest policy"]
 	"Policy Repo" -> OPA [label="(5) Latest policy REGO"]
 	OPA -> "k8s API" [label="(6) Validation Decision"]

diff --git a/examples/OPA_orchestration/Developer creates a pod-dfd.png b/examples/OPA_orchestration/Developer creates a pod-dfd.png
diff --git a/examples/OPA_orchestration/flow-Developer creates a pod-3 b/examples/OPA_orchestration/flow-Developer creates a pod-3
@@ -1,5 +1,5 @@
 digraph {
 	graph [bgcolor=transparent fontsize=11 fontstyle=Arial]
 	node [fontsize=11 fontstyle=Arial shape=plaintext]
-	struct [label="HTTP|{Validate pod creation..}" shape=record]
+	struct [label="TLS|HTTP|{Validate pod creation}" shape=record]
 }
diff --git a/examples/OPA_orchestration/flow-Developer creates a pod-3.png b/examples/OPA_orchestration/flow-Developer creates a pod-3.png