The `resources` section defines selector-based mappings from resource MRNs to resource groups. This feature was introduced in v1alpha4.
Resources let you define regex patterns that match resource MRNs and route every matching resource to a specific resource group. This is a more dynamic way to assign resources to groups than embedding the group reference directly in the PORC, and it is the only way to cover resources whose MRNs are not known when the PORC is written.
When a resource MRN is resolved:
1. The `resources` mappings are checked in declaration order.
2. If a `resources` selector matches the MRN, the resource is assigned to that mapping's `group` and receives that mapping's annotations.
3. If no selector matches, the resource falls back to the resource group marked `default: true` and carries no annotations.

```yaml
resources:
  - name: string          # Required: Identifier for this resource mapping
    description: string   # Optional: Human-readable description
    selector:             # Required: Array of regex patterns
      - "pattern1"
      - "pattern2"
    group: string         # Required: Reference to a resource-group MRN
    annotations:          # Optional: Key-value metadata
      - name: string
        value: string     # JSON-encoded value
```
| Field | Type | Required | Description |
|---|---|---|---|
| name | string | Yes | Unique identifier for this resource mapping |
| description | string | No | Human-readable description |
| selector | string[] | Yes | Array of regex patterns to match resource MRNs |
| group | string | Yes | MRN of the resource group to assign |
| annotations | Annotation[] | No | Additional metadata attached to every matched resource |
Selectors use regular expressions to match resource MRNs:
- Each entry in `selector` is a regex; the mapping applies when any one of its patterns matches the MRN.
- Mappings are checked in declaration order and the first match wins, so a broad pattern placed early shadows more specific mappings listed after it.
- Use `.*` as a catch-all pattern.

```yaml
selector:
  - "mrn:data:sensitive:.*"        # Matches mrn:data:sensitive:doc123
  - "mrn:secret:.*"                # Matches mrn:secret:api-key
  - "mrn:vault:.*:credential:.*"   # Matches mrn:vault:prod:credential:db
```
Annotations are key-value pairs with JSON-encoded values:
```yaml
annotations:
  - name: classification
    value: "\"HIGH\""                 # String value
  - name: audit_required
    value: "true"                     # Boolean value
  - name: retention_days
    value: "365"                      # Number value
  - name: tags
    value: "[\"pii\", \"financial\"]" # Array value
```
```yaml
apiVersion: iamlite.manetu.io/v1alpha4
kind: PolicyDomain
metadata:
  name: resource-routing-example
spec:
  policies:
    - mrn: &operation-default "mrn:iam:policy:operation-default"
      name: operation-default
      rego: |
        package authz
        default allow = 0  # Tri-level: negative=DENY, 0=GRANT, positive=GRANT Override
    - mrn: &allow-all "mrn:iam:policy:allow-all"
      name: allow-all
      rego: |
        package authz
        default allow = true
    - mrn: &read-only "mrn:iam:policy:read-only"
      name: read-only
      rego: |
        package authz
        default allow = false
        allow { input.operation == "read" }
    - mrn: &no-access "mrn:iam:policy:no-access"
      name: no-access
      rego: |
        package authz
        default allow = false
  resource-groups:
    - mrn: &rg-public "mrn:iam:resource-group:public"
      name: public
      default: true  # Fallback for unmatched resources
      policy: *allow-all
    - mrn: &rg-internal "mrn:iam:resource-group:internal"
      name: internal
      policy: *read-only
    - mrn: &rg-restricted "mrn:iam:resource-group:restricted"
      name: restricted
      policy: *no-access
  resources:
    # Internal company documents
    - name: internal-docs
      description: "Internal documentation accessible read-only"
      selector:
        - "mrn:docs:internal:.*"
        - "mrn:wiki:company:.*"
      group: *rg-internal
    # Sensitive secrets and credentials
    - name: secrets
      description: "Secrets and credentials with no external access"
      selector:
        - "mrn:secret:.*"
        - "mrn:vault:.*:credential:.*"
        - "mrn:config:.*:apikey:.*"
      group: *rg-restricted
      annotations:
        - name: classification
          value: "\"MAXIMUM\""
        - name: audit_required
          value: "true"
    # PII data
    - name: pii-data
      description: "Personally identifiable information"
      selector:
        - "mrn:data:pii:.*"
        - "mrn:customer:.*:profile:.*"
      group: *rg-restricted
      annotations:
        - name: classification
          value: "\"HIGH\""
        - name: data_type
          value: "\"pii\""
  operations:
    - name: all
      selector:
        - ".*"
      policy: *operation-default
```
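The resolution rules above are easy to get subtly wrong (a later mapping that can never fire, a dangling `group` reference, no default group to fall back to). The following is an added reference implementation of the lookup, written for this page and not the iamlite library's own code. It transcribes the `resource-groups` and `resources` entries of the example PolicyDomain into plain Python data (constructed test data, with the YAML anchors already expanded to MRNs), validates the section before use, and resolves MRNs the way the flow described in this section requires: first match in declaration order wins, annotation values are JSON-decoded, and unmatched MRNs land in the default group with no annotations. One point the page does not specify is whether a selector must cover the whole MRN or may match a substring; this example assumes whole-MRN matching (`re.fullmatch`), which is the safer reading because it stops `mrn:secret:.*` from also matching an MRN such as `x-mrn:secret:leak`.

```python
import json
import re
from dataclasses import dataclass, field
from typing import Optional

# Resource groups and resources transcribed from the PolicyDomain example
# above; the YAML anchors are already expanded to the MRNs they reference.
# This is constructed test data, not a PORC loaded from a running system.
RESOURCE_GROUPS = [
    {"mrn": "mrn:iam:resource-group:public", "default": True},
    {"mrn": "mrn:iam:resource-group:internal"},
    {"mrn": "mrn:iam:resource-group:restricted"},
]

RESOURCES = [
    {
        "name": "internal-docs",
        "selector": ["mrn:docs:internal:.*", "mrn:wiki:company:.*"],
        "group": "mrn:iam:resource-group:internal",
    },
    {
        "name": "secrets",
        "selector": ["mrn:secret:.*", "mrn:vault:.*:credential:.*", "mrn:config:.*:apikey:.*"],
        "group": "mrn:iam:resource-group:restricted",
        "annotations": [
            {"name": "classification", "value": "\"MAXIMUM\""},
            {"name": "audit_required", "value": "true"},
        ],
    },
    {
        "name": "pii-data",
        "selector": ["mrn:data:pii:.*", "mrn:customer:.*:profile:.*"],
        "group": "mrn:iam:resource-group:restricted",
        "annotations": [
            {"name": "classification", "value": "\"HIGH\""},
            {"name": "data_type", "value": "\"pii\""},
        ],
    },
]


@dataclass
class ResolvedResource:
    id: str
    group: str
    annotations: dict = field(default_factory=dict)
    matched_by: Optional[str] = None  # name of the matching resources entry; None for the default fallback


def porc_errors(resource_groups, resources):
    """Return the problems that would make resolution unsafe: a missing or
    duplicated default group, a dangling group reference, or a selector that
    does not compile. An empty list means the section is consistent."""
    errors = []
    known = {rg["mrn"] for rg in resource_groups}
    defaults = [rg["mrn"] for rg in resource_groups if rg.get("default")]
    if len(defaults) != 1:
        errors.append(f"expected exactly one default resource group, found {defaults}")
    for entry in resources:
        if entry["group"] not in known:
            errors.append(f"{entry['name']}: group {entry['group']} is not a defined resource group")
        for pattern in entry["selector"]:
            try:
                re.compile(pattern)
            except re.error as exc:
                errors.append(f"{entry['name']}: bad selector {pattern!r}: {exc}")
    return errors


def decode_annotations(entries):
    """Annotation values are JSON-encoded strings: '"HIGH"' -> 'HIGH', 'true' -> True."""
    return {a["name"]: json.loads(a["value"]) for a in entries or []}


def resolve(mrn, resource_groups, resources):
    """Walk the resources mappings in declaration order; the first selector
    that matches wins. Unmatched MRNs fall back to the default group with no
    annotations."""
    errors = porc_errors(resource_groups, resources)
    if errors:
        raise ValueError("; ".join(errors))
    default_group = next(rg["mrn"] for rg in resource_groups if rg.get("default"))
    for entry in resources:
        for pattern in entry["selector"]:
            # Assumption: a selector must match the whole MRN. re.fullmatch keeps
            # "mrn:secret:.*" from matching "x-mrn:secret:leak", which re.search would.
            if re.fullmatch(pattern, mrn):
                return ResolvedResource(mrn, entry["group"],
                                        decode_annotations(entry.get("annotations")),
                                        entry["name"])
    return ResolvedResource(mrn, default_group)


if __name__ == "__main__":
    for mrn in ("mrn:secret:api-key", "mrn:app:public:item", "x-mrn:secret:leak"):
        print(mrn, "->", resolve(mrn, RESOURCE_GROUPS, RESOURCES))
```

Running `porc_errors` before the first lookup rather than at each lookup is the point of the design: a PORC that references an undefined group or has two default groups should be rejected when it is loaded, not discovered when an authorization decision silently lands in the wrong group.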
```mermaid
flowchart TB
    MRN["Resource MRN:<br/>mrn:secret:api-key"]
    Check["Check Resources Selectors<br/>(in order)"]
    Match["Match found:<br/><i>mrn:secret:.*</i>"]
    Result["Return Resource with:<br/>• ID: mrn:secret:api-key<br/>• Group: rg-restricted<br/>• Annotations from match"]
    MRN --> Check
    Check --> Match
    Match --> Result
    style MRN fill:#1a145f,stroke:#03a3ed,color:#fff
    style Check fill:#03a3ed,stroke:#0282bd,color:#fff
    style Match fill:#38a169,stroke:#2f855a,color:#fff
    style Result fill:#1a145f,stroke:#38a169,color:#fff
```
```mermaid
flowchart TB
    MRN["Resource MRN:<br/>mrn:app:public:item"]
    Check["Check Resources Selectors<br/>(in order)"]
    NoMatch["No match found"]
    Result["Return Resource with:<br/>• ID: mrn:app:public:item<br/>• Group: default RG<br/>• No annotations"]
    MRN --> Check
    Check --> NoMatch
    NoMatch --> Result
    style MRN fill:#1a145f,stroke:#03a3ed,color:#fff
    style Check fill:#03a3ed,stroke:#0282bd,color:#fff
    style NoMatch fill:#e53e3e,stroke:#c53030,color:#fff
    style Result fill:#1a145f,stroke:#718096,color:#fff
```
Always mark one resource group with `default: true` as a fallback, so that a resource no selector matches still resolves to a group whose policy you chose deliberately rather than to nothing.

| Aspect | Resource Groups | Resources |
|---|---|---|
| Assignment | Explicit in PORC | Pattern-based |
| Flexibility | Static | Dynamic |
| Schema Version | v1alpha3+ | v1alpha4+ |
| Use Case | Known resources | Pattern matching |

Use resource-groups when:
- the set of resources is known when the PORC is written and can be listed explicitly
- you want every assignment to be static and visible in the PORC itself

Use resources when:
- resources are created dynamically and can only be described by an MRN naming pattern
- the same annotations should be attached to every resource that matches a pattern