Open Policy Agent (OPA) Overview
ESH uses OPA to scan all Deployment plans for breaches of security policy. This adds a layer of assurance that what Template developers create and certify meets the organization's security policy.
Your organization may already have OPA policies defined and in use in pipelines; if so, that is the right place to start securing your ESH Template deployments.
Learn about Open Policy Agent here.
Find policies to get you started here. You can copy these policies straight into the Policy Administration console.
Use the OPA playground to develop policies. Download Terraform plans from existing deployments in order to obtain data to test your policies against.
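As an added illustration (not an ESH-supplied policy), the following Rego module can be pasted into the OPA playground or run with `opa test`. It assumes the downloaded plan uses Terraform's JSON plan representation (`resource_changes`); the package name, the `deny` rule name and the AWS security group resource type are assumptions chosen for the example.

```rego
package terraform.plan_checks

import rego.v1

# Added example: package, rule and resource names are assumptions, not ESH requirements.

# Changes that will exist after apply (pure deletes are skipped).
planned_changes contains rc if {
	some rc in input.resource_changes
	some action in rc.change.actions
	action in {"create", "update"}
}

# An ingress rule covers SSH if it allows all protocols or a TCP range that includes 22.
covers_ssh(rule) if rule.protocol == "-1"

covers_ssh(rule) if {
	rule.protocol == "tcp"
	rule.from_port <= 22
	rule.to_port >= 22
}

deny contains msg if {
	some rc in planned_changes
	rc.type == "aws_security_group"
	some rule in rc.change.after.ingress
	covers_ssh(rule)
	"0.0.0.0/0" in rule.cidr_blocks
	msg := sprintf("%s allows SSH from 0.0.0.0/0", [rc.address])
}

# Constructed test data in the shape of a Terraform JSON plan entry.
sg(name, action, proto, lo, hi, cidr) := {
	"address": sprintf("aws_security_group.%s", [name]),
	"type": "aws_security_group",
	"change": {"actions": [action], "after": {"ingress": [{"protocol": proto, "from_port": lo, "to_port": hi, "cidr_blocks": [cidr]}]}}
}

test_deny_flags_only_internet_facing_ssh if {
	plan := {"resource_changes": [
		sg("open", "create", "tcp", 22, 22, "0.0.0.0/0"),
		sg("any_proto", "update", "-1", 0, 0, "0.0.0.0/0"),
		sg("internal", "create", "tcp", 22, 22, "10.0.0.0/8"),
		sg("retired", "delete", "tcp", 22, 22, "0.0.0.0/0")
	]}
	deny == {"aws_security_group.open allows SSH from 0.0.0.0/0", "aws_security_group.any_proto allows SSH from 0.0.0.0/0"} with input as plan
}
```

Replacing the constructed `plan` with a plan downloaded from an existing deployment shows which of its resource changes the rule would flag.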
The OPA Policies console is used to manage policies. Check out Open Policy Agent Policy (OPA) for more information.
Check out Deployment Approval Overview for information on how policy breaches are notified and, if chosen, approved.