Update the doc link and add the example link to the cutom policy guide

Signed-off-by: Ramya Bangera <bangerar@vmware.com>
vmware · Feb 6, 2024 · b2e1a59 · b2e1a59
1 parent cb65605
commit b2e1a59
Show file tree

Hide file tree

Showing 2 changed files with 85 additions and 4 deletions.
diff --git a/docs/guides/tanzu-mission-control_policy.md b/docs/guides/tanzu-mission-control_policy.md
@@ -211,7 +211,7 @@ resource "tanzu-mission-control_iam_policy" "namespace_scoped_iam_policy" {
 }
 ```
 
-## Custom Policy on a CLuster Group
+## Custom Policy on a Cluster Group
 
 ```terraform
 /*
@@ -278,5 +278,82 @@ resource "tanzu-mission-control_custom_policy" "cluster_group_scoped_tmc-block-r
 ## Custom Template and Custom Policy
 
 Template provides a declarative definition of a policy, which can be used to apply custom constraints on managed kubernetes resources.
-Custom policy consumes these declared custom templates to enforce specific policies. One must create the custom template before consuming it the custom policy.
+Custom policy consumes these declared custom templates to enforce specific policies. One must create the [custom template][custom-policy-template] before consuming it in the custom policy.
 Please refer to custom policy template and custom policy terraform scripts within examples.
+
+[custom-policy-template]: https://docs.vmware.com/en/VMware-Tanzu-Mission-Control/services/tanzumc-using/GUID-F147492B-04FD-4CFD-8D1F-66E36D40D49C.html
+
+```terraform
+resource "tanzu-mission-control_custom_policy_template" "sample" {
+  name = "tf-custom-template-test"
+
+  spec {
+    object_type   = "ConstraintTemplate"
+    template_type = "OPAGatekeeper"
+
+    data_inventory {
+      kind    = "ConfigMap"
+      group   = "admissionregistration.k8s.io"
+      version = "v1"
+    }
+
+    data_inventory {
+      kind    = "Deployment"
+      group   = "extensions"
+      version = "v1"
+    }
+
+    template_manifest = <<YAML
+apiVersion: templates.gatekeeper.sh/v1beta1
+kind: ConstraintTemplate
+metadata:
+  name: tf-custom-template-test
+  annotations:
+    description: Requires Pods to have readiness and/or liveness probes.
+spec:
+  crd:
+    spec:
+      names:
+        kind: tf-custom-template-test
+      validation:
+        openAPIV3Schema:
+          properties:
+            probes:
+              type: array
+              items:
+                type: string
+            probeTypes:
+              type: array
+              items:
+                type: string
+  targets:
+    - target: admission.k8s.gatekeeper.sh
+      rego: |
+        package k8srequiredprobes
+        probe_type_set = probe_types {
+          probe_types := {type | type := input.parameters.probeTypes[_]}
+        }
+        violation[{"msg": msg}] {
+          container := input.review.object.spec.containers[_]
+          probe := input.parameters.probes[_]
+          probe_is_missing(container, probe)
+          msg := get_violation_message(container, input.review, probe)
+        }
+        probe_is_missing(ctr, probe) = true {
+          not ctr[probe]
+        }
+        probe_is_missing(ctr, probe) = true {
+          probe_field_empty(ctr, probe)
+        }
+        probe_field_empty(ctr, probe) = true {
+          probe_fields := {field | ctr[probe][field]}
+          diff_fields := probe_type_set - probe_fields
+          count(diff_fields) == count(probe_type_set)
+        }
+        get_violation_message(container, review, probe) = msg {
+          msg := sprintf("Container <%v> in your <%v> <%v> has no <%v>", [container.name, review.kind.kind, review.object.metadata.name, probe])
+        }
+YAML
+  }
+}
+```
diff --git a/templates/guides/tanzu-mission-control_policy.md.tmpl b/templates/guides/tanzu-mission-control_policy.md.tmpl
@@ -37,12 +37,16 @@ In the following example, there are multiple dependencies shown.
 
 {{ tffile "examples/usecases/access_policy_usecase.tf" }}
 
-## Custom Policy on a CLuster Group
+## Custom Policy on a Cluster Group
 
 {{ tffile "examples/usecases/custom_policy_usecase.tf" }}
 
 ## Custom Template and Custom Policy
 
 Template provides a declarative definition of a policy, which can be used to apply custom constraints on managed kubernetes resources.
-Custom policy consumes these declared custom templates to enforce specific policies. One must create the custom template before consuming it the custom policy.
+Custom policy consumes these declared custom templates to enforce specific policies. One must create the [custom template][custom-policy-template] before consuming it in the custom policy.
 Please refer to custom policy template and custom policy terraform scripts within examples.
+
+[custom-policy-template]: https://docs.vmware.com/en/VMware-Tanzu-Mission-Control/services/tanzumc-using/GUID-F147492B-04FD-4CFD-8D1F-66E36D40D49C.html
+
+{{ tffile "examples/resources/custom_policy_template/resource_custom_policy_template.tf" }}