Change type API reference

Every CEL policy evaluation receives a type field indicating the kind of change being evaluated. The type value determines what keys are available in referencedResources and request. Use type to guard a policy so it only runs for the change types it is designed to handle.

For an Entity change that is part of a Module installation, referencedResources also includes module and moduleRelease keys for the associated Module.

All change types populate request with type-specific fields. The available fields for each type are described below.

Referenced resource fields

All entries in referencedResources have the following four fields:

Field | Type | Description
rid | string | The resource identifier (RID). Pass this to require_role() or require_operation() to gate approval on a user's permissions for this resource.
name | string | The display name of the resource, such as an Environment name or Product ID.
labels | map | Labels applied to the resource. Keys and values are strings. Empty if no labels are applied.
authorRoles | set | Roles held by the change author on this resource. Each entry is a role ID string such as "entity:operator". Empty if the author holds no roles.

Most entries also have a resource field containing the full resource object serialized as a map. Fields within resource vary by resource type. For example, referencedResources.artifactRegistry.resource.registryType holds the registry type for artifact registry entities. The resource field is empty for the following change types:

  • CREATE_PIPELINE
  • CREATE_TEAM
  • CREATE_EGRESS_POLICIES
  • DELETE_EGRESS_POLICIES
  • MODIFY_VULNERABILITY_SUPPRESSIONS
  • REMOVE_VULNERABILITY_SUPPRESSIONS
  • MODIFY_SPACE_SETTINGS
  • MODIFY_RESOURCE_OVERRIDE_SPACE_SETTINGS
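The following CEL policy is an added example illustrating the type guard and the referencedResources fields described above; it is not code from the Apollo documentation or product. It assumes that the expression evaluates to true when the change may proceed (the page does not state how a policy's result is consumed), that the "tier" label key and the "prod-critical" value are conventions of the installing organisation, and that request.entity and request.asset are empty maps rather than absent when they do not apply, so has() is used before reading the markedForDeletion flag.

```cel
// Added example, not from the Apollo documentation. Assumption: a result of
// true lets the change proceed. Change types this policy is not written for
// short-circuit to true on the first line, so it never interferes with them.
type != "UPDATE_ENTITY_SETTINGS"
  // Only the "marked for deletion" case is of interest. entity is empty for
  // tracked assets and asset is empty for config-declared Entities, so test
  // key presence with has() before reading the flag from either.
  || !(
       (has(request.entity.markedForDeletion) && request.entity.markedForDeletion)
    || (has(request.asset.markedForDeletion)  && request.asset.markedForDeletion)
  )
  // Environments without the (assumed) "tier" label are out of scope; reading
  // labels["tier"] without the membership test would raise a missing-key error.
  || !("tier" in referencedResources.environment.labels)
  || referencedResources.environment.labels["tier"] != "prod-critical"
  // From here on a prod-critical Entity is being marked for deletion.
  // The module key is only present for Module-installed Entities; those are
  // removed through the Module, never individually, so they are denied here.
  // Everything else requires the author to already hold the operator role
  // on the Environment (authorRoles is a set of role ID strings).
  || (
       !has(referencedResources.module)
    && "entity:operator" in referencedResources.environment.authorRoles
  )
```

The ordering of the clauses matters: the cheap type guard and the label membership test come first so that the policy never touches keys that are absent for other change types or unlabeled Environments.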

Entity changes

CREATE_ENTITY

Triggered when an Entity is added to an Environment.

Available referencedResources keys: environment, product (if the Entity has a Product assigned)

Available request fields:

Field | Type | Description
apolloEntityId | string | Unique identifier for the Entity.
apolloEntityType | string | Entity type, such as "service", "daemon", or "network-security".
releaseChannel | string | The Release Channel assigned to this Entity. Absent if the Entity inherits the Environment default.
configOverrides | map | The product-specific configuration for this Entity. Keys are version strings; values are the configuration map for that version. For the network-security Entity type the structure differs; see network-security configOverrides.
entity | map | The serialized entity settings. Present for Entities declared in deployment config (services, daemons, Helm charts, and similar); empty for tracked assets. See entity sub-fields.
asset | map | The serialized asset settings. Present for tracked assets; empty for Entities declared in deployment config. See asset sub-fields.

UPDATE_ENTITY

Triggered when an Entity's application configuration is modified.

Available referencedResources keys: environment, installation, product (if the Entity has a Product assigned)

Available request fields:

Field | Type | Description
apolloEntityId | string | Unique identifier for the Entity.
apolloEntityType | string | Entity type, such as "service", "daemon", or "network-security".
releaseChannel | string | The Release Channel assigned to this Entity. Absent if the Entity inherits the Environment default.
configOverrides | map | The proposed product-specific configuration for this Entity after the update. Same structure as for CREATE_ENTITY. See network-security configOverrides for the network-security Entity type.
entity | map | The serialized Entity settings. Present for Entities declared in deployment config; empty for tracked assets. See entity sub-fields.
asset | map | The serialized asset settings. Present for tracked assets; empty for Entities declared in deployment config. See asset sub-fields.

UPDATE_ENTITY_SETTINGS

Triggered when an Entity's operational settings are modified, such as its Release Channel. Also produced when an Entity is marked for deletion.

Available referencedResources keys: environment, installation, product (if the Entity has a Product assigned)

Available request fields:

Field | Type | Description
apolloEntityId | string | Unique identifier for the Entity.
apolloEntityType | string | Entity type, such as "service", "daemon", or "network-security".
releaseChannel | string | The Release Channel assigned to this Entity after the update. Absent if the Entity inherits the Environment default.
configOverrides | map | The product-specific configuration for this Entity. Keys are version strings; values are the configuration map for that version. For the network-security Entity type the structure differs; see network-security configOverrides.
entity | map | The serialized entity settings. Present for Entities declared in deployment config; empty for tracked assets. See entity sub-fields.
asset | map | The serialized asset settings. Present for tracked assets; empty for Entities declared in deployment config. See asset sub-fields.

DELETE_ENTITY

Triggered when an Entity is removed from the deployment configuration.

Available referencedResources keys: environment, installation, product (if the Entity has a Product assigned)

Available request fields:

Field | Type | Description
apolloEntityId | string | Unique identifier for the Entity being deleted.
apolloEntityType | string | Entity type, such as "service" or "daemon".

entity sub-fields

The entity field is a map containing the serialized entity settings. It is present for Entities declared in deployment config (services, daemons, Helm charts, and similar) and empty for tracked assets.

Field | Type | Description
entityLocator | object | Entity-type-specific locator identifying the Entity within its Environment.
releaseChannel | string | The Entity's Release Channel. Absent if the Entity inherits the Environment default.
maintenanceWindows | object | Maintenance window schedule configured on this Entity. Absent if not set.
dependencyStackOverrides | map | Per-dependency configuration overrides, keyed by Product ID.
ignoredDependencies | set | Product IDs of dependencies that Apollo should ignore for this Entity.
rolloutStrategy | object | Rollout strategy override. Absent if using the default.
tracks | set | Asset tracks. Applicable to tracked assets only.
product | string | Product ID explicitly set on this Entity. Absent if not overridden.
targetInfrastructureType | string | Infrastructure type override. Absent if not set.
markedForDeletion | boolean | Whether this Entity is marked for deletion. Absent if not marked.
markedForUninstallation | object | Configuration for uninstalling this Entity. Absent if not set.
helmReleaseName | string | Helm release name. Applicable to Helm chart Entities only.
k8sNamespace | string | Kubernetes namespace. Applicable to Helm chart Entities only.
accountId | string | AWS account ID. Applicable to Terraform module Entities only.
foundrySpace | string | Foundry space. Applicable to Foundry product Entities only.
dependencyGroups | set | Dependency groups. Applicable to Helm charts, Terraform modules, and Foundry products.
dependencyGroupOverrides | map | Dependency group overrides, keyed by Product ID.

asset sub-fields

The asset field is a map containing the serialized asset settings. It is present for tracked assets and empty for Entities declared in deployment config.

Field | Type | Description
locator | string | Product ID of the tracked asset.
dependencyStackOverrides | map | Per-dependency configuration overrides, keyed by Product ID.
ignoredDependencies | set | Product IDs of dependencies that Apollo should ignore for this asset.
markedForDeletion | boolean | Whether this asset is marked for deletion. Absent if not marked.
markedForUninstallation | object | Configuration for uninstalling this asset. Absent if not set.

network-security configOverrides

For network-security entities, configOverrides is not a version-keyed map. It is the serialized declared state of the network security rule, structured as a union with a type discriminator field. The only current variant is "v1".

Field | Type | Description
type | string | The rule variant. Currently always "v1".
v1 | object | The rule contents. See sub-fields below.

v1 sub-fields:

Field | Type | Description
description | string | A human-readable description of the rule.
ruleDetails | object | The rule type and configuration. Has a type field identifying the variant. Access the variant as v1.ruleDetails.<type>, for example v1.ruleDetails.egressRule.
quarantined | boolean | If true, the rule is treated as withdrawn. Absent if not set.

ruleDetails variants:

Variant | Description
egressRule | Outbound traffic rule. Has dest (a union with type of "cidrs" or "domain"; access the value as dest.cidrs (set of CIDR strings) or dest.domain (string)), ports (a set of port entries, each with type of "port" or "portRange"; access as port (integer) or portRange.start/portRange.end), and namespaces (set of strings).
httpsIngressRule | HTTPS ingress rule by domain. Has domain (string), allowedCidrs (set of objects with justification (string) and cidrs (set of strings)), and allowedCountryCodes (set of objects with justification (string) and countryCodes (set of strings)).
httpsPortIngressRule | HTTPS ingress rule by port. Has port (integer), allowedCidrs, and allowedCountryCodes. Same structure as httpsIngressRule.
tcpIngressRule | TCP ingress rule. Has ports (set of integers) and allowedCidrs.
udpIngressRule | UDP ingress rule. Has ports (set of integers) and allowedCidrs.
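The policy below is an added example of walking the network-security configOverrides union on CREATE_ENTITY and UPDATE_ENTITY; it is not code from the Apollo documentation or product. It assumes that a result of true lets the change proceed, that tcpIngressRule and udpIngressRule carry allowedCidrs in the same object shape as httpsIngressRule (the page lists the field but not its shape), and that refusing unrestricted "0.0.0.0/0" and "::/0" blocks and SSH egress are this organisation's chosen rules. A ruleDetails variant the policy does not know is denied, since none of the branches match it.

```cel
// Added example, not from the Apollo documentation. Assumption: true lets
// the change proceed. Only network-security Entity changes are inspected;
// every other type, entity type, or override version short-circuits to true.
!(type in ["CREATE_ENTITY", "UPDATE_ENTITY"])
  || request.apolloEntityType != "network-security"
  || request.configOverrides.type != "v1"
  // A quarantined rule is treated as withdrawn, so it exposes nothing.
  || (has(request.configOverrides.v1.quarantined)
      && request.configOverrides.v1.quarantined)
  || (
    // Egress: no "any" destination, and TCP/22 must not be reachable either
    // as a single port or inside a range. Domain destinations are accepted.
    (request.configOverrides.v1.ruleDetails.type == "egressRule"
      && (request.configOverrides.v1.ruleDetails.egressRule.dest.type == "domain"
          || request.configOverrides.v1.ruleDetails.egressRule.dest.cidrs.all(c,
               !(c in ["0.0.0.0/0", "::/0"])))
      && request.configOverrides.v1.ruleDetails.egressRule.ports.all(p,
           p.type == "port"
             ? p.port != 22
             : !(p.portRange.start <= 22 && 22 <= p.portRange.end)))
    // HTTPS ingress by domain: every allow-listed block needs a written
    // justification and must not be the whole Internet.
    || (request.configOverrides.v1.ruleDetails.type == "httpsIngressRule"
      && request.configOverrides.v1.ruleDetails.httpsIngressRule.allowedCidrs.all(a,
           size(a.justification) > 0
           && a.cidrs.all(c, !(c in ["0.0.0.0/0", "::/0"]))))
    // Same rule for HTTPS ingress by port.
    || (request.configOverrides.v1.ruleDetails.type == "httpsPortIngressRule"
      && request.configOverrides.v1.ruleDetails.httpsPortIngressRule.allowedCidrs.all(a,
           size(a.justification) > 0
           && a.cidrs.all(c, !(c in ["0.0.0.0/0", "::/0"]))))
    // Raw TCP and UDP ingress: never from anywhere. Assumed to share the
    // allowedCidrs object shape of the HTTPS variants.
    || (request.configOverrides.v1.ruleDetails.type == "tcpIngressRule"
      && request.configOverrides.v1.ruleDetails.tcpIngressRule.allowedCidrs.all(a,
           a.cidrs.all(c, !(c in ["0.0.0.0/0", "::/0"]))))
    || (request.configOverrides.v1.ruleDetails.type == "udpIngressRule"
      && request.configOverrides.v1.ruleDetails.udpIngressRule.allowedCidrs.all(a,
           a.cidrs.all(c, !(c in ["0.0.0.0/0", "::/0"]))))
  )
```

The apolloEntityType check must come before any access to configOverrides.type: for every other Entity type configOverrides is the version-keyed map, and reading a "type" key from it would be a missing-key error rather than false.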

Entity maintenance windows

SET_ENTITY_MAINTENANCE_WINDOWS

Triggered when maintenance windows are set on a standard Entity type such as a service or daemon.

Available referencedResources keys: environment, installation, product (if applicable)

Available request fields:

Field | Type | Description
entity | string | Unique identifier for the Entity.
downtimeWindows | set | Downtime maintenance windows being set. Each entry has schedule (a cron expression string), zoneId (timezone string), duration (ISO-8601 duration string), and description (string).
noDowntimeWindows | set | No-downtime maintenance windows being set. Same structure as downtimeWindows.
existingRevisionNumber | integer | Revision number for conflict detection. Absent when creating maintenance windows for the first time.

REMOVE_ENTITY_MAINTENANCE_WINDOWS

Triggered when maintenance windows are removed from a standard Entity type.

Available referencedResources keys: environment, installation, product (if applicable)

Available request fields:

Field | Type | Description
entity | string | Unique identifier for the Entity.

CREATE_ENTITY_MAINTENANCE_WINDOW_OVERRIDE

Triggered when a maintenance window override is created for a standard Entity type.

Available referencedResources keys: environment, installation, product (if applicable)

Available request fields:

Field | Type | Description
entity | string | Unique identifier for the Entity.
startTime | timestamp | Start time of the override window.
endTime | timestamp | End time of the override window.
type | string | Window type: "DOWNTIME" or "NO_DOWNTIME".

SET_GENERIC_ENTITY_MAINTENANCE_WINDOWS

Triggered when maintenance windows are set on a generic Entity type such as a network security configuration.

Available referencedResources keys: environment, installation

Available request fields:

Field | Type | Description
entity | string | Unique identifier for the Entity.
downtimeWindows | set | Downtime maintenance windows being set. Each entry has schedule (a cron expression string), zoneId (timezone string), duration (ISO-8601 duration string), and description (string).
noDowntimeWindows | set | No-downtime maintenance windows being set. Same structure as downtimeWindows.
existingRevisionNumber | integer | Revision number for conflict detection. Absent when creating maintenance windows for the first time.

REMOVE_GENERIC_ENTITY_MAINTENANCE_WINDOWS

Triggered when maintenance windows are removed from a generic Entity type.

Available referencedResources keys: environment, installation

Available request fields:

Field | Type | Description
entity | string | Unique identifier for the Entity.

CREATE_GENERIC_ENTITY_MAINTENANCE_WINDOW_OVERRIDE

Triggered when a maintenance window override is created for a generic Entity type.

Available referencedResources keys: environment, installation

Available request fields:

Field | Type | Description
entity | string | Unique identifier for the Entity.
startTime | timestamp | Start time of the override window.
endTime | timestamp | End time of the override window.
type | string | Window type: "DOWNTIME" or "NO_DOWNTIME".

Environment changes

UPDATE_ENVIRONMENT_SETTINGS

Triggered when Environment-level settings are modified, such as the default Release Channel.

Available referencedResources keys: environment

Available request fields:

Field | Type | Description
deploymentId | string | The Environment ID.
settings | map | The Environment-level operational settings after the change. Includes the default Release Channel, maintenance windows, and ownership settings, but not Entity entries.

UPDATE_ENVIRONMENT_CONFIG

Triggered when the Environment configuration file is modified.

Available referencedResources keys: environment

Available request fields:

Field | Type | Description
config | map | The full Environment configuration file contents after the change.

UPDATE_EXTERNAL_DEPENDENCIES

Triggered when external dependency configuration is modified.

Available referencedResources keys: environment

Available request fields:

Field | Type | Description
config | map | The full external dependencies configuration file contents after the change.

UPDATE_ENVIRONMENT_PROPERTIES

Triggered when Environment operational properties are modified, such as ownership, accreditation level, or operational responsibility settings.

Available referencedResources keys: environment

Available request fields:

Field | Type | Description
deploymentId | string | The Environment ID.
owner | string | The owner team RID. Absent if not being changed.
enableOperationalResponsibility | boolean | Whether operational responsibility is enabled for this Environment.
coOwner | set | RIDs of co-owner teams.
accreditation | string | The Environment accreditation level, such as "STANDARD" or "FEDRAMP_HIGH".
registerToNamespaces | set | Namespace IDs the Environment is registered to.
supportOverride | string | Support override level. Absent if not set.

DELETE_ENVIRONMENT

Triggered when an Environment is deleted.

Available referencedResources keys: environment

Available request fields:

Field | Type | Description
deployment | string | The Environment ID being deleted.
namespaces | set | Namespace IDs the Environment is being unregistered from.

EXIT_BOOTSTRAP_MODE

Triggered when an Environment exits bootstrap mode.

Available referencedResources keys: environment

Available request fields: None. Use referencedResources.environment to access the Environment.

Space settings

MODIFY_SPACE_SETTINGS

Triggered when space-level settings are modified.

Available referencedResources keys: Varies by setting; keyed by the resource being changed.

Available request fields:

Field | Type | Description
settingName | string | The identifier of the space setting being modified, such as "allow-upgrades". Use this to scope a policy to a specific setting.

MODIFY_RESOURCE_OVERRIDE_SPACE_SETTINGS

Triggered when resource-level overrides for space settings are modified.

Available referencedResources keys: Varies by setting; keyed by the resource being changed.

Available request fields:

Field | Type | Description
settingName | string | The identifier of the space setting override being modified. Use this to scope a policy to a specific setting.

Pipeline changes

CREATE_PIPELINE

Triggered when a new pipeline is created.

Available referencedResources keys: pipelineRoot

Available request fields:

Field | Type | Description
settings | map | The pipeline settings. Sub-fields are described below.

settings sub-fields:

Field | Type | Description
id | string | The pipeline name, unique within the space.
description | string | The pipeline description.
schedule | object | When bundles are created. Has a type field such as "never" or "cron". Schedules of type "cron" also include a cron sub-field.
transferMechanism | string | The mechanism used to transfer bundles, such as "diode".
connections | map | Transfer targets connected to this pipeline. Keys are transfer target IDs; values are sets of connection type strings.
globalSelectors | object | Resource selectors specifying what is included in bundles produced by this pipeline.

UPDATE_PIPELINE

Triggered when an existing pipeline's settings are modified.

Available referencedResources keys: bundlingpipeline

Available request fields:

Field | Type | Description
pipelineRid | string | The RID of the pipeline being updated.
settings | map | The proposed pipeline settings after the update. Sub-fields are the same as for CREATE_PIPELINE.

UPDATE_PIPELINE_TRANSFER_TARGET

Triggered when a pipeline's transfer target connections are modified.

Available referencedResources keys: transferTarget (always); bundlingpipeline (only when an existing pipeline's connections are being updated, not when a new pipeline is being created with connections)

Available request fields: None. Transfer target details are available in referencedResources.transferTarget.

DELETE_PIPELINE

Triggered when a pipeline is deleted.

Available referencedResources keys: bundlingpipeline

Available request fields:

Field | Type | Description
pipelineRid | string | The RID of the pipeline being deleted.

ARCHIVE_PIPELINE

Triggered when a pipeline is archived.

Available referencedResources keys: bundlingpipeline

Available request fields:

Field | Type | Description
pipelineRid | string | The RID of the pipeline being archived.

UNARCHIVE_PIPELINE

Triggered when a pipeline is unarchived.

Available referencedResources keys: bundlingpipeline

Available request fields:

Field | Type | Description
pipelineRid | string | The RID of the pipeline being unarchived.

Team changes

CREATE_TEAM

Triggered when a new team is created.

Available referencedResources keys: teamRoot

Available request fields:

Field | Type | Description
name | string | The immutable team slug, unique within the space.
admins | set | Admin group locators. Each entry has name (string) and realm (string).
members | set | Member group locators. Each entry has name (string) and realm (string).
adminUsers | set | Admin user locators. Each entry has name (string) and realm (string).
memberUsers | set | Member user locators. Each entry has name (string) and realm (string).

UPDATE_TEAM

Triggered when a team's membership or settings are modified.

Available referencedResources keys: team

Available request fields:

Field | Type | Description
teamRid | string | The RID of the team being updated.
admins | set | Updated admin group locators. Each entry has name (string) and realm (string).
members | set | Updated member group locators. Each entry has name (string) and realm (string).
adminUsers | set | Updated admin user locators. Each entry has name (string) and realm (string).
memberUsers | set | Updated member user locators. Each entry has name (string) and realm (string).

DELETE_TEAM

Triggered when a team is deleted.

Available referencedResources keys: team

Available request fields:

Field | Type | Description
teamRid | string | The RID of the team being deleted.

Product settings

CREATE_PRODUCT_SETTINGS

Triggered when Product settings are created for a Product.

Available referencedResources keys: product

Available request fields:

Field | Type | Description
productId | string | The Product ID these settings are for.
orTeam | string | The owner and operational responsibility team RID.
operationalResponsibilityExcludedEnvironments | set | Environment IDs excluded from operational responsibility for this Product.

UPDATE_PRODUCT_SETTINGS

Triggered when existing Product settings are modified.

Available referencedResources keys: product

Available request fields:

Field | Type | Description
productId | string | The Product ID whose settings are being updated.
orTeam | string | The owner and operational responsibility team RID.
operationalResponsibilityExcludedEnvironments | set | Environment IDs excluded from operational responsibility for this Product.

DELETE_PRODUCT_SETTINGS

Triggered when Product settings are deleted.

Available referencedResources keys: product

Available request fields:

Field | Type | Description
product | string | The Product ID whose settings are being deleted.

Security changes

CREATE_EGRESS_POLICIES

Triggered when egress policies are created.

Available referencedResources keys: egressPolicyRoot

Available request fields:

Field | Type | Description
data | list | The egress policies being created. Each entry has the fields described in the table below.

Each entry in data has the following fields:

Field | Type | Description
address | object | The destination network address. Has a type field ("dns" or "cidr"). For DNS entries, access the hostname as address.dns (a string). For CIDR entries, access the block as address.cidr (a string).
port | object | The port configuration. Has a port field (integer). Optionally has portRangeEnd (integer) if specifying a port range.
transportProtocol | string | The transport protocol, such as "TLS", "TCP", or "HTTP".
network | object | The network routing type. Has a type field such as "direct", "privateLink", "secureTunnels", "agent", "bucketEndpoint", "catalogBucket", or "bcap".
description | string | An optional description of the policy. Absent if not provided.
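The policy below is an added example of validating every entry of request.data on CREATE_EGRESS_POLICIES; it is not code from the Apollo documentation or product. It assumes that a result of true lets the change proceed, and that the allowed parent domains (".example.com", ".example.net"), the maximum port-range width, and the requirement that plaintext transports only travel over privateLink or secureTunnels are this organisation's chosen rules rather than anything Apollo enforces.

```cel
// Added example, not from the Apollo documentation. Assumption: true lets
// the change proceed. Every other change type short-circuits to true.
type != "CREATE_EGRESS_POLICIES"
  || request.data.all(p,
       // Destination. The address union is dispatched on its type field:
       // DNS names must sit under an assumed allow-list of parent domains,
       // CIDR blocks must not be the whole IPv4 or IPv6 Internet.
       (p.address.type == "dns"
          ? (p.address.dns.endsWith(".example.com")
             || p.address.dns.endsWith(".example.net"))
          : !(p.address.cidr in ["0.0.0.0/0", "::/0"]))
       // Port. portRangeEnd is optional, so guard it with has(); a range
       // wider than 100 ports (assumed limit) is treated as "all ports".
       && p.port.port >= 1 && p.port.port <= 65535
       && (!has(p.port.portRangeEnd)
           || (p.port.portRangeEnd >= p.port.port
               && p.port.portRangeEnd - p.port.port < 100))
       // Transport. Anything that is not TLS may only leave over a private
       // path, never via the "direct" or other shared network types.
       && (p.transportProtocol == "TLS"
           || p.network.type in ["privateLink", "secureTunnels"])
       // Every policy must say what it is for; description is optional in
       // the request, so its absence is checked explicitly.
       && has(p.description) && size(p.description) > 0)
```

Because the checks run inside a single all() macro, one bad entry fails the whole request; that matches how the change is applied, since the policies in data are created together.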

DELETE_EGRESS_POLICIES

Triggered when egress policies are deleted.

Available referencedResources keys: egressPolicyRoot

Available request fields:

Field | Type | Description
data | set | The RIDs of the egress policies being deleted. Each entry is a string.

CREATE_TERMINAL_ACCESS_GRANT

Triggered when a terminal access grant is created.

Available referencedResources keys: environment

Available request fields:

Field | Type | Description
environment | string | The Environment ID for which terminal access is being requested.
data | map | The terminal access grant details. Contents vary by grant type.

MODIFY_VULNERABILITY_SUPPRESSIONS

Triggered when vulnerability suppressions are added or modified.

Available referencedResources keys: vulnerabilitySuppression

Available request fields:

Field | Type | Description
spaceRid | string | The RID of the space.
vulnerabilitySuppressions | list | CVE-based suppressions being added or modified. Each entry has the fields described below.
scannerSuppressions | map | Suppressions keyed by scanner name. Values are lists of suppression entries (same structure as vulnerabilitySuppressions entries).
imageNameVulnerabilitySuppressions | map | Suppressions keyed by exact image name. Values are lists of suppression entries.
imagePrefixVulnerabilitySuppressions | map | Suppressions keyed by image name prefix. Values are lists of suppression entries.
productIdVulnerabilitySuppressions | map | Suppressions keyed by Product ID. Values are lists of suppression entries.
imageEndOfSupportLifeSuppressions | map | End-of-support-life suppressions keyed by image name. Values are suppression objects (same suppression structure as below, without vulnerabilitiesToSuppress).

Each entry in vulnerabilitySuppressions (and the other suppression lists) has the following fields:

Field | Type | Description
suppression | object | The suppression metadata. Has rationale (string), category (string), and validUntil (timestamp).
vulnerabilitiesToSuppress | set | CVE IDs covered by this suppression entry. Each entry is a string such as "CVE-2021-44228".
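The policy below is an added example that applies one quality bar to every suppression list in a MODIFY_VULNERABILITY_SUPPRESSIONS request; it is not code from the Apollo documentation or product. It assumes that a result of true lets the change proceed, that the minimum rationale length and the minimum prefix length are this organisation's chosen thresholds, and that each value in imageEndOfSupportLifeSuppressions is an entry object whose suppression sub-field carries the rationale (the page says it shares the entry structure minus vulnerabilitiesToSuppress). CEL has no user-defined functions, so the per-entry predicate is repeated for each keyed map.

```cel
// Added example, not from the Apollo documentation. Assumption: true lets
// the change proceed. Every other change type short-circuits to true.
type != "MODIFY_VULNERABILITY_SUPPRESSIONS"
  || (
    // Plain CVE suppressions: a real written rationale (assumed minimum of
    // 20 characters) and an explicit, well-formed list of CVE identifiers.
    // An empty vulnerabilitiesToSuppress set would be a catch-all and is
    // therefore rejected.
    request.vulnerabilitySuppressions.all(e,
      size(e.suppression.rationale) >= 20
      && size(e.vulnerabilitiesToSuppress) > 0
      && e.vulnerabilitiesToSuppress.all(id, id.matches("^CVE-[0-9]{4}-[0-9]{4,}$")))
    // Scanner-, image-name- and Product-keyed maps hold lists of the same
    // entry shape; iterate the keys and index back into the map.
    && request.scannerSuppressions.all(k,
         request.scannerSuppressions[k].all(e,
           size(e.suppression.rationale) >= 20
           && size(e.vulnerabilitiesToSuppress) > 0
           && e.vulnerabilitiesToSuppress.all(id, id.matches("^CVE-[0-9]{4}-[0-9]{4,}$"))))
    && request.imageNameVulnerabilitySuppressions.all(k,
         request.imageNameVulnerabilitySuppressions[k].all(e,
           size(e.suppression.rationale) >= 20
           && size(e.vulnerabilitiesToSuppress) > 0
           && e.vulnerabilitiesToSuppress.all(id, id.matches("^CVE-[0-9]{4}-[0-9]{4,}$"))))
    && request.productIdVulnerabilitySuppressions.all(k,
         request.productIdVulnerabilitySuppressions[k].all(e,
           size(e.suppression.rationale) >= 20
           && size(e.vulnerabilitiesToSuppress) > 0
           && e.vulnerabilitiesToSuppress.all(id, id.matches("^CVE-[0-9]{4}-[0-9]{4,}$"))))
    // Prefix suppressions match every image starting with the key, so a
    // very short prefix silently covers the whole registry. Require at
    // least 8 characters (assumed threshold) in addition to the entry rule.
    && request.imagePrefixVulnerabilitySuppressions.all(k,
         size(k) >= 8
         && request.imagePrefixVulnerabilitySuppressions[k].all(e,
              size(e.suppression.rationale) >= 20
              && size(e.vulnerabilitiesToSuppress) > 0
              && e.vulnerabilitiesToSuppress.all(id, id.matches("^CVE-[0-9]{4}-[0-9]{4,}$"))))
    // End-of-support-life suppressions have no CVE list; only the rationale
    // can be checked. The value shape (entry with a suppression sub-field)
    // is an assumption.
    && request.imageEndOfSupportLifeSuppressions.all(k,
         size(request.imageEndOfSupportLifeSuppressions[k].suppression.rationale) >= 20)
  )
```

validUntil is deliberately not compared against the current time: CEL has no clock, so a maximum suppression lifetime has to be enforced by the component that evaluates the policy, or by a policy that rejects validUntil values beyond a fixed date.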

REMOVE_VULNERABILITY_SUPPRESSIONS

Triggered when vulnerability suppressions are removed.

Available referencedResources keys: vulnerabilitySuppression

Available request fields:

Field | Type | Description
spaceRid | string | The RID of the space.
vulnerabilitySuppressions | set | CVE IDs being removed. Each entry is a string such as "CVE-2021-44228".
scannerSuppressions | map | Scanner suppressions being removed. Keys are scanner names; values are sets of CVE ID strings.
imageNameVulnerabilitySuppressions | map | Image name suppressions being removed. Keys are image names; values are sets of CVE ID strings.
imagePrefixVulnerabilitySuppressions | map | Image prefix suppressions being removed. Keys are image name prefixes; values are sets of CVE ID strings.
productIdVulnerabilitySuppressions | map | Product suppressions being removed. Keys are Product IDs; values are sets of CVE ID strings.
imageEndOfSupportLifeSuppressions | set | Image names whose end-of-support-life suppressions are being removed.

Management overrides

CREATE_MANAGEMENT_OVERRIDE

Triggered when a management override is created.

Available referencedResources keys: None

Available request fields:

Field | Type | Description
name | string | The unique management override identifier.
owner | string | The RID of the team that will own this override.
products | set | Product IDs covered by this override.
services | set | Service locators covered by this override. Each entry has stack (string) and serviceName (string).

UPDATE_MANAGEMENT_OVERRIDE

Triggered when a management override is modified.

Available referencedResources keys: None

Available request fields:

Field | Type | Description
name | string | The management override identifier being updated.
owner | string | The RID of the team that owns this override.
products | set | Updated product IDs covered by this override.
services | set | Updated service locators covered by this override. Each entry has stack (string) and serviceName (string).

DELETE_MANAGEMENT_OVERRIDE

Triggered when a management override is deleted.

Available referencedResources keys: None

Available request fields:

Field | Type | Description
name | string | The management override identifier being deleted.