Under the section POLICY LIST, click the policy name. Click Editor → the tab 'Editor' on the left → open the tab Code to review the policy code.
1) // SObject Type
Define an input object your policy will be checking (e.g. AWS EC2 instances)
2) // Output SObject Type
Select the output object type which will store the policy check results (e.g. CloudAware Policy Violation).
Note |
---|
You will not be able to make any changes to the input object and the output object type selected once the policy is deployed! As for other changes, you can make updates to unmanaged policies. Managed policies can be updated by Cloudaware only. |
3) // How many objects will be processed per job call
You can change the batch size (final Integer batchSize = ???).
Note |
---|
Maximum size is 2000. If exceeded, you can receive the error "Apex CPU time limit exceeded". |
4) // Lifecycle configuration
Configure the lifecycle to define under what conditions the output objects are created or closed after evaluation of input objects (e.g. incomplianceCreates means that the output object is created only in cases when an input object is incompliant).
Note |
---|
You can customize your policy either using pre-built lifecycles or writing a lifecycle of your own applying available methods. Use the following methods to define the conditions when an output object is created or closed: |
incomplianceCreates() - if an input object is considered to be incompliant based on evaluation in Process, the corresponding output object gets the status 'incompliant';
complianceCreates() - if an input object is considered to be compliant based on evaluation in Process, the corresponding output object gets the status 'compliant';
complianceCloses() - if an input object is recognized as compliant, the corresponding output object gets "Close Date" assigned;
incomplianceCloses() - if an input object is recognized as incompliant, the corresponding output gets "Close Date" assigned;
inapplicabilityCreates() and inapplicabilityCloses() - if an input object is not assigned with any status except 'inapplicable' during Process, the corresponding output object is created or closed as inapplicable (see 6);
scopeLossCloses() - if an input object is off the policy scope, e.g. it has been deleted, the corresponding output object gets "Close Date" assigned;
deleteAfterDays(Integer value) - this parameter defines the number of days before the deletion of the output object and should be used along with at least 1 <...Closes()> condition for correct configuration.
updateField(String objectFieldName/SObjectField field, String outputKey) - this parameter allows you to store data in corresponding fields of an output object and refer to input objects based on their master-detail relationship, lookups, text Ids, etc. For example, you can save the ARN of the AWS IAM User which is evaluated by the policy in the output object using .updateField(CA10__CaBenchmarkCheck__c.CA10__awsIamUserArn__c, 'userArn') in the Lifecycle;
externalIdField(SObjectField field) - use this parameter to define externalIdField.
5) // Start code
Use the variable context to work with a policy context (global void start() {...});
6) // SOQL Query
Define input objects that will enter the policy scope. You can make changes to the SOQL query to define what objects will be evaluated and what will not.
7) // Process
Set up the logic your policy will use to check an input object for compliance and assign the corresponding statuses to output objects. Input objects are evaluated one-by-one.
The policy logic may be the following: For each AWS EC2 Instance with a value A in <FIELD1> assign the status 'incompliant' to the output object. If <FIELD1> is B - assign the status 'compliant'.
Note |
---|
By default, every object which is evaluated in Process is considered Inapplicable. |
The policy logic may be customized any way you like; however, Salesforce limits must be observed. Keep in mind that you should re-configure output objects in the policy lifecycle so that they can be saved with the corresponding statuses (see step 3).
8) // Finish Code
Customize your policy. This part of the policy is run after all objects are evaluated.
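
The lifecycle rules from steps 3, 4 and 7 can be checked on paper before a policy is deployed. The Python sketch below is an added illustration, not Cloudaware or Apex code: it models the rules as this page describes them and shows which input objects end up with no output record under a given lifecycle. The names `Lifecycle`, `lint` and `evaluate`, the sample instance IDs, and the treatment of scopeLossCloses() as a `<...Closes()>` condition are assumptions.

```python
# Model of the lifecycle rules described on this page (illustration only,
# not Cloudaware code; Lifecycle, lint and evaluate are hypothetical names).
from dataclasses import dataclass, field
from typing import Optional

MAX_BATCH_SIZE = 2000  # limit stated in the step 3 note

@dataclass
class Lifecycle:
    creates: set = field(default_factory=set)  # statuses whose ...Creates() is set
    closes: set = field(default_factory=set)   # statuses whose ...Closes() is set
    scope_loss_closes: bool = False
    delete_after_days: Optional[int] = None

def lint(lc, batch_size):
    """Return configuration problems that follow from the notes on this page."""
    problems = []
    if batch_size > MAX_BATCH_SIZE:
        problems.append("batchSize above 2000 risks 'Apex CPU time limit exceeded'")
    # Assumption: scopeLossCloses() counts as one of the <...Closes()> conditions.
    if lc.delete_after_days is not None and not (lc.closes or lc.scope_loss_closes):
        problems.append("deleteAfterDays needs at least one ...Closes() condition")
    return problems

def evaluate(lc, open_outputs, in_scope, process):
    """One policy run. Returns (open outputs, closed ids, ids that left no record)."""
    still_open, closed, unrecorded = dict(open_outputs), [], []
    for obj_id in list(still_open):
        if obj_id not in in_scope and lc.scope_loss_closes:
            closed.append(obj_id)            # input left the scope, e.g. deleted
            del still_open[obj_id]
    for obj_id in in_scope:
        # Step 7 note: an object that Process gives no status is inapplicable.
        status = process.get(obj_id, "inapplicable")
        if status in lc.closes and obj_id in still_open:
            closed.append(obj_id)
            del still_open[obj_id]
        elif status in lc.creates:
            still_open[obj_id] = status
        elif status not in lc.closes:
            unrecorded.append(obj_id)        # no lifecycle method handles it
    return still_open, closed, unrecorded

# Constructed sample data: i-4 is in scope, but Process never assigns it a status.
LC = Lifecycle({"incompliant"}, {"compliant"}, scope_loss_closes=True, delete_after_days=30)
OPEN = {"i-1": "incompliant", "i-2": "incompliant", "i-9": "incompliant"}
RESULT = evaluate(LC, OPEN, ["i-1", "i-2", "i-3", "i-4"],
                  {"i-1": "compliant", "i-2": "incompliant", "i-3": "incompliant"})
```

In the sample run, `i-4` is returned in the third list: with only incomplianceCreates() and complianceCloses() configured, an object that Process leaves at the default 'inapplicable' status produces no output object at all.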