Compliance as Code

Linking Existing Resources

Create relationships between existing graph resources to enforce policies like centralized asset tracking.

Use Case: Create a new relationship between resources that already exist in the graph in order to enforce a policy, such as requiring that every application and server be tracked by a central catalogue or logging system.

When [control.target.resource] omits the name template but includes match_on rules, the engine does not create a new resource. Instead it searches the graph for an existing resource of the given type whose properties satisfy every match_on rule, and that lookup must resolve to a single resource. The relation defined in [control.target.relation] is then created from each origin resource to that one target.

[[control]]
id = "DCS-06"
name = "Assets Cataloguing and Tracking"
description = """Catalogue and track all relevant physical and logical assets located
at all of the CSP's sites within a secured system."""

# This target ensures all system and application assets are tracked by Netbox.
[[control.target]]
description = "Ensure all application assets are tracked in the central inventory system (Netbox)."
# 1. Find all origin applications and servers.
origin_resource_types = [ "application", "server" ]

# 2. Find the single existing target resource to link to using match_on.
[control.target.resource]
type = "application"
match_on = [ { property = "name", value = "netbox" } ]

# 3. Define the new relation to create between them.
[control.target.relation]
type = "TRACKED_BY"

• Result: Creates a TRACKED_BY relationship from every application and server to the netbox application.
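To make the engine's behaviour concrete, here is an added example that is not the project's own code: a small Python script that parses the DCS-06 control above and applies it to a constructed in-memory graph. It implements the three steps the comments describe (select origin resources by type, resolve the target via match_on, create the relation) and two checks a practitioner would want: the match_on lookup must hit exactly one resource, and a second run creates no duplicate edges. The Graph and Resource shapes, the LookupError on zero or multiple matches, and the decision not to link the netbox application to itself are assumptions of this example, not documented engine behaviour.

```python
# Added example: re-implements the match_on linking rule on a toy graph.
from __future__ import annotations

from dataclasses import dataclass, field

try:
    import tomllib  # Python 3.11+
except ModuleNotFoundError:  # older interpreters: pip install tomli
    import tomli as tomllib  # type: ignore[no-redef]

# The control definition from the page, embedded so the example runs offline.
CONTROL_TOML = '''
[[control]]
id = "DCS-06"
name = "Assets Cataloguing and Tracking"
description = """Catalogue and track all relevant physical and logical assets located
at all of the CSP's sites within a secured system."""

[[control.target]]
description = "Ensure all application assets are tracked in the central inventory system (Netbox)."
origin_resource_types = [ "application", "server" ]

[control.target.resource]
type = "application"
match_on = [ { property = "name", value = "netbox" } ]

[control.target.relation]
type = "TRACKED_BY"
'''


@dataclass
class Resource:  # assumed node shape
    id: str
    type: str
    props: dict[str, object]


@dataclass
class Graph:
    """Minimal property graph (assumed shape): nodes by id, edges as (src, type, dst)."""
    resources: dict[str, Resource] = field(default_factory=dict)
    relations: set[tuple[str, str, str]] = field(default_factory=set)

    def add(self, rid: str, rtype: str, **props: object) -> Resource:
        self.resources[rid] = Resource(rid, rtype, dict(props))
        return self.resources[rid]

    def find(self, rtype: str, match_on: list[dict]) -> list[Resource]:
        """Resources of the given type whose properties satisfy every match_on rule."""
        return [r for r in self.resources.values() if r.type == rtype
                and all(r.props.get(m["property"]) == m["value"] for m in match_on)]


def load_controls() -> list[dict]:
    return tomllib.loads(CONTROL_TOML)["control"]


def resolve_target(graph: Graph, spec: dict) -> Resource:
    """No name template + match_on rules => look up an existing resource, never create one."""
    if "name" in spec:
        raise ValueError("name template present: the engine would create a resource, not modelled here")
    match_on = spec.get("match_on")
    if not match_on:
        raise ValueError("resource spec needs either a name template or match_on rules")
    hits = graph.find(spec["type"], match_on)
    if len(hits) != 1:  # the target must be a single existing resource (assumed: error otherwise)
        raise LookupError(f"expected exactly one {spec['type']} matching {match_on}, found {len(hits)}")
    return hits[0]


def apply_control(graph: Graph, control: dict) -> list[tuple[str, str, str]]:
    """Create the relation from every origin resource to the resolved target.

    Returns only the edges created on this run, so re-applying the control yields [].
    Skipping a self-link from the target to itself is an assumption of this example.
    """
    created: list[tuple[str, str, str]] = []
    for target in control["target"]:
        dst = resolve_target(graph, target["resource"])
        rel_type = target["relation"]["type"]
        origin_types = set(target["origin_resource_types"])
        for src in graph.resources.values():
            if src.type not in origin_types or src.id == dst.id:
                continue
            edge = (src.id, rel_type, dst.id)
            if edge not in graph.relations:
                graph.relations.add(edge)
                created.append(edge)
    return created


def build_sample_graph() -> Graph:
    """Constructed sample inventory, not real data."""
    g = Graph()
    g.add("app-1", "application", name="billing")
    g.add("app-2", "application", name="netbox")  # the only match_on hit
    g.add("srv-1", "server", name="web01")
    g.add("db-1", "database", name="pg01")  # not an origin type: left untouched
    return g


def run() -> tuple[Graph, list[tuple[str, str, str]]]:
    g = build_sample_graph()
    created = [e for control in load_controls() for e in apply_control(g, control)]
    return g, created
```

Running `run()` returns the graph plus the two edges created, `app-1 -TRACKED_BY-> app-2` and `srv-1 -TRACKED_BY-> app-2`; the database node is untouched because `database` is not in origin_resource_types, and adding a second application named `netbox` makes `resolve_target` fail rather than silently linking everything to an arbitrary one of them.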