Multi-Target Constraint Framework #204
Unanswered
maxsmythe asked this question in Gatekeeper
Replies: 0 comments
Per Tom McKay's suggestion, I'm adding this design doc discussed in this week's Gatekeeper community meeting into a GitHub discussion.
Parallel to writing Gatekeeper, the project also wrote the Constraint Framework, which forms the logical "core" of Gatekeeper. It defines the rough shape of what constraints and templates are and how they behave.
The goal of the Constraint Framework was to have something platform and enforcement-point neutral that could be used to bring the same policy primitives to other realms (e.g. Terraform, GCP, Azure, etc.) and other enforcement points (e.g. GitOps), without the need to rewrite the same policy multiple times to support the format drift between these environments.
This doc looks at the policy space for cloud overall and tries to slot the Constraint Framework into a unique spot in that ecosystem.
One of the conclusions is that some amount of language agnosticism is needed for maximum portability, at least in the short term. I'd love to follow through with this design, but there may be some resistance to having a non-Rego-specific offering in the OPA org.
What are people's opinions?