feat: Allow failed on additional requirement in policy workflow
Summary
We can add additional requirements in a policy workflow, and currently, if these requirements fail to get approved, the original appeal also fails. We can add allow_failed as a configuration in the policy requirements flow to handle failure and continue with the original appeal, and not block the main appeal because of an additional appeal failure.
Proposed solution
Add config allow_failed like:
id: bigquery_approval
version: 1
requirements:
- appeals:
- policy:
id: auto_approval
version: 1
+ allowed_failed: true
resource:
provider_type: gcloud_iam
provider_urn: sample_provider_urn
type: project
urn: projects/sample_provider_urn
role: roles/bigquery.jobUser
"on":
provider_type: bigquery
role: writer
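Review bot: the added line spells the key allowed_failed, while the summary and the sentence introducing the snippet both call it allow_failed; pick one spelling and use it in both places so the documented key is the one the parser accepts. The proposal should also state whether the flag belongs to the additional appeal entry or to its policy block, and what the behaviour is when the key is omitted, since the existing fail-closed behaviour (the original appeal fails when the additional appeal fails) is the safer default for an access workflow.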
@singhvikash11 can you please explain the scenario for it? When do we need such a case?
@mabdh we have configured an additional policy for data access with role data-retrieval in case someone raises an access request to a dataset with the role viewer. However, the additional appeal could fail for many reasons, like:
- the resource/role specified in the additional appeal doesn't exist
- the duration does not match the policy associated with the additional appeal
- the additional appeal could have a manual workflow and an approver rejects the additional appeal
In all such cases where additional appeals fail, people can't get the original request either.
@mabdh we can even think of something like a skip or removing the dependency on the additional appeal. This will be useful if an additional appeal has a manual approver and the original appeal should not wait for a manual approver for the additional appeal.
Based on the discussion, this will not be needed anymore.