API Governance

Author: Tanisha Khandelwal

This blog serves as a guide to provide organizations with practical insights on implementing automatic governance checks throughout the API development lifecycle, with specific focus on the development and cataloging phases. It also highlights strategies for ensuring that each API complies with security and best practices requirements on the API Governance Console.

About API GOVERNANCE

Anypoint API Governance, a vital component of the Anypoint Platform, enables organizations to enforce governance rules throughout the API lifecycle, ensuring consistent API quality and security from design to development and deployment stages.

With API Governance you can:

• Enhancing API Quality through Conformance Identification: Utilize the API Governance Console to identify conformance issues within published API specifications.
• Sharing Governance Best Practices through Anypoint Exchange: Leverage the power of Anypoint Exchange to share governance rulesets with other developers in your organization by publishing governance rulesets to exchange
• Applying Consistent Rules at Design Time with Anypoint API Designer:: With the API Governance Console, you can apply governance rulesets directly at the design stage using Anypoint API Designer.
• Enforcing Governance within your DevOps Pipeline: Integrate the API Governance Console into your DevOps practices by automating the application of governance standards to your API contracts and specifications within your CI/CD pipeline.

Governance Console

Within the API Governance Console, you can incorporate governance rulesets into governance profiles, allowing you to apply these rulesets to multiple APIs across your organization. By doing so, the API Governance Console offers a comprehensive overview of conformance for all validated APIs. This enables you to monitor the conformance of your APIs and proactively notify developers, facilitating improvements in adherence to governance standards.

Governance in Exchange and Design Center

API Governance is integrated with the Exchange and Design Center.

• Within the Anypoint Exchange, developers have the capability to access comprehensive conformance status details of published APIs. They can also explore the available rulesets provided by the platform and even publish their own custom rulesets.
• In the Design Center, developers and architects have the ability to validate API conformance during the design phase. They can achieve this by directly incorporating governance rulesets into API specifications as dependencies.

Walkthrough

Let us see how to achieve conformance with different steps in this walkthrough.

Step 1: Achieving conformance in Design center.

1. To begin, you need a RAML in the Design center.

2. Go to dependencies and then click on ‘+’ icon to add the suitable rulesets that you wish to apply to the RAML. In this walkthrough, let us add ‘HTTPS Enforcement’ ruleset to the RAML.

3. After applying the rulesets, the rulesets will be evaluated against the RAML and warnings are displayed in the ‘Project Errors’ section at the bottom of the RAML as shown below.

4. The ruleset ‘HTTPS Enforcement’ evaluates the RAML against three rules. They are:

1. Using HTTPS in urls
2. Using HTTPS in callbacks
3. Using HTTPS protocol

5. Here in the above example, the protocol is ‘HTTP’, hence after applying the ‘HTTP Enforcement’ ruleset, the warning for protocol is displayed in the console.
6. To achieve conformance, change the protocol from ‘HTTP’ to ‘HTTPS’ and see the warning disappear.

7. This way we can make sure that the RAML is conformant in the design stage.
8. Once the ruleset is followed, you will be able to publish the API.

Step 2: Achieving conformance through ‘Governance Profile’.

1. To begin, you need an API published in Exchange.
2. In the published API below, we can see on the right-hand side of the page that the API is not validated.
3. In this walkthrough, let us create a governance profile that will validate the API against the ‘HTTPS Enforcement’ ruleset and display the governance status as conformant or non-conformant.

4. Go to ‘API Governance’ Tab in Anypoint Platform.
5. Click on the button ‘+ New Profile’.

6. Enter the general information about the Governance profile like the name and description and click on ‘Next’.

7. Search the rulesets that need to be included in the Governance profile in the search bar and select the required rulesets.

8. Apply the required filter criteria to include only the required APIs from the exchange in the Governance profile and click on Next.

9. Provide the recipient details where the notifications will be sent based on the governance status and click on ‘Next’.

10. Review all the entered information and click on ‘Create’.

11. The governance profile will be created and will start validating the APIs against the rulesets selected.
12. The governance profile then displays the governance and conformance status in the dashboard.

13. You can now go to the exchange, open the API included in the governance profile and see the Conformance status as ‘Conformant’ in the right hand side of the page as the API is following all the rules being validated in ‘HTTPS Enforcement’ rulesets.