I'm working on a Rego/OPA policy, specifically for checking whether Azure resources' diagnostic settings are compliant based on specified parameters. However, I'm having several issues when trying to compile my policy to WASM. When I run it in the Rego Playground it works.
Rego Policy
package azure_resources_diagnostic_settings
default compliant = false
# logs
# description: Checks whether the logs configuration matches the provided configuration. If no log configuration is provided, then the resource is considered compliant by default.
# parameters:
# - Diagnostic Setting Logs to be evaluated.
# - Configuration against which it must be compared.
# output:
# true:
# - No Logs configuration is provided.
# - Diagnostic Setting Logs configuration matches with the one on the provided configuration.
# false: At least one log setting doesn't match when compared against the provided configuration.
logs(logsSettings, configuration) = true
{
object.get(configuration, "logs", null) == null
}
else = true
{
enabled = [temp | temp := logsSettings[_]; temp.enabled == true]
object.get(configuration, "logs", null) != null
object.get(configuration.logs, "categoryGroups", null) != null
count([temp | temp := enabled[_]; lower(temp.categoryGroup) == lower(configuration.logs.categoryGroups[_])]) == count(configuration.logs.categoryGroups)
}
else = true
{
enabled = [temp | temp := logsSettings[_]; temp.enabled == true]
object.get(configuration, "logs", null) != null
object.get(configuration.logs, "categories", null) != null
count([temp | temp := enabled[_]; lower(temp.category) == lower(configuration.logs.categories[_])]) == count(configuration.logs.categories)
}
# evaluate
# description: Checks whether the diagnostic setting configuration of the specified Azure Resource matches against the provided configuration.
# parameters:
# - Diagnostic Setting to be evaluated.
# - Configuration against which it must be compared.
# output:
# true: Diagnostic Setting configuration matches with the one on the provided configuration.
# false: At least one setting doesn't match when compared against the provided configuration.
evaluate(diagnosticSetting, configuration) = true
{
object.get(diagnosticSetting.properties, configuration.destinationDetails, null) != null
count([temp | temp := logs(diagnosticSetting.properties.logs, configuration)]) != 0
}
# main
# description: Checks whether the diagnostic settings configuration of the specified Azure Resource matches against the provided configuration. If the resource is not included in the provided parameters, it is considered compliant by default.
# input: Azure Microsoft Resource basic information along with its diagnostic settings.
# reference: Azure Monitor Diagnostic Settings (https://docs.microsoft.com/en-us/rest/api/monitor/diagnostic-settings/list)
# output:
# true:
# - The resource is not included in the provided parameters.
# - The resource diagnostic settings configuration matches with the provided criteria.
# false:
# - There are no diagnostic settings configured.
# - None of the configured diagnostic settings matches against the provided criteria.
compliant = true
{
count([temp | temp := data.resources[_]; lower(temp.type) == lower(input.resource.type)]) == 0
}
else = true
{
configuration = [temp | temp := data.resources[_]; lower(temp.type) == lower(input.resource.type)][0]
diagnosticSettings = [temp | temp := input.resource.children[_];lower(temp.resourceType) == "microsoft.insights/diagnosticsettings"][0].contents
count([temp | temp := evaluate(diagnosticSettings[_], configuration)]) != 0
}
Build Command
./opa.exe build .\policy.rego --v0-compatible --target wasm --output .\output.tar.gz --entrypoint azure_resources_diagnostic_settings --debug
Error Message
error: 1 error occurred: .\policy.rego:1: rego_type_error: undefined ref: data.azure_resources_diagnostic_settings.evaluate
data.azure_resources_diagnostic_settings.evaluate
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
have: (any, any) => boolean
I've Tried
Replace: count([temp | temp := evaluate(diagnosticSettings[_], configuration)]) != 0
For: count([temp | temp := diagnosticSettings[_]; evaluate(temp, configuration)]) != 0
But I still receive the same error. I am a little confused about the error message: from what I understand, it's not recognizing the evaluate function, but it then reports an error on it of: have: (any, any) => boolean
As far as I understand, the issue is that it doesn't recognize the function evaluate, so it is not evaluated in the second compliant block and the result is an array.
While debugging, I found that the issue is with the following line in the evaluate function:
count([temp | temp := logs(diagnosticSetting.properties.logs, configuration)]) != 0
It seems the error comes from calling the logs function, but I wasn't able to make it work on build. It works in the Rego Playground and with opa run.
- Can you help me to understand why I don't have the same error in the Rego Playground?
- What can I do to compile / build it in wasm?
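To separate a WASM build problem from a policy-semantics problem, it helps to have an oracle that states what the policy is supposed to return for a given input and data document. The following is an added example, not the poster's code and not part of OPA: a plain-Python re-implementation of the decision logic encoded in the Rego policy above (resource-type lookup, destination check, case-insensitive categoryGroup/category matching), with constructed sample data. It assumes the intent of the count comparison is "every configured group or category has an enabled entry", so it uses set containment; that is an assumption, and it differs from the count-based Rego only when either list contains duplicates.

```python
# Added example (not the poster's policy): a Python re-implementation of the
# compliance semantics of the Rego policy, usable as an oracle when comparing
# Playground, `opa run` and WASM results on the same input/data documents.
# All sample data is constructed; property names mirror the question's policy,
# the concrete values (IDs, workspace path) are placeholders.

def _enabled_values(log_settings, key):
    """Lower-cased values of `key` across log settings that are enabled."""
    return {str(s[key]).lower() for s in log_settings
            if s.get("enabled") is True and key in s}


def logs_compliant(log_settings, configuration):
    """Mirror of the three-way `logs` rule: no config -> true; otherwise every
    configured categoryGroup, or failing that every configured category, must
    be enabled. Set containment is used instead of count equality (assumption
    about the intent; see lead-in)."""
    cfg = configuration.get("logs")
    if cfg is None:
        return True
    groups = cfg.get("categoryGroups")
    if groups is not None and {g.lower() for g in groups} <= _enabled_values(log_settings, "categoryGroup"):
        return True
    cats = cfg.get("categories")
    if cats is not None and {c.lower() for c in cats} <= _enabled_values(log_settings, "category"):
        return True
    return False


def evaluate(diagnostic_setting, configuration):
    """Mirror of `evaluate`: the configured destination key must be present in
    properties and the log settings must satisfy `logs_compliant`."""
    props = diagnostic_setting.get("properties", {})
    if props.get(configuration["destinationDetails"]) is None:
        return False
    if "logs" not in props:  # undefined ref in Rego -> the rule is undefined
        return False
    return logs_compliant(props["logs"], configuration)


def compliant(input_doc, data):
    """Mirror of `compliant`: resource type not listed in data -> true;
    otherwise at least one diagnostic setting must pass `evaluate`."""
    rtype = input_doc["resource"]["type"].lower()
    matches = [r for r in data["resources"] if r["type"].lower() == rtype]
    if not matches:
        return True
    configuration = matches[0]
    settings_children = [c for c in input_doc["resource"].get("children", [])
                         if c.get("resourceType", "").lower() == "microsoft.insights/diagnosticsettings"]
    if not settings_children:  # [...][0] on an empty array -> undefined -> default false
        return False
    return any(evaluate(ds, configuration) for ds in settings_children[0].get("contents", []))


# Constructed sample data document (placeholder values, not real resources).
SAMPLE_DATA = {"resources": [{
    "type": "Microsoft.KeyVault/vaults",
    "destinationDetails": "workspaceId",
    "logs": {"categoryGroups": ["audit"]},
}]}


def sample_input(enabled=True, with_settings=True, rtype="microsoft.keyvault/vaults"):
    """Constructed input document with one diagnostic setting (or none)."""
    children = []
    if with_settings:
        children.append({
            "resourceType": "Microsoft.Insights/diagnosticSettings",
            "contents": [{"properties": {
                "workspaceId": "/subscriptions/PLACEHOLDER/resourceGroups/rg/providers/"
                               "Microsoft.OperationalInsights/workspaces/la-example",
                "logs": [{"categoryGroup": "Audit", "enabled": enabled}],
            }}],
        })
    return {"resource": {"type": rtype, "children": children}}


if __name__ == "__main__":
    cases = [("audit enabled", sample_input()),
             ("audit disabled", sample_input(enabled=False)),
             ("no diagnostic settings", sample_input(with_settings=False)),
             ("type not in data", sample_input(rtype="Microsoft.Storage/storageAccounts"))]
    for label, doc in cases:
        print(f"{label}: compliant={compliant(doc, SAMPLE_DATA)}")
```

Feed the same `SAMPLE_DATA` and `sample_input(...)` documents (as data.json and input.json) to the Playground, to `opa eval`, and to the WASM bundle; if the oracle and the Playground agree but the WASM output differs, the discrepancy is in the build, not in the policy's intended semantics.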