180 questions
0 votes, 0 answers, 40 views
Issues with OPA/Reg Policy Compilation to WASM
I'm working on a Rego/OPA policy, specifically for checking Azure resources diagnostic settings compliant based on specified parameters. However, I'm having several issues when trying to compile my ...
0 votes, 1 answer, 123 views
Do Rego policies compiled into WASM modules support `http.send`?
The OPA WASM documentation mentions that built-in functions like http.send are not natively supported by WASM.
However, I was able to successfully compile and evaluate WASM modules from Rego policies ...
0 votes, 1 answer, 64 views
Rego graph.reachable not printing leaf nodes
I'm trying to get a simple expansion of some relations using Rego's graph.reachable. For some reason this isn't printing leaf nodes and I've not yet figured out why.
inherits_from[role_id] contains ...
1 vote, 0 answers, 96 views
Writing an OPA Policy that enforces tagging, but only for AWS resources that allow tagging
In the project I'm working on, we're getting OPA failures because our policy checks for tags on resources, but some resources do not allow tags, such as SNS.
Is it possible to write a policy that can ...
2 votes, 0 answers, 68 views
Translating a Rego policy to AWS Cedar
I have the following dummy Rego policy
is_permitted if {
owner := dataowner.resources[input.resource][input.resource_id].owner
permitted_members := data.owners[owner].permissions[input....
0 votes, 1 answer, 492 views
How can I return a single value in rego function?
I have the following rego:
retry_count_key := "retry"
get_retries_count(str) := {x |
some i
parts := split(str[i], ":")
parts[0] == retry_count_key
x := to_number(...
1 vote, 1 answer, 125 views
OPA/REGO Using AND condition to combine two arrays of Boolean values
I wish to combine two arrays of Boolean values using AND.
For example: a1 := [true, true, false], a2 := [false, true, false].
The resulting AND operation:
a3 = a1 AND a2 would be [false, true, false]
0 votes, 1 answer, 789 views
Nested if or some kind of nested condition in OPA rule engine
I am new to OPA rule engine and have tried a few things out, I am unable to write a nested if in opa rule engine like
output := someValue if {
someValue := someOtherValue if {
}
}
I know ...
1 vote, 1 answer, 249 views
Rego object comprehension seems incomprehensible to me; lowercase the keys
In rego, I want to convert this:
d := {"a": "aye", "B": "bEe"}
to:
l := {"a": "aye", "b": "bEe"}
where the keys are ...
0 votes, 1 answer, 76 views
What would be the OPA policy for accessing a special path?
I am new to OPA and have tried a lot to get this result:
I want OPA to only allow access to /index. I am working on minikube with docker installed and I have a microservice as webserver. But the ...
0 votes, 1 answer, 107 views
Tutorial from the OPA-Website for Istio is not working as it should
I followed all these steps here:
https://istio.io/latest/docs/setup/getting-started/
And then all steps for the Opa-Istio-Tutorial here:
https://www.openpolicyagent.org/docs/envoy/tutorial-istio
I don'...
0 votes, 1 answer, 780 views
OPA eval command
I am very new to OPA but testing something very simple. I would like to create a policy to ensure my s3 is not public.
my simple TF file:
terraform {
required_providers {
aws = {
source = ...
0 votes, 1 answer, 131 views
Generate dictionary with a string as a key and an array of strings as value
I have the following Rego policy:
package authz
import future.keywords.in
# The permissions the user has for each property
permissions[property_id][permission] {
some property_id, property_roles ...
2 votes, 1 answer, 205 views
Conditions in a OPA policy function (Rego)
I have the following helper function in a test of my OPA policy. I would like to make it more generic and return the resource with the commonName field only if cn is not empty. Any ideas on how I can ...
1 vote, 1 answer, 701 views
Hiding an object from output in Rego Policy
I created a Rego Policy but I would like to hide some of the objects from the output of the Rego.
Let's take this simple Rego as an example.
package cats
default cats := false
cats{
input.cat == ...
0 votes, 2 answers, 1k views
Rego: how to merge objects set values
How can I merge the values of an object in Rego (set type) into a single set containing all the object values?
This is my input object:
input_data = {
"1": {
"bob": {"...
1 vote, 0 answers, 275 views
Rego number of policies evaluated
I am trying to validate some policies using the /opa/rego package.
The policies are evaluated as expected in this script. But, I also want to count the number of rules and the rule names evaluated as ...
0 votes, 1 answer, 283 views
OPA REGO deconstructing nested array
I got data something like this:
{
"TENANT1":{ <-- Multiple tenants
"SITE1":{ <-- Every tenant can have multiple sites
"SITE1_DEVICE1":[ <-- Every ...
1 vote, 1 answer, 631 views
Getting Error: undefined: rego.ReadFile while trying to read rego file
While I was trying to compile the code, getting below error. I have imported "github.com/open-policy-agent/opa/rego" but still getting the error.
-bash-4.2$ go build main.go
# command-line-...
3 votes, 1 answer, 1k views
In Rego, why is "every" never false?
According to the Open Policy Agent documentation, in Rego, every evaluates either to true or undefined. Why not true or false? What is it about Rego that suggests false is the wrong value? By ...
2 votes, 2 answers, 4k views
OPA giving error "rego_parse_error: var cannot be used for rule name"
I have a simple rego file like this:
package example
default isApplicable := false
isApplicable if {
timeNow := time.now_ns()
timeNow >= input.startDatetime
}
and I keep getting parse ...
0 votes, 1 answer, 296 views
Transform ["a=b","c=d","e=f"] to {"a":"b","c":"d","e":"f"} in rego
I have an array as defined below
["dev=devA",
"instance=instanceA",
"domain=domainA",
"namespace=namespaceA",
"...
1 vote, 3 answers, 922 views
How to ignore FAIL during conftest policy check in atlantis
I am still in the testing phase and would like to allow merging of my PR even if the policy_check is FAILING. What flag can I pass to enable that?
My current config:
repos:
- id: /.*/
...
0 votes, 1 answer, 474 views
Rego - how to mimic set generation using functions
I have a rule that I expect to be reused by a variety of modules. I figured, let's turn that into a function, have the modules pass their input into a function and use a set comprehension like ...
0 votes, 1 answer, 2k views
Is there a way in OPA to only evaluate policies relevant to certain request?
I'm experimenting with OPA and securing HTTP REST API. I want to implement ABAC authorization. My question is if it's possible to create rules in such a way that only those relevant to the request ...