Open Policy Agent (OPA) is a declarative policy language that can be used across your cloud ecosystem to ensure controlled deployments. It has increased in popularity with the Terraform community as a way to check Terraform plans and ensure DevOps teams are deploying according to organizational standards.
The first 3 parts in this series provided an overview of developing and testing OPA policies and a detailed guide to writing OPA policies for Terraform and Scalr.
In this article we are providing a series of simple templates that implement a number of common policy requirements. The templates are easily adaptable for resource and attribute, and each template is set to work for top level attributes of a resource.
This initial set of templates covers the following.
In general these templates can be configured simply by setting the resources, attribute and ...list variables as in this example:
The templates can all be pulled from this Github repo (https://github.com/scalr-eap/policy-templates). Below are a few examples with expanded descriptions of the OPA logic.
These templates make use of the capability to reference an attribute via a variable as shown in this code snippet
The variable “item” would now contain the value of the “key_name” attribute, or would be undefined if the attribute does not exist.
This policy implements a black list for values of a scalar type attribute.
The critical rule here is
This iterates on all the values in the black_list and if a match with the attribute value is found then the reason is assigned in the next rule.
This policy implements a white list for values of an array type attribute.
This policy differs from the first one in two respects. Firstly it’s a white list, so we need to check for matches to any values, and secondly the attribute is an array, so we need iterate on that array as well as the white list
The critical lines are
The resource attribute is also an array, so we need to start an iteration on that as well. We can use the same variable to reference the attribute and simply suffix the expression with “[_]” to start the iteration.
Because it’s a white list we can't do a simple iteration on the array. The attribute value will only match zero or one item in the array, and all the non matching values would drop through and set the reason. So to make this work we need a helper rule (array_contains) that will return true if there is any match to the array. We only want to set the reason if there is no match, so we negate the function call with a “not”
The examples above and other templates can be pulled from this Github repo (https://github.com/scalr-eap/policy-templates).
If you have not read parts one, two or three yet, please check them out. If you are interested in more examples, Scalr maintains an ever expanding library of OPA policy examples in our Github repository. Feel free to make a PR and contribute or create an issue if there is an example you would like to see.