anderseknert / google_sql_database_instance.rego
Last active May 27, 2024 07:47
google_sql_database_instance policy
package google_sql_database_instance
import rego.v1
# Reports the id of every entry under input.google_sql_database_instance for
# which valid_db_instance does not hold. Because the check is negated, an
# instance for which valid_db_instance is undefined (for example because a field
# it reads is missing) is reported as well.
# NOTE(review): an instance without an `id` field adds nothing to the set, since
# the rule head cannot be evaluated for it. Confirm every instance carries an id.
violations contains instance.id if {
	some instance in input.google_sql_database_instance
	not valid_db_instance(instance)
}
valid_db_instance(db_instance) if every setting in db_instance.config.settings {
anderseknert / db_setting.rego
Last active May 25, 2024 08:47
Terrascan DB settings policy
package accurics
import rego.v1
# Reports the id of every database instance that has at least one setting
# flagged by invalid_db_instance_setting.
# NOTE(review): this form iterates over the settings, so an instance whose
# config.settings is missing or empty produces no violation. Add an explicit
# presence check if absent settings should fail the policy.
violations contains instance.id if {
	some instance in input.google_sql_database_instance
	some candidate in instance.config.settings
	invalid_db_instance_setting(candidate)
}
anderseknert / or_array.rego
Created September 20, 2023 12:54
Or array
# Collects the elements of input.my_array. When input.my_array is undefined the
# comprehension has nothing to iterate over and evaluates to [], so arr is
# always defined.
arr := [item | item := input.my_array[_]]
anderseknert / or_array.js
Created September 20, 2023 12:53
Imperative OR array
// Falls back to an empty array when my_array is falsy (undefined, null, false,
// 0, "" or NaN). A truthy value that is not an array is passed through
// unchanged, so this is a default, not a type check.
arr = my_array || []
anderseknert / object_get.rego
Created September 20, 2023 12:52
object.get
allow if {
# return input.user.name, or "anonymous" if the lookup fails
# (object.get only uses the default when the path is missing)
user := object.get(input, ["user", "name"], "anonymous")
# Fails when no name was supplied, or when the supplied name is literally
# "anonymous".
# NOTE(review): this only shows that the key is present; a null or empty name
# still passes this line. Presumably input.user comes from a verified
# credential; confirm against the caller.
user != "anonymous"
# ... more conditions
}
anderseknert / object_or.rego
Created September 20, 2023 12:51
Object-based OR
# Produces a denial reason when status_code is one of the mapped codes; the
# object lookup acts as an OR over its keys. For any other status_code the
# lookup fails and deny is undefined.
# NOTE(review): status_code is not bound in this snippet, presumably it is
# defined elsewhere in the policy. Callers should not read an undefined deny as
# approval unless a separate default covers the unmapped codes.
deny := reason if {
	reasons_by_code := {
		400: "Bad request",
		404: "Not found",
		500: "Internal server error",
	}
	reason := reasons_by_code[status_code]
}
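# Allows the request when its method is HEAD or GET. Any other method, or a
# missing input.request.method, leaves allow undefined.
# NOTE(review): the head is written without `if`; under `import rego.v1` or
# OPA 1.0 it must read `allow if {`.
allow {
	# Simple way to "inline" an OR check — turn it into a "contains" problem.
	# The set members must use plain ASCII double quotes; typographic quotes are
	# not string delimiters and the policy would not parse.
	# Matching is exact and case-sensitive.
	input.request.method in {"HEAD", "GET"}
}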
# Expressions may be evaluated in any order
# Rules that share a name are OR-ed together: allow is true as soon as any one
# of them holds, so no definition can take precedence over, or veto, another.
allow if expression1
allow if expression2
allow if expression3
# Expressions evaluated from top to bottom
allow if {
expression1
} else {
expression2
anderseknert / pattern_matching.rego
Created September 20, 2023 12:48
Pattern matching
# First name may be either "joe" or "jane" for function to evaluate
# No rule body needed as argument passed will be matched for equality
# The match is exact string equality (case-sensitive); for any other argument
# the function is undefined rather than false.
allowed_firstname("joe")
allowed_firstname("jane")
# This works with multiple arguments too, where only some are matched
# statically
# The country argument is matched by equality against the literal in the head;
# age is bound as a variable and checked in the body.
# NOTE(review): the comparisons are strict, so an age of exactly 18 (Sweden) or
# exactly 21 (USA) is not allowed. Confirm whether `>=` is intended.
alcohol_allowed("Sweden", age) if age > 18
alcohol_allowed("USA", age) if age > 21
alcohol_allowed(country, age) if {
anderseknert / pattern_matching.rego
Created September 20, 2023 12:47
Pattern matching
# First name may be either "joe" or "jane" for function to evaluate
# Explicit form: each definition binds the argument and compares it in the
# body. The two definitions are OR-ed; for any other name the function is
# undefined rather than false.
allowed_firstname(name) if name == "joe"
allowed_firstname(name) if name == "jane"