H. Ozgan hozgan

## README
###
### [2023-06-19] UPDATE: Just tried to use my instructions again on a fresh install and it failed in a number of places.
###.   Not sure if I'll update this gist (though I realise it seems to still have some traffic), but here's a list of
###.   things to watch out for:
###      - Check out the `nix-darwin` instructions, as they have changed.
###      - There's a home manager gotcha https://github.com/nix-community/home-manager/issues/4026
###

# I found some good resources but they seem to do a bit too much (maybe from a time when there were more bugs).
# So here's a minimal Gist which worked for me as an install on a new M1 Pro.

## opa-vs-casbin.md

      
              1 file
            
          
              4 forks
            
          
                7 comments
              
            
              46 stars
            
          
                StevenACoffman
                / opa-vs-casbin.md
            
            
              Last active
              October 25, 2025 06:57
            
              
                OPA vs Casbin
              
          
    Information in this Gist originally from this github issue, which is outdated.

As @RomanMinkin mentioned, you can also consider Casbin (https://github.com/casbin/casbin). It is the most starred authorization library in Golang. There are several differences between Casbin and OPA.


Feature
Casbin
OPA


Library or service?
Library/Service
Library/Service


How to write policy?
Two parts: model and policy. Model is general authorization logic. Policy is concrete policy rule.
A single part: Rego


RBAC hierarchy
Casbin supports role hierarchy (a role can have a sub-role)
Role hierarchies can be encoded in data. Also with the new graph.reachable() built-in function queries over those hierarchies are much more feasible now.


RBAC separation of duties
Not supported
Supported: two roles cannot be assigned together


## 0.12.tf
#### first class expresssion
variable "ami" {}
resource "aws_instance" "example" {
  ami           = var.ami
}

#### list & map
resource "aws_instance" "example" {
  vpc_security_group_ids = var.security_group_id != "" ? [var.security_group_id] : []
}

## Makefile
# How to encrypt/decrypt your text/blob secret with AWS KMS with AWS cli

KEY_ID=alias/my-key
SECRET_BLOB_PATH=fileb://my-secret-blob
SECRET_TEXT="my secret text"

ENCRYPTED_SECRET_AS_BLOB=encrypted_secret_blob
DECRYPTED_SECRET_AS_BLOB=decrypted_secret_blob  # Result of decrypt-blob target

encrypt-text:
	###
	### [2023-06-19] UPDATE: Just tried to use my instructions again on a fresh install and it failed in a number of places.
	###. Not sure if I'll update this gist (though I realise it seems to still have some traffic), but here's a list of
	###. things to watch out for:
	### - Check out the `nix-darwin` instructions, as they have changed.
	### - There's a home manager gotcha https://github.com/nix-community/home-manager/issues/4026
	###

	# I found some good resources but they seem to do a bit too much (maybe from a time when there were more bugs).
	# So here's a minimal Gist which worked for me as an install on a new M1 Pro.
Feature	Casbin	OPA
Library or service?	Library/Service	Library/Service
How to write policy?	Two parts: model and policy. Model is general authorization logic. Policy is concrete policy rule.	A single part: Rego
RBAC hierarchy	Casbin supports role hierarchy (a role can have a sub-role)	Role hierarchies can be encoded in data. Also with the new `graph.reachable()` built-in function queries over those hierarchies are much more feasible now.
RBAC separation of duties	Not supported	Supported: two roles cannot be assigned together
	#### first class expresssion
	variable "ami" {}
	resource "aws_instance" "example" {
	ami = var.ami
	}

	#### list & map
	resource "aws_instance" "example" {
	vpc_security_group_ids = var.security_group_id != "" ? [var.security_group_id] : []
	}
	# How to encrypt/decrypt your text/blob secret with AWS KMS with AWS cli

	KEY_ID=alias/my-key
	SECRET_BLOB_PATH=fileb://my-secret-blob
	SECRET_TEXT="my secret text"

	ENCRYPTED_SECRET_AS_BLOB=encrypted_secret_blob
	DECRYPTED_SECRET_AS_BLOB=decrypted_secret_blob # Result of decrypt-blob target

	encrypt-text: