Code I'm using in seeking help from the OPA Slack channel.
Here's the idea.
For the resource_key_value_matches function, I want to allow users to specify the path within a resource, with any number of nested levels deep.
For an example call, see the common_test.rego file.
resource_key_value_matches(s3_bucket_plan.resource_changes[0], "server_side_encryption_configuration[0].rule[0].apply_server_side_encryption_by_default[0].sse_algorithm", "AES256")
The function won't know how many levels deep it should go until the user supplies it.
I didn't expect it to work as-is, but I wanted to show what I am aiming for. Hoping that someone from the Slack channel can help with this.
Please let me know if you have any ideas. Thank you!!
opa test -v .
opa run ./plan-file-for-reference.json
You can view the sample plan file for reference. It's the JSON file in this gist.
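One way to implement the helper the post above asks for, written as an added example (it is not code from this gist, from OPA, or from the Slack thread). It assumes OPA 0.59 or newer (`import rego.v1`), that the resource handed in is an element of `plan.resource_changes` so its attributes live under `resource.change.after`, and that bracket indexes in the path are numeric. The sample resource is constructed for the example and is not the plan file from the gist. The trick is that `walk` enumerates every (path, value) pair in the object regardless of depth, so the function only has to turn the user's dotted string into the same path array that `walk` produces and compare.

```rego
# Added example, not part of the original gist. Assumes OPA >= 0.59 (rego.v1)
# and that `resource` is an entry of plan.resource_changes (attributes are
# under resource.change.after). Only numeric bracket indexes are supported.
package terraform.common

import rego.v1

# Constructed sample resource_changes[0] entry; real plan files carry more fields.
sample_resource := {
	"address": "aws_s3_bucket.example",
	"type": "aws_s3_bucket",
	"change": {
		"actions": ["create"],
		"after": {
			"bucket": "example",
			"server_side_encryption_configuration": [{
				"rule": [{
					"apply_server_side_encryption_by_default": [{
						"sse_algorithm": "AES256",
					}],
				}],
			}],
		},
	},
}

# "rule[0]" -> ["rule", 0]; "sse_algorithm" -> ["sse_algorithm"].
# Indexes become numbers because walk/2 reports array positions as numbers.
expand_part(part) := segs if {
	pieces := split(part, "[")
	indexes := [to_number(trim_suffix(p, "]")) | some i, p in pieces; i > 0]
	segs := array.concat([pieces[0]], indexes)
}

# "a[0].b[1].c" -> ["a", 0, "b", 1, "c"]: one segment per level, any depth.
path_segments(path) := [seg |
	some part in split(path, ".")
	some seg in expand_part(part)
]

# True when the value found at `path` inside resource.change.after equals
# `value`; undefined (i.e. false) when the path is absent or the value differs.
# walk/2 yields every [path, value] pair, so the function never needs to know
# the nesting depth in advance; passing the bound path and value makes walk
# act as a filter rather than an enumerator.
resource_key_value_matches(resource, path, value) if {
	segs := path_segments(path)
	walk(resource.change.after, [segs, value])
}

# Runs under `opa test -v .` alongside the other tests in the directory.
test_resource_key_value_matches if {
	resource_key_value_matches(
		sample_resource,
		"server_side_encryption_configuration[0].rule[0].apply_server_side_encryption_by_default[0].sse_algorithm",
		"AES256",
	)
	resource_key_value_matches(sample_resource, "bucket", "example")
	not resource_key_value_matches(sample_resource, "bucket", "other")
	not resource_key_value_matches(sample_resource, "server_side_encryption_configuration[0].missing", "AES256")
}
```

Two caveats worth knowing when using this against real plans: attribute names that themselves contain a dot would be split incorrectly by `split(path, ".")`, and a non-numeric bracket index such as `[key]` makes `to_number` raise an error rather than return undefined, so policies that accept user-supplied paths should validate the string first. Since a non-match is undefined rather than `false`, pair the function with `not` in deny rules, as the test rule does.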
Response from Patrick East:
For nested resources, check out the snippet on open-policy-agent/opa#1772 for an example of a helper that retrieves all the resources for a given plan regardless of depth. From there you can write rules to match the resource type/address/whatever.