An opa policy and Containerfile sidecar definition for use with ansible-runner runtime policy evaluation experiements

basic.opa

# This file is in ./policy/basic.opa

package ansible.basic
import future.keywords

default allow := false

allow if {
    input.event == "runner_on_start"
    input.task == "ansible.builtin.file"
    input.hidden.state != "directory"
}

allow if {
    input.event == "runner_on_start"
    input.task != "ansible.builtin.file"
}

allow if {
    input.event != "runner_on_start"
}

Containerfile.yml

version: '3.7'

volumes:
  opa_data:
    driver: local

networks:
  opa:
    driver: bridge

services:
  opa:
    image: openpolicyagent/opa:latest
    command: run --server --log-level debug --addr :8181 --set decision_logs.console=true /policy/basic.rego
    ports:
      - 8181:8181
    volumes:
      - ./policy:/policy
      - opa_data:/data
    networks:
      - opa