ByteCruncher
Reputation: 153
OPA - rego policy to validate RBAC with Azure Key vault
I am new to OPA and want to add some OPA policies with my Terraform deployment pipeline. Here are the code that I use for validating with OPA policy. But the result.json is empty. Which means the policy is not functioning.
package terraform.keyvault
Allowed roles for administrators
admin_roles = {
"Owner": true,
"Contributor": true
}
# Ensure the assigned role is allowed for managing Key Vault
valid_admin_role_assignment[assignment] {
assignment := input.planned_values.root_module.resources[_]
assignment.type == "azurerm_role_assignment"
role := assignment.role_definition_name
admin_roles[role]
}
# Invalid admin role assignment (when a user is assigned a non-admin role)
invalid_admin_role_assignment[assignment] {
assignment := input.planned_values.root_module.resources[_]
assignment.type == "azurerm_role_assignment"
role := assignment.role_definition_name
not admin_roles[role]
print("Invalid admin role assignment:", role)
}
I have tried to get the value to debug using the below code. But this also results an empty json.
debug_assignment[msg] {
assignment := input.planned_values.root_module.resources[_]
assignment.type == "azurerm_role_assignment"
msg = sprintf("Assignment: %v", [assignment.role_definition_name])
}
Any help would be appreciated.
Upvotes: 0
Views: 12
Answers (0)
Related Questions
- How to import different policies inside OPA rego policy?
- sprintf in opa rego policy
- OPA rego policy - pattern matching using valid regex not working
- Rego policy for Kubernets label with /
- Can this Rego policy be simplified
- OPA rego policy to block access to kubernetes namespace
- How to create OPA rego policy for a whitelist?
- rego opa policy to check if resources are provided for deployment in kubernetes
- OPA Rego issues counting