I want to return a non-zero exit code when my policy fails so that my CI/CD buildspec stops building. I also want to return a string error message from my rule(s).

I noticed the `--fail` and `--fail-defined` options for the `opa eval` command. These options seem perfect. However, returning a string technically isn't 'failing' or returning 'undefined'. So, it seems to me impossible to return a string error message as well as a non-zero exit code without also sabotaging a good output string and test case.

Am I correct here? Is there any way to get the best of both worlds? I'm still new to Rego.

Example Rego file:

```rego
package play

default hello := "hello failed"

hello := "hello passed" {
     input.message == "world"
}
```

input:

```json
{"message": "world"}
```

Running the following command will return a non-zero exit code no matter what:

```
opa eval -i .\input.json -d .\test_rego.rego 'data.play.hello' --fail-defined -f raw
```

Similarly, the command below won't help because in this case the result is always defined:

```
opa eval -i .\input.json -d .\test_rego.rego 'data.play.hello' --fail -f raw
```

Any help is appreciated.

1 Answer

That's an interesting case. Normally you'll have either boolean rules to work with, or, in the case where you want to return e.g. a message, partial set rules where you can test for emptiness. If you really want to return a string for both the failure and the success case, you could use `not` to achieve that:

```
opa eval -d test_rego.rego -i input.json --fail-defined 'not data.play.hello == "hello passed"'
```

If using partial rules, i.e.:

```rego
hello["hello passed"] {
     input.message == "world"
}
```

You could test iteration over the rule to check for empty:

```
opa eval -d play.rego --fail 'data.play.hello[_]'
```

2 Comments

My coworker and I considered partial set rules and chaining together a nice output message. I'll revisit that with him now that I know we can test for emptiness. However, our policies are often relatively short, and the trying to write partial set rules that encompass only a few checks. We will certainly look at using 'not' for both string cases.
Great! Don't forget to accept the answer so it won't show up when searching for unanswered questions :)
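
One way to get both the message string and a CI exit code, as an added example that is not part of the original question or answer: have OPA emit JSON (`-f json`) and let a small wrapper print the string and choose the exit code. The script name `opa_gate.py` and the `gate` function are hypothetical, and the sample outputs are constructed.

```python
import json
import sys

PASS_MESSAGE = "hello passed"  # success string from the question's rule

# Constructed samples shaped like `opa eval -f json 'data.play.hello'` output.
SAMPLE_PASSED = '{"result":[{"expressions":[{"value":"hello passed","text":"data.play.hello"}]}]}'
SAMPLE_FAILED = '{"result":[{"expressions":[{"value":"hello failed","text":"data.play.hello"}]}]}'


def gate(opa_json, pass_message=PASS_MESSAGE):
    """Return (exit_code, message) for one `opa eval -f json` result."""
    if not opa_json.strip():
        return 1, "no output from opa eval"
    results = json.loads(opa_json).get("result", [])
    if not results:
        # OPA prints {} when the query is undefined: fail closed.
        return 1, "policy result undefined"
    value = results[0]["expressions"][0]["value"]
    if isinstance(value, str):
        # Complete rule with a default: pass only on the success string.
        return (0 if value == pass_message else 1), value
    if isinstance(value, list):
        # Partial set rule as in the answer (sets serialize as JSON arrays):
        # an empty set means the rule body never matched.
        if not value:
            return 1, "no passing message"
        return 0, "; ".join(sorted(str(v) for v in value))
    return 1, "unexpected result type: " + type(value).__name__


if __name__ == "__main__":
    # CI usage (hypothetical script name):
    #   opa eval -i input.json -d test_rego.rego -f json 'data.play.hello' | python opa_gate.py
    # Run from a terminal with no pipe, it evaluates the constructed failing sample.
    raw = SAMPLE_FAILED if sys.stdin.isatty() else sys.stdin.read()
    code, message = gate(raw)
    print(message)
    sys.exit(code)
```

Anything other than the exact success string, including an undefined result or empty output, maps to a non-zero exit, so the build step fails closed.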
