This repository contains basic exercises and examples for learning and implementing Policy-as-Code concepts using Open Policy Agent (OPA). It's designed to provide hands-on experience with policy enforcement using Rego, OPA's native query and policy language.
- Introduction
- Prerequisites
- Getting Started
- Project Structure
- Exercises
- Using OPA
- Contributing
- License
Policy-as-Code is an approach to policy management where policies are defined, updated, and version controlled using code. This tutorial repository aims to help you understand and implement basic Policy-as-Code practices using Open Policy Agent (OPA), focusing on Role-Based Access Control (RBAC) and Policy-Based Access Control (PBAC).
Before you begin, ensure you have Open Policy Agent (OPA) installed. Installation commands for macOS, Linux and Windows are given in the Using OPA section below.
To get started with this project, follow these steps:

1. Clone the repository:

   ```sh
   git clone https://github.com/shawn/policy-as-code.git
   ```

2. Navigate to the project directory:

   ```sh
   cd policy-as-code
   ```

3. Verify the OPA installation:

   ```sh
   opa version
   ```
The repository is organized as follows:

```
policy-as-code/
├── exercises/
│   ├── pbac/
│   │   ├── pbac.rego
│   │   ├── _data.json
│   │   └── _input.json
│   └── rbac/
│       ├── rbac.rego
│       ├── _data.json
│       └── _input.json
├── presentation/
├── LICENSE
└── README.md
```

- `exercises/`: Contains subdirectories for the different policy exercises.
- `presentation/`: Reserved for presentation materials related to the project.
- `LICENSE`: The license file for the project.
- `README.md`: This file, providing an overview of the project.
The repository includes two main types of exercises:

- RBAC (Role-Based Access Control): located in `exercises/rbac/`.
- PBAC (Policy-Based Access Control): located in `exercises/pbac/`.

Each exercise directory contains:

- A `.rego` file with the policy definitions.
- A `_data.json` file with the policy data.
- An `_input.json` file with sample inputs for testing the policies.

To work on these exercises, open the respective `.rego` files and follow the instructions provided in the comments.
To evaluate policies using OPA:

1. Navigate to an exercise directory:

   ```sh
   cd exercises/rbac
   ```

2. Run the OPA evaluation.

   Before running the evaluation, ensure OPA is installed:

   - For macOS (using Homebrew):

     ```sh
     brew install opa
     ```

   - For Linux (using the install script):

     ```sh
     curl -L -o opa https://openpolicyagent.org/downloads/latest/opa_linux_amd64
     chmod 755 ./opa
     sudo mv opa /usr/local/bin
     ```

   - For Windows (using Chocolatey):

     ```sh
     choco install opa
     ```

   After installation, verify that OPA is correctly installed:

   ```sh
   opa version
   ```

   The following command shows how to use the OPA command-line interface to evaluate a policy:

   ```sh
   opa eval -d rbac.rego -d rbac_data.json -i rbac_input.json "data.app.rbac.allow"
   ```

   Let's break it down:

   - `opa eval`: the command to evaluate a policy using OPA.
   - `-d rbac.rego`: specifies the Rego policy file to use.
   - `-d rbac_data.json`: provides the data file containing the role and permission information.
   - `-i rbac_input.json`: specifies the input file with the request details to evaluate.
   - `"data.app.rbac.allow"`: the query to evaluate. It checks whether the `allow` rule in the `app.rbac` package evaluates to true given the input and data.

   This command returns the result of the policy evaluation, indicating whether the requested action is allowed based on the RBAC policy, data, and input provided.
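As an added illustration (not the repository's own `rbac.rego`), here is a minimal policy in the `app.rbac` package that the query above targets, together with in-file tests that show the data and input shapes it assumes. The `user_roles` and `role_permissions` keys and the `user`/`action`/`resource` input fields are assumptions for this example; `default allow := false` ensures the query returns an explicit `false` rather than an undefined result when nothing grants access.

```rego
# Added example policy, not the repo's own rbac.rego.
package app.rbac

import rego.v1

# Deny by default: a request that no rule explicitly grants is rejected,
# and `opa eval` reports false instead of an undefined result.
default allow := false

# Allow when some role assigned to the user grants the requested
# action on the requested resource.
allow if {
	some role in data.user_roles[input.user]
	some grant in data.role_permissions[role]
	grant.action == input.action
	grant.resource == input.resource
}

# Assumed shapes for rbac_data.json and rbac_input.json (constructed):
# data:  {"user_roles": {"alice": ["admin"], "bob": ["viewer"]},
#         "role_permissions": {
#           "admin":  [{"action": "write", "resource": "reports"}],
#           "viewer": [{"action": "read",  "resource": "reports"}]}}
# input: {"user": "bob", "action": "read", "resource": "reports"}

# Run with `opa test .` in the directory containing this file.
test_viewer_can_read if {
	allow with input as {"user": "bob", "action": "read", "resource": "reports"}
	      with data.user_roles as {"bob": ["viewer"]}
	      with data.role_permissions as {"viewer": [{"action": "read", "resource": "reports"}]}
}

test_viewer_cannot_write if {
	not allow with input as {"user": "bob", "action": "write", "resource": "reports"}
	          with data.user_roles as {"bob": ["viewer"]}
	          with data.role_permissions as {"viewer": [{"action": "read", "resource": "reports"}]}
}

test_unknown_user_denied if {
	not allow with input as {"user": "mallory", "action": "read", "resource": "reports"}
	          with data.user_roles as {"bob": ["viewer"]}
	          with data.role_permissions as {"viewer": [{"action": "read", "resource": "reports"}]}
}
```

With data and input files matching the commented shapes, `opa eval -d rbac.rego -d rbac_data.json -i rbac_input.json "data.app.rbac.allow"` yields `true` for the viewer reading reports and `false` for the other two cases.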
For more information on using OPA, refer to the OPA Documentation.
Contributions to improve the exercises or add new ones are welcome. Please feel free to submit pull requests or open issues for any suggestions or problems you encounter.