Add a builtin function to render JSON templates
RDVasavada opened this issue ยท 2 comments
What is the underlying problem you're trying to solve?
I have encountered a number of use cases that involve running policies against templated JSON. Some examples are:
- Given a JSON template and a set of input variables, validate that the resulting JSON rendered with the input variables is in valid JSON format.
- Given a JSON template and a set of input variables, validate that the resulting JSON rendered with the input variables matches a specific criteria.
- Render a JSON template with input variables so that the resulting static JSON can be sent to an external API which contains a decoupled decisioning engine and use the result in our own policies.
For example, here's a scenario of what templating might look like:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ExampleStatement",
"Effect": "Allow",
"Action": [
"sqs:CreateQueue",
],
"Resource": [{{range $i, $name := .sqs_queues}}{{if $i}},{{end}}
"arn:aws:sqs:us-east-2:{{$.accountId}}:{{$name}}",
"arn:aws:sqs:eu-west-3:{{$.accountId}}:{{$name}}"{{end}}
]
}
]
}
Describe the ideal solution
Ideally, there could be a builtin function which takes in a templated JSON string representation and a mapping of template input variables, and returns the rendered JSON with the template variables injected. This can be done using the text/template standard library native to Go, which supports common templating syntax.
Describe a "Good Enough" solution
The current solution is to manually implement logic in rego to parse JSON and insert template variables. However, this becomes very complex when trying to extend to more advanced templating syntax, such as looping through multiple values.
Additional Context
I'd be happy to work on this issue if it's approved!
Hi @RDVasavada ๐ I'd be curious to learn more about your use case! Is this for infrastructure policy, authorization, or something else?
I'd also be curious to know why you'd need to parse JSON and insert variables. Can you not simply use the input JSON directly in your policy? That way you'll have access to loops, and whatever else you'd get from templating. The decision can of course be any valid JSON, so it feels like OPA and Rego would do well for this purpose, but perhaps there's something I'm not getting :)
Some example policy with inputs/outputs might help shed some light here.
Render a JSON template with input variables so that the resulting static JSON can be sent to an external API which contains a decoupled decisioning engine and use the result in our own policies.
Now you've piqued my curiosity! ๐ You'd use OPA for templating but not as a decision engine? What would you use for that instead?
Hey @anderseknert! Happy to provide more context as to my specific use case.
Our OPA policies are used for infrastructure policy. Our policy bundle runs a number of decisioning checks against infrastructure configurations, one of them being IAM policies. For IAM policies, in certain cases we would be receiving templated JSON as an input, along with template variables. After injecting template variables, we would like to run a number of policy checks on our own side (e.g. character count, JSON format validation) as well as send the rendered JSON to a decoupled decision engine which accepts static IAM policies and runs additional validations.
So the need for template handling comes from the fact that the templated JSON itself is the input for our policies.