Add `--rego-v1` flag to `check` command
Closed this issue · 0 comments
johanfylling commented
When applied, the --rego-v1
flag should make the check
command reject modules that aren't compliant with OPA 1.0 Rego.
Since both the rego.v1
and future.keywords
imports are no-ops in OPA 1.0, any valid combination of these imports are allowed, as long as the rest of the module is compliant with 1.0 Rego. E.g.:
Valid (rego.v1
imported):
package example
import rego.v1
p contains x if {
x := input.x;
x in [1, 2, 3]
}
Valid (future.keywords
imported):
package example
import future.keywords.contains
import future.keywords.if
import future.keywords.in
p contains x if {
x := input.x;
x in [1, 2, 3]
}
Invalid (no imports):
package example
p contains x if {
x := input.x;
x in [1, 2, 3]
}
The last module is fully OPA 1.0 compliant Rego, but since this isn't also compatible with <1.0 Rego it must be rejected. To aid in migrating existing policies to 1.0 compliant Rego, it is important that the check
command doesn't force users into updating existing code to no longer be compatible with their current runtime.