Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

New opa exec subcommand #3525

Closed
anderseknert opened this issue Jun 3, 2021 · 1 comment
Closed

New opa exec subcommand #3525

anderseknert opened this issue Jun 3, 2021 · 1 comment
Assignees
@tsandall
Labels
runtime

Comments

@anderseknert
Copy link
Member

When deploying OPA in a CI/CD context to verify configuration or deployment resources, run Terraform policies, etc.. it isn't always ideal to run OPA in server mode. While OPA and the ecosystem provides some great options to run one-off policy checks, like opa eval or Conftest, they don't currently provide some of the management and configuration capabilities that running OPA as a standalone server does. Having CI/CD policy tasks fetch policy bundles from a centralized location, or have OPA report back the decisions it took, are both important features for OPA deployments at scale.

I suggest we introduce an --exec flag to opa run that does the following:

  • Runs OPA with any flags (like --config-file) normally available to opa run.
  • Operates with any plug-ins configured, like discovery, bundles and decision logging.
  • Terminates after policy evaluation (like opa eval) with exit code set depending on outcome.

While this mode of operation is going to be somewhat slower having to startup OPA and potentially pull/push data at each invocation, performance is normally not a big concern in this context.

Could be that some of the improvements for the serverless use case could be used here too, but the two use cases are fundamentally different IMO.
@anderseknert anderseknert mentioned this issue Oct 25, 2021
Closed
@tsandall tsandall mentioned this issue Nov 3, 2021
Closed
@stale
Copy link

stale bot commented Nov 22, 2021

This issue has been automatically marked as inactive because it has not had any activity in the last 30 days.

@stale stale bot added the inactive label Nov 22, 2021
@tsandall tsandall removed the inactive label Nov 24, 2021
@tsandall tsandall self-assigned this Nov 30, 2021
@tsandall tsandall changed the title Add one-off --exec option to opa run New opa exec subcommand Dec 8, 2021
tsandall added a commit to tsandall/opa that referenced this issue Dec 16, 2021
@tsandall
cmd/exec: Add new exec subcommand
e495fe3 
This is just a skeleton but the basic functionality is there: run OPA
in a "one shot" mode against a set of input files and print the
results for each.

Fixes open-policy-agent#3525

Signed-off-by: Torin Sandall <torinsandall@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@tsandall tsandall

Labels
runtime
Projects
Open Policy Agent
Status: Done
Milestone
No milestone
Development

No branches or pull requests
2 participants
@tsandall @anderseknert