Documentation
Overview
Package opa provides helpers for running Open Policy Agent (OPA) evaluations in automated tests.
Index
- func DownloadPolicyE(t testing.TestingT, rulePath string) (string, error)
- func Eval(t testing.TestingT, options *EvalOptions, jsonFilePaths []string, ...)
- func EvalE(t testing.TestingT, options *EvalOptions, jsonFilePaths []string, ...) (err error)
- func EvalWithOutput(t testing.TestingT, options *EvalOptions, jsonFilePaths []string, ...) (outputs []string)
- func EvalWithOutputE(t testing.TestingT, options *EvalOptions, jsonFilePaths []string, ...) (outputs []string, err error)
- type EvalOptions
- type FailMode
Functions
func DownloadPolicyE (added in v0.40.20)
DownloadPolicyE takes a rule path written in go-getter syntax and downloads it to a temporary directory so that it can be passed to opa. The temporary directory is cached based on the go-getter base path and reused across calls. For example, if you call DownloadPolicyE multiple times with the go-getter URL:
git::https://github.com/gruntwork-io/terratest.git//policies/foo.rego?ref=main
The first call downloads the gruntwork-io/terratest repo to a new temp directory. All subsequent calls reuse that first temporary directory where the repo was cloned. The cached directory is reused even if a different subdir is requested later, e.g.:
git::https://github.com/gruntwork-io/terratest.git//examples/bar.rego?ref=main
Note that the query parameters are always included in the base URL. This means that if you use a different ref (e.g., git::https://github.com/gruntwork-io/terratest.git//examples/bar.rego?ref=v0.39.3), that ref is cloned to a new temporary directory rather than reusing the cached dir.
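The caching rule described above, as an added example that is not terratest's or go-getter's own code: a simplified split of a go-getter URL into its base (query string kept) and subdirectory, showing that the three rule paths from the text occupy two temporary directories. The names splitBase, cacheSlots and rulePaths are hypothetical.

```go
package main

import (
	"fmt"
	"strings"
)

// The three rule paths used in the text above.
var rulePaths = []string{
	"git::https://github.com/gruntwork-io/terratest.git//policies/foo.rego?ref=main",
	"git::https://github.com/gruntwork-io/terratest.git//examples/bar.rego?ref=main",
	"git::https://github.com/gruntwork-io/terratest.git//examples/bar.rego?ref=v0.39.3",
}

// splitBase separates a go-getter URL into its base (query string kept) and
// the path after "//". Simplified illustration, not go-getter's own code.
func splitBase(src string) (base, subdir string) {
	stop := len(src)
	if i := strings.Index(src, "?"); i > -1 {
		stop = i
	}
	offset := 0 // skip past "scheme://" so it is not mistaken for "//subdir"
	if i := strings.Index(src[:stop], "://"); i > -1 {
		offset = i + 3
	}
	i := strings.Index(src[offset:stop], "//")
	if i == -1 {
		return src, ""
	}
	base, subdir = src[:offset+i], src[offset+i+2:]
	if q := strings.Index(subdir, "?"); q > -1 {
		base, subdir = base+subdir[q:], subdir[:q]
	}
	return base, subdir
}

// cacheSlots groups rule paths by base URL: one slot per temporary directory.
func cacheSlots(paths []string) map[string][]string {
	slots := map[string][]string{}
	for _, p := range paths {
		base, subdir := splitBase(p)
		slots[base] = append(slots[base], subdir)
	}
	return slots
}

func main() {
	fmt.Println(cacheSlots(rulePaths))
}
```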
func Eval
func Eval(t testing.TestingT, options *EvalOptions, jsonFilePaths []string, resultQuery string)
Eval runs `opa eval` on the given JSON files using the configured policy file and result query. Translates to:
opa eval -i $JSONFile -d $RulePath $ResultQuery
OPA runs on each file concurrently using goroutines. The test fails if evaluation fails for any one of the files.
func EvalE
func EvalE(t testing.TestingT, options *EvalOptions, jsonFilePaths []string, resultQuery string) (err error)
EvalE runs `opa eval` on the given JSON files using the configured policy file and result query. Translates to:
opa eval -i $JSONFile -d $RulePath $ResultQuery
OPA runs on each file concurrently using goroutines.
func EvalWithOutput (added in v0.48.0)
func EvalWithOutput(t testing.TestingT, options *EvalOptions, jsonFilePaths []string, resultQuery string) (outputs []string)
EvalWithOutput runs `opa eval` on the given JSON files using the configured policy file and result query. Translates to:
opa eval -i $JSONFile -d $RulePath $ResultQuery
OPA runs on each file concurrently using goroutines. The test fails if evaluation fails for any one of the files. For each file, the output is returned in the outputs slice.
func EvalWithOutputE (added in v0.48.0)
func EvalWithOutputE(t testing.TestingT, options *EvalOptions, jsonFilePaths []string, resultQuery string) (outputs []string, err error)
EvalWithOutputE runs `opa eval` on the given JSON files using the configured policy file and result query. Translates to:
opa eval -i $JSONFile -d $RulePath $ResultQuery
OPA runs on each file concurrently using goroutines. For each file, the output is returned in the outputs slice.
Types
type EvalOptions
type EvalOptions struct {
	// Path to rego file containing the OPA rules. Can also be a remote path defined in go-getter syntax. Refer to
	// https://github.com/hashicorp/go-getter#url-format for supported options.
	RulePath string

	// Set a logger that should be used. See the logger package for more info.
	Logger *logger.Logger

	// Extra command line arguments to pass to opa eval. These are added after the eval subcommand
	// and before the standard arguments (-i, -d, query).
	// Example: []string{"--v0-compatible"} to enable OPA v0 compatibility mode.
	// Example: []string{"--strict"} to enable strict mode for the eval subcommand.
	ExtraArgs []string

	// Whether OPA should run checks with failure.
	FailMode FailMode

	// When true, keep any temp files and folders that are created for the purpose of running opa eval.
	DebugKeepTempFiles bool

	// When true, disable the functionality where terratest reruns the opa check on the same file and query all elements
	// on error. By default, terratest will rerun the opa eval call with `data` query so you can see all the contents
	// evaluated.
	DebugDisableQueryDataOnError bool
}
EvalOptions defines options that can be passed to the 'opa eval' command for checking policies on arbitrary JSON data via OPA.
type FailMode
type FailMode int
FailMode signals whether `opa eval` should fail when the query returns an undefined value (FailUndefined), a defined value (FailDefined), or not at all (NoFail).
const (
	// FailUndefined causes `opa eval` to fail when the query returns an undefined value.
	FailUndefined FailMode = iota
	// FailDefined causes `opa eval` to fail when the query returns a defined value.
	FailDefined
	// NoFail causes `opa eval` not to fail based on the query result.
	NoFail
)
FailMode values for [EvalOptions.FailMode] that control when `opa eval` should fail.
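How the documented argument order and FailMode values combine for one input file, as an added example that is not terratest's own code. The types are local stand-ins for the documented names, evalArgs and checkFails are hypothetical helpers, the file names and query are constructed, and the mapping of FailUndefined and FailDefined to OPA's --fail and --fail-defined flags (and their position after ExtraArgs) is an assumption.

```go
package main

import "fmt"

// Local stand-ins for the documented names; not terratest's own code.
type FailMode int

const (
	FailUndefined FailMode = iota
	FailDefined
	NoFail
)

type EvalOptions struct {
	RulePath  string
	ExtraArgs []string
	FailMode  FailMode
}

// evalArgs builds the argv for one file: eval, ExtraArgs, then -i, -d, query.
// Assumption: FailUndefined/FailDefined map to --fail/--fail-defined.
func evalArgs(o EvalOptions, jsonFile, query string) []string {
	args := append([]string{"eval"}, o.ExtraArgs...)
	switch o.FailMode {
	case FailUndefined:
		args = append(args, "--fail")
	case FailDefined:
		args = append(args, "--fail-defined")
	}
	return append(args, "-i", jsonFile, "-d", o.RulePath, query)
}

// checkFails reports whether a query result that is defined (true) or
// undefined (false) fails the check under the given mode.
func checkFails(m FailMode, defined bool) bool {
	switch m {
	case FailUndefined:
		return !defined
	case FailDefined:
		return defined
	}
	return false // NoFail: the query result never fails the check
}

func main() {
	// Constructed sample values.
	o := EvalOptions{RulePath: "policy/enforce.rego", ExtraArgs: []string{"--strict"}}
	fmt.Println(evalArgs(o, "plan.json", "data.enforce.allow"))
	fmt.Println(checkFails(FailUndefined, false), checkFails(NoFail, false))
}
```

With NoFail, an undefined allow rule does not fail the test, so a policy gate written as an allow query needs FailUndefined to block anything.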