The OPA bundler is responsible for bundling the policies in the bundle/ directory with data fetched from remote sources.
The bundler is scheduled to run at an interval, but can also be triggered by an SNS message.
OPA evaluates policies written in Rego against input and data.
The OPA policies are defined in the bundle/ directory.
The bundle/ directory is synchronized with data by opa-bundler/ and made available to OPA in an AWS S3 bucket (sm-opa-bundles).
On macOS, install with:
brew install opa
For other platforms see: https://www.openpolicyagent.org/docs/latest/#1-download-opa
If using VSCode there's also a nice extension available https://marketplace.visualstudio.com/items?itemName=tsandall.opa.
Run all tests in the bundle/ directory with:
opa test ./bundle
For testing OPA http.send requests (remote data fetching):
First start the MMOCK (mocking data) server by:
docker run --rm -v $(pwd)/mmockconfig:/config -p 5678:8083 jordimartin/mmock
Then, in another shell, set the test environment variables with:
export $(cat .env-integration-test | xargs)
... then run the tests with:
opa test ./bundle
To unset the variables from .env-integration-test again:
unset $(cat .env-integration-test | cut -d = -f 1 | xargs)
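As an added example (not code from this repository), the pattern these tests exercise: a policy that fetches remote data with http.send, plus tests that replace http.send with a mock so they run without the MMOCK server or the exported variables. The package name, the USERS_URL variable and the response shape are assumptions; `with http.send as` mocking needs OPA v0.42 or later and `import rego.v1` needs v0.59 or later.

```rego
package example

import rego.v1

# Remote data fetch. The endpoint URL is read from an environment variable
# (USERS_URL is an assumed name, exported from .env-integration-test), so the
# integration tests can point it at the MMOCK server instead of the real source.
remote_users := resp.body if {
	resp := http.send({
		"method": "GET",
		"url": opa.runtime().env.USERS_URL,
		"timeout": "2s",
		"raise_error": false, # a failed request yields a status code, not an eval error
	})
	resp.status_code == 200
}

default allow := false

# Allow only users present in the remotely fetched list.
allow if input.user in remote_users

# ---- unit tests (pure; no MMOCK server or env vars needed) ----
# These could equally live in a separate bundle/example_test.rego file.

# Replacements for http.send returning constructed responses.
mock_users_ok(_) := {"status_code": 200, "body": ["alice", "bob"]}

mock_users_down(_) := {"status_code": 503, "body": null}

test_allow_known_user if {
	allow with input as {"user": "alice"}
		with http.send as mock_users_ok
}

test_deny_unknown_user if {
	not allow with input as {"user": "mallory"}
		with http.send as mock_users_ok
}

# When the remote source fails, remote_users is undefined and allow falls
# back to the default of false (fail closed).
test_deny_when_remote_unavailable if {
	not allow with input as {"user": "alice"}
		with http.send as mock_users_down
}
```

Run it with `opa test ./bundle`; the mocked tests pass regardless of whether the MMOCK server is up, while policies left unmocked still go through http.send to whatever USERS_URL points at.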
For testing the bundle (synchronized with data) with the OPA server:
First sync a bundle for testing with:
yarn sls invoke local -e S3_BUNDLE_KEY=bundle_test.tar.gz -f sync_bundle_cron
Then run a local OPA server using AWS S3 as the bundle service with:
AWS_REGION=eu-west-1 opa run -s --log-format=text -c opa-test-config.yaml
You will need AWS credentials in environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY).