Showing content from https://github.com/open-policy-agent/opa/issues/5619 below:

opa eval can't parse json file when it is used in GitHub Actions. But locally it works. · Issue #5619 · open-policy-agent/opa · GitHub

Short description

I evaluate an OPA policy to find the Azure resources without the required tags. Locally it works and outputs non-compliant resources. But when I try to evaluate the policy in the GitHub Actions pipeline, the output is empty. I rechecked everything: local and "in pipeline" configs, versions are the same, all files exist, permissions, etc. In debug mode, I see that "in pipeline" OPA replaces input data with a simple "command" string.

Config:
Local and "in pipeline" OPA version - 0.48.0
Local machine - MacOS Ventura
Pipeline runner image based on - Ubuntu 22.04

OPA policy:

package policy

mandatory_tags[msg] {
	check_tags(changes[c])
	#msg := sprintf("fail: %v is missing required tags.", [changes[c].address])
	msg := sprintf("%v", [changes[c].address])
}

check_tags(resource) {
	# read the tags based on the resource type
	tags = read_tags(resource)
	# check for the tag enforcement
	match(resource.change.after)
}

read_tags(resource) = tags {
	tags = resource.change.after.tags
}

match(i) {
	not i.tags
}

match(i) {
	not i.tags.AgileTeam
}

match(i) {
	not i.tags.Contact
}

match(i) {
	not i.tags.Environment
}

match(i) {
	not i.tags.Repository
}

# get the changed resources
changes := { c |
	some path, value
	walk(input, [path, value])
	reverse_index(path, 1) == "resource_changes"
	c = value[_]
}

reverse_index(path, idx) = value {
	value := path[count(path) - idx]
}

I run the following commands:

terraform init
terraform plan --out tfplan.binary
terraform show -json tfplan.binary > tfplan.json

opa eval data.policy.all_policies -d ../../.opa/ -i tfplan.json -f pretty

Local output:

[
  "fail: azurerm_nat_gateway.development is missing required tags.",
  "fail: azurerm_public_ip_prefix.development is missing required tags."
]

In pipeline output:

Local debug:

In pipeline debug:

And, again, all needed files are in place, and the OPA version is the same. Locally it works, but it doesn't work in the GitHub Actions pipeline.
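
The symptom reported above is a tag-enforcement gate that returns an empty result because its input was not the plan document, which reads as "no violations". The following pre-flight check is an added example, not code from the issue or from OPA, and is meant to run between `terraform show -json` and `opa eval` so the step fails closed. The name `plan_problems`, the script name in the usage comment and the sample inputs are constructed for illustration, and it assumes the plan carries a top-level `resource_changes` list, the key the policy above searches for.

```python
import json
import sys

# Constructed sample inputs (not taken from the issue's files).
GOOD_PLAN = json.dumps({"resource_changes": [
    {"address": "azurerm_nat_gateway.development",
     "change": {"after": {"tags": None}}}]})
BARE_STRING = '"command"'                          # valid JSON, but not a plan
PREFIXED = 'extra line\n{"resource_changes": []}'  # text ahead of the JSON


def plan_problems(text):
    """Return reasons why `text` is unusable as policy input ([] means OK)."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        stripped = text.strip()
        first = stripped.splitlines()[0][:60] if stripped else "<empty file>"
        return [f"not valid JSON ({exc.msg}); file starts with {first!r}"]
    if not isinstance(doc, dict):
        return [f"top-level value is {type(doc).__name__}, expected an object"]
    changes = doc.get("resource_changes")
    if not isinstance(changes, list):
        return ["no top-level 'resource_changes' list for the policy to walk"]
    problems = []
    for i, rc in enumerate(changes):
        # The policy reads .address and .change.after.tags on every entry.
        if not (isinstance(rc, dict) and "address" in rc
                and isinstance(rc.get("change"), dict)):
            problems.append(f"resource_changes[{i}] lacks 'address' or 'change'")
    return problems


if __name__ == "__main__":
    # Hypothetical usage: python check_plan.py tfplan.json && opa eval ...
    path = sys.argv[1] if len(sys.argv) > 1 else "tfplan.json"
    with open(path, encoding="utf-8") as fh:
        found = plan_problems(fh.read())
    for problem in found:
        print(f"refusing to evaluate {path}: {problem}", file=sys.stderr)
    sys.exit(1 if found else 0)
```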

