Can I loop over keys and values of an object in OPA to validate if they adhere to a certain format (CamelCase)


Problem description

We are using conftest to validate if our terraform changeset applies to certain rules & compliances. One thing we want to validate is whether our AWS resources are tagged according to the AWS tagging convention, which specifies certain tags to use (e.g. Owner, ApplicationRole, Project) and specifies that all tags and values are in CamelCase.

In terraform the changeset is portrayed in the following (simplified) json output:

{
   "resource_changes":{
      "provider_name":"aws",
      "change":{
         "before":{

         },
         "after":{
            "tags":{
               "ApplicationRole":"SomeValue",
               "Owner":"SomeValue",
               "Project":"SomeValue"
            }
         }
      }
   }
}

What I am now trying to do is to validate the following:

  1. Check whether tags are set.
  2. Validate whether both the keys and the values are CamelCase.
  3. Check whether the keys contain at least the set (ApplicationRole, Owner, Project).

However, I am having trouble defining that in Rego (I am quite new to OPA).

Is there a way to "loop" over the keys and values of an object, and validate if they are formatted correctly?

In pseudocode:

for key, value in tags {
  re_match(`([A-Z][a-z0-9]+)+`, key)
  re_match(`([A-Z][a-z0-9]+)+`, value)
}

I tried the following:

tags_camel_case(tags) {
    some key
    val := tags[key]
    re_match(`^([A-Z][a-z0-9]+)+`, key) # why is key not evaluated?
    re_match(`^([A-Z][a-z0-9]+)+`, val)
}

However, when evaluating against the following test json:

{
  "AppRole": "SomeValue",
  "appRole": "SomeValue"
}

the rule returns true, even though I am checking both key and value vs the regex.

Recommended answer

The tags_camel_case(tags) function returns true for the input with two keys because (by default) variables in Rego are existentially quantified. This means rule bodies are satisfied if for some set of variable bindings, the statements in the rule body are true. In the example above, the rule body would be satisfied by {key=AppRole, val=SomeValue}.

To express "for all" you can use a simple trick. First write a rule to check if any of the tags ARE NOT camel case. Second write the rule to check if the first rule is not satisfied.

For example:

# checks if all tags are camel case
tags_camel_case(tags) {
  not any_tags_not_camel_case(tags)
}

# checks if any tags are NOT camel case
any_tags_not_camel_case(tags) {
    some key
    val := tags[key]
    not is_camel_case(key, val)
}

# checks if a and b are both camel case
is_camel_case(a, b) {
  re_match(`^([A-Z][a-z0-9]+)+`, a)
  re_match(`^([A-Z][a-z0-9]+)+`, b)
}

For more info on expressing "for all" in Rego see https://www.openpolicyagent.org/docs/latest/how-do-i-write-policies/#universal-quantification-for-all
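A fuller conftest policy covering all three checks from the question, added here as an example and not part of the original question or answer. It assumes the simplified plan shape shown in the question (a single `resource_changes` object; real `terraform show -json` output puts a list under `resource_changes`), conftest's `main` package and `deny` rule convention, and OPA's pre-1.0 rule syntax. The `required_tags` set and the `camel_case` helper are mine. The regex is anchored with `$` as well as `^`, because the pattern used on this page only anchors the start and so also accepts strings such as `Apple-pie`, where only a CamelCase prefix matches. The universal check collects offenders in a set comprehension instead of the answer's negated helper rule; both express the same "for all".

```rego
package main

# Added example policy, not from the original post. Assumes the
# simplified plan shape from the question: resource_changes is a
# single object (real plan JSON wraps it in a list).

# Constructed required-tag set for this example.
required_tags := {"ApplicationRole", "Owner", "Project"}

tags := input.resource_changes.change.after.tags

# Anchored at both ends so every character must belong to a
# capitalised word; the pattern on the page only anchors the start.
camel_case(s) {
    regex.match(`^([A-Z][a-z0-9]+)+$`, s)
}

# 1. Tags must be set.
deny[msg] {
    not input.resource_changes.change.after.tags
    msg := "resource has no tags"
}

# 2. Every key and every value must be CamelCase. Collecting the
# offenders in a comprehension turns "for all tags" into
# "the set of bad tags is empty". An undefined `tags` yields an
# empty set, so this rule stays quiet when check 1 already fires.
bad_keys := {k | some k; _ = tags[k]; not camel_case(k)}
bad_values := {k | some k; v := tags[k]; not camel_case(v)}

deny[msg] {
    bad := bad_keys | bad_values
    count(bad) > 0
    msg := sprintf("tags with non-CamelCase key or value: %v", [bad])
}

# 3. Keys must include at least the required set.
deny[msg] {
    missing := required_tags - {k | some k; _ = tags[k]}
    count(missing) > 0
    msg := sprintf("missing required tags: %v", [missing])
}
```

Run it with `conftest test plan.json -p policy.rego`, or inspect the raw result with `opa eval -i plan.json -d policy.rego 'data.main.deny'`. Against the question's test object with keys `AppRole` and `appRole`, check 2 reports `appRole` and check 3 reports all three required tags as missing. Note that OPA 1.0 made the `if` and `contains` keywords mandatory, so on a current OPA the partial set rules read `deny contains msg if { ... }` and the helper `camel_case(s) if { ... }`.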
