nicholasjackson/opa-rego-language
Rego is the declarative policy language used by Open Policy Agent (OPA). This tile covers writing and testing Rego policies for Kubernetes admission control, Terraform and infrastructure-as-code plan validation, Docker container authorization, HTTP API authorization, RBAC and role-based access control, data filtering, metadata annotations with opa inspect, and OPA policy testing with opa test.
99
Quality
Pending
Does it follow best practices?
Impact
99%
1.19xAverage score across 31 eval scenarios
Pending
The risk profile of this skill
task.mdevals/scenario-16/
Terraform: Multi-Region Deployment Policies
We use OPA to validate Terraform plans before they are applied. Write a Rego policy that enforces region and data residency requirements.
The policy must:
- Deny the plan if the AWS provider region is not in the approved set:
us-east-1,us-west-2,eu-west-1,eu-central-1 - Deny creation of
aws_s3_bucket,aws_rds_cluster, oraws_dynamodb_tableresources taggedDataResidency = "EU"in a non-EU region (eu-west-1andeu-central-1are EU regions) - Warn (but do not deny) when
aws_s3_bucketoraws_dynamodb_tableresources taggedCriticality = "high"are created without replication configured
The AWS provider region is available at tfplan.configuration.provider_config.aws.expressions.region.constant_value.
Replication for S3 is indicated by the presence of r.change.after.replication_configuration; for DynamoDB by count(r.change.after.replica) > 0.
The policy must support both raw Terraform input and HCP Terraform / Terraform Enterprise input.
docs
evals
scenario-1
scenario-2
scenario-3
scenario-4
scenario-5
scenario-6
scenario-7
scenario-8
scenario-9
scenario-10
scenario-11
scenario-12
scenario-13
scenario-14
scenario-15
scenario-16
scenario-17
scenario-18
scenario-19
scenario-20
scenario-21
scenario-22
scenario-23
scenario-24
scenario-25
scenario-26
scenario-27
scenario-28
scenario-29
scenario-30
scenario-31