
nicholasjackson/opa-rego-language

Rego is the declarative policy language used by Open Policy Agent (OPA). This tile covers writing and testing Rego policies for Kubernetes admission control, Terraform and infrastructure-as-code plan validation, Docker container authorization, HTTP API authorization, RBAC and role-based access control, data filtering, metadata annotations with opa inspect, and OPA policy testing with opa test.


Regal: Comprehension Patterns

This document covers Regal rules related to set, object, and array comprehensions.

Relevant Regal rules:

  • comprehension-term-assignment — do not assign a value inside a comprehension just to use it as the term; use the expression directly
  • use-object-keys — use object.keys(obj) instead of {k | some k, _ in obj} to get object keys
  • use-some-for-output-vars — declare output variables with some in comprehension bodies

Pattern: Comprehension Term Assignment

Use the expression directly as the comprehension term rather than assigning it to a variable first.

# CORRECT: use expression directly as the term
names := {container.name | some container in input.spec.containers}

# CORRECT: multi-field object comprehension, key and value expressions used directly
resources := {container.name: container.resources.limits.cpu |
    some container in input.spec.containers
}

# WRONG: assigning to variable just to use as term (comprehension-term-assignment violation)
names := {name | some container in input.spec.containers; name := container.name}

Pattern: Object Keys

Use object.keys() to get the keys of an object.

# CORRECT: use object.keys()
required_fields := {"name", "email", "role"}
provided_fields := object.keys(input.user)
missing := required_fields - provided_fields

# WRONG: comprehension to get keys (use-object-keys violation)
# (keys need the two-variable form; `some k in input.user` would iterate values)
provided_fields := {k | some k, _ in input.user}

Pattern: Output Variables in Comprehensions

Declare output variables with some in comprehension bodies.

# CORRECT: some for output variable
active_users := {user |
    some user in input.users
    user.active == true
}

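# CORRECT: some for key/value iteration with a filter
# (to collect every key without filtering, use object.keys() as in the Object Keys pattern)
nonempty_tag_names := {key | some key, value in input.resource.tags; value != ""}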

Complete Example: Resource Compliance Check

package terraform.compliance
import rego.v1

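# Use object.keys(), not a comprehension. object.get() supplies an empty
# object when the tags are absent, so an untagged resource is still denied
# instead of leaving provided_tags (and therefore missing_tags) undefined.
provided_tags := object.keys(object.get(input, ["resource", "tags"], {}))

required_tags := {"environment", "owner", "cost_center"}

missing_tags := required_tags - provided_tags

# Regions a resource may be deployed to
allowed_regions := {"us-east-1", "us-west-2", "eu-west-1"}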

deny contains msg if {
    count(missing_tags) > 0
    msg := sprintf("missing required tags: %v", [missing_tags])
}

deny contains msg if {
    input.resource.region != null
    not input.resource.region in allowed_regions
    msg := sprintf("region '%s' is not allowed", [input.resource.region])
}

Testing Comprehension Patterns

package terraform.compliance_test
import rego.v1
import data.terraform.compliance

# `with` modifies an expression, so it is attached inside the rule body
test_missing_tags if {
    result := compliance.deny with input as {
        "resource": {
            "tags": {"environment": "prod"},
            "region": "us-east-1"
        }
    }
    some msg in result
    contains(msg, "missing required tags")
}

test_all_tags_present if {
    result := compliance.deny with input as {
        "resource": {
            "tags": {"environment": "prod", "owner": "team-a", "cost_center": "123"},
            "region": "us-east-1"
        }
    }
    count(result) == 0
}
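
When object.keys() or a comprehension is evaluated over a path that is absent from the input, the result is undefined rather than empty, and a deny rule built on it never fires. The following is an added example, not part of the original document; the package name, rule names and the constructed `untagged` input are assumptions. It shows that fail-open form beside one that defaults to an empty object, plus the difference between value and key iteration, and runs under `opa test`.

```rego
package example.tag_keys

import rego.v1

required_tags := {"environment", "owner", "cost_center"}

# Fail-open form: object.keys() is undefined when input.resource.tags is
# absent, so missing_unsafe is undefined and deny_unsafe never fires.
missing_unsafe := required_tags - object.keys(input.resource.tags)

deny_unsafe contains msg if {
    count(missing_unsafe) > 0
    msg := sprintf("missing required tags: %v", [missing_unsafe])
}

# Hardened form: fall back to an empty object so an untagged resource is
# reported as missing every required tag.
missing_safe := required_tags - object.keys(object.get(input, ["resource", "tags"], {}))

deny_safe contains msg if {
    count(missing_safe) > 0
    msg := sprintf("missing required tags: %v", [missing_safe])
}

# Constructed input: a resource with no "tags" key at all.
untagged := {"resource": {"region": "us-east-1"}}

test_unsafe_form_fails_open if {
    count(deny_unsafe) == 0 with input as untagged
}

test_safe_form_denies_untagged if {
    count(deny_safe) == 1 with input as untagged
}

# Iterating an object with a single variable yields its values, not its keys.
test_some_in_yields_values if {
    tags := {"environment": "prod"}
    {v | some v in tags} == {"prod"}
    object.keys(tags) == {"environment"}
}
```

A `tags` value that is present but not an object (for example `null`) still makes object.keys() undefined, so add an `is_object` check if the input can contain one.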
