
Add --stdin-input flag to opa exec command

Open humbertoc-silva opened this issue 1 year ago • 10 comments

What is the underlying problem you're trying to solve?

I am trying to figure out how to execute OPA inside a standard AWS Lambda. The requirements are:

  • Configure OPA through Discovery API;
  • Collect Status and Decision Logs telemetry;
  • Use any kind of built-in function (SDK dependent or not);
  • Take into account that a Lambda is not alive all the time.

So I'm working on a POC to see if the opa exec command is a good fit, but in my tests, I saw that the opa exec command executes against input files. I can write an input.json file on the filesystem before invoking the command, but it would be cheaper if it were possible to pass input data from stdin, so I could dynamically build my input together with the command and invoke OPA.

For example:

echo my_input | opa exec --stdin-input ...

Describe the ideal solution

Adding the new flag, as we have on the opa eval command, will make the use of OPA more flexible when using OPA as a command inside scripts.

Describe a "Good Enough" solution

Maybe creating an input.json before invoking the OPA command, but this solution is not so efficient and more expensive.

Additional Context

There is an OPA integration with AWS API Gateway, but in my case, I'm trying to enforce authorization policies inside a standard AWS Lambda that could be written in any language. WebAssembly will not work because I need to use any kind of built-in function from Rego code.

humbertoc-silva avatar Jan 23 '24 01:01 humbertoc-silva

Sounds like a good addition to me. I was hoping something like this would work:

echo '{"foo": "bar"}' | opa exec -b bundle/ --decision foo/bar /dev/stdin

And it "works", but not really, as apparently we filter out any file which doesn't have a .json suffix, and /dev/stdin obviously doesn't :/

anderseknert avatar Jan 23 '24 13:01 anderseknert

Sounds like a good one. @humbertoc-silva if you'd like to contribute that would be great!

ashutosh-narkar avatar Jan 23 '24 22:01 ashutosh-narkar

Yes @ashutosh-narkar, I would. I will see how things work on the opa eval command to have an idea.

humbertoc-silva avatar Jan 24 '24 19:01 humbertoc-silva

This issue has been automatically marked as inactive because it has not had any activity in the last 30 days. Although currently inactive, the issue could still be considered and actively worked on in the future. More details about the use-case this issue attempts to address, the value provided by completing it or possible solutions to resolve it would help to prioritize the issue.

stale[bot] avatar Feb 27 '24 06:02 stale[bot]

@humbertoc-silva have you had a chance to work on this? If not, I can give it a shot.

colinjlacy avatar Mar 25 '24 13:03 colinjlacy

I know @humbertoc-silva is a busy man, so go for it @colinjlacy 👍

anderseknert avatar Mar 26 '24 08:03 anderseknert

Hi guys, I am so sorry but I did not have a chance to look at it. But you can count on me to do some tests.

humbertoc-silva avatar Mar 27 '24 01:03 humbertoc-silva

@anderseknert I was thinking this should support both JSON and YAML, since that's the current support for input files. I was also thinking there should probably be a timeout on stdin, with an exit 1 when the timeout expires. Maybe 20 or 30 seconds. Thoughts?

colinjlacy avatar Mar 28 '24 13:03 colinjlacy

We don't really have a precedent on timeouts for stdin I think, but I like the idea of having that. I always found it confusing that opa fmt, when provided no args, just hangs there forever. I'm sure there are other examples too. 30 seconds timeout sounds like a good default to me.

anderseknert avatar Mar 28 '24 13:03 anderseknert
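
The stdin timeout proposed in the two comments above, sketched as an added example that is not part of the thread and not OPA's code. The names readInputWithTimeout and ErrStdinTimeout are hypothetical, and only JSON is decoded because YAML needs a package outside the Go standard library.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"os"
	"time"
)

// ErrStdinTimeout (hypothetical name) reports that input did not reach EOF in time.
var ErrStdinTimeout = errors.New("timed out waiting for input on stdin")

// readInputWithTimeout (hypothetical helper) reads r to EOF and decodes it as
// JSON. If EOF has not been seen after d, it gives up instead of hanging.
func readInputWithTimeout(r io.Reader, d time.Duration) (interface{}, error) {
	type result struct {
		data []byte
		err  error
	}
	ch := make(chan result, 1) // buffered: the reader never blocks on send
	go func() {
		data, err := io.ReadAll(r)
		ch <- result{data, err}
	}()
	select {
	case res := <-ch:
		if res.err != nil {
			return nil, res.err
		}
		var input interface{}
		if err := json.Unmarshal(res.data, &input); err != nil {
			return nil, fmt.Errorf("stdin is not valid JSON: %w", err)
		}
		return input, nil
	case <-time.After(d):
		// The reader goroutine stays blocked; acceptable when the caller exits.
		return nil, ErrStdinTimeout
	}
}

func main() {
	input, err := readInputWithTimeout(os.Stdin, 30*time.Second)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1) // exit 1 on timeout or bad input, as suggested in the thread
	}
	fmt.Printf("%v\n", input)
}
```

An interactive terminal with nothing piped in hits the timeout path, while a pipe that closes without writing anything fails at the JSON decode step instead.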

This issue has been automatically marked as inactive because it has not had any activity in the last 30 days. Although currently inactive, the issue could still be considered and actively worked on in the future. More details about the use-case this issue attempts to address, the value provided by completing it or possible solutions to resolve it would help to prioritize the issue.

stale[bot] avatar Apr 27 '24 18:04 stale[bot]

Checking back in here. I'll be able to get back to this issue this coming week. Code is mostly done, just needs verification. Sorry for the delay!

colinjlacy avatar Jun 09 '24 13:06 colinjlacy

Welcome back, @colinjlacy 😃

anderseknert avatar Jun 09 '24 17:06 anderseknert