Version: Release 23.3

OPA Integration

Open Policy Agent (OPA) is a freely available policy engine that lets you write policies as code and incorporate them into your application or process. The Release OPA integration enables Release to work with an Open Policy Agent server to manage policies and to evaluate inputs against them. Policies are written in the Rego policy language, which lets you use the same language to write policies for various services.

Important: You must set up a connection to the OPA server before adding OPA tasks. For more information, see Set up Connection to OPA Server.

Note: In the release flow editor, OPA tasks have a blue border.

The OPA integration provides the following features:

  • Create, Update, Delete, and Get an OPA policy
  • Evaluate an input against an OPA policy

Prerequisites

For OPA integration, you need the following:

  • An OPA server that is running and accessible via HTTP(S)
  • Access credentials to the GitHub repository that stores the policies

Set up Connection to OPA Server

  1. From the navigation pane, under Configuration, click Connections.
  2. Under HTTP Server connections, next to OPA: Server, click the add button.
  3. In the Title field, enter a name for the configuration.
  4. In the URL field, enter the address of the server.
  5. If required, enter authentication details and proxy details.
  6. To test the connection, click Test.
  7. To save the configuration, click Save.

Add Create Policy Task

The Create Policy task creates a policy in the OPA server.

  1. In the release flow tab of a Release template, add a task of type OPA > Create Policy.
  2. Click the added task to open it.
  3. In the Server field, select the configured OPA server.
  4. In the Name of policy to be created field, add the policy name.
  5. To provide the policy as a string, paste the policy in the Policy field.
  6. To fetch the policy as code from a GitHub repository instead, add the URL of the GitHub raw file in the Git File Url field, and the GitHub personal access token (PAT) in the Git PAT field.

Add Update Policy Task

The Update Policy task updates a policy in the OPA server.

  1. In the release flow tab of a Release template, add a task of type OPA > Update Policy.
  2. Click the added task to open it.
  3. In the Server field, select the configured OPA server.
  4. In the Name of policy to be Updated field, add the policy name.
  5. To provide the policy as a string, paste the policy in the Policy field. Alternatively, to fetch the policy as code from a GitHub repository, add the URL of the GitHub raw file in the Git File Url field, and the GitHub PAT in the Git PAT field.

Add Get Policy Task

The Get Policy task gets a policy from the OPA server.

  1. In the release flow tab of a Release template, add a task of type OPA > Get Policy.
  2. Click the added task to open it.
  3. In the Server field, select the configured OPA server.
  4. In the Name of policy field, add the policy name.
  5. The policy will be stored in the output Policy field.

Add Delete Policy Task

The Delete Policy task deletes a policy from the OPA server.

  1. In the release flow tab of a Release template, add a task of type OPA > Delete Policy.
  2. Click the added task to open it.
  3. In the Server field, select the configured OPA server.
  4. In the Name of policy field, add the policy name.

Add Evaluate Policy Task

The Evaluate Policy task evaluates an input against a policy in the OPA server.

  1. In the release flow tab of a Release template, add a task of type OPA > Evaluate Policy.
  2. Click the added task to open it.
  3. In the Server field, select the configured OPA server.
  4. In the Json Input For Evaluation field, add the input which will be evaluated against the policy.
  5. In the Name of policy to Check with field, add the policy name.
  6. In the Expected Output field, enter the expected output. It is compared with the actual result of the policy evaluation.
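
For reference when debugging these tasks, the following added example (not Digital.ai's code) builds the OPA REST API requests that correspond to the Create/Update, Get, Delete, and Evaluate operations described above. The server address, policy name, Rego policy, and input are constructed, and comparing the expected output as a JSON value is an assumption about how the check behaves.

```python
import json
import urllib.parse
import urllib.request

OPA_URL = "http://localhost:8181"  # assumption: address of the OPA server
POLICY_ID = "release_gate"         # constructed policy name

# Constructed policy: allow only when the input reports no high-severity findings.
# "import rego.v1" needs a recent OPA; older servers use the pre-1.0 rule syntax.
POLICY = """package release_gate
import rego.v1
default allow := false
allow if input.high_severity == 0
"""

def policy_request(method, policy_id, rego=None):
    """Create/Update (PUT), Get (GET) or Delete (DELETE) through OPA's Policy API."""
    url = f"{OPA_URL}/v1/policies/{urllib.parse.quote(policy_id)}"
    data = rego.encode() if rego is not None else None
    headers = {"Content-Type": "text/plain"} if data else {}
    return urllib.request.Request(url, data=data, headers=headers, method=method)

def evaluate_request(rule_path, input_doc):
    """Evaluate: POST the input document to OPA's Data API at the rule's path."""
    body = json.dumps({"input": input_doc}).encode()
    return urllib.request.Request(
        f"{OPA_URL}/v1/data/{rule_path}", data=body,
        headers={"Content-Type": "application/json"}, method="POST")

def matches_expected(response_body, expected_json):
    """Compare OPA's result with the expected output as JSON values.

    OPA omits "result" when the queried rule is undefined (wrong path, policy
    not loaded). That is treated as a mismatch so a gate fails closed.
    """
    response = json.loads(response_body)
    if "result" not in response:
        return False
    # Canonical JSON text keeps true and 1 distinct, unlike Python's ==.
    canon = lambda value: json.dumps(value, sort_keys=True)
    return canon(response["result"]) == canon(json.loads(expected_json))

def send(request):
    """Send a request to a live OPA server and return the response body."""
    with urllib.request.urlopen(request, timeout=10) as resp:
        return resp.read().decode()

if __name__ == "__main__":  # requires a reachable OPA server at OPA_URL
    send(policy_request("PUT", POLICY_ID, POLICY))
    body = send(evaluate_request("release_gate/allow", {"high_severity": 0}))
    print(matches_expected(body, "true"))
```

An empty `{}` response from the Data API usually means the rule path does not match the policy's package and rule name, not that the policy denied the input.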

Add Parse GitHub Actions Log Task

Note: This task works only with Application Security Log.

  1. In the release flow tab of a Release template, add a task of type OPA > Parse GitHub Actions Log.
  2. Click the added task to open it.
  3. In the Server field, select the configured OPA server.
  4. In the Application Type field, select Android or Ios.
  5. In the Base url field, enter the GitHub API URL, for example, https://api.github.com.
  6. In the Username field, enter the GitHub username.
  7. In the Git PAT field, enter the GitHub PAT.
  8. In the Repository Name field, enter the GitHub repository name.
  9. In the Workflow Run ID field, enter the GitHub Actions workflow ID.
  10. In the Json Input output properties field, specify the variable to which the output will be assigned.

Note: The output variable can be used for further evaluation as an input.

Add Parse Jenkins Log Task

Note: This task works only with Application Security Log.

  1. In the release flow tab of a Release template, add a task of type OPA > Parse Jenkins Actions Log.
  2. Click the added task to open it.
  3. In the Server field, select the configured OPA server.
  4. In the Application Type field, select Android or Ios.
  5. In the Jenkins Server field, select the configured Jenkins server.
  6. In the Username field, enter the Jenkins username.
  7. In the Password field, enter the Jenkins password, or use the API Token field instead.
  8. In the API Token field, enter the Jenkins token, or use the Password field instead.
  9. In the Job Url field, enter the Jenkins job URL.
  10. In the Json Input output properties field, specify the variable to which the output will be assigned.

Note: The output variable can be used for further evaluation as an input.
