Trying to understand the concept of falsehood in OPA. My situation is such - I need to verify whether all cloud resources are in allowed regions of AWS. What I have right now is:
allowed_locations := ["eastus", "westus"]

# True when value occurs in array; otherwise the body has no binding
# and the function is undefined rather than false.
exists(array, value) {
    array[_] == value
}

all_resources_in_allowed_regions {
    not any_resource_not_in_allowed_regions
}

# Intended to be true when some resource is outside the allowed list.
any_resource_not_in_allowed_regions {
    some index
    exists(allowed_locations, input.planned_values.root_module.resources[index].values.location) != true
}
The problem is, I think I'm missing something about the result of policies/functions when it's not true - for instance, the result of exists(allowed_locations, "westeurope") is not false but "undefined" of some sort, which means that the result of exists(allowed_locations, "westeurope") != true is also "undefined", which means that all_resources_in_allowed_regions is assigned not "undefined", which is true.
How would you solve this issue with OPA? Am I missing something about the proper way to use it?
Check out the "For All" section of the docs:
More explanation about what is happening: https://www.openpolicyagent.org/docs/latest/policy-language/#universal-quantification-for-all
Quick Examples: https://www.openpolicyagent.org/docs/latest/policy-reference/#for-all
Following on from your reply ("open policy agent - false vs none"), the updated policy as described looks like:
allowed_locations := ["eastus", "westus"]

# Undefined (not false) when value is not in array.
exists(array, value) {
    array[_] == value
}

# `not` turns an undefined body into true, so this is true when
# value is absent from array.
not_exists(array, value) {
    not exists(array, value)
}

all_resources_in_region {
    not any_resource_not_in_region
}

# True as soon as any resource's location is outside allowed_locations.
# Key is `resources`, as in the question's code and in Terraform plan JSON.
any_resource_not_in_region {
    not_exists(allowed_locations, input.planned_values.root_module.resources[_].values.location)
}
Playground example: https://play.openpolicyagent.org/p/f1bI2Ddc9D
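As an added example (not from the question or either answer, and written in the same pre-v1 Rego syntax as the post), here is the same check using a set for the allowed regions and a deny set that names each offending resource; the sample plan fragment and its resource addresses are constructed. Unlike the policy above, it also reports a resource whose values block has no location at all, because the negated helper is true both when the region is wrong and when the field is missing.

```rego
package terraform.regions

# A set, so membership is a single lookup instead of an array scan.
allowed_locations := {"eastus", "westus"}

# Defined (true) only when the resource has a location AND it is allowed.
# If values.location is missing, the reference is undefined and so is
# this function, which `not` below then turns into a violation.
resource_in_allowed_region(r) {
    allowed_locations[r.values.location]
}

# One message per resource that is not in an allowed region.
deny[msg] {
    some i
    r := input.planned_values.root_module.resources[i]
    not resource_in_allowed_region(r)
    loc := object.get(r.values, "location", "<missing>")
    msg := sprintf("%s: location %v is not one of %v", [r.address, loc, allowed_locations])
}

# Universal quantification: the plan passes iff nothing was denied.
all_resources_in_allowed_regions {
    count(deny) == 0
}

# Constructed plan fragment (not a real Terraform plan) to exercise the rules.
sample_plan := {"planned_values": {"root_module": {"resources": [
    {"address": "azurerm_resource_group.ok", "values": {"location": "eastus"}},
    {"address": "azurerm_storage_account.bad", "values": {"location": "westeurope"}},
    {"address": "azurerm_storage_account.none", "values": {}},
]}}}

# Evaluating against the sample yields two messages: the "bad" resource
# (westeurope) and the "none" resource (no location field).
sample_violations := x {
    x := deny with input as sample_plan
}
```

Run it with `opa eval -d policy.rego 'data.terraform.regions.sample_violations'`; for a real plan, pass `--input plan.json` and query `deny` or `all_resources_in_allowed_regions` instead.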