Pass back a value from Open Policy Agent (OPA) query

Instead of seeing who can access what, I want to setup policies that return how many connections are allowed per second, or, how much bandwidth is allowed. How do I define my policies to return values instead of true/false?

Solution

Complete rules are just if-then statements that assign a VALUE to a VARIABLE. When the VALUE is omitted, it's implicitly true:

allow { input.method == "GET" }

Is equivalent to:

allow = true { input.method == "GET" }

There is nothing special about allow or true though; you could similarly define a rule that sets the connections per second limit:

connections_per_second = 7 { input.tier == "gold" }

If you have multiple definitions just be aware that only one can succeed (otherwise OPA will raise a conflict error). You need to resolve the conflict inside of your policy. There are different ways of handling this, e.g., default, else, negation, etc.

Access denied when put bucket policy on aws s3 bucket with root user (= bucket owner)
Is it a possible to call a lambda in different account from the cloudformation one?
not authorized to perform: ec2:DescribeInstances because no identity-based policy allows the ec2:DescribeInstances action
Chrome not recognizing custom policies set for an extension
Does GitHub delete repositories with no activity after some length of time?
can we use wildcard in consul policy for node or service
How $this->authorize() understand which policy should be called in laravel?
The 'calls' attribute is invalid - The value '' is not within allowed values range
AWS Role Policy for different SMS numbers
Azure API Management Policy: Unable to add condition to check it the string is empty
Azure Policy with "modify" effect needs update or create event - how to deal with existing resources?
AWS-cloudformation: Resource handler returned message: "An ARN in the specified key policy is invalid. "
Azure Policy - deny changes via user interface
azure policy deny changes on resources with source:terraform tag
Azure Policy says, that resources managed by Microsoft are non-compliant
Hide specific instaces for IAM users in AWS console
The policies in Laravel are not working for me, this is my code
The provided execution role does not have permissions to call DescribeNetworkInterfaces on EC2
SQL row level security policy
Azure policy for naming conventions for subnets to start with "snet", but allow subnet names like "AzureBastionSubnet", "AzureFirewallSubnet", etc
401 Unauthorized when calling Cosmos DB Api via Azure APIM send-request
Laravel policy does not authorize action
configuring a dynamic websocket endpoint in azure apim
Azure powershell list assigned backup policy to VM
Azure APIM IP filter blocks developer portal
PostgreSQL - infinite recursion detected in policy for relation
Laravel: Difference Between Route Middleware and Policy
Custom message on Laravel policy authorization
Policy based authorization needs to return some reason when it fails
What capability does a policy need in order to start jobs in Nomad?