I want to return a non-zero exit code when my policy fails so that my CI/CD buildspec stops building. I also want to return a string error message from my rule(s).
I noticed the --fail and --fail-defined options for opa eval command. These options seem perfect. However, returning a string technically isn't 'failing' or returning 'undefined'. So, it seems to me impossible to return a string error message as well as a non-zero exit code without also sabotaging a good output string and test case.
Am I correct here? Is there any way to get the best of both worlds? I'm still new to Rego
Ex rego file:
package play
default hello := "hello failed"
hello := "hello passed" {
input.message == "world"
}
input:
{"message": "world"}
Running the following command will return a non-zero exit code no matter what
opa eval -i .\input.json -d .\test_rego.rego 'data.play.hello' --fail-defined -f raw
Similarly, the command below won't help because in this case the result is always defined
opa eval -i .\input.json -d .\test_rego.rego 'data.play.hello' --fail -f raw
Any help is appreciated
That's an interesting case. Normally you'll have either boolean rules to work with, or in the case where you want to return e.g. a message partial set rules where you can test for emptiness. If you really want to return a string for both the failure and the success case, you could use not
to achieve that:
opa eval -d test_rego.rego -i input.json --fail 'not data.play.hello == "hello passed"'
If using partial rules, i.e:
hello["hello passed"] {
input.message == "world"
}
You could test iteration over the rule to check for empty:
opa eval -d play.rego --fail 'data.play.hello[_]'