Combining exit codes and 'defined' string return values from rules in Rego

Question

I want to return a non-zero exit code when my policy fails so that my CI/CD buildspec stops building. I also want to return a string error message from my rule(s).

I noticed the --fail and --fail-defined options for opa eval command. These options seem perfect. However, returning a string technically isn't 'failing' or returning 'undefined'. So, it seems to me impossible to return a string error message as well as a non-zero exit code without also sabotaging a good output string and test case.

Am I correct here? Is there any way to get the best of both worlds? I'm still new to Rego

Ex rego file:

package play

default hello := "hello failed"

hello := "hello passed" {
     input.message == "world"
}

input: {"message": "world"}

Running the following command will return a non-zero exit code no matter what opa eval -i .\input.json -d .\test_rego.rego 'data.play.hello' --fail-defined -f raw

Similarly, the command below won't help because in this case the result is always defined opa eval -i .\input.json -d .\test_rego.rego 'data.play.hello' --fail -f raw

Any help is appreciated

Answer 1

That's an interesting case. Normally you'll have either boolean rules to work with, or in the case where you want to return e.g. a message partial set rules where you can test for emptiness. If you really want to return a string for both the failure and the success case, you could use not to achieve that:

opa eval -d test_rego.rego -i input.json --fail 'not data.play.hello == "hello passed"'

If using partial rules, i.e:

hello["hello passed"] {
     input.message == "world"
}

You could test iteration over the rule to check for empty:

opa eval -d play.rego --fail 'data.play.hello[_]'