Introduction
When testing Open Policy Agent (OPA) policies locally, you may need to replicate the exact opa eval command that HCP Terraform uses. In addition to the Terraform plan JSON data, OPA is also provided with metadata about the run, as described in the Terraform Run Data documentation.
This article provides the command structures for both VCS-based and non-VCS-based (managed) policy sets.
Procedure
The command structure for opa eval varies depending on how your policies are managed in HCP Terraform.
For VCS-Based Policies
If your policies are sourced from a version control system (VCS), use the following command structure. The -b flag specifies the bundle path for the policy set.
$ opa eval -f pretty --fail -i <input_path> -b <policy_set_path_for_vcs> <query>
For Non-VCS (Managed) Policies
If your policies are managed directly within HCP Terraform (not connected to a VCS), use the following command structure. The -d flag specifies the path to the policy file.
$ opa eval -f pretty --fail -i <input_path> -d <policy_path> <query>
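The following helper is an added example, not HashiCorp's code, showing one way to assemble a local input file and select the matching command from the two structures above. It assumes the plan JSON is exposed to policies under a top-level "plan" key and the run metadata under "run"; the file names and the query are hypothetical placeholders.

```shell
#!/usr/bin/env bash
# Added example: wraps the two documented opa eval command structures.
# Function names, file names and the query below are illustrative only.

# Combine plan JSON and run metadata into one OPA input document.
# Assumption: plan data sits under "plan" and run data under "run".
build_input() {   # build_input <plan.json> <run.json> <out.json>
  [ -s "$1" ] && [ -s "$2" ] || { echo "missing plan or run file" >&2; return 1; }
  printf '{"plan": %s, "run": %s}\n' "$(cat "$1")" "$(cat "$2")" > "$3"
}

# Map the policy set type to the flag used in the article:
# "vcs" -> -b (bundle path), "managed" -> -d (policy file path).
policy_flag() {   # policy_flag <vcs|managed>
  case "$1" in
    vcs)     printf '%s\n' '-b' ;;
    managed) printf '%s\n' '-d' ;;
    *) echo "type must be vcs or managed" >&2; return 2 ;;
  esac
}

# Print the command that would be run, for review or logging.
opa_eval_cmd() {  # opa_eval_cmd <vcs|managed> <input.json> <policy_path> <query>
  flag=$(policy_flag "$1") || return 2
  printf 'opa eval -f pretty --fail -i %s %s %s %s\n' "$2" "$flag" "$3" "$4"
}

# Run the evaluation; the function's exit status is opa's own,
# so a CI job can gate on it directly.
run_local_eval() {  # same arguments as opa_eval_cmd
  flag=$(policy_flag "$1") || return 2
  opa eval -f pretty --fail -i "$2" "$flag" "$3" "$4"
}

# Typical use (paths and query are placeholders):
#   build_input plan.json run.json input.json
#   run_local_eval vcs input.json ./policy-set 'data.terraform.policies.example.deny'
```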
Additional Information
- For more details on the data provided to OPA during a run, please see the OPA Policy Enforcement: Terraform Run Data documentation.