Overview
A common pattern in OPA policies is to import external data from JSON/YAML files. This could include things like user roles, attribute-based access control (ABAC) mappings, or service configurations. This data is typically loaded from JSON or YAML files when OPA starts. Policies then reference this data using the global data keyword.
When developing and running opa eval locally, it is common to load data files and directories directly from the command line using the -d (--data) flag to specify a file or a directory. OPA will recursively load all .json and .yaml files from that location.
Terraform Enterprise Policy Evaluations execute a formatted opa eval command and use the -b (--bundle) flag, which has different file-loading behavior than -d (--data). The bundle flag loads all Rego files in the current directory and its subdirectories; however, it does not automatically load every JSON and YAML file in that scope. Instead, it only loads files that follow a specific naming convention, data.json or data.yaml (see the OPA documentation quoted below).
- OPA will only load data files named data.json or data.yaml (which contain JSON or YAML respectively). Other JSON and YAML files will be ignored.
Procedure
In order to load base data defined in JSON or YAML files, rename the files to data.json or data.yaml. This ensures the files are loaded when Terraform Enterprise executes the opa eval command. Data will be rooted under the data variable at the path given by the file's directory. For example, given the following directory structure, the data in the JSON file foo/bar/data.json would be loaded and rooted under data.foo.bar.
foo/
|
+-- bar/
| |
| +-- data.json
|
+-- baz.rego
|
+-- manifest.yaml
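The following added example (not part of the original article, and not OPA's or Terraform Enterprise's own code) applies the bundle rule described above to a set of bundle-relative paths: it reports which files OPA loads under -b, the data.* path each is rooted at, and which JSON/YAML files would be silently ignored because of their basename. The SAMPLE_BUNDLE contents are constructed in memory to mirror the directory tree above; only data.json is parsed, since parsing data.yaml would require a third-party YAML library.

```python
import json
import posixpath

# Per the OPA bundle rule the article quotes: only these basenames are loaded
# as data under -b; any other .json/.yaml file in the bundle is skipped.
BUNDLE_DATA_NAMES = ("data.json", "data.yaml")


def classify_bundle_files(paths):
    """Return (loaded, ignored): loaded maps each data file to the key path
    it is rooted at under `data`; ignored lists JSON/YAML files OPA skips."""
    loaded, ignored = {}, []
    for p in paths:
        base = posixpath.basename(p)
        if base in BUNDLE_DATA_NAMES:
            parent = posixpath.dirname(p)          # "" for a top-level file
            loaded[p] = tuple(parent.split("/")) if parent else ()
        elif base.endswith((".json", ".yaml", ".yml")):
            ignored.append(p)
    return loaded, ignored


def load_bundle_data(files):
    """Merge every data.json into one nested dict the way -b roots it.
    `files` maps bundle-relative path -> text (data.yaml is not parsed)."""
    loaded, _ = classify_bundle_files(files)
    data = {}
    for path, root in loaded.items():
        if path.endswith(".json"):
            node = data
            for key in root:                      # walk/create data.foo.bar
                node = node.setdefault(key, {})
            node.update(json.loads(files[path]))
    return data


# Constructed in-memory stand-in for the article's tree, plus a mis-named file.
SAMPLE_BUNDLE = {
    "foo/bar/data.json": '{"owners": ["alice"], "max_cost": 500}',
    "foo/roles.json": '{"admins": ["bob"]}',   # silently ignored under -b
    "foo/baz.rego": "package foo\n\nallow { data.foo.bar.max_cost < 1000 }\n",
    "foo/manifest.yaml": "version: 1\n",         # silently ignored under -b
}

if __name__ == "__main__":
    loaded, ignored = classify_bundle_files(SAMPLE_BUNDLE)
    for p, root in loaded.items():
        print(f"loaded  {p} -> data.{'.'.join(root) or '<root>'}")
    for p in ignored:
        print(f"IGNORED {p}: rename to data.json or data.yaml")
```

Running the check before uploading a policy set to Terraform Enterprise catches files such as foo/roles.json, whose contents a policy would otherwise read as undefined.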
Additional Information