Problem
OPA Policy Evaluations in HCPT/Terraform Enterprise are failing with the following error.
"failed running OPA policy evaluation run for policy: data.terraform.policies.public_ingress.deny, (output: \"1 error occurred: loading error: bundle /home/tfc-agent/.tfc-agent/component/policy/policy-runs/poleval-gPpSRtrdiRC6HfHr/policy/public_ingress: 2 errors occurred:\\n/home/tfc-agent/.tfc-agent/component/policy/policy-runs/poleval-gPpSRtrdiRC6HfHr/policy/public_ingress/public_ingress.rego:5: rego_parse_error: `if` keyword is required before rule body\\n/home/tfc-agent/.tfc-agent/component/policy/policy-runs/poleval-gPpSRtrdiRC6HfHr/policy/public_ingress/public_ingress.rego:5: rego_parse_error: `contains` keyword is required for partial set rules\\n\") (exit 2)"
Prerequisites
- OPA Policy Sets in HCPT/Terraform Enterprise with OPA Runtime version >= 1.0.0
Cause
Changes to Rego in OPA v1.0 now enforce the use of the if and contains keywords in rule head declarations.
- "if keyword is required before rule body" - OPA v1.0.0 requires the if keyword before rule conditions
- "contains keyword is required for partial set rules" - Rules that generate sets (like deny[msg]) now require the contains keyword
These syntax changes are part of OPA's move toward more explicit and readable policy syntax. For more information, see the Upgrading to v1.0 OPA documentation.
Solution
As a temporary workaround, pin the Runtime Version on affected Policy Sets to 0.61.0 by editing the Policy Set. To prepare for an update to v1.0, Rego code will need to be modified to account for the changes introduced in Rego v1.0. Rule head declarations which were previously using the deny[msg] syntax will need to be updated to deny contains msg if. Below is an example taken from the HashiCorp documentation demonstrating the syntax changes required.
- Original
    package terraform.policies.public_ingress
    import input.plan as plan
    deny[msg] {
      r := plan.resource_changes[_]
      r.type == "aws_security_group"
      r.change.after.ingress[_].cidr_blocks[_] == "0.0.0.0/0"
      msg := sprintf("%v has 0.0.0.0/0 as allowed ingress", [r.address])
    }
- Updated for OPA v1.0
    package terraform.policies.public_ingress
    import input.plan as plan
    deny contains msg if {
      r := plan.resource_changes[_]
      r.type == "aws_security_group"
      r.change.after.ingress[_].cidr_blocks[_] == "0.0.0.0/0"
      msg := sprintf("%v has 0.0.0.0/0 as allowed ingress", [r.address])
    }
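The following is an added example, not code from the HashiCorp documentation or from this article. It shows the same public-ingress policy in OPA v1.0 syntax, extended with a complete rule (which in v1.0 also needs the if keyword, since v0 "allow { ... }" fails to parse the same way) and two opa test cases. The resource address, the plan fragment and the rule names allow and test_* are assumptions constructed for illustration; the only real structure reused is the resource_changes shape the article's policy already reads.

```rego
package terraform.policies.public_ingress

# Partial set rule in v1.0 form: `contains` marks the set, `if` marks the body.
# The `some ... in` iteration is built into v1.0 (no future.keywords import).
deny contains msg if {
	some r in input.plan.resource_changes
	r.type == "aws_security_group"
	some ingress in r.change.after.ingress
	some cidr in ingress.cidr_blocks
	cidr == "0.0.0.0/0"
	msg := sprintf("%v has 0.0.0.0/0 as allowed ingress", [r.address])
}

# Complete rule (assumed name): v1.0 requires `if` here too,
# even though this rule is not a partial set.
default allow := false

allow if count(deny) == 0

# Constructed plan fragment, not real Terraform output: one security group
# that opens an ingress rule to the world.
test_open_ingress_is_denied if {
	plan := {"resource_changes": [{
		"address": "aws_security_group.web",
		"type": "aws_security_group",
		"change": {"after": {"ingress": [{"cidr_blocks": ["0.0.0.0/0"]}]}}
	}]}
	"aws_security_group.web has 0.0.0.0/0 as allowed ingress" in deny with input as {"plan": plan}
	not allow with input as {"plan": plan}
}

# Constructed plan fragment where ingress is limited to a private range.
test_restricted_ingress_is_allowed if {
	plan := {"resource_changes": [{
		"address": "aws_security_group.web",
		"type": "aws_security_group",
		"change": {"after": {"ingress": [{"cidr_blocks": ["10.0.0.0/8"]}]}}
	}]}
	count(deny) == 0 with input as {"plan": plan}
	allow with input as {"plan": plan}
}
```

Save the block as public_ingress.rego and run opa test -v public_ingress.rego with an OPA 1.0 binary; the same file fails to parse on a pre-1.0 runtime unless that runtime is given the v1 keywords, which is why pinning the Policy Set's OPA Runtime Version matters while policies are being migrated.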
If not accounted for already, ensure HCPT/Terraform Enterprise Policy Sets pin the OPA Runtime Version and follow HashiCorp's recommended process for testing upgrades to the OPA runtime.