A plugin for running Open Policy Agent (OPA) in AWS Lambda as a Lambda Extension.

opa-lambda-extension-plugin

A custom plugin for running Open Policy Agent (OPA) in AWS Lambda as a Lambda Extension.

To learn more about how Lambda Extensions work, check out these AWS docs, which provide a helpful graphic depicting the Lambda lifecycle.

Usage

This project provides an OPA plugin that integrates OPA with the Lambda Extension API. To use this plugin, you must compile a custom version of the OPA binary. Instructions to do this are available in OPA's documentation. In the future, we hope to contribute/release changes that provide a simpler experience, similar to the opa-envoy-plugin project.

This plugin can be tricky to implement, depending on whether or not you use the OPA discovery plugin.

Usage without Discovery

If you don't need to use the discovery plugin, then you don't need to make many changes in your custom OPA compilation. Just modify main.go to import the plugin module (see snippet just below). If you're unfamiliar with custom plugins in OPA, check out the OPA docs on the subject.

// Copyright 2016 The OPA Authors.  All rights reserved.
// Use of this source code is governed by an Apache2
// license that can be found in the LICENSE file.

package main

import (
  "fmt"
  "os"

  // Import the plugin so that it can register itself with the OPA runtime on init
  _ "github.com/godaddy/opa-lambda-extension-plugin/plugins/lambda"

  "github.com/open-policy-agent/opa/cmd"
)

func main() {
  if err := cmd.RootCommand.Execute(); err != nil {
    fmt.Println(err)
    os.Exit(1)
  }
}

// Capabilities file generation:
//go:generate build/gen-run-go.sh internal/cmd/genopacapabilities/main.go capabilities.json

// WASM base binary generation:
//go:generate build/gen-run-go.sh internal/cmd/genopawasm/main.go -o internal/compiler/wasm/opa/opa.go internal/compiler/wasm/opa/opa.wasm  internal/compiler/wasm/opa/callgraph.csv

Everything else can be wired up in OPA configuration. Note the `trigger: manual` setting on the bundles, decision_logs, and status plugins: with manual triggering those plugins do no periodic polling or uploading on their own, and instead run only when the lambda extension plugin triggers them during a function invocation.

services:
  acmecorp:
    url: https://example.com/control-plane-api/v1

bundles:
  authz:
    service: acmecorp
    resource: bundles/http/example/authz.tar.gz
    polling:
      trigger: manual
      scope: write

decision_logs:
  service: acmecorp
  reporting:
    trigger: manual

status:
  service: acmecorp
  trigger: manual

plugins:
  lambda_extension:
    minimum_trigger_threshold: 30
    trigger_timeout: 7
    plugin_start_priority:
      - bundle
      - decision_logs
      - status
    plugin_stop_priority:
      - decision_logs
      - status
      - bundle

Usage with Discovery

The discovery plugin prevents other plugins from being registered in the bootstrap configuration. This prevents the lambda extension plugin from being registered via configuration, because the lambda extension plugin must run before the discovery plugin. To use the lambda extension plugin with discovery, you must compile a custom OPA binary in which you register the lambda extension plugin directly with the runtime, e.g.

// rt is the OPA runtime (*runtime.Runtime); register the plugin before the
// runtime starts so it is present ahead of the discovery plugin.
lambdaPluginFactory := lambda.PluginFactory{}
rt.Manager.Register(lambda.Name, lambdaPluginFactory.New(rt.Manager, nil))

This is less than ideal and the complexity involved with this implementation is outside the scope of this document. For now, just know that if you really need to implement both the discovery and lambda extension plugins, it is possible to do so. In the future, we hope to contribute/release changes that make this implementation simpler.

Configuration

plugins:
  lambda_extension:
    # The number of seconds that must elapse before plugins will be triggered by a lambda function invocation
    minimum_trigger_threshold: 30
    # The number of seconds that ALL plugins have to complete their trigger before they are canceled.
    trigger_timeout: 7
    # The order in which plugins will be started while the Lambda Extension is in its init phase.
    plugin_start_priority:
      - bundle
      - decision_logs
      - status
    # The order in which plugins will be stopped while the Lambda Extension is in its shutdown phase.
    plugin_stop_priority:
      - decision_logs
      - status
      - bundle
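The scheduling these settings describe, as an added illustration that is not the plugin's own code: invocation-driven triggers are gated by minimum_trigger_threshold, run in plugin_start_priority order, and all share one trigger_timeout deadline. The Trigger type and Scheduler are assumptions standing in for OPA's plugin interfaces.

```go
package main

import (
	"context"
	"fmt"
	"time"
)

// Trigger stands in for one plugin's manual trigger (bundle download,
// decision-log upload, status report). Assumed shape, not OPA's interface.
type Trigger func(ctx context.Context) error

// Scheduler models the lambda_extension settings: invocation-driven triggers
// run at most once per MinimumTriggerThreshold, in Priority order, and all of
// them share one deadline of TriggerTimeout.
type Scheduler struct {
	MinimumTriggerThreshold time.Duration
	TriggerTimeout          time.Duration
	Priority                []string           // plugin_start_priority
	Triggers                map[string]Trigger // keyed by plugin name
	lastTrigger             time.Time
	now                     func() time.Time // injectable clock for tests
}

func NewScheduler(threshold, timeout time.Duration, priority []string, triggers map[string]Trigger) *Scheduler {
	return &Scheduler{
		MinimumTriggerThreshold: threshold,
		TriggerTimeout:          timeout,
		Priority:                priority,
		Triggers:                triggers,
		now:                     time.Now,
	}
}

// OnInvoke is called once per Lambda invocation. It returns the plugins that
// were triggered (nil when the threshold has not elapsed) and the first error;
// a trigger that outlives TriggerTimeout sees its context canceled.
func (s *Scheduler) OnInvoke(parent context.Context) ([]string, error) {
	t := s.now()
	if !s.lastTrigger.IsZero() && t.Sub(s.lastTrigger) < s.MinimumTriggerThreshold {
		return nil, nil // too soon: the invocation proceeds with no plugin I/O
	}
	s.lastTrigger = t
	ctx, cancel := context.WithTimeout(parent, s.TriggerTimeout)
	defer cancel()
	var triggered []string
	for _, name := range s.Priority {
		trig, ok := s.Triggers[name]
		if !ok {
			continue // plugin listed in priority but not configured
		}
		if err := trig(ctx); err != nil {
			return triggered, fmt.Errorf("%s trigger: %w", name, err)
		}
		triggered = append(triggered, name)
	}
	return triggered, nil
}

func main() {
	// Constructed demo: triggers that just announce themselves.
	announce := func(name string) Trigger {
		return func(context.Context) error { fmt.Println("triggered", name); return nil }
	}
	s := NewScheduler(30*time.Second, 7*time.Second,
		[]string{"bundle", "decision_logs", "status"},
		map[string]Trigger{"bundle": announce("bundle"), "decision_logs": announce("decision_logs"), "status": announce("status")})
	ran, err := s.OnInvoke(context.Background())
	fmt.Println(ran, err) // first invocation: [bundle decision_logs status] <nil>
	ran, err = s.OnInvoke(context.Background())
	fmt.Println(ran, err) // second invocation within 30s: [] <nil>
}
```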

Development

make fmt

make lint

make test

More Information

The plugin is heavily commented with useful information.

Comments
  • Bump github.com/open-policy-agent/opa from 0.32.0 to 0.40.0

    Bumps github.com/open-policy-agent/opa from 0.32.0 to 0.40.0.

    Release notes

    Sourced from github.com/open-policy-agent/opa's releases.

    v0.40.0

    This release contains a number of fixes and enhancements.

    Metadata introspection

    The rich metadata added in the v0.38.0 release can now be introspected from the policies themselves!

    package example

    # METADATA
    # title: Edits by owner only
    # description: |
    #   Only the owner is allowed to edit their data.
    deny[{"allowed": false, "message": rego.metadata.rule().description}] {
        input.user != input.owner
    }

    This snippet will evaluate to

    [{
      "allowed": false,
      "message": "Only the owner is allowed to edit their data.\n"
    }]

    Both the rule's metadata can be accessed, via rego.metadata.rule(), and the entire chain of metadata attached to the rule via the various scopes that different metadata annotations can have, via rego.metadata.chain().

    All the details can be found in the documentation of these new built-in functions.

    Function mocking

    It is now possible to mock functions in tests! Both built-in and non-built-in functions can be mocked:

    package authz
    import data.jwks.cert
    import data.helpers.extract_token

    allow {
        [true, _, _] = io.jwt.decode_verify(extract_token(input.headers), {"cert": cert, "iss": "corp.issuer.com"})
    }

    test_allow {
        allow
            with input.headers as []
            with data.jwks.cert as "mock-cert"
            with io.jwt.decode_verify as [true, {}, {}] # mocked built-in
            with extract_token as "my-jwt" # mocked non-built-in
    }

    For further information about policy testing with data and function mock, see the Policy Testing docs. All details about with can be found in its Policy Language section.

    ... (truncated)


    Commits
    • b3c8d80 Prepare v0.40.0 Release (#4631)
    • 39125a0 downloader: support for downloading bundles from an OCI registry (#4558)
    • 2f6b417 format: keep whitespaces for multiple indented same-line withs (#4635)
    • 7e50293 ast+topdown+planner: replacement of non-built-in functions via 'with' (#4616)
    • 02c1c1e bundle/status: Include bundle type in status information
    • 654b245 docs: update version in kubernetes examples (#4627)
    • 8e79fc9 build(deps): bump github.com/fsnotify/fsnotify v1.5.2 -> v1.5.4 (#4628)
    • 4154d99 Dockerfile: add source annotation (#4626)
    • b481f00 topdown/net: require prefix length for IPv6 in net.cidr_merge (#4613)
    • eb94b73 website: add playground button to navbar (#4622)
    • Additional commits viewable in compare view


  • Configure Renovate

    Mend Renovate

    Welcome to Renovate! This is an onboarding PR to help you understand and configure settings before regular Pull Requests begin.

    🚦 To activate Renovate, merge this Pull Request. To disable Renovate, simply close this Pull Request unmerged.


    Detected Package Files

    • go.mod (gomod)

    Configuration

    🔡 Renovate has detected a custom config for this PR. Feel free to ask for help if you have any doubts and would like it reviewed.

    Important: Now that this branch is edited, Renovate can't rebase it from the base branch any more. If you make changes to the base branch that could impact this onboarding PR, please merge them manually.

    What to Expect

    With your current configuration, Renovate will create 2 Pull Requests:

    Update module github.com/open-policy-agent/opa to v0.44.0
    Update module go to 1.19
    • Schedule: ["at any time"]
    • Branch name: renovate/go-1.x
    • Merge into: main
    • Upgrade go to 1.19

    ❓ Got questions? Check out Renovate's Docs, particularly the Getting Started section. If you need any further assistance then you can also request help here.


    This PR has been generated by Mend Renovate. View repository job log here.

  • Bump github.com/open-policy-agent/opa from 0.32.0 to 0.42.0

    Bumps github.com/open-policy-agent/opa from 0.32.0 to 0.42.0.

    Release notes

    Sourced from github.com/open-policy-agent/opa's releases.

    v0.42.0

    This release contains a number of fixes and enhancements.

    New built-in function: object.subset

    This function checks if a collection is a subset of another collection. It works on objects, sets, and arrays.

    If both arguments are objects, then the operation is recursive, e.g. {"c": {"x": {10, 15, 20}}} is considered a subset of {"a": "b", "c": {"x": {10, 15, 20, 25}, "y": "z"}}.

    See the built-in functions docs for all details

    This implementation fixes #4358 and was authored by @​charlesdaniels.

    New keywords: "contains" and "if"

    These new keywords let you increase the expressiveness of your policy code:

    Before

    package authz
    allow { not denied } # `denied` left out for presentation purposes

    deny[msg] {
        count(violations) > 0
        msg := sprintf("there are %d violations", [count(violations)])
    }

    After

    package authz
    import future.keywords

    allow if not denied # one expression only => no { ... } needed!

    deny contains msg if {
        count(violations) > 0
        msg := sprintf("there are %d violations", [count(violations)])
    }

    Note that rule bodies containing only one expression can be abbreviated when using if.

    To use the new keywords, use import future.keywords.contains and import future.keywords.if; or import all of them at once via import future.keywords. When these future imports are present, the pretty printer (opa fmt) will introduce contains and if where applicable.

    if is allowed in all places to separate the rule head from the body, like


    ... (truncated)


