Rego Cheat Sheet

tip

Did you know? There's a printable PDF version of the cheatsheet too!

All code examples on this page share this preamble:

package cheat
import rego.v1

Rules - _{^{The building blocks of Rego}}

Single-Value Rules

Single-value rules assign a single value. In older documentation, these are sometimes referred to as "complete rules". (Try It)

input.json

{
  "user": {
    "role": "admin",
    "internal": true
  }
}

policy.rego

default allow := false

allow if {
	input.user.role == "admin"
	input.user.internal
}

default request_quota := 100
request_quota := 1000 if input.user.internal
request_quota := 50 if input.user.plan.trial

Multi-Value Set Rules

Multi-value set rules generate and assign a set of values to a variable. In older documentation these are sometimes referred to as "partial set rules". (Try It)

input.json

{
  "user": {
    "teams": [
      "ops",
      "eng"
    ]
  }
}

policy.rego

paths contains "/handbook/*"

paths contains path if {
	some team in input.user.teams
	path := sprintf("/teams/%v/*", [team])
}

Multi-Value Object Rules

Multi-value object rules generate and assign a set of keys and values to a variable. In older documentation these are sometimes referred to as "partial object rules". (Try It)

input.json

{
  "paths": [
    "a/123.txt",
    "a/456.txt",
    "b/foo.txt",
    "b/bar.txt",
    "c/x.txt"
  ]
}

policy.rego

# Creates an object with sets as the values.
paths_by_prefix[prefix] contains path if {
	some path in input.paths
	parts := split(path, "/")
	prefix := parts[0]
}

Iteration - _{^{Make quick work of collections}}

Some

Name local query variables. (Try It)

policy.rego

all_regions := {
	"emea": {"west", "east"},
	"na": {"west", "east", "central"},
	"latam": {"west", "east"},
	"apac": {"north", "south"},
}

allowed_regions contains region_id if {
	some area, regions in all_regions

	some region in regions
	region_id := sprintf("%s_%s", [area, region])
}

Every

Check conditions on many elements. (Try It)

input.json

{
  "userID": "u123",
  "paths": [
    "/docs/u123/notes.txt",
    "/docs/u123/q4-report.docx"
  ]
}

policy.rego

allow if {
	prefix := sprintf("/docs/%s/", [input.userID])
	every path in input.paths {
		startswith(path, prefix)
	}
}

Control Flow - _{^{Handle different conditions}}

Logical AND

Statements in rules are joined with logical AND. (Try It)

input.json

{
  "email": "joe@example.com"
}

policy.rego

valid_staff_email if {
	regex.match(`^\S+@\S+\.\S+$`, input.email) # and
	endswith(input.email, "example.com")
}

Logical OR

Express OR with multiple rules, functions or the in keyword. (Try It)

input.json

{
  "email": "opa@example.com",
  "name": "anna",
  "method": "GET"
}

policy.rego

# using multiple rules
valid_email if endswith(input.email, "@example.com")
valid_email if endswith(input.email, "@example.org")
valid_email if endswith(input.email, "@example.net")

# using functions
allowed_firstname(name) if {
	startswith(name, "a")
	count(name) > 2
}

allowed_firstname("joe") # if name == 'joe'

valid_name if allowed_firstname(input.name)

valid_request if {
	input.method in {"GET", "POST"} # using `in`
}

Testing - _{^{Validate your policy's behavior}}

With

Override input and data using the with keyword. (Try It)

policy.rego

allow if input.admin == true

test_allow_when_admin if {
	allow with input as {"admin": true}
}

Debugging - _{^{Find and fix problems}}

Print

Use print in rules to inspect values at runtime. (Try It)

policy.rego

allowed_users := {"alice", "bob"}

allow if {
	some user in allowed_users
	print(user)
	input.user == user
}

Comprehensions - _{^{Rework and process collections}}

Arrays

Produce ordered collections, maintaining duplicates. (Try It)

policy.rego

doubled := [m |
	some n in [1, 2, 3, 3]
	m := n * 2
]

Sets

Produce unordered collections without duplicates. (Try It)

policy.rego

unique_doubled contains m if {
	some n in [10, 20, 30, 20, 10]
	m := n * 2
}

Objects

Produce key:value data. Note, keys must be unique. (Try It)

policy.rego

is_even[number] := is_even if {
	some number in [1, 2, 3, 4]
	is_even := (number % 2) == 0
}

Builtins - _{^{Handy functions for common tasks}}

Regex

Pattern match and replace string data. (Try It)

policy.rego

example_string := "Build Policy as Code with OPA!"

check_match if regex.match(`\w+`, example_string)

check_replace := regex.replace(example_string, `\s+`, "_")

Strings

Check and transform strings. (Try It)

policy.rego

example_string := "Build Policy as Code with OPA!"

check_contains if contains(example_string, "OPA")
check_startswith if startswith(example_string, "Build")
check_endswith if endswith(example_string, "!")
check_replace := replace(example_string, "OPA", "OPA!")
check_sprintf := sprintf("OPA is %s!", ["awesome"])

Aggregates

Summarize data. (Try It)

policy.rego

vals := [5, 1, 4, 2, 3]
vals_count := count(vals)
vals_max := max(vals)
vals_min := min(vals)
vals_sorted := sort(vals)
vals_sum := sum(vals)

Objects: Extracting Data

Work with key value and nested data. (Try It)

policy.rego

obj := {"userid": "18472", "roles": [{"name": "admin"}]}

# paths can contain array indexes too
val := object.get(obj, ["roles", 0, "name"], "missing")

defaulted_val := object.get(
	obj,
	["roles", 0, "permissions"], # path
	"unknown", # default if path is missing
)

keys := object.keys(obj)

Objects: Transforming Data

Manipulate and make checks on objects. (Try It)

policy.rego

unioned := object.union({"foo": true}, {"bar": false})

subset := object.subset(
	{"foo": true, "bar": false},
	{"foo": true}, # subset object
)

removed := object.remove(
	{"foo": true, "bar": false},
	{"bar"}, # remove keys
)