Validating Rego
Before adding a policy, check that it compiles and has the correct structure:
POST /policy-sets/validate-rego
{
"rego_source": "package forgecroft.policy\n\ndeny[msg] { msg := \"test\" }"
}
Response on success:
{ "valid": true }
Response on failure:
{ "valid": false, "error": "..." }
The validator checks:
- Rego compiles without syntax errors
- package forgecroft.policy exists
- At least one of deny or require_approval rules is present
- deny returns an array of strings
- require_approval returns an array of objects
Timeout: 5 seconds.
Evaluating Rego
Test a policy against custom input to see what it would produce:
POST /policy-sets/evaluate-rego
{
  "rego_source": "package forgecroft.policy\n\ndeny[msg] { input.workspace.attributes.environment == \"production\"; msg := \"prod\" }",
  "input": {
    "workspace": {
      "attributes": { "environment": "production" }
    }
  }
}
Response:
{
  "deny": ["prod"],
  "require_approval": []
}
The evaluation runs under fake IDs ("playground") with a 10-second timeout.
Testing require_approval
POST /policy-sets/evaluate-rego
{
  "rego_source": "package forgecroft.policy\n\nrequire_approval[r] { input.workspace.attributes.environment == \"production\"; r := {\"team\": \"platform\", \"min\": 1, \"stage\": 1, \"reason\": \"test\", \"timeout_hours\": 0} }",
  "input": {
    "workspace": {
      "attributes": { "environment": "production" }
    }
  }
}
Response:
{
  "deny": [],
  "require_approval": [
    {
      "team": "platform",
      "min": 1,
      "stage": 1,
      "reason": "test",
      "timeout_hours": 0
    }
  ]
}
Workflow
- Write your Rego policy
- Validate it with POST /policy-sets/validate-rego
- Evaluate it with POST /policy-sets/evaluate-rego using test input
- Iterate until the output matches expectations
- Add the policy to a policy set with POST /policy-sets/{id}/policies
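The validate-then-evaluate loop above, as an added Python example (not code from the forgecroft project or this page). It assumes a base URL (placeholder `https://forgecroft.example/api`) and that both endpoints accept and return the JSON shapes documented above; authentication, if the service requires it, is not shown. The HTTP transport is injectable so the same `check_policy` helper can run against a constructed stand-in (`fake_post`, which mirrors the documented replies without running any Rego) during offline testing, and against the real service in use. The final step, POST /policy-sets/{id}/policies, is left out because its request body is not documented here.

```python
import json
import urllib.request
from typing import Any, Callable, Dict, List, Tuple

# Placeholder: the page documents only endpoint paths, not the host.
BASE_URL = "https://forgecroft.example/api"

PostFn = Callable[[str, Dict[str, Any]], Dict[str, Any]]


def http_post(path: str, body: Dict[str, Any]) -> Dict[str, Any]:
    """Default transport: POST a JSON body to BASE_URL + path, decode the JSON reply."""
    req = urllib.request.Request(
        BASE_URL + path,
        data=json.dumps(body).encode("utf-8"),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    # Server-side limits are 5 s (validate) and 10 s (evaluate); leave headroom.
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.loads(resp.read().decode("utf-8"))


class PolicyRejected(Exception):
    """Raised when validate-rego answers {"valid": false, "error": "..."}."""


def validate_rego(rego_source: str, post: PostFn = http_post) -> None:
    reply = post("/policy-sets/validate-rego", {"rego_source": rego_source})
    if not reply.get("valid"):
        raise PolicyRejected(reply.get("error", "validation failed without an error message"))


def evaluate_rego(rego_source: str, input_doc: Dict[str, Any],
                  post: PostFn = http_post) -> Dict[str, List[Any]]:
    reply = post("/policy-sets/evaluate-rego",
                 {"rego_source": rego_source, "input": input_doc})
    # Normalise so callers can compare against expected output directly.
    return {
        "deny": list(reply.get("deny", [])),
        "require_approval": list(reply.get("require_approval", [])),
    }


Case = Tuple[str, Dict[str, Any], Dict[str, List[Any]]]


def check_policy(rego_source: str, cases: List[Case],
                 post: PostFn = http_post) -> List[Tuple[str, Any, Any]]:
    """Validate once, then evaluate each (name, input, expected) case.
    Returns the mismatches; an empty list means the policy behaves as intended."""
    validate_rego(rego_source, post)
    mismatches = []
    for name, input_doc, expected in cases:
        got = evaluate_rego(rego_source, input_doc, post)
        if got != expected:
            mismatches.append((name, expected, got))
    return mismatches


# The deny policy from the page, used as the policy under test.
PROD_DENY_POLICY = (
    'package forgecroft.policy\n\n'
    'deny[msg] { input.workspace.attributes.environment == "production"; msg := "prod" }'
)


def workspace(env: str) -> Dict[str, Any]:
    """Build the input document shape used throughout the page."""
    return {"workspace": {"attributes": {"environment": env}}}


def fake_post(path: str, body: Dict[str, Any]) -> Dict[str, Any]:
    """Constructed stand-in for the service. It does not compile or run Rego;
    it only returns the reply shapes the documentation shows for these inputs."""
    if path == "/policy-sets/validate-rego":
        if "package forgecroft.policy" not in body["rego_source"]:
            return {"valid": False, "error": "package forgecroft.policy not found"}
        return {"valid": True}
    if path == "/policy-sets/evaluate-rego":
        env = body["input"].get("workspace", {}).get("attributes", {}).get("environment")
        if env == "production":
            return {"deny": ["prod"], "require_approval": []}
        return {"deny": [], "require_approval": []}
    raise ValueError("unexpected path: " + path)


# Constructed test cases: one that should be denied, one that should pass cleanly.
CASES: List[Case] = [
    ("production is denied", workspace("production"),
     {"deny": ["prod"], "require_approval": []}),
    ("staging is allowed", workspace("staging"),
     {"deny": [], "require_approval": []}),
]

if __name__ == "__main__":
    print("mismatches:", check_policy(PROD_DENY_POLICY, CASES, post=fake_post))
```

Keeping the expected output beside each input turns the "iterate until the output matches expectations" step into a repeatable check: a policy edit that silently stops denying production shows up as a mismatch rather than being noticed only when a real change goes through.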
Related
- Writing Rego — Policy structure and examples
- Policy Sets — Adding policies to sets