ec opa deps

Analyze Rego query dependencies

Synopsis

Print dependencies of provided query.

Dependencies are categorized as either base documents, meaning any data loaded from the outside world, or virtual documents, i.e. values that are computed from rules.

Example

Given a policy like this:

package policy
import rego.v1
allow if is_admin
is_admin if "admin" in input.user.roles

To evaluate the dependencies of a simple query (e.g. data.policy.allow), we’d run opa deps as demonstrated below:

$ opa deps --data policy.rego data.policy.allow
+------------------+----------------------+
|  BASE DOCUMENTS  |  VIRTUAL DOCUMENTS   |
+------------------+----------------------+
| input.user.roles | data.policy.allow    |
|                  | data.policy.is_admin |
+------------------+----------------------+

From the output we’re able to determine that the allow rule depends on the input.user.roles base document, as well as the virtual document (rule) data.policy.is_admin.
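The base-document column is the set of external inputs a decision can be influenced by, so it is worth checking in CI whenever a policy changes. The script below is an added example, not part of the ec or OPA documentation: it parses the pretty-format table shown above and reports any base document outside an allowlist of prefixes. The function names and the allowlist values are hypothetical, and the sample table is the output from this page embedded inline.

```shell
#!/bin/sh
# Constructed sample: the pretty-format table from the example above.
sample_table() {
cat <<'EOF'
+------------------+----------------------+
|  BASE DOCUMENTS  |  VIRTUAL DOCUMENTS   |
+------------------+----------------------+
| input.user.roles | data.policy.allow    |
|                  | data.policy.is_admin |
+------------------+----------------------+
EOF
}

# Print the base documents (first column) of a pretty-format table on stdin.
# Border lines contain no '|' and are skipped; so are the header row and
# rows whose first cell is empty.
base_docs() {
  awk -F'|' 'NF >= 4 && $2 !~ /BASE DOCUMENTS/ {
    gsub(/^[ \t]+|[ \t]+$/, "", $2)
    if ($2 != "") print $2
  }'
}

# Print each base document that is neither equal to nor nested under one of
# the allowed prefixes given as arguments (hypothetical allowlist).
# Returns 1 if any such document is found, 0 otherwise.
unexpected_base_docs() {
  allowed="$*"
  base_docs | awk -v allowed="$allowed" '
    BEGIN { n = split(allowed, a, " ") }
    {
      ok = 0
      for (i = 1; i <= n; i++)
        if ($0 == a[i] || index($0, a[i] ".") == 1) ok = 1
      if (!ok) { print; bad = 1 }
    }
    END { exit bad }'
}

# In CI the table would come from the command itself, for example:
#   ec opa deps --data policy.rego data.policy.allow | unexpected_base_docs input.user
if sample_table | unexpected_base_docs input.user; then
  echo "ok: policy reads only allowed base documents"
fi
```

Prefix matching is done on whole path segments, so an allowlist entry of input.user covers input.user.roles but not input.username.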

ec opa deps <query> [flags]

Options

-b, --bundle

set bundle file(s) or directory path(s). This flag can be repeated.

-d, --data

set policy or data file(s). This flag can be repeated.

-f, --format

set output format (Default: pretty)

-h, --help

help for deps (Default: false)

--ignore

set file and directory names to ignore during loading (e.g., '.*' excludes hidden files) (Default: [])

--v1-compatible

opt-in to OPA features and behaviors that are enabled by default in OPA v1.0 (Default: false)

Options inherited from parent commands

--debug

same as verbose but also show function names and line numbers (Default: false)

--kubeconfig

path to the Kubernetes config file to use

--logfile

file to write the logging output. If not specified logging output will be written to stderr

--quiet

less verbose output (Default: false)

--timeout

max overall execution duration (Default: 5m0s)

--trace

enable trace logging, set one or more comma separated values: none,all,perf,cpu,mem,opa,log (Default: none)

--verbose

more verbose output (Default: false)