GoogleCloudPlatform / config-validator

Golang library which provides functionality to evaluate GCP resources against Rego-based policies
Apache License 2.0

Config-validator - Failed to load server failed to compile dependency code - rego_parse_error: rule name conflicts with built-in function #167

Closed jralmaraz closed 3 years ago

jralmaraz commented 3 years ago

Hi,

We've been using the forseti policy-library as a base and built other policies on top of it to work with Custom Governance.

We're currently evaluating if the same policies would work with Forseti config-validator as a back-up option as Custom Governance is still a pre-GA product and there are restrictions of running it in production.

I have copied the working policy library from Custom Governance to a new modulerelease522 forseti installation and currently face the below error when trying to start the config-validator service.

Is there a way we can verify what version of OPA is currently being used by config validator?

Also, is there a way we can upgrade the OPA version used by Forseti config-validator?

We've been using and testing the policies with opa version 0.17.3 and wonder if that might be the cause of the problem.

Thank you.

Jose


```
ubuntu@forseti-server-vm-eb216d0f:~/policy-library/policy-library$ sudo systemctl status config-validator
● config-validator.service - Config Validator API Server
   Loaded: loaded (/lib/systemd/system/config-validator.service; disabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Wed 2021-07-21 00:25:29 UTC; 52min ago
  Process: 28016 ExecStart=/home/ubuntu/forseti-security/external-dependencies/config-validator/ConfigValidatorRPCServer --policyPath=/home/ubuntu/policy-library/policy-library/policies --policyLibraryPath=/home/ubuntu/policy-library/policy-libra
 Main PID: 28016 (code=exited, status=1/FAILURE)

Jul 21 00:25:29 forseti-server-vm-eb216d0f systemd[1]: Started Config Validator API Server.
Jul 21 00:25:29 forseti-server-vm-eb216d0f ConfigValidatorRPCServer[28016]: 2021/07/21 00:25:29 Failed to load server failed to compile dependency code: 2 errors occurred:
Jul 21 00:25:29 forseti-server-vm-eb216d0f ConfigValidatorRPCServer[28016]: /home/ubuntu/policy-library/policy-library/lib/common/labels.rego:21: rego_parse_error: rule name conflicts with built-in function
Jul 21 00:25:29 forseti-server-vm-eb216d0f ConfigValidatorRPCServer[28016]: /home/ubuntu/policy-library/policy-library/lib/common/labels.rego:28: rego_parse_error: rule name conflicts with built-in function
Jul 21 00:25:29 forseti-server-vm-eb216d0f systemd[1]: config-validator.service: Main process exited, code=exited, status=1/FAILURE
Jul 21 00:25:29 forseti-server-vm-eb216d0f systemd[1]: config-validator.service: Failed with result 'exit-code'.

ubuntu@forseti-server-vm-eb216d0f:~/policy-library/policy-library$ cat /lib/systemd/system/config-validator.service
[Unit]
Description=Config Validator API Server

[Service]
User=ubuntu
Environment="GOGC=1000"
ExecStart=/home/ubuntu/forseti-security/external-dependencies/config-validator/ConfigValidatorRPCServer --policyPath='/home/ubuntu/policy-library/policy-library/policies' --policyLibraryPath='/home/ubuntu/policy-library/policy-library/lib' -port=50052

[Install]
WantedBy=multi-user.target

ubuntu@forseti-server-vm-eb216d0f:~/policy-library/policy-library$ sudo /home/ubuntu/forseti-security/external-dependencies/config-validator/ConfigValidatorRPCServer --policyPath='/home/ubuntu/policy-library/policy-library/policies' --policyLibraryPath='/home/ubuntu/policy-library/policy-library/lib' -port=50052
2021/07/21 01:18:28 Failed to load server failed to compile dependency code: 2 errors occurred:
/home/ubuntu/policy-library/policy-library/lib/common/labels.rego:21: rego_parse_error: rule name conflicts with built-in function
/home/ubuntu/policy-library/policy-library/lib/common/labels.rego:28: rego_parse_error: rule name conflicts with built-in function
```

aimjwizards commented 3 years ago

+Hemant Kunda @.***>


hkundag commented 3 years ago

Hi Jose! I believe you would be using OPA 0.17.2 if you didn't override any of the Terraform defaults listed here (specifically config_validator_image_tag). The default image uses this go.mod.

What version of Custom Governance are you currently using? CG 1.3.x should be using OPA 0.17.2 as well, while CG 1.4.x uses OPA 0.24.0.

Can you attach labels.rego to the thread? As far as I know, that's not a default library file.

jralmaraz commented 3 years ago

Hi @hkundag, thanks for the reply. I didn't override any of the default Terraform tags apart from config_validator_enabled and the variables.

We're using OPA 0.17.2 and Custom Governance 1.3.2. We have just also completed an upgrade from CG 1.3.2 to 1.4.2 and the policy library works well (we did have to change all their kind/names as there's a mandatory naming format where they should all start with a GCP or GKE prefix).

We did extend some of the libraries and they work well on CG 1.3.2 and 1.4.2 and our goal is to measure the impact in case we temporarily need to use Forseti until CG becomes GA.

Thanks!

lib.zip

jralmaraz commented 3 years ago

Forgot to mention, we're not using the forseti GKE deployment, but the regular GCE one, due to the same reason (beta/pre-GA versus GA). So, basically, we deployed the terraform-google-forseti/examples/install_simple with config_validator_enabled and configured the policy on the forseti-server VM. Cheers.

morgante commented 3 years ago

> Also, is there a way we can upgrade the OPA version used by Forseti config-validator?

Just to be totally clear, Config Validator is independent of Forseti. Custom Governance also uses Config Validator.

Forseti also embeds Config Validator, but Forseti is not actively updated/maintained currently. Based on this line, it looks like Forseti is using a version of Config Validator from August 2020. At the time, Config Validator used OPA 0.17.2.
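One way to settle the "which OPA is the server using" question directly on the VM, rather than by reading go.mod: a Go binary built with modules records its dependency list, and `go version -m <binary>` prints it. The helper below is an added example, not code from config-validator, Forseti or Custom Governance; it assumes the ConfigValidatorRPCServer binary was built with Go modules (Go 1.13 or later) and that a local `opa` CLI is on PATH for the pre-deployment check. The `go version -m` output it parses is a constructed sample (module paths, Go version and checksums are illustrative).

```shell
#!/bin/sh
# Added example: find the OPA version compiled into a Go binary such as
# ConfigValidatorRPCServer, compare it against a minimum, and pre-check a
# policy library with a local opa CLI. Assumes a module-built binary
# (Go 1.13+), which is what `go version -m` can read.

# Constructed sample of `go version -m <binary>` output; module paths, Go
# version and checksums are illustrative, not taken from the real binary.
sample_modinfo() {
  printf '%s\n' \
    '/home/ubuntu/forseti-security/external-dependencies/config-validator/ConfigValidatorRPCServer: go1.14.4' \
    '	path	github.com/forseti-security/config-validator/cmd/server' \
    '	mod	github.com/forseti-security/config-validator	(devel)' \
    '	dep	github.com/open-policy-agent/opa	v0.17.2	h1:PLACEHOLDERSUM=' \
    '	dep	github.com/golang/protobuf	v1.4.2	h1:PLACEHOLDERSUM='
}

# Read `go version -m` output on stdin; print the OPA module version (e.g. v0.17.2).
opa_version_from_modinfo() {
  awk '$1 == "dep" && $2 == "github.com/open-policy-agent/opa" { print $3; exit }'
}

# opa_version_of_binary /path/to/ConfigValidatorRPCServer
opa_version_of_binary() {
  go version -m "$1" | opa_version_from_modinfo
}

# version_at_least v0.17.2 v0.14.0 -> exit 0 when the first is >= the second.
# Numeric compare per dotted component; a leading "v" is ignored.
version_at_least() {
  awk -v a="${1#v}" -v b="${2#v}" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    for (i = 1; i <= (n > m ? n : m); i++) {
      if (x[i] + 0 > y[i] + 0) exit 0
      if (x[i] + 0 < y[i] + 0) exit 1
    }
    exit 0
  }'
}

# Compile lib/ and policies/ with an opa CLI of the same version the server
# embeds; `opa check` exits non-zero on errors such as
# "rule name conflicts with built-in function" before anything is deployed.
check_policy_library() {
  opa check "$1/lib" "$1/policies"
}

# Run against the constructed sample (no Go toolchain needed):
# sample_modinfo | opa_version_from_modinfo   # prints v0.17.2
```

On the real VM the equivalent is `opa_version_of_binary /home/ubuntu/forseti-security/external-dependencies/config-validator/ConfigValidatorRPCServer`; when the service runs as a Docker container instead, run the same command inside the image.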

hkundag commented 3 years ago

Thanks for clarifying, @morgante!

@jralmaraz I'm not able to reproduce those errors in the CV server unless I go pretty far back, to a2d913a (which is over 2 years old and uses OPA v0.11.0). Out of curiosity, what happens if you change the := to = at labels.rego:21 and labels.rego:28? Something like this used to be an issue, at least before OPA v0.14.0.

On a side note, OPA v0.17.2 is used on master in terraform-google-forseti, but I'm having trouble figuring out the CV version that terraform-google-forseti v5.2.2 is using. @morgante do you know where it might be specified? It looks like the image tag is a variable on master but not on the release branches.

jralmaraz commented 3 years ago

Thanks @hkundag. I will try a new installation from the master branch; I used 5.2.2 just because it was pointed to in this doc: https://forsetisecurity.org/docs/latest/setup/install/index.html

I tried that yesterday (replacing := with = in all places it pointed out). Then it moved the error to `expression is unsafe`, as below:

```
ubuntu@forseti-server-vm-eb216d0f:~/policy-library$ sudo /home/ubuntu/forseti-security/external-dependencies/config-validator/ConfigValidatorRPCServer --policyPath='/home/ubuntu/policy-library/policy-library/policies' --policyLibraryPath='/home/ubuntu/policy-library/policy-library/lib' -port=50052
2021/07/22 01:38:37 Failed to load server failed to compile dependency code: 2 errors occurred:
/home/ubuntu/policy-library/policy-library/lib/common/location.rego:10: rego_parse_error: rule name conflicts with built-in function
/home/ubuntu/policy-library/policy-library/lib/common/location.rego:14: rego_parse_error: rule name conflicts with built-in function
ubuntu@forseti-server-vm-eb216d0f:~/policy-library$ sudo vim /home/ubuntu/policy-library/policy-library/lib/common/location.rego
ubuntu@forseti-server-vm-eb216d0f:~/policy-library$ sudo /home/ubuntu/forseti-security/external-dependencies/config-validator/ConfigValidatorRPCServer --policyPath='/home/ubuntu/policy-library/policy-library/policies' --policyLibraryPath='/home/ubuntu/policy-library/policy-library/lib' -port=50052
2021/07/22 01:39:00 Failed to load server failed to compile dependency code: 3 errors occurred:
/home/ubuntu/policy-library/policy-library/lib/common/location.rego:145: rego_unsafe_var_error: expression is unsafe
/home/ubuntu/policy-library/policy-library/lib/constraints.rego:24: rego_unsafe_var_error: expression is unsafe
/home/ubuntu/policy-library/policy-library/lib/violations.rego:10: rego_unsafe_var_error: expression is unsafe
```

I will keep you posted when I run the installation from master and update the validator tag hash to a more recent one.

Thanks again for all the feedback on this guys.

jralmaraz commented 3 years ago

I have re-provisioned the installation from the master branch and config-validator is able to compile our policies.

Thanks for looking at this.

```
ubuntu@forseti-server-vm-6495cb00:~$ sudo systemctl status config-validator
● config-validator.service - Config Validator API Server
   Loaded: loaded (/lib/systemd/system/config-validator.service; disabled; vendor preset: enabled)
   Active: active (running) since Thu 2021-07-22 02:48:51 UTC; 5s ago
 Main PID: 30744 (docker)
    Tasks: 10 (limit: 4915)
   CGroup: /system.slice/config-validator.service
           └─30744 /usr/bin/docker run --rm -p 50052:50052 --name config-validator --log-driver=gcplogs --log-opt gcp-log-cmd=true --log-opt labels=config-validator -v /home/ubuntu/policy-library:/home/ubuntu/policy-library

Jul 22 02:48:52 forseti-server-vm-6495cb00 docker[30744]: }
Jul 22 02:48:52 forseti-server-vm-6495cb00 docker[30744]: I0722 02:48:52.792419       1 regorewriter.go:406] Formatted rego:
Jul 22 02:48:52 forseti-server-vm-6495cb00 docker[30744]: #
Jul 22 02:48:52 forseti-server-vm-6495cb00 docker[30744]: # Enforce GCP Big Query IAM Access Policies
Jul 22 02:48:52 forseti-server-vm-6495cb00 docker[30744]: # https://confluence.service.anz/pages/viewpage.action?pageId=549065159
Jul 22 02:48:52 forseti-server-vm-6495cb00 docker[30744]: #
Jul 22 02:48:52 forseti-server-vm-6495cb00 docker[30744]: package templates.gcp.GCPBQC005DatasetPermissionsConstraintV1
Jul 22 02:48:52 forseti-server-vm-6495cb00 docker[30744]: import data.lib.validator.gcp.lib as lib
Jul 22 02:48:52 forseti-server-vm-6495cb00 docker[30744]: import data.lib.validator.gcp.lib.common.project_name as pn
Jul 22 02:48:52 forseti-server-vm-6495cb00 docker[30744]: # The asset type that should be examined by this policy
```