StyraInc / opa-aws-cloudformation-hook

AWS Cloudformation Hook for OPA-powered infrastructure policy enforcement
Apache License 2.0

Populate OPA error messages in CloudWatch and CloudFormation #37

Closed peteroneilljr closed 2 years ago

peteroneilljr commented 2 years ago

Right now, when the hook fails, all we see is: The following hook(s) failed: [Styra::opa::Hook]. Is it possible to populate the error messages generated in DAS back to CloudWatch and CloudFormation?

anderseknert commented 2 years ago

What kind of error are we talking about here?

If OPA responds with violations, we do log that to CloudWatch. If OPA responds with an error code, we log that as well.

peteroneilljr commented 2 years ago

Ahh, then it might be broken. This is what I'm seeing in CloudWatch:

Exception caught sequence item 0: expected str instance, dict found
Traceback (most recent call last):
  File "/var/task/cloudformation_cli_python_lib/hook.py", line 273, in __call__
    raise error
  File "/var/task/cloudformation_cli_python_lib/hook.py", line 262, in __call__
    caller_sess, request, invocation_point, callback, type_configuration
  File "/var/task/cloudformation_cli_python_lib/hook.py", line 100, in _invoke_handler
    return handler(session, request, callback_context, type_configuration)
  File "/var/task/styra_opa_hook/handlers.py", line 123, in pre_handler
    return opa_query(request, session, type_configuration, action)
  File "/var/task/styra_opa_hook/handlers.py", line 93, in opa_query
    message = " | ".join(body["violations"])
TypeError: sequence item 0: expected str instance, dict found

anderseknert commented 2 years ago

Alright :) Looks like we do log the error then, even if somewhat obtuse. Since the error message is the same as reported here, let's close this one in favor of that.
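As an added illustration of the traceback above (not code from the hook itself): the `" | ".join(body["violations"])` line assumes every violation is a string, so a structured object from OPA raises the TypeError shown. The tolerant formatter below keeps the logged message intact for both shapes; the dict layout (a `message` key) and the sample responses are constructed assumptions, not something the issue states.

```python
import json
from typing import Any

# Constructed samples of what body["violations"] might hold: the plain-string
# case the hook expects, and the structured case that triggers the traceback.
STRING_BODY = {"violations": ["S3 bucket must not be public"]}
STRUCTURED_BODY = {
    "violations": [
        {"message": "S3 bucket must not be public", "resource": "MyBucket"},
        {"message": "Encryption must be enabled"},
    ]
}


def join_violations_naive(body: dict) -> str:
    """Mirrors the failing line from the traceback; raises TypeError on dicts."""
    return " | ".join(body["violations"])


def naive_raises(body: dict) -> bool:
    """True when the naive join blows up on this body (reproduces the bug)."""
    try:
        join_violations_naive(body)
    except TypeError:
        return True
    return False


def format_violation(item: Any) -> str:
    """Render one violation as text whatever its shape (assumed dict layout)."""
    if isinstance(item, str):
        return item
    if isinstance(item, dict):
        # Prefer a human-readable "message" key; otherwise keep the whole
        # object as JSON so no policy detail is lost from the log line.
        msg = item.get("message")
        return msg if isinstance(msg, str) else json.dumps(item, sort_keys=True)
    return str(item)


def join_violations(body: dict) -> str:
    """Tolerant replacement for the naive join; never raises on item type."""
    return " | ".join(format_violation(v) for v in body.get("violations", []))
```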