I'm helping a project modernizing their policies, and to prepare them for OPA 1.0. Running opa fmt --rego-v1 on one of their policies resulted in output that opa check later rejected as unparseable. Minimal example to reproduce:
package policy
import rego.v1
is_array(arr, _) := path if {
not contains(arr, "_")
path = arr
}
contains(arr, elem) if {
arr[_] = elem
}
This looks valid, or at least it does to me... but opa check disagrees. If I had to guess, perhaps using contains as a custom function name would be the culprit (and maybe it is), but the error message leaves more questions than it answers:
$ opa check .
1 error occurred during loading: policy.rego:10: rego_parse_error: unexpected if keyword
contains(arr, elem) if {
^
That's... not right. Removing the is_array function above resolves the issue, so presumably there's some weird state kept from parsing that? Both function parses fine in isolation though.
Some thoughts:
Why is this a parser error?
Why is the if reported as unexpected?
Should it be possible to name a custom function contains in Rego v1?
Should opa fmt --rego-v1 perhaps do a parse validation of its output to ensure it's valid? I would prefer it if that tool said "can't convert this because of ..." than having it say nothing and discover the issue later.
I'm helping a project modernizing their policies, and to prepare them for OPA 1.0. Running
opa fmt --rego-v1
on one of their policies resulted in output thatopa check
later rejected as unparseable. Minimal example to reproduce:original.rego
formatted.rego
This looks valid, or at least it does to me... but
opa check
disagrees. If I had to guess, perhaps usingcontains
as a custom function name would be the culprit (and maybe it is), but the error message leaves more questions than it answers:That's... not right. Removing the
is_array
function above resolves the issue, so presumably there's some weird state kept from parsing that? Both function parses fine in isolation though.Some thoughts:
if
reported as unexpected?contains
in Rego v1?opa fmt --rego-v1
perhaps do a parse validation of its output to ensure it's valid? I would prefer it if that tool said "can't convert this because of ..." than having it say nothing and discover the issue later.