open-telemetry · lmolkova · Jan 6, 2025 · Jan 3, 2025 · Jan 6, 2025
@@ -6,7 +6,7 @@
 FROM otel/weaver:v0.12.0 AS weaver
 
 # OPA is used to test policies enforced by weaver.
-FROM openpolicyagent/opa:0.70.0 AS opa
+FROM openpolicyagent/opa:1.0.0 AS opa
 
 # Semconv gen is used for backwards compatibility checks.
 # TODO(jsuereth): Remove this when no longer used.

@@ -1,7 +1,7 @@
 package after_resolution
-
+import rego.v1
 # checks that stable group does not have experimental attributes with requirement levels other than opt_in
-deny[group_stability_violation(description, group.id, name)] {
+deny contains group_stability_violation(description, group.id, name) if {
     group := input.groups[_]
     # ignore attribute_groups
     group.type != "attribute_group"
@@ -27,7 +27,7 @@ deny[group_stability_violation(description, group.id, name)] {
     description := sprintf("Stable group '%s' references experimental attribute with requirement level '%s', only 'opt_in' level is allowed", [group.id, name])
 }
 
-group_stability_violation(description, group, attr) = violation {
+group_stability_violation(description, group, attr) = violation if {
     violation := {
         "id": description,
         "type": "semconv_attribute",

@@ -1,11 +1,12 @@
 package before_resolution
+import rego.v1
 
 # This file enforces policies requiring all attributes to be defined within
 # a semantic convention "registry".  This is a naming/structure convention
 # used by semantic conventions.
 
 # Helper to create attribute registry violations.
-attr_registry_violation(description, group_id, attr_id) = violation {
+attr_registry_violation(description, group_id, attr_id) = violation if {
     violation := {
         "id": description,
         "type": "semconv_attribute",
@@ -16,7 +17,7 @@ attr_registry_violation(description, group_id, attr_id) = violation {
 }
 
 # We only allow attribute groups in the attribute registry.
-deny[attr_registry_violation(description, group.id, "")] {
+deny contains attr_registry_violation(description, group.id, "") if {
     group := input.groups[_]
     startswith(group.id, "registry.")
     group.type != "attribute_group"
@@ -28,7 +29,7 @@ deny[attr_registry_violation(description, group.id, "")] {
 
 # Any group that is NOT in the attribute registry that has an attribute id is
 # in violation of not using the attribute registry.
-deny[attr_registry_violation(description, group.id, attr.id)] {
+deny contains attr_registry_violation(description, group.id, attr.id) if {
     group := input.groups[_]
     not startswith(group.id, "registry.")
     attr := group.attributes[_]
@@ -43,7 +44,7 @@ deny[attr_registry_violation(description, group.id, attr.id)] {
 
 # A registry `attribute_group` containing at least one `ref` attribute is
 # considered invalid if it's not in the registry group.
-deny[attr_registry_violation(description, group.id, attr.ref)] {
+deny contains attr_registry_violation(description, group.id, attr.ref) if {
     # TODO - this will need to be updated to support `embed` in the future.
     group := input.groups[_]
     startswith(group.id, "registry.")
@@ -56,7 +57,7 @@ deny[attr_registry_violation(description, group.id, attr.ref)] {
 }
 
 # We don't allow attribute definitions to have requirement_level
-deny[attr_registry_violation(description, group.id, attr.id)] {
+deny contains attr_registry_violation(description, group.id, attr.id) if {
     group := input.groups[_]
     startswith(group.id, "registry.")
 
@@ -69,8 +70,8 @@ deny[attr_registry_violation(description, group.id, attr.id)] {
     description := sprintf("Attribute definition '%s' has requirement_level set to %s. Only attribute references can set requirement_level.", [attr.id, attr.requirement_level])
 }
 
-get_attribute_name(attr, group) = name {
-    full_name = concat(".", [group.prefix, attr.id])
+get_attribute_name(attr, group) := name if {
+    full_name := concat(".", [group.prefix, attr.id])
 
     # if there was no prefix, we have a leading dot
     name := trim(full_name, ".")

@@ -1,7 +1,8 @@
 package before_resolution
+import rego.v1
 
 # checks attribute name format
-deny[yaml_schema_violation(description, group.id, name)] {
+deny contains yaml_schema_violation(description, group.id, name) if {
     group := input.groups[_]
     attr := group.attributes[_]
     name := attr.id
@@ -12,7 +13,7 @@ deny[yaml_schema_violation(description, group.id, name)] {
 }
 
 # checks attribute name has a namespace
-deny[yaml_schema_violation(description, group.id, name)] {
+deny contains yaml_schema_violation(description, group.id, name) if {
     group := input.groups[_]
     attr := group.attributes[_]
     name := attr.id
@@ -24,9 +25,8 @@ deny[yaml_schema_violation(description, group.id, name)] {
     description := sprintf("Attribute name '%s' should have a namespace. Attribute name %s", [name, invalid_name_helper])
 }
 
-
 # checks metric name format
-deny[yaml_schema_violation(description, group.id, name)] {
+deny contains yaml_schema_violation(description, group.id, name) if {
     group := input.groups[_]
     name := group.metric_name
 
@@ -37,7 +37,7 @@ deny[yaml_schema_violation(description, group.id, name)] {
 }
 
 # checks that metric id matches metric.{metric_name}
-deny[yaml_schema_violation(description, group.id, name)] {
+deny contains yaml_schema_violation(description, group.id, name) if {
     group := input.groups[_]
     name := group.metric_name
     name != null
@@ -49,7 +49,7 @@ deny[yaml_schema_violation(description, group.id, name)] {
 }
 
 # checks event name format
-deny[yaml_schema_violation(description, group.id, name)] {
+deny contains yaml_schema_violation(description, group.id, name) if {
     group := input.groups[_]
     group.type == "event"
     name := group.name
@@ -61,7 +61,7 @@ deny[yaml_schema_violation(description, group.id, name)] {
 }
 
 # checks that event id matches event.{name}
-deny[yaml_schema_violation(description, group.id, name)] {
+deny contains yaml_schema_violation(description, group.id, name) if {
     group := input.groups[_]
     group.type == "event"
     name := group.name
@@ -73,7 +73,7 @@ deny[yaml_schema_violation(description, group.id, name)] {
 }
 
 # checks event.name is not referenced in event attributes
-deny[yaml_schema_violation(description, group.id, name)] {
+deny contains yaml_schema_violation(description, group.id, name) if {
     group := input.groups[_]
     group.type == "event"
     name := group.name
@@ -85,15 +85,15 @@ deny[yaml_schema_violation(description, group.id, name)] {
 }
 
 # require resources have names
-deny[yaml_schema_violation(description, group.id, "")] {
+deny contains yaml_schema_violation(description, group.id, "") if {
     group := input.groups[_]
     group.type == "resource"
     group.name == null
     description := sprintf("Resource id '%s' is invalid. Resource must have name.", [group.id])
 }
 
 # checks resource name format
-deny[yaml_schema_violation(description, group.id, name)] {
+deny contains yaml_schema_violation(description, group.id, name) if {
     group := input.groups[_]
     group.type == "resource"
     name := group.name
@@ -105,7 +105,7 @@ deny[yaml_schema_violation(description, group.id, name)] {
 }
 
 # checks that resource group id matches resource.{name}
-deny[yaml_schema_violation(description, group.id, name)] {
+deny contains yaml_schema_violation(description, group.id, name) if {
     group := input.groups[_]
     group.type == "resource"
 
@@ -122,7 +122,7 @@ deny[yaml_schema_violation(description, group.id, name)] {
 }
 
 # checks attribute member id format
-deny[yaml_schema_violation(description, group.id, attr_name)] {
+deny contains yaml_schema_violation(description, group.id, attr_name) if {
     group := input.groups[_]
     attr := group.attributes[_]
     attr_name := attr.id
@@ -134,7 +134,7 @@ deny[yaml_schema_violation(description, group.id, attr_name)] {
 }
 
 # check that attribute is fully qualified with their id, prefix is no longer supported
-deny[yaml_schema_violation(description, group.id, "")] {
+deny contains yaml_schema_violation(description, group.id, "") if {
     group := input.groups[_]
 
     group.prefix != null
@@ -146,7 +146,7 @@ deny[yaml_schema_violation(description, group.id, "")] {
 
 # TODO: remove after span_kind is required https://github.com/open-telemetry/semantic-conventions/issues/1513
 # checks that span id matches span.*. pattern if span_kind is not provided
-deny[yaml_schema_violation(description, group.id, "")] {
+deny contains yaml_schema_violation(description, group.id, "") if {
     group := input.groups[_]
     group.type == "span"
     kind := group.span_kind
@@ -157,7 +157,7 @@ deny[yaml_schema_violation(description, group.id, "")] {
 }
 
 # checks that span id matches span.*.{kind} pattern if span_kind is not provided
-deny[yaml_schema_violation(description, group.id, "")] {
+deny contains yaml_schema_violation(description, group.id, "") if {
     group := input.groups[_]
     group.type == "span"
     kind := group.span_kind
@@ -168,7 +168,7 @@ deny[yaml_schema_violation(description, group.id, "")] {
     description := sprintf("Group id '%s' is invalid. Span group 'id' must follow 'span.*.%s' pattern", [group.id, kind])
 }
 
-yaml_schema_violation(description, group, attr) = violation {
+yaml_schema_violation(description, group, attr) = violation if {
     violation := {
         "id": description,
         "type": "semconv_attribute",

@@ -100,21 +100,21 @@ test_fails_on_invalid_resource_id if {
     }
 }
 
-create_attribute_group(attr) = json {
+create_attribute_group(attr) = json if {
     json := [{"id": "yaml_schema.test", "attributes": [{"id": attr}]}]
 }
 
-create_metric(name) = json {
+create_metric(name) = json if {
     id := sprintf("metric.%s", [name])
     json := [{"id": id, "type": "metric", "metric_name": name}]
 }
 
-create_event(name) = json {
+create_event(name) = json if {
     id := sprintf("event.%s", [name])
     json := [{"id": id, "type": "event", "name": name}]
 }
 
-create_resource(name) = json {
+create_resource(name) = json if {
     id := sprintf("resource.%s", [name])
     json := [{"id": id, "type": "resource", "name": name}]
 }