package otel
# Conventions for OTel:
# - `data` holds the current released semconv, which is known to be valid.
# - `input` holds the new candidate semconv version, whose validity is unknown.
#
# Note: `data` and `input` are predefined variables in Rego.
# Note: a rule whose head references a field that is undefined for the current
# binding (e.g. `attr.ref` on an attribute that only has `id`) silently yields
# nothing, so rule heads must only use fields the body guarantees are present.
# ========= Violation rules applied on unresolved semconv files =========
# A registry `attribute_group` must define its attributes inline (`id`); an
# attribute that `ref`s another attribute does not belong in a registry group.
# Registry groups are recognised by the `registry.` id prefix.
deny[attr_registry_violation("registry_with_ref_attr", registry.id, ref_attr.ref)] {
	registry := input.groups[_]
	startswith(registry.id, "registry.")
	ref_attr := registry.attributes[_]
	# object.get keeps the comparison defined when `ref` is absent (yields null),
	# so the rule fires only for a present, non-null `ref`.
	object.get(ref_attr, "ref", null) != null
}
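# A registry `attribute_group` marked as `deprecated` (id suffix `.deprecated`)
# must only contain attributes that are themselves marked `deprecated`.
#
# The reported attribute identifier is `attr.id`: registry attributes are
# defined inline and carry `id`, not `ref` (see `registry_with_ref_attr`).
# Referencing `attr.ref` here would leave the rule head undefined for every
# registry attribute, so the violation would silently never be emitted and a
# non-deprecated attribute could land in a deprecated registry unflagged.
deny[attr_registry_violation("deprecated_registry_with_regular_attr", group.id, attr.id)] {
	group := input.groups[_]
	startswith(group.id, "registry.")
	endswith(group.id, ".deprecated")
	attr := group.attributes[_]
	# `deprecated` absent or false => the attribute is not marked deprecated.
	not attr.deprecated
}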
# An attribute carrying a truthy `deprecated` field while its `stability` is
# something other than `deprecated` is inconsistent and is reported.
# Groups whose id ends in `.deprecated` are exempt from this rule (any group,
# not only registry groups).
# NOTE(review): the body requires `stability` to be present; an attribute with
# no `stability` field is not examined by this rule — confirm that is intended.
deny[attr_violation("attr_stability_deprecated", grp.id, a.id)] {
	grp := input.groups[_]
	not endswith(grp.id, ".deprecated")
	a := grp.attributes[_]
	a.deprecated
	a.stability != "deprecated"
}
# Schema evolution: once a group has been released (present in `data`), none of
# its attributes may disappear from the same group in the candidate (`input`).
# One violation is reported per (group, attribute) pair that went missing.
# NOTE(review): matching is by `attr.id` only; if a group's attributes are
# expressed via `ref` rather than `id`, they fall outside this check — confirm.
deny[schema_evolution_violation("attr_removed", released.id, released_attr.id)] {
	released := data.groups[_]
	released_attr := released.attributes[_]
	not attr_exists_in_new_group(released.id, released_attr.id)
}
# ========= Helper functions =========
# True when the candidate (`input`) contains a group with id `group_id` that
# still declares an attribute with id `attr_id`; undefined (falsy) otherwise.
attr_exists_in_new_group(group_id, attr_id) {
	candidate := input.groups[_]
	candidate.id == group_id
	candidate.attributes[_].id == attr_id
}
# Build the violation object for an attribute-registry rule.
# violation_id: the rule's stable identifier (e.g. "registry_with_ref_attr").
# group_id / attr_id: where the problem was found.
# NOTE(review): the category string is misspelled ("attrigute_registry"); it is
# kept verbatim because downstream tooling may key on the exact value — fix it
# in a coordinated change together with every consumer.
attr_registry_violation(violation_id, group_id, attr_id) = report {
	report := {
		"attr": attr_id,
		"category": "attrigute_registry",
		"group": group_id,
		"id": violation_id,
		"type": "semconv_attribute",
	}
}
# Build the violation object for a plain attribute rule.
# violation_id: the rule's stable identifier (e.g. "attr_stability_deprecated").
# group_id / attr_id: where the problem was found.
# NOTE(review): the category string is misspelled ("attrigute"); it is kept
# verbatim because downstream tooling may key on the exact value — fix it in a
# coordinated change together with every consumer.
attr_violation(violation_id, group_id, attr_id) = report {
	report := {
		"attr": attr_id,
		"category": "attrigute",
		"group": group_id,
		"id": violation_id,
		"type": "semconv_attribute",
	}
}
# Build the violation object for a schema-evolution rule (released vs. candidate).
# violation_id: the rule's stable identifier (e.g. "attr_removed").
# group_id / attr_id: the released group and attribute the candidate breaks.
schema_evolution_violation(violation_id, group_id, attr_id) = report {
	report := {
		"attr": attr_id,
		"category": "schema_evolution",
		"group": group_id,
		"id": violation_id,
		"type": "semconv_attribute",
	}
}