Skip to content

chore: add policy opa crud #1096

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
adityachoudhari26 merged 2 commits into from
May 1, 2026
Merged

chore: add policy opa crud #1096

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
3451007
chore: add policy opa crud
adityachoudhari26 May 1, 2026
582df3e
fix
adityachoudhari26 May 1, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
29 changes: 29 additions & 0 deletions apps/api/openapi/openapi.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -209,6 +209,9 @@
"gradualRollout": {
"$ref": "#/components/schemas/GradualRolloutRule"
},
"planValidationOpa": {
"$ref": "#/components/schemas/PlanValidationOpaRule"
},
Comment on lines +212 to +214
Copy link
Copy Markdown
Contributor

@coderabbitai coderabbitai Bot May 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

Align the rule key with the requested API contract (planValidation).

The linked objective payload uses rules[].planValidation, but the spec only accepts planValidationOpa. That creates a contract mismatch for clients following the issue’s documented shape.

📌 Proposed OpenAPI alignment (apply in all three schemas) 
-               "planValidationOpa": {
+               "planValidation": {
                   "$ref": "#/components/schemas/PlanValidationOpaRule"
                },

Also applies to: 1691-1693, 2887-2889

🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@apps/api/openapi/openapi.json` around lines 212 - 214, The OpenAPI schema
property "planValidationOpa" is misnamed and should be "planValidation" to match
the API contract; update each occurrence where the spec currently has the object
key "planValidationOpa" to use "planValidation" instead and keep the same
referenced schema (PlanValidationOpaRule) or rename that schema to
PlanValidationRule if you prefer clearer naming—ensure you update all three
places mentioned (and corresponding $ref targets if you rename the schema) so
the components/schemas and any consumers reference "planValidation"
consistently.

"retry": {
"$ref": "#/components/schemas/RetryRule"
},
Expand Down Expand Up @@ -1588,6 +1591,26 @@
],
"type": "object"
},
"PlanValidationOpaRule": {
"properties": {
"description": {
"type": "string"
},
"name": {
"description": "Human-readable rule name; used in check output to identify which rule produced a violation.",
"type": "string"
},
"rego": {
"description": "Rego v1 source code. Must define a `deny` rule set following the Conftest convention (deny contains msg if { ... }).",
"type": "string"
}
},
"required": [
"name",
"rego"
],
"type": "object"
},
Comment on lines +1594 to +1613
Copy link
Copy Markdown
Contributor

@coderabbitai coderabbitai Bot May 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Add severity to PlanValidationOpaRule (currently missing on Line 1595 schema fields).

The objective/example includes severity, and validation result reads are expected to include rule severity. Without this field in the schema, the contract is incomplete.

🛠️ Proposed schema fix 
          "PlanValidationOpaRule": {
             "properties": {
                "description": {
                   "type": "string"
                },
                "name": {
                   "description": "Human-readable rule name; used in check output to identify which rule produced a violation.",
                   "type": "string"
                },
+               "severity": {
+                  "description": "Severity used when reporting validation outcomes.",
+                  "enum": [
+                     "error",
+                     "warning"
+                  ],
+                  "type": "string"
+               },
                "rego": {
                   "description": "Rego v1 source code. Must define a `deny` rule set following the Conftest convention (deny contains msg if { ... }).",
                   "type": "string"
                }
             },
             "required": [
                "name",
+               "severity",
                "rego"
             ],
             "type": "object"
          },
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
"PlanValidationOpaRule": {
"properties": {
"description": {
"type": "string"
},
"name": {
"description": "Human-readable rule name; used in check output to identify which rule produced a violation.",
"type": "string"
},
"rego": {
"description": "Rego v1 source code. Must define a `deny` rule set following the Conftest convention (deny contains msg if { ... }).",
"type": "string"
}
},
"required": [
"name",
"rego"
],
"type": "object"
},
"PlanValidationOpaRule": {
"properties": {
"description": {
"type": "string"
},
"name": {
"description": "Human-readable rule name; used in check output to identify which rule produced a violation.",
"type": "string"
},
"severity": {
"description": "Severity used when reporting validation outcomes.",
"enum": [
"error",
"warning"
],
"type": "string"
},
"rego": {
"description": "Rego v1 source code. Must define a `deny` rule set following the Conftest convention (deny contains msg if { ... }).",
"type": "string"
}
},
"required": [
"name",
"severity",
"rego"
],
"type": "object"
},
🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@apps/api/openapi/openapi.json` around lines 1594 - 1613,
PlanValidationOpaRule is missing a severity field; update the
PlanValidationOpaRule schema by adding a new property named "severity" (type:
string) with a clear description such as "Severity level of the rule (e.g.,
error, warning, info)" and include "severity" in the required array if callers
must always receive it (or leave out of required if optional), so consumers and
validation result reads can rely on rule severity.

"Policy": {
"properties": {
"createdAt": {
Expand Down Expand Up @@ -1665,6 +1688,9 @@
"id": {
"type": "string"
},
"planValidationOpa": {
"$ref": "#/components/schemas/PlanValidationOpaRule"
},
"policyId": {
"type": "string"
},
Expand Down Expand Up @@ -2858,6 +2884,9 @@
"id": {
"type": "string"
},
"planValidationOpa": {
"$ref": "#/components/schemas/PlanValidationOpaRule"
},
"policyId": {
"type": "string"
},
Expand Down
19 changes: 19 additions & 0 deletions apps/api/openapi/schemas/policies.jsonnet
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -91,6 +91,7 @@ local openapi = import '../lib/openapi.libsonnet';
versionCooldown: openapi.schemaRef('VersionCooldownRule'),
versionSelector: openapi.schemaRef('VersionSelectorRule'),
retry: openapi.schemaRef('RetryRule'),
planValidationOpa: openapi.schemaRef('PlanValidationOpaRule'),
},
},

Expand All @@ -106,6 +107,7 @@ local openapi = import '../lib/openapi.libsonnet';
versionCooldown: openapi.schemaRef('VersionCooldownRule'),
versionSelector: openapi.schemaRef('VersionSelectorRule'),
retry: openapi.schemaRef('RetryRule'),
planValidationOpa: openapi.schemaRef('PlanValidationOpaRule'),
},
},

Expand All @@ -125,6 +127,23 @@ local openapi = import '../lib/openapi.libsonnet';
versionCooldown: openapi.schemaRef('VersionCooldownRule'),
versionSelector: openapi.schemaRef('VersionSelectorRule'),
retry: openapi.schemaRef('RetryRule'),
planValidationOpa: openapi.schemaRef('PlanValidationOpaRule'),
},
},

PlanValidationOpaRule: {
type: 'object',
required: ['name', 'rego'],
properties: {
name: {
type: 'string',
description: 'Human-readable rule name; used in check output to identify which rule produced a violation.',
},
description: { type: 'string' },
rego: {
type: 'string',
description: 'Rego v1 source code. Must define a `deny` rule set following the Conftest convention (deny contains msg if { ... }).',
},
Comment on lines +134 to +146
Copy link

Copilot AI May 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The PR is marked as "fixes #1090", but #1090’s spec calls for a planValidation rule type (with a severity field) and also a validations read endpoint. This change set adds planValidationOpa without severity and doesn’t introduce the validations read route. Either update the PR description/issue linkage to reflect the narrower scope, or align the schema/API with the issue’s contract.

Copilot uses AI. Check for mistakes.
},
Comment on lines +134 to 147
Copy link
Copy Markdown
Contributor

@coderabbitai coderabbitai Bot May 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Add severity to the plan-validation rule schema.

The linked issue’s request shape includes severity, but PlanValidationOpaRule only accepts name, description, and rego. As-is, clients cannot submit or read rule severity through the policy endpoints.

🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@apps/api/openapi/schemas/policies.jsonnet` around lines 134 - 147,
PlanValidationOpaRule is missing the severity field so clients cannot
submit/read rule severity; add a new optional property "severity" to
PlanValidationOpaRule's properties (next to name/description/rego) with type
"string", a descriptive "description" explaining it conveys rule severity, and
an enum matching the request shape used elsewhere (e.g.
["error","warning","info"] or whatever the project convention is); if severity
must be mandatory per the linked issue, also add "severity" to the required
array alongside "name" and "rego".

},

Expand Down
22 changes: 22 additions & 0 deletions apps/api/src/routes/v1/workspaces/policies.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -41,6 +41,9 @@ const deleteAllRulesForPolicy = async (tx: Tx, policyId: string) => {
await tx
.delete(schema.policyRuleVersionSelector)
.where(eq(schema.policyRuleVersionSelector.policyId, policyId));
await tx
.delete(schema.policyRulePlanValidationOpa)
.where(eq(schema.policyRulePlanValidationOpa.policyId, policyId));
};

const insertPolicyRules = async (tx: Tx, policyId: string, rules: any[]) => {
Expand Down Expand Up @@ -128,6 +131,15 @@ const insertPolicyRules = async (tx: Tx, policyId: string, rules: any[]) => {
description: rule.versionSelector.description,
selector: rule.versionSelector.selector,
});

if (rule.planValidationOpa != null)
await tx.insert(schema.policyRulePlanValidationOpa).values({
id: ruleId,
policyId,
name: rule.planValidationOpa.name,
description: rule.planValidationOpa.description,
rego: rule.planValidationOpa.rego,
});
Comment on lines +135 to +142
Copy link
Copy Markdown
Contributor

@coderabbitai coderabbitai Bot May 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

Persist and return plan-validation severity.

This branch stores and formats name/description/rego only. Once severity is added to the contract, POST/PUT/GET/LIST will still drop it here, which breaks the requested rule shape and leaves the validations read endpoint without the joined severity data.

Also applies to: 278-286

🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@apps/api/src/routes/v1/workspaces/policies.ts` around lines 135 - 142, The
insertion for planValidationOpa omits the new severity field so
POST/PUT/GET/LIST lose that value; update the tx.insert into
schema.policyRulePlanValidationOpa (the branch checking rule.planValidationOpa)
to include severity: rule.planValidationOpa.severity in the .values(...) payload
and likewise update the symmetric insert block later (the other branch around
lines 278-286) to persist severity as well, and ensure any projection/formatting
code that builds the returned rule object includes the persisted severity
property from the policyRulePlanValidationOpa record.

}
};

Expand All @@ -142,6 +154,7 @@ const policyWithRules = {
verificationRules: true,
versionCooldownRules: true,
versionSelectorRules: true,
planValidationOpaRules: true,
} as const;

type PolicyRow = NonNullable<
Expand Down Expand Up @@ -262,6 +275,15 @@ const formatPolicy = (p: PolicyRow) => {
},
}),
),
...p.planValidationOpaRules.map((r) =>
formatPolicyRule(r.id, r.policyId, r.createdAt, {
planValidationOpa: {
name: r.name,
rego: r.rego,
...(r.description != null && { description: r.description }),
},
}),
),
];

return {
Expand Down
10 changes: 10 additions & 0 deletions apps/api/src/types/openapi.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1199,6 +1199,7 @@ export interface components {
deploymentWindow?: components["schemas"]["DeploymentWindowRule"];
environmentProgression?: components["schemas"]["EnvironmentProgressionRule"];
gradualRollout?: components["schemas"]["GradualRolloutRule"];
planValidationOpa?: components["schemas"]["PlanValidationOpaRule"];
Copy link
Copy Markdown
Contributor

@coderabbitai coderabbitai Bot May 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

Rule key name diverges from the required payload shape (planValidation vs planValidationOpa).

The objective specifies rules[].planValidation, but these public request/response types expose only planValidationOpa. This creates a contract mismatch for API consumers following the issue spec.

Suggested key alignment 
- planValidationOpa?: components["schemas"]["PlanValidationOpaRule"];
+ planValidation?: components["schemas"]["PlanValidationOpaRule"];

Also applies to: 1706-1706, 2146-2146

🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@apps/api/src/types/openapi.ts` at line 1202, The public type exposes
planValidationOpa which diverges from the required payload key planValidation;
rename the property planValidationOpa to planValidation in the OpenAPI types
(update the property in the declaration shown and the other occurrences
currently using planValidationOpa) so it matches the expected payload key,
keeping the existing type (components["schemas"]["PlanValidationOpaRule"]); if
backward compatibility is needed consider adding a deprecated optional alias
property named planValidationOpa that forwards to the new planValidation until
callers are migrated.

retry?: components["schemas"]["RetryRule"];
verification?: components["schemas"]["VerificationRule"];
versionCooldown?: components["schemas"]["VersionCooldownRule"];
Expand Down Expand Up @@ -1671,6 +1672,13 @@ export interface components {
[key: string]: unknown;
};
};
PlanValidationOpaRule: {
description?: string;
/** @description Human-readable rule name; used in check output to identify which rule produced a violation. */
name: string;
/** @description Rego v1 source code. Must define a `deny` rule set following the Conftest convention (deny contains msg if { ... }). */
rego: string;
};
Comment on lines +1675 to +1681
Copy link
Copy Markdown
Contributor

@coderabbitai coderabbitai Bot May 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

Missing severity in PlanValidationOpaRule leaves the API contract incomplete.

The PR objective requires rules[].planValidation.severity, but this schema only exposes name, description, and rego. That blocks clients from sending/storing severity through typed API contracts.

Suggested contract update 
 PlanValidationOpaRule: {
     description?: string;
     /** `@description` Human-readable rule name; used in check output to identify which rule produced a violation. */
     name: string;
     /** `@description` Rego v1 source code. Must define a `deny` rule set following the Conftest convention (deny contains msg if { ... }). */
     rego: string;
+    /** `@description` Severity level for violations produced by this rule. */
+    severity: string;
 };
🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@apps/api/src/types/openapi.ts` around lines 1675 - 1681,
PlanValidationOpaRule is missing the severity field required by the PR; update
the PlanValidationOpaRule type to include a severity property (preferably a
typed enum/union such as "error" | "warning" | "info" or reference an existing
Severity enum) and make it required if callers must supply
rules[].planValidation.severity, e.g. add severity: Severity | "error" |
"warning" | "info" to the PlanValidationOpaRule interface so API contracts and
clients can send/store the severity value.

Policy: {
createdAt: string;
description?: string;
Expand All @@ -1695,6 +1703,7 @@ export interface components {
environmentProgression?: components["schemas"]["EnvironmentProgressionRule"];
gradualRollout?: components["schemas"]["GradualRolloutRule"];
id: string;
planValidationOpa?: components["schemas"]["PlanValidationOpaRule"];
policyId: string;
retry?: components["schemas"]["RetryRule"];
verification?: components["schemas"]["VerificationRule"];
Expand Down Expand Up @@ -2134,6 +2143,7 @@ export interface components {
environmentProgression?: components["schemas"]["EnvironmentProgressionRule"];
gradualRollout?: components["schemas"]["GradualRolloutRule"];
id?: string;
planValidationOpa?: components["schemas"]["PlanValidationOpaRule"];
policyId?: string;
retry?: components["schemas"]["RetryRule"];
verification?: components["schemas"]["VerificationRule"];
Expand Down
10 changes: 10 additions & 0 deletions e2e/api/schema.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1199,6 +1199,7 @@ export interface components {
deploymentWindow?: components["schemas"]["DeploymentWindowRule"];
environmentProgression?: components["schemas"]["EnvironmentProgressionRule"];
gradualRollout?: components["schemas"]["GradualRolloutRule"];
planValidationOpa?: components["schemas"]["PlanValidationOpaRule"];
Copy link
Copy Markdown
Contributor

@coderabbitai coderabbitai Bot May 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

Rule key name differs from expected API shape (planValidation vs planValidationOpa)

Lines 1202, 1706, and 2146 expose planValidationOpa, but the target contract specifies planValidation within rules[]. This naming mismatch can break consumers using the documented payload shape.

Suggested key alignment (source OpenAPI schema, then regenerate) 
- planValidationOpa?: components["schemas"]["PlanValidationOpaRule"];
+ planValidation?: components["schemas"]["PlanValidationOpaRule"];

Also applies to: 1706-1706, 2146-2146

🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@e2e/api/schema.ts` at line 1202, Fix the misnamed rule key by renaming the
property planValidationOpa to planValidation everywhere it appears (e.g., the
property declaration planValidationOpa?:
components["schemas"]["PlanValidationOpaRule"] should become planValidation?:
components["schemas"]["PlanValidationOpaRule"]) and update any references in
arrays or types that expect rules[]. Also search for and replace other usages of
planValidationOpa (including in the schemas referenced by rules[]) so the shape
matches the API contract, then regenerate the OpenAPI-derived types/clients to
pick up the corrected key.

retry?: components["schemas"]["RetryRule"];
verification?: components["schemas"]["VerificationRule"];
versionCooldown?: components["schemas"]["VersionCooldownRule"];
Expand Down Expand Up @@ -1671,6 +1672,13 @@ export interface components {
[key: string]: unknown;
};
};
PlanValidationOpaRule: {
description?: string;
/** @description Human-readable rule name; used in check output to identify which rule produced a violation. */
name: string;
/** @description Rego v1 source code. Must define a `deny` rule set following the Conftest convention (deny contains msg if { ... }). */
rego: string;
};
Comment on lines +1675 to +1681
Copy link
Copy Markdown
Contributor

@coderabbitai coderabbitai Bot May 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

PlanValidationOpaRule is missing severity in the public contract

Line 1675–Line 1681 defines the new rule schema without severity, so clients can’t submit/read rule severity through typed payloads. This conflicts with the requested rule shape for plan validation.

Suggested contract shape (source OpenAPI schema, then regenerate) 
 PlanValidationOpaRule: {
   description?: string;
   /** `@description` Human-readable rule name; used in check output to identify which rule produced a violation. */
   name: string;
+  /** `@description` Validation severity (for example: error, warning). */
+  severity: string;
   /** `@description` Rego v1 source code. Must define a `deny` rule set following the Conftest convention (deny contains msg if { ... }). */
   rego: string;
 };
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
PlanValidationOpaRule: {
description?: string;
/** @description Human-readable rule name; used in check output to identify which rule produced a violation. */
name: string;
/** @description Rego v1 source code. Must define a `deny` rule set following the Conftest convention (deny contains msg if { ... }). */
rego: string;
};
PlanValidationOpaRule: {
description?: string;
/** `@description` Human-readable rule name; used in check output to identify which rule produced a violation. */
name: string;
/** `@description` Validation severity (for example: error, warning). */
severity: string;
/** `@description` Rego v1 source code. Must define a `deny` rule set following the Conftest convention (deny contains msg if { ... }). */
rego: string;
};
🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@e2e/api/schema.ts` around lines 1675 - 1681, The PlanValidationOpaRule type
definition is missing the severity field so clients cannot send or receive rule
severity; update the PlanValidationOpaRule interface/shape to include a severity
property (e.g., severity: string or an enum type consistent with the OpenAPI
contract) alongside name, rego, and optional description, regenerate the
OpenAPI/TS schema artifacts if applicable, and ensure any consumers/validators
(e.g., places referencing PlanValidationOpaRule) are adjusted to handle the new
severity field.

Policy: {
createdAt: string;
description?: string;
Expand All @@ -1695,6 +1703,7 @@ export interface components {
environmentProgression?: components["schemas"]["EnvironmentProgressionRule"];
gradualRollout?: components["schemas"]["GradualRolloutRule"];
id: string;
planValidationOpa?: components["schemas"]["PlanValidationOpaRule"];
policyId: string;
retry?: components["schemas"]["RetryRule"];
verification?: components["schemas"]["VerificationRule"];
Expand Down Expand Up @@ -2134,6 +2143,7 @@ export interface components {
environmentProgression?: components["schemas"]["EnvironmentProgressionRule"];
gradualRollout?: components["schemas"]["GradualRolloutRule"];
id?: string;
planValidationOpa?: components["schemas"]["PlanValidationOpaRule"];
policyId?: string;
retry?: components["schemas"]["RetryRule"];
verification?: components["schemas"]["VerificationRule"];
Expand Down
99 changes: 99 additions & 0 deletions e2e/tests/api/policies/policies.spec.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -784,6 +784,105 @@ test.describe("Policy API", () => {
});
});

test("should create a policy with planValidationOpa rule", async ({
api,
workspace,
}) => {
const name = `policy-opa-${faker.string.alphanumeric(8)}`;
const rego = `package ctrlplane.plan_validation

import rego.v1

deny contains msg if {
input.environment.name == "production"
msg := "production deploys require approval"
}
`;
const createRes = await api.POST("/v1/workspaces/{workspaceId}/policies", {
params: { path: { workspaceId: workspace.id } },
body: {
name,
rules: [
{
planValidationOpa: {
name: "require-prod-approval",
description: "Production deploys must be approved",
rego,
},
},
],
},
});

expect(createRes.response.status).toBe(202);
const policyId = createRes.data!.id;
const rules = createRes.data!.rules;
expect(rules).toHaveLength(1);
expect(rules[0]!.planValidationOpa).toEqual({
name: "require-prod-approval",
description: "Production deploys must be approved",
rego,
});

const getRes = await api.GET(
"/v1/workspaces/{workspaceId}/policies/{policyId}",
{
params: { path: { workspaceId: workspace.id, policyId } },
},
);

expect(getRes.response.status).toBe(200);
expect(getRes.data!.rules[0]!.planValidationOpa).toEqual({
name: "require-prod-approval",
description: "Production deploys must be approved",
rego,
});

await api.DELETE("/v1/workspaces/{workspaceId}/policies/{policyId}", {
params: { path: { workspaceId: workspace.id, policyId } },
});
});

test("should create a policy with planValidationOpa rule omitting description", async ({
api,
workspace,
}) => {
const name = `policy-opa-min-${faker.string.alphanumeric(8)}`;
const rego = `package ctrlplane.plan_validation

import rego.v1

deny contains msg if {
msg := "always denied"
}
`;
const createRes = await api.POST("/v1/workspaces/{workspaceId}/policies", {
params: { path: { workspaceId: workspace.id } },
body: {
name,
rules: [
{
planValidationOpa: { name: "always-deny", rego },
},
],
},
});

expect(createRes.response.status).toBe(202);
const policyId = createRes.data!.id;
const rules = createRes.data!.rules;
expect(rules).toHaveLength(1);
expect(rules[0]!.planValidationOpa).toMatchObject({
name: "always-deny",
rego,
});
expect(rules[0]!.planValidationOpa?.description).toBeUndefined();

await api.DELETE("/v1/workspaces/{workspaceId}/policies/{policyId}", {
params: { path: { workspaceId: workspace.id, policyId } },
});
});

test("should create a policy with environmentProgression rule", async ({
api,
workspace,
Expand Down
28 changes: 0 additions & 28 deletions packages/db/src/schema/deployment-plan.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,7 +13,6 @@ import {

import { deployment } from "./deployment.js";
import { environment } from "./environment.js";
import { policy } from "./policy.js";
import { release } from "./release.js";
import { resource } from "./resource.js";
import { workspace } from "./workspace.js";
Expand Down Expand Up @@ -188,33 +187,6 @@ export const deploymentPlanTargetVariableRelations = relations(
}),
);

export const policyRulePlanValidationOpa = pgTable(
"policy_rule_plan_validation_opa",
{
id: uuid("id").primaryKey().defaultRandom(),
policyId: uuid("policy_id")
.notNull()
.references(() => policy.id, { onDelete: "cascade" }),
name: text("name").notNull(),
description: text("description"),
rego: text("rego").notNull(),
createdAt: timestamp("created_at", { withTimezone: true })
.notNull()
.defaultNow(),
},
(t) => [index().on(t.policyId)],
);

export const policyRulePlanValidationOpaRelations = relations(
policyRulePlanValidationOpa,
({ one }) => ({
policy: one(policy, {
fields: [policyRulePlanValidationOpa.policyId],
references: [policy.id],
}),
}),
);

type Violation = { message: string };

export const deploymentPlanTargetResultValidation = pgTable(
Expand Down
Loading
Loading