verbose partial rule output

[stevend-15]

I would like to get verbose partial rule output. Namely, I would like to define two or more variables that will act as checks for certain error conditions in my policy. I would like these variables to have default values such that I know where things went wrong in my policy. If they the policy goes correctly, I would like them to update as well. For example, I have the following input approximately taken from an aws page (https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-subnet.html#aws-resource-ec2-subnet--examples)

"Resources": {
        "mySubnet" : {
        "Type" : "AWS::EC2::Subnet",
        "Properties" : {
            "VpcId" : { "Ref" : "myVPC" },
            "CidrBlock" : "10.0.0.0/24",
            "AvailabilityZone" : "us-east-1a",
            "MapPublicIpOnLaunch": false,
            "Tags" : [ { "Key" : "stack", "Value" : "production" } ]
        }
        }
    }
}

Here is my example policy. I'm simply checking if the resource is an aws subnet and then if the MapPublicIpOnLaunch is set to false. For the record, I was experimenting heavily with these composite keys and variable assignments so I understand they're likely not correct.

deny_subnet_public_ip [{subnet_check: "not a subnet resource", 
    public_ip_field_ck: "bad field"}] := "passed"
{
    input.Resources[_].Type == "AWS::EC2::Subnet"
    subnet_check := "subnet check passed"
    input.Resources[_].Properties.MapPublicIpOnLaunch == false
    public_ip_field_ck := "public ip field ck passed"
}

When I run opa eval -i input.txt -d example.rego 'data.example.deny_subnet_public_ip' -f pretty , I get the following output:

{
  "{\"public ip field ck passed\":\"bad field\",\"subnet check passed\":\"not a subnet resource\"}": "passed"
}

How come I'm still seeing the default values for those two variables? Should they not have updated when the policy passed? Conversely, when I run the above command with the "MapPublicIpOnLaunch" field set to "true", I get this output:
{}

How come the default values in the key did not appear? How am I supposed to get default values back for partial rules? Is it then possible to update these default values upon rule success?

Any help is appreciated

[peteroneilljr]

Hi @stevend-15

There are couple things that would help here.

1. To set a default value you can use the default keyword: Default Keyword
2. Splitting some of the logic into helper functions.

I've shown this as an example here: https://play.openpolicyagent.org/p/IPLoeC7Awy

What would be more common, is to set a policy that compiles a list of deny messages, each one checking one specific piece of the input.

package play

deny[msg] {
    input.Resources[_].Type == "AWS::EC2::Subnet"
    msg := "type Subnet is not expected"
}

deny[msg] {
    input.Resources[_].Properties.MapPublicIpOnLaunch == false
    msg := "MapPublicIp is set to false"
}

[stevend-15]

Thank you @peteroneilljr, this was very helpful and well explained. I couldn't figure out how to incorporate the default values within the partial rules - splitting them up into complete rules makes sense.