Category
AI for DevOps Security & Hardening

OPA Rego Policy Authoring & Review Prompt

Write, refactor, and unit-test Open Policy Agent Rego policies for admission control, Terraform plan gating, and API authorization — readable, testable, and fail-closed by default.

Target user
Platform engineers adopting policy-as-code with OPA / Conftest / Gatekeeper
Difficulty
Advanced
Tools
Claude, ChatGPT

The prompt

You are a policy-as-code engineer fluent in OPA Rego (v1 syntax) who writes guardrails that are strict, readable, and thoroughly unit-tested.

I will provide:
- The decision point (Kubernetes admission, `terraform plan` JSON, an API authz call, or CI config scanning with Conftest)
- Sample input documents (the JSON OPA will evaluate)
- The rules I want enforced in plain English
- Any existing Rego I have today

Your job — author DEFENSIVE guardrails only:

1. **Clarify the contract.** Restate each English rule as a precise allow/deny predicate, and flag ambiguities (e.g., "block privileged pods" — does that include `allowPrivilegeEscalation`, host namespaces, capabilities?).

2. **Fail-closed structure.** Write policies as `deny[msg]` / `violation[...]` sets that default to denying on missing or malformed fields — never an `allow` rule that defaults to true. Explain the failure mode of each rule (what happens when a field is absent, null, or of the wrong type).

3. **Idiomatic Rego v1.** Use `import rego.v1`, `if`/`contains`, helper rules, and `some ... in` iteration. Avoid deprecated constructs. Factor repeated logic into named helper rules with clear names, not copy-paste.

4. **Readable messages.** Each violation returns a message that names the offending resource, the rule, and the remediation — the kind of message that closes a PR comment, not a stack trace.

5. **Unit tests are mandatory.** For every rule, write `*_test.rego` cases covering: a clean pass, each distinct violation, and edge cases (empty input, missing keys, list-vs-single). Show how to run `opa test -v` and read coverage.

6. **Performance & safety.** Warn about expensive comprehensions, unbounded iteration, and unsafe variable use; show how `opa check --strict` and `opa fmt` enter CI.

7. **Packaging.** Explain how this policy plugs into its decision point (Gatekeeper `ConstraintTemplate`, Conftest `conftest test`, or the OPA REST API), including the data/input mapping.

Output: (a) the policy `.rego` with helper rules and comments, (b) the matching `_test.rego` suite, (c) the CI snippet (`opa fmt --diff && opa check --strict && opa test`), (d) packaging instructions for my decision point, (e) a short rationale of what is intentionally NOT blocked.

Bias toward: fail-closed, tested-or-it-doesn't-exist, messages humans can act on.
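An added example (not part of the original prompt page) of what items 2, 3 and 5 ask for at a Kubernetes admission decision point: a `deny` set that fails closed on malformed input and on a missing field, one shared container helper, and `test_` rules driven by a constructed fixture. The file names, package name, and the specific rules enforced are assumptions.

```rego
# Hypothetical file k8s_privileged.rego; the test_ rules at the bottom would
# normally live in k8s_privileged_test.rego under the same package.
package k8s.privileged

import rego.v1

# Assumed decision point: Kubernetes AdmissionReview with the Pod at input.request.object.
pod := input.request.object
pod_id := sprintf("%s/%s", [object.get(pod, ["metadata", "namespace"], "default"), object.get(pod, ["metadata", "name"], "<unnamed>")])

is_pod if {
	input.request.kind.kind == "Pod"
	is_object(pod.spec)
}

# Fail closed: a request that is not a well-formed Pod is denied, never ignored.
deny contains "request is not a Pod with a spec; refusing to evaluate an unknown object" if not is_pod

# One helper over both container lists so every container rule is written once.
containers contains c if some c in pod.spec.containers
containers contains c if some c in pod.spec.initContainers

deny contains msg if {
	some c in containers
	c.securityContext.privileged == true
	msg := sprintf("pod %s container %q is privileged; remove securityContext.privileged", [pod_id, c.name])
}

# A missing field is a violation: Kubernetes defaults allowPrivilegeEscalation to true.
deny contains msg if {
	some c in containers
	not c.securityContext.allowPrivilegeEscalation == false
	msg := sprintf("pod %s container %q must set securityContext.allowPrivilegeEscalation: false", [pod_id, c.name])
}

# Constructed fixture for the tests (run with `opa test -v .`).
clean := {"request": {"kind": {"kind": "Pod"}, "object": {
	"metadata": {"name": "web", "namespace": "shop"},
	"spec": {"containers": [{"name": "app", "securityContext": {"allowPrivilegeEscalation": false}}]},
}}}

test_clean_pod_passes if count(deny) == 0 with input as clean

test_privileged_container_denied if {
	bad := json.patch(clean, [{"op": "add", "path": "/request/object/spec/containers/0/securityContext/privileged", "value": true}])
	msgs := deny with input as bad
	some msg in msgs
	contains(msg, "is privileged")
}

test_missing_escalation_field_denied if {
	bad := json.remove(clean, ["/request/object/spec/containers/0/securityContext/allowPrivilegeEscalation"])
	count(deny) == 1 with input as bad
}

test_empty_input_denied if count(deny) == 1 with input as {}
```

Running `opa fmt --diff` then `opa check --strict` before `opa test -v` in CI is the sequence item 6 describes; the empty-input test is the one that proves the policy really fails closed.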