Combining exit codes and 'defined' string return values from rules

[stevend-15]

I want to return a non-zero exit code when my policy fails so that my CI/CD buildspec stops building. I also want to return a string error message from my rule(s).

I noticed the --fail and --fail-defined options for opa eval command. These options seem perfect. However, returning a string
technically isn't 'failing' or returning 'undefined'. So, it seems to me impossible to return a string error message as well as
a non-zero exit code without also sabotaging a good output string and test case.

Am I correct here? Is there any way to get the best of both worlds? I'm still new to Rego

Ex rego file:

package play

default hello := "hello failed"

hello := "hello passed" {
     input.message == "world"
}

input:
{"message": "world"}

Running the following command will return a non-zero exit code no matter what
opa eval -i .\input.json -d .\test_rego.rego 'data.play.hello' --fail-defined -f raw

Similarly, the command below won't help because in this case the result is always defined
opa eval -i .\input.json -d .\test_rego.rego 'data.play.hello' --fail -f raw

Any help is appreciated

[srenatus]

As you've noted, with the default hello rule, there's no way that data.play.hello would ever be undefined. So --fail-defined would always, --fail never be the case.

Commonly, you'd use --fail-defined with a set rule of some sort, like this call using that policy, which OPA itself uses in CI.

[stevend-15]

@srenatus thank you for the confirmation. Maybe this limitation could be improved for greater evaluation flexibility?

[srenatus]

I guess we could add a feature of some sort; but I wonder if there's no hacky acceptable workaround out there. Like, throw in a print(msg) and fiddle with the defaults, or something like that...

[stevend-15]

The 'hacky' solution I'm thinking of right now is to grep output and return an exit code from there.

> opa eval -i input.json -d policy.rego -f pretty 'data.example.deny' | grep "violation"

I think that snippet could make it in a CI/CD pipeline. Otherwise a shell script should achieve something similar.

We thought about those print statements, but we're going to have a lot of policies and would prefer to avoid death by print statements.