Add policy enforcement for attribute registry. (#1208)
Co-authored-by: Liudmila Molkova <limolkova@microsoft.com>
This commit is contained in:
Josh Suereth
GitHub
parent
4d271fbbf5
commit
459fbdbe0a
11
Makefile
11
Makefile
|
|
@ -111,6 +111,15 @@ install-yamllint:
|
|||
yamllint:
|
||||
yamllint .
|
||||
|
||||
# Check semantic convention policies on YAML files
|
||||
.PHONY: check-policies
|
||||
check-policies:
|
||||
docker run --rm -v $(PWD)/model:/source -v $(PWD)/policies:/policies -v $(PWD)/templates:/templates \
|
||||
otel/weaver:${WEAVER_VERSION} registry check \
|
||||
--registry=/source \
|
||||
--diagnostic-format=ansi \
|
||||
--policy=/policies/registry.rego
|
||||
|
||||
# Generate markdown tables from YAML definitions
|
||||
.PHONY: table-generation
|
||||
table-generation:
|
||||
|
|
@ -180,7 +189,7 @@ fix-format:
|
|||
# Run all checks in order of speed / likely failure.
|
||||
# As a last thing, run attribute registry generation and git-diff for differences.
|
||||
.PHONY: check
|
||||
check: misspell markdownlint check-format markdown-toc compatibility-check markdown-link-check attribute-registry-generation
|
||||
check: misspell markdownlint check-format markdown-toc compatibility-check markdown-link-check check-policies attribute-registry-generation
|
||||
git diff --exit-code ':*.md' || (echo 'Generated markdown Table of Contents is out of date, please run "make markdown-toc" and commit the changes in this PR.' && exit 1)
|
||||
@echo "All checks complete"
|
||||
|
||||
|
|
|
|||
|
|
@ -0,0 +1,42 @@
|
|||
package before_resolution
|
||||
|
||||
# This file enforces policies requiring all attributes to be defined within
|
||||
# a semantic convention "registry". This is a naming/structure convention
|
||||
# used by semantic conventions.
|
||||
|
||||
# Helper to create attribute registry violations.
|
||||
attr_registry_violation(violation_id, group_id, attr_id) = violation {
|
||||
violation := {
|
||||
"id": violation_id,
|
||||
"type": "semantic_convention_policies",
|
||||
"category": "attribute_registry_checks",
|
||||
"group": group_id,
|
||||
"attr": attr_id,
|
||||
}
|
||||
}
|
||||
|
||||
# We only allow attribute groups in the attribute registry.
|
||||
deny[attr_registry_violation("attribute_registry_can_only_contain_attribute_groups", group.id, "")] {
|
||||
group := input.groups[_]
|
||||
startswith(group.id, "registry.")
|
||||
group.type != "attribute_group"
|
||||
}
|
||||
|
||||
# Any group that is NOT in the attribute registry that has an attribute id is
|
||||
# in violation of not using the attribute registry.
|
||||
deny[attr_registry_violation("attributes_must_be_defined_in_attribute_registry", group.id, attr.id)] {
|
||||
group := input.groups[_]
|
||||
not startswith(group.id, "registry.")
|
||||
attr := group.attributes[_]
|
||||
attr.id != null
|
||||
}
|
||||
|
||||
# A registry `attribute_group` containing at least one `ref` attribute is
|
||||
# considered invalid if it's not in the registry group.
|
||||
deny[attr_registry_violation("attributes_in_registry_cannot_reference_each_other", group.id, attr.ref)] {
|
||||
# TODO - this will need to be updated to support `embed` in the future.
|
||||
group := input.groups[_]
|
||||
startswith(group.id, "registry.")
|
||||
attr := group.attributes[_]
|
||||
attr.ref != null
|
||||
}
|
||||
Loading…
Reference in New Issue