3p3r/tree-sitter-eventrule

Grammar for AWS Event Rules: https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-event-patterns-content-based-filtering.html
Event Rules are JSON documents that are used to filter other JSON documents.
On AWS EventBridge (formerly CloudWatch Events), they are the event patterns that decide which events a rule matches.
Compared to other policy formats, Event Rules are limited in terms of features, but they are easy for non-technical folks to understand and are themselves plain JSON.
This utility is shipped with the npm package and is a small compiler that produces OPA REGO policies from AWS Event Rule patterns. It requires a NodeJS version that is capable of running WASM binaries (any recent version). WASM is used to parse the JSON input and generate the REGO policy.
```sh
$ npm install -g tree-sitter-eventrule
$ rule2rego --help
Compiles AWS Event Rule pattern JSON to OPA REGO policy.
Usage: rule2rego [<rule>.json] [folder]
```
For example, for the following input Event Rule pattern:

```json
// Effect of "source" && ("metricName" || "namespace")
{
  "source": ["aws.cloudwatch"],
  "$or": [
    { "metricName": ["CPUUtilization", "ReadLatency"] },
    { "namespace": ["AWS/EC2", "AWS/ES"] }
  ]
}
```
You will get the following REGO policy output:
```rego
package rule2rego

default allow := false
default allow_or_metricName := false
default allow_or_namespace := false
default allow_or := false
default allow_source := false

allow_or_metricName {
    ({ "CPUUtilization", "ReadLatency" } & { input["metricName"] }) == { input["metricName"] }
}

allow_or_namespace {
    ({ "AWS/EC2", "AWS/ES" } & { input["namespace"] }) == { input["namespace"] }
}

allow_or {
    allow_or_metricName
}

allow_or {
    allow_or_namespace
}

allow_source {
    ({ "aws.cloudwatch" } & { input["source"] }) == { input["source"] }
}

allow {
    allow_or
    allow_source
}
```
If you compile a directory, you get each policy's output separated by a single blank line. The final policy is a combination policy that checks whether the input matches any of the generated policies.
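The generated Rego above encodes a small set of matching semantics: every top-level key of the pattern must match (implicit AND), a leaf array lists the allowed values for a field, `$or` lists alternative sub-patterns, and a field that is missing from the input makes its rule undefined and therefore false. The following reference matcher, added here as an example and not part of the tree-sitter-eventrule project, implements the same semantics in plain JavaScript so the behaviour of a compiled policy (and of the "matches any rule" combination policy) can be checked without OPA. It goes slightly beyond the README's example: nested pattern objects recurse into the event, and an array-valued event field matches when any of its elements is allowed, which is how EventBridge documents array fields; note that the Rego shown wraps `input[key]` in a singleton set, so an array-valued field would have to be handled by the caller there. Only exact-value matching and `$or` are supported, as in the README's example; content filters such as `prefix` or `exists` are not. All events and the second rule used below are constructed sample data.

```javascript
"use strict";

// Constructed sample: the same rule pattern the README compiles to Rego.
// "source" must match AND one of the "$or" branches must match.
const sampleRule = {
  source: ["aws.cloudwatch"],
  $or: [
    { metricName: ["CPUUtilization", "ReadLatency"] },
    { namespace: ["AWS/EC2", "AWS/ES"] },
  ],
};

// Does an event value satisfy a pattern leaf (an array of allowed values)?
// For a scalar this mirrors the generated Rego:
//   ({allowed...} & {input[key]}) == {input[key]}
// i.e. the value must be one of the allowed values. Array-valued event
// fields match when ANY element is allowed (EventBridge's documented rule).
// Assumption: values are compared with strict equality.
function leafMatches(allowed, value) {
  if (Array.isArray(value)) return value.some((v) => allowed.includes(v));
  return allowed.includes(value);
}

// Evaluate a pattern object against an event object.
// Every key in the pattern must match (implicit AND); "$or" holds a list of
// sub-patterns of which at least one must match; a nested pattern object
// recurses into the corresponding nested event object.
function matchesRule(pattern, event) {
  if (event === null || typeof event !== "object") return false;
  return Object.entries(pattern).every(([key, spec]) => {
    if (key === "$or") {
      return Array.isArray(spec) && spec.some((branch) => matchesRule(branch, event));
    }
    if (!(key in event)) return false; // missing field never matches (rule undefined in Rego)
    if (Array.isArray(spec)) return leafMatches(spec, event[key]);
    if (spec !== null && typeof spec === "object") return matchesRule(spec, event[key]);
    throw new TypeError(`pattern field "${key}" must be an array or an object`);
  });
}

// Equivalent of the combination policy: the input is allowed if it matches
// any one of the compiled rules.
function matchesAny(rules, event) {
  return rules.some((rule) => matchesRule(rule, event));
}

// Constructed sample events.
const cpuEvent = { source: "aws.cloudwatch", metricName: "CPUUtilization" };
const esEvent = { source: "aws.cloudwatch", namespace: "AWS/ES" };
const wrongSource = { source: "aws.ec2", metricName: "CPUUtilization" };
const noBranch = { source: "aws.cloudwatch", metricName: "NetworkIn" };

console.log(matchesRule(sampleRule, cpuEvent));    // → true
console.log(matchesRule(sampleRule, esEvent));     // → true
console.log(matchesRule(sampleRule, wrongSource)); // → false
console.log(matchesRule(sampleRule, noBranch));    // → false
```

Because `matchesRule` returns false for any field the pattern names but the event lacks, it fails closed exactly like the generated Rego, whose `default allow := false` takes over when `input[key]` is undefined.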
Compile the rules with OPA (this example compiles to WASM):

```sh
npx rule2rego rule.json > policy.rego
opa build -t wasm -e rule2rego -o bundle.tar.gz policy.rego
tar -xvf bundle.tar.gz /policy.wasm
```

Now you can use the WASM-compiled OPA policy in any application that supports WASM.
You can compile the policies to any format OPA supports and use them however you want. This application's main concern is converting CloudWatch event rules to REGO.
A quick way to write each rule.json in a folder to a separate policy file is to split the output on blank lines (awk's paragraph mode, `RS=''`):

```sh
mkdir -p out
npx rule2rego folder | awk -v RS='' '{ print > ("out/" NR ".rego") }'  # write each converted rule to out/#.rego
```
In addition to being a CLI utility, you can use rule2rego directly in your JS applications.

```js
const fs = require("fs");
const path = require("path");
const { compile } = require("tree-sitter-eventrule/dist/main");

(async () => {
  // compile() resolves to one REGO policy string per rule
  const rules = await compile("rule.json");
  for (const rule of rules) {
    console.log(rule);
  }
})();
```