Cedar Example rewritten in Rego
// Source: https://github.com/cedar-policy/cedar-examples/blob/release/4.8.x/cedar-example-use-cases/tags_n_roles/policies.cedar
//
// Role-A policy. The scope restricts it to principals in Role::"Role-A"
// performing an action in Action::"Role-A Actions"; every `when` clause
// additionally requires the principal to carry an allowedTagsForRole entry
// for "Role-A". Each clause then checks one tag name with the same shape:
//   - the principal has no value for that tag under "Role-A"  -> no constraint
//   - the resource has no value for that tag                   -> no constraint
//   - otherwise permit when either side lists "ALL", or when every value the
//     resource carries is among the principal's allowed values (containsAll)
@id("Role-A policy")
permit (
  principal in Role::"Role-A",
  action in [Action::"Role-A Actions"],
  resource
)
when {
  // production_status
  principal.allowedTagsForRole has "Role-A" &&
  (if principal.allowedTagsForRole["Role-A"] has production_status then
    (if resource.tags has production_status then
      principal.allowedTagsForRole["Role-A"].production_status.contains("ALL") ||
      resource.tags.production_status.contains("ALL") ||
      principal.allowedTagsForRole["Role-A"].production_status.containsAll(resource.tags["production_status"])
    else true)
  else true)
}
when {
  // country
  principal.allowedTagsForRole has "Role-A" &&
  (if principal.allowedTagsForRole["Role-A"] has country then
    (if resource.tags has country then
      principal.allowedTagsForRole["Role-A"].country.contains("ALL") ||
      resource.tags.country.contains("ALL") ||
      principal.allowedTagsForRole["Role-A"].country.containsAll(resource.tags["country"])
    else true)
  else true)
}
when {
  // stage
  principal.allowedTagsForRole has "Role-A" &&
  (if principal.allowedTagsForRole["Role-A"] has stage then
    (if resource.tags has stage then
      principal.allowedTagsForRole["Role-A"].stage.contains("ALL") ||
      resource.tags.stage.contains("ALL") ||
      principal.allowedTagsForRole["Role-A"].stage.containsAll(resource.tags["stage"])
    else true)
  else true)
};
// Role-B policy: identical in structure to the Role-A policy above, with the
// scope (Role::"Role-B", Action::"Role-B Actions") and the allowedTagsForRole
// key ("Role-B") swapped. Each `when` clause checks one tag name: no
// constraint when either side lacks the tag; otherwise permit when either
// side lists "ALL" or the principal's allowed values cover all of the
// resource's values.
@id("Role-B policy")
permit (
  principal in Role::"Role-B",
  action in [Action::"Role-B Actions"],
  resource
)
when {
  // production_status
  principal.allowedTagsForRole has "Role-B" &&
  (if principal.allowedTagsForRole["Role-B"] has production_status then
    (if resource.tags has production_status then
      principal.allowedTagsForRole["Role-B"].production_status.contains("ALL") ||
      resource.tags.production_status.contains("ALL") ||
      principal.allowedTagsForRole["Role-B"].production_status.containsAll(resource.tags["production_status"])
    else true)
  else true)
}
when {
  // country
  principal.allowedTagsForRole has "Role-B" &&
  (if principal.allowedTagsForRole["Role-B"] has country then
    (if resource.tags has country then
      principal.allowedTagsForRole["Role-B"].country.contains("ALL") ||
      resource.tags.country.contains("ALL") ||
      principal.allowedTagsForRole["Role-B"].country.containsAll(resource.tags["country"])
    else true)
  else true)
}
when {
  // stage
  principal.allowedTagsForRole has "Role-B" &&
  (if principal.allowedTagsForRole["Role-B"] has stage then
    (if resource.tags has stage then
      principal.allowedTagsForRole["Role-B"].stage.contains("ALL") ||
      resource.tags.stage.contains("ALL") ||
      principal.allowedTagsForRole["Role-B"].stage.containsAll(resource.tags["stage"])
    else true)
  else true)
};
# First Rego rendering of the Cedar tags_n_roles example above: the per-tag
# check compares input.principal.allowedTagsForRole[role] against
# input.resource.tags for a fixed set of roles and tag names.
package permit
# allow holds when, for at least one of the two roles, every tag name below
# passes `allowed(role, name)`.
# NOTE(review): the Cedar source also scopes each policy by
# `principal in Role::…` and `action in […]`; this module only evaluates the
# tag logic, so confirm that scope check is enforced elsewhere.
allow if {
	role := ["Role-A", "Role-B"][_]
	every tag_name in ["production_status", "country", "stage"] {
		allowed(role, tag_name)
	}
}
# allowed(role, name) decides one tag name for one role. Either clause suffices:
#   - the check is waived: the principal's values for `name` under `role`
#     include "ALL", the resource's values for `name` include "ALL", or either
#     side has no value for `name` at all (a missing value is substituted
#     with "ALL" via object.get). Both lookups must be defined — an absent
#     allowedTagsForRole[role] entry or an absent resource.tags leaves this
#     clause undefined.
#   - every value the resource carries for `name` is among the principal's
#     values for `name` under `role`.
allowed(role, name) if {
	principal_values := object.get(input.principal.allowedTagsForRole[role], name, "ALL")
	resource_values := object.get(input.resource.tags, name, "ALL")
	# flatten so the "ALL" default (a scalar) and real values (arrays) can mix
	"ALL" in array.flatten([principal_values, resource_values])
}

allowed(role, name) if {
	every value in input.resource.tags[name] {
		value in input.principal.allowedTagsForRole[role][name]
	}
}
# Second Rego rendering of the Cedar tags_n_roles example above: the same
# per-tag comparison of input.principal.allowedTagsForRole[role] with
# input.resource.tags, spelled out as one `allowed` clause per case.
package permit
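# allow holds when, for at least one of the two roles, the principal has an
# allowedTagsForRole entry for that role and every tag name below passes
# `allowed(role, name)`.
#
# The bare reference `input.principal.allowedTagsForRole[role]` is an
# existence guard mirroring the Cedar source's
# `principal.allowedTagsForRole has "Role-A"` condition. It is needed here
# because the "principal has no value for this tag" clause of `allowed` is
# written with `not`, and in Rego `not` of an undefined reference is true:
# without the guard an input whose principal has no entry for `role` — or no
# allowedTagsForRole, or no `principal` at all — satisfies that clause for
# every tag name and is allowed, whereas the Cedar policy (and the first Rego
# rendering on this page) denies it.
# NOTE(review): the Cedar source also scopes each policy by
# `principal in Role::…` and `action in […]`; this module only evaluates the
# tag logic, so confirm that scope check is enforced elsewhere. Absence of
# `resource.tags` is likewise not guarded here — confirm how that case should
# be treated.
allow if {
	some role in {"Role-A", "Role-B"}
	input.principal.allowedTagsForRole[role]
	every name in {"production_status", "country", "stage"} {
		allowed(role, name)
	}
}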
# allowed(role, name) decides one tag name for one role. Any of the five
# clauses below suffices:
#   1. the principal's values for `name` under `role` include "ALL";
#   2. the principal has no value for `name` under `role` — `not` of an
#      undefined reference is true in Rego, so this clause also holds when the
#      principal has no entry for `role` (or no allowedTagsForRole) at all;
#   3. the resource's values for `name` include "ALL";
#   4. the resource has no value for `name` — likewise true when it has no
#      `tags` at all;
#   5. every value the resource carries for `name` is among the principal's
#      values for `name` under `role` (vacuously true for an empty list).
allowed(role, name) if {
	principal_values := input.principal.allowedTagsForRole[role][name]
	"ALL" in principal_values
}

allowed(role, name) if {
	not input.principal.allowedTagsForRole[role][name]
}

allowed(_, name) if {
	resource_values := input.resource.tags[name]
	"ALL" in resource_values
}

allowed(_, name) if {
	not input.resource.tags[name]
}

allowed(role, name) if {
	every value in input.resource.tags[name] {
		value in input.principal.allowedTagsForRole[role][name]
	}
}