OPA, Styra and Terraform: protect your cloud

Introduction to Styra DAS:

Styra Declarative Authorization Service (DAS), built on top of the open-source project Open Policy Agent (OPA), provides a single pane of glass for authorization and policy across the cloud-native ecosystem of software systems. Using the DAS allows you to use a single language for expressing policy and a single software system for managing those policies across a broad spectrum of software systems, for example: Kubernetes, microservices, public cloud, Linux, and databases. The Styra DAS provides the world’s first enterprise-grade policy-development lifecycle including policy authoring, policy testing, policy distribution, policy monitoring, and policy logging.

The Styra DAS works with any software system integrated with OPA. It provides a core feature set that applies regardless of which underlying software system is integrated with OPA. As integrations become more popular the Styra DAS adds special support to help streamline installation, policy-authoring, testing, and so on.

Introduction to OPA:

The Open Policy Agent (OPA, pronounced “oh-pa”) is an open-source, general-purpose policy engine that unifies policy enforcement across the stack. OPA provides a high-level declarative language that lets you specify policy as code and simple APIs to offload policy decision-making from your software. You can use OPA to enforce policies in microservices, Kubernetes, CI/CD pipelines, API gateways, and more.

Download OPA:

To get started, download an OPA binary for your platform from GitHub releases:

On macOS (64-bit):

curl -L -o opa https://openpolicyagent.org/downloads/v0.36.1/opa_darwin_amd64

On Linux (64-bit):

curl -L -o opa https://openpolicyagent.org/downloads/v0.36.1/opa_linux_amd64_static

Set permissions on the OPA executable:

chmod 755 ./opa

OPA includes an interactive shell or REPL (Read-Eval-Print-Loop). You can use the REPL to experiment with policies and prototype new ones.

To start the REPL:

./opa run

In this tutorial, you will learn how to use the Styra CLI and its embedded OPA to run OPA policies against your Terraform plans. You will also learn how to manage OPA policies using Styra’s Declarative Authorization Service (DAS).

This tutorial guides you through the following tasks:

  • Create a Styra DAS tenant account.
  • Add a Terraform DAS System (the core unit of policy management within DAS).
  • Choose the rules you want to enforce.
  • Download the Styra CLI and its embedded OPA.
  • Use the Styra CLI to evaluate your rules against some sample Terraform plans.

Mandatory:

  • Terraform installed locally; verify with:

$ terraform version

  • If you already have sample Terraform plans (converted to JSON) that you can use, installing Terraform is not required.

Add a Terraform System in StyraDAS:

Once I’m logged in, I can create a Terraform system. One of the nice features of DAS is the helpful quick start that will walk me through how to use the Terraform system and get more familiar. Now that I have a Terraform system, I’m going to pull down the Styra CLI and the OPA config file.

Steps to create a new Terraform system:

1. Click the plus sign (+) next to the SYSTEMS section in the left navigation panel.

2. Select a system-type from the list of available types.

3. For this tutorial, select Terraform system-type.

4. In the Add System › Terraform dialog, fill the following profile information:

  • System name (required): Name your new Terraform system.
  • Description: (Optional) Enter a description.
  • Leave the Read-only switch ON to prevent other users from editing policy for this system using the policy control plane console.
  • Leave the Launch Quick Start switch on. After this system is added, the Quick Start sidebar will guide you through configuring the system.

5. Click the Add system button.

Now, a Terraform system is created in the left navigation panel under the SYSTEMS section.

  • After creating a new Terraform system, the DAS drops you onto the Install page. You can also find the installation instructions under your System name >> Settings >> Install. This page gives you the instructions to download the requirements and start enforcing policies on your laptop.

You don’t have to run all the commands on this screen. You only have to perform the following two tasks on your terminal window.

  1. Download the Styra CLI (either for Mac or Linux).
  2. Download the CLI configuration.

The Styra CLI will automatically use the CLI configuration you downloaded as long as it is in the same directory.

What is Terraform:

Terraform is a tool that allows you to describe a plan for your infrastructure. It covers anything from building a virtual machine in Amazon Web Services to running containers in Docker on your local machine. The important elements are that you declare the infrastructure resources that you want and the place, or places, that provide those resources.

Evaluate your Terraform Plan:

Normally, you would create your own Terraform plan, convert it to JSON, and then run policies against it.

Now, go back to your terminal and evaluate your policies against the sample Terraform plan using the Styra CLI.

Using your own Terraform files:

→ Generate a Terraform v12+ plan and save it to a file.

$ terraform init
$ terraform plan -out tfplan.binary

→ Convert the Terraform plan to JSON.

$ terraform show -json tfplan.binary > tfplan.json

→ Run policy checks against the plan.

$ ./styra vet tfplan.json

I don’t have any policy in Styra DAS at the moment, but I like to run the policy empty so that I can get a decision log in Styra DAS to help with development.

Develop, test and publish the policy:

Now, we have a Terraform system and the Styra CLI is set up locally and we can see our first decisions in Styra DAS. Now, it’s time to configure the policy.

In the Styra DAS, navigate back to the same policy file as earlier: your system name >> policy >> aws >> ec2 >> rules.rego.

Add the following rule to your policy to prohibit overly-permissive IAM settings on AWS:

enforce[decision] {
  # Styra's pre-built library rule yields one message per overly-permissive IAM policy found in the plan
  data.global.systemtypes["terraform:1.0"].library.provider.aws.iam.restricted_policy.v1.restricted_iam_policy[message]
  # Each message becomes a denying decision
  decision := {
    "allowed": false,
    "message": message
  }
}
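As an added example (not the page's own code and not Styra's library rule), the following plain-OPA Rego policy performs the same kind of check directly over a tfplan.json produced by terraform show -json: it flags any aws_iam_policy the plan will create or update whose document allows every action on every resource. The package name and the embedded plan fragments are assumptions constructed for the tests; run `./opa test policy.rego` for those, or `./opa eval -i tfplan.json -d policy.rego data.terraform.aws.iam.deny` against a real plan.

```rego
# Added example; package name is an assumption, not a Styra DAS convention.
package terraform.aws.iam

# IAM "Statement", "Action" and "Resource" may be a single value or an array.
to_list(x) = x { is_array(x) }
to_list(x) = [x] { not is_array(x) }

# A statement is overly permissive when it allows "*" on "*".
wildcard_statement(stmt) {
    stmt.Effect == "Allow"
    to_list(stmt.Action)[_] == "*"
    to_list(stmt.Resource)[_] == "*"
}

# One deny message per offending aws_iam_policy the plan creates or updates.
deny[msg] {
    rc := input.resource_changes[_]
    rc.type == "aws_iam_policy"
    action := rc.change.actions[_]
    {"create", "update"}[action]
    # The policy document is a JSON string; skip values unknown at plan time.
    is_string(rc.change.after.policy)
    doc := json.unmarshal(rc.change.after.policy)
    stmt := to_list(doc.Statement)[_]
    wildcard_statement(stmt)
    msg := sprintf("%s: IAM policy allows Action \"*\" on Resource \"*\"", [rc.address])
}

# Constructed minimal plan fragment for the tests below; not real terraform output.
plan_with(policy_json) = plan {
    plan := {"resource_changes": [{
        "address": "aws_iam_policy.example",
        "type": "aws_iam_policy",
        "change": {"actions": ["create"], "after": {"policy": policy_json}}
    }]}
}

test_wildcard_policy_is_denied {
    plan := plan_with(`{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"*","Resource":"*"}]}`)
    count(deny) == 1 with input as plan
}

test_scoped_policy_is_allowed {
    plan := plan_with(`{"Version":"2012-10-17","Statement":{"Effect":"Allow","Action":["s3:GetObject"],"Resource":"arn:aws:s3:::example-bucket/*"}}`)
    count(deny) == 0 with input as plan
}
```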

Before you publish and start enforcing your new policy, you want to know what impact it will have. The Validate button explains how many past decisions will be changed by your new policy:

When you click on the Validate button, the following results are displayed:

  • Results explaining that your policy will still reject the first sample Terraform plan.
  • Now, it will also reject the second sample Terraform plan that was previously allowed.
  • Click on the green icon, and DAS will replay that decision using your policy, show you the new result, and which rules contributed to that result.

This kind of visibility helps you predict whether your organization is operationally ready for tighter Terraform controls.

Rules can also be in Monitor mode, which means the Terraform plan will always pass the policy check, but the Styra CLI will generate warnings.

  • You can browse the list of other pre-built rules by clicking the Add rule button.

To make this policy live, click on the Publish button and confirm. You will then see the toolbar shift from Draft to System and the Draft tag disappears in the inventory.

Congratulations!

Now, you have learned how to use the Styra CLI and its embedded OPA to run OPA policies against your Terraform plans using Styra’s Declarative Authorization Service (DAS).

Summary:

  • The DAS Terraform system-type helps you put guardrails onto the public cloud resources you manage with Terraform.
  • The policies enforced by the Styra CLI you just downloaded are managed within the Styra DAS. The DAS provides some built-in rules that you can choose from a list, or you can write your own rules using Rego (OPA’s policy language).

Reference Documents: