fix: adds mapping to /comply:pack-assessment#133
Conversation
Signed-off-by: Hannah Braswell <hbraswel@redhat.com>
d656ccd to
efcc853
Compare
|
|
||
| 1. List all `.rego` files in the policy directory | ||
| 2. For each file, extract the `package` declaration (e.g., `package kubernetes.tls_version`) | ||
| 3. Match each package namespace to its corresponding `requirement-id` from the Policy's `adherence.assessment-plans` |
There was a problem hiding this comment.
Is it the requirement-id or the plan-id?
There was a problem hiding this comment.
It's the requirement_id for the rego namespace. Here's complytime-providers documentation for reference. The gemara Policy assessment-plans.requirement-id doesn't include the plan-* prefix
There was a problem hiding this comment.
Testing this PR and going to push a bundle. I will share it with you
gvauter
left a comment
There was a problem hiding this comment.
[HIGH] OPA mapping filename mismatch — compliance-mapping.json should be complytime-mapping.json
The OPA provider expects complytime-mapping.json (defined as a constant at complytime-providers/cmd/opa-provider/generate/mapping.go:22):
MappingFileName = "complytime-mapping.json"The PR uses compliance-mapping.json in 4 locations, which would cause the same LoadMapping() file-not-found error reported in #132.
The issue #132 description text uses compliance-mapping.json, but the embedded error output and the provider source code both use complytime-mapping.json. The PR followed the description rather than the source of truth.
This review was generated by /review-pr (AI-assisted).
Co-authored-by: George V <gvauter@redhat.com>
Co-authored-by: George V <gvauter@redhat.com>
Co-authored-by: George V <gvauter@redhat.com>
Co-authored-by: George V <gvauter@redhat.com>
| description: Use when user mentions Rego, Conftest, OPA, AMPEL, "generate policy", or "assessment logic" in the context of Gemara catalogs. Generates policies from Gemara Control Catalogs for Kubernetes (Deployments, Pods, DaemonSets, StatefulSets, CronJobs, Jobs, Services, NetworkPolicies, Ingress, RBAC, ConfigMaps, Secrets), CI/CD pipelines (GitHub Actions, GitLab CI, Azure Pipelines), Conftest, OPA, or AMPEL | ||
| --- | ||
|
|
||
| # /comply:pack-assessment — Rego Policy Generation and Assessment |
There was a problem hiding this comment.
| # /comply:pack-assessment — Rego Policy Generation and Assessment | |
| # /comply:pack-assessment — Rego/AMPEL Policy Generation and Assessment |
Since the skill now covers AMPEL, these should be generalized.
| | 6. Generate policy | Write Rego against schema contract | .rego file | | ||
| | 7. Write to disk | Save to `policy/` | File on disk | | ||
| | 8. Validate | Contract check then test | Pass/fail results | | ||
| | 8. Generate provider mapping | Create provider-specific mapping file | `complytime-mapping.json` (OPA) or `complytime-ampel-policy.json` (Ampel) | |
There was a problem hiding this comment.
| | 8. Generate provider mapping | Create provider-specific mapping file | `complytime-mapping.json` (OPA) or `complytime-ampel-policy.json` (Ampel) | | |
| | 8. Generate provider mapping | Create provider-specific mapping file | `complytime-mapping.json` (OPA) or granular policy files (AMPEL) | |
| ### Ampel provider (`evaluator-id: ampel`) — granular policy files + `complytime-ampel-policy.json` | ||
|
|
||
| Generate one JSON file per assessment requirement (granular policy), then merge them into a single `complytime-ampel-policy.json` bundle. |
There was a problem hiding this comment.
| ### Ampel provider (`evaluator-id: ampel`) — granular policy files + `complytime-ampel-policy.json` | |
| Generate one JSON file per assessment requirement (granular policy), then merge them into a single `complytime-ampel-policy.json` bundle. | |
| ### AMPEL provider (`evaluator-id: ampel`) — granular policy files | |
| Generate one JSON file per assessment requirement (granular policy). Each file's `id` field must match the Gemara `requirement-id` from `adherence.assessment-plans` — this is how the AMPEL provider matches policies to requirements (no separate mapping file is needed). |
Summary
Adds a new Step 8 to the /comply:pack-assessment skill that generates provider-specific mapping files after writing policy files to disk. Supports OPA and AMPEL for mapping rego namespaces to requirement_ids and granular policies to requirement_ids. Checklist item added to verify mapping file generation.
Related Issues
Review Hints