opa-dynamodb

OPA DynamoDB

Infinitely scalable policy store with instantaneous policy updates for use by small and enterprise scale teams wanting to use Open Policy Agent.

OPA DynamoDB adds custom functionality to rego policies to query data from DynamoDB.

OPA has several strategies for managing policies at scale and accepting internal data which you can read about here. This repository implements Option 5 using DynamoDB as the external data source. This implementation also removes the current limitations described by OPA.

• Using this runtime you can test your policies against external data
• AWS credentials can be infered by the credentials chain in Goland AWS SDK
• Retry logic and caching are implemented by the AWS SDK and this implementation

DynamoDB As A Backend

DynamoDB is an excellent backend for policy data. You can store documentesque data across dynamo rows and query them using a collections pattern. This method is efficient (single read to get entire policy) and scalable (dynamodb storage is extremely scalable).

If you want to understand more about Single Table Design, item collections, and DynamoDB in general I recommend this book by Alex Debrie https://www.dynamodbbook.com/. I have no affiliation with Alex or his book. It's that good.

Architecture

This high level flow diagram shows how we can check if a user attempting to get a document has access to this document or not.