Skip to main content

Migrating to EnforceAuth (from Styra DAS / OPA-OCP)

Overview

A Professional-track course for teams that already run OPA policy under a source system, typically Styra DAS or OPA on OpenShift, and want to move to EnforceAuth without rewriting their Rego. The migration is a lift of governance and delivery, not a rewrite of policy. You will assess what you have, map source-system concepts onto Writ's entity hierarchy, make Git the single source of truth, deliver signed bundles to your existing PDPs (Kubernetes, Envoy, Terraform-provisioned), prove behavior is preserved with a parity suite, and cut over with a clean rollback path. The lab is that parity suite: the same policy, a set of golden decisions, and a test that fails the moment behavior changes.

Who this is for

EnforceAuth customers and platform teams running OPA today under Styra DAS or on OpenShift, who own the PDPs and the CI that ships policy. As a Professional-track course this builds on both Associate foundations: The AI Security Fabric & the Authorization Gap for the concepts and OPA & Enterprise OPA Fundamentals for authoring and testing Rego. You should be comfortable writing a default-deny Rego policy and reading a GitHub Actions workflow before starting; the lab has you author policy, not just read it.

Styra DAS and OpenShift are third-party products referenced here only as migration sources.

Outcomes

By the end of this course you will be able to:

  • Run a pre-migration assessment and explain why the Rego itself is preserved, not rewritten.
  • Map source-system organizing concepts (DAS systems and stacks) onto Writ's tenant to org to system to app hierarchy.
  • Make Git the source of truth and deliver signed bundles to OPA and Enterprise OPA PDPs running as Kubernetes sidecars, Envoy ext_authz, or Terraform-provisioned services, using deploy-action with GitHub OIDC.
  • Build a parity suite that proves the migrated policy returns identical decisions, run it in shadow mode, and cut over with rollback by prior commit_sha.

Lessons

  1. Assess and map: migrate governance, not Rego
  2. Git as source of truth and bundle delivery
  3. Parity and cutover

Hands-on lab

This course includes a graded lab in lab/: the policy under migration plus a parity suite of golden decisions. It ships RED: policy.rego is a starter with the same_tenant gate provided and the four allow rules left as a # TODO(learner) stub. You reconstruct the preserved rules (wired into lesson 3) until the parity suite is green. Run it with:

git clone https://github.com/EnforceAuth/university-labs.git
cd university-labs
opa test courses/migrating-to-enforceauth -v

The starter reports PASS: 4/8; the goal is PASS: 8/8.

Certification

Counts toward the Professional track. Certification is a machine-graded practical: you author a policy that the assessment engine runs against a HIDDEN opa test suite you do not see. This lab is practice for that exam. The quiz in quiz.json checks the concepts.