Skip to main content

Policy Lifecycle: Build, Promote & Roll Back

Overview

A policy bundle is code, and it ships like code: built and tested, promoted through environments, and rolled back when a change goes wrong. This Professional course walks the deploy pipeline for an OPA policy bundle end to end. You build the bundle with opa build (stamping the commit_sha as its revision), test it, deploy it with EnforceAuth/deploy-action@v1 over GitHub OIDC (RFC 8693 token exchange, id-token: write, a trust policy, and no API keys), promote it dev to staging to prod under Writ, and roll it back by a prior commit_sha when a bad change lands. A runnable OPA lab is the exact bundle those steps build and move.

Who this is for

Platform, DevOps, and security engineers who will own the pipeline that ships authorization policy. Both EnforceAuth customers and open-source OPA users. You should have finished the Associate foundations course (Foundations: The Authorization Gap) and OPA & EOPA Fundamentals, so you can write a small Rego policy, not just read one. The lab has you author the bundle's allow rules.

Outcomes

By the end of this course you will be able to:

  • Treat an OPA policy bundle as a versioned, testable artifact and gate its promotion on opa test.
  • Build a deployable bundle with opa build, stamp the commit_sha as its manifest revision, and read that manifest with opa inspect.
  • Explain how deploy-action authenticates to the EnforceAuth API with a short-lived GitHub OIDC token instead of a stored API key, and what the id-token: write permission and trust policy are for.
  • Read a GitHub Actions workflow that builds, tests, and promotes a bundle dev to staging to prod, and say what Writ governs at each stage.
  • Roll a bundle back to a known-good commit_sha and explain why rollback is a re-deploy of a prior version, not an edit.

Lessons

  1. The bundle as a versioned artifact
  2. Build and promote with deploy-action over GitHub OIDC
  3. Roll back by prior commit_sha

Hands-on lab

This course includes a hands-on lab in lab/. The lab is the OPA bundle the pipeline builds and promotes: a default-deny policy that authorizes who may promote or roll back a bundle in each environment. It ships as a starter with a TODO(learner) stub, and your job is to author the allow rules until the test suite passes. Test it with:

git clone https://github.com/EnforceAuth/university-labs.git
cd university-labs
opa test courses/policy-lifecycle-build-promote-rollback -v

Run it from the cloned university-labs repo. The starter reports FAIL: 3/7; a complete implementation reports PASS: 7/7. In lesson 2 you also build the same bundle into a deployable artifact with opa build -b <lab-dir> -r <commit_sha> --ignore '*_test.rego' -o bundle.tar.gz and read its manifest with opa inspect.

Certification

Counts toward the Professional track. Certification is a machine-graded practical: you author a policy that the assessment engine runs against a HIDDEN opa test suite you do not see. This lab is practice for that exam.