Policy Lifecycle: Build, Promote & Roll Back
Overview
A policy bundle is code, and it ships like code: built and tested, promoted through environments, and rolled back when a change goes wrong. This Professional course walks the deploy pipeline for an OPA policy bundle end to end. You build the bundle with opa build (stamping the commit_sha as its revision), test it, deploy it with EnforceAuth/deploy-action@v1 over GitHub OIDC (RFC 8693 token exchange, id-token: write, a trust policy, and no API keys), promote it dev to staging to prod under Writ, and roll it back by a prior commit_sha when a bad change lands. A runnable OPA lab is the exact bundle those steps build and move.
Who this is for
Platform, DevOps, and security engineers who will own the pipeline that ships authorization policy. Both EnforceAuth customers and open-source OPA users. You should have finished the Associate foundations course (Foundations: The Authorization Gap) and OPA & EOPA Fundamentals, so you can write a small Rego policy, not just read one. The lab has you author the bundle's allow rules.
Outcomes
By the end of this course you will be able to:
- Treat an OPA policy bundle as a versioned, testable artifact and gate its promotion on
opa test. - Build a deployable bundle with
opa build, stamp thecommit_shaas its manifest revision, and read that manifest withopa inspect. - Explain how
deploy-actionauthenticates to the EnforceAuth API with a short-lived GitHub OIDC token instead of a stored API key, and what theid-token: writepermission and trust policy are for. - Read a GitHub Actions workflow that builds, tests, and promotes a bundle dev to staging to prod, and say what Writ governs at each stage.
- Roll a bundle back to a known-good
commit_shaand explain why rollback is a re-deploy of a prior version, not an edit.
Lessons
- The bundle as a versioned artifact
- Build and promote with deploy-action over GitHub OIDC
- Roll back by prior commit_sha
Hands-on lab
This course includes a hands-on lab in lab/. The lab is the OPA bundle the pipeline builds and promotes: a default-deny policy that authorizes who may promote or roll back a bundle in each environment. It ships as a starter with a TODO(learner) stub, and your job is to author the allow rules until the test suite passes. Test it with:
git clone https://github.com/EnforceAuth/university-labs.git
cd university-labs
opa test courses/policy-lifecycle-build-promote-rollback -v
Run it from the cloned university-labs repo. The starter reports FAIL: 3/7; a complete implementation reports PASS: 7/7. In lesson 2 you also build the same bundle into a deployable artifact with opa build -b <lab-dir> -r <commit_sha> --ignore '*_test.rego' -o bundle.tar.gz and read its manifest with opa inspect.
Certification
Counts toward the Professional track. Certification is a machine-graded practical: you author a policy that the assessment engine runs against a HIDDEN opa test suite you do not see. This lab is practice for that exam.