docs/projects/regal/rules/idiomatic/no-defined-entrypoint.md
**Summary**: Missing entrypoint annotation

**Category**: Idiomatic

**Type**: Aggregate - only runs when more than one file is provided for linting
**Avoid**

```rego
package policy

default allow := false

# Nothing wrong with this rule, but an
# entrypoint should be documented as such
allow if user_is_admin

allow if public_resource_read

user_is_admin if {
    some role in input.user.roles
    role in data.permissions.admin_roles
}

public_resource_read if {
    input.request.method == "GET"
    input.request.path[0] == "public"
}
```
**Prefer**

```rego
package policy

default allow := false

# METADATA
# description: Allow only admins, or reading public resources
# entrypoint: true
allow if user_is_admin

allow if public_resource_read

user_is_admin if {
    some role in input.user.roles
    role in data.permissions.admin_roles
}

public_resource_read if {
    input.request.method == "GET"
    input.request.path[0] == "public"
}
```
## Rationale

Defining one or more entrypoints for your policies is a good practice to follow. An entrypoint is simply a package or rule that is meant to be queried for decisions from the outside. While it might seem obvious to the policy author which rules are meant to be queried, adding an extra line or two of metadata will make it obvious to others as well.
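The check this rule performs can be sketched in a few dozen lines. The following is an added example written for this page, not Regal's own implementation (Regal works on the parsed AST rather than on raw comment blocks). The function names and the sample Rego sources are constructed for illustration; it scans the `# METADATA` comment blocks of each file for a top-level `entrypoint: true` key and, like the real rule, only reports a result when more than one file is given:

```python
"""Constructed example, not Regal's own code: a minimal re-implementation of
the check behind no-defined-entrypoint. It scans the `# METADATA` comment
blocks of one or more Rego sources for a top-level `entrypoint: true` key."""
import re
from typing import Optional

# A METADATA block starts with a bare `# METADATA` comment line ...
METADATA_START = re.compile(r"^\s*#\s*METADATA\s*$")
# ... and continues for as long as the following lines are comments.
COMMENT_LINE = re.compile(r"^\s*#(.*)$")
# Only a top-level (unindented) `entrypoint: true` key marks an entrypoint;
# the same key nested under e.g. `custom:` is just user data.
ENTRYPOINT_KEY = re.compile(r"^entrypoint\s*:\s*true\s*$")


def metadata_blocks(source: str) -> list[list[str]]:
    """Return the YAML text lines of every METADATA block in a Rego source."""
    blocks: list[list[str]] = []
    current: Optional[list[str]] = None
    for line in source.splitlines():
        if METADATA_START.match(line):
            current = []
            blocks.append(current)
            continue
        match = COMMENT_LINE.match(line)
        if current is None or match is None:
            current = None  # a non-comment line ends the block
            continue
        text = match.group(1)
        # OPA strips the `#` and a single following space; any indentation
        # beyond that is YAML nesting and must be preserved.
        current.append(text[1:] if text.startswith(" ") else text)
    return blocks


def has_entrypoint(source: str) -> bool:
    """True if any METADATA block in the source declares `entrypoint: true`."""
    return any(
        ENTRYPOINT_KEY.match(yaml_line)
        for block in metadata_blocks(source)
        for yaml_line in block
    )


def missing_entrypoint(sources: dict[str, str]) -> Optional[bool]:
    """Aggregate check over all linted files.

    Returns None when fewer than two files are given, mirroring the rule's
    "only runs when more than one file is provided" behaviour; otherwise
    True when no file declares an entrypoint (a violation) and False when
    at least one does.
    """
    if len(sources) < 2:
        return None
    return not any(has_entrypoint(src) for src in sources.values())


# Constructed sample inputs mirroring the Avoid / Prefer snippets above.
AVOID = """package policy

default allow := false

# Nothing wrong with this rule, but an
# entrypoint should be documented as such
allow if user_is_admin
"""

PREFER = """package policy

default allow := false

# METADATA
# description: Allow only admins, or reading public resources
# entrypoint: true
allow if user_is_admin
"""

# Edge case: `entrypoint: true` nested under `custom:` must not count.
NESTED_ONLY = """package policy

# METADATA
# custom:
#   entrypoint: true
allow := true
"""

if __name__ == "__main__":
    print(missing_entrypoint({"a.rego": AVOID, "b.rego": AVOID}))   # True
    print(missing_entrypoint({"a.rego": AVOID, "b.rego": PREFER}))  # False
    print(missing_entrypoint({"a.rego": AVOID}))                    # None
```

The three-valued result keeps "rule not evaluated" distinct from "no violation", which matters when wiring such a check into CI: a single-file run should not be mistaken for a passing aggregate check.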
Marking a package or rule via an entrypoint annotation attribute not only provides good documentation for others, but also unlocks programmatic possibilities, like:
## Configuration Options

This linter rule provides the following configuration options:

```yaml
rules:
  idiomatic:
    no-defined-entrypoint:
      # one of "error", "warning", "ignore"
      level: error
```