kind: ConfigMap
apiVersion: v1
metadata:
  name: deployment-allowed-role-ns
  namespace: opa
  labels:
    app: opa
    owner: jimmy
    openpolicyagent.org/policy: rego
data:
  main: |
    package kubernetes.admission

    import data.lib.k8s.helpers as helpers

    deny[msg] {
      helpers.request_kind = "Deployment"
      helpers.allowed_operations[helpers.request_operation]
      role := helpers.deployment_role
      namespace := helpers.request_namespace
      not ns_roles_allowed(namespace,role)
      msg := sprintf("%q: %q role is not allowed for the %q namespace. Resource ID (ns/name/kind): %q", [helpers.deployment_error,role,namespace,helpers.request_id])
    }

    ns_roles_allowed(n,r) {
    	# a dictionary mapping each namespace to a set of permitted roles for that namespace
        allowed := {
          "prod": {"arn:aws:iam::123456789012:role/prod"},
        	"dev": {"arn:aws:iam::123456789012:role/dev","arn:aws:iam::123456789012:role/test"},
          "opa-test": {"arn:aws:iam::123456789012:role/test"},
        }
        allowed[n][r]
    }