OPA bundle eval performance

[jigar-hashicorp]

We have 400+ OPA policies into our bundle. We are processing these policies using Terraform Agent. Why does the policy evaluation stage run opa eval for each individual policy that is provided in the bundle instead of running once and then parsing through the return results per policy? Currently, it is taking one second to parse each policy, which means close to 7 mins to parse the bundle. Is it because opa eval is single threaded? How can we improve performance?

[anderseknert]

Hi there!

We are processing these policies using Terraform Agent. Why does the policy evaluation stage run opa eval for each individual policy

I don't think anyone here knows how Terraform Agent integrates with OPA, and I couldn't find any docs on the topic either. But what you describe sounds more like an issue with that software than with OPA. There's nothing in OPA that would force the kind of evaluation flow that you describe.

But if you can isolate your issue to OPA alone, and provide some examples, I'd be happy to try and help.

[anderseknert]

I'm afraid I can't answer why it does that, as I haven't written that integration :) But yes, there are certainly more efficient ways to do that. A common pattern to use is dynamic policy composition, where one "main policy" is called once, and that policy routes to all sub-policies applicable, and aggregates the decision from each into a final result sent back to the client. You can read more about this pattern in this blog: https://www.styra.com/blog/dynamic-policy-composition-for-opa/

Happy to answer any questions on that!

[jigar-hashicorp]

Thank you for the explanation and the link to the blog. I will work with Terraform team to see if the performance can be improved using your suggestion.