Runbook: Policy Engine - Rego Compilation Errors
Sprint: SPRINT_20260117_029_DOCS_runbook_coverage
Task: RUN-003 - Policy Engine Runbooks
Metadata
| Field | Value |
|---|---|
| Component | Policy Engine |
| Severity | High |
| On-call scope | Platform team |
| Last updated | 2026-01-17 |
| Doctor check | check.policy.compilation-health |
Symptoms
- Policy deployment failing with "compilation error"
- Alert `PolicyCompilationFailed` firing
- Error: "rego_parse_error" or "rego_type_error"
- New policies not taking effect
- OPA rejecting policy bundle
Impact
| Impact Type | Description |
|---|---|
| User-facing | New policies cannot be deployed; using stale policies |
| Data integrity | Existing policies continue to work; new rules not enforced |
| SLA impact | Policy updates blocked; security posture may be outdated |
Diagnosis
Quick checks
- Check Doctor diagnostics:
  `stella doctor --check check.policy.compilation-health`
- Check policy compilation status:
  `stella policy status --compilation`
- Validate specific policy:
  `stella policy validate --file <policy-file>`
Deep diagnosis
- Get detailed compilation errors:
  `stella policy compile --verbose`
  Look for: line numbers, error types, undefined references
- Check for syntax errors:
  `stella policy lint --file <policy-file>`
- Check for type errors:
  `stella policy typecheck --file <policy-file>`
- Check OPA version compatibility:
  `stella policy opa version`
  `stella policy check-compat --file <policy-file>`
Resolution
Immediate mitigation
- Rollback to last working policy:
  `stella policy rollback --to-last-good`
- Disable the failing policy:
  `stella policy disable <policy-id>`
  `stella policy reload`
- Use previous bundle:
  `stella policy bundle load --version <previous-version>`
Root cause fix
If syntax error:
- Get exact error location:
  `stella policy validate --file <policy-file> --show-line`
- Common syntax issues:
  - Missing brackets or braces
  - Invalid rule head syntax
  - Incorrect import statements
- Fix and re-validate:
  `stella policy validate --file <fixed-policy.rego>`
If undefined reference:
- Check for missing imports:
  `stella policy analyze --file <policy-file> --show-imports`
- Verify data references exist:
  `stella policy data show`
- Add missing imports or data definitions
If type error:
- Check type mismatches:
  `stella policy typecheck --file <policy-file> --verbose`
- Common type issues:
  - Comparing incompatible types
  - Invalid function arguments
  - Missing type annotations
If OPA version incompatibility:
- Check Rego version features used:
  `stella policy analyze --file <policy-file> --show-features`
- Update policy to use compatible features or upgrade OPA
Verification
# Validate fixed policy
stella policy validate --file <fixed-policy.rego>
# Test policy compilation
stella policy compile --file <fixed-policy.rego>
# Deploy policy
stella policy deploy --file <fixed-policy.rego>
# Test policy evaluation
stella policy evaluate --test
Prevention
- CI/CD: Add policy validation to CI pipeline before deployment
- Linting: Run `stella policy lint` on all policy changes
- Testing: Write unit tests for policies with `stella policy test`
- Staging: Deploy to staging environment before production
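
An added example (not part of the original runbook or the project's own tooling) of the CI gate recommended above: a POSIX shell script that runs the runbook's lint, validate, typecheck and compile commands over every `.rego` file and fails the build if any policy is broken. It assumes each `stella policy` subcommand exits non-zero on failure; the script name and directory layout are hypothetical.

```shell
#!/bin/sh
# Added example: CI gate for Rego policies, built from commands in this runbook.
# Assumptions: every `stella policy <check> --file <f>` exits non-zero on
# failure, and policies are *.rego files under the directory given as $1.

# Run one check on one file. Tool output goes to stderr so the CI log keeps
# the line numbers and error types; stdin is closed so the tool cannot
# swallow the file list that gate_policies is reading.
run_check() {
    if stella policy "$1" --file "$2" </dev/null >&2; then
        return 0
    fi
    printf 'FAIL %s %s\n' "$1" "$2" >&2
    return 1
}

# Check every policy under a directory and print "checked=N failed=M".
# Exit status: 0 all passed, 1 at least one file failed, 2 nothing to check
# (an empty match must not pass the gate). The body is a subshell, so its
# variables and `exit` stay local to the function.
gate_policies() (
    dir=$1 seen=0 failed=0
    files=$(find "$dir" -type f -name '*.rego' | sort)
    while IFS= read -r file; do
        [ -n "$file" ] || continue
        seen=$((seen + 1))
        # Stop at the first failing check for this file, then move on, so
        # one run reports every broken policy.
        for check in lint validate typecheck compile; do
            run_check "$check" "$file" || { failed=$((failed + 1)); break; }
        done
    done <<EOF
$files
EOF
    if [ "$seen" -eq 0 ]; then
        echo "no .rego files under $dir" >&2
        exit 2
    fi
    echo "checked=$seen failed=$failed"
    [ "$failed" -eq 0 ]
)

# CI entry point, e.g. `sh policy-gate.sh policies/` (script name is made up).
if [ "$#" -gt 0 ]; then
    gate_policies "$1"
fi
```

File names containing newlines are not handled; treating an empty policy directory as a failure keeps a mis-pointed path from silently passing the gate.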
Related Resources
- Architecture: `docs/modules/policy/architecture.md`
- Related runbooks: `policy-opa-crash.md`, `policy-evaluation-slow.md`
- Rego reference: https://www.openpolicyagent.org/docs/latest/policy-language/
- Policy testing: `docs/modules/policy/testing.md`