You can create a template for a policy rule by using Rego in the Create Template API. Rego is the native query language for Open Policy Agent (OPA), an open source policy engine. For information about Rego coding, see OPA Policy Language. Using Rego, you can define the logic to perform in the template.

List of Valid Rego Operations

The following is a list of safe, built-in OPA functions that are allowed for policy evaluation. These are basic operations needed for policy evaluation and exclude dangerous operations. The operations are required for the Create Template API.

Operator type	Valid operators
Comparison	`eq`, `equal`, `neq`, `gt`, `lt`, `gte`, `lte`
Arithmetic operations	`plus`, `minus`, `mul`, `div`, `abs`, `round`, `ceil`, `floor`
String operations	`concat`, `contains`, `endswith`, `format_int`, `indexof`, `lower`, `replace`, `split`, `startswith`, `substring`, `trim`, `trim_left`, `trim_prefix`, `trim_right`, `trim_suffix`, `upper`
Array operations	`array.concat`, `array.reverse`, `array.slice`
Set operations	`set_diff`, `intersection`, `union`
Object operations	`object.get`, `object.keys`, `object.remove`, `object.union`, `object.union_n`
Type conversion	`to_number`
Aggregation	`count`, `sum`, `max`, `min`, `sort`, `all`, `any`
Logic operations	`and`, `or`
JSON operations	`json.filter`, `json.patch`, `json.remove`, `json.unmarshal`
Encoding	`base64.encode`, `base64.decode`, `base64url.encode`, `base64url.decode`, `urlquery.encode`, `urlquery.decode`
Time operations (read-only, no system clock manipulation)	`time.now_ns`, `time.parse_ns`, `time.parse_rfc3339_ns`, `time.parse_duration_ns`
Units	`units.parse`, `units.parse_bytes`
Regex	`regex.match`, `regex.find_all_string_submatch_n`, `regex.split`
Graph	`graph.reachable`, `graph.reachable_paths`
Type checking	`is_number`, `is_string`, `is_boolean`, `is_array`, `is_object`, `is_set`, `is_null`
Type name	`type_name`