Skip to content

Instantly share code, notes, and snippets.

@mandarjog

mandarjog/expression.yaml

Last active March 28, 2022 17:42
Show Gist options
  • Save mandarjog/24b37f1685c4b23ccdb8533e223c55b2 to your computer and use it in GitHub Desktop.
Save mandarjog/24b37f1685c4b23ccdb8533e223c55b2 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
expression.yaml
filters:
OR:
- { attr.ip: 1.2.3.4/32 }
- { attr.ip: 1.2.3.5/32 }
- AND:
- { attr.region: us-west1 }
- { dept: eng }
@mandarjog
Copy link
Author 

resource.ip == "1.2.3.4/32" || resource.ip == "1.2.3.5/32" || 
      ( resource.region == "us-west1" && resource.tag.dept == "eng")

@mandarjog
Copy link
Author

mandarjog commented Mar 28, 2022
edited
Loading 

// Match expression defined over resources.
message MatchExpr {
    // Logical oneof between the following fields.
    // Proto restrictions do not let us use oneof here.

    //oneof {
        // ANDs all the repeated fields.
        repeated MatchExpr and = 1;
        // ORs all the repeated fields.
        repeated MatchExpr or = 2;
        // Expresses a match.
        repeated string match = 3;

        // syntactic sugar for AND with all MATCH elements.
        map<string, string> matchall = 4;
        // syntactic sugar for OR with all MATCH elements.
        map<string, string> matchany = 5;

    // } end oneof
}

Only using and, or, match we get the following output

The following application domain is defined by the union of a subnet group consisting of two CIDRs, and one VM and VPC expression each.

{
  "or": [
    {"or": [
        {"match": ["ip", "10.4.5.0/24"]},
        {"match": ["ip", "10.4.4.0/24"]}]
    },
    {"and": [
        {"match": ["type", "vm"]},
        {"match": ["zone", "us-west-2"]},
        {"match": ["tags.application", "app1"]}]
    },
    {"and": [
        {"match": ["type", "vpc"]},
        {"match": ["tags.application", "app1"]}]
    }
  ]
}

**Using matchall shortcut **

{
  "or": [
    {"matchany": {
        "ip": "10.4.5.0/24",
        "ip": "10.4.4.0/24" }
    },
    {"matchall": {
        "type": "vm",
        "zone": "us-west-2",
        "tags.application": "app1" }
    },
    {"matchall": {
        "type": "vpc",
        "tags.application": "app1" }
    }
  ]

Alternative

syntax = "proto3";

package proto.global_config;


// combines n-booleans
message BoolExpr {
  enum BoolOp {
    UNSPECIFIED = 0;
    AND = 1;
    OR = 2;
    NOT = 3;
  }
  BoolOp op = 1;
  repeated Expr args = 2;
}

message MatchExpr {
  repeated string args = 1;
}

message Expr {
  oneof expr {
    BoolExpr combine = 1;
    MatchExpr match = 2;
  }
}

Rendering yaml using the alternative

  combine: {
    op: or,
    args: [
      {combine: {op: and,
      args: [
        {MATCH: {args: [type, vm]}},
        {MATCH: {args: [ip, 10.4.4.0/24]}},
      ]}},
      {combine: {op: and,
      args: [
        {MATCH: {args: [type, vm]}},
        {MATCH: {args: [zone, us-west-2]}},
        {MATCH: {args: [tags.application, app1]}}
      ]}},
      {combine: {op: and,
      args: [
        {MATCH: {args: [type, vpc]}},
        {MATCH: {args: [tags.application, app1]}}
      ]}}
    ]
  }

@narayanangit
Copy link

Using a oneof that supports basic and full ast version -
We may not have to change the protobuf defintion if we use the oneof?

 message Selector {
  oneof ver {
    // Basic version is what we will support in phase 1
    Basic basic = 1;
    // Based on requirements, we can support full AST (The alternative method suggested by Mandar)
    FullAst fullast = 2
  }
}


message Basic {
  repeated MatchExpr expr = 1
}

message MatchExpr {
  map <str, str> match = 1
}

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment