Open Policy Agent (OPA) Approval Workflows via Slack/Teams

When managing policies in complex systems, the ability to integrate dynamic approval workflows can significantly improve operational efficiency. Open Policy Agent (OPA), a policy-as-code engine, already simplifies policy management, but how can we make approvals more accessible for teams? Enter Slack and Microsoft Teams — platforms where collaboration happens frequently and where decision-making processes can seamlessly be integrated.

In this post, we’ll explore how you can set up OPA-based approval workflows that leverage Slack or Teams for real-time collaboration. We’ll break down the core ideas behind this integration, why it matters, and how to implement it effectively.

Why Bring OPA Workflows to Slack and Teams?

OPA is widely used to enforce authorization policies in cloud-native applications. However, many decisions involve human approvals, particularly in production environments or when handling sensitive operations. Without clear workflows, managing approvals can result in bottlenecks or inefficiencies.

Slack and Teams are natural choices for interactive approvals because:

  • They centralize communications, making it easier to keep stakeholders in the loop.
  • They notify relevant approvers immediately, improving response times.
  • They simplify actions, like approving or rejecting requests, with buttons or quick commands.

Integrating these platforms with OPA policies pulls human approvals into the same automated workflows that ensure compliance, making the decision process straightforward and traceable.

The Core Workflow

At a high level, here’s what the approval process looks like:

  1. Policy Evaluation in OPA: A request triggers OPA to check the defined policy logic.
  2. Approval Needed: If a decision requires human input, OPA flags the request and sends the context (e.g., requester details, operation purpose) to Slack or Teams.
  3. Send Notification: Slack/Teams notify the designated approver(s) with all relevant details.
  4. Approve or Reject: Approvers can click a button to either allow or deny the request.
  5. Update Result: The decision is logged, and OPA updates the workflow accordingly.

This cycle ensures decisions are both compliant and collaborative without delaying operations for manual checks.

How to Implement an OPA-Based Approval Workflow

Here’s a step-by-step guide:

1. Define Policies in OPA

Start by writing your policy in Rego (OPA’s query language). For example, consider a policy where deploys to production require explicit human approval:

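package approvals

import rego.v1

# Production requests are allowed only when an approval has been recorded.
allow if {
    input.resource == "production"
    input.approved == true
}

# Production requests with no recorded approval are denied.
deny if {
    input.resource == "production"
    not input.approved
}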

This policy ensures that no production operations occur without approval.

2. Integrate with Slack or Teams via Webhooks

Configure your application to send messages to Slack or Teams when OPA hits an “approval required” status. Use their APIs to send interactive messages that contain context and approval buttons.

For example, a Slack message might include:

  • Request details (operation type, requester name).
  • Buttons for Approve and Reject.

3. Implement a Callback Listener

Set up an endpoint in your application to handle actions on Slack/Teams. When someone clicks “Approve” or “Reject,” the decision is sent back, and your workflow updates OPA accordingly.

For instance, after approval, your callback might add approved: true to the input data sent to OPA.

4. Automate Updates to OPA Decisions

Once your listener processes the human decision, re-evaluate the original policy. If it passes, the request continues; if not, it halts.

Let’s say the Slack approver clicked “Approve.” The OPA input would look like this:

{
 "resource": "production",
 "approved": true
}

Since the approved == true condition is met, the policy allows the request to proceed.

5. Keep a Decision Log

Integrating logging ensures that every approval or rejection is recorded for auditing purposes. This provides clear visibility into who approved what and when. Both Slack and Teams allow timestamps and user IDs to be captured automatically.
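Steps 3 to 5 hinge on the callback being trustworthy: `approved` must only ever be set from a click that verifiably came from Slack. The sketch below is an added example, not code from this post or from Hoop.dev. It checks Slack's v0 request signature and timestamp, looks the request up server-side, and returns the OPA input together with an audit record. The `pending` store, the `approve` action ID and the use of the button `value` as a request ID are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import time
from urllib.parse import parse_qs, urlencode

MAX_SKEW = 300  # seconds; older callbacks are treated as replays


def slack_signature(secret: bytes, timestamp: str, body: bytes) -> str:
    """Slack v0 signature: HMAC-SHA256 over b'v0:<timestamp>:<raw body>'."""
    base = b"v0:" + timestamp.encode() + b":" + body
    return "v0=" + hmac.new(secret, base, hashlib.sha256).hexdigest()


def handle_callback(secret, headers, body, pending, now=None):
    """Verify a button click, then return (opa_input, audit_record)."""
    now = time.time() if now is None else now
    ts = headers.get("X-Slack-Request-Timestamp", "")
    sig = headers.get("X-Slack-Signature", "")
    if not ts.isdecimal() or abs(now - int(ts)) > MAX_SKEW:
        raise PermissionError("stale or missing timestamp")
    expected = slack_signature(secret, ts, body)
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        raise PermissionError("signature mismatch")
    payload = json.loads(parse_qs(body.decode())["payload"][0])
    action = payload["actions"][0]
    # Look the request up server-side and consume it, so a click cannot be
    # replayed and the resource never comes from the chat payload.
    request = pending.pop(action["value"])  # KeyError if unknown or reused
    approved = action["action_id"] == "approve"  # anything else is a reject
    opa_input = {"resource": request["resource"], "approved": approved}
    audit = {"request_id": action["value"], "requester": request["requester"],
             "approver": payload["user"]["id"], "approved": approved,
             "decided_at": int(ts)}
    return opa_input, audit


def make_click(secret, request_id, action_id, user_id, ts):
    """Constructed sample callback, shaped like a Slack block_actions POST."""
    payload = {"type": "block_actions", "user": {"id": user_id},
               "actions": [{"action_id": action_id, "value": request_id}]}
    body = urlencode({"payload": json.dumps(payload)}).encode()
    headers = {"X-Slack-Request-Timestamp": str(ts),
               "X-Slack-Signature": slack_signature(secret, str(ts), body)}
    return headers, body
```

The returned `opa_input` is what gets sent to OPA for re-evaluation in step 4, and `audit` is the record to append to the decision log in step 5.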

Benefits of This Integration

  1. Improved Collaboration: Brings approvals to the tools your team already uses.
  2. Faster Response: Notifications ensure approvers are alerted in real time.
  3. Greater Auditability: Decisions are logged automatically, ensuring compliance with regulatory requirements.
  4. Seamless Automation: Aligns human decisions with OPA’s policy engine for consistent workflows.

See it in Action with Hoop.dev

Integrating OPA workflows with Slack or Teams sounds complex, but it doesn’t have to be. At Hoop.dev, we make it simple to set up approval workflows integrated with your favorite tools. With a live setup in just minutes, you can experience how straightforward policy-based automation can be.

Ready to take your OPA workflows to the next level? Explore how Hoop.dev bridges the gap between automation and collaboration today.
