Styra CLI
The Styra CLI provides the full power of Styra from your terminal.
Install the CLI
The CLI binaries listed in this section are for version 0.10.4.
- Download the CLI for your system by executing the following command on your terminal:
curl -o styra ${STYRA_CLI_URL}
OS | Download Link |
---|---|
macOS M1 (ARM CPU) | darwin/arm64/styra |
macOS (Intel CPU) | darwin/amd64/styra |
Linux (ARM CPU) | linux/arm64/styra |
Linux (Intel CPU) | linux/amd64/styra |
Windows | windows/amd64/styra.exe |
- Copy the downloaded file as styra or styra.exe in your shell's executable path.
mv styra /usr/local/bin/styra
- On Mac and Linux systems, the downloaded file must be made executable. To change the permissions of the installed file, run:
chmod u+x /usr/local/bin/styra
- Test the installation.
styra --help
If you are using a Mac and see an error that Styra CLI "can't be opened because Apple cannot check it for malicious software" you can add an exception by running:
xattr -d com.apple.quarantine /usr/local/bin/styra
This is only necessary once after installing a new version of the CLI.
Docker Container
The official build of the Styra CLI is located on hub.docker.com/r/styra-cli.
Run the CLI by executing docker run -v $HOME:/home/styra styra/cli and use the following instructions.
Install the Custom CA Certificates
Services that the Styra CLI must access can be configured with a server certificate
issued by a custom CA. To validate the certificate presented by the
service, the corresponding CA certificate must be added to the Styra CLI client.
You can use the environment variable SSL_CERT_DIR to point to the directory
where the CA certificate(s) are located in the container. The CA certificates
directory can be mounted using the Docker volume option (-v) when starting the
Styra or CLI container.
For example:
docker run -v $HOME:/home/styra \
-v /host/etc/certs:/container/etc/certs \
-e SSL_CERT_DIR="/container/etc/certs" \
styra/cli
Create a Configuration File
The Styra CLI needs your organization ID and an authentication token. You may
provide these values from a configuration file or from environment variables. The
command ./styra configure can be used to create a configuration file.
The following values can be retrieved from environment variables:
ENV | VALUE |
---|---|
STYRA_ORGANIZATION_ID | <das-id>.styra.com |
STYRA_TOKEN | Use value from Step 1 |
For example:
STYRA_ORGANIZATION_ID='<das-id>.styra.com' \
STYRA_TOKEN='<value from token created in UI>' \
./styra
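The Docker invocation, the custom CA directory and the environment-variable credentials described above can be combined into one wrapper. This is an added example, not part of the Styra documentation: the function name styra_in_docker and the DOCKER override are hypothetical, and it assumes the styra/cli container reads STYRA_ORGANIZATION_ID and STYRA_TOKEN from its environment as the native binary does.

```shell
# Added example, not Styra's own script.
# Assumptions: the styra/cli container reads STYRA_ORGANIZATION_ID and
# STYRA_TOKEN from its environment as the native binary does; the function
# name and the DOCKER override are hypothetical.

DOCKER=${DOCKER:-docker}   # overridable so the command line can be inspected

styra_in_docker() {
    certs_dir=$1
    shift

    # Credentials come from the caller's environment, never from arguments.
    if [ -z "${STYRA_ORGANIZATION_ID:-}" ] || [ -z "${STYRA_TOKEN:-}" ]; then
        echo "STYRA_ORGANIZATION_ID and STYRA_TOKEN must be set" >&2
        return 2
    fi
    export STYRA_ORGANIZATION_ID STYRA_TOKEN

    # The CA directory is a trust anchor: refuse one that is missing or that
    # any local user could drop a certificate into.
    if [ ! -d "$certs_dir" ]; then
        echo "CA directory not found: $certs_dir" >&2
        return 3
    fi
    if [ -n "$(find -H "$certs_dir" -prune -perm -0002)" ]; then
        echo "CA directory is world-writable: $certs_dir" >&2
        return 4
    fi

    # "-e NAME" without "=value" copies the variable from the caller's
    # environment, keeping the token out of argv and shell history.
    # ":ro" mounts the CA directory read-only; "--rm" removes the container
    # on exit so its environment does not linger in `docker inspect`.
    "$DOCKER" run --rm \
        -v "$HOME:/home/styra" \
        -v "$certs_dir:/container/etc/certs:ro" \
        -e SSL_CERT_DIR=/container/etc/certs \
        -e STYRA_ORGANIZATION_ID \
        -e STYRA_TOKEN \
        styra/cli "$@"
}
```

Call it as styra_in_docker /host/etc/certs followed by the CLI arguments; setting DOCKER=echo prints the resulting command line instead of running it.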
Evaluate Policies
The Styra CLI embeds OPA in a sub-command called vet that evaluates policies
against a JSON file on a laptop or in a CI/CD pipeline. This allows the Styra CLI to
be used with Terraform to check Terraform plans against OPA policies.
The styra-cli vet command accepts a list of files or directories on the
command line and uses the OPA configuration from the current directory (the
location of the OPA configuration can be changed through the --opaconfig
command line flag). The OPA configuration helps styra-cli determine the
system on DAS to vet the plan against.
On invocation, vet collects all JSON and YAML files from the provided directories,
runs the targeted system's main rule with each file's contents as input, and
displays the results. It also produces decision logs like OPA would normally
do. This can be used for any system type and for cases besides Terraform. For
Terraform, it is already pre-configured in such a way that you can use
styra-cli vet to validate your Terraform plan files after converting them to
JSON.