Skip to main content

Styra Link Workflow

The Styra Link Workflow is focused on the lifecycle of policies in a Styra DAS system. First, a new System is initialized and installed. Then policy code cycles through authoring, testing, validating, and deployment. Styra Link provides commands to facilitate each step of this workflow.

Initialize the System

To get started with Styra Link, you first initialize a System, linking your local policies with a Styra DAS System. You can link either a new System or an existing System.

To initialize a System, run the following command:

styra link init

This starts an interactive set of prompts to set up the System. Alternatively, the command accepts flags allowing you to set all values while invoking the command rather than answering interactively.

  • Name: The name of the Styra Link project. This will also be the name of your System in Styra DAS. If you are linking an existing System, the name must match the System's name in Styra DAS so that Styra Link can find and connect to it.
  • Type: The type of project you create (for example, Envoy, Kubernetes, or Terraform). The interactive prompt will provide a list of options to choose from.
  • Policy Storage Path: The directory path where your policy code will live inside your repository. A directory is created with this name, and all policies are contained within it. Styra Link is designed to live within a larger code base, for example, an application or Terraform project. You can choose any path or use the default directory authorization.
  • Git Integration: You can configure Styra DAS Git integration at initialization time, or you can set it up later using the styra link config git command.

Once your project is initialized, you will see a new .styra directory and the policy directory you chose (in this example, authorization).

The .styra directory contains all the configuration files and resources Styra Link needs to connect your local project with Styra DAS. Inside your policy directory (located at the policy storage path you chose), you will see both a bundle folder and a src folder.

  • bundle: A local copy of the bundle that Styra DAS sends to OPA. This includes any policy code from Stacks or Libraries. The bundle directory is added to .gitignore.
  • src: The directory where you author your policies.

Run styra link bundle update to apply changes from your ‘src’ directory to the local bundle. This is done automatically when running commands like ‘test’ and ‘validate’. If you have modified the bundle in Styra DAS (for example, adding a Stack to the System or adding a new Data Source), run styra link bundle update -r to refresh your local copy with a fresh one from Styra DAS.

Install the System

A project initialized with a new System must be installed. Installing a System allows Styra DAS to manage policy decisions through OPA. The requirements will differ among System types. For example, an Envoy System requires running kubectl commands to add OPA and Envoy sidecars, while a Terraform System requires downloading a configuration file to use when validating the output of a Terraform plan. Each System has specific installation instructions.

To get installation instructions for your System run the following command:

styra link config install

Installation instructions are organized into different categories. Categories represent the different ways a System can be installed (for example, in a Kubernetes System you can install the System using kubectl, helm, helm3, or kustomize). Instructions are filterable by category, or you can use the --interactive flag to select an installation category interactively.


To uninstall your System styra link config uninstall provides the required commands. These are organized into categories similar to the install instructions. Depending on the installation category you used, use the corresponding uninstallation category when available to ensure everything is properly uninstalled.

Author Policies

To author policies, you create, update, or delete Rego files inside the src directory using a code editor.

The CLI tool also supports adding library rules provided by Styra DAS with the styra link rules command. The search subcommand allows you to search through and get information about available rules, while the use subcommand will output the Rego snippet, which can be copied into your policy files. You can use the --interactive flag on either subcommand to interactively find an available rule.

To search for rules applicable to your System, run the following command:

styra link rules search

To use a rule you found by running search, run the following command:

styra link rules use [flags]

Unit Test your Policies

Once you have updated your policy code, Styra Link allows you to run any unit tests you have authored without publishing the modified code to your Styra DAS System. Styra Link runs your unit tests in the context of your full policy bundle, including any Stack or Library Rego code.

To run your policy unit tests, run the following command:

styra link test

Validate Your Changes

Validating policy changes against previously made decisions provides additional confidence in your Rego code. Styra DAS collects decisions from OPA and stores them. With Styra Link, you can evaluate the input from stored decisions against your locally updated policy code. This provides insight into what decisions would have been different if the new policy code had been in place at the time of the decisions.

To run previous decisions against your latest policy code, run the following command:

styra link validate decisions

Deploy New Policies

Styra Link uses Styra DAS Git integration for policy deployment. Git integration can be configured when a System is initialized or set up using the styra link config git command.

To configure Git integration you will need a local Git repository, a remote Git repository (for example, GitHub), and your credentials for the remote repository (either HTTPS or SSH). Your local repository must reside at the root of your project alongside your .styra/ directory. This is how Styra Link understands the mapping of your authored policy files into Styra DAS. Styra Link Git configuration works best if your local repository already has the remote repository added before configuring Styra DAS Git integration.

To configure Git integration for a Styra Link project, run the following command:

styra link config git

  • URL: The remote repository URL. This can be either HTTPS or SSH style, depending on the type of authentication you choose.
  • Username: The username for an HTTPS Git connection.
  • Secret: The password or token for an HTTPS Git connection.
  • Private Key File Path: The location of the SSH private key file for an SSH Git connection.
  • Passphrase: The private key passphrase for an SSH Git connection. Leave this blank or use the --skip-passphrase flag if your key does not require one.
  • Git Reference (how to sync your policies): You can have Styra DAS track a Git branch, use a specific Git SHA hash, or use a Git tag when syncing policies.

Once your System is configured for Git, your policies are compiled into a bundle and sent to all configured OPAs based on your chosen Git reference. If you configure a ‘branch’ reference, any changes pushed to that branch will trigger a new bundle build. If you configure a Git commit SHA hash or a tag, you must update the configuration to use a new hash or tag. Once the configuration is updated, Styra DAS will build and deploy a new bundle.

To update your Git reference, you do not need to provide Git credentials again. The --update-ref flag allows reconfiguration of the reference used only. When this option is used, all URL and credential input is ignored.

To reconfigure your git reference only, run the following command:

styra link config git --update-ref


If you try to initialize a System with Styra Link that already has Git configuration, it will fail. The Styra Link workflow expects a specific setup for Git. If you would like to reconfigure a System to work with Styra Link, you will first need to remove the current Git configuration, initialize the System with Styra Link, and then configure Git syncing. This ensures file mappings for Styra DAS are correct in the Git repository.

Compliance Validation

If you are using Styra Link with a System type that supports compliance monitoring (for example, Kubernetes), you can run a compliance check against your locally updated files by running the following command:

styra link validate compliance


Compliance checks your System’s resources against the currently authored rules set to monitor or enforce mode. If a resource exists that would have been denied by any of those rules, it will show up as a compliance violation. To validate compliance against a specific standard, author rules to enforce that standard and then use the compliance tooling to check the current state of your System against those rules.

Releasing policy code using CI/CD

You can use Styra Link within a continuous deployment system using the styra link publish command. This example uses GitHub actions, but this concept can be adapted for most available continuous deployment systems.

To deploy code on publish using GitHub actions, first create a new GitHub workflow in your project:


name: Deploy updated policy code

types: [published]


runs-on: ubuntu-latest
- uses: actions/checkout@v3
- name: deploy-policy
uses: docker://styra/cli:latest
args: link config git --update-ref --tag ${{ github.ref_name }}

This simple workflow configures the Styra CLI using environment variables. The Styra CLI Docker container runs the Styra Link command, which updates the Git reference to the newly published release tag. Note that it is best not to use the ‘latest’ tag in your workflow. You should use the tag corresponding to the Styra CLI version you have tested with your project. Once the workflow is defined, commit it to your GitHub remote repository.

With the workflow in place at GitHub, whenever a new release is published the workflow runs and updates the Styra DAS Git reference to track the release tag. Standard Git tags not associated with a GitHub release will not deploy new policy code.