Skip to main content

Rego Built-in Function: regex.template_match

regex.template_match() is an advanced function for matching inputs against complex patterns. Sometimes, an input string needs to be validated as a series of distinct components. This function allows you to offer patterns to validate specific parts of the string separately.


Before continuing, make sure your use case is not solved by the simpler regex.match() or glob.match functions.

This functions are easier to use and thus less error prone for simpler use cases.


Advanced path pattern matching

In the example that follows, we have a complex path which represents an AWS ARN owned by a project with a UUID v4 identifier. The path is validated in two parts using two separate patterns, each contained to particular segments of the path.

# policy.rego
uuid_v4_pattern := `[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}`

aws_arn_pattern := `arn:(aws[a-zA-Z-]*):([a-zA-Z0-9-]+):([a-zA-Z0-9-]*):([0-9]*):([a-zA-Z0-9-:/]+)`

path := "/projects/10ceef56-2b18-4cf7-895f-14d2dc45cc66/arn:aws:ec2:us-west-2:123456789012:instance/i-1234567890abcdef0"

path_pattern_template := sprintf("/projects/{%s}/{%s}", [

matches := regex.template_match(path_pattern_template, path, "{", "}")

Run in OPA Playground

RuleOutput ValueNotes
matchestrueThe path is a valid UUID followed by a valid AWS ARN.