dd-trace-rb VS OPA (Open Policy Agent)

This action starts two Ruby on Rails APIs, one instrumented with ddtrace and another with OpenTelemetry SDK, both connecting to an OpenTelemetry Collector that sends data to Jaeger:

Thing is, once you have 1) and 2), the added complexity of bringing in, integrating, and writing for a different tool to achieve 3) begins to make little sense, when you can just go along and do it just as well in rspec anyway... It's a matter of balance and heavily depends on the project.

> if you're still at Datadog

As a matter of fact I am. Feel free to shoot me an email.

    curl -s https://github.com/DataDog/dd-trace-rb/commit/176c642ca73679cabc5fa1a113bc9b600aa04dcd.patch | grep '^From:'

> For myself, I'm fine with the typing being in a separate .rbs file

We type[0] by having one separate .rbs file per .rb file. Works really well with an editor's vertical splits: type outline on one side, code on the other. That, or use something like vim-projectionist[1].

[0]: (WIP: there's a huge codebase to type, but we're progressively getting there) https://github.com/DataDog/dd-trace-rb/tree/master/sig

[1]: https://github.com/tpope/vim-projectionist

Thanks! I'll pass it on to the team :D

I've got to say, the folks at Intercom made it particularly fun. They were sending us traces and graphs from their internal systems when we trying to figure out some issues with them (e.g. we ran into this datadog context problem: https://github.com/DataDog/dd-trace-rb/issues/1389)

OPA (Open Policy Agent) https://www.openpolicyagent.org Add policy checks and guardrails to your Terraform/OpenTofu plans without hardcoding rules.

The only production experience I have with logic programming is OPA Rego for writing security policies (not sure it's a "pure" logic language but feels like the primary paradigm).

I found it pretty interesting for that use case, although the learning curve isn't trivial for traditional devs.

https://www.openpolicyagent.org/

Policy-as-code is one of those things that everyone knows should be done, but in practice is rarely implemented.

We believe this is caused by the combination of the following 2 factors:

- OPA [1] and tools like cloud custodian [2] are cumbersome to set up, so writing even a single policy/ setting it up in your organisation takes a lot of effort.

- Each policy project needs to start from scratch because policies aren't re-usable

Infrabase checks your infra with an LLM instead of policies directly (currently a combination of gemini-2.5-pro-preview-05-06 and o4-mini). You can write your own policies as natural language [3] prompts to customize behaviour.

This is still early: non-determinism and latency are open problems. But for most teams, “some guard-rails today” beats “perfect rego never”, and llm's are only getting better.

We'd love your feedback on it!

[1] OPA: https://github.com/open-policy-agent/opa

Security at scale: Automate secrets management with Vault, enforce policies using OPA.

OPA (Open Policy Agent) Policy-as-code framework to enforce infra rules

Policy-as-code with tools like OPA

Perfect for bundling extensive resources like opa policies

External Authorization System Using Policy engines like SpiceDB, OpenFGA, ORY Keto, OpenPolicy Agent (OPA), let you put your ReBAC rules in an external system and reference them from your queries. The main benefit you get from the centralized relationships model is it makes it possible to manage authorization centrally. This means that development teams can create new applications and add new relationships without needing to update any application code.

Going multicloud and multi-cluster can make it harder to maintain continual oversight of your security posture. Different clouds and cluster distributions may have their own security defaults and policy engines, so you need a mechanism that permits you to centrally roll out new configurations and compliance controls. Standardizing on a well-supported policy model such as Open Policy Agent (OPA) will make it easier to apply consistent settings to all your environments.

Open Policy Agent is an open-source policy engine recently graduated by the Cloud Native Computing Foundation (CNCF). Developed by the community and maintained by Styra, the OPA project aims to offer a unified framework to define, manage, and enforce policies through policies-as-code (PaC) across the technology stack layers of cloud-native applications.