Resourcely Documentation

Terraform policies integrated into CI

Creating and activating your first Guardrail


Last updated 2 months ago

This Quickstart assumes you have set up a scaffolding repo: GitHub Actions or GitLab Pipelines.

Guardrails are Terraform policies built for infrastructure, embedded into your developer workflows.

With Guardrails:

  1. Choose which rules you want to enforce, or write your own

  2. Evaluate and enforce Guardrails as part of your CI pipeline

  3. Remediate violations in your existing infrastructure

In this guide, we'll focus on evaluating and enforcing policies as part of a CI pipeline.

Write a Guardrail

Guardrails follow a readable syntax:

GUARDRAIL "Name of your Guardrail"
    WHEN some_resource_name
        REQUIRE <some behavior>
    OVERRIDE WITH APPROVAL @groupname

Navigate to Foundry and click Author a Guardrail to create a Guardrail for AWS RDS.
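The Guardrail content itself appears only as a screenshot in the original and is not reproduced in this text. The block below is a reconstruction added here, assembled from details the page gives later (the Guardrail name used in the "Change a parameter" section, the engine = "postgres" requirement that section deletes, and the @default approval group); it is not a block copied from Resourcely's documentation:

```really
GUARDRAIL "Ensure AWS RDS instances use PostgreSQL"
  WHEN aws_db_instance
    REQUIRE engine = "postgres"
  OVERRIDE WITH APPROVAL @default
```

The REQUIRE clause is what the evaluation checks: any aws_db_instance whose engine is not "postgres" produces a finding, and the OVERRIDE WITH APPROVAL line names the group whose approval lets such a change merge anyway.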

Copy the above Really code into the Guardrail Content field.

You're almost there! Let's make sure the Guardrail performs as we expect.

Test the Guardrail

Navigate to Developer Experience and click Generate Example. This will generate a Terraform example that you can alter.

resource "aws_db_instance" "sample_aws_db_instance" {
  engine = "postgres"
}

/// Example generates Terraform for testing a Guardrail

You can also paste your own Terraform for testing purposes. After you have created test Terraform, click Evaluate.

In our case, our test Terraform satisfies the Guardrail (its engine is "postgres"), so it would have passed evaluation and merging a PR with this code would not have been blocked.

Activating

To activate our new Guardrail, navigate to Define Metadata, give it a name and hit Publish Guardrail.

Our Guardrail is now Active, and will be evaluated in our CI pipeline whenever anyone tries to merge Terraform that includes an aws_db_instance resource.

Guardrails can be set to Evaluate Only mode, so that change requests are only annotated, not blocked. See Releasing Guardrails to learn more about the different Guardrail states.

Submit a PR to see the Guardrail in action

To embed Guardrails into your existing CI pipeline instead of using a scaffolding repo, find your setup under CI/CD & Terraform Runners.

Let's use some test Terraform to see how our Guardrails behave during CI. Add the following Terraform to your scaffolding repository's main.tf and submit a change request.

Test Terraform
resource "aws_db_instance" "my-db-name_fraMshbmm94dxGRa" {
  allocated_storage            = 50
  deletion_protection          = true
  monitoring_interval          = 0
  performance_insights_enabled = false
  multi_az                     = false
  storage_encrypted            = true
  db_name                      = "my-db-name"
  engine                       = "mysql"
  engine_version               = "16.4"
  instance_class               = "db.m1.medium"
  username                     = "username"
  password                     = "password"
  skip_final_snapshot          = false
}

/// Sample Terraform code. In this case we set MySQL for the engine

Wait for the Resourcely bot to evaluate the change request, and see what happens. You should see findings that block the merge, because the engine is "mysql" rather than "postgres".

Change a parameter

The Guardrail creation UI features autocomplete, which makes changing parameters a breeze. Go back to the Settings tab in Foundry and delete engine = "postgres". Type the letter "s" after REQUIRE and observe the menu that appears:

Autocompletion surfaces the parameters and Really syntax that can be used at that point; in this case they are the ones related to aws_db_instance.

Select skip_final_snapshot and set it to true, like the following:

GUARDRAIL "Ensure AWS RDS instances use PostgreSQL"
  WHEN aws_db_instance
    REQUIRE skip_final_snapshot = true
  OVERRIDE WITH APPROVAL @default

Now, try resubmitting your change request from earlier! You'll see new findings from the Resourcely bot.
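To make the three evaluations in this guide concrete (the generated example passing, the MySQL test Terraform failing, and the same Terraform failing again once the requirement becomes skip_final_snapshot = true), here is a small stand-alone model of how a REQUIRE clause is applied to Terraform, plus the Evaluate Only behaviour described under "Activating". It is an illustrative re-implementation written for this page, not Resourcely's engine or its Really parser: it only understands flat `key = value` attributes inside a resource block, and the two HCL inputs are constructed here from the page's snippets.

```python
"""Toy evaluator for a Guardrail's REQUIRE clause. Illustrative code written
for this page; it is not Resourcely's engine and handles flat attributes only."""
import re
from dataclasses import dataclass

# Matches `resource "type" "name" { ... }` for flat (non-nested) blocks.
RESOURCE_RE = re.compile(
    r'resource\s+"(?P<type>[^"]+)"\s+"(?P<name>[^"]+)"\s*\{(?P<body>.*?)\n\}',
    re.DOTALL,
)
# One `key = value` attribute per line.
ATTR_RE = re.compile(r'^\s*(?P<key>\w+)\s*=\s*(?P<val>.+?)\s*$', re.MULTILINE)


def _literal(raw: str):
    """Convert an HCL string/bool/int literal into a Python value."""
    raw = raw.strip()
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if raw in ("true", "false"):
        return raw == "true"
    try:
        return int(raw)
    except ValueError:
        return raw  # expressions and references are left as-is


def parse_resources(hcl: str) -> list[dict]:
    """Return one dict per resource block: type, name and flat attributes."""
    out = []
    for m in RESOURCE_RE.finditer(hcl):
        attrs = {a.group("key"): _literal(a.group("val"))
                 for a in ATTR_RE.finditer(m.group("body"))}
        out.append({"type": m.group("type"), "name": m.group("name"), "attrs": attrs})
    return out


@dataclass
class Guardrail:
    """One REQUIRE clause: resources of type `when` must have attribute == required."""
    name: str
    when: str
    attribute: str
    required: object
    approvers: str = "@default"      # OVERRIDE WITH APPROVAL group
    evaluate_only: bool = False      # Evaluate Only: annotate, never block


@dataclass
class Finding:
    guardrail: str
    resource: str
    message: str
    blocks_merge: bool


def evaluate(hcl: str, guardrails: list[Guardrail]) -> list[Finding]:
    """Apply every Guardrail to every resource of its WHEN type."""
    findings = []
    for res in parse_resources(hcl):
        for g in guardrails:
            if res["type"] != g.when:
                continue
            actual = res["attrs"].get(g.attribute)
            if actual != g.required:
                findings.append(Finding(
                    guardrail=g.name,
                    resource=f'{res["type"]}.{res["name"]}',
                    message=(f"{g.attribute} is {actual!r}, required {g.required!r}; "
                             f"override needs approval from {g.approvers}"),
                    blocks_merge=not g.evaluate_only,
                ))
    return findings


def merge_blocked(findings: list[Finding]) -> bool:
    """A change request is blocked if any finding comes from a blocking Guardrail."""
    return any(f.blocks_merge for f in findings)


# Constructed inputs mirroring the page's two Terraform snippets (abridged).
GENERATED_EXAMPLE = '''
resource "aws_db_instance" "sample_aws_db_instance" {
  engine = "postgres"
}
'''
TEST_TERRAFORM = '''
resource "aws_db_instance" "my-db-name_fraMshbmm94dxGRa" {
  engine              = "mysql"
  skip_final_snapshot = false
  storage_encrypted   = true
}
'''
POSTGRES_RULE = Guardrail("Ensure AWS RDS instances use PostgreSQL",
                          "aws_db_instance", "engine", "postgres")
SNAPSHOT_RULE = Guardrail("Ensure AWS RDS instances use PostgreSQL",
                          "aws_db_instance", "skip_final_snapshot", True)

if __name__ == "__main__":
    for label, hcl, rule in [("generated example", GENERATED_EXAMPLE, POSTGRES_RULE),
                             ("test Terraform", TEST_TERRAFORM, POSTGRES_RULE),
                             ("changed parameter", TEST_TERRAFORM, SNAPSHOT_RULE)]:
        fs = evaluate(hcl, [rule])
        print(f"{label}: blocked={merge_blocked(fs)}")
        for f in fs:
            print("  ", f.resource, "-", f.message)
```

Running it prints no findings for the generated example, one blocking finding for the MySQL test Terraform, and, after swapping in SNAPSHOT_RULE, a new blocking finding because the test resource sets skip_final_snapshot = false. Setting evaluate_only=True on a Guardrail keeps the finding but clears blocks_merge, which is the annotate-only behaviour of Evaluate Only mode.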

Pre-built Guardrails

Resourcely features hundreds of pre-built Terraform policies, and policy packs that align with popular standards such as CIS, HITRUST, PCI, and more. You can find these Guardrails in Foundry, under the Guardrail starter dropdown.

Next steps

[Figure: Result of testing a Guardrail]
[Figure: Guardrail autocompletion in Foundry]