First Guardrail
Creating and activating your first Guardrail
Last updated
Creating and activating your first Guardrail
Last updated
Guardrails are policies built for infrastructure, embedded into your developer workflows.
Use Guardrails to define rules that are enforced as part of your existing CI pipeline and expose those rules to developers as part of Blueprint forms. Build highly custom workflows, take context into account, and route Terraform that violates your Guardrails for approval.
With Guardrails:
Write Guardrails using Really
, Resourcely's policy-as-code language
Test Guardrails to see how they will behave
(Optionally) Integrate Guardrails into Blueprints, giving developers feedback at time of configuration
Evaluate and enforce Guardrails as part of your CI pipeline
Guardrails follow a basic syntax:
Navigate to Foundry and click Author a Guardrail to create a Guardrail for AWS RDS.
Copy the above Really code into the Guardrail Content field.
You're almost there! Let's make sure the Guardrail performs as we expect
Navigate to Developer Experience and click Generate Example. This will generate a Terraform example that you can alter.
You can also paste your own Terraform for testing purposes. After you have created test Terraform, click Evaluate.
In our case, our test Terraform would have passed our Guardrail evaluation and merging any PR with this code would not have been blocked.
Let's use some Terraform from the First Blueprintwe created in our test:
If we hit Evaluate, we'll see that our test Terraform had mysql
for the engine
parameter, violating our Guardrail.
The Guardrail creation UI features autocomplete, which makes changing parameters a breeze. Go back to the Settings tab in Foundry and delete engine = "postgres"
. Type the letter "s" after REQUIRE
and observe the menu that appears:
Autocompletion surfaces possible parameters or Really syntax that could be used, that are related to aws_db_instance
in this case.
Select skip_final_snapshot
and set it to true, like the following:
To activate our new Guardrail, navigate to Define Metadata, give it a name and hit Publish Guardrail.
Our Guardrail is now Active, and will be evaluated in our CI pipeline whenever anyone tries to merge Terraform that includes an aws_db_instance
resource.
Guardrails can have different states, which allow you to roll them out in an incremental way. Check out Releasing Guardrails to learn more.
This Guardrail will also be applied to Blueprints that features aws_db_instance
resources. You can customize this in the Customize Guardrails section when editing or creating Blueprints.
If you created the RDS Blueprint in the First Blueprint section, you should see the Guardrail that you just named attached to your Blueprint. This will appear in the Blueprint form when developers are configuring infrastructure:
Check out creating your First Resource to see how Blueprints and Guardrails are used by developers to create cloud resources while integrating into your existing change management and CI pipeline.