First Guardrail

Guardrails are policies built for infrastructure, embedded into your developer workflows.

Use Guardrails to define rules that are enforced as part of your existing CI pipeline and expose those rules to developers as part of Blueprint forms. Build highly custom workflows, take context into account, and route Terraform that violates your Guardrails for approval.

With Guardrails:

1. Write Guardrails using Really, Resourcely's policy-as-code language

2. Test Guardrails to see how they will behave

3. (Optionally) Integrate Guardrails into Blueprints, giving developers feedback at time of configuration

4. Evaluate and enforce Guardrails as part of your CI pipeline

Write a Guardrail

Guardrails follow a basic syntax:

GUARDRAIL "Name of your Guardrail"
    WHEN some_resource_name
        REQUIRE <some behavior>
    OVERRIDE WITH APPROVAL @groupname

Navigate to Foundry and click Author a Guardrail to create a Guardrail for AWS RDS.

GUARDRAIL "Ensure AWS RDS instances use PostgreSQL"
  WHEN aws_db_instance
    REQUIRE engine = "postgres"
  OVERRIDE WITH APPROVAL @default

Copy the above Really code into the Guardrail Content field.

Test the Guardrail

Navigate to Developer Experience and click Generate Example. This will generate a Terraform example that you can alter.

resource "aws_db_instance" "sample_aws_db_instance" {
  engine = "postgres"
}

/// Example generates Terraform for testing a Guardrail

You can also paste your own Terraform for testing purposes. After you have created test Terraform, click Evaluate.

In our case, our test Terraform would have passed our Guardrail evaluation and merging any PR with this code would not have been blocked.

Generate your own test

Let's use some Terraform from the First Blueprintwe created in our test:

resource "aws_db_instance" "my-db-name_fraMshbmm94dxGRa" {
  allocated_storage            = 50
  deletion_protection          = true
  monitoring_interval          = 0
  performance_insights_enabled = false
  multi_az                     = false
  storage_encrypted            = true
  db_name                      = "my-db-name"
  engine                       = "mysql"
  engine_version               = "16.4"
  instance_class               = "db.m1.medium"
  username                     = "username"
  password                     = "password"
  skip_final_snapshot          = false
}

/// Code we generated from our Blueprint. In this case we chose MySQL for the engine

If we hit Evaluate, we'll see that our test Terraform had mysql for the engine parameter, violating our Guardrail.

Change a parameter

The Guardrail creation UI features autocomplete, which makes changing parameters a breeze. Go back to the Settings tab in Foundry and delete engine = "postgres". Type the letter "s" after REQUIRE and observe the menu that appears:

Autocompletion surfaces possible parameters or Really syntax that could be used, that are related to aws_db_instance in this case.

Select skip_final_snapshot and set it to true, like the following:

GUARDRAIL "Ensure AWS RDS instances use PostgreSQL"
  WHEN aws_db_instance
    REQUIRE skip_final_snapshot = true
  OVERRIDE WITH APPROVAL @default

Activating

To activate our new Guardrail, navigate to Define Metadata, give it a name and hit Publish Guardrail.

Our Guardrail is now Active, and will be evaluated in our CI pipeline whenever anyone tries to merge Terraform that includes an aws_db_instance resource.

Attaching to Blueprints

This Guardrail will also be applied to Blueprints that features aws_db_instance resources. You can customize this in the Customize Guardrails section when editing or creating Blueprints.

If you created the RDS Blueprint in the First Blueprint section, you should see the Guardrail that you just named attached to your Blueprint. This will appear in the Blueprint form when developers are configuring infrastructure:

Next steps

Check out creating your First Resource to see how Blueprints and Guardrails are used by developers to create cloud resources while integrating into your existing change management and CI pipeline.