Terraform policies integrated into CI

Guardrails are Terraform policies built for infrastructure, embedded into your developer workflows.

With Guardrails:

1. Choose which rules you want to enforce, or write your own

2. Evaluate and enforce Guardrails as part of your CI pipeline

3. Remediate violations in your existing infrastructure

In this guide, we'll focus on evaluating and enforcing policies as part of a CI pipeline.

Write a Guardrail

Guardrails follow a readable syntax:

GUARDRAIL "Name of your Guardrail"
    WHEN some_resource_name
        REQUIRE <some behavior>
    OVERRIDE WITH APPROVAL @groupname

Navigate to Foundry and click Author a Guardrail to create a Guardrail for AWS RDS.

GUARDRAIL "Ensure AWS RDS instances use PostgreSQL"
  WHEN aws_db_instance
    REQUIRE engine = "postgres"
  OVERRIDE WITH APPROVAL @default

Copy the above Really code into the Guardrail Content field.

Test the Guardrail

Navigate to Developer Experience and click Generate Example. This will generate a Terraform example that you can alter.

resource "aws_db_instance" "sample_aws_db_instance" {
  engine = "postgres"
}

/// Example generates Terraform for testing a Guardrail

You can also paste your own Terraform for testing purposes. After you have created test Terraform, click Evaluate.

In our case, our test Terraform would have passed our Guardrail evaluation and merging any PR with this code would not have been blocked.

Activating

To activate our new Guardrail, navigate to Define Metadata, give it a name and hit Publish Guardrail.

Our Guardrail is now Active, and will be evaluated in our CI pipeline whenever anyone tries to merge Terraform that includes an aws_db_instance resource.

Submit a PR to see the Guardrail in action

Let's use some test Terraform to see how our Guardrails before during CI. Add the following Terraform to your scaffolding repository's main.tf and submit a change request.

resource "aws_db_instance" "my-db-name_fraMshbmm94dxGRa" {
  allocated_storage            = 50
  deletion_protection          = true
  monitoring_interval          = 0
  performance_insights_enabled = false
  multi_az                     = false
  storage_encrypted            = true
  db_name                      = "my-db-name"
  engine                       = "mysql"
  engine_version               = "16.4"
  instance_class               = "db.m1.medium"
  username                     = "username"
  password                     = "password"
  skip_final_snapshot          = false
}

/// Sample Terraform code. In this case we set MySQL for the engine

Wait for the Resourcely bot to evaluate the change request, and see what happens. You should see some findings that block merge!

Change a parameter

The Guardrail creation UI features autocomplete, which makes changing parameters a breeze. Go back to the Settings tab in Foundry and delete engine = "postgres". Type the letter "s" after REQUIRE and observe the menu that appears:

Autocompletion surfaces possible parameters or Really syntax that could be used, that are related to aws_db_instance in this case.

Select skip_final_snapshot and set it to true, like the following:

GUARDRAIL "Ensure AWS RDS instances use PostgreSQL"
  WHEN aws_db_instance
    REQUIRE skip_final_snapshot = true
  OVERRIDE WITH APPROVAL @default

Now, try resubmitting your change request from earlier! You'll see new findings from the Resourcely bot.

Pre-built Guardrails

Resourcely features hundreds of pre-built Terraform policies, and policy packs that align with popular standards such as CIS, HITRUST, PCI, and more.

You can find these Guardrails in the Foundry, under the Guardrail starter dropdown.

Next steps