Terraform policies integrated into CI

Creating and activating your first Guardrail

PreviousQuickstart NextRemediate policy violations in existing infrastructure

Last updated 2 months ago

Terraform policies integrated into CI

Creating and activating your first Guardrail

This Quickstart assumes you have set up a scaffolding repo: or

Guardrails are Terraform policies built for infrastructure, embedded into your developer workflows.

With Guardrails:

Choose which rules you want to enforce, or write your own
Evaluate and enforce Guardrails as part of your CI pipeline
Remediate violations in your existing infrastructure

In this guide, we'll focus on evaluating and enforcing policies as part of a CI pipeline.

Write a Guardrail

Guardrails follow a readable syntax:

GUARDRAIL "Name of your Guardrail"
    WHEN some_resource_name
        REQUIRE <some behavior>
    OVERRIDE WITH APPROVAL @groupname

Navigate to and click Author a Guardrail to create a Guardrail for AWS RDS.

Copy the above Really code into the Guardrail Content field.

You're almost there! Let's make sure the Guardrail performs as we expect

Test the Guardrail

Navigate to Developer Experience and click Generate Example. This will generate a Terraform example that you can alter.

resource "aws_db_instance" "sample_aws_db_instance" {
  engine = "postgres"
}

/// Example generates Terraform for testing a Guardrail

You can also paste your own Terraform for testing purposes. After you have created test Terraform, click Evaluate.

In our case, our test Terraform would have passed our Guardrail evaluation and merging any PR with this code would not have been blocked.

Activating

To activate our new Guardrail, navigate to Define Metadata, give it a name and hit Publish Guardrail.

Our Guardrail is now Active, and will be evaluated in our CI pipeline whenever anyone tries to merge Terraform that includes an aws_db_instance resource.

Guardrails can be set to Evaluate Only mode, so that change requests will only be annotated, but not blocked. See Releasing Guardrailsto learn more about different Guardrail states.

Submit a PR to see the Guardrail in action

To embed into your existing CI pipeline instead of using a scaffolding repo, find your setup at CI/CD & Terraform Runners

Let's use some test Terraform to see how our Guardrails before during CI. Add the following Terraform to your scaffolding repository's main.tf and submit a change request.

Test Terraform

resource "aws_db_instance" "my-db-name_fraMshbmm94dxGRa" {
  allocated_storage            = 50
  deletion_protection          = true
  monitoring_interval          = 0
  performance_insights_enabled = false
  multi_az                     = false
  storage_encrypted            = true
  db_name                      = "my-db-name"
  engine                       = "mysql"
  engine_version               = "16.4"
  instance_class               = "db.m1.medium"
  username                     = "username"
  password                     = "password"
  skip_final_snapshot          = false
}

/// Sample Terraform code. In this case we set MySQL for the engine

Wait for the Resourcely bot to evaluate the change request, and see what happens. You should see some findings that block merge!

Change a parameter

The Guardrail creation UI features autocomplete, which makes changing parameters a breeze. Go back to the Settings tab in Foundry and delete engine = "postgres". Type the letter "s" after REQUIRE and observe the menu that appears:

Autocompletion surfaces possible parameters or Really syntax that could be used, that are related to aws_db_instance in this case.

Select skip_final_snapshot and set it to true, like the following:

GUARDRAIL "Ensure AWS RDS instances use PostgreSQL"
  WHEN aws_db_instance
    REQUIRE skip_final_snapshot = true
  OVERRIDE WITH APPROVAL @default

Now, try resubmitting your change request from earlier! You'll see new findings from the Resourcely bot.

Pre-built Guardrails

Resourcely features hundreds of pre-built Terraform policies, and policy packs that align with popular standards such as CIS, HITRUST, PCI, and more.

Next steps

PreviousQuickstart NextRemediate policy violations in existing infrastructure

Last updated 2 months ago

This Quickstart assumes you have set up a scaffolding repo: or

Guardrails are Terraform policies built for infrastructure, embedded into your developer workflows.

With Guardrails:

Choose which rules you want to enforce, or write your own
Evaluate and enforce Guardrails as part of your CI pipeline
Remediate violations in your existing infrastructure

In this guide, we'll focus on evaluating and enforcing policies as part of a CI pipeline.

Write a Guardrail

Guardrails follow a readable syntax:

GUARDRAIL "Name of your Guardrail"
    WHEN some_resource_name
        REQUIRE <some behavior>
    OVERRIDE WITH APPROVAL @groupname

Navigate to and click Author a Guardrail to create a Guardrail for AWS RDS.

Copy the above Really code into the Guardrail Content field.

You're almost there! Let's make sure the Guardrail performs as we expect

Test the Guardrail

Navigate to Developer Experience and click Generate Example. This will generate a Terraform example that you can alter.

resource "aws_db_instance" "sample_aws_db_instance" {
  engine = "postgres"
}

/// Example generates Terraform for testing a Guardrail

You can also paste your own Terraform for testing purposes. After you have created test Terraform, click Evaluate.

In our case, our test Terraform would have passed our Guardrail evaluation and merging any PR with this code would not have been blocked.

Activating

To activate our new Guardrail, navigate to Define Metadata, give it a name and hit Publish Guardrail.

Our Guardrail is now Active, and will be evaluated in our CI pipeline whenever anyone tries to merge Terraform that includes an aws_db_instance resource.

Guardrails can be set to Evaluate Only mode, so that change requests will only be annotated, but not blocked. See Releasing Guardrailsto learn more about different Guardrail states.

Submit a PR to see the Guardrail in action

To embed into your existing CI pipeline instead of using a scaffolding repo, find your setup at CI/CD & Terraform Runners

Let's use some test Terraform to see how our Guardrails before during CI. Add the following Terraform to your scaffolding repository's main.tf and submit a change request.

Test Terraform

resource "aws_db_instance" "my-db-name_fraMshbmm94dxGRa" {
  allocated_storage            = 50
  deletion_protection          = true
  monitoring_interval          = 0
  performance_insights_enabled = false
  multi_az                     = false
  storage_encrypted            = true
  db_name                      = "my-db-name"
  engine                       = "mysql"
  engine_version               = "16.4"
  instance_class               = "db.m1.medium"
  username                     = "username"
  password                     = "password"
  skip_final_snapshot          = false
}

/// Sample Terraform code. In this case we set MySQL for the engine

Wait for the Resourcely bot to evaluate the change request, and see what happens. You should see some findings that block merge!

Change a parameter

Autocompletion surfaces possible parameters or Really syntax that could be used, that are related to aws_db_instance in this case.

Select skip_final_snapshot and set it to true, like the following:

GUARDRAIL "Ensure AWS RDS instances use PostgreSQL"
  WHEN aws_db_instance
    REQUIRE skip_final_snapshot = true
  OVERRIDE WITH APPROVAL @default

Now, try resubmitting your change request from earlier! You'll see new findings from the Resourcely bot.

Pre-built Guardrails

Resourcely features hundreds of pre-built Terraform policies, and policy packs that align with popular standards such as CIS, HITRUST, PCI, and more.

You can find these Guardrails in the , under the Guardrail starter dropdown.