Terraform policies integrated into CI
Creating and activating your first Guardrail
This Quickstart assumes you have already set up a scaffolding repo (GitHub Actions or GitLab Pipelines).
Guardrails are Terraform policies built for infrastructure, embedded into your developer workflows.
With Guardrails:
Choose which rules you want to enforce, or write your own
Evaluate and enforce Guardrails as part of your CI pipeline
Remediate violations in your existing infrastructure
In this guide, we'll focus on evaluating and enforcing policies as part of a CI pipeline.
Write a Guardrail
Guardrails follow a readable syntax:
Navigate to Foundry and click Author a Guardrail to create a Guardrail for AWS RDS.
Copy the above Really code into the Guardrail Content field.
You're almost there! Let's make sure the Guardrail performs as we expect.
Test the Guardrail
Navigate to Developer Experience and click Generate Example. This will generate a Terraform example that you can alter.
You can also paste your own Terraform for testing purposes. After you have created test Terraform, click Evaluate.

In our case, the test Terraform passes the Guardrail evaluation, so a PR containing this code would not have been blocked.
Activating
To activate our new Guardrail, navigate to Define Metadata, give it a name and hit Publish Guardrail.
Our Guardrail is now Active, and will be evaluated in our CI pipeline whenever anyone tries to merge Terraform that includes an aws_db_instance resource.
Guardrails can be set to Evaluate Only mode, so that change requests are only annotated with findings but not blocked. See Releasing Guardrails to learn more about the different Guardrail states.
Submit a PR to see the Guardrail in action
To embed Guardrails into your existing CI pipeline instead of using a scaffolding repo, find your setup at CI/CD & Terraform Runners.
Let's use some test Terraform to see how our Guardrails behave during CI. Add the following Terraform to your scaffolding repository's main.tf and submit a change request.
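The Terraform below is an added example rather than the page's own snippet: a single aws_db_instance written to fail the Guardrail as first published (engine is not "postgres") and, after the Change a parameter step further down, to fail the revised rule as well (skip_final_snapshot is not true). The resource name, sizing, engine version, variable name and snapshot identifier are assumptions for illustration.

```hcl
# Added example, not the page's own code: a deliberately non-compliant
# aws_db_instance for the scaffolding repo's main.tf. Names, sizes and
# the password variable are assumptions chosen for illustration.
variable "db_password" {
  description = "Master password, supplied via TF_VAR_db_password or a secrets backend; never a literal in main.tf."
  type        = string
  sensitive   = true
}

resource "aws_db_instance" "guardrail_test" {
  identifier        = "guardrail-quickstart-test"
  allocated_storage = 20
  instance_class    = "db.t3.micro"

  # The Guardrail as first published REQUIREs engine = "postgres".
  # "mysql" violates it, so the Resourcely bot should block this change request.
  engine         = "mysql"
  engine_version = "8.0"

  username = "dbadmin"
  password = var.db_password

  # After the "Change a parameter" step the Guardrail instead REQUIREs
  # skip_final_snapshot = true. Leaving it false triggers the new finding on
  # resubmission. Outside this exercise, false is the safer value: Terraform
  # then writes a final snapshot (named below) before destroying the instance.
  skip_final_snapshot       = false
  final_snapshot_identifier = "guardrail-quickstart-test-final"
}
```

To watch a finding clear, change engine to "postgres" for the first rule, or skip_final_snapshot to true for the revised rule, and push again. Note that with skip_final_snapshot = false Terraform requires final_snapshot_identifier at destroy time, which is why it is set here.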
Wait for the Resourcely bot to evaluate the change request, and see what happens. You should see some findings that block merge!
Change a parameter
The Guardrail creation UI features autocomplete, which makes changing parameters a breeze. Go back to the Settings tab in Foundry and delete engine = "postgres". Type the letter "s" after REQUIRE and observe the menu that appears:

Autocompletion surfaces possible parameters or Really syntax that could be used, related to aws_db_instance in this case.
Select skip_final_snapshot and set it to true, like the following:
Now, try resubmitting your change request from earlier! You'll see new findings from the Resourcely bot. Requiring skip_final_snapshot = true here only demonstrates changing a parameter: in Terraform that setting destroys an RDS instance without taking a final snapshot, so a production Guardrail would more likely require it to be false.
Pre-built Guardrails
Resourcely features hundreds of pre-built Terraform policies, and policy packs that align with popular standards such as CIS, HITRUST, PCI, and more.
You can find these Guardrails in the Foundry, under the Guardrail starter dropdown.
Next steps