
Define a Policy

The policies enforced by the Styra CLI you just downloaded are managed within the Styra DAS. The Styra DAS provides some built-in rules that you can choose from a list, or you can write your own rules using Rego (OPA's policy language).

To put your first rules in place:

  1. In the Styra DAS, navigate to the file your system name >> policy >> aws >> ec2 >> rules.rego.

  2. Using the Add rule button, search for the AWS: EC2: Prohibit EC2 instances without a VPC rule and click to add it. Change the rule from Monitor to Enforce. This results in the following Rego code:

# Enforce mode: every violation found by the library rule becomes a deny decision.
enforce[decision] {
  data.global.systemtypes["terraform:2.0"].library.provider.aws.ec2.without_vpc.v1.ec2_outside_vpc[violation]
  decision := {
    "allowed": false,
    "message": violation.message,
    "metadata": violation.metadata
  }
}

This rule requires every EC2 instance in the plan to belong to a VPC. Because it is in Enforce mode, the plan fails the policy check as soon as the rule produces a single violation when you evaluate it against a Terraform plan.

Rules can also be in Monitor mode (the same body under the `monitor[decision]` rule head). A monitored rule never fails the policy check; the Styra CLI instead reports each violation it finds as a warning.
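The library rule referenced above is a black box from the point of view of rules.rego. As an added, self-contained example (not the Styra library's own implementation, and not code from this page), the following Rego shows what a rule of this shape does under the hood: it walks the `resource_changes` of a Terraform plan (the JSON that `terraform show -json` emits), flags every `aws_instance` being created or updated without a `subnet_id`, and feeds the violations into an `enforce[decision]` rule exactly like the one the DAS generated. The package name, the constructed `sample_plan`, and the assumption that "outside a VPC" means "no subnet_id" are all mine; the real library rule may use a different heuristic. A `subnet_id` that is only known at apply time (listed under `after_unknown`) is deliberately not treated as a violation, which is the edge case that trips up naive versions of this check. The syntax is the same pre-1.0 Rego the page uses.

```rego
package example.terraform.ec2  # assumed package name, not the DAS's own

# Constructed sample plan, reduced to the fields this example inspects.
# In Styra DAS the plan arrives as `input`; here it is embedded so the file
# runs stand-alone with `opa test <file>`.
sample_plan := {
  "format_version": "1.1",
  "resource_changes": [
    {
      "address": "aws_instance.web",
      "type": "aws_instance",
      "change": {
        "actions": ["create"],
        "after": {"instance_type": "t3.micro", "subnet_id": "subnet-0123456789abcdef0"},
        "after_unknown": {}
      }
    },
    {
      "address": "aws_instance.app",
      "type": "aws_instance",
      "change": {
        "actions": ["create"],
        "after": {"instance_type": "t3.micro"},
        "after_unknown": {"subnet_id": true}
      }
    },
    {
      "address": "aws_instance.legacy",
      "type": "aws_instance",
      "change": {
        "actions": ["create"],
        "after": {"instance_type": "t3.micro", "subnet_id": null},
        "after_unknown": {}
      }
    },
    {
      "address": "aws_instance.old",
      "type": "aws_instance",
      "change": {"actions": ["delete"], "before": {"instance_type": "t2.micro"}, "after": null}
    }
  ]
}

# Only resources that will exist after apply can be "outside a VPC".
creating_or_updating(rc) { rc.change.actions[_] == "create" }
creating_or_updating(rc) { rc.change.actions[_] == "update" }

# An instance is attached to a subnet if the plan carries a concrete subnet_id,
# or if the subnet_id is computed at apply time (e.g. from a subnet in the same plan).
has_subnet(rc) { rc.change.after.subnet_id != null }
has_subnet(rc) { rc.change.after_unknown.subnet_id == true }

# One violation object per offending aws_instance; shape mirrors what the
# DAS-generated rule expects (message + metadata).
ec2_outside_vpc(plan) := violations {
  violations := {v |
    rc := plan.resource_changes[_]
    rc.type == "aws_instance"
    creating_or_updating(rc)
    not has_subnet(rc)
    v := {
      "message": sprintf("EC2 instance %s is not attached to a VPC subnet", [rc.address]),
      "metadata": {"resource": rc.address, "rule": "ec2_outside_vpc"}
    }
  }
}

# Enforce mode: each violation becomes a deny decision, so one hit fails the plan.
# Monitor mode is the same body under `monitor[decision]`; the decisions are then
# reported as warnings and do not fail the plan.
enforce[decision] {
  violation := ec2_outside_vpc(input)[_]
  decision := {
    "allowed": false,
    "message": violation.message,
    "metadata": violation.metadata
  }
}

# Self-check over the constructed plan: only aws_instance.legacy is denied.
# aws_instance.web has a subnet, aws_instance.app's subnet is computed at
# apply time, and aws_instance.old is being deleted.
test_only_instance_without_subnet_is_denied {
  decisions := enforce with input as sample_plan
  count(decisions) == 1
  decisions[d]
  d.allowed == false
  d.metadata.resource == "aws_instance.legacy"
}
```

Run it with `opa test -v <file>.rego`, or evaluate the policy against a real plan with `opa eval -i plan.json -d <file>.rego "data.example.terraform.ec2.enforce"`. To see the Monitor behaviour, rename the rule head to `monitor[decision]` and evaluate `data.example.terraform.ec2.monitor` instead.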

You can browse the list of other pre-built rules by clicking the Add rule button.

To make this policy live, click the Publish button and confirm. The toolbar then switches from Draft to System, and the Draft tag disappears from the inventory.