Define a Policy
Styra DAS provides a library of built-in Terraform rules for AWS, GCP, Azure, and Kubernetes Terraform providers, which you can explore in the Terraform Policy Library Rules documentation.
For this tutorial, the Terraform Fake Web Services provider is used with a simple custom policy for the fake VPC resource.
Decision Input Format
As part of the run task integration with Styra DAS, Terraform Cloud sends Styra DAS the plan details and context for each run. Within Styra DAS, you can use Rego policies to evaluate properties of this data, which is available via the input parameter in the following format:
{
  "format_version": "1.0",
  "terraform_version": "1.1.9",
  "configuration": {},
  "prior_state": {},
  "planned_values": {},
  "resource_changes": [],
  "variables": {},
  "styra-tfc-webhook": {
    "access_token": "",
    "is_speculative": "",
    "organization_name": "",
    "payload_version": "",
    "plan_json_api_url": "",
    "run_app_url": "",
    "run_created_at": "",
    "run_created_by": "",
    "run_id": "",
    "run_message": "",
    "stage": "",
    "task_result_callback_url": "",
    "task_result_enforcement_level": "",
    "task_result_id": "",
    "vcs_branch": "",
    "vcs_commit_url": "",
    "vcs_pull_request_url": "",
    "vcs_repo_url": "",
    "workspace_app_url": "",
    "workspace_id": "",
    "workspace_name": ""
  }
}
Full details of Terraform's plan data format can be found in Terraform's Plan Representation documentation.
Create the Policy
- In your Terraform system in Styra DAS, use the left-side file tree and navigate to the policy directory.
- Click on the options menu on the policy folder and select Add Policy.
- Enter a path of fws.vpc and a module name of rules.rego, then click Add.
Add a rule
In the new fws/vpc/rules.rego policy file, add the following Rego rule:
enforce[decision] {
    # Get all resources in the plan resource_changes object
    resource := input.resource_changes[_]
    # Check the CIDR block value for the fakewebservices_vpc resource
    resource.type == "fakewebservices_vpc"
    resource.change.after.cidr_block == "10.0.0.0/16"
    # Return the resource type in the message if the resource fails the policy
    message := sprintf("VPC CIDR 10.0.0.0/16 is not allowed for resource %s", [resource.type])
    decision := {
        "allowed": false,
        "message": message
    }
}
This rule prevents the use of 10.0.0.0/16 as the CIDR block of a VPC created with the Fake Web Services provider. It does so by evaluating properties of the Terraform resources in the plan JSON that Styra DAS receives from Terraform Cloud: it checks whether a resource is a VPC resource and then checks its CIDR block value. If both conditions match, the rule does not allow the resource to be deployed.
This rule is in Enforce mode, which means that when it is evaluated against a Terraform plan, the plan fails the policy check if the rule generates a violation. Rules can also be in Monitor mode, which does not prevent the full policy check from passing, but Styra DAS will generate a warning for the rule.
Additional details on authoring Terraform policies can be found on the Terraform Policy Authoring documentation page.
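The following is an added example, not code from the tutorial or from Styra DAS, that shows how to unit-test a rule of this shape locally with opa test before publishing it. It generalizes the rule above from matching the exact string "10.0.0.0/16" to rejecting any VPC CIDR that falls inside that range (using the OPA built-in net.cidr_contains), and it feeds the rule constructed plan fragments in the resource_changes shape described under Decision Input Format above. The package name is an assumption for local testing only; Styra DAS assigns its own package to the fws/vpc/rules.rego module.

```rego
# Added example (not from the tutorial). Run locally with: opa test rules.rego -v
# The package name is a local assumption; Styra DAS assigns its own package
# to the fws/vpc/rules.rego module.
package fws.vpc.rules

# The range that must not be used by any VPC. The tutorial's rule compares the
# exact string "10.0.0.0/16"; net.cidr_contains also catches subnets of it,
# such as 10.0.1.0/24, and an address inside the range.
blocked_cidr := "10.0.0.0/16"

enforce[decision] {
    resource := input.resource_changes[_]
    resource.type == "fakewebservices_vpc"
    # For a destroyed resource "after" is null, so this reference is undefined
    # and the rule body does not match: deletions are never flagged.
    cidr := resource.change.after.cidr_block
    net.cidr_contains(blocked_cidr, cidr)
    decision := {
        "allowed": false,
        "message": sprintf("VPC CIDR %s is inside blocked range %s for resource %s", [cidr, blocked_cidr, resource.address]),
    }
}

# Constructed plan fragment in the shape Terraform Cloud sends to Styra DAS;
# only the fields the rule reads are populated.
plan_with_vpc(cidr) = {
    "format_version": "1.0",
    "resource_changes": [{
        "address": "fakewebservices_vpc.main",
        "type": "fakewebservices_vpc",
        "change": {"actions": ["create"], "after": {"cidr_block": cidr}},
    }],
}

test_exact_blocked_cidr_is_denied {
    plan := plan_with_vpc("10.0.0.0/16")
    decisions := enforce with input as plan
    count(decisions) == 1
    decisions[_].allowed == false
}

test_subnet_of_blocked_cidr_is_denied {
    plan := plan_with_vpc("10.0.1.0/24")
    count(enforce) == 1 with input as plan
}

test_other_cidr_is_allowed {
    plan := plan_with_vpc("172.16.0.0/16")
    count(enforce) == 0 with input as plan
}

test_destroyed_vpc_is_ignored {
    plan := {"resource_changes": [{
        "address": "fakewebservices_vpc.old",
        "type": "fakewebservices_vpc",
        "change": {"actions": ["delete"], "after": null},
    }]}
    count(enforce) == 0 with input as plan
}
```

The test rules give you a denied case, an allowed case and the destroy edge case in one file, so a change to the rule that silently stops matching (for example a typo in the resource type) shows up as a failing test rather than as plans that pass the check unexpectedly.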
Publish the policy
To start enforcing this policy for future Terraform plans, click on the Publish button and confirm.