
Define a policy

The policies enforced by the Styra CLI you just downloaded are managed within the Styra DAS. The DAS provides some built-in rules that you can choose from a list, or you can write your own rules using Rego (OPA's policy language).

To put your first rules in place:

  1. In the Styra DAS, navigate to the file <your system name> >> policy >> aws >> ec2 >> rules.rego.

  2. Add the following rule:

```rego
enforce[decision] {
    data.global.systemtypes["terraform:1.0"].library.provider.aws.ec2.without_vpc.v1.ec2_outside_vpc[message]

    decision := {
        "allowed": false,
        "message": message
    }
}
```

This rule requires every EC2 instance to belong to a VPC. It is in Enforce mode, which means that when you evaluate it against a Terraform plan, the plan fails the policy check if the rule generates a violation.
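As an added example (not Styra's library rule and not code from this page), here is a standalone Rego version of the same check evaluated directly over a `terraform show -json` plan, with an `opa test` case on a constructed plan. What counts as "outside a VPC" here (an aws_instance created without a subnet_id) is an assumption, and the syntax follows the pre-1.0 Rego style used in the rule above.

```rego
package example.ec2

# Added example, not Styra's library rule. `input` is assumed to be a
# Terraform plan in `terraform show -json` format.

# Assumption: an aws_instance that is being created without a subnet_id
# would not be placed in a VPC subnet, so it is reported as outside the VPC.
ec2_outside_vpc[message] {
    rc := input.resource_changes[_]
    rc.type == "aws_instance"
    rc.change.actions[_] == "create"
    not rc.change.after.subnet_id
    message := sprintf("EC2 instance %v is not attached to a VPC subnet", [rc.address])
}

# Enforce-style decision: any violation denies the plan.
enforce[decision] {
    ec2_outside_vpc[message]
    decision := {"allowed": false, "message": message}
}

# The plan passes only when no enforce decision is generated.
allow {
    count(enforce) == 0
}

# ---- tests: run with `opa test .` in the directory holding this file ----

# Constructed plan: one instance inside a subnet, one without.
plan := {"resource_changes": [
    {"address": "aws_instance.web", "type": "aws_instance",
     "change": {"actions": ["create"], "after": {"subnet_id": "subnet-0123"}}},
    {"address": "aws_instance.legacy", "type": "aws_instance",
     "change": {"actions": ["create"], "after": {}}},
]}

test_instance_without_subnet_is_denied {
    enforce[d] with input as plan
    d.allowed == false
    contains(d.message, "aws_instance.legacy")
}

test_only_the_subnetless_instance_is_flagged {
    count(ec2_outside_vpc) == 1 with input as plan
    not allow with input as plan
}
```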

Rules can also be in Monitor mode, which means the Terraform plan will always pass the policy check, but the Styra CLI will generate warnings.

You can browse the list of other pre-built rules by clicking the Add rule button.

To make this policy live, click the Publish button and confirm. You will then see the toolbar shift from Draft to System, and the Draft tag disappears from the inventory.