The policy block defines compile-time rules evaluated during ubx validate and ubx apply. No OPA, no external tools.

Syntax

policy "name" {
  description = "Human-readable description"
  severity    = "error"   # error | warn

  rule {
    resource  = "resource_type"
    condition = "boolean expression"
  }
}

Example

policy "no_public_s3" {
  description = "S3 buckets must not be publicly accessible"
  severity    = "error"

  rule {
    resource  = "aws_s3_bucket_v2"
    condition = "acl != 'public-read' && acl != 'public-read-write'"
  }
}
Violation:
✗  stack.iac:6  policy "no_public_s3" violated by unit "aws_s3_bucket_v2"
                 "public_bucket": condition "acl != 'public-read'" evaluated to false

Severity

Value      Effect
"error"    Blocks ubx validate and ubx apply
"warn"     Shows a warning, does not block

Multiple Rules

All rules must pass:
policy "rds_security" {
  description = "RDS must be encrypted and private"
  severity    = "error"

  rule {
    resource  = "aws_rds_instance"
    condition = "storage_encrypted == true"
  }

  rule {
    resource  = "aws_rds_instance"
    condition = "publicly_accessible != true"
  }
}

Condition Syntax

Operator   Example
==         acl == 'private'
!=         acl != 'public-read'
&&         encrypted == true && multi_az == true
||         type == 'small' || type == 'micro'
!          !publicly_accessible
String literals use single quotes. Unset attributes are null, which matters for how you phrase a check: a negated condition such as acl != 'public-read' passes when the attribute is missing entirely, while a positive condition such as storage_encrypted == true evaluates to false. Use the positive form whenever the attribute must be explicitly set.
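The following is an added reference model of the semantics described in the Multiple Rules, Severity and Condition Syntax sections above; it is not ubx's own evaluator and is not code from the project. It parses the documented operators (==, !=, &&, ||, !, single-quoted strings), treats unset attributes as null, requires every rule of a policy to pass, and blocks only on "error" severity. The policy and unit dictionaries, the attribute values, and the treatment of null as falsy under ! are all constructed assumptions for illustration.

```python
import re

# Tokens: the documented operators plus parentheses, single-quoted strings,
# numbers, and bare identifiers (attribute names or true/false/null).
_TOKEN_RE = re.compile(
    r"\s*(?:(?P<op>==|!=|&&|\|\||!|\(|\))"
    r"|'(?P<str>[^']*)'"
    r"|(?P<num>-?\d+(?:\.\d+)?)"
    r"|(?P<ident>[A-Za-z_][A-Za-z0-9_]*))"
)
_KEYWORDS = {"true": True, "false": False, "null": None}


def tokenize(src):
    """Split a condition string into (kind, text) tokens."""
    src, pos, tokens = src.strip(), 0, []
    while pos < len(src):
        m = _TOKEN_RE.match(src, pos)
        if not m:
            raise SyntaxError(f"bad token at offset {pos}: {src[pos:]!r}")
        tokens.append((m.lastgroup, m.group(m.lastgroup)))
        pos = m.end()
    return tokens


class Parser:
    """Recursive-descent parser; precedence, tightest first: !, ==/!=, &&, ||."""

    def __init__(self, src):
        self.toks, self.i = tokenize(src), 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)

    def take(self):
        tok = self.peek()
        if tok[0] is None:
            raise SyntaxError("unexpected end of condition")
        self.i += 1
        return tok

    def parse(self):
        node = self.or_expr()
        if self.peek()[0] is not None:
            raise SyntaxError(f"trailing input: {self.peek()[1]!r}")
        return node

    def or_expr(self):
        node = self.and_expr()
        while self.peek() == ("op", "||"):
            self.take()
            node = ("||", node, self.and_expr())
        return node

    def and_expr(self):
        node = self.comparison()
        while self.peek() == ("op", "&&"):
            self.take()
            node = ("&&", node, self.comparison())
        return node

    def comparison(self):
        left = self.unary()
        if self.peek() in (("op", "=="), ("op", "!=")):
            return (self.take()[1], left, self.unary())
        return left

    def unary(self):
        if self.peek() == ("op", "!"):
            self.take()
            return ("!", self.unary())
        return self.operand()

    def operand(self):
        kind, val = self.take()
        if (kind, val) == ("op", "("):
            node = self.or_expr()
            if self.take() != ("op", ")"):
                raise SyntaxError("expected ')'")
            return node
        if kind == "str":
            return ("lit", val)
        if kind == "num":
            return ("lit", float(val) if "." in val else int(val))
        if kind == "ident":
            return ("lit", _KEYWORDS[val]) if val in _KEYWORDS else ("attr", val)
        raise SyntaxError(f"unexpected {val!r}")


def evaluate(node, attrs):
    """Evaluate a parsed condition; a missing attribute reads as null (None)."""
    kind = node[0]
    if kind == "lit":
        return node[1]
    if kind == "attr":
        return attrs.get(node[1])
    if kind == "!":  # assumption: null is falsy, so !null is true
        return not evaluate(node[1], attrs)
    if kind == "&&":
        return bool(evaluate(node[1], attrs)) and bool(evaluate(node[2], attrs))
    if kind == "||":
        return bool(evaluate(node[1], attrs)) or bool(evaluate(node[2], attrs))
    left, right = evaluate(node[1], attrs), evaluate(node[2], attrs)
    return left == right if kind == "==" else left != right


def condition_holds(condition, attrs):
    return bool(evaluate(Parser(condition).parse(), attrs))


def check_policies(policies, units):
    """Run every rule of every policy over matching units.
    Returns (blocked, findings); blocked is True only for an "error" finding."""
    findings = []
    for policy in policies:
        for rule in policy["rules"]:
            tree = Parser(rule["condition"]).parse()
            for unit in units:
                if unit["type"] != rule["resource"]:
                    continue
                if not evaluate(tree, unit["attrs"]):
                    findings.append((policy["severity"], policy["name"],
                                     unit["name"], rule["condition"]))
    return any(sev == "error" for sev, *_ in findings), findings


# Hypothetical policies mirroring the page's examples plus one "warn" policy.
POLICIES = [
    {"name": "no_public_s3", "severity": "error", "rules": [
        {"resource": "aws_s3_bucket_v2",
         "condition": "acl != 'public-read' && acl != 'public-read-write'"}]},
    {"name": "rds_security", "severity": "error", "rules": [
        {"resource": "aws_rds_instance", "condition": "storage_encrypted == true"},
        {"resource": "aws_rds_instance", "condition": "publicly_accessible != true"}]},
    {"name": "rds_multi_az", "severity": "warn", "rules": [
        {"resource": "aws_rds_instance", "condition": "multi_az == true"}]},
]

# Constructed sample units; attribute values are illustrative only.
UNITS = [
    {"type": "aws_s3_bucket_v2", "name": "public_bucket", "attrs": {"acl": "public-read"}},
    {"type": "aws_s3_bucket_v2", "name": "no_acl_bucket", "attrs": {}},  # acl is null
    {"type": "aws_rds_instance", "name": "db_ok",
     "attrs": {"storage_encrypted": True, "publicly_accessible": False, "multi_az": True}},
    {"type": "aws_rds_instance", "name": "db_unset", "attrs": {}},  # everything null
]

if __name__ == "__main__":
    blocked, findings = check_policies(POLICIES, UNITS)
    for sev, pol, unit, cond in findings:
        mark = "✗" if sev == "error" else "!"
        print(f'{mark}  policy "{pol}" violated by unit "{unit}": '
              f'condition "{cond}" evaluated to false')
    print("blocked:", blocked)
```

Running it shows the null pitfall concretely: no_acl_bucket passes no_public_s3 because null != 'public-read' is true, and db_unset passes publicly_accessible != true for the same reason, while it fails storage_encrypted == true because null == true is false. Only the "error" findings set blocked; the "warn" finding against rds_multi_az is reported but does not block on its own.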

No TypeScript Emitted

Policy blocks are compile-time only — zero runtime cost.