
# policy block

> Enforce compliance rules at compile time — no OPA, no external tools.

The `policy` block defines compile-time rules evaluated during `ubx validate` and `ubx apply`. No OPA, no external tools.

## Syntax

```hcl
policy "name" {
  description = "Human-readable description"
  severity    = "error"   # error | warn

  rule {
    resource  = "resource_type"
    condition = "boolean expression"
  }
}
```

## Example

```hcl
policy "no_public_s3" {
  description = "S3 buckets must not be publicly accessible"
  severity    = "error"

  rule {
    resource  = "aws_s3_bucket_v2"
    condition = "acl != 'public-read' && acl != 'public-read-write'"
  }
}
```

Violation:

```
✗  stack.iac:6  policy "no_public_s3" violated by unit "aws_s3_bucket_v2"
                 "public_bucket": condition "acl != 'public-read'" evaluated to false
```

## Severity

| Value     | Effect                                |
| --------- | ------------------------------------- |
| `"error"` | Blocks `ubx validate` and `ubx apply` |
| `"warn"`  | Shows warning, does not block         |

## Multiple Rules

All rules must pass:

```hcl
policy "rds_security" {
  description = "RDS must be encrypted and private"
  severity    = "error"

  rule {
    resource  = "aws_rds_instance"
    condition = "storage_encrypted == true"
  }

  rule {
    resource  = "aws_rds_instance"
    condition = "publicly_accessible != true"
  }
}
```

## Condition Syntax

| Operator | Example                                 |
| -------- | --------------------------------------- |
| `==`     | `acl == 'private'`                      |
| `!=`     | `acl != 'public-read'`                  |
| `&&`     | `encrypted == true && multi_az == true` |
| `\|\|`   | `type == 'small' \|\| type == 'micro'`  |
| `!`      | `!publicly_accessible`                  |

String literals use **single quotes**. Unset attributes are `null`.

## No TypeScript Emitted

Policy blocks are compile-time only — zero runtime cost.
