ubx validate — before the bucket exists, before any credentials are needed, before CI even gets to the apply stage — is worth orders of magnitude more. The policy block brings compliance rules into your .iac source as first-class declarations: a condition over resource attributes, a severity, and an error message. error severity violations block ubx validate and ubx apply. warn severity violations are shown but don’t block. Every resource of the matching type in every .iac file in your project is evaluated against every applicable policy automatically — no separate tool to run, no post-apply scanner to wait for.
What you’ll learn
- How
policyblocks enforce rules atubx validatetime - The difference between
severity = "error"andseverity = "warn" - How to test a policy by writing a deliberately violating resource
Why this matters
Policy violations with
severity = "error" block both ubx validate and ubx apply. This means policy enforcement is part of the same pipeline as type-checking — a project with policy violations is a project that doesn’t compile, by design.The source code
How it works
Policies are evaluated during the type-check pass
After the schema type check, ubx evaluates every
policy block against every unit block whose resource type matches the rule.resource field. This happens at ubx validate time — no cloud credentials, no network access required.The condition is evaluated against resolved attribute values
The condition string
"acl != 'public-read' && acl != 'public-read-write'" is evaluated as an expression against the unit block’s attribute map. Attributes with literal values (like acl = "private") are fully evaluated. Attributes with pending values are checked for the presence of a literal that could violate the condition.Violations are reported with source location
A failing condition produces an error referencing the violating
unit block by file, line, type, and label. The description and the condition that failed are both included in the error message, making the violation self-explanatory without needing to look up the policy.What ubx generates
policy blocks produce no generated code — they are compile-time validators only. The generated TypeScript/Python/Go contains only the unit resources. Policy enforcement happens in the ubx compiler, not in the Pulumi runtime.index.ts
Common mistakes
Run it
What you learned
policy blocks enforce rules at ubx validate time — before any cloud credentials are neededseverity = "error" blocks validate and apply; severity = "warn" shows a warning but doesn’t blockPolicy blocks produce no generated code — enforcement is entirely in the ubx compiler
Next steps
import existing resource
Bring existing cloud resources under ubx management
policy block reference
Full policy block syntax and condition language
Full runnable example: github.com/ubiquex/ubx-examples/30-policy-as-code

