Skip to main content
The policy block defines a governance rule that is checked against the resources in a stack. Policies are evaluated during plan- and scan-style checks (see ubx scan) to enforce organizational standards before changes are applied.

Syntax

policy name {
  description = "…"
  severity    = "error"

  rule {
    resource  = "aws.s3.Bucket"
    condition = <boolean expression>
  }
}
The label is a bare identifier, quotes optional. A quoted label may contain spaces.

Fields

FieldDescription
descriptionOptional. A human-readable explanation of the policy.
severity"error" or "warn". An error fails the check; a warn reports the violation without failing.
rule { }One or more rule blocks. See rule.

Rule blocks

FieldDescription
resourceThe resource type the rule applies to, e.g. "aws.s3.Bucket".
conditionA boolean expression that must hold for every matched resource.
Inside condition, bare identifiers resolve against the matched resource’s attributes — for example, acl refers to the matched bucket’s acl attribute.

Example

policy no_public_buckets {
  description = "S3 buckets must not be public"
  severity    = "error"

  rule {
    resource  = "aws.s3.Bucket"
    condition = acl != "public-read"
  }
}

How policies are used

Policies are evaluated during plan- and scan-style checks. Every matched resource is tested against each rule’s condition; a failing rule reports its policy according to the declared severity.