The policy block defines a governance rule that is checked against the resources in a stack. Policies are evaluated during plan- and scan-style checks (see ubx scan) to enforce organizational standards before changes are applied.
Syntax
policy name {
description = "…"
severity = "error"
rule {
resource = "aws.s3.Bucket"
condition = <boolean expression>
}
}
The label is a bare identifier, quotes optional. A quoted label may contain spaces.
Fields
| Field | Description |
|---|
description | Optional. A human-readable explanation of the policy. |
severity | "error" or "warn". An error fails the check; a warn reports the violation without failing. |
rule { } | One or more rule blocks. See rule. |
Rule blocks
| Field | Description |
|---|
resource | The resource type the rule applies to, e.g. "aws.s3.Bucket". |
condition | A boolean expression that must hold for every matched resource. |
Inside condition, bare identifiers resolve against the matched resource’s attributes — for example, acl refers to the matched bucket’s acl attribute.
Example
policy no_public_buckets {
description = "S3 buckets must not be public"
severity = "error"
rule {
resource = "aws.s3.Bucket"
condition = acl != "public-read"
}
}
How policies are used
Policies are evaluated during plan- and scan-style checks. Every matched resource is tested against each rule’s condition; a failing rule reports its policy according to the declared severity.