Terraform Sentinel policies fall into three broad categories – tfplan-based, tfconfig-based and tfstate-based policies. This post discusses a couple of common tfplan-based policies.

A simple tfplan Sentinel policy that restricts resources to certain machine types (tfplan import v1 layout: resources are keyed by type, then by name, then by instance index, and the planned attribute values live under `applied`):

```sentinel
import "tfplan"

# Limit Google Cloud compute resources to stay below compute n1-standard-16 (16 cores)

allowed_machine_types = [
  "n1-standard-1",
  "n1-standard-2",
  "n1-standard-4",
  "n1-standard-8",
]

main = rule {
  # "else {}" keeps the rule from evaluating to undefined (and therefore failing)
  # when the plan contains no google_compute_instance resources at all.
  all tfplan.resources.google_compute_instance else {} as _, instances {
    all instances as _, r {
      r.applied.machine_type in allowed_machine_types
    }
  }
}
```
Another tfplan policy, this one restricting the regions that resources may be provisioned in. Provider configurations are keyed by provider type and then by alias (`default` for an unaliased provider), so every alias of the `aws` provider is checked:

```sentinel
import "env"
import "tfplan"

# Only provision staging resources in us-west and production resources in us-east

valid_regions = {"staging": "us-west-1", "production": "us-east-1"}

main = rule {
  all tfplan.config.providers as provider_type, aliases {
    provider_type is not "aws" or
    all aliases as _, p {
      p.config.region == valid_regions[env.ENV]
    }
  }
}
```
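Both policies above look only at the root module: `tfplan.resources` and `tfplan.config.providers` do not see resources or providers declared inside child modules, and the first policy also evaluates instances that are only being destroyed. The following policy is an added example (not from the original post) that generalises both checks: it walks every module path, skips pure destroys, and keeps a destroy-and-recreate (`requires_new`) in scope. It assumes the tfplan/tfconfig v1 import layout, a root-module variable named `environment` in place of the `env` import (an assumption made for this example), and constructed allow lists.

```sentinel
import "tfplan"
import "tfconfig"

# Constructed allow list for this example (same shape as the first policy).
allowed_machine_types = [
  "n1-standard-1",
  "n1-standard-2",
  "n1-standard-4",
  "n1-standard-8",
]

# Constructed environment -> region map. The environment name is taken from a
# root-module variable called "environment" (assumed to exist for this example).
valid_regions = {"staging": "us-west-1", "production": "us-east-1"}
env_name = tfplan.variables.environment

# Gather google_compute_instance resources from the root module and every child
# module. Each element is a map of instance index -> resource for one named block.
get_gce_instances = func() {
  instances = []
  for tfplan.module_paths as path {
    instances += values(tfplan.module(path).resources.google_compute_instance) else []
  }
  return instances
}

gce_instances = get_gce_instances()

# Only resources that will exist after apply are checked: a plain destroy is
# skipped, while a destroy-and-recreate still has to use an allowed type.
machine_type_allowed = rule {
  all gce_instances as _, named {
    all named as _, r {
      (r.destroy and not r.requires_new) or
      r.applied.machine_type in allowed_machine_types
    }
  }
}

# Every aws provider block in every module (including aliased providers) must be
# configured for the region permitted for this environment. Note that tfconfig
# returns the raw configuration, so a region set through an interpolation or an
# environment variable will not compare equal to a literal region string.
region_allowed = rule {
  all tfconfig.module_paths as path {
    all tfconfig.module(path).providers as provider_type, aliases {
      provider_type is not "aws" or
      all aliases as _, p {
        p.config.region == valid_regions[env_name]
      }
    }
  }
}

main = rule {
  machine_type_allowed and region_allowed
}
```

Splitting the checks into named rules keeps the policy output readable: when `main` fails, the Sentinel trace shows which of the two rules was false, rather than a single anonymous boolean.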

tfconfig Policies

Coming Soon

tfstate Policies

Coming Soon