Creating Policy-as-Code Governance Rules

Firefly provides two approaches for creating custom compliance and security policies that will be enforced across your cloud infrastructure and IaC deployments. These rules help ensure your cloud resources adhere to your organization's standards, security requirements, and best practices. Once created, Firefly will continuously evaluate your infrastructure against these policies and flag any violations, helping you maintain governance at scale.

Choose the approach that best fits your team's expertise and requirements:


Option 1: No‑Code Policy Builder

The No‑Code Policy Builder allows you to define governance rules without writing any code. It's ideal for security, compliance, or platform teams who want quick policy creation without coding expertise. The No‑Code Builder includes two flows: Attribute‑Based and Tags‑Based.

How to create a No‑Code policy:

  1. Open the Governance page: In the Firefly app, go to the Governance page, where you manage all your governance policies.

  2. Add a new policy: Click on + Custom Policy. This will open the Create Custom Policy form.

  3. Select No‑Code Policy Builder: Choose No‑Code Policy Builder as your policy type.

  4. Choose the flow type: Select either Attribute‑Based or Tags‑Based depending on your requirements:

    • Attribute‑Based: For checking resource properties like encryption status, public access, instance types, etc.

    • Tags‑Based: For enforcing tagging requirements and standards.

  5. Configure policy details: Fill in the Policy Details section:

    • Name: Give the policy a clear name (e.g., Ensure all S3 buckets are encrypted).

    • Description: Provide a clear description of what the policy checks and why it's important. This helps team members understand the policy's purpose.

    • Severity: Choose the severity level (LOW, MEDIUM, HIGH, CRITICAL) for violations.

    • Data Source: Select the cloud provider (e.g., AWS, Azure, GCP) or specific cloud accounts.

    • Asset Type: Choose the specific resource type to evaluate (e.g., AWS S3 Bucket, EC2 Instance).

  6. Define conditions:

    If Attribute‑Based:

    • Pick an Attribute from the dropdown (e.g., volume_encrypted, public_access, instance_type).

    • Choose an Operator: Is, Is Not, or Contains.

    • Enter a Value for the condition.

    • Add multiple attributes as needed (conditions are combined with AND logic).

    If Tags‑Based:

    • Choose one of the following conditions:

      • Tags Missing Entirely – flags assets that have no tags at all.

      • Specific Tag Missing – requires specific tag keys like owner, environment, project.

      • Specific Tag Value – enforces exact tag values (e.g., cost-center=finance).

      • Specific Tag Value — IS NOT – disallows specific tag values (negative match).

  7. Save the policy: Click Create to activate the policy. Firefly will begin evaluating your infrastructure against it and enforce it during IaC deployments.

Example: No-Code Attribute-Based Policy

Scenario: Ensure all EC2 instances have EBS optimization enabled.

Steps:

  1. Asset Type: Select "AWS EC2 Instance"

  2. Attribute: Choose ebs_optimized

  3. Operator: Select "Is"

  4. Value: Enter true

This creates a policy that flags any EC2 instance where EBS optimization is not enabled, without requiring any code knowledge.

Example: No-Code Tags-Based Policy

Scenario: Ensure all resources have required organizational tags.

Steps:

  1. Flow Type: Select "Tags-Based"

  2. Condition: Choose "Specific Tag Missing"

  3. Required Tags: Enter Environment, Owner, Project

This creates a policy that flags any resource missing any of these required tags.


Option 2: Policy-as-Code (Rego)

Policy-as-Code uses the Rego language (Open Policy Agent) to define custom governance rules. This approach provides maximum flexibility and allows you to create complex, highly specific policies for advanced use cases.

How to create a Policy-as-Code rule:

  1. Open the Governance page: In the Firefly app, go to the Governance page, where you manage all your governance policies.

  2. Add a new policy: Click on + Custom Policy. This will open the Create Custom Policy form.

  3. Select Policy-as-Code: Choose Policy-as-Code as your policy type.

  4. Configure policy details: Fill in the Policy Details section:

    • Name: Give the policy a clear name (e.g., Ensure all S3 buckets are encrypted).

    • Category: Select or create a category to organize your policies (e.g., Observability, Security, Compliance).

    • Severity: Choose the severity level (LOW, MEDIUM, HIGH, CRITICAL) for violations.

    • Data Source: Select the cloud provider (e.g., AWS, Azure, GCP) or specific cloud accounts.

    • Asset Type: Choose the resource type(s) to evaluate (e.g., AWS S3 Bucket, EC2 Instance). You can select multiple resource types, or even all resource types.

  5. Add policy description: In the Policy description field, provide details about what the policy checks and why it's important. This helps team members understand the policy's purpose.

  6. Define the policy logic: In the Rego Playground section, you have two options for creating your policy logic:

    Option A: AI-Generated Code (Recommended)

    • Click "Generate with Thinkerbell AI" to automatically generate Rego code based on your policy details.

    • Ensure you've provided a clear, descriptive policy description in step 4 for best AI results.

    • The AI will analyze your requirements and generate appropriate Rego code.

    • Review and modify the generated code as needed.

    Option B: Manual Code Writing

    • Write the policy logic manually using the Rego policy language (the language used by Open Policy Agent).

    • The playground provides:

      • A code editor with syntax highlighting.

      • An asset selector to choose a sample of resource data for viewing the input schema.

      • Input schema display showing the structure of data your policy will receive.

      • Real-time validation of your Rego code.

  7. Test the policy:

    • Click Evaluate to test your Rego code.

    • Check the MATCHING RESULTS to see which resources would be affected.

  8. Save the policy: Once your policy is working correctly (the "Success" message is shown), click Create to create the policy. The policy is activated immediately and Firefly begins evaluating your infrastructure against it. The policy is also enforced during IaC deployments to prevent non-compliant resources from being created.


Example: S3 Bucket Encryption Policy

Here's a practical example of a Rego policy that ensures all AWS S3 buckets have server-side encryption enabled by default:

# Entry point evaluated by Firefly: true means the resource violates the policy.
firefly {
  match
}

# Helper rule holding the policy logic. `not` is also true when the attribute
# is absent from the input, so a bucket with no such setting is a violation.
match {
  not input.rule.apply_server_side_encryption_by_default
}

How this policy works:

  • firefly: This is the main rule that Firefly evaluates. When this rule is true, it means the resource violates the policy.

  • match: This is a helper rule that contains the actual policy logic.

  • not input.rule.apply_server_side_encryption_by_default: This condition checks if the S3 bucket configuration does NOT have server-side encryption enabled by default.

Policy behavior:

  • If an S3 bucket has apply_server_side_encryption_by_default set to true, the match rule will be false, and the policy passes.

  • If an S3 bucket has apply_server_side_encryption_by_default set to false or is missing this setting, the match rule will be true, flagging it as a violation.

When to use this policy: This policy is essential for organizations that need to ensure all S3 buckets are encrypted at rest to meet security and compliance requirements. It helps prevent accidental creation of unencrypted buckets and identifies existing buckets that need encryption enabled.

Setting up this policy:

  1. Set Asset Type to "AWS S3 Bucket" when creating the policy.

  2. Set Data Source to your AWS accounts.

  3. Choose appropriate Severity (typically HIGH or CRITICAL for encryption policies).

  4. Use the Rego code above in the policy logic section.
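
The no-code tags-based example above, expressed in Rego with unit tests, as an added example that is not code from the Firefly docs. It goes a step further than the no-code flow by reporting which required keys are missing. The package name firefly and the input.tags key (an object of tag key to value) are assumptions about Firefly's input schema; confirm them against the playground's input schema display before using it.

```rego
# Added example, not code from the Firefly docs. Assumptions: the package
# name "firefly" and the input key "input.tags" (an object of tag key -> value);
# confirm both against the playground's input schema display. Written in the
# pre-OPA-1.0 syntax used on this page. Run the tests with: opa test tags.rego
package firefly

# Entry point evaluated by Firefly: true means the resource violates the policy.
firefly {
  match
}

# Required tag keys, matching the no-code tags-based example above.
required_tags := {"Environment", "Owner", "Project"}

# Set of required keys the resource does not carry. If input.tags is absent
# entirely, every lookup is undefined, so every required key is reported.
missing_tags := {key | required_tags[key]; not input.tags[key]}

# Violation when at least one required tag is missing.
match {
  count(missing_tags) > 0
}

# --- Unit tests: `opa test` runs every rule whose name starts with test_ ---

# All required tags present: the policy passes.
test_all_required_tags_present_passes {
  not firefly with input as {"tags": {"Environment": "prod", "Owner": "sre", "Project": "billing"}}
}

# One required key missing: flagged, and missing_tags names it.
test_one_missing_tag_is_violation {
  firefly with input as {"tags": {"Environment": "prod", "Owner": "sre"}}
  missing_tags == {"Project"} with input as {"tags": {"Environment": "prod", "Owner": "sre"}}
}

# Tag key present but in the wrong case ("owner" vs "Owner") counts as missing.
test_tag_keys_are_case_sensitive {
  firefly with input as {"tags": {"Environment": "prod", "owner": "sre", "Project": "billing"}}
}

# No tags at all: flagged, and every required key is reported missing.
test_no_tags_is_violation {
  firefly with input as {}
  missing_tags == required_tags with input as {}
}
```

Only the `firefly`, `match`, `required_tags` and `missing_tags` rules belong in the playground; the `test_` rules are for local verification with the OPA CLI.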


After Creating a Policy

After creating a policy (whether no-code or policy-as-code), you can:

  • View violations in the Governance dashboard. Each violation will show which resource violated the policy and why, allowing you to take corrective action.

  • Set up notifications to alert your team when new violations occur.

  • Disable or delete the policy later via the Governance page if needed.

When to Create Custom Governance Rules

Creating custom governance policies is valuable in several scenarios:

  • Industry-specific compliance: If your organization must adhere to specific regulations (like HIPAA, PCI-DSS, or GDPR), you can create policies that enforce those requirements across your cloud infrastructure.

  • Internal security standards: Enforce your organization's security best practices, such as requiring MFA for all IAM users, preventing public access to sensitive resources, or ensuring proper encryption settings.

  • Cost optimization: Create policies that identify wasteful resources, such as oversized instances, unused volumes, or resources without proper lifecycle management.

  • Tagging and organization: Ensure all resources follow your tagging strategy by creating policies that check for required tags or naming conventions.

  • Architecture standards: Enforce architectural best practices, such as requiring multi-AZ deployments for production databases or preventing the use of deprecated services.

Note: Firefly comes with built-in policies for many common use cases. You can add custom policies to fit your specific organizational needs.

Choosing Between No-Code and Policy-as-Code

Use No-Code Policy Builder when:

  • You need quick policy creation without coding expertise.

  • Your requirements fit standard attribute or tag-based conditions.

  • You want to empower non-technical team members to create policies.

  • You need simple, straightforward governance rules.

Use Policy-as-Code (Rego) when:

  • You need complex, highly specific policy logic.

  • Your requirements involve multiple conditions or advanced logic.

  • You want maximum flexibility and customization.

  • You have technical team members comfortable with code.

By implementing custom governance rules, you can automate compliance checking, reduce manual auditing efforts, and catch potential issues before they become problems. This proactive approach to governance helps maintain security and compliance at scale while still allowing teams to move quickly.
