Example Rego Policy (OPA) for a Custom Rule

Suppose you want to create a custom policy in Firefly: "EC2 instances must not use the default VPC." This is not covered by built-in policies, so you write a Rego policy.

Here's a simple Rego snippet for that:

package firefly.policies.aws

# Default deny rule returns false when no violations are found
default deny_default_vpc = false

# Rule to detect EC2 instances using default VPC
deny_default_vpc[msg] {
  input.asset.type == "AWS::EC2::Instance"
  input.asset.properties.VpcId == input.asset.properties.DefaultVpcId  # Pseudo-code: check if using default VPC
  msg := sprintf("EC2 instance %v is in the default VPC, which is not allowed.", [input.asset.id])
}

Explanation:

• The policy package is under firefly.policies.aws. Firefly likely expects custom policies in a certain package path (consult docs; some might use generic package).

• We define a rule deny_default_vpc. By default it's false (no violation).

• The rule triggers (== true) for each EC2 instance (asset.type) where the VPC ID matches the account's default VPC ID.

• We produce a message naming the instance.

This is a simplistic approach. In actual implementation, Firefly's input format must be known. Likely input.asset.properties would contain something like VpcId. The default VPC ID might not be directly in the asset properties, so you might need to fetch it differently (maybe via another input or hardcode known default VPC IDs per account – not ideal). Another approach: check if VpcId ends with "default" or is one of a known list.

Regardless, let's assume Firefly can provide a flag if a VPC is default (some systems do mark it). The message uses input.asset.id which could be the instance ID.

How to use in Firefly:

1. Go to Governance > Custom Policies > Add Policy.

2. Give it a name: "Disallow Default VPC Usage".

3. Category: maybe "Best Practices" or "Networking".

4. Severity: likely Medium (it's not a security hole per se, but a compliance thing).

5. In the code editor, paste the Rego snippet. Firefly might require you to specify which boolean denotes a violation. Possibly they expect a rule named violation or just any deny_ rules output messages. Let's assume the above is acceptable.

6. Save and run. Firefly will evaluate it against current assets. If any EC2 are in default VPC, they'll appear as violations with the message.

7. Developers will then see those and can migrate instances to custom VPCs as needed.

Testing the policy:

It's wise to test Rego policies outside (using OPA tooling) or on a small data sample. Firefly may provide a test interface: you could simulate an input of an EC2 in default VPC to see if it triggers properly.