Guardrails

Guardrails enforce policies and best practices within your IaC workspaces. By establishing specific rules, they ensure your deployments adhere to organizational standards, preventing non-compliant changes from being applied. Guardrails block deployments that violate these rules, maintaining the integrity and security of your cloud infrastructure.

Rule types

The rule types below enforce policies in your Workspaces. The following table outlines each type and its function:

Rule type: Cost
  Function: Manage and control cloud costs by setting limits on cost changes. Monitor cost changes and block deployments that exceed the specified amount or percentage.
  Example: A cost rule can be set to block any deployment that results in a cost increase of more than $100. If a proposed change exceeds this limit, the deployment is blocked.

Rule type: Policy
  Function: Ensure adherence to predefined guidelines. Check for violations within the specified scope and prevent deployments that do not meet organizational standards.
  Example: Ensure resources have encryption enabled. If a deployment attempts to create a resource without encryption, the Guardrail blocks the deployment.

Rule type: Resource
  Function: Control modifications to cloud resources. Block actions such as creating, deleting, or modifying resources based on asset type, region, or specific resource address.
  Example: A resource rule can prevent the creation of resources in a specific region. If a deployment attempts to create resources in an excluded region, such as us-west-2, the Guardrail blocks the change to enforce regional compliance policies.

Rule type: Tag
  Function: Ensure all resources have tags and/or specific tag names to enforce consistent tagging standards. Block deployments with non-compliant resources.
  Example: A tag rule can block any deployment where resources are missing required tags. For example, if a resource lacks the Environment tag, the deployment is blocked to ensure compliance with tagging policies.

Creating a new Guardrail

Procedure

  1. Select Workflows > Guardrails > + Add New.

  2. Select the Rule Type.

  3. Enter the Rule Name.

  4. Define the scope of your Guardrail by specifying the relevant Workspaces, Repositories, Branches, and Labels.

    • Use wildcards (*) to match patterns.

    • Leave fields blank to apply to all by default.

For Cost rules, under Criteria:

  1. Select whether the limit is an exact amount or a percentage. The Guardrail triggers when the cost change exceeds this limit.

  2. In the field, define the cost change limit.

For Policy rules, under Criteria:

  1. Select the policies to which this Guardrail applies. Leave blank to apply to all policies.

  2. Select any policies to exclude from this Guardrail. Leave blank if there are no exclusions.

  3. Select the minimum severity level this Guardrail enforces.

For Resource rules, under Criteria:

This rule blocks actions such as creation, deletion, or modification of resources based on asset type, region, or specific resource address. Use the fields to define which resource actions, and on which resources, the Guardrail blocks.

For Tag rules, under Criteria:

  • Select whether to block deployments when resources have no tags at all (tag missing entirely) or lack a specific tag (specific tag missing).

  • If you selected specific tag missing, specify the required tag names. Use wildcards (*) to match patterns.

Adding Notifications

Select the notification destination (e.g., Slack, email, PagerDuty) from the available options. After you select the notification destination, the system automatically sends alerts to the specified channels whenever the guardrail rule is violated.

Examples of Guardrail rules

Type of Guardrail: Cost
  Rule Name: Limit cost increases
  Scope: Specific workspace (e.g., Development)
  Criteria: Block any deployment with a cost increase over $100

Type of Guardrail: Policy
  Rule Name: Encrypt all resources
  Scope: All workspaces
  Criteria: Enforce encryption policy on all resources

Type of Guardrail: Resource
  Rule Name: Disallow resources in us-west-2
  Scope: All workspaces except specific workspace (e.g., Development)
  Criteria: Block the creation of resources in the us-west-2 region. This ensures that resources are not deployed in a restricted region, maintaining compliance with regional policies or avoiding certain geographic restrictions.

Type of Guardrail: Tag
  Rule Name: Ensure environment tag
  Scope: All workspaces
  Criteria: Block deployments where resources are missing the Environment tag, ensuring all resources are properly tagged for easier management and compliance.
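To make the rule types and the example rules above concrete, here is an added evaluator (not Firefly's code) that runs the four example Guardrails against a constructed list of planned changes and returns the violation list a Block Step would show. The plan fields, rule field names, and the modelling of the policy rule as an encryption check are assumptions; the cost rule supports both the exact-amount and percentage modes, and required tag names accept wildcards (*).

```python
import fnmatch

# Constructed sample of planned changes (not a real Terraform plan); the
# fields are assumptions chosen to exercise each Guardrail rule type.
PLAN = [
    {"address": "aws_s3_bucket.logs", "action": "create", "region": "us-east-1",
     "tags": {"Environment": "dev"}, "encrypted": False, "cost_delta": 40.0},
    {"address": "aws_instance.web", "action": "create", "region": "us-west-2",
     "tags": {"Owner": "team-a"}, "encrypted": True, "cost_delta": 75.0},
]

# Rules mirroring the examples table above; the field names are assumptions.
RULES = [
    {"type": "cost", "name": "Limit cost increases", "amount": 100.0},
    {"type": "policy", "name": "Encrypt all resources"},
    {"type": "resource", "name": "Disallow resources in us-west-2",
     "actions": {"create"}, "region": "us-west-2"},
    {"type": "tag", "name": "Ensure environment tag", "required_tags": ["Environment"]},
]

def evaluate(plan, rules, current_monthly_cost=0.0):
    """Return the violation messages a Block Step would list (empty means allowed)."""
    violations = []
    for rule in rules:
        name = rule["name"]
        if rule["type"] == "cost":
            delta = sum(r["cost_delta"] for r in plan)
            # A cost rule holds either an exact amount or a percentage of current spend.
            limit = (current_monthly_cost * rule["percent"] / 100.0
                     if "percent" in rule else rule["amount"])
            if delta > limit:
                violations.append(f"{name}: cost change ${delta:.2f} exceeds ${limit:.2f}")
        elif rule["type"] == "policy":  # modelled here as an encryption check
            for r in plan:
                if not r.get("encrypted"):
                    violations.append(f"{name}: {r['address']} is not encrypted")
        elif rule["type"] == "resource":
            for r in plan:
                if r["action"] in rule["actions"] and r["region"] == rule["region"]:
                    violations.append(f"{name}: {r['action']} of {r['address']} in {r['region']}")
        elif rule["type"] == "tag":  # wildcards (*) are allowed in required tag names
            for r in plan:
                missing = [t for t in rule["required_tags"]
                           if not any(fnmatch.fnmatchcase(k, t) for k in r["tags"])]
                if missing:
                    violations.append(f"{name}: {r['address']} missing tags {missing}")
    return violations
```

Running `evaluate(PLAN, RULES)` on the constructed plan reports all four rules as violated, which is the feedback the Block Step and the PR comment would surface.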

Additional features and functionalities

Block Step

When a deployment violates one or more Guardrails, it reaches the Block Step. In the Firefly platform, you will see a list of specific violations that caused the deployment to be blocked. This provides detailed feedback on what needs to be corrected to proceed with the deployment.

Pull Request (PR) Comment

If a deployment is blocked due to Guardrail violations, a comment detailing all violations will automatically be added to the associated PR. This ensures that the team is immediately informed about the issues that need to be addressed before the deployment can be approved.

Filters

The following filters offer various options to help you manage and navigate your Guardrails effectively:

Filter: Creator
  Description: Filter Guardrails by the creator

Filter: Type
  Description: Filter Guardrails by rule type (Policy, Cost, or Resource)

Filter: Label
  Description: Filter Guardrails that apply to the label

Filter: Repository
  Description: Filter Guardrails that apply to the repository

Filter: Workspace
  Description: Filter Guardrails that apply to the workspace
