Skip to content

Instantly share code, notes, and snippets.

What would you like to do?
Using Regula and OPA to check AWS AMI IDs in Terraform (blog post) -- Rego custom rule and Terraform file
# A Terraform file to test the approved_ami.rego custom rule
# See our blog post for details:
provider "aws" {
region = "us-east-1"
resource "aws_instance" "good" {
ami = "ami-09e67e426f25ce0d7"
instance_type = "t2.micro"
resource "aws_instance" "bad" {
ami = "ami-totallylegitamiid"
instance_type = "t2.micro"
# A Rego custom rule to check AWS EC2 AMI IDs, for use with Regula
# See our blog post for details:
package rules.approved_ami
__rego__metadoc__ := {
"id": "CUSTOM_0002",
"title": "AWS EC2 instances must use approved AMIs",
"description": "Per company policy, EC2 instances may only use AMI IDs from a pre-approved list",
"custom": {
"controls": {
"severity": "High"
resource_type = "aws_instance"
approved_amis = {
# Ubuntu Server 20.04 LTS (HVM), SSD Volume Type
"ami-09e67e426f25ce0d7", # us-east-1
"ami-03d5c68bab01f3496" # us-west-2
deny[msg] {
not approved_amis[input.ami]
msg = sprintf("%s is not an approved AMI ID", [input.ami])
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment