Guardrails Pro+
Guardrails enforce infrastructure policies across your repositories, preventing unauthorized or dangerous changes from being applied.
Overview
Guardrails let you define rules that evaluate Terraform plans before they are applied. When a plan violates a guardrail, Controlinfra can block the apply, warn the user, or require approval — depending on the enforcement mode.
Creating a Guardrail
- Navigate to Guardrails from the main navigation
- Click Create Guardrail
- Configure the guardrail:
| Field | Description |
|---|---|
| Name | Descriptive name (e.g., "No Public S3 Buckets") |
| Description | What this guardrail enforces |
| Enforcement Mode | How violations are handled |
| Rules | One or more policy rules |
| Repositories | Which repos this guardrail applies to |
Enforcement Modes
Each guardrail operates in one of four enforcement modes:
| Mode | Behavior |
|---|---|
| Block | Prevents the apply from proceeding. The drift fix or apply is rejected. |
| Warn | Allows the apply but flags the violation in the UI and notifications. |
| Dry Run | Evaluates the guardrail and logs results without affecting the apply. Useful for testing new rules. |
| Require Approval | Pauses the apply until an authorized user approves or rejects it. |
TIP
Start with Dry Run mode when creating new guardrails. Review the evaluation results for a few days before switching to Warn or Block.
Rules
Each guardrail contains one or more rules. A guardrail is violated if any rule triggers (OR logic).
Rule Structure
Rules evaluate Terraform plan attributes:
Resource Type: aws_s3_bucket
Attribute: acl
Operator: equals
Value: public-read
Supported Operators
| Operator | Description | Example |
|---|---|---|
| equals | Exact match | acl equals "public-read" |
| not_equals | Not an exact match | engine not_equals "mysql" |
| contains | String contains | name contains "prod" |
| not_contains | String does not contain | tags not_contains "temporary" |
| regex | Regular expression match | name regex "^prod-.*" |
| exists | Attribute is present | encryption exists |
| not_exists | Attribute is absent | logging not_exists |
| greater_than | Numeric comparison | instance_count greater_than 10 |
| less_than | Numeric comparison | retention_days less_than 30 |
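As an added worked example (not Controlinfra's own code), the following Python evaluates the rule structure and operators above against a plan in `terraform show -json` shape, applies OR logic across a guardrail's rules, and maps a violation to the action each enforcement mode implies. The sample plan, the two guardrail definitions, the action names, and the handling of `contains` on maps and lists are assumptions made for this example.

```python
import re
from typing import Any

# Enforcement modes from the table above, mapped to action names chosen for this
# example (Controlinfra's internal action names are not documented on this page).
MODE_ACTIONS = {"Block": "reject", "Warn": "allow_and_flag",
                "Dry Run": "log_only", "Require Approval": "pause_for_approval"}

MISSING = object()  # sentinel: attribute not present on the planned resource


def get_attr(after: dict, path: str) -> Any:
    """Resolve a dotted attribute path in a resource's planned 'after' state."""
    cur: Any = after
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return MISSING
        cur = cur[part]
    return cur


def _contains(actual: Any, needle: Any) -> bool:
    # Assumption: substring match on strings, membership on lists, key membership
    # on maps (so `tags not_contains "temporary"` checks tag keys).
    if isinstance(actual, str):
        return str(needle) in actual
    return needle in actual if isinstance(actual, (list, dict)) else False


def rule_triggers(rule: dict, after: dict) -> bool:
    """True when a single rule matches a resource's planned attributes."""
    op, expected = rule["operator"], rule.get("value")
    actual = get_attr(after, rule["attribute"])
    if op == "exists":
        return actual is not MISSING
    if op == "not_exists":
        return actual is MISSING
    if actual is MISSING:
        return False  # value comparisons cannot trigger on an absent attribute
    if op == "equals":
        return actual == expected
    if op == "not_equals":
        return actual != expected
    if op == "contains":
        return _contains(actual, expected)
    if op == "not_contains":
        return not _contains(actual, expected)
    if op == "regex":
        return re.search(str(expected), str(actual)) is not None
    if op in ("greater_than", "less_than"):
        try:
            a, e = float(actual), float(expected)
        except (TypeError, ValueError):
            return False  # non-numeric attribute or rule value
        return a > e if op == "greater_than" else a < e
    raise ValueError(f"unsupported operator: {op}")


def evaluate_guardrail(guardrail: dict, plan: dict) -> dict:
    """Apply every rule to every planned change; any match violates (OR logic)."""
    triggered = []
    for change in plan.get("resource_changes", []):
        after = change.get("change", {}).get("after")
        if after is None:  # destroy-only changes carry no planned attributes
            continue
        for i, rule in enumerate(guardrail["rules"]):
            if change["type"] == rule["resource_type"] and rule_triggers(rule, after):
                triggered.append((change["address"], i))
    violated = bool(triggered)
    return {"guardrail": guardrail["name"], "violated": violated, "triggered": triggered,
            "action": MODE_ACTIONS[guardrail["mode"]] if violated else "proceed"}


# Constructed sample plan in `terraform show -json` shape (not from a real run).
SAMPLE_PLAN = {"resource_changes": [
    {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket", "change": {"actions": ["create"],
     "after": {"bucket": "prod-logs", "acl": "public-read", "tags": {"env": "prod"}}}},
    {"address": "aws_db_instance.main", "type": "aws_db_instance", "change": {"actions": ["update"],
     "after": {"engine": "postgres", "backup_retention_period": 7, "storage_encrypted": True}}},
    {"address": "aws_instance.old", "type": "aws_instance", "change": {"actions": ["delete"], "after": None}},
]}

# Two constructed guardrails: one enforced in Block mode, one still in Dry Run.
NO_PUBLIC_S3 = {"name": "No Public S3 Buckets", "mode": "Block", "rules": [
    {"resource_type": "aws_s3_bucket", "attribute": "acl", "operator": "equals", "value": "public-read"}]}
RDS_HYGIENE = {"name": "RDS Hygiene", "mode": "Dry Run", "rules": [
    {"resource_type": "aws_db_instance", "attribute": "backup_retention_period",
     "operator": "less_than", "value": 30},
    {"resource_type": "aws_db_instance", "attribute": "storage_encrypted", "operator": "not_exists"}]}

if __name__ == "__main__":
    for g in (NO_PUBLIC_S3, RDS_HYGIENE):
        print(evaluate_guardrail(g, SAMPLE_PLAN))
```

Note the two asymmetries the operator table leaves implicit and this example makes explicit: `exists`/`not_exists` are the only operators that can fire on an absent attribute, and a Dry Run violation still records which rule triggered so the result can be reviewed before the mode is tightened.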
Templates
Controlinfra provides built-in guardrail templates for common policies:
| Template | Description |
|---|---|
| No Public S3 Buckets | Blocks S3 buckets with public ACLs or public access |
| Enforce Encryption | Requires encryption on RDS, S3, EBS, and EFS |
| Restrict Instance Types | Limits EC2 instance types to an approved list |
| Require Tags | Enforces mandatory tags on all resources |
| No Wildcard IAM | Blocks IAM policies with * actions or resources |
| Restrict Regions | Limits resource creation to approved AWS regions |
To use a template:
- Go to Guardrails → Templates
- Select a template
- Customize the rules if needed
- Set the enforcement mode
- Deploy to repositories
Deploying Guardrails
After creating a guardrail, deploy it to one or more repositories:
- Open the guardrail detail page
- Click Deploy
- Select target repositories
- Confirm deployment
Once deployed, the guardrail evaluates every Terraform plan in those repositories.
Undeploying
To remove a guardrail from repositories:
- Open the guardrail detail page
- Click Undeploy
- Select repositories to remove
- Confirm
Break-Glass Bypass
In emergency situations, authorized users can bypass guardrails:
WARNING
Break-glass bypass is logged in the audit trail and triggers notifications to all org admins. Use only for genuine emergencies.
To bypass a blocked apply:
- On the blocked apply screen, click Request Break-Glass Bypass
- Provide a justification reason
- An admin or owner must approve the bypass
- The apply proceeds with the guardrail violation logged
Event Monitoring
All guardrail evaluations are logged and visible in the Guardrails Events section:
- Passed: Plan met all guardrail requirements
- Violated: Plan triggered one or more rules
- Bypassed: Violation was bypassed via break-glass
Events include:
- Timestamp
- Repository and workspace
- Guardrail name and rules triggered
- Enforcement action taken
- User who initiated the plan
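As an added example of the review step these events support (not Controlinfra's own code), the following Python summarises a window of guardrail events by result, surfaces repositories where the same guardrail is violated repeatedly, and lists every break-glass bypass together with whether a justification was recorded. The event records are constructed here in the field layout listed above; the `justification` field is an assumption, since the break-glass flow collects one but the event field list on this page does not name it.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample events in the field layout listed above (not real data).
SAMPLE_EVENTS = [
    {"timestamp": "2024-05-06T09:00:00Z", "repository": "infra-core", "workspace": "prod",
     "guardrail": "No Public S3 Buckets", "rules_triggered": [], "result": "Passed",
     "action": "proceed", "user": "alice"},
    {"timestamp": "2024-05-06T10:00:00Z", "repository": "infra-core", "workspace": "prod",
     "guardrail": "Require Tags", "rules_triggered": [0], "result": "Violated",
     "action": "warn", "user": "bob"},
    {"timestamp": "2024-05-07T10:00:00Z", "repository": "infra-core", "workspace": "prod",
     "guardrail": "Require Tags", "rules_triggered": [0], "result": "Violated",
     "action": "warn", "user": "bob"},
    {"timestamp": "2024-05-08T10:00:00Z", "repository": "infra-core", "workspace": "staging",
     "guardrail": "Require Tags", "rules_triggered": [0], "result": "Violated",
     "action": "warn", "user": "carol"},
    # 'justification' is an assumed field carrying the break-glass reason.
    {"timestamp": "2024-05-08T15:00:00Z", "repository": "data-platform", "workspace": "prod",
     "guardrail": "No Wildcard IAM", "rules_triggered": [0], "result": "Bypassed",
     "action": "bypassed", "user": "dave", "justification": "incident ticket INC-PLACEHOLDER"},
    {"timestamp": "2024-04-01T15:00:00Z", "repository": "data-platform", "workspace": "prod",
     "guardrail": "No Wildcard IAM", "rules_triggered": [0], "result": "Bypassed",
     "action": "bypassed", "user": "dave", "justification": ""},
]


def parse_ts(ts: str) -> datetime:
    """Parse the 'Z'-suffixed ISO-8601 timestamps used in the sample events."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def review_events(events, now_iso: str, window_days: int = 7, threshold: int = 3) -> dict:
    """Summarise events inside the window: totals by result, (repository, guardrail)
    pairs violated at least `threshold` times, and every bypass with a flag for a
    missing justification."""
    cutoff = parse_ts(now_iso) - timedelta(days=window_days)
    recent = [e for e in events if parse_ts(e["timestamp"]) >= cutoff]
    totals = Counter(e["result"] for e in recent)
    violations = Counter((e["repository"], e["guardrail"])
                         for e in recent if e["result"] == "Violated")
    frequent = {key: n for key, n in violations.items() if n >= threshold}
    bypasses = [{"timestamp": e["timestamp"], "user": e["user"], "repository": e["repository"],
                 "guardrail": e["guardrail"],
                 "justification_missing": not e.get("justification", "").strip()}
                for e in recent if e["result"] == "Bypassed"]
    return {"totals": dict(totals), "frequent_violations": frequent, "bypasses": bypasses}


if __name__ == "__main__":
    summary = review_events(SAMPLE_EVENTS, "2024-05-09T00:00:00Z")
    for (repo, guardrail), n in summary["frequent_violations"].items():
        print(f"{repo}: '{guardrail}' violated {n} times in the window; check the process, not just the plans")
    for b in summary["bypasses"]:
        flag = " (no justification recorded)" if b["justification_missing"] else ""
        print(f"break-glass by {b['user']} on {b['repository']} / {b['guardrail']}{flag}")
```

Grouping violations by repository and guardrail rather than by workspace is a deliberate choice: the same Warn-mode rule tripping across several workspaces of one repository points at a missing step in that repository's process, which is the pattern the best practice on reviewing events is meant to catch.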
Best Practices
- Start with Dry Run — Test guardrails before enforcing them
- Use templates — Build on proven patterns rather than starting from scratch
- Layer enforcement — Use Warn for guidelines, Block for hard requirements
- Review events regularly — Monitor for frequent violations that may indicate process gaps
- Document justifications — When using break-glass, always provide clear reasons