AI for Infrastructure as Code

Policy-as-Code Rule Authoring from a Governance Requirement Prompt

Translate a written governance or compliance requirement into enforceable policy-as-code rules — choosing the right engine (OPA/Rego, Sentinel, Checkov, cfn-guard, Kyverno) and writing the rule with clear messages, tests, and a graduated rollout.

Target user
Cloud governance and platform security engineers
Difficulty
Advanced
Tools
Claude, ChatGPT

The prompt

You are a cloud governance engineer who turns a plain-English policy requirement into enforceable policy-as-code that gates IaC before it ships.

I will provide:
- The governance/compliance requirement in prose (e.g. "all object storage must be encrypted and block public access", "no security group may allow 0.0.0.0/0 to SSH")
- Our IaC tool(s) and what the policy engine evaluates against (plan JSON, the IaC source, or admission at runtime)
- Which policy engine we run, or "recommend one" if undecided (OPA/Conftest, Sentinel, Checkov, cfn-guard, Kyverno)

Your job:

1. **Make the requirement testable** — restate the prose rule as a precise, machine-checkable assertion, listing exactly which resource types and attributes it covers and where the line between pass and fail sits.
2. **Pick the engine and input** — recommend the engine and the artifact to evaluate (plan output vs. source vs. admission), and explain why that catches the violation at the right stage.
3. **Write the rule** — produce the policy code with a clear deny/violation message that tells the developer the resource, the rule, and how to fix it — not just "policy failed".
4. **Cover the edge cases** — handle resources the rule shouldn't apply to, intentional exemptions (with an annotation/waiver mechanism and an owner), and partial/unknown plan values.
5. **Test the policy** — provide passing and failing fixtures and the command to run them, so the rule itself is covered.
6. **Roll out without blocking everyone** — propose a graduated path: warn → soft-fail on new resources → hard enforce, plus how to surface and burn down existing violations.

Output as: (a) the testable rule statement, (b) engine choice + rationale, (c) the policy code with fixtures and run command, (d) the exemption mechanism, (e) the staged enforcement plan.
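What a complete answer to this prompt looks like for the second sample requirement ("no security group may allow 0.0.0.0/0 to SSH"), as an added example that is not part of the prompt page: a Conftest/OPA policy evaluated against Terraform plan JSON (`terraform show -json tfplan > plan.json`), with a fix-oriented deny message, a tag-based waiver that requires an owner, a warning for values unknown until apply, and passing and failing fixtures in a second file. The AWS `aws_security_group` resource with inline `ingress` blocks, the tag names `policy_waiver` and `policy_waiver_owner`, and the rule id `SG-SSH-001` are assumptions made for the example.

```rego
# --- policy/sg_ssh.rego ---
# Run: conftest test plan.json -p policy/ --namespace terraform.sg_ssh
# Assumptions (not from the page): AWS aws_security_group with inline ingress
# blocks, waiver tags policy_waiver / policy_waiver_owner, rule id SG-SSH-001.
package terraform.sg_ssh

import rego.v1

ssh_port := 22
anywhere := {"0.0.0.0/0", "::/0"}

# Security groups the plan will create or update; destroys are out of scope.
changed_sgs contains rc if {
	some rc in input.resource_changes
	rc.type == "aws_security_group"
	some action in rc.change.actions
	action in {"create", "update"}
}

# A waiver counts only when both a ticket reference and an owner are tagged.
waived(rc) if {
	rc.change.after.tags.policy_waiver != ""
	rc.change.after.tags.policy_waiver_owner != ""
}

# "-1" means all protocols and ports, so it covers SSH whatever the port fields say.
covers_ssh(rule) if rule.protocol == "-1"

covers_ssh(rule) if {
	rule.protocol == "tcp"
	rule.from_port <= ssh_port
	rule.to_port >= ssh_port
}

# Iterating over a null or missing list is simply undefined in Rego,
# so an ingress block without cidr_blocks never raises an error.
open_source(rule) if {
	some cidr in rule.cidr_blocks
	cidr in anywhere
}

open_source(rule) if {
	some cidr in rule.ipv6_cidr_blocks
	cidr in anywhere
}

deny contains msg if {
	some rc in changed_sgs
	not waived(rc)
	some rule in rc.change.after.ingress
	covers_ssh(rule)
	open_source(rule)
	msg := sprintf(
		"%s: ingress %v-%v/%s from %v exposes SSH to the internet [SG-SSH-001]. Restrict the source to a bastion or VPN CIDR, or tag the resource with policy_waiver (ticket) and policy_waiver_owner.",
		[rc.address, rule.from_port, rule.to_port, rule.protocol, rule.cidr_blocks]
	)
}

# Ingress computed from other resources is absent from `after` and marked in
# `after_unknown`; surface it instead of letting it pass silently.
warn contains msg if {
	some rc in changed_sgs
	not waived(rc)
	rc.change.after_unknown.ingress == true
	msg := sprintf("%s: ingress is not known until apply; SG-SSH-001 could not be evaluated", [rc.address])
}

# --- policy/sg_ssh_test.rego --- (constructed fixtures; run: conftest verify -p policy/)
package terraform.sg_ssh

import rego.v1

# Builds a minimal plan with one security group carrying the given ingress and tags.
sg(ingress, tags) := {"resource_changes": [{
	"address": "aws_security_group.web",
	"type": "aws_security_group",
	"change": {"actions": ["create"], "after": {"ingress": ingress, "tags": tags}, "after_unknown": {}}
}]}

open_ssh := {"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"], "ipv6_cidr_blocks": []}

test_ssh_from_anywhere_is_denied if {
	count(deny) == 1 with input as sg([open_ssh], {})
}

test_ssh_from_vpn_range_passes if {
	count(deny) == 0 with input as sg([object.union(open_ssh, {"cidr_blocks": ["10.8.0.0/16"]})], {})
}

test_all_traffic_rule_is_denied if {
	count(deny) == 1 with input as sg([{"from_port": 0, "to_port": 0, "protocol": "-1", "cidr_blocks": ["0.0.0.0/0"]}], {})
}

test_waiver_with_owner_passes if {
	count(deny) == 0 with input as sg([open_ssh], {"policy_waiver": "SEC-1234", "policy_waiver_owner": "platform-team"})
}
```

For the graduated rollout in step 6, the same rule can start life as a `warn` rule (Conftest reports warnings without failing the run unless `--fail-on-warn` is passed), be switched to `deny` once the existing violations are inventoried and waived or fixed, and the `changed_sgs` filter already limits enforcement to resources the plan touches, so untouched legacy resources are reported through a separate burn-down scan rather than blocking unrelated changes.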
