Policy-as-Code Rule Authoring from a Governance Requirement Prompt
Translate a written governance or compliance requirement into enforceable policy-as-code rules — choosing the right engine (OPA/Rego, Sentinel, Checkov, cfn-guard, Kyverno) and writing the rule with clear messages, tests, and a graduated rollout.
- Target user: Cloud governance and platform security engineers
- Difficulty: Advanced
- Tools: Claude, ChatGPT
The prompt
You are a cloud governance engineer who turns a plain-English policy requirement into enforceable policy-as-code that gates IaC before it ships.

I will provide:

- The governance/compliance requirement in prose (e.g. "all object storage must be encrypted and block public access", "no security group may allow 0.0.0.0/0 to SSH")
- Our IaC tool(s) and what the policy engine evaluates against (plan JSON, the IaC source, or admission at runtime)
- Which policy engine we run, or "recommend one" if undecided (OPA/Conftest, Sentinel, Checkov, cfn-guard, Kyverno)

Your job:

1. **Make the requirement testable** — restate the prose rule as a precise, machine-checkable assertion, listing exactly which resource types and attributes it covers and where the line between pass and fail sits.
2. **Pick the engine and input** — recommend the engine and the artifact to evaluate (plan output vs. source vs. admission), and explain why that catches the violation at the right stage.
3. **Write the rule** — produce the policy code with a clear deny/violation message that tells the developer the resource, the rule, and how to fix it — not just "policy failed".
4. **Cover the edge cases** — handle resources the rule shouldn't apply to, intentional exemptions (with an annotation/waiver mechanism and an owner), and partial/unknown plan values.
5. **Test the policy** — provide passing and failing fixtures and the command to run them, so the rule itself is covered.
6. **Roll out without blocking everyone** — propose a graduated path: warn → soft-fail on new resources → hard enforce, plus how to surface and burn down existing violations.

Output as: (a) the testable rule statement, (b) engine choice + rationale, (c) the policy code with fixtures and run command, (d) the exemption mechanism, (e) the staged enforcement plan.
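As an added illustration of what steps 3 to 5 of the prompt should yield for the second sample requirement ("no security group may allow 0.0.0.0/0 to SSH"), here is a Conftest/Rego policy over a Terraform plan JSON (`terraform show -json`) with a deny message that names the resource and the fix, a tag-based waiver with an owner, a warn path for values unknown until apply, and inline fixtures. This is example code written for this page, not output of the prompt or any project; the waiver tag names `policy-waiver` and `policy-waiver-owner` are a hypothetical scheme, and it assumes an OPA/Conftest release that accepts `import rego.v1`.

```rego
package main
import rego.v1

# Testable restatement: no aws_security_group being created or updated may have an
# ingress rule reaching TCP/22 from 0.0.0.0/0 or ::/0, unless it carries a waiver tag with an owner.
ssh_port := 22
sg_changes contains rc if {
	some rc in input.resource_changes
	rc.type == "aws_security_group"
	rc.change.actions[_] in {"create", "update"}  # deletions are out of scope
}
# Hypothetical waiver scheme: both tags are required for an exemption.
exempt(rc) if {
	rc.change.after.tags["policy-waiver"] == "sg-ssh-world"
	count(rc.change.after.tags["policy-waiver-owner"]) > 0
}
open_to_world(ing) if "0.0.0.0/0" in ing.cidr_blocks
open_to_world(ing) if "::/0" in ing.ipv6_cidr_blocks
covers_ssh(ing) if ing.protocol == "-1"  # "-1" means all protocols and all ports
covers_ssh(ing) if {
	ing.protocol == "tcp"
	ing.from_port <= ssh_port
	ing.to_port >= ssh_port
}

# The deny message names the resource, the offending rule and how to fix it.
deny contains msg if {
	some rc in sg_changes
	not exempt(rc)
	some ing in rc.change.after.ingress
	open_to_world(ing)
	covers_ssh(ing)
	msg := sprintf("%s: ingress %v-%v/%s is reachable from the world and includes SSH (22); restrict cidr_blocks to a bastion or VPN range, or add the policy-waiver tags with an owner", [rc.address, ing.from_port, ing.to_port, ing.protocol])
}
# Ingress computed at apply time cannot be judged from the plan: warn, do not block.
warn contains msg if {
	some rc in sg_changes
	rc.change.after_unknown.ingress == true
	msg := sprintf("%s: ingress is unknown until apply; pin cidr_blocks to literals or re-check after apply", [rc.address])
}

# Constructed fixtures: `conftest verify -p .` runs these tests; `conftest test plan.json -p .` gates a real plan.
open_sg := {"address": "aws_security_group.web", "type": "aws_security_group", "change": {"actions": ["create"], "after_unknown": {}, "after": {"tags": {}, "ingress": [{"protocol": "tcp", "from_port": 22, "to_port": 22, "cidr_blocks": ["0.0.0.0/0"], "ipv6_cidr_blocks": []}]}}}
test_world_ssh_denied if {
	count(deny) == 1 with input as {"resource_changes": [open_sg]}
}
test_waiver_exempts if {
	waived := json.patch(open_sg, [{"op": "replace", "path": "/change/after/tags", "value": {"policy-waiver": "sg-ssh-world", "policy-waiver-owner": "team-infra"}}])
	count(deny) == 0 with input as {"resource_changes": [waived]}
}
```

For the graduated rollout in step 6, the same rule can start life as `warn` and be renamed to `deny` once the existing violations have been waived or fixed.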
Related prompts
- Terraform / IaC Misconfiguration Scan Triage Prompt
  Triage and remediate findings from tfsec, Checkov, or Trivy IaC scans across Terraform/CloudFormation — separate real risk from noise, write fixes, and add policy-as-code guardrails.
- Policy-as-Code with OPA & Conftest Prompt
  Author Rego policies that gate IaC in CI — Conftest against Terraform plans, Kubernetes manifests, and Dockerfiles — with clear messages, exemptions, and a graduated enforce strategy that doesn't block every PR on day one.