Policy Language Basics
Learn the common patterns and syntax used in policy definitions across different tools
Policy Language Syntax Comparison Tutorial: Rego vs Sentinel vs Cedar
Policy languages are domain-specific languages designed to express rules, constraints, and governance requirements in a structured, machine-readable format. Different tools use different syntax, but they all share common patterns and concepts.
Key Concepts
Understanding these fundamental concepts will help you learn any policy language more effectively.
Declarative: describe what should be true, not how to achieve it
Conditions: logic that determines when rules apply
Actions: what happens when conditions are met or violated
Scope: which resources or contexts the policy applies to
Rego Policy Language Tutorial: Open Policy Agent Syntax Guide
Rego is OPA's declarative query language. It's designed to be expressive yet safe for untrusted policies.
Basic Rego Structure
Example Code
# Package declaration - organizes policies
package aws.ec2.security

# Import statements for reusable logic and newer keywords
# (`if` and `in` are future keywords in OPA < 1.0; `import rego.v1` also works on 0.59+)
import future.keywords.if
import future.keywords.in

# Default decision (optional): the value `allow` takes when no body matches
default allow := false

# Rule with conditions
allow if {
    input.resource_type == "aws_instance"
    input.instance_type in ["t3.micro", "t3.small"]
    has_security_group
}

# Helper rule: true when at least one security group is attached
has_security_group if {
    input.security_groups[_]
}

Syntax Breakdown
package - Namespace for the policy
default - Value a rule takes when none of its bodies match
if - Conditions that must be true
input - Data being evaluated
_ - Wildcard/anonymous variable
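An added example, not from the original page: unit tests for the policy above, run with `opa test .` from a directory holding both files. It assumes the policy file imports `future.keywords.if` as well as `future.keywords.in` (or `rego.v1` on OPA 0.59+); the security group id is a constructed sample value.

```rego
# security_test.rego - added example, not part of the original page
package aws.ec2.security_test

import future.keywords.if
import data.aws.ec2.security

# Constructed sample input that satisfies every condition of `allow`
compliant_instance := {
    "resource_type": "aws_instance",
    "instance_type": "t3.micro",
    "security_groups": ["sg-0a1b2c3d"]
}

# `default allow := false` is what you get when nothing matches, even on empty input
test_default_is_deny if {
    not security.allow with input as {}
}

test_allow_small_instance_with_security_group if {
    security.allow with input as compliant_instance
}

# instance_type outside the allowed list: the `in` check fails, so allow stays false
test_deny_large_instance_type if {
    bad := object.union(compliant_instance, {"instance_type": "m5.large"})
    not security.allow with input as bad
}

# has_security_group needs at least one element for the `_` wildcard to bind
test_deny_without_security_groups if {
    bad := object.union(compliant_instance, {"security_groups": []})
    not security.allow with input as bad
}

# A different resource type is out of scope: no rule body matches, allow stays false
test_deny_other_resource_type if {
    bad := object.union(compliant_instance, {"resource_type": "aws_s3_bucket"})
    not security.allow with input as bad
}
```

Each test is a rule whose name starts with `test_`; `with input as` swaps in the constructed document for that one evaluation, so the compliant and non-compliant cases run against the same policy without touching any real data.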
Azure Policy Language Tutorial: JSON Examples and Best Practices
Azure Policy uses JSON-based definitions with logical operators and functions. The `if` block selects the resources the policy applies to and the `then` block names the effect. Note that the `deny` effect carries no message of its own: the text users see comes from the definition's `description` or from the assignment's `nonComplianceMessages`.
Azure Policy Structure
Example Code
{
  "properties": {
    "displayName": "Require blob encryption on storage accounts",
    "description": "Storage account must have blob encryption enabled",
    "mode": "Indexed",
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Storage/storageAccounts"
          },
          {
            "not": {
              "field": "Microsoft.Storage/storageAccounts/encryption.services.blob.enabled",
              "equals": "true"
            }
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}

Key Elements
if - Condition block
allOf / anyOf - Logical operators
field - Resource property to check
then - Action to take
effect - Policy enforcement mode
Declarative Policy Language Tutorial Step by Step: Common Patterns

Resource Filtering
Select specific resource types or properties to evaluate
Rego: input.resource_type == "aws_s3_bucket"
Azure: field: type, equals: Microsoft.Storage/storageAccounts

Required Properties
Ensure specific properties exist and have correct values
Rego: input.encryption.enabled == true
Azure: field: encryption.enabled, equals: true

Forbidden Values
Block certain configurations or values
Rego: not input.public_access_block.block_public_acls
Azure: not: field publicAccess equals enabled

Allowed Lists
Restrict values to approved options
Rego: input.region in allowed_regions
Azure: field: location, in: [eastus, westus2]

Policy Language Best Practices Guide: Learning Policy Languages from Scratch
Clear Naming
Use descriptive names for policies, rules, and variables
Bad: rule1, check_stuff
Good: require_s3_encryption, block_public_access

Specific Conditions
Make conditions as specific as possible to avoid false positives
Bad: input.type == "storage"
Good: input.resource_type == "aws_s3_bucket"

Helpful Messages
Provide clear, actionable error messages
Bad: "Policy violation"
Good: "S3 bucket must enable server-side encryption with AES256 or KMS"

Test Early
Test policies with sample data before deploying
Bad: Deploy untested policies to production
Good: Create test cases for both compliant and non-compliant resources
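As an added example that is not part of the original page, the four common patterns (resource filtering, required properties, forbidden values, allowed lists) written as one Rego policy in the deny-with-message style, with the descriptive names, actionable messages and compliant/non-compliant test cases the best practices above call for. The bucket fields, region names and algorithm values are constructed for illustration; run it with `opa test s3.rego`.

```rego
# s3.rego - added example, not part of the original page
package aws.s3.security

import future.keywords.contains
import future.keywords.if
import future.keywords.in

# Allowed list: approved options are data, not scattered literals (constructed values)
allowed_regions := {"us-east-1", "us-west-2"}

# Resource filtering: every deny rule below only fires for S3 buckets
is_s3_bucket if input.resource_type == "aws_s3_bucket"

# Required property: server-side encryption with an approved algorithm
encryption_ok if input.encryption.sse_algorithm in {"AES256", "aws:kms"}

# Forbidden value: public ACLs must be blocked
public_acls_blocked if input.public_access_block.block_public_acls == true

region_allowed if input.region in allowed_regions

# `not helper` is true both when the property is false and when it is missing,
# so a bucket that omits the field entirely is also reported.
deny contains msg if {
    is_s3_bucket
    not encryption_ok
    msg := "S3 bucket must enable server-side encryption with AES256 or KMS"
}

deny contains msg if {
    is_s3_bucket
    not public_acls_blocked
    msg := "S3 bucket must set public_access_block.block_public_acls to true"
}

deny contains msg if {
    is_s3_bucket
    not region_allowed
    msg := sprintf("S3 bucket must be created in an approved region (%s)", [concat(", ", sort(allowed_regions))])
}

# Test cases: one compliant resource, one that violates all three rules, one out of scope
compliant_bucket := {
    "resource_type": "aws_s3_bucket",
    "region": "us-east-1",
    "encryption": {"sse_algorithm": "aws:kms"},
    "public_access_block": {"block_public_acls": true}
}

test_compliant_bucket_has_no_denials if {
    count(deny) == 0 with input as compliant_bucket
}

test_unencrypted_public_bucket_in_unapproved_region if {
    bad := {
        "resource_type": "aws_s3_bucket",
        "region": "eu-central-1",
        "public_access_block": {"block_public_acls": false}
    }
    msgs := deny with input as bad
    count(msgs) == 3
    "S3 bucket must enable server-side encryption with AES256 or KMS" in msgs
    "S3 bucket must be created in an approved region (us-east-1, us-west-2)" in msgs
}

test_non_s3_resource_is_out_of_scope if {
    count(deny) == 0 with input as {"resource_type": "aws_instance"}
}
```

Because `deny` is a set, a resource collects every message that applies instead of stopping at the first failure, which is what an operator needs to fix a misconfiguration in one pass; the `is_s3_bucket` guard at the top of each rule is the filtering pattern that keeps these rules from firing on unrelated resource types.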