Operational Rules Catalog
All 7 rules are available in the compliance.tf registry. Each rule is applied during terraform init. No forks, no wrapper modules.
Prevent Destroy Data: Adds prevent_destroy = true to data-bearing resources. Blocks accidental deletion of S3 buckets, RDS instances, DynamoDB tables, and EFS file systems.

Ignore Tag Changes: Adds ignore_changes for tags and tags_all on all resources. Prevents Terraform from reverting tags managed by AWS Config, Service Catalog, or external automation.

Ignore Autoscaling Changes: Adds ignore_changes for read_capacity and write_capacity on DynamoDB tables. Prevents Terraform from reverting autoscaler adjustments on every plan.

Ignore AMI Changes: Adds ignore_changes for the ami attribute on EC2 instances. Prevents Terraform from forcing instance replacement when an AMI lookup resolves to a newer image.

Prevent Destroy Encryption: Adds prevent_destroy = true to encryption key resources. Protects KMS keys and Secrets Manager secrets from accidental deletion.

No Provisioners: Removes all provisioner blocks from all resources. Provisioners bypass the declarative model and introduce hidden side effects.

Restrict Instance Types: Denies GPU and specialty EC2 instance types (p3, p4, x1, x2, u-*). Prevents surprise compute bills from expensive instance families.
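To make the rule descriptions concrete, here is an added example (constructed for this page, not code from compliance.tf) showing what a module looks like before and after the lifecycle-oriented rules are applied. The resource names, the bucket and table values, and the exact shape of the rewritten blocks are assumptions; the page only states which attributes each rule touches. The instance-type check at the end is one way such a deny could be expressed with a native Terraform precondition, not a claim about how the registry implements it.

```hcl
# BEFORE: a module as an author might write it. The S3 bucket has no
# lifecycle protection, the DynamoDB table carries a provisioner, and the
# EC2 instance would be replaced whenever the AMI lookup changes.
resource "aws_s3_bucket" "data_before" {
  bucket = "example-data-bucket"   # constructed value
  tags   = { team = "platform" }
}

resource "aws_dynamodb_table" "orders_before" {
  name           = "orders"        # constructed value
  billing_mode   = "PROVISIONED"
  read_capacity  = 5
  write_capacity = 5
  hash_key       = "id"

  attribute {
    name = "id"
    type = "S"
  }

  # "No Provisioners" removes blocks like this one.
  provisioner "local-exec" {
    command = "echo table created"
  }
}

# AFTER: the same resources with the rule transformations in place.
resource "aws_s3_bucket" "data_after" {
  bucket = "example-data-bucket"
  tags   = { team = "platform" }

  lifecycle {
    # Prevent Destroy Data: a plan that would delete this bucket fails.
    prevent_destroy = true
    # Ignore Tag Changes: tags set by AWS Config or Service Catalog are left alone.
    ignore_changes = [tags, tags_all]
  }
}

resource "aws_dynamodb_table" "orders_after" {
  name           = "orders"
  billing_mode   = "PROVISIONED"
  read_capacity  = 5
  write_capacity = 5
  hash_key       = "id"

  attribute {
    name = "id"
    type = "S"
  }

  lifecycle {
    prevent_destroy = true
    # Ignore Autoscaling Changes: capacity adjusted by the autoscaler is not reverted.
    ignore_changes = [tags, tags_all, read_capacity, write_capacity]
  }
}

# Restrict Instance Types, expressed here as a precondition (assumed form).
variable "instance_type" {
  type    = string
  default = "t3.small"
}

resource "aws_instance" "app_after" {
  ami           = "ami-0123456789abcdef0"   # placeholder AMI id
  instance_type = var.instance_type

  lifecycle {
    # Ignore AMI Changes: a newer AMI from a data lookup no longer forces replacement.
    ignore_changes = [ami, tags, tags_all]

    precondition {
      condition     = !can(regex("^(p3|p4|x1|x2|u-)", var.instance_type))
      error_message = "GPU and specialty instance families (p3, p4, x1, x2, u-*) are denied."
    }
  }
}
```

Running terraform plan against the "after" form with instance_type = "p3.2xlarge" stops at the precondition before any resource is created, and terraform destroy fails on the bucket and table until prevent_destroy is removed, which is the intended friction.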
How rules are applied
Rules are applied server-side during terraform init, at the same time as compliance controls. The downloaded module is standard Terraform HCL with the rule transformations already in place. See How rules work for the full flow.
Configuring rules for your organization
Org admins control which rules are enabled by default. See the Getting Started guide for setup instructions.