> For the complete documentation index, see [llms.txt](https://docs.gomboc.ai/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.gomboc.ai/orl/agent-skills/examples/multiple-environment-rule.md). # Multiple Environments Apply different AMI allowlists per environment in a single rule. This example uses `vars.custom.account_id` to select Prod, Staging, or Dev. ## Prompt The following can be used with the [gomboc-enterprise-skills](/orl/agent-skills/gomboc-enterprise-skills.md). ```markdown /gomboc:fix I want to create an ORL rule that checks that the AMI used for EC2 instances, launch configurations, or launch templates is one of the following AMIs, based on environment: - Prod (129483756201): - ami-0a1b2c3d4e5f67890 - ami-0987654321fedcba0 - ami-0ff11223344556677 - ami-0abcdef1234567890 - ami-0123456789abcdef0 - Staging (884920193475): - ami-0a1b2c3d4e5f6g7h8 - ami-1234567890abcdef0 - ami-9876543210fedcba9 - ami-z9y8x7w6v5u4t3s2r - ami-f0e1d2c3b4a596877 - Dev (340912837456): - ami-0a1b2c3d4e5f6g7h8 - ami-08e1a47b2c9f3d6a1 - ami-0c5f8d2e1b4a79362 - ami-0fb92e1d7c4b3a850 - ami-0d6a2f4c1e9b7a3d8 Do not remediate. Audit only, using an error message that lists the valid AMIs for the detected environment. **Important**: The account ID SHOULD be provided via `vars.custom.account_id`. If that is not defined then assume `Prod`. ``` {% hint style="info" %} Use `/gomboc-community:fix` if you have the [gomboc-community-skills](/orl/agent-skills/gomboc-community-skills.md) installed. {% endhint %} Include the full allowlist for each environment and specify a default (Prod here) when `vars.custom.account_id` is unset. ## Rule Output Example ```yaml --- type: Ruleset version: v1 metadata: name: gomboc-ai/terraform/aws/approved-ami-by-environment display_name: "Approved AMI by Environment" description: |- Audits aws_instance, aws_launch_configuration, and aws_launch_template to ensure the AMI ID is from the approved list for the environment determined by vars.custom.account_id. Defaults to Prod (129483756201) when vars.custom.account_id is not set. spec: template: language: terraform audit_language: ast rules: - name: approved-ami-aws-instance audit: | {{ aResource("aws_instance", anAttribute("ami")) }} skip_finding: | let account_id = vars.custom?.account_id; let ami = $.value | trim("\""); (account_id == nil || account_id == "129483756201") && ami in ["ami-0a1b2c3d4e5f67890", "ami-0987654321fedcba0", "ami-0ff11223344556677", "ami-0abcdef1234567890", "ami-0123456789abcdef0"] || account_id == "884920193475" && ami in ["ami-0a1b2c3d4e5f6g7h8", "ami-1234567890abcdef0", "ami-9876543210fedcba9", "ami-z9y8x7w6v5u4t3s2r", "ami-f0e1d2c3b4a596877"] || account_id == "340912837456" && ami in ["ami-0a1b2c3d4e5f6g7h8", "ami-08e1a47b2c9f3d6a1", "ami-0c5f8d2e1b4a79362", "ami-0fb92e1d7c4b3a850", "ami-0d6a2f4c1e9b7a3d8"] remediation: - command: audit flags: level: ERROR value: |- aws_instance "{{ $.name | trim("\"") }}" uses AMI "{{ $.value | trim("\"") }}" which is not approved for the detected environment (account_id: {{ vars.custom?.account_id ?? "129483756201" }}). Approved AMIs for Prod (129483756201): ami-0a1b2c3d4e5f67890, ami-0987654321fedcba0, ami-0ff11223344556677, ami-0abcdef1234567890, ami-0123456789abcdef0 Approved AMIs for Staging (884920193475): ami-0a1b2c3d4e5f6g7h8, ami-1234567890abcdef0, ami-9876543210fedcba9, ami-z9y8x7w6v5u4t3s2r, ami-f0e1d2c3b4a596877 Approved AMIs for Dev (340912837456): ami-0a1b2c3d4e5f6g7h8, ami-08e1a47b2c9f3d6a1, ami-0c5f8d2e1b4a79362, ami-0fb92e1d7c4b3a850, ami-0d6a2f4c1e9b7a3d8 - name: approved-ami-launch-configuration audit: | {{ aResource("aws_launch_configuration", anAttribute("image_id")) }} skip_finding: | let account_id = vars.custom?.account_id; let ami = $.value | trim("\""); (account_id == nil || account_id == "129483756201") && ami in ["ami-0a1b2c3d4e5f67890", "ami-0987654321fedcba0", "ami-0ff11223344556677", "ami-0abcdef1234567890", "ami-0123456789abcdef0"] || account_id == "884920193475" && ami in ["ami-0a1b2c3d4e5f6g7h8", "ami-1234567890abcdef0", "ami-9876543210fedcba9", "ami-z9y8x7w6v5u4t3s2r", "ami-f0e1d2c3b4a596877"] || account_id == "340912837456" && ami in ["ami-0a1b2c3d4e5f6g7h8", "ami-08e1a47b2c9f3d6a1", "ami-0c5f8d2e1b4a79362", "ami-0fb92e1d7c4b3a850", "ami-0d6a2f4c1e9b7a3d8"] remediation: - command: audit flags: level: ERROR value: |- aws_launch_configuration "{{ $.name | trim("\"") }}" uses image_id "{{ $.value | trim("\"") }}" which is not approved for the detected environment (account_id: {{ vars.custom?.account_id ?? "129483756201" }}). Approved AMIs for Prod (129483756201): ami-0a1b2c3d4e5f67890, ami-0987654321fedcba0, ami-0ff11223344556677, ami-0abcdef1234567890, ami-0123456789abcdef0 Approved AMIs for Staging (884920193475): ami-0a1b2c3d4e5f6g7h8, ami-1234567890abcdef0, ami-9876543210fedcba9, ami-z9y8x7w6v5u4t3s2r, ami-f0e1d2c3b4a596877 Approved AMIs for Dev (340912837456): ami-0a1b2c3d4e5f6g7h8, ami-08e1a47b2c9f3d6a1, ami-0c5f8d2e1b4a79362, ami-0fb92e1d7c4b3a850, ami-0d6a2f4c1e9b7a3d8 - name: approved-ami-launch-template audit: | {{ aResource("aws_launch_template", anAttribute("image_id")) }} skip_finding: | let account_id = vars.custom?.account_id; let ami = $.value | trim("\""); (account_id == nil || account_id == "129483756201") && ami in ["ami-0a1b2c3d4e5f67890", "ami-0987654321fedcba0", "ami-0ff11223344556677", "ami-0abcdef1234567890", "ami-0123456789abcdef0"] || account_id == "884920193475" && ami in ["ami-0a1b2c3d4e5f6g7h8", "ami-1234567890abcdef0", "ami-9876543210fedcba9", "ami-z9y8x7w6v5u4t3s2r", "ami-f0e1d2c3b4a596877"] || account_id == "340912837456" && ami in ["ami-0a1b2c3d4e5f6g7h8", "ami-08e1a47b2c9f3d6a1", "ami-0c5f8d2e1b4a79362", "ami-0fb92e1d7c4b3a850", "ami-0d6a2f4c1e9b7a3d8"] remediation: - command: audit flags: level: ERROR value: |- aws_launch_template "{{ $.name | trim("\"") }}" uses image_id "{{ $.value | trim("\"") }}" which is not approved for the detected environment (account_id: {{ vars.custom?.account_id ?? "129483756201" }}). Approved AMIs for Prod (129483756201): ami-0a1b2c3d4e5f67890, ami-0987654321fedcba0, ami-0ff11223344556677, ami-0abcdef1234567890, ami-0123456789abcdef0 Approved AMIs for Staging (884920193475): ami-0a1b2c3d4e5f6g7h8, ami-1234567890abcdef0, ami-9876543210fedcba9, ami-z9y8x7w6v5u4t3s2r, ami-f0e1d2c3b4a596877 Approved AMIs for Dev (340912837456): ami-0a1b2c3d4e5f6g7h8, ami-08e1a47b2c9f3d6a1, ami-0c5f8d2e1b4a79362, ami-0fb92e1d7c4b3a850, ami-0d6a2f4c1e9b7a3d8 ``` The ruleset repeats the same environment logic for each resource type that accepts an AMI. `skip_finding` selects the allowlist from `vars.custom.account_id` (defaulting to Prod). The audit message lists valid AMIs for all environments so reviewers can see every option. --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter: ``` GET https://docs.gomboc.ai/orl/agent-skills/examples/multiple-environment-rule.md?ask=&goal= ``` `ask` is the immediate question: it should be specific, self-contained, and written in natural language. `goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.