
# Policy-as-Code

Use ORL as Policy-as-Code (PaC) by setting remediation to `audit` with `level: ERROR`. ORL then exits with a non-zero status when a finding is reported.

## Prompt

The following can be used with the [gomboc-enterprise-skills](/orl/agent-skills/gomboc-enterprise-skills.md).

```markdown
/gomboc:fix

I want to create an ORL rule or ruleset that checks that the AMI used for EC2 instances, launch configurations, or launch templates is one of the following:

- ami-0a1b2c3d4e5f67890
- ami-0987654321fedcba0
- ami-0ff11223344556677
- ami-0abcdef1234567890
- ami-0123456789abcdef0

The rule should not attempt to remediate the finding. It should simply audit using an error message that explains what the valid AMIs are. The message should be prefixed with "(PaC)".
```

{% hint style="info" %}
Use `/gomboc-community:fix` if you have the [gomboc-community-skills](/orl/agent-skills/gomboc-community-skills.md) installed.
{% endhint %}

Tell the agent explicitly not to remediate: by default `fix` attempts to create a code-change rule rather than an audit-only one.

## Rule Output Example

```yaml
---
type: Ruleset
version: v1
metadata:
  name: "ensure-ami-is-in-approved-allowlist"
  display_name: "Ensure AMI is from the approved allowlist"
  description: |
    ## Description

    Ensure that EC2 instances, launch configurations, and launch templates use only
    approved AMIs. Resources referencing an AMI that is not in the allowlist will be
    flagged with an audit error but will not be automatically remediated.
  annotations:
    contributed-by: user
    provider: AWS
    resource: aws_instance, aws_launch_configuration, aws_launch_template
spec:
  template:
    language: terraform
    audit_language: ast
  rules:
    - name: "ensure-aws_instance-ami-is-in-allowlist"
      audit: |
        {{ aResource("aws_instance", anAttribute("ami")) }}
      skip_finding: |
        hasSubString($.value, "ami-0a1b2c3d4e5f67890") || hasSubString($.value, "ami-0987654321fedcba0") || hasSubString($.value, "ami-0ff11223344556677") || hasSubString($.value, "ami-0abcdef1234567890") || hasSubString($.value, "ami-0123456789abcdef0")
      remediation:
        - command: audit
          flags:
            level: ERROR
          value: "(PaC) The AMI is not in the approved allowlist. Valid AMIs are: ami-0a1b2c3d4e5f67890, ami-0987654321fedcba0, ami-0ff11223344556677, ami-0abcdef1234567890, ami-0123456789abcdef0"

    - name: "ensure-aws_launch_configuration-image_id-is-in-allowlist"
      audit: |
        {{ aResource("aws_launch_configuration", anAttribute("image_id")) }}
      skip_finding: |
        hasSubString($.value, "ami-0a1b2c3d4e5f67890") || hasSubString($.value, "ami-0987654321fedcba0") || hasSubString($.value, "ami-0ff11223344556677") || hasSubString($.value, "ami-0abcdef1234567890") || hasSubString($.value, "ami-0123456789abcdef0")
      remediation:
        - command: audit
          flags:
            level: ERROR
          value: "(PaC) The AMI is not in the approved allowlist. Valid AMIs are: ami-0a1b2c3d4e5f67890, ami-0987654321fedcba0, ami-0ff11223344556677, ami-0abcdef1234567890, ami-0123456789abcdef0"

    - name: "ensure-aws_launch_template-image_id-is-in-allowlist"
      audit: |
        {{ aResource("aws_launch_template", anAttribute("image_id")) }}
      skip_finding: |
        hasSubString($.value, "ami-0a1b2c3d4e5f67890") || hasSubString($.value, "ami-0987654321fedcba0") || hasSubString($.value, "ami-0ff11223344556677") || hasSubString($.value, "ami-0abcdef1234567890") || hasSubString($.value, "ami-0123456789abcdef0")
      remediation:
        - command: audit
          flags:
            level: ERROR
          value: "(PaC) The AMI is not in the approved allowlist. Valid AMIs are: ami-0a1b2c3d4e5f67890, ami-0987654321fedcba0, ami-0ff11223344556677, ami-0abcdef1234567890, ami-0123456789abcdef0"
```

`skip_finding` suppresses the finding for compliant values. Any other value triggers an `ERROR`-level audit finding whose message lists the valid AMIs, which in turn makes the ORL run exit non-zero.
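To make the gate semantics concrete, below is an added Python emulation of what the three rules above do; it is not ORL's engine or Gomboc's code. It uses a deliberately simple regex pass over top-level Terraform `resource` blocks (assuming `terraform fmt` layout with the closing brace at column 0), maps each of the page's three resource types to its image attribute, treats a string literal equal to one of the page's five AMI ids as compliant, flags everything else with the page's `(PaC)` message, and returns exit code 1 when any `ERROR` finding exists. The sample Terraform, the unapproved id `ami-0deadbeef00000000` and the resource names are constructed for the demonstration. One design choice differs from the page's rule on purpose: the ruleset uses `hasSubString`, which, as its name says, accepts any value that merely contains an approved id, whereas the emulation requires exact literal equality, the stricter check a policy author normally wants. A non-literal expression such as `var.base_ami` cannot be verified statically, so it is reported rather than silently passed.

```python
import re
import sys
from dataclasses import dataclass

# The five approved ids are the ones listed in the page's ruleset.
APPROVED_AMIS = (
    "ami-0a1b2c3d4e5f67890",
    "ami-0987654321fedcba0",
    "ami-0ff11223344556677",
    "ami-0abcdef1234567890",
    "ami-0123456789abcdef0",
)

# Resource type -> attribute naming the image, mirroring the three rules on the page.
IMAGE_ATTRIBUTE = {
    "aws_instance": "ami",
    "aws_launch_configuration": "image_id",
    "aws_launch_template": "image_id",
}

MESSAGE = ("(PaC) The AMI is not in the approved allowlist. Valid AMIs are: "
           + ", ".join(APPROVED_AMIS))

# Top-level `resource "type" "name" { ... }` blocks. Assumption: the closing brace of a
# top-level block sits at column 0 (terraform fmt layout); nested blocks are indented.
RESOURCE_RE = re.compile(
    r'^resource\s+"(?P<type>[^"]+)"\s+"(?P<name>[^"]+)"\s*\{(?P<body>.*?)^\}',
    re.MULTILINE | re.DOTALL,
)


@dataclass
class Finding:
    resource: str   # e.g. aws_instance.web
    attribute: str  # ami or image_id
    value: str      # the raw HCL expression as written
    level: str = "ERROR"
    message: str = MESSAGE


def attribute_expr(body: str, attr: str):
    """Return the raw right-hand side of `attr = ...` inside a block body, or None."""
    m = re.search(rf'^\s*{re.escape(attr)}\s*=\s*(.+?)\s*$', body, re.MULTILINE)
    return m.group(1) if m else None


def audit(hcl: str) -> list:
    """Emulate the ruleset: one ERROR finding per image attribute that is not an approved literal."""
    findings = []
    for m in RESOURCE_RE.finditer(hcl):
        attr = IMAGE_ATTRIBUTE.get(m["type"])
        if attr is None:
            continue  # resource type the ruleset does not look at
        expr = attribute_expr(m["body"], attr)
        if expr is None:
            continue  # attribute absent: nothing for the audit selector to match
        # skip_finding: a string literal equal to an approved id is compliant.
        # Anything else (unapproved literal, variable, data-source reference) is flagged.
        if expr.startswith('"') and expr.strip('"') in APPROVED_AMIS:
            continue
        findings.append(Finding(f'{m["type"]}.{m["name"]}', attr, expr))
    return findings


def exit_code(findings) -> int:
    """PaC gate: any ERROR-level finding fails the run with a non-zero status."""
    return 1 if any(f.level == "ERROR" for f in findings) else 0


# Constructed sample: two compliant resources, one unapproved literal, one unresolved
# variable, and one resource type the ruleset ignores.
SAMPLE_TF = '''
resource "aws_instance" "web" {
  ami           = "ami-0a1b2c3d4e5f67890"
  instance_type = "t3.micro"
}

resource "aws_instance" "legacy" {
  ami           = "ami-0deadbeef00000000"
  instance_type = "t3.micro"
}

resource "aws_launch_template" "fleet" {
  image_id = "ami-0987654321fedcba0"
  tag_specifications {
    resource_type = "instance"
  }
}

resource "aws_launch_configuration" "asg" {
  image_id      = var.base_ami
  instance_type = "t3.micro"
}

resource "aws_s3_bucket" "logs" {
  bucket = "example-logs"
}
'''

if __name__ == "__main__":
    results = audit(SAMPLE_TF)
    for f in results:
        print(f"{f.level}: {f.resource}.{f.attribute} = {f.value}\n  {f.message}")
    sys.exit(exit_code(results))
```

Run against the constructed sample, the script reports `aws_instance.legacy` and `aws_launch_configuration.asg` and exits with status 1, which is exactly the behaviour a CI step relies on when it runs the ruleset as a gate.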
