User Variables

Pass variables at remediation time and reference them in audit logic, skip conditions, or remediation values. This example sets the AMI from vars.custom.ami_id.

Prompt

The following can be used with the gomboc-enterprise-skills.

/gomboc:fix

I want to create an ORL rule that checks that the AMI used for EC2 instances, launch configurations, or launch templates is one of the following:

- ami-0a1b2c3d4e5f67890
- ami-0987654321fedcba0
- ami-0ff11223344556677
- ami-0abcdef1234567890
- ami-0123456789abcdef0

The rule should use the variable `vars.custom.ami_id` to set the value.  The rule should skip itself (using `skip_expression`) if the variable is not set.  If skipped the `skip_reason` should be in the form "Variable 'vars.custom.ami_id' is not defined. Set it to one of: <AMIs from list>".

Use /gomboc-community:fix if you have the gomboc-community-skills installed.

Name the variable and define behavior when it is missing (here, skip the rule with a clear reason).

Rule Output Example

# yaml-language-server: $schema=../schema/ruleset.json
---
type: Ruleset
version: v1
metadata:
  name: ensure-approved-ami-is-used
  display_name: Ensure EC2 instances and auto-scaling groups use an approved AMI
  description: |
    Ensures that all aws_instance, aws_launch_configuration, and aws_launch_template
    resources use one of the approved AMI IDs, supplied via vars.custom.ami_id.
  skip_expression: "vars.custom?.ami_id == nil"
  skip_reason: "Variable 'vars.custom.ami_id' is not defined. Set it to one of: ami-0a1b2c3d4e5f67890, ami-0987654321fedcba0, ami-0ff11223344556677, ami-0abcdef1234567890, ami-0123456789abcdef0"

spec:
  template:
    language: terraform
    audit_language: ast

  rules:
  - name: ensure-aws_instance-ami-is-approved
    audit: |
      {{ aResource("aws_instance", anAttribute("ami")) }}
    skip_finding: "trim($.value, \"\\\"\" ) == vars.custom.ami_id"
    remediation:
      - command: replace
        path: value
        value: "\"{{ vars.custom.ami_id }}\""

  - name: ensure-aws_launch_configuration-image_id-is-approved
    audit: |
      {{ aResource("aws_launch_configuration", anAttribute("image_id")) }}
    skip_finding: "trim($.value, \"\\\"\" ) == vars.custom.ami_id"
    remediation:
      - command: replace
        path: value
        value: "\"{{ vars.custom.ami_id }}\""

  - name: ensure-aws_launch_template-image_id-is-approved
    audit: |
      {{ aResource("aws_launch_template", anAttribute("image_id")) }}
    skip_finding: "trim($.value, \"\\\"\" ) == vars.custom.ami_id"
    remediation:
      - command: replace
        path: value
        value: "\"{{ vars.custom.ami_id }}\""

Each rule audits one resource type. Values that do not match vars.custom.ami_id are replaced with the variable value.

PreviousPolicy-as-Code NextGomboc Community Skills

Last updated 2 days ago

# yaml-language-server: $schema=../schema/ruleset.json
---
type: Ruleset
version: v1
metadata:
  name: ensure-approved-ami-is-used
  display_name: Ensure EC2 instances and auto-scaling groups use an approved AMI
  description: |
    Ensures that all aws_instance, aws_launch_configuration, and aws_launch_template
    resources use one of the approved AMI IDs, supplied via vars.custom.ami_id.
  skip_expression: "vars.custom?.ami_id == nil"
  skip_reason: "Variable 'vars.custom.ami_id' is not defined. Set it to one of: ami-0a1b2c3d4e5f67890, ami-0987654321fedcba0, ami-0ff11223344556677, ami-0abcdef1234567890, ami-0123456789abcdef0"

spec:
  template:
    language: terraform
    audit_language: ast

  rules:
  - name: ensure-aws_instance-ami-is-approved
    audit: |
      {{ aResource("aws_instance", anAttribute("ami")) }}
    skip_finding: "trim($.value, \"\\\"\" ) == vars.custom.ami_id"
    remediation:
      - command: replace
        path: value
        value: "\"{{ vars.custom.ami_id }}\""

  - name: ensure-aws_launch_configuration-image_id-is-approved
    audit: |
      {{ aResource("aws_launch_configuration", anAttribute("image_id")) }}
    skip_finding: "trim($.value, \"\\\"\" ) == vars.custom.ami_id"
    remediation:
      - command: replace
        path: value
        value: "\"{{ vars.custom.ami_id }}\""

  - name: ensure-aws_launch_template-image_id-is-approved
    audit: |
      {{ aResource("aws_launch_template", anAttribute("image_id")) }}
    skip_finding: "trim($.value, \"\\\"\" ) == vars.custom.ami_id"
    remediation:
      - command: replace
        path: value
        value: "\"{{ vars.custom.ami_id }}\""