v0.1.0-beta

Policy engine

Declare what your agents and engineers are allowed to change.

driftguard.yml config

policy:
  # These patterns will BLOCK the PR (exit 1 in CI)
  block:
    - aws_rds_cluster.*.delete         # never delete prod databases
    - aws_iam_policy.*.resources=*     # no wildcard IAM

  # These patterns will WARN in the PR comment but allow merge
  warn:
    - aws_security_group.ingress.0.0.0.0/0
    - aws_s3_bucket.*.acl=public-read

Pattern syntax

Patterns follow resource_type.name.attribute=value. Wildcards (*) match any value. Patterns are evaluated against every resource change in the Terraform plan.
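The following is an added example of how such a pattern matcher can be implemented against the `resource_changes` array that `terraform show -json` emits; it is not driftguard's own code, and the policy, the plan and the `resources` attribute on the IAM resource are constructed for the example (the real `aws_iam_policy` schema carries the document as a JSON string). It reads the block and warn lists from the page's config, flattens each change's `after` attributes into dotted paths, and returns the CI exit code the page describes.

```python
"""Hypothetical matcher for driftguard-style policy patterns (added example).

A pattern is resource_type.name.attribute[=value]; '*' in any segment is a
wildcard.  Each plan entry is turned into facts: one per planned action
(e.g. "delete") and one per attribute in `after`, then every pattern is
checked against every fact.  Assumed semantics, not the project's own.
"""
import fnmatch
import json

# Constructed policy mirroring the page's driftguard.yml block/warn lists.
POLICY = {
    "block": ["aws_rds_cluster.*.delete", "aws_iam_policy.*.resources=*"],
    "warn": ["aws_s3_bucket.*.acl=public-read"],
}

# Constructed plan in the shape of `terraform show -json` (resource_changes).
SAMPLE_PLAN = {
    "format_version": "1.2",
    "resource_changes": [
        {"address": "aws_rds_cluster.prod", "type": "aws_rds_cluster", "name": "prod",
         "change": {"actions": ["delete"], "before": {"cluster_identifier": "prod"}, "after": None}},
        {"address": "aws_iam_policy.ci", "type": "aws_iam_policy", "name": "ci",
         "change": {"actions": ["create"], "before": None,
                    # "resources" is a simplified, constructed attribute for the example
                    "after": {"name": "ci", "resources": "*"}}},
        {"address": "aws_s3_bucket.assets", "type": "aws_s3_bucket", "name": "assets",
         "change": {"actions": ["update"], "before": {"acl": "private"},
                    "after": {"acl": "public-read"}}},
        {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket", "name": "logs",
         "change": {"actions": ["update"], "before": {"acl": "private"},
                    "after": {"acl": "private", "tags": {"team": "sec"}}}},
    ],
}


def flatten(value, prefix=""):
    """Flatten nested attributes into {"ingress.0.cidr_blocks.0": "0.0.0.0/0"}."""
    if isinstance(value, dict):
        items = value.items()
    elif isinstance(value, list):
        items = ((str(i), v) for i, v in enumerate(value))
    else:  # scalar: keep strings as-is, render other JSON scalars as JSON text
        return {prefix: value if isinstance(value, str) else json.dumps(value)}
    out = {}
    for key, sub in items:
        out.update(flatten(sub, f"{prefix}.{key}" if prefix else str(key)))
    return out


def parse_pattern(pattern):
    """Split 'type.name.attribute=value' into parts; value is None when absent."""
    path, sep, value = pattern.partition("=")
    parts = path.split(".", 2)  # attribute may itself contain dots (nested path)
    if len(parts) != 3:
        raise ValueError(f"pattern needs resource_type.name.attribute: {pattern!r}")
    rtype, name, attr = parts
    return rtype, name, attr, (value if sep else None)


def facts_for(change):
    """Facts (type, name, attribute, value) for one resource_changes entry."""
    rtype, name = change["type"], change["name"]
    facts = [(rtype, name, action, None) for action in change["change"].get("actions", [])]
    after = change["change"].get("after")
    if isinstance(after, dict):  # None on delete; nothing to inspect then
        facts += [(rtype, name, k, v) for k, v in flatten(after).items()]
    return facts


def matches(pattern, fact):
    """True when every pattern segment wildcard-matches the fact."""
    p_type, p_name, p_attr, p_value = parse_pattern(pattern)
    f_type, f_name, f_attr, f_value = fact
    if not (fnmatch.fnmatchcase(f_type, p_type) and fnmatch.fnmatchcase(f_name, p_name)
            and fnmatch.fnmatchcase(f_attr, p_attr)):
        return False
    if p_value is None:  # bare path: an action, or any change to that attribute
        return True
    return f_value is not None and fnmatch.fnmatchcase(f_value, p_value)


def evaluate(policy, plan):
    """Return {"block": [(pattern, address)], "warn": [...], "exit_code": 0|1}."""
    hits = {"block": [], "warn": []}
    for change in plan.get("resource_changes", []):
        facts = facts_for(change)
        for severity in ("block", "warn"):
            for pattern in policy.get(severity, []):
                if any(matches(pattern, f) for f in facts):
                    hits[severity].append((pattern, change["address"]))
    hits["exit_code"] = 1 if hits["block"] else 0  # block => fail the CI job
    return hits


if __name__ == "__main__":
    print(json.dumps(evaluate(POLICY, SAMPLE_PLAN), indent=2))
```

One consequence of "`*` matches any value" worth checking in your own rules: with these semantics `aws_iam_policy.*.resources=*` matches a resource of `arn:aws:s3:::bucket` just as well as a literal `*`, so it blocks every IAM policy change rather than only wildcard ones. In this example the fnmatch character class `[*]` pins a literal asterisk; whether driftguard's own matcher offers an equivalent escape is not stated on this page.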

OPA / Rego (Enterprise)

Enterprise plans support full OPA Rego policy bundles for complex logic — multi-environment rules, team-based access, time-based restrictions. Contact us for the Rego integration guide.