Risk Rules
Configure rules to score Terraform plan changes based on resource types, actions, tags, and custom conditions.
Risk rules define what changes matter to your organization. Each rule specifies conditions to match and a score to add when those conditions are met. Rules are evaluated against every resource change in a Terraform plan, and matching rules contribute to the total risk score.
How scoring works
Risk scores are additive. When a resource change matches multiple rules, each rule's score is added to the total. This allows you to build layered policies:
- Set a baseline score for production accounts
- Add points for high-risk resource types
- Add more points for destructive actions like deletes
Each rule's score is counted once per plan, regardless of how many resources trigger it. If a rule matches 10 resources, it still contributes its score only once to the total.
Condition fields
Rules match against these fields:
| Field | Description | Example |
|---|---|---|
| account_id | AWS Account ID | 123456789012 |
| resource_type | Terraform resource type | aws_db_instance |
| resource_address | Full Terraform address | module.vpc.aws_subnet.main |
| workspace | Terraform workspace name | production |
| region | AWS region | us-east-1 |
| action | Change action | create, update, delete, replace |
| tag.<key> | Resource tag value | tag.environment, tag.team |
| attribute.<path> | Resource attribute | attribute.instance_type |
| cost.monthly | Estimated monthly cost after change | 5000 |
| cost.diff | Absolute cost difference in dollars | 500 |
| cost.percentChange | Percentage change in cost | 25 |
Cost fields (cost.monthly, cost.diff, cost.percentChange) are only available when you have configured an Infracost API key. See Cost Estimation for setup instructions.
Operators
| Operator | Description | Example |
|---|---|---|
| equals | Exact match | resource_type equals aws_db_instance |
| notEquals | Does not match | action notEquals create |
| contains | String contains | resource_type contains iam |
| notContains | String does not contain | resource_address notContains test |
| matches | Regex pattern | resource_type matches ^aws_iam_.* |
| in | Value in list | action in [delete, replace] |
| notIn | Value not in list | workspace notIn [dev, staging] |
| exists | Field is present | tag.environment exists |
| notExists | Field is missing | tag.cost-center notExists |
| greaterThan | Numeric comparison | attribute.size greaterThan 100 |
| lessThan | Numeric comparison | attribute.size lessThan 50 |
Condition groups
Combine conditions using AND/OR logic. You can nest up to two levels of groups.
AND group - All conditions must match:
resource_type equals aws_db_instance
AND action equals delete
This matches only when both conditions are true.
OR group - Any condition can match:
resource_type equals aws_db_instance
OR resource_type equals aws_rds_cluster
This matches when either condition is true.
Nested groups - Combine AND and OR:
(resource_type equals aws_db_instance OR resource_type equals aws_rds_cluster)
AND action equals delete
This matches database deletions of either type.
Example rules
Production account baseline
Add a baseline risk score for any change in a production account. This stacks with other rules, so a database deletion in production would score higher than in staging.
| Setting | Value |
|---|---|
| Name | Production Account Baseline |
| Score | 100 |
| Condition | account_id equals 123456789012 |
Block database deletions
Assign a very high score to database deletions to trigger blocking or require multiple approvers.
| Setting | Value |
|---|---|
| Name | Database Deletion |
| Score | 2000 |
| Conditions | resource_type in [aws_db_instance, aws_rds_cluster, aws_dynamodb_table] AND action equals delete |
With default thresholds, this single rule would require 3 reviewers and potentially block the change.
IAM role modifications
Flag changes to IAM roles as high-risk for security review.
| Setting | Value |
|---|---|
| Name | IAM Role Change |
| Score | 500 |
| Conditions | resource_type contains iam_role AND action in [update, delete] |
Security group changes
Network changes can expose services. Add risk for security group modifications.
| Setting | Value |
|---|---|
| Name | Security Group Change |
| Score | 300 |
| Conditions | resource_type equals aws_security_group AND action in [create, update] |
Production environment tag
Match resources tagged with a production environment, regardless of which account they are in.
| Setting | Value |
|---|---|
| Name | Production Tagged Resources |
| Score | 150 |
| Condition | tag.environment in [production, prod] |
Untagged resources
Flag resources missing required tags. This encourages tagging hygiene.
| Setting | Value |
|---|---|
| Name | Missing Environment Tag |
| Score | 50 |
| Condition | tag.environment notExists |
High cost increase
Flag plans that increase monthly infrastructure cost by more than $500. Requires Infracost integration.
| Setting | Value |
|---|---|
| Name | High Cost Increase |
| Score | 300 |
| Condition | cost.diff greaterThan 500 |
Major percentage cost increase
Flag plans that increase cost by more than 25%. Useful for catching proportionally large changes in smaller environments.
| Setting | Value |
|---|---|
| Name | Major Cost Percentage Increase |
| Score | 200 |
| Condition | cost.percentChange greaterThan 25 |
Layered rules example
Rules stack together to create nuanced scoring. Consider a database deletion in a production account:
| Rule | Condition | Score |
|---|---|---|
| Production Account Baseline | account_id equals 123456789012 | +100 |
| Database Deletion | resource_type in [aws_db_instance, ...] AND action equals delete | +2000 |
| Production Tagged Resources | tag.environment equals production | +150 |
| Total | | 2250 |
This change would be rated Critical (over 1000 points) and require 3 reviewers based on default approval tiers.
The same database deletion in a staging account would score only 2000 points (no account baseline, different tag): still Critical, but clearly lower risk than in production.
Creating rules
- Visit PR Reviews → Risk Rules and click the settings icon, or navigate directly to the rules configuration.
- Click Create Rule.
- Enter a name and description.
- Set the risk score (points this rule adds when matched).
- Build your condition group using the visual builder or enter conditions directly.
- Save the rule.
New rules are enabled by default and immediately apply to new plan evaluations.
Next steps
- Set up plan uploads to start scoring your Terraform plans.
- Enable cost estimation to add cost-based risk rules.
- Review PR evaluations to see risk scores in action.
- Configure API tokens for CI authentication.