Compliance as Code

Attaching New Control Resources

Create and link new policy or control resources to existing graph nodes using declarative compliance targets.


Use Case: Model a policy, control, or configuration that applies to a resource, such as an MFA requirement, a backup policy, or an anti-malware configuration. This pattern finds the matching resources, creates a new resource representing the control, and links each matched resource to it.

[[control]]
id = "UEM-09"
name = "Anti-Malware Detection and Prevention"
description = """Configure managed endpoints with anti-malware detection and prevention
technology and services."""

# This target attaches an anti-malware policy to all systems.
[[control.target]]
description = "Enforce anti-malware protection on all managed systems."
# Supports a single string or a list of types (e.g. ["identity", "service_account"])
origin_resource_types = "system"
match_on = [ { property = "environment", value = "prod" } ]

# Define the new resource to be created.
# Tera templating is supported in the name property.
[control.target.resource]
type = "policy"
name = "antimalware_policy_for_{{origin_resource.name}}"

[control.target.resource.properties] # Define properties directly
detection_enabled = true
prevention_enabled = true
status = "mandatory"

# Define the relationship linking the origin resource to the new resource.
[control.target.relation]
type = "GOVERNED_BY"

Result: each matching system gets a new policy resource linked to it.

graph LR
    subgraph Before
        S1[system<br>name: win-desktop-01]
    end

    subgraph After
        S2[system<br>name: win-desktop-01] -->|GOVERNED_BY| P[policy<br>detection_enabled: true<br>status: mandatory]
    end

Advanced: Linking the New Resource to Others

In more complex scenarios, the new control resource you create might itself need to be linked to other existing parts of your architecture. You can achieve this by adding a [[control.target.resource_links]] block.

Use Case: An internal application must have a specific firewall rule. The control should create the firewall_rule resource and then link that new rule to the existing network_zone it applies to.

[[control]]
id = "NET-SEG-01"
name = "Segment Internal Apps"

[[control.target]]
# 1. Find the internal application.
origin_resource_type = "application"
match_on = [ { property = "environment", value = "internal" } ]

# 2. Define the new 'firewall_rule' resource to attach.
[control.target.resource]
type = "firewall_rule"
name = "rule_for_{{origin_resource.name}}"
[control.target.resource.properties]
action = "allow"

# 3. Link the application to the new rule.
[control.target.relation]
type = "HAS_RULE"

# 4. Add a secondary link from the new rule to an existing network zone.
[[control.target.resource_links]]
[control.target.resource_links.relation]
type = "APPLIES_TO_ZONE"
[control.target.resource_links.resource]
type = "network_zone"
match_on = [ { property = "name", value = "internal-zone" } ]

This pattern allows you to insert new control artifacts into your graph and immediately connect them to the relevant architectural components in a single, declarative rule.