Important

You need StackGen Admin or DevOps access to run this command.

resource-restriction-policy

The stackgen upload resource-restriction-policy command allows you to upload policies that limit the StackGen/Custom resources that users can select from the drag-and-drop menu in their topologies.

Supported Clouds

All cloud providers.

Usage

stackgen upload resource-restriction-policy [flags]

Flags

Flag                                         Description
-p, --restriction-policy-file-path string    Path to resource restriction policy file.
-h, --help                                   Help for resource-restriction-policy.

Example

Upload resource restriction policy from a local file

stackgen upload resource-restriction-policy -p /path/to/resource_restriction_policy.json

This command will:

  • Read the restriction policy from the specified JSON file,
  • Upload the policy to the StackGen platform,
  • Limit which resources users can select in the drag-and-drop menu.

File Format

The resource restriction policy file should be in JSON format and define which resources are allowed in topologies. Here's an example:

{
  "name": "Allow s3",
  "description": "This restriction will only allow s3",
  "resources": [
    "aws_s3"
  ]
}

Each policy object must include:

  • name: A unique identifier for the policy.
  • description: A brief explanation of the policy's purpose.
  • resources: An array of resource types that will be allowed in the drag-and-drop menu.

Example: Enforce latest custom module version in your appStack

You can enforce the use of a specific version of a custom module. The example below uses a custom aws_s3 resource, identified by its baseId and templateId. This enforces consistency and ensures developers use approved, and possibly more secure or optimized, versions of the S3 resource in their appStacks.

{
  "name": "Allow latest version of s3",
  "description": "This restriction will only allow for resources with ResourceType aws_s3, or the specified custom modules.",
  "resources": [
    "aws_s3"
  ],
  "customModuleFilters": [
    {
      "provider": "aws",
      "resourceType": "custom_aws_s3",
      "baseId": "ebab23b-35bf-4e90-af6c-1813512edbef",
      "templateId": "147aaa561-e47e-4fb3-8ef1-099a0f2e1eb7"
    }
  ]
}

You can retrieve the templateId and baseId for a custom module by following these steps:

  1. From your Chrome browser, click Inspect > Network > Custom Module.
  2. Click the appStack ID; the values for templateId and templatebaseId appear in the Response.

Check out the video below to learn how to fetch the templateId and baseId for a custom module.

Note
  • Resource restriction policies help enforce standardization and compliance.
  • Resources not listed in the policy will not be available for selection.
  • You can use this to limit users to only approved resource types.
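
A pre-upload check for the policy file format described under File Format and in the custom module example, as an added example that is not part of StackGen's documentation or tooling. It assumes the four keys shown in the customModuleFilters example are all required; the function names and the sample input are constructed for illustration.

```python
import json

REQUIRED = ("name", "description", "resources")
# Assumption: every key shown in the page's customModuleFilters example is required.
FILTER_KEYS = ("provider", "resourceType", "baseId", "templateId")

def validate_policy(policy):
    """Return a list of problems in a parsed policy object (empty list means OK)."""
    if not isinstance(policy, dict):
        return ["policy must be a JSON object"]
    problems = [f"missing required field: {k}" for k in REQUIRED if k not in policy]
    for key in ("name", "description"):
        if key in policy and not (isinstance(policy[key], str) and policy[key].strip()):
            problems.append(f"{key} must be a non-empty string")
    filters = policy.get("customModuleFilters", [])
    if not isinstance(filters, list):
        problems.append("customModuleFilters must be an array")
        filters = []
    for i, flt in enumerate(filters):
        bad = [k for k in FILTER_KEYS
               if not (isinstance(flt, dict) and isinstance(flt.get(k), str) and flt[k])]
        if bad:
            problems.append(f"customModuleFilters[{i}] missing or empty: {', '.join(bad)}")
    if "resources" in policy:
        res = policy["resources"]
        if not isinstance(res, list) or not all(isinstance(r, str) and r for r in res):
            problems.append("resources must be an array of non-empty strings")
        else:
            dupes = sorted({r for r in res if res.count(r) > 1})
            if dupes:
                problems.append(f"duplicate resources: {', '.join(dupes)}")
            # Unlisted resources are hidden, so an empty allow-list hides everything.
            if not res and not filters:
                problems.append("empty allow-list: no resource would be selectable")
    return problems

def validate_text(text):
    """Parse policy JSON text and validate it; a syntax error is reported as a problem."""
    try:
        return validate_policy(json.loads(text))
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc.msg} (line {exc.lineno})"]

# Constructed sample: empty description, duplicate resource, filter without templateId.
SAMPLE = """{"name": "Allow s3", "description": "", "resources": ["aws_s3", "aws_s3"],
 "customModuleFilters": [{"provider": "aws", "resourceType": "custom_aws_s3",
                          "baseId": "<base-id-placeholder>"}]}"""

if __name__ == "__main__":
    for problem in validate_text(SAMPLE):
        print("policy error:", problem)
```

Running a check like this in review or CI before `stackgen upload resource-restriction-policy -p` catches a malformed or unintentionally empty allow-list before it reaches users' topologies.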