In the Spacelift UI navigate to Policies > Create Policy and select type `Plan`; plan policies receive the full Terraform plan JSON as input.
Write a Rego policy that denies resource destruction beyond a threshold: `deny[sprintf("destroying %d resources", [n])] { n := count([r | r := input.terraform.resource_changes[_]; r.change.actions[_] == "delete"]); n > 5 }`.
Spacelift supports both Rego v0 and v1; select the version in the policy editor and use Rego v1 for new policies.
Attach the plan policy to a stack by navigating to the stack's Policies tab and linking the created policy.
Trigger a proposed run (PR) on the stack; after the plan phase Spacelift evaluates attached plan policies and blocks apply if any `deny` rule fires.
Use `warn` rules instead of `deny` for advisory messages; warnings surface in the run UI without blocking apply.
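The steps above as one Rego v1 policy, written as an added example (not taken from Spacelift's documentation or from the original page). It pairs the blocking `deny` threshold with an advisory `warn` for smaller deletions; the names `max_deletes` and `deleted` are illustrative, and the threshold of 5 mirrors the value used above.

```rego
package spacelift

import rego.v1

# Illustrative threshold: more deletions than this blocks the apply.
max_deletes := 5

# Set of addresses for every resource whose planned actions include "delete".
# A replacement (actions ["delete", "create"]) is included too, because the
# existing object is destroyed. Using a set counts each resource only once.
deleted contains r.address if {
	some r in input.terraform.resource_changes
	"delete" in r.change.actions
}

# Blocking rule: fires only when the deletion count exceeds the threshold.
deny contains msg if {
	n := count(deleted)
	n > max_deletes
	msg := sprintf("destroying %d resources (limit %d)", [n, max_deletes])
}

# Advisory rule: any deletion at or under the threshold is listed in the
# run UI without blocking apply, so reviewers see exactly what goes away.
warn contains msg if {
	n := count(deleted)
	n > 0
	n <= max_deletes
	msg := sprintf("plan destroys %d resources: %s", [n, concat(", ", sort(deleted))])
}
```

Keeping the result of `count(...)` in a variable named `n` rather than `count` avoids shadowing the built-in function inside the rule body.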
Known gotchas
Spacelift plan policies receive the Terraform plan JSON structure, not HCL; access resources via `input.terraform.resource_changes[_]` not via the HCL module tree.
Plan policies fire on both proposed (PR) and tracked (deploy) runs; separate policy logic by checking `input.run.type` if different behavior is needed per run type.
A plan policy `deny` rule blocks the apply but does not prevent the plan from completing; the plan output is still visible in the run log.