{"id":2429,"date":"2025-08-28T16:38:09","date_gmt":"2025-08-28T16:38:09","guid":{"rendered":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/2025\/08\/28\/policy-as-code-explained\/"},"modified":"2025-08-28T16:38:09","modified_gmt":"2025-08-28T16:38:09","slug":"policy-as-code-explained","status":"publish","type":"post","link":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/2025\/08\/28\/policy-as-code-explained\/","title":{"rendered":"Policy as code, explained"},"content":{"rendered":"

Infrastructure as code<\/a> is steadily becoming mainstream<\/a>. Why? Because without it, operations teams typically end up relying on pages and pages of documentation or unwritten tribal knowledge to explain how they\u2019re supposed to build, upgrade, and triage infrastructure.<\/p>\n

Codification<\/a> of infrastructure, by contrast, allows all of that knowledge to be automated by machines. Some configuration languages like HCL are built to maintain operator readability so that infrastructure code can do two things: Drive automation and serve as documentation. <\/p>\n

Another codification within IT operations that\u2019s gaining traction is policy as code<\/em><\/strong>. As it turns out, the same coding practices that are applied to infrastructure can be very effective at managing and automating the enforcement of IT operations policies. <\/p>\n

This post will define policy as code, explain how it can be used, outline its benefits, and illustrate what it looks like in practice with real use case quotes from organizations including Fannie Mae, ADB, Wayfair, Booking.com, MediaMarkt, and Petco.<\/p>\n

What is policy?<\/h2>\n

Policies are essentially requirements.<\/p>\n

In this post, we\u2019re not talking about the policies your company might have around whether you can bring your dog to work. We\u2019re talking about the policies that must be followed by engineers, IT systems, and software products. <\/p>\n

IT policies often start out in shared documents (PDFs, Word, GDocs, etc.). Once authors distribute them or add them to a document storage system, then it’s up to operations, security, compliance reviewers, and\/or developers to memorize the policy documents or reread them when reviewing every code review ticket. <\/p>\n

This workflow is slow, error prone, and makes it difficult to scale up the number of policies and the number of tickets being reviewed. <\/p>\n

What is policy as code?<\/h2>\n

Policy as code gives you an automated way to check, in seconds, if your IT and business stakeholders\u2019 requirements are being followed \u2014 in every deployment. A policy as code framework includes a policy coding language that can be tested, peer reviewed, versioned, automated, and re-used much like application or infrastructure code.<\/p>\n

Some software tools and IT systems have their own built-in policy systems. For example, HashiCorp Vault<\/a> \u2014 a secrets management system \u2014 has configurable (codable) policies<\/a> that describe which stored credentials a user or machine can access. But this isn\u2019t necessarily policy as code.<\/p>\n

Policy as code is more flexible<\/em>. You can write your own custom policy checks through a policy language.<\/p>\n

It\u2019s similar to application testing and validation gates \u2014 it\u2019s run by a framework and either blocks a submission or notifies the submitter when a requirement is not met. A codified policy knows what to look for and how to react based on how it was built, and policies can be customized in a multitude of ways.<\/p>\n

The term \u201cpolicy as code\u201d applies specifically to policies being used for infrastructure operations<\/em>, especially infrastructure provisioning and workload orchestration.<\/p>\n

Because a policy as code framework is so flexible, it can cover a wide range of operational concerns:<\/p>\n

Security
\nCompliance
\nObservability
\nArchitecture
\nResilience
\nFinOps<\/p>\n

A policy framework is most effective when it works as a preventative step, running within your infrastructure provisioning or orchestration tools instead of detecting policy violations after deployment is finished, which requires a more expensive remediation process. <\/p>\n

Policy as code example<\/h2>\n

What does a policy in the form of code actually look like? It could use a few different domain-specific languages. <\/p>\n

Because HashiCorp Terraform<\/a> is the most popular<\/a> product for infrastructure as code, the policy as code framework that is built into HashiCorp Cloud Platform services and HashiCorp Enterprise products \u2014 Sentinel<\/a> \u2014 is a common language for policy as code. (Other high-level policy languages like Rego for Open Policy Agent (OPA) are options as well) So this example will be written in Sentinel.<\/p>\n

This example policy enforces requirements for AWS EC2 provisioning. The comments describe what each section does, with more description after the code block:<\/p>\n

# Get all AWS instances from all modules<\/p>\n

ec2_instances = filter tfplan.resource_changes as _, rc {
\n rc.type is “aws_instance”
\n}<\/p>\n

# Mandatory Instance Tags<\/p>\n

mandatory_tags = [
\n “Name”,
\n]<\/p>\n

# Allowed Types<\/p>\n

allowed_types = [
\n “t2.micro”,
\n “t2.small”,
\n “t2.medium”,<\/p>\n

]<\/p>\n

# Rule to enforce “Name” tag on all instances<\/p>\n

mandatory_instance_tags = rule {
\n all ec2_instances as _, instance {
\n all mandatory_tags as mt {
\n instance.change.after.tags contains mt
\n }
\n }
\n}<\/p>\n

# Rule to restrict instance types<\/p>\n

instance_type_allowed = rule {
\n all ec2_instances as _, instance {
\n instance.change.after.instance_type in allowed_types
\n }
\n}<\/p>\n

# Main rule that requires other rules to be true<\/p>\n

main = rule {
\n (instance_type_allowed and mandatory_instance_tags) else true
\n}<\/p>\n

In the policy above, all EC2 instances: <\/p>\n

Must have a Name tag
\nMust be of type t2.micro, t2.small or t2.medium (no instances larger than medium)<\/p>\n

If you create an EC2 instance that does not meet all of these criteria, Sentinel will flag it with a FAIL. In Sentinel, you can have one of three things happen when a run doesn\u2019t pass a policy check:<\/p>\n

Stop the run and show the user a warning, but allow them to manually push through provisioning
\nOnly allow the run to continue if an admin manually accepts the run.
\nStop the run until the user modifies their configuration and passes policy checks<\/p>\n

Policy as code should be readable by non-experts<\/h3>\n

Policies can be built and reviewed in collaboration with stakeholders from compliance, finance, cybersecurity, and other departments, but in order to do that, the policy language must be simple to read and write by individuals with a limited background in programming.<\/p>\n

Sentinel is a good example of a policy language that\u2019s clear enough to parse even by a non-expert. This is a key benefit of policy as code.<\/p>\n

What are the benefits of policy as code?<\/h2>\n

As you automate more systems, your teams will get faster and more efficient, but the speed and scale at which you introduce security holes, compliance breaches, and outages increases as well.<\/p>\n

How do you keep security, compliance, and reliability intact?<\/p>\n

This is why policy as code exists: To maintain a set of guardrails<\/em>, or even hard gates<\/em>, that automatically warn or block deployment when operational requirements aren\u2019t being followed.<\/p>\n

The potential benefits of policy as code can be broken down into three categories: Increased productivity, lower risk, and reduced costs.<\/p>\n

Productivity benefits<\/h3>\n

Eliminates many manual ticketing and approval bottlenecks
\nEnables fast feedback loops and reduces deployment times from weeks to hours and minutes
\nShifts compliance left<\/a> to developers and \u201cdown\u201d into the deployment platform, so both developers and compliance offload work to automation
\nReduces onboarding time and improves developer experience
\nEnables developer self-service<\/a> by automating the last mile of software deployment
\nMakes end-to-end automation possible in large enterprises with strict requirements<\/p>\n

Security\/risk reduction benefits<\/h3>\n

Reduces human error through automated policy enforcement
\nCatches violations before production by enforcing secure-by-design infrastructure
\nProvides version-controlled policies with full visibility, accountability, traceability, and testability
\nEnables faster incident response with quick policy updates across systems
\nProvides a codebase that stakeholders from compliance, security, finance, etc. can collaborate on for better compliance outcomes.<\/p>\n

Cost reduction benefits<\/h3>\n

Enables leaner teams by automating manual review processes
\nEnforces resource limits, tag tracking, and usage policies to avoid unnecessary cloud costs
\nFrees security, compliance, and ops staff for strategic work<\/p>\n

Policy as code in real use cases<\/h2>\n

These benefits aren\u2019t just theoretical. Dozens of companies have spoken about their successes with policy as code:<\/p>\n

\u201cAll our departments, like governance and security and our central platform team, can now write policies as code that define what is allowed and what isn\u2019t. All users immediately see if their code is compliant or not. Also included is cost estimation<\/strong>.\u201d\u2014 MediaMarkt’s journey to compliance with Terraform<\/a><\/p>\n

\u201cWe wrote Sentinel policies \u2026 to be like, \u2018Did you set your metadata correctly?\u2019\u201d\u2014 Using Terraform Enterprise to support 3000 users at Booking.com<\/a><\/p>\n

We’ve written a bunch of Sentinel policies \u2014 a combination of advisory, soft mandatory, hard mandatory \u2014 mostly to guide folks away from dangerous configurations we’ve discovered over the years.\u2014 Transforming access to cloud infrastructure at Wayfair with Terraform Enterprise<\/a><\/p>\n

Sentinel is going to be that bouncer in a club that allows you to go in or out. For us, that gives us 100% confidence that anything provisioned by Terraform is following our security postures.\u2014 Scaling innovation: ADB’s cloud journey with Terraform<\/a><\/p>\n

You need resource guardrails in the cloud because you don’t want your CFO coming down to your office saying, “Why did you deploy 50 R5.16XLs? We just missed our quarterly objectives because of your deployment.” And this is a job for Sentinel.\u2014 Terraform for the rest of us: A Petco ops case study<\/a><\/p>\n

And Fannie Mae has a great presentation<\/a> about how they build policy as code.<\/p>\n

You don\u2019t have to write policy as code from scratch<\/h2>\n

The great thing about a common policy language is that users can share their policies with the community, and teams can benefit from the work that other organizations have already done building solid, reusable policies.<\/p>\n

The Terraform Registry includes plenty of publicly available Sentinel policy sets, including two highly tested, turnkey policy sets developed by HashiCorp and AWS engineers:<\/p>\n

Pre-written Sentinel policies for AWS CIS foundations benchmarking<\/a>
\nPre-written Sentinel policies for AWS FSBP foundations benchmarking<\/a><\/p>\n

Need your own ideas for how policy as code could help your organization? Take a look at some concrete examples for each policy category:<\/p>\n

Category<\/strong><\/p>\n

Example<\/strong><\/p>\n

Security<\/p>\n

Ensure DynamoDB server-side encryption and CMK are enabled<\/p>\n

Compliance<\/p>\n

Ensure CIS Benchmark policies<\/a> are followed<\/p>\n

Logging \/ Observability<\/p>\n

Ensure Amazon ECS task logging to CloudWatch is enabled<\/p>\n

Architecture<\/p>\n

Ensure Azure Application Gateway uses approved subnets and security groups<\/p>\n

Resilience<\/p>\n

Ensure multi-availability-zone for Amazon RDS is enabled in production<\/p>\n

FinOps<\/p>\n

Ensure only approved instance types and sizings are used<\/p>\n

Policy as code brings safe self-service<\/h2>\n

Overall, policy as code is a tool for automating requirements to create guardrails that keep infrastructure provisioning:<\/p>\n

Compliant
\nSecure
\nResilient
\nCost-effective<\/p>\n

Developers like policy as code<\/strong> because, although it may block them, they get instant feedback and can immediately try to start fixing their deployment, rather than having to manually create a ticket and then wait days or weeks for a review.<\/p>\n

Operations and other stakeholders<\/strong> who need to ensure compliance like policy as code<\/strong> because they no longer have to spend most of their time managing and reviewing tickets, and can instead focus on more strategic work and on the most critical reviews.<\/p>\n

We believe policy as code is a key requirement for many enterprises that want to modernize their software delivery processes. The implementation of policy as code in an organization helps to reduce human error, removes the need for a slow and error prone ticketing workflow, and minimizes dependencies on other teams as well. To enable a faster team that focuses on what matters, policy as code is a great next step in your infrastructure modernization journey.<\/p>\n

Learn more about how HashiCorp can partner with you on your infrastructure modernization journey, read Do cloud right with The Infrastructure Cloud<\/a>.<\/p>","protected":false},"excerpt":{"rendered":"

Infrastructure as code is steadily becoming mainstream. Why? Because without it, operations teams typically end up relying on pages and […]<\/p>\n","protected":false},"author":0,"featured_media":0,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[6],"tags":[],"class_list":["post-2429","post","type-post","status-publish","format-standard","hentry","category-terraform"],"_links":{"self":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts\/2429","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/comments?post=2429"}],"version-history":[{"count":0,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts\/2429\/revisions"}],"wp:attachment":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/media?parent=2429"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/categories?post=2429"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/tags?post=2429"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}