
How to Enforce Policy as Code in Terraform [Sentinel & OPA]

What's this blog post about?

Infrastructure as Code (IaC) is a widely used practice for managing cloud infrastructure by defining it in configuration languages or high-level programming languages. A related concept, Policy as Code (PaC), is gaining traction in the industry. PaC means writing policies as code that dictate rules and constraints for resources, ensuring compliance with regulatory standards, security guidelines, and other external demands.

Terraform, a popular IaC tool, uses HashiCorp Configuration Language (HCL). HCL is great for declaratively describing your resources with their desired properties but isn't good at complex logic and advanced validation. That's where PaC comes in: policies are rules that your resources should respect. Two popular PaC frameworks are HashiCorp Sentinel and Open Policy Agent (OPA), and both can be used to enforce policy as code in Terraform. The benefits of PaC include increased security, improved developer efficiency, a known good state for infrastructure, and better visibility into policies.

PaC can be used for more than controlling individual settings of particular resource types. Some commonly applied types of policies for Terraform are:

- only allowing approved cloud regions for all resources and data
- denying opening up certain high-risk ports in security groups and firewalls
- requiring a set of common tags on resources
- denying or restricting the use of certain instance types, sizes, SKUs, tiers, etc.
- requiring backups to be configured for all database resources and other storage services

HashiCorp Sentinel is an ideal choice for policy as code if your organization uses HCP Terraform to manage infrastructure. It can work with dates and times, query HTTP endpoints, read arbitrary JSON data, and more. OPA, another option for enforcing policy as code in Terraform, is open source and has a large community.

To enforce PaC at scale on platforms like HCP Terraform or GitHub Actions, you must ensure policies are actually enforced and can't be bypassed. Automating Terraform deployments with Spacelift enhances infrastructure management by ensuring that your configurations adhere to defined compliance and security standards.
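As an added illustration of three of the policy types listed above (approved regions, high-risk ports open to the world, required tags), here is an OPA/Rego policy evaluated against the JSON that `terraform show -json` produces for a plan. This is example code written for this summary, not code from the Spacelift post or from the OPA project. The allowed regions, the required tag names, the list of high-risk ports and the taggable resource types are assumed organisation-specific values, the resource attribute paths follow the AWS provider's plan representation, and the embedded sample plan is constructed so the policy can be checked offline with `opa test`. It assumes OPA 0.59 or newer for `import rego.v1`.

```rego
# Added example policy for a Terraform plan JSON; not from the original post.
package terraform.policy

import rego.v1

# Organisation-specific inputs (assumed values for illustration only).
allowed_regions := {"eu-west-1", "eu-central-1"}
required_tags := {"owner", "cost-center"}
high_risk_ports := {22, 3389}
taggable_types := {"aws_instance", "aws_s3_bucket", "aws_db_instance"}

# Only look at resources being created or updated; deletes and no-ops are ignored.
managed_resources contains rc if {
	some rc in input.resource_changes
	some action in rc.change.actions
	action in {"create", "update"}
}

# 1. Only approved cloud regions: the region is a provider setting, so it is
#    read from the plan's configuration section rather than from each resource.
deny contains msg if {
	some name, cfg in input.configuration.provider_config
	region := cfg.expressions.region.constant_value
	not region in allowed_regions
	msg := sprintf("provider %q uses region %q; allowed regions are %v", [name, region, allowed_regions])
}

# 2. Required tags on every taggable resource. The comprehension is empty when
#    the resource has no tags at all, so a missing "tags" block is also denied.
deny contains msg if {
	some rc in managed_resources
	rc.type in taggable_types
	present := {k | rc.change.after.tags[k]}
	missing := required_tags - present
	count(missing) > 0
	msg := sprintf("%s is missing required tags %v", [rc.address, missing])
}

# 3. No high-risk port may be opened to 0.0.0.0/0 in an inline security group
#    ingress block (the separate aws_security_group_rule resource would need an
#    analogous rule).
deny contains msg if {
	some rc in managed_resources
	rc.type == "aws_security_group"
	some rule in rc.change.after.ingress
	some port in high_risk_ports
	rule.from_port <= port
	port <= rule.to_port
	"0.0.0.0/0" in rule.cidr_blocks
	msg := sprintf("%s opens high-risk port %d to 0.0.0.0/0", [rc.address, port])
}

# The plan passes only when no rule produced a denial message.
allow if count(deny) == 0

# Constructed sample plan fragment: wrong region, one missing tag, SSH open to
# the world. It exists only so that `opa test` can exercise the rules above.
sample_plan := {
	"configuration": {"provider_config": {"aws": {"expressions": {"region": {"constant_value": "us-east-1"}}}}},
	"resource_changes": [
		{
			"address": "aws_instance.web",
			"type": "aws_instance",
			"change": {"actions": ["create"], "after": {"tags": {"owner": "platform"}}},
		},
		{
			"address": "aws_security_group.web",
			"type": "aws_security_group",
			"change": {"actions": ["create"], "after": {"ingress": [{"from_port": 22, "to_port": 22, "cidr_blocks": ["0.0.0.0/0"]}]}},
		},
	],
}

# Expected: exactly three denials (region, missing cost-center tag, port 22).
test_sample_plan_denied if {
	count(deny) == 3 with input as sample_plan
	not allow with input as sample_plan
}

# An empty plan has nothing to object to.
test_empty_plan_allowed if {
	allow with input as {"configuration": {"provider_config": {}}, "resource_changes": []}
}
```

Run `opa test .` in the directory holding this file to execute the two embedded tests, or `opa eval -i plan.json -d policy.rego "data.terraform.policy.deny"` against a real plan to list the violations. Keeping each policy type in its own `deny` rule makes the messages specific and lets a pipeline fail the run on any non-empty `deny` set, which is the enforcement point the summary describes: the check must run on every plan and cannot be skipped by the person submitting it.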

Company
Spacelift

Date published
July 11, 2024

Author(s)
Mattias Fjellström

Word count
4519

Hacker News points
None found.

Language
English


By Matt Makai. 2021-2024.