Practice: Policy as Code

Purpose and Strategic Importance

Policy as Code enables organisations to enforce security, compliance, and operational policies through machine-readable rules embedded in CI/CD pipelines and infrastructure workflows. It replaces manual gatekeeping with automated, scalable guardrails that improve both safety and developer autonomy.

By codifying policy, teams move faster with confidence—ensuring best practices are consistently applied across environments without compromising flexibility or trust.


Description of the Practice

  • Policy as Code defines organisational rules (e.g. access controls, tagging requirements, resource limits) as version-controlled code.
  • Policies are automatically evaluated during key workflows—such as pull requests, infrastructure provisioning, or deployment.
  • Common tools include Open Policy Agent (OPA), Sentinel, Conftest, and TFLint.
  • Violations result in actionable feedback, a failed (fail-safe) run, or a request for approval, depending on severity and context.

How to Practise It (Playbook)

1. Getting Started

  • Identify high-value policies to codify first—e.g. required tags, disallowed resource types, MFA enforcement.
  • Choose a policy engine that integrates with your tooling (e.g. OPA with Terraform, Kubernetes, or CI pipelines).
  • Start with “warn-only” mode to understand impact before enforcing failures.
  • Store policy definitions in version control alongside the systems they govern.
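The steps above, worked through as an added example that is not part of the original playbook: a small Python evaluator (a stand-in for an OPA/Conftest check, not OPA itself) applies a required-tags rule and a disallowed-resource-type rule to a constructed `terraform show -json` plan excerpt, and a gate that runs in warn-only mode until enforcement is switched on. The plan content, tag names and the `aws_iam_user` rule are assumptions chosen for illustration.

```python
import json

# Constructed excerpt of a `terraform show -json` plan; only the fields the policies read.
SAMPLE_PLAN = json.loads("""
{"resource_changes": [
  {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
   "change": {"actions": ["create"],
              "after": {"tags": {"owner": "platform", "cost-centre": "cc-42"}}}},
  {"address": "aws_instance.web", "type": "aws_instance",
   "change": {"actions": ["update"], "after": {"tags": {"owner": "web"}}}},
  {"address": "aws_iam_user.legacy", "type": "aws_iam_user",
   "change": {"actions": ["create"],
              "after": {"tags": {"owner": "ops", "cost-centre": "cc-7"}}}},
  {"address": "aws_instance.old", "type": "aws_instance",
   "change": {"actions": ["delete"], "after": null}}
]}
""")

# Policies as data, kept in version control next to the Terraform they govern (assumed rules).
REQUIRED_TAGS = {"owner", "cost-centre"}
DISALLOWED_TYPES = {"aws_iam_user"}  # long-lived human credentials; prefer short-lived roles


def evaluate(plan):
    """Return (severity, address, message) for every resource being created or updated."""
    findings = []
    for rc in plan["resource_changes"]:
        actions = rc["change"]["actions"]
        if "create" not in actions and "update" not in actions:
            continue  # deletes and no-ops are not subject to create-time guardrails
        after = rc["change"]["after"] or {}
        if rc["type"] in DISALLOWED_TYPES:
            findings.append(("deny", rc["address"],
                             f"resource type {rc['type']} is disallowed"))
        missing = REQUIRED_TAGS - set(after.get("tags") or {})
        if missing:
            findings.append(("warn", rc["address"],
                             "missing required tags: " + ", ".join(sorted(missing))))
    return findings


def passes(findings, enforce=False):
    """Pipeline gate: warn-only mode reports every finding but never fails the run;
    enforce mode fails the run on any 'deny' finding."""
    for severity, address, message in findings:
        print(f"[{severity}] {address}: {message}")
    return not (enforce and any(sev == "deny" for sev, _, _ in findings))


if __name__ == "__main__":
    import sys
    sys.exit(0 if passes(evaluate(SAMPLE_PLAN), enforce="--enforce" in sys.argv) else 1)
```

Run it without arguments to see warn-only output with a zero exit code; pass `--enforce` to have the disallowed resource fail the run, which is the switch a team flips once the impact is understood.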

2. Scaling and Maturing

  • Create reusable policy libraries for teams to adopt across projects.
  • Integrate policy checks into CI/CD pipelines, pre-commit hooks, and platform tooling.
  • Establish workflows for proposing, reviewing, and updating policies as code evolves.
  • Track violations, exemptions, and adoption across teams to inform improvements.
  • Tie policies to compliance frameworks or internal standards for traceability.

3. Team Behaviours to Encourage

  • View policy as an enabler, not a blocker—build guardrails, not gates.
  • Treat policy definitions as shared, maintainable infrastructure code.
  • Encourage developers to contribute to policy evolution and propose safe exceptions.
  • Embed policy validation early in the workflow—not just at deployment time.

4. Watch Out For…

  • Writing overly rigid policies that block useful work or require constant overrides.
  • Lacking visibility into which policies apply where or who owns them.
  • Failing to review and update policies as systems and risks evolve.
  • Not measuring policy effectiveness, so nobody notices when policies have become too lax or overly strict.

5. Signals of Success

  • Policies are automatically enforced across environments with minimal manual intervention.
  • Developers understand and trust policy checks in their workflows.
  • Violations are rare, clear, and acted on quickly.
  • Exceptions are tracked and reduced over time through shared improvements.
  • Security, compliance, and engineering work together from a common playbook.

Associated Standards

  • Guardrails are built into delivery workflows
  • Access is continuously verified and contextual
  • Credentials are short-lived and auditable
  • Infrastructure changes are peer reviewed and version controlled

Associated Measures

  • Infrastructure as Code (IaC) Coverage
  • Compliance Coverage
