Well-Architected Framework
Policy as code
When you provision infrastructure, manage secrets, and manage your services, you want to ensure they follow certain behaviors. By managing policy with infrastructure as code, you can unify the process of maintaining and implementing policies across your entire infrastructure stack. This approach brings consistency, automation, and version control to policy management.
HCP Terraform uses Sentinel to enable granular policy control for your infrastructure. Sentinel is a policy language and framework that restricts Terraform actions to defined, allowed behaviors. Policy authors manage Sentinel policies in HCP Terraform with policy sets, which are groups of policies. Organization owners control the scope of policy sets by applying them to the entire organization or to selected workspaces.

A common use of Sentinel policies is to help control cloud cost. By using these policies, in combination with HCP Terraform, you can ensure your IaC doesn't create infrastructure that isn't appropriate for your budget.
The following is an example of a policy that restricts instance creation to the three listed instance types.
import "tfplan"

# Pass only if every planned aws_instance uses one of the allowed instance types.
main = rule {
    all tfplan.resources.aws_instance as _, instances {
        all instances as _, r {
            r.applied.instance_type in ["t2.micro", "t2.small", "t2.medium"]
        }
    }
}
When organizations use Sentinel in HCP Terraform, they can ensure that all infrastructure changes adhere to corporate policies, security standards, and compliance requirements. This proactive approach to policy enforcement helps prevent misconfigurations, reduces security risks, and maintains consistency across the infrastructure lifecycle.
You can also enforce OPA policies with HCP Terraform. These policies, written in Rego, can validate resource configurations, enforce tagging standards, control costs, and ensure adherence to company or regulatory requirements. Terraform runs OPA policy checks before each plan or apply, preventing implementation of non-compliant changes.
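The same instance-type restriction expressed as an OPA policy for HCP Terraform, as an added example that is not part of the original page; it assumes the HCP Terraform OPA input layout (`input.plan.resource_changes`, with planned attributes under `change.after`) and a policy set that queries `data.terraform.policies.instance_type.deny`.

```rego
package terraform.policies.instance_type

import rego.v1

# Planned resource changes as exposed to HCP Terraform OPA policies (assumed layout).
import input.plan as tfplan

allowed_types := {"t2.micro", "t2.small", "t2.medium"}

# Only resources being created or updated can introduce a disallowed type;
# deletions are ignored.
is_create_or_update(rc) if {
    some action in rc.change.actions
    action in {"create", "update"}
}

# deny collects one message per offending aws_instance so the run output
# names the exact resource address and the value that failed.
deny contains msg if {
    some rc in tfplan.resource_changes
    rc.type == "aws_instance"
    is_create_or_update(rc)
    not allowed_types[rc.change.after.instance_type]
    msg := sprintf("%s uses instance_type %q; allowed: %v",
        [rc.address, rc.change.after.instance_type, allowed_types])
}
```

An empty `deny` set means the plan passes; an `instance_type` that is not known until apply does not match the rule, so a policy that must also reject unknown values needs an explicit check for a missing attribute.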
Next steps
In this section of Compliance and governance, you learned how you can use policy as code to enforce rules using IaC and Terraform. Compliance and governance is part of the Secure systems pillar.