Fabio Alessandro Locati (Fale)'s blog

From Infrastructure as Code to Policy as Code

September 30, 2022

I still remember when, 15 years ago, the topic of Infrastructure as Code was beginning to be discussed. At the time, the majority of the tools we know and use for Infrastructure as Code did not exist. Some people and companies realized the need for such a paradigm, while many others were skeptical or against it.

In the last few months, I had a kind of déjà vu when I started to have conversations with some stakeholders around Policy as Code, or, as some prefer to call it, Compliance as Code. The idea behind Policy as Code is that if policies could be written in a language that is easily readable by both a human and a computer, we could govern IT better. Policy as Code is not a new concept by itself. In fact, with Infrastructure as Code software such as Ansible, it is already possible to write a Playbook that checks whether a system is in the expected state. The problem, though, is that an Ansible Playbook written for this purpose is not always easy to understand for people who are not highly trained in the tool, so it does not serve well as the human-readable statement of the policy.

To create a successful Policy as Code system, you should have policies both for the Infrastructure as Code codebase and for the effective configuration in production. Applying policies to the Infrastructure as Code codebase means preventing a change from landing in that codebase if it fails the policies. Applying Policy as Code to the effective configuration in production means detecting nonconformities regardless of whether they were introduced by the Infrastructure as Code tool or by manual changes, which the first check alone can never see. Ideally the same policy is evaluated at both points, so that what was checked before merge is exactly what is checked on the running system. I call the first way of working ex-ante and the second ex-post.
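As an added illustration of this ex-ante/ex-post split, the following is example code written for this page, not tooling from the author or from Ansible: one small policy set is evaluated first against what a proposed Infrastructure as Code change declares (ex-ante) and then against the `sshd_config` actually found on a production host (ex-post). The policy IDs, the Ansible-style variable block, and the sample `sshd_config` are all constructed. The parser follows two details of sshd_config(5) that matter for a correct verdict: the first value obtained for a keyword wins, and settings inside a `Match` block are conditional rather than global.

```python
"""Policy as Code, ex-ante and ex-post: one policy set is evaluated against
what the IaC declares (before the change lands) and against what a production
host actually runs (after, regardless of how the change got there).
Added example; the policies, variable names and sample config are constructed."""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Policy:
    id: str
    description: str  # written for humans first; the engine only needs key/expect
    key: str          # sshd_config keyword (case-insensitive)
    expect: str       # required value (case-insensitive)


@dataclass(frozen=True)
class Finding:
    policy_id: str
    stage: str               # "ex-ante" or "ex-post"
    observed: Optional[str]  # None: keyword not set at all
    expected: str


# Constructed policy set for this example.
POLICIES = (
    Policy("SSH-01", "Root must not log in over SSH", "PermitRootLogin", "no"),
    Policy("SSH-02", "Password authentication must be disabled", "PasswordAuthentication", "no"),
    Policy("SSH-03", "Public-key authentication must be enabled", "PubkeyAuthentication", "yes"),
)

_LINE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$")  # "Key value" or "Key=value"


def parse_sshd_config(text: str) -> dict:
    """Effective global settings from an sshd_config body.

    sshd_config(5): for each keyword the FIRST value obtained is used, so a
    later `PermitRootLogin no` does not undo an earlier `PermitRootLogin yes`.
    Keywords are case-insensitive. Lines after a `Match` block are conditional
    and are deliberately not treated as global settings here.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = _LINE.match(line) if line else None
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        settings.setdefault(key, value)  # first occurrence wins
    return settings


def declared_settings(iac_vars: dict) -> dict:
    """Normalize an Ansible-style variable block into the same shape.

    YAML 1.1 loaders (which Ansible uses) turn an unquoted `no`/`yes` into a
    boolean, so the declared value of `PermitRootLogin: no` arrives as False.
    """
    out = {}
    for key, value in iac_vars.items():
        if isinstance(value, bool):
            value = "yes" if value else "no"
        out[key.lower()] = str(value)
    return out


def evaluate(settings: dict, stage: str, policies=POLICIES) -> list:
    """Run every policy against a settings map; identical logic for both stages.

    An absent keyword is reported as a finding: the effective value would then
    be the daemon's compiled-in default, which a policy should never assume.
    """
    findings = []
    for p in policies:
        observed = settings.get(p.key.lower())
        if observed is None or observed.lower() != p.expect.lower():
            findings.append(Finding(p.id, stage, observed, p.expect))
    return findings


# --- ex-ante: the change proposed in the IaC repository (constructed) ---
PROPOSED_SSHD_VARS = {
    "PermitRootLogin": False,        # `PermitRootLogin: no` after YAML parsing
    "PasswordAuthentication": True,  # the PR re-enables password logins
    "PubkeyAuthentication": True,
}

# --- ex-post: sshd_config read from a production host (constructed) ---
PRODUCTION_SSHD_CONFIG = """\
# manual hotfix during an incident, never reverted
PermitRootLogin yes
# BEGIN managed block
PermitRootLogin = no
PasswordAuthentication no
# END managed block
Match User backup
    PubkeyAuthentication yes
"""


def ex_ante_findings() -> list:
    return evaluate(declared_settings(PROPOSED_SSHD_VARS), "ex-ante")


def ex_post_findings() -> list:
    return evaluate(parse_sshd_config(PRODUCTION_SSHD_CONFIG), "ex-post")


if __name__ == "__main__":
    for f in ex_ante_findings() + ex_post_findings():
        desc = next(p.description for p in POLICIES if p.id == f.policy_id)
        print(f"[{f.stage}] {f.policy_id}: {desc} "
              f"(observed={f.observed!r}, expected={f.expected!r})")
```

Run as a script, the ex-ante stage reports only SSH-02, which is the finding a merge gate would use to block the pull request. The ex-post stage reports SSH-01, because the manually inserted `PermitRootLogin yes` precedes the managed block and therefore wins, and SSH-03, because `PubkeyAuthentication` is only set inside a `Match` block and so has no global value; neither would ever surface from a check on the repository alone.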

At the moment, it is possible to hack together a system that can do Policy as Code, but we are very far from having a clean and ready-to-use tool that allows every company to implement both ex-ante and ex-post checks. I think it will be fascinating to see the evolution of the current tools or the emergence of new ones in this space.