Using Red Hat Ansible Automation Platform to enable a Policy as Code solution

Scenario: much of the staff’s time is spent making sure that the infrastructure as code (IaC) implementation is in compliance with the standards and policies that his company has for cloud resources. This was the reason why he brought me in to run a proof of concept (POC). The POC would validate what would become a Policy as Code solution based on one of the common IaC products. By Tim Coulter @redhat.com.

Policy as Code aligns technical environments, processes and resources with agreed standards. Many policies are applied through a policy engine that validates the IaC using pattern matching or Boolean logic. Examples include checking that none of the computing resources has a direct route to the Internet (which would violate a security policy), or limiting the service ports to just HTTPS and SSH. The policy engine stores the policies and uses them to ensure that resource creation will be in compliance. Most solutions can deny, warn or report on a non-compliant attribute, depending on the business requirements for that attribute. This is a simple use case; there can be variations and much more complex policies that demand compliance checks at greater frequency and scale.
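The two checks named above, written as a small policy evaluation over parsed IaC data. This is an added example, not code from the original article or from Ansible Automation Platform; the resource schema (`public_ip`, `ingress`, `from_port`, `to_port`), the policy names and the sample resources are assumptions constructed for illustration.

```python
ALLOWED_PORTS = {22, 443}  # SSH and HTTPS, per the policy described in the text

# Constructed sample of parsed IaC resources (hypothetical schema).
RESOURCES = [
    {"name": "web-1", "public_ip": False,
     "ingress": [{"from_port": 443, "to_port": 443},
                 {"from_port": 22, "to_port": 22}]},
    {"name": "db-1", "public_ip": True,
     "ingress": [{"from_port": 5432, "to_port": 5432}]},
    {"name": "app-1", "public_ip": False,
     "ingress": [{"from_port": 0, "to_port": 65535}]},
]

def no_direct_internet(res):
    """Assumption: a public IP stands in for a direct route to the Internet."""
    return ["has a public IP"] if res.get("public_ip") else []

def only_https_and_ssh(res):
    """Flag every ingress rule whose port range opens anything beyond 22/443."""
    found = []
    for rule in res.get("ingress", []):
        lo, hi = rule["from_port"], rule["to_port"]
        # A range such as 22-443 contains both allowed ports but also 23..442.
        if any(p not in ALLOWED_PORTS for p in range(lo, hi + 1)):
            found.append(f"ingress {lo}-{hi} not limited to 22/443")
    return found

# Each policy carries its enforcement action: deny, warn or report.
POLICIES = [
    ("no-direct-internet", "deny", no_direct_internet),
    ("https-ssh-only", "warn", only_https_and_ssh),
]

def evaluate(resources, policies=POLICIES):
    """Return (findings, allowed); allowed is False if any 'deny' policy fails."""
    findings = []
    for res in resources:
        for policy_id, action, check in policies:
            for msg in check(res):
                findings.append({"resource": res["name"], "policy": policy_id,
                                 "action": action, "message": msg})
    allowed = not any(f["action"] == "deny" for f in findings)
    return findings, allowed

if __name__ == "__main__":
    results, ok = evaluate(RESOURCES)
    for f in results:
        print(f"[{f['action'].upper()}] {f['resource']}: {f['policy']}: {f['message']}")
    print("provisioning allowed" if ok else "provisioning blocked")
```

In a pipeline, the `allowed` flag would gate the provisioning step, while `warn` and `report` findings are surfaced without blocking it.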

The article covers in great detail:

  • What is “Policy as Code?”
  • Applying Policy as Code to Ansible Automation Platform
  • High level details of the tasks
  • Resources and tools
  • Overview of the solution
  • Details

Tags ansible devops cicd