Terraform compliance and governance means ensuring that infrastructure configurations satisfy regulatory frameworks (SOC 2, PCI-DSS, HIPAA, DORA, NIST) and internal organizational rules. The primary mechanism is policy as code (PaC): rules written in a policy language are enforced by an engine that scans Terraform plans before they are applied. The post uses OPA, the Rego language, and conftest as its main example, walking through installing conftest, writing a Rego policy that requires code signing for AWS Lambda functions, and integrating the check into a GitHub Actions workflow. It then discusses scaling this approach across an organization with shared workflows and repository rulesets, and outlines seven best practices: use established PaC frameworks, leverage pre-written policies, shift enforcement left, introduce policies gradually in advisory mode, test policy code, make compliance easy for consumers, and communicate the rationale behind each policy.

19 min read, from spacelift.io
Table of contents

- What is Terraform compliance and governance?
- What is policy as code?
- How to enforce compliance and governance in Terraform workflows
- Best practices for Terraform compliance and governance
- How to improve your infrastructure governance with Spacelift
- Key takeaways
- Frequently asked questions