Policy as Code defines governance rules as machine-readable definitions. OPA/Conftest validates IaC at PR time. Azure Policy enforces rules at the ARM API level. HashiCorp Sentinel provides fine-grained control in Terraform Cloud.
Policy pipeline from PR to prod, with policy-as-code gates at each transition.
Rego is a declarative policy language. deny[msg] { ... } defines a rule. If any deny rule evaluates to true, the resource is non-compliant. Always test policies with conftest verify.
Group related Azure Policy definitions into an Initiative (Policy Set). Assign one Initiative to a management group to govern all child subscriptions. CIS Azure Foundations is a well-known initiative.
Deny: blocks non-compliant ARM API calls. Audit: logs violations, allows resource. DeployIfNotExists (DINE): auto-deploys a companion resource (e.g., diagnostics settings). Start with Audit, move to Deny after testing.
Azure Policy Deny is the last line of defense. Catching violations at PR time (OPA) is 10x cheaper — developers fix issues before they hit CI. Shift left as far as possible.
Grant policy exemptions (waiver/mitigated) for legitimate deviations. Exemptions have expiry dates. Track exemptions in Azure Policy → Exemptions blade. Audit exemption usage quarterly.
Azure provides built-in Regulatory Compliance initiatives: NIST SP 800-53, ISO 27001, PCI-DSS. Assign them to view your compliance score and map controls to Azure Policy definitions.
Sign in to share your feedback and join the discussion.