You’re scaling your IT infrastructure so you can do more – deploying across clouds and data centers, adding servers, coding like crazy. Great! But how do you keep it all from falling apart? Policy as code is an approach to managing IT that strategically leverages infrastructure as code (IaC) and compliance as code to manage consistent policies across complex IT environments.
Sounds perfect, right? But there’s no single way to go about actually using policy as code, which can make it seem harder to utilize than it actually is. Read on to get ready to use policy as code (PaC) with an explainer, a list of common policy as code tools, and example use cases for policy as code that make your infrastructure resilient and repeatable at scale.
Policy as code (PaC) is an approach to IT operations and software development that represents rules, best practices, and compliance standards as code (leveraging languages like Ruby, Python, YAML, and others).
For years, organizations have written their corporate or organizational security and compliance policies into a static Word document, Confluence page, a PDF, or something similarly dry. With the advent of policy as code (PaC), those policies can now be committed into code, which opens up new possibilities for "shifting left" and baking security and compliance into your day-to-day operations.
Even better, these policies can be tested and enforced with automation, which helps ensure your systems and applications are compliant with corporate security and configuration policies while reducing human effort and error.
Examples of policy as code include standardizing many aspects of IT operations, from compliance and security to infrastructure management, cost reduction, and code quality control.
The versatility of PaC makes it a beneficial strategy for establishing and enforcing policies across large and complex IT estates. PaC can be used to ensure consistency, repeatability, scalability, compliance, security, and drift correction, and to address other common IT ops issues, like cloud misconfiguration.
Policy as code is used to maintain consistent configurations across complex infrastructure, with use cases in compliance, security, managing cloud configurations, and scaling infrastructure.
Here are a few specific use cases and examples of ways to use PaC:
An operator can write code that enforces specific encryption settings and role-based access controls. A policy as code solution will apply and enforce that code, as well as report on the impact of any code change prior to release as part of your CI/CD pipeline. For example, PaC establishes requirements for encryption and role-based access control (RBAC) configuration, and infrastructure as code defines configurations and encryption settings.
Compliance automation tools like the Puppet suite leverage policy as code to enforce server configurations that are compliant with PCI DSS, HIPAA, SOX, DISA STIG, CIS Benchmarks, and more. For example, you can write PCI DSS compliance policies with Puppet, then integrate those policy checks into your CI/CD pipeline so any code changes will be checked against the policy you’ve written.
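As an added example (not code from Puppet or from this article), the following Python script shows the kind of pre-release check the two use cases above describe: encryption and RBAC requirements written as rules, evaluated against a simplified plan of resources, with a non-zero exit code to stop the pipeline when a rule is violated. The resource shape, the policy IDs and the sample plan are assumptions constructed for the illustration, not any tool's real format.

```python
"""Policy-as-code checks run as a CI/CD gate before infrastructure is deployed.

Added example, not Puppet's code. The resource dictionaries below mimic a
simplified IaC plan (an assumed shape for this example); each Policy is a
rule written as code that either returns a violation message or None.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class Violation:
    policy_id: str
    resource: str
    message: str


@dataclass
class Policy:
    policy_id: str
    applies_to: str                          # resource type the rule covers
    check: Callable[[dict], Optional[str]]   # message if violated, else None
    severity: str = "high"


def require_encryption_at_rest(res: dict) -> Optional[str]:
    """Storage must be encrypted at rest with an approved algorithm."""
    enc = res.get("encryption", {})
    if not enc.get("at_rest"):
        return "encryption at rest must be enabled"
    if enc.get("algorithm") not in ("AES-256",):
        return f"algorithm {enc.get('algorithm')!r} is not in the approved list"
    return None


def require_tls_in_transit(res: dict) -> Optional[str]:
    """Only TLS 1.2 or 1.3 may be offered for data in transit."""
    version = res.get("encryption", {}).get("tls_min_version")
    if version not in ("1.2", "1.3"):
        return f"tls_min_version {version!r} must be 1.2 or 1.3"
    return None


def forbid_wildcard_rbac(res: dict) -> Optional[str]:
    """No role binding may grant every role or bind every principal."""
    for binding in res.get("role_bindings", []):
        if binding.get("role") == "*" or "*" in binding.get("principals", []):
            return f"binding {binding} grants wildcard access"
    return None


# Constructed policy set: policy IDs are assumptions for this example.
POLICIES = [
    Policy("SEC-ENC-001", "storage_bucket", require_encryption_at_rest),
    Policy("SEC-ENC-002", "storage_bucket", require_tls_in_transit),
    Policy("SEC-RBAC-001", "storage_bucket", forbid_wildcard_rbac),
    Policy("SEC-RBAC-001", "database", forbid_wildcard_rbac),
]


def evaluate(resources: List[dict], policies: List[Policy] = POLICIES) -> List[Violation]:
    """Apply every policy to every resource of the matching type."""
    violations = []
    for res in resources:
        for pol in policies:
            if pol.applies_to != res["type"]:
                continue
            msg = pol.check(res)
            if msg:
                violations.append(Violation(pol.policy_id, res["name"], msg))
    return violations


# Constructed sample plan: one compliant bucket, one non-compliant bucket,
# and a database with an over-broad role binding.
SAMPLE_PLAN = [
    {"type": "storage_bucket", "name": "customer-data",
     "encryption": {"at_rest": True, "algorithm": "AES-256", "tls_min_version": "1.2"},
     "role_bindings": [{"role": "reader", "principals": ["svc-reporting"]}]},
    {"type": "storage_bucket", "name": "logs-archive",
     "encryption": {"at_rest": False, "tls_min_version": "1.2"},
     "role_bindings": [{"role": "writer", "principals": ["*"]}]},
    {"type": "database", "name": "orders-db",
     "role_bindings": [{"role": "*", "principals": ["ops-team"]}]},
]


def ci_gate(resources: List[dict]) -> int:
    """Print a report and return the process exit code for the pipeline step."""
    violations = evaluate(resources)
    for v in violations:
        print(f"[{v.policy_id}] {v.resource}: {v.message}")
    print("policy check:", "FAILED" if violations else "passed")
    return 1 if violations else 0


if __name__ == "__main__":
    raise SystemExit(ci_gate(SAMPLE_PLAN))
```

Because each rule is a plain function with a stable policy ID, the same module can be unit-tested like any other code, and a change to a rule shows up in version control next to the infrastructure it governs.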
Policy as code can define policies for cloud security, cost control, and cloud compliance. That gives infrastructure as code (IaC) a blueprint for building cloud resources according to the policies you’ve written as code. It also reduces the risk of cloud misconfiguration to make sure your infrastructure stays consistent across multi-cloud and hybrid deployments.
Policy as code is ideal for scaling infrastructure across environments. The policies you write using PaC can be updated easily to accommodate changes to security policies and resource configurations.
Policy as code has many benefits for IT organizations, from central IT and ops to the app layer. It’s a high-level, readable, easily understood way to state policies that enable version control and automation from provisioning to testing and deployment.
Despite 'code' being a bad word in some parts, most tools that offer PaC solutions are written in a very human readable language with the added benefit that what is written is executable and can be acted upon.
Here are a few specific benefits of policy as code:
The main difference between policy as code (PaC) and infrastructure as code (IaC) is that PaC is a set of guidelines for your IT environment, and IaC is the actual code used to build and manage infrastructure based on PaC rules.
PaC and IaC are defined by what they do, how they do it, and their use cases in setting and enforcing desired state in an IT system.
PaC is a set of rules for using IaC to build infrastructure according to the standards you’ve set for your IT environment. In contrast, IaC is a practical implementation of automation to provision and configure those resources.
Policy as code (PaC) and infrastructure as code (IaC) are similar, but not interchangeable. Policy as code refers to the strategy of using code to enforce policy, while infrastructure as code is the actual execution of those strategies.
The line between PaC and IaC isn’t always clear, and sometimes depends on your outlook. There are two different approaches to policy as code. One method is to use separate tooling for PaC and IaC – for example, using Sentinel inside Terraform to validate and enforce policy against Terraform projects before they are deployed.
The other method is having policy code defined alongside your infrastructure as code. An example of this approach would be setting a password length rule in a common profile that is applied to all systems. That way, all configuration, be it security or otherwise, is all managed through the same workflow.
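As an added example (not Puppet code and not part of the original article), here is the second approach in Python: the password-length rule lives in one common policy object, that object is rendered into the login.defs directives every system should carry, and the same code detects drift on a host and produces the corrected file. The login.defs content, the hostnames and the mapping from policy keys to directives are constructed for the illustration.

```python
"""Policy defined alongside the configuration it drives: one common password
policy rendered into /etc/login.defs settings, with drift detection and repair.

Added example, not Puppet's own code. The policy dictionary is the single
source of truth; desired settings are derived from it rather than hand-written
per host. Sample file contents below are constructed.
"""
import re
from typing import Dict, Optional, Tuple

# The common profile value applied to all systems (assumed values).
PASSWORD_POLICY = {"min_length": 14, "max_days": 90}

# Which login.defs directive each policy key controls (PASS_MIN_LEN and
# PASS_MAX_DAYS are real shadow-utils directives; the mapping is ours).
DIRECTIVES = {"min_length": "PASS_MIN_LEN", "max_days": "PASS_MAX_DAYS"}


def desired_settings(policy: Dict[str, int] = PASSWORD_POLICY) -> Dict[str, str]:
    """Render the policy into the directive/value pairs a host must have."""
    return {DIRECTIVES[key]: str(value) for key, value in policy.items()}


def parse_login_defs(text: str) -> Dict[str, str]:
    """Read 'DIRECTIVE value' lines, ignoring blank lines and # comments."""
    settings = {}
    for line in text.splitlines():
        stripped = line.split("#", 1)[0].strip()
        if not stripped:
            continue
        parts = stripped.split(None, 1)
        if len(parts) == 2:
            settings[parts[0]] = parts[1].strip()
    return settings


def detect_drift(text: str, policy: Dict[str, int] = PASSWORD_POLICY
                 ) -> Dict[str, Tuple[Optional[str], str]]:
    """Map each drifted directive to (actual value or None, desired value)."""
    actual = parse_login_defs(text)
    drift = {}
    for key, want in desired_settings(policy).items():
        have = actual.get(key)
        if have != want:
            drift[key] = (have, want)
    return drift


def remediate(text: str, policy: Dict[str, int] = PASSWORD_POLICY) -> str:
    """Return file content with managed directives set to the policy values.

    Lines the policy does not manage (comments, other directives) are kept
    verbatim; a missing managed directive is appended at the end.
    """
    want = desired_settings(policy)
    seen = set()
    out = []
    for line in text.splitlines():
        match = re.match(r"^\s*(\w+)\s+\S+", line)
        key = match.group(1) if match else None
        if key in want:
            out.append(f"{key} {want[key]}")
            seen.add(key)
        else:
            out.append(line)
    for key, value in want.items():
        if key not in seen:
            out.append(f"{key} {value}")
    return "\n".join(out) + "\n"


def fleet_report(hosts: Dict[str, str]) -> Dict[str, Dict[str, Tuple[Optional[str], str]]]:
    """Run the same policy against every host's file: the 'common profile' idea."""
    return {name: detect_drift(text) for name, text in hosts.items()}


# Constructed sample: a host still on distribution defaults.
SAMPLE_LOGIN_DEFS = """# /etc/login.defs (constructed sample for this example)
PASS_MAX_DAYS\t99999
PASS_MIN_DAYS\t0
PASS_MIN_LEN\t5
PASS_WARN_AGE\t7
UMASK\t022
"""

if __name__ == "__main__":
    hosts = {"web01": SAMPLE_LOGIN_DEFS, "web02": remediate(SAMPLE_LOGIN_DEFS)}
    for host, drift in fleet_report(hosts).items():
        print(host, "compliant" if not drift else f"drift: {drift}")
```

Changing the policy to a new minimum length is a one-line edit to `PASSWORD_POLICY`; every host's desired state, drift report and remediation follow from that edit through the same workflow, which is the point of keeping policy and configuration code together.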
Common policy as code tools include infrastructure provisioning tools (like Puppet, Ansible, Terraform), CI/CD tools (like GitLab), and policy enforcement tools (including Puppet, Chef, Open Policy Agent, and more).
Strictly speaking, PaC isn’t a specific tool or piece of software. Policy as code tools include different pieces of software that can define and enforce policies in infrastructure code. In fact, several popular automation, configuration management, and CI/CD tools offer capabilities that can help build a PaC approach.
Puppet Enterprise can define, test, and enforce policies as human-readable expressions. Puppet policy as code allows IT operations managers to enforce policy across complex infrastructure, including public and private cloud, data centers, and hybrid infrastructure.
Your policy as code will probably leverage at least two of the tools above, if not more. The PaC tools you choose should be based on where your infrastructure is hosted (cloud or on-prem or both), what kind of resources you need to manage, and your security and compliance commitments (industry frameworks, regulatory standards, etc.).
Puppet is used to implement policy as code with automation, configuration management, and human-readable code. Here are a few ways Puppet can be used to establish and enforce policy as code:
Puppet’s Ruby-based domain-specific language (DSL) is human-readable, making it perfect for using policy as code to keep your infrastructure consistent. It’s also trusted by thousands of companies managing millions of resources across infrastructure in the cloud, data center, hybrid, and edge. Wherever your infrastructure is, Puppet Enterprise can power a resilient policy as code approach to enforce policies at scale.
Schedule time to get a personal demo of Puppet Enterprise or try it for yourself on up to 10 nodes with the free trial edition below.