Policy-as-Code Governance Skill

Policy Layers

Core Policy Set

1. Resource Tagging (IaC + Azure Policy)

Required tags: tenant, env, owner, cost_center, managed_by

# conftest/terraform/tagging.rego
package terraform.tagging

required_tags := {"tenant", "env", "owner", "cost_center", "managed_by"}

deny[msg] {
  resource := input.resource_changes[_]
  resource.change.actions[_] == "create"
  missing := required_tags - {tag | resource.change.after.tags[tag]}
  count(missing) > 0
  msg := sprintf(
    "Resource %v is missing required tags: %v",
    [resource.address, missing]
  )
}

# Run at PR time
conftest test terraform/plan.json -p conftest/terraform/

2. Approved Regions Only (Azure Policy)

{
  "if": {
    "not": {
      "field": "location",
      "in": ["eastus", "westeurope", "southeastasia", "global"]
    }
  },
  "then": { "effect": "Deny" }
}

3. Approved VM SKUs

{
  "if": {
    "allOf": [
      { "field": "type", "equals": "Microsoft.Compute/virtualMachines" },
      { "field": "Microsoft.Compute/virtualMachines/sku.name",
        "notIn": ["Standard_D2s_v3","Standard_D4s_v3","Standard_D8s_v3",
                  "Standard_E2s_v3","Standard_E4s_v3"] }
    ]
  },
  "then": { "effect": "Deny" }
}

4. No Public IPs on Production VMs

# conftest/terraform/network.rego
package terraform.network

deny[msg] {
  resource := input.resource_changes[_]
  resource.type == "azurerm_network_interface"
  resource.change.after.ip_configuration[_].public_ip_address_id != null
  contains(resource.change.after.tags.env, "prod")
  msg := sprintf(
    "Production NIC %v must not have a public IP",
    [resource.address]
  )
}

Kubernetes Gatekeeper Policies

Install Gatekeeper

helm upgrade --install gatekeeper gatekeeper/gatekeeper \
  --namespace gatekeeper-system --create-namespace \
  --set replicas=3

Policy: Require Resource Limits

apiVersion: templates.gatekeeper.sh/v1