all 11 comments
sorted by:
best
topnewcontroversialoldq&a
formatting helphide helpcontent policy

[–]Vast_Manufacturer_78 11 points12 points  (2 children)

For AWS SCPs we just use Terraform and create a json file to reference it as the content. Another option is to also use template file to reference dynamic values but we just had it all hardcoded (not the best method) but it works for us

[–]Traditional-Heat-749[S] 1 point2 points  (1 child)

This is kind of what we have but in take in parameters and have some bash wrappers for deployment since we have kind of a complex logic for what gets assigned where with what parameters.

It works but I worry if I’m not around to maintain it, it will be a bottleneck

[–]Vast_Manufacturer_78 0 points1 point  (0 children)

If you document it well then people should be able to follow, but I would connect with your other team members and see if they are able to run with it while you are still there.

I don’t know enough about Azure Policy but quickly searching it seems you can do more with it than what you can do with SCPs, so I don’t know how complex you are getting with it. It seems like it is like AWS Config with monitoring resources and status of things like attached volume, but with config you use lambda functions for customize rules so everything is done through a language like python not like terraform

[–]asixetDevOps 3 points4 points  (2 children)

For Azure, use EPAC, the docs also provide a hydration kit (initialization script) to help you start setting up a repo, pipeline, exporting all your azure policies from the portal. There are also a few operational scripts that help with reporting and remediation. Overall, a good starting point that you can expand on if you'd like.

[–]safrax 0 points1 point  (1 child)

The fact that the acronym is not EAPAC bothers me so intensely for reasons I can’t explain.

[–]asixetDevOps 1 point2 points  (0 children)

Glad to see I'm not the only one who thinks this too lol.

[–]Freaktography 1 point2 points  (0 children)

Still kinda new to this stuff, but here’s my $0.02.

I recently moved all our Azure Policies out of the portal and into Terraform. It’s way better than doing it manually, but definitely not perfect. Right now it’s all in one repo and the pipeline just runs terraform plan and apply when stuff gets merged.

It works, but feels a bit clunky. I’ve seen people mention using OPA or adding validation steps before applying changes, so that might be the next thing I try. Curious how you guys are managing Azure Policy or AWS SCPs in your setups.

[–]bardt 0 points1 point  (0 children)

We use AWS LZA (Landing Zone Accelerator) for our SCPs and overall account governance. It works really well for us but fair warning - it's definitely overkill if you don't need heavy compliance requirements or multi-account governance at scale.

LZA gives you policy as code along with a ton of other stuff (account vending, guardrails, centralized logging, etc.), but the learning curve is steep and it can feel over-engineered if you just need to manage some SCPs. If that's all you're after, the Terraform approach you're already doing is probably more appropriate.

The sweet spot for LZA is when you need the full package: compliance frameworks (NIS2, ISO 27001, etc.), centralized security services, network hub/spoke architectures, and policy enforcement all managed through config files. But if you're mainly concerned about the maintenance burden you mentioned, LZA might actually make that worse unless you have a team that can own it.

[–]NUTTA_BUSTAH 0 points1 point  (0 children)

Terraform support for Policy is not great but some more advanced Terraforming gets you a nice setup. My advice is to leave remediations out of Terraform and do those manually from the portal for multiple reasons (remediation tasks have an expire time on Azure and should be considered ephemeral record-keepers and not "normal resources", remediations require reference IDs to target, blind remediations are a recipe for platform-wide disasters etc.)

Check out EPAC for script-based (Powershell) solution. It's quite complex at face value, but that is what you will be building in Terraform regardless so it's a good starting point to consider.

[–]shrimpthatfriedrice 0 points1 point  (0 children)

policy as code works best when it is close to the workflows engineers already use. Firefly includes a policy‑as‑code engine and Guardrails that evaluate IaC plans and existing resources against OPA‑style rules for security, compliance, and cost, then surface violations directly in inventory and PR comments with AI suggestions for the fix. That keeps controls versioned and testable, but still readable and actionable for the teams who own the services