OPA & Rego for compliance
Controls as declarative, tested policy.
Policy as code is what turns a written control into an enforced one, and OPA with its Rego language is the general-purpose engine at the center of it. Instead of a standard that lives in a wiki and gets ignored, the control becomes an executable check that fails a build or rejects a resource.
Rego: declarative policy over documents
Open Policy Agent evaluates policy written in Rego — a declarative language where you describe what a violation looks like in structured input (JSON/YAML), and OPA finds it. The same engine judges any document: a Terraform plan, a Kubernetes manifest, a Dockerfile, an API request. A policy is a set of rules that produce violation messages when their conditions hold, so a non-empty result means "non-compliant, here is why". Because it is declarative and data-driven, one policy engine covers many control points, and the policy itself is code you version, review, and test.
# Control: "storage must be encrypted." Expressed once in Rego, reusable.package compliance.storagedeny[msg] {resource := input.resource_changes[_]resource.type == "aws_s3_bucket"not encrypted(resource)msg := sprintf("bucket %v is not encrypted (violates CC6.1 / PCI 3.4)", [resource.address])}encrypted(r) { r.change.after.server_side_encryption_configuration }# A non-empty deny set = non-compliant. The message names the control it maps to.
Enforce at multiple points
The strength of a general policy engine is that the same rule can enforce a control at every stage: in CI against a Terraform plan (block the non-compliant infra before deploy), at Kubernetes admission via Gatekeeper (reject the non-compliant resource at runtime), and in an audit pass over live state. Write the control once, run it everywhere, and each run produces a pass/fail record that doubles as compliance evidence. Keep policies in version control, test them with fixtures, and tie each policy’s message to the control ID it enforces, so a failing check tells you exactly which requirement was violated. Policy as code is the mechanism that makes a control real rather than aspirational.