Although we're big advocates of defining security policy as code, the tooling in this space has been fairly limited. If you're using HashiCorp products (such as Terraform or Vault) and don't mind paying for the enterprise versions, you have the option of using HashiCorp Sentinel. Sentinel is, in effect, a complete programming language for defining and implementing context-based policy decisions. For example, in Terraform it can be used to test for policy violations before applying infrastructure changes. In Vault, Sentinel can be used to define fine-grained access control on the APIs. This approach has all the benefits of encapsulation, maintainability, readability and extensibility that high-level programming languages offer, creating an attractive alternative to traditional, declarative security policy. Sentinel is in the same class of tools as Open Policy Agent but is proprietary, closed-source and only works with HashiCorp products.
