Continuous Compliance
Lately I’ve been diving deep into organisations that are introducing devops and also adopting cloud services.
The biggest challenge of devops adoption, as always, is to change the mindset. We keep using the old mindset to adopt the new concepts, which never works. You don’t need to forget everything, but you need to be ready to assimilate new concepts.
“You are like this cup; you are full of ideas. You come and ask for teaching, but your cup is full; I can’t put anything in. Before I can teach you, you’ll have to empty your cup.” — Zen Master Ryutan, 760–840 AC
One of the biggest obstacles to cloud adoption in many organisations is compliance. With the current state of the tooling, it is legitimate to adopt policy as code and aim for Continuous Compliance.
I use Terraform from @hashicorp extensively for cloud provisioning, in preference to CloudFormation. CloudFormation is not bad, but it is very hard to make it bend to your old mindset. Terraform slowly introduces you to a new mindset, and also brings other advantages such as multi-provider and hybrid support for deploying on-premises and off-premises.
But for me one of the major advantages of Terraform is the “terraform plan” command, which lets you introduce checks for your compliance strategy in advance. Meaning: at code commit, and even before you use that infrastructure code to provision anything on the cloud, you can start to implement your Continuous Compliance strategy.
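As an added illustration of that idea (example code written for this post, not a tool from HashiCorp or from the workflow described here), the script below evaluates two policy-as-code checks against a plan before anything is provisioned. It assumes the plan has been saved and exported with `terraform show -json`, and works on a constructed sample of that JSON with only the fields the checks need; the policy names and the `evaluate_plan` helper are my own.

```python
import json

# Constructed sample of the JSON that `terraform show -json tfplan` emits;
# only the fields the checks below need are included.
SAMPLE_PLAN = json.dumps({"resource_changes": [
    {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
     "change": {"actions": ["create"], "after": {
         "bucket": "logs", "server_side_encryption_configuration": []}}},
    {"address": "aws_security_group.web", "type": "aws_security_group",
     "change": {"actions": ["create"], "after": {"ingress": [
         {"from_port": 22, "to_port": 22, "cidr_blocks": ["0.0.0.0/0"]},
         {"from_port": 443, "to_port": 443, "cidr_blocks": ["0.0.0.0/0"]}]}}},
    {"address": "aws_s3_bucket.old", "type": "aws_s3_bucket",
     "change": {"actions": ["delete"], "after": None}},
]})

def check_s3_encryption(after):
    """Policy: every S3 bucket must declare server-side encryption."""
    if not after.get("server_side_encryption_configuration"):
        return ["no server_side_encryption_configuration"]
    return []

def check_sg_admin_ports(after):
    """Policy: SSH (22) and RDP (3389) ingress must not be open to 0.0.0.0/0."""
    findings = []
    for rule in after.get("ingress", []):
        world = "0.0.0.0/0" in rule.get("cidr_blocks", [])
        admin = any(rule["from_port"] <= p <= rule["to_port"] for p in (22, 3389))
        if world and admin:
            findings.append(f"ingress {rule['from_port']}-{rule['to_port']} open to 0.0.0.0/0")
    return findings

# Resource type -> policy check; extend this table as new policies are codified.
POLICIES = {"aws_s3_bucket": check_s3_encryption,
            "aws_security_group": check_sg_admin_ports}

def evaluate_plan(plan_json):
    """Return {resource address: [violations]} for every resource the plan creates or updates."""
    violations = {}
    for rc in json.loads(plan_json)["resource_changes"]:
        if not {"create", "update"} & set(rc["change"]["actions"]):
            continue  # deletes and no-ops have no 'after' state to check
        check = POLICIES.get(rc["type"])
        found = check(rc["change"]["after"]) if check else []
        if found:
            violations[rc["address"]] = found
    return violations
```

In a pre-commit hook or CI stage, pipe the exported plan into `evaluate_plan` and fail the stage whenever the returned dictionary is non-empty, so the non-compliant change never reaches `terraform apply`.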
In the past, I spoke about the Infrastructure-as-Code workflow, expressed in the following diagram:
“Adapt what is useful, reject what is useless, and add what is specifically your own.” ― Bruce Lee
So today I want to add something to this workflow: proper infrastructure tests, aimed at achieving Continuous Compliance.
Stay tuned, because this is what I’m building right now.