Infrastructure as Code & Policy as Code

Why This Matters in 2026

Writing infrastructure as code stopped being a differentiator years ago — every team with a Terraform file in a repo can claim it. What now separates a strong profile is policy as code: codifying security, cost, and compliance rules so violations are blocked at pull-request time, instead of being discovered in a cloud security audit or a 3 a.m. incident. By 2026, organizations are judged less on whether their infrastructure is codified and more on whether that code is governed — with guardrails that scale faster than the headcount reviewing changes.

If your policy enforcement happens after a resource is already running in production, you don’t have policy as code — you have a dashboard. The bar in 2026 is a check that fails the pull request, not an alert that fires after the fact.

Core Skills & Tools

  • Terraform/OpenTofu module design, versioning, and distribution through an internal module registry
  • Helm chart and Kustomize overlay standardization across environments and teams
  • Kubernetes admission policy with OPA/Gatekeeper and Kyverno (mutating and validating policies)
  • Static policy scanning in CI with Conftest, Checkov, and tfsec against Rego or YAML policy bundles
  • Designing PR-time policy gates that fail fast, with actionable error messages instead of opaque rejections
  • Infrastructure drift detection at the cloud-resource level (distinct from GitOps application-state drift) using tools like terraform plan in CI, driftctl, or cloud-native config recorders
  • Encoding tagging, naming, and resource-sizing conventions as enforceable policy rather than wiki documentation
  • Versioning and testing policy bundles themselves (unit tests for Rego/Kyverno policies, not just for infrastructure code)
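The three list items on Conftest scanning, encoding conventions as policy, and unit-testing the policy bundle itself come together in one small bundle. The following is an added example, not code from the original page or from any named project: a Conftest-style Rego policy that turns a tagging convention and a non-production instance-sizing rule into PR-time deny rules evaluated against Terraform plan JSON, plus the Rego unit tests that version alongside it. The required tag names, the allowed instance types, the `policy/` directory layout, and the sample plan fragment are all assumptions constructed for the example; `import rego.v1` assumes a recent OPA/Conftest.

```rego
# policy/terraform.rego
# Package "main" is what Conftest evaluates by default; deny rules fail the check.
package main

import rego.v1

# Organisational conventions encoded as data (constructed values, not the page's)
required_tags := {"owner", "cost-center", "environment"}
allowed_nonprod_instance_types := {"t3.micro", "t3.small", "t3.medium"}

# Resources the plan will create or update; deletes and no-ops are ignored
changed_resources contains rc if {
	some rc in input.resource_changes
	some action in rc.change.actions
	action in {"create", "update"}
}

# Rule 1: every changed aws_instance must carry all required tags.
# The message names the resource address and the exact missing tags so the
# PR author can fix it without reading the policy source.
deny contains msg if {
	some rc in changed_resources
	rc.type == "aws_instance"
	tags := object.get(rc.change.after, "tags", {})
	missing := required_tags - {k | tags[k]}
	count(missing) > 0
	msg := sprintf("%s: missing required tags %v", [rc.address, sort(missing)])
}

# Rule 2: outside prod, instance sizes must come from the allow-list.
deny contains msg if {
	some rc in changed_resources
	rc.type == "aws_instance"
	env := object.get(rc.change.after, ["tags", "environment"], "")
	env != "prod"
	size := rc.change.after.instance_type
	not size in allowed_nonprod_instance_types
	msg := sprintf("%s: instance_type %q is not allowed for environment %q (allowed: %v)",
		[rc.address, size, env, sort(allowed_nonprod_instance_types)])
}

# policy/terraform_test.rego
# Unit tests for the bundle; run with `opa test policy/ -v` or `conftest verify -p policy/`.
package main

import rego.v1

# Constructed fragment of `terraform show -json` output: one compliant dev instance
compliant_plan := {"resource_changes": [{
	"address": "aws_instance.web",
	"type": "aws_instance",
	"change": {
		"actions": ["create"],
		"after": {
			"instance_type": "t3.small",
			"tags": {"owner": "platform", "cost-center": "cc-1234", "environment": "dev"}
		}
	}
}]}

test_compliant_plan_passes if {
	count(deny) == 0 with input as compliant_plan
}

test_missing_tag_is_denied if {
	plan := json.patch(compliant_plan, [{"op": "remove", "path": "/resource_changes/0/change/after/tags/owner"}])
	msgs := deny with input as plan
	count(msgs) == 1
	some msg in msgs
	contains(msg, "missing required tags")
	contains(msg, "owner")
}

test_oversized_nonprod_instance_is_denied if {
	plan := json.patch(compliant_plan, [{"op": "replace", "path": "/resource_changes/0/change/after/instance_type", "value": "m5.4xlarge"}])
	msgs := deny with input as plan
	some msg in msgs
	contains(msg, "m5.4xlarge")
}

test_prod_may_use_large_instances if {
	plan := json.patch(compliant_plan, [
		{"op": "replace", "path": "/resource_changes/0/change/after/instance_type", "value": "m5.4xlarge"},
		{"op": "replace", "path": "/resource_changes/0/change/after/tags/environment", "value": "prod"}
	])
	count(deny) == 0 with input as plan
}
```

In the pull-request pipeline the plan is rendered once (`terraform plan -out plan.out` followed by `terraform show -json plan.out > plan.json`) and then checked with `conftest test plan.json -p policy/`; Conftest's non-zero exit is what fails the PR check, and each deny message carries the resource address and the concrete violation rather than an opaque rejection. Running `opa test policy/` in the same pipeline treats the policy bundle as code in its own right, so a rule change that silently stops firing is caught before it is merged.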

What You Must Have Operated

  • Built and published a reusable IaC module (or module set) that other teams actually consume from an internal registry, not just a copy-pasted example
  • Implemented at least one PR-blocking policy check that caught and stopped a real violation before it reached production — not a theoretical rule that has never fired
  • Migrated a category of manual or out-of-band infrastructure changes (console clicks, ad hoc scripts) into a fully codified, reviewed pipeline
  • Run drift detection in production long enough to use it for an actual remediation, not just a one-time audit

Evidence You Can Show

Artifact: what it proves

  • IaC module registry or repository with consumption metrics: you design infrastructure code as a reusable product, not one-off scripts
  • OPA/Gatekeeper or Kyverno policy set (with tests): you can encode organizational rules as enforceable, testable code
  • Screenshot or CI log of a PR check blocking a real violation: your policy gates have actually prevented a problem, not just documented one
  • Provisioning-time before/after report: you can quantify the operational impact of codifying previously manual work

KPIs & Metrics

  • Infrastructure provisioning time — time from request/PR merge to usable resource
  • % of manual/out-of-band changes — share of infrastructure changes made outside the codified pipeline
  • Policy violation detection rate — violations caught pre-merge vs. found post-deploy
  • Module reuse count — number of teams/services consuming a shared IaC module
  • Supporting metrics: policy check false-positive rate, mean time to remediate drift, PR rejection-to-merge turnaround for policy failures

Maturity Levels

Level: what you can demonstrate

  • Associate: can write and apply a Terraform/OpenTofu resource using an existing internal module; understands the difference between IaC and policy as code
  • Professional: has authored a reusable IaC module consumed by at least one other team and written a basic Conftest/Checkov policy enforced in CI
  • Senior: has implemented a PR-blocking OPA/Gatekeeper or Kyverno policy set that prevented a real violation, and led a migration of manual infra changes into a codified pipeline
  • Principal: has made policy as code a mandatory, org-wide merge gate, with module registries and policy bundles adopted as shared platform infrastructure across multiple teams

Proof Statements You Can Use

  • “Cut average infrastructure provisioning time from 5 days to 45 minutes by replacing manual ticket-based requests with a self-service Terraform module registry.”
  • “Built an OPA/Gatekeeper policy set that blocked 34 non-compliant Kubernetes manifests at PR time in its first quarter, preventing them from reaching production.”
  • “Reduced manual/out-of-band infrastructure changes from 40% to under 5% by migrating networking and IAM provisioning into a fully codified pipeline.”
  • “Published an internal Terraform module library adopted by 9 teams, cutting duplicate module code by roughly 70% across the organization.”