Blog home
Policy as Code

Why You Need Unified Policy as Code for Terraform Workflows

Scott Ford
August 28, 2025
5 min read

Terraform, HashiCorp’s Infrastructure as Code (IaC) tool, has become the de facto standard for provisioning and managing cloud infrastructure. From startups to Fortune 10 enterprises, it powers the provisioning of cloud resources at scale. But with this power comes risk: a single misconfiguration in Terraform can expose sensitive data, inflate cloud costs, or create compliance gaps and replicate this across hundreds of assets. That’s why Policy as Code is essential when using Terraform. By expressing rules as code, organizations can set guardrails directly into their IaC workflows. This ensures that security, compliance, and operational best practices are enforced automatically, without relying on manual reviews or tribal knowledge. However, many existing Policy as Code tools for Terraform come with significant limitations.

The challenge is that most Policy as Code tools only solve part of the Terraform workflow. They may scan HCL (HashiCorp Configuration Language), or sometimes evaluate a plan, but they stop short of state validation and runtime enforcement. This leaves gaps where real-world misconfigurations and drift slip through unchecked. The solution is a unified Policy as Code platform that applies consistently across the entire Terraform lifecycle (HCL, plan, state, and runtime) and only requires you to write the policy once.

Limitations of Policy as Code solutions for Terraform

Organizations often reach for tools like OPA (Styra), HashiCorp Sentinel, or Palo Alto checkov. While each provides value, they all come with limitations:

  • OPA (Styra): Open Policy Agent (OPA) is extremely flexible and can enforce complex policies, but it requires learning the Rego language, which has a steep learning curve. More importantly, it lacks seamless integration with Terraform state or runtime resources. This means you can only enforce policies at limited points in the workflow, and you risk misconfigurations slipping through once infrastructure is applied. (We’ve written a full comparison of Mondoo and Styra/OPA if you want to dig deeper into Mondoo as an alternative to Styra OPA/Rego).
  • HashiCorp Sentinel: Sentinel is tightly coupled to Terraform Cloud and Terraform Enterprise, which makes it effectively unusable outside of HashiCorp’s ecosystem. Teams running Terraform in GitHub Actions, GitLab, Jenkins, or other CI/CD pipelines can’t leverage Sentinel. This lack of portability means that organizations either have to fully commit to Terraform Cloud or stitch together multiple tools, leading to inconsistent enforcement.
  • checkov (Palo Alto): checkov is popular for scanning Terraform HCL files before a plan runs, and it also supports evaluating Terraform plans when they are exported to JSON. However, it does not evaluate Terraform state files or runtime infrastructure. As a result, Checkov can catch some issues earlier in the workflow, but it misses misconfigurations that arise later, such as drift in state or changes made outside of Terraform. This limited coverage leaves significant blind spots that weaken security, compliance, and cost control.

The result? Fragmented workflows, inconsistent coverage, and limited extensibility. Teams end up stitching multiple tools together and still miss critical security or compliance issues.

Mondoo’s differentiation: One policy to cover all stages

Mondoo is the only Policy as Code platform that spans the entire Terraform lifecycle:

Terraform state: Mondoo coverage:
Terraform HCL (Pre-Plan) Scans IaC before a plan runs.
Terraform Plan (Post-Plan) Catches drift and misconfigurations before they’re applied
Terraform State (Post-Apply) Validates applied resources as represented in Terraform state files.
Runtime (Live Infrastructure) Continuously monitors real-world infrastructure.

What is Mondoo Policy as Code?

Mondoo Policy as Code is a system for writing, automating, and scaling security, compliance, and cost-control policies across complex digital infrastructures using code, rather than traditional, static documents. It utilizes MQL, an open-source graph-based query language that is part of cnspec, allowing organizations to define policies once and enforce them everywhere, integrating security into every stage of the development lifecycle to reduce risks and misconfigurations.

Find and fix the security risks that pose the biggest threat to your business.

Get started

Mondoo Policy as Code: Define Once, Enforce Everywhere

Schedule demo

Let’s deconstruct an example of a Mondoo policy to show what this looks like in practice.

Example: Cloud storage buckets must have uniform bucket-level access

Mondoo policies are written in simple, declarative YAML. They are easy to read, easy to write, and designed for anyone who already works with Terraform or YAML a lot. Unlike OPA or Sentinel, it is far less complicated and easy to pick up, with Mondoo policies that are approachable and production-ready out of the box.Here’s an example check:

Sample check in Mondoo cnspec

The full code can be accessed here.

Anatomy of a Mondoo check

Every Mondoo check follows the same structure:

  • uid: A unique identifier for the check. This ensures consistency even if there are small changes to the title or check
  • title: A human-readable name that explains what the check enforces.
  • impact: A number between 0 (low) and 100 (critical). Higher values represent more critical security or compliance risks.
  • docs: Rich documentation that includes:
    • desc: Why this check matters. Explains the security, compliance, or cost rationale.
    • remediation: Step-by-step fixes in Markdown or code snippets that can be automated. Mondoo policies support adding multiple remediation steps. For example, you might include remediation steps using the cloud console (UI-based), CLI, and Terraform examples.
  • variants: The superpower of Mondoo. Variants express the same policy across the entire deployment lifecycle (Terraform HCL, Terraform Plan, Terraform State, and Runtime).

Filters: Precision, not noise

Each check comes with a filter that defines when it should run. This eliminates noise because you only see checks that are relevant.

Example:

filters: |  
asset.platform == 'terraform-plan' &&  
terraform.plan.resourceChanges.contains(type == 'google_storage_bucket')

This means:

  1. Only run this check when the scanned asset is a Terraform plan AND
  2. Only evaluate it when the plan includes a google_storage_bucket resource.

Filters use the full power of the Mondoo Query Language (MQL), so you can write precise, contextual policies that apply only when relevant. This eliminates noise and false positives, something competitors struggle with.

One policy for all Terraform stages

Mondoo shows the coded policy in the platform

Thanks to variants and filters, this single check enforces the same rule consistently across:

  • Terraform HCL (pre-plan)
  • Terraform Plan (post-plan)
  • Terraform State (post-apply)
  • Runtime (live GCP bucket)

That’s what makes Mondoo unique: Write once, enforce everywhere. The end result is a beautifully rendered policy in Mondoo Platform, where you see how well you are doing on any policy across all phases of your Terraform workflow. You can also get Terraform-based remediations for failures that you detect in your runtime. It avoids extracting and unifying this data and instead consolidates it for you. 

It also means you can manage exceptions holistically. For example, if you get an exception for a new security rule for the next 3 months, that exception now applies to both your build-time (CI/CD) and your runtime. This removes many headaches people face when trying to manage multiple tools for security.

Largest out-of-the-box policy library

Mondoo ships with the largest collection of production-ready policies for cloud, SaaS, Kubernetes, and operating systems. Certified frameworks include:

  • CIS Benchmarks
  • NIST policies
  • Compliance: SOC2, PCI, HIPAA, ISO
  • Cloud Cost Control Policies

These policies include all applicable compliance controls and CIS best practices, and work across the entire Terraform lifecycle, including HCL, plan, state, and runtime, without the need for rewriting or duplication. This saves teams manual work when creating and updating policies, and avoids inconsistent policies between the different Terraform states.

Why unified Policy as Code matters

Mondoo’s approach delivers unique advantages:

  • Reduced tool sprawl: With Mondoo you only need one tool, e.g. no need for OPA + checkov + custom scripts.
  • Consistent results: You write only one check in Mondoo to cover dev → test → prod.
  • Unified exceptions management: Mondoo is the only platform that applies exceptions across the Terraform workflow.
  • Developer-first experience: Mondoo works in any CI/CD platform, with VS Code plugins, Dev Containers, and a dev-first workflow.

Comparison: Mondoo compared to PaC alternatives

PaC tool: IaC (HCL) Plan State Runtime Policy Library Language
Mondoo Largest, ready-to-use MQL
OPA/Rego (Styra) Partial DIY only Rego
HashiCorp Sentinel Limited (TFE only) Some built-ins Sentinel
Checkov (Palo Alto) Medium-size Python/YAML

For a detailed breakdown of how Mondoo compares with Styra OPA/Rego, see our blog post: Mondoo as an Alternative to Styra OPA/Rego

FAQs

What is Policy as Code for Terraform?
Policy as Code ensures infrastructure adheres to security, compliance, and cost controls — automatically enforced in Terraform workflows.

What’s the difference between OPA, Sentinel, checkov, and Mondoo?
OPA requires custom coding, Sentinel is Terraform cloud-only, and checkov stops at IaC scanning. In contrast, Mondoo covers all Terraform stages: HCL (IaC), plan, state, and runtime. 

How do you secure Terraform runtime with Policy as Code?
Mondoo continuously monitors live infrastructure to catch drift and misconfigurations after deployment.

Conclusion

Mondoo is the only unified Policy as Code platform for Terraform that works across IaC, plan, state, and runtime. With the largest out-of-the-box policy library, built-in remediation, and unified exceptions management, Mondoo empowers teams to secure, govern, and optimize Terraform at scale. Schedule a demo to see the power of Mondoo Policy as Code. 

We’ll be exhibiting at HashiConf 2025 in San Francisco (Sep 24 - 26). We’d love to see you there. Please contact us to schedule a meeting.

Scott Ford

Scott Ford is a DevOps practitioner. In his current role as Principal Architect at Mondoo, he is focused on helping businesses automate security without adding friction to innovation. Prior to joining Mondoo, Scott held positions as Principal Architect of Lacework, and Distinguished Architect at Chef Software helping companies around the world transform the way they build their products through collaboration and automation.

You might also like

Policy as Code
Styra OPA Alternative for Infrastructure Security and Compliance Policies
Dominik Richter
August 21, 2025
Microsoft
Microsoft Patch Tuesday August 2025: How to Prioritize Vulnerabilities for Patching
Deborah Galea
Christian Zunker
August 15, 2025
Vulnerabilities
Introducing Agentic Vulnerability Patching Using Ansible
Chip Johnson
Deborah Galea
August 14, 2025

Stay informed with our news and new articles

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.