architecture-as-code
Arch as Code: automated architecture control compliance measurement
Feature Request
Description of Problem:
When delivering a new solution or a change to an existing solution, I want to make use of Architecture as Code to support automatically determining whether a given architecture (in production or pre-production) conforms to the organisation's relevant architecture standards, policies and principles, preferably as early in the lifecycle as possible, so that I can avoid costly rework late in the cycle, evidence compliance, and potentially view the impact of policy changes before they are signed off.
Potential Solutions:
The use of Rego to describe policy controls, and Open Policy Agent (OPA) to test and report on those controls, has spread beyond its early focus on cloud security controls into much broader use: describing policies in executable form and building automated verification into build and deployment pipelines. If we have sufficient detail in our architecture model, plus the ability to detect whether what was deployed matches what the model says, then it may be possible to shape the data and write Rego rules that automatically test specific architecture standards of a wide variety of types, e.g.:
- Systems supporting critical business processes must be deployed to multiple availability zones in more than one region
- All ADRs must have someone who has been designated an architect as part of the advice/consultation process
- The architecture of a system must be reviewed at least annually to check it is still appropriate for the evolving environment
- Systems must have active chaos testing in a QA environment
There may well be better options than Rego/OPA, but the key is probably to determine what information we need to support automated control testing, and what the overhead would be of incorporating that information into the architecture model (or auxiliary data).
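To make the data question concrete, here is an added example (not code from this project) of what the four standards above look like as OPA rules over a hypothetical architecture model. The model shape in the comment block, the field names, and the sample data in `sample_model` are all assumptions chosen for the example; the point is that each rule's inputs are exactly the information the model (or auxiliary data) would have to carry for the control to be testable. The date the check is run against is passed in as `input.assessment_date` rather than read from the clock, so results are reproducible in a pipeline.

```rego
package architecture.controls

import rego.v1

# Assumed (hypothetical) model shape; the project's real schema may differ:
#   input.assessment_date        RFC3339 timestamp the check is evaluated against
#   input.designated_architects  list of people designated as architects
#   input.systems[]              {name, criticality, deployments[{region, availability_zones[]}],
#                                 last_architecture_review, environments{qa{chaos_testing}}}
#   input.adrs[]                 {id, consulted[]}
#
# Run against a model:  opa eval -i model.json -d controls.rego "data.architecture.controls.deny"
# Run the built-in test: opa test controls.rego

one_year_ns := 365 * 24 * 60 * 60 * 1000000000

# Control 1a: critical systems must be deployed to more than one region
deny contains msg if {
	some sys in input.systems
	sys.criticality == "critical"
	regions := {d.region | some d in sys.deployments}
	count(regions) < 2
	msg := sprintf("%s: critical system is deployed to %d region(s); need at least 2", [sys.name, count(regions)])
}

# Control 1b: each deployment of a critical system must use multiple availability zones
deny contains msg if {
	some sys in input.systems
	sys.criticality == "critical"
	some d in sys.deployments
	count(d.availability_zones) < 2
	msg := sprintf("%s: deployment in %s uses %d AZ(s); need at least 2", [sys.name, d.region, count(d.availability_zones)])
}

# Control 2: every ADR must have a designated architect in its consulted list
deny contains msg if {
	some adr in input.adrs
	count({p | some p in adr.consulted; p in input.designated_architects}) == 0
	msg := sprintf("ADR %s: nobody on the consulted list is a designated architect", [adr.id])
}

# Control 3: the architecture must have been reviewed within the last year
deny contains msg if {
	some sys in input.systems
	last := time.parse_rfc3339_ns(sys.last_architecture_review)
	now := time.parse_rfc3339_ns(input.assessment_date)
	now - last > one_year_ns
	msg := sprintf("%s: last architecture review (%s) is more than a year before %s", [sys.name, sys.last_architecture_review, input.assessment_date])
}

# Control 4: active chaos testing in QA. A missing or false flag is a violation,
# because `not` also succeeds when the path is undefined.
chaos_tested(sys) if sys.environments.qa.chaos_testing == true

deny contains msg if {
	some sys in input.systems
	not chaos_tested(sys)
	msg := sprintf("%s: no active chaos testing in QA", [sys.name])
}

default compliant := false

compliant if count(deny) == 0

# Constructed sample model (not real data) used by the unit test below.
# It violates controls 1a, 2, 3 and 4 and satisfies 1b, so `deny` has 4 entries.
sample_model := {
	"assessment_date": "2024-06-01T00:00:00Z",
	"designated_architects": ["alice"],
	"systems": [{
		"name": "payments",
		"criticality": "critical",
		"deployments": [{"region": "eu-west-1", "availability_zones": ["a", "b"]}],
		"last_architecture_review": "2023-01-15T00:00:00Z",
		"environments": {"qa": {"chaos_testing": false}}
	}],
	"adrs": [{"id": "ADR-001", "consulted": ["bob"]}]
}

test_sample_model_violations if {
	violations := deny with input as sample_model
	count(violations) == 4
	not compliant with input as sample_model
}
```

Each `deny` rule reads only a handful of fields, which is the useful by-product: the set of fields referenced across the rules is the minimum the architecture model needs to capture for these controls to be evaluated automatically, and anything not modelled (for example whether chaos testing is actually running, as opposed to declared) needs a matching detection feed before the control can be trusted.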