ARPaCCino: An Agentic-RAG for Policy as Code Compliance

  • 2025-11-04 10:14:39
  • Francesco Romeo, Luigi Arena, Francesco Blefari, Francesco Aurelio Pironti, Matteo Lupinacci, Angelo Furfaro

Abstract

Policy as Code (PaC) is a paradigm that encodes security and compliance policies into machine-readable formats, enabling automated enforcement in Infrastructure as Code (IaC) environments. However, its adoption is hindered by the complexity of policy languages and the risk of misconfigurations. In this work, we present ARPaCCino, an agentic system that combines Large Language Models (LLMs), Retrieval-Augmented Generation (RAG), and tool-based validation to automate the generation and verification of PaC rules. Given natural language descriptions of the desired policies, ARPaCCino generates formal Rego rules, assesses IaC compliance, and iteratively refines the IaC configurations to ensure conformance. Thanks to its modular agentic architecture and integration with external tools and knowledge bases, ARPaCCino supports policy validation across a wide range of technologies, including niche or emerging IaC frameworks. Experimental evaluation involving a Terraform-based case study demonstrates ARPaCCino's effectiveness in generating syntactically and semantically correct policies, identifying non-compliant infrastructures, and applying corrective modifications, even when using smaller, open-weight LLMs. Our results highlight the potential of agentic RAG architectures to enhance the automation, reliability, and accessibility of PaC workflows.
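The abstract describes a loop of three steps: evaluate a Terraform configuration against a policy, report the non-compliant resources, and apply a corrective modification before re-checking. The example below is added here to make that loop concrete; it is not code from the paper or from ARPaCCino. The paper's system generates Rego rules and evaluates them with external tooling, whereas this example expresses one policy directly in Python so it runs offline. The Terraform plan excerpt (in the shape produced by `terraform show -json`), the policy ("no security group may expose SSH to the whole internet"), and the remediation CIDR `ADMIN_CIDR` are all constructed for the example.

```python
"""Constructed Policy-as-Code check-and-refine loop over a Terraform plan.

Added example, not from the paper: the policy is written in plain Python in
place of Rego/OPA, and the plan data below is made up for illustration.
"""
import copy
import json

# Constructed excerpt of `terraform show -json` output (planned_values subset):
# one security group whose SSH ingress is open to the world, one that is not.
PLAN_JSON = json.dumps({
    "planned_values": {"root_module": {"resources": [
        {"address": "aws_security_group.web",
         "type": "aws_security_group",
         "values": {"ingress": [
             {"from_port": 22, "to_port": 22, "protocol": "tcp",
              "cidr_blocks": ["0.0.0.0/0"]},
             {"from_port": 443, "to_port": 443, "protocol": "tcp",
              "cidr_blocks": ["0.0.0.0/0"]}]}},
        {"address": "aws_security_group.bastion",
         "type": "aws_security_group",
         "values": {"ingress": [
             {"from_port": 22, "to_port": 22, "protocol": "tcp",
              "cidr_blocks": ["10.0.0.0/8"]}]}},
    ]}}
})

ADMIN_CIDR = "10.0.0.0/8"        # assumed remediation value (placeholder)
WORLD = {"0.0.0.0/0", "::/0"}    # "anywhere" CIDRs for IPv4 and IPv6


def parse_plan(plan_json):
    """Parse the JSON plan text into a dict."""
    return json.loads(plan_json)


def ssh_open_to_world(rule):
    """True if an ingress rule reaches TCP/22 from an 'anywhere' CIDR.
    protocol "-1" is Terraform's all-traffic rule and covers every port."""
    proto = rule.get("protocol")
    covers_22 = proto == "-1" or (
        proto == "tcp" and rule["from_port"] <= 22 <= rule["to_port"])
    return covers_22 and any(c in WORLD for c in rule.get("cidr_blocks", []))


def evaluate(plan):
    """Policy: no security group may allow SSH from the world.
    Returns a list of deny messages; empty means compliant (the same shape a
    Rego `deny` set would give)."""
    denies = []
    for res in plan["planned_values"]["root_module"]["resources"]:
        if res["type"] != "aws_security_group":
            continue
        for i, rule in enumerate(res["values"].get("ingress", [])):
            if ssh_open_to_world(rule):
                denies.append(
                    f"{res['address']}: ingress[{i}] allows SSH from the world")
    return denies


def remediate(plan):
    """Corrective modification: narrow world CIDRs on offending SSH rules to
    ADMIN_CIDR.  Works on a deep copy so the original plan is untouched;
    rules that do not violate the policy (e.g. HTTPS from anywhere) are kept."""
    fixed = copy.deepcopy(plan)
    for res in fixed["planned_values"]["root_module"]["resources"]:
        if res["type"] != "aws_security_group":
            continue
        for rule in res["values"].get("ingress", []):
            if ssh_open_to_world(rule):
                rule["cidr_blocks"] = [
                    ADMIN_CIDR if c in WORLD else c for c in rule["cidr_blocks"]]
    return fixed


def check_and_refine(plan_json, max_rounds=3):
    """Evaluate, remediate and re-evaluate until compliant or out of rounds.
    Returns (compliant, remediation_rounds_used, final_plan)."""
    plan = parse_plan(plan_json)
    for rounds in range(max_rounds):
        if not evaluate(plan):
            return True, rounds, plan
        plan = remediate(plan)
    return not evaluate(plan), max_rounds, plan


if __name__ == "__main__":
    for msg in evaluate(parse_plan(PLAN_JSON)):
        print("DENY:", msg)
    ok, rounds, final = check_and_refine(PLAN_JSON)
    print("compliant:", ok, "after", rounds, "remediation round(s)")
    web = final["planned_values"]["root_module"]["resources"][0]["values"]
    print(json.dumps(web, indent=2))
```

Running the block reports one deny for `aws_security_group.web`, rewrites only that rule's CIDR, and passes on the second evaluation. The bounded `max_rounds` matters in practice: an automated refinement step that never converges (or that keeps reintroducing the violation) should stop and surface the remaining denies rather than loop indefinitely.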
