Is it possible for us to enable or disable Sentinel Policies based on an environment variable or a flag in Terraform Workspaces?
As a developer, I want to disable or ignore some network rules in the development environment for debugging, but apply strict Deny All network rules for some cloud resources in the production environment.
For example,
policy "azure-cis-3.7-storage-default-network-access-rule-set-to-deny" {
  source = "https://raw.githubusercontent.com/hashicorp/terraform-foundational-policies-library/master/cis/azure/storage/azure-cis-3.7-storage-default-network-access-rule-set-to-deny/azure-cis-3.7-storage-default-network-access-rule-set-to-deny.sentinel"
  enforcement_level = "hard-mandatory"
  enforcement_environment = "production,test"
}

policy "azure-cis-3.7-storage-default-network-access-rule-set-to-deny" {
  source = "https://raw.githubusercontent.com/hashicorp/terraform-foundational-policies-library/master/cis/azure/storage/azure-cis-3.7-storage-default-network-access-rule-set-to-deny/azure-cis-3.7-storage-default-network-access-rule-set-to-deny.sentinel"
  enforcement_level = "ignored"
  enforcement_environment = "development"
}
I understand that we can manage Sentinel Policies using different Policy Sets, but it becomes difficult to apply when each Terraform GitHub project has three or more Environments/Workspaces.
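One way to get the per-environment behaviour asked for above without a separate policy set per workspace, as an added example that is not part of the original post and not the foundational-policies-library code: move the environment decision into the policy itself. Sentinel's `tfrun` import (available when the policy runs in Terraform Cloud/Enterprise) exposes the workspace name, and a `rule when` only evaluates its body when the predicate holds, so the check is skipped (passes) in workspaces that are not in the strict list. The `<app>-<env>` workspace naming convention, the `strict_environments` list and the simplified "default_action must be Deny" check are assumptions made for this example; the library policy itself may evaluate the resource differently.

```sentinel
# Added example, not the library's own CIS 3.7 policy.
# Assumption: workspaces are named "<app>-<env>", e.g. "billing-prod",
# and only the environments listed below get the strict network check.

import "tfrun"
import "tfplan/v2" as tfplan
import "strings"

strict_environments = ["prod", "test"]

# Take the last "-"-separated token of the workspace name as the environment.
workspace_env = func() {
	parts = strings.split(tfrun.workspace.name, "-")
	return parts[length(parts) - 1]
}

is_strict = workspace_env() in strict_environments

# Storage accounts being created or updated by this plan.
storage_accounts = filter tfplan.resource_changes as _, rc {
	rc.type is "azurerm_storage_account" and
	rc.mode is "managed" and
	(rc.change.actions contains "create" or rc.change.actions contains "update")
}

# A storage account violates the check when it has no network_rules block
# or its default_action is anything other than "Deny".
violations = filter storage_accounts as _, rc {
	rules = rc.change.after.network_rules else []
	length(rules) is 0 or rules[0].default_action is not "Deny"
}

# Enforced only in strict environments; in any other workspace the rule
# is not evaluated and the policy passes, which is the "ignored" behaviour
# the question asks for, without a second policy set.
main = rule when is_strict {
	length(violations) is 0
}
```

With this shape the `sentinel.hcl` entry stays `hard-mandatory` for every workspace; what changes per environment is whether the body of `main` runs at all. If you would rather not encode the environment in the workspace name, the same predicate can be driven by a workspace variable read through the `tfrun` import, at the cost of trusting whoever can edit that variable to switch the check off.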