Enable/disable Sentinel Policies Based on Environment

@hcrhall I checked this thread and added a filter to check based on workspace name. However, the team is recommending using the filter for checking the “prod” keyword in the subscription name. Can you suggest if that’s possible as I can’t find the subscription name in the tf state file.

“Is it possible to grab the subscription name from the resource group Azure ID and apply regex which matches prod”

```sentinel
import "tfplan/v2" as tfplan
import "tfconfig/v2" as tfconfig
import "tfrun"
import "strings"

# Only apply this policy if the azurerm provider is configured
# (tfrun has no providers collection; tfconfig/v2 does)
provider = any tfconfig.providers as _, p { p.name is "azurerm" }

# Validate the environment based on the workspace name and apply this policy
environment = strings.split(tfrun.workspace.name, "-")

# Virtual networks being created or updated in this plan
allVnet = filter tfplan.resource_changes as _, resource_changes {
    resource_changes.type is "azurerm_virtual_network" and
    resource_changes.mode is "managed" and
    (resource_changes.change.actions contains "create" or
     resource_changes.change.actions is ["update"])
}

# DDoS protection plans being created or updated in this plan
allVnetDdosPlan = filter tfplan.resource_changes as _, resource_changes {
    resource_changes.type is "azurerm_network_ddos_protection_plan" and
    resource_changes.mode is "managed" and
    (resource_changes.change.actions contains "create" or
     resource_changes.change.actions is ["update"])
}

print("Ensure that ddos protection plan is enabled for Vnet")

# Enforced only for prod workspaces using the azurerm provider.
# A VNet with no ddos_protection_plan block at all must fail as well,
# otherwise `all` over an empty list would pass it.
allow_only_vnets_with_ddos_protection_plan = rule when (environment contains "prod" and provider is true) {
    all allVnet as _, ddos_protection {
        length(ddos_protection.change.after.ddos_protection_plan) > 0 and
        all ddos_protection.change.after.ddos_protection_plan as ddos_protection_plan {
            ddos_protection_plan.enable is true
        }
    }
}

main = rule { allow_only_vnets_with_ddos_protection_plan }
```

Also, if you can help in writing a post on integrating sentinel in CI/CD without using terraform.io. Our team is moving to use Jenkins with Spinnaker.
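On the subscription question: an Azure resource ID only carries the subscription GUID (`/subscriptions/<guid>/resourceGroups/<name>/...`), never the subscription display name, so a regex for "prod" against the name cannot work on the ID alone. What can be done in Sentinel is to extract the GUID from resource group IDs already in state and compare it against a maintained list of production subscription IDs, and combine that with the workspace-name check. The policy below is an added example, not code from the original post or from HashiCorp; the `prod_subscription_ids` values are placeholders, and the `subscription_of` helper and the variable names are my own.

```sentinel
import "tfplan/v2" as tfplan
import "tfstate/v2" as tfstate
import "tfrun"
import "strings"

# Placeholder production subscription GUIDs (assumption: maintained by the
# platform team; replace with real values).
prod_subscription_ids = [
    "00000000-0000-0000-0000-000000000001",
]

# Extract the subscription GUID from an Azure resource ID such as
# /subscriptions/<guid>/resourceGroups/<rg>. Returns "" for anything that
# does not look like a full resource ID.
subscription_of = func(id) {
    if id is null or not (id matches "^/subscriptions/[0-9a-fA-F-]{36}/") {
        return ""
    }
    # split("/subscriptions/<guid>/...", "/") -> ["", "subscriptions", "<guid>", ...]
    return strings.split(id, "/")[2]
}

# Subscription GUIDs of every resource group already present in state.
# Newly created resource groups have no ID yet and will not appear here.
state_subscriptions = map filter tfstate.resources as _, r {
    r.type is "azurerm_resource_group" and r.mode is "managed"
} as _, r {
    subscription_of(r.values.id)
}

# Prod signal 1: a known production subscription is managed by this state.
is_prod_subscription = any state_subscriptions as s {
    s in prod_subscription_ids
}

# Prod signal 2: the workspace naming convention, e.g. "app-prod-eastus".
is_prod_workspace = "prod" in strings.split(tfrun.workspace.name, "-")

# Either signal is enough to enforce the production rules.
is_prod = is_prod_workspace or is_prod_subscription

print("prod workspace:", is_prod_workspace, "prod subscription:", is_prod_subscription)

# VNets being created or updated in this plan.
changed_vnets = filter tfplan.resource_changes as _, rc {
    rc.type is "azurerm_virtual_network" and
    rc.mode is "managed" and
    (rc.change.actions contains "create" or rc.change.actions is ["update"])
}

# Production VNets must carry an enabled DDoS protection plan block.
main = rule when is_prod {
    all changed_vnets as _, vnet {
        length(vnet.change.after.ddos_protection_plan) > 0 and
        all vnet.change.after.ddos_protection_plan as plan {
            plan.enable is true
        }
    }
}
```

If the subscription display name is genuinely needed, the cleanest route is to pass it in explicitly (for example as a Terraform variable readable through `tfrun.variables`) rather than trying to recover it from IDs.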