I’d like to check if all modules used in a current Terraform Cloud workspace are also in use by another workspace. The goal is to ensure that no modules can be deployed to “production” without first being deployed to “staging”.
Is it possible to write such a policy using Sentinel? I couldn’t find any way to do such cross-workspace checks.
It really depends on your workflow. Sentinel has an HTTP import which you can use to make a call to an API endpoint and use the response as a dynamic data input within your policy.
Theoretically, you could make a call to the Terraform API and retrieve the JSON execution plan from the staging workspace but you would need to know the workspace id for staging. I would not recommend this though as the response is a redirect and it may be overly complex.
Have you considered writing a policy that just checks and validates the module version?
Essentially you would create an allow list that contains all semantic versions that are supported in production and staging and perform a version check during the planning stage to make sure that the in-use version is valid?
Here is an example policy that may help. It’s not the exact use case I have mentioned but it shows how you can use the tfconfig/v2 to check module configuration.
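The version allow-list approach the reply describes, as an added example that is not the reply's own policy: a Sentinel policy built on tfconfig/v2 that rejects any module call whose source or pinned version is not on a list of versions already applied in staging. The module sources and versions in the allow list are constructed placeholders.

```sentinel
import "tfconfig/v2" as tfconfig
import "strings"

# Constructed allow list for this example: module source -> versions that have
# already been applied in the staging workspace. Exact pins only, so a range
# constraint cannot resolve to a version staging has never run.
allowed_module_versions = {
	"app.terraform.io/example-org/network/aws": ["1.2.0", "1.3.1"],
	"app.terraform.io/example-org/compute/aws": ["2.0.0"],
}

# Reduce a constraint such as "= 1.2.0" or " 1.2.0 " to "1.2.0". Anything that
# is not an exact pin (">= 1.0", "~> 1.2") is left as-is and therefore rejected.
pinned_version = func(constraint) {
	if constraint is null {
		return ""
	}
	v = strings.trim_space(constraint)
	if strings.has_prefix(v, "=") {
		v = strings.trim_space(strings.trim_prefix(v, "="))
	}
	return v
}

# True only when the module source is known and its pinned version is listed.
is_allowed = func(mc) {
	if not (mc.source in keys(allowed_module_versions)) {
		return false
	}
	return pinned_version(mc.version_constraint) in allowed_module_versions[mc.source]
}

# tfconfig.module_calls covers module blocks in the root and all child modules.
violations = filter tfconfig.module_calls as address, mc {
	not is_allowed(mc)
}

# Name each offender so the run output explains why the policy failed.
for violations as address, mc {
	print("module", address, "uses", mc.source, "version",
		mc.version_constraint, "which is not on the staging allow list")
}

main = rule {
	length(violations) is 0
}
```

Because tfconfig/v2 exposes the version constraint rather than the resolved version, the policy only accepts exact pins; keeping the allow list in sync with what staging has applied is an operational step outside Sentinel.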