Sentinel Policy Advice - Merge multiple rules in one policy or 1 rule per policy?

I was wondering what is the recommended way of writing a sentinel policy in Terraform.

As an example, we have a policy that says

  1. AWS Security Rule must have a description
  2. AWS Security Rule must not allow port 22 from 0.0.0.0/0

I am currently leaning towards doing Rule 1 and Rule 2 in separate Sentinel policies

  • It is easier to identify which policy the Terraform plan has failed on
  • It is readable for auditors to identify which rules have been covered in Sentinel, as each policy is directly mapped to a rule item

But at the same time my concerns are

  • Would the policy checks be slower in TFE? Since each policy loops through a list of TF resources, every new policy I add is another loop that Sentinel has to go through?

So my main question is should I be concerned about performance with Sentinel + Terraform and actually merge my policies to minimize the amount of looping required?
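As an added illustration of the two rules above (this is example code written for this thread, not a policy from the original poster or from HashiCorp), the following Sentinel policy puts both checks in one file but keeps each as a separately named rule. It assumes the `tfplan/v2` import, the `aws_security_group_rule` resource type, and the attribute names Terraform exposes for it (`description`, `type`, `protocol`, `from_port`, `to_port`, `cidr_blocks`); the single plan pass filters the resource list once, and each named rule is evaluated and reported individually, so a failure still identifies which requirement was not met even though the two rules share one policy.

```sentinel
# Example policy (added for illustration, not the thread's own code):
# both security-group-rule checks in one policy, each as a named rule.
# Assumes the tfplan/v2 import and the aws_security_group_rule resource schema.
import "tfplan/v2" as tfplan

# Collect every managed aws_security_group_rule that the plan will create or
# update. Filtering once here means neither rule below re-walks the whole plan.
sg_rules = filter tfplan.resource_changes as _, rc {
	rc.type is "aws_security_group_rule" and
	rc.mode is "managed" and
	(rc.change.actions contains "create" or rc.change.actions contains "update")
}

# Rule 1: every security group rule must carry a non-empty description.
has_description = rule {
	all sg_rules as _, rc {
		rc.change.after.description is not null and
		rc.change.after.description is not ""
	}
}

# Helper: true when a single rule's port range covers TCP/22 (or all ports).
covers_ssh = func(after) {
	if after.protocol is "-1" {
		return true
	}
	return after.from_port is not null and after.to_port is not null and
		after.from_port <= 22 and after.to_port >= 22
}

# Rule 2: no ingress rule may expose port 22 to 0.0.0.0/0.
no_public_ssh = rule {
	all sg_rules as _, rc {
		not (
			rc.change.after.type is "ingress" and
			covers_ssh(rc.change.after) and
			rc.change.after.cidr_blocks is not null and
			rc.change.after.cidr_blocks contains "0.0.0.0/0"
		)
	}
}

# main combines the named rules; each one's pass/fail result is reported
# separately in the policy check output, which is what makes a merged
# policy still auditable per requirement.
main = rule {
	has_description and no_public_ssh
}
```

If the one-rule-per-policy layout is preferred instead, each of the two named rules above becomes its own file with `main = rule { has_description }` or `main = rule { no_public_ssh }`; the filter block is simply duplicated, which is the extra pass over the resource list the question asks about.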

I’ve found the policy checks to be quite fast. I think separating them would be fine and be easier to manage with the new VCS workflow. Either way should be fine but keeping them separate would help maintainability.

Do you have a very large state? If that’s the case it would potentially slow down other operations and you might want to break up your config into separate workspaces.