I was wondering what the recommended way of writing a Sentinel policy for Terraform is.
As an example, we have a policy that says
- AWS Security Rule must have a description
- AWS Security Rule must not allow port 22 from 0.0.0.0/0
I am currently leaning towards doing Rule 1 and Rule 2 in separate Sentinel policies:
- It is easier to identify which policy the Terraform plan has failed on
- It is readable for auditors to identify which rules have been covered in Sentinel, as each policy is directly mapped to a rule item
But at the same time my concerns are:
- Would the policy checks be slower in TFE? Since each policy loops through a list of TF resources, every new policy I add is another loop that Sentinel has to go through.
So my main question is: should I be concerned about performance with Sentinel + Terraform, and should I actually merge my policies to minimize the amount of looping required?
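For reference, here is what the two rules from the question look like as Sentinel code, written as an added example rather than anything from the original post. It assumes "AWS Security Rule" means the `aws_security_group_rule` resource (inline `ingress` blocks on `aws_security_group` are not covered), and it is written against the `tfplan/v2` import's `resource_changes` collection. The helper name `allows_ssh_from_world` and the rule names are my own.

```sentinel
# Added example: two security-group-rule checks against the tfplan/v2 import.
# Assumes the resource under review is aws_security_group_rule; inline ingress
# blocks on aws_security_group are not inspected here.
import "tfplan/v2" as tfplan

# Only rules this plan creates or updates (deleted or unchanged ones are skipped).
sg_rules = filter tfplan.resource_changes as _, rc {
	rc.type is "aws_security_group_rule" and
	rc.mode is "managed" and
	(rc.change.actions contains "create" or rc.change.actions contains "update")
}

# Rule 1: every security group rule must carry a non-empty description.
# "else" turns a missing attribute (undefined) into "" so the comparison is defined.
has_description = rule {
	all sg_rules as _, rc {
		(rc.change.after.description else "") is not ""
	}
}

# Does one rule open TCP/22 to the world? Handles protocol "-1" (all traffic,
# where from_port/to_port are 0) as well as an explicit port range containing 22.
allows_ssh_from_world = func(after) {
	ingress = after.type is "ingress"
	world = "0.0.0.0/0" in (after.cidr_blocks else [])
	all_ports = after.protocol is "-1"
	covers_22 = (after.from_port else 0) <= 22 and (after.to_port else 0) >= 22
	return ingress and world and (all_ports or covers_22)
}

# Rule 2: no ingress rule may allow port 22 from 0.0.0.0/0.
no_ssh_from_world = rule {
	all sg_rules as _, rc {
		not allows_ssh_from_world(rc.change.after)
	}
}

# Merged form: one policy that fails if either rule fails. For the
# one-policy-per-rule layout, keep just one of the rules above in each
# file and point main at it.
main = rule {
	has_description and
	no_ssh_from_world
}
```

Whether merged or split, the `filter` over `resource_changes` is the only pass over the plan that each policy file makes; splitting into two files means that filter runs once per file, which is the "one loop per policy" the question describes. Note the `protocol is "-1"` branch: a plain `from_port <= 22 and to_port >= 22` check misses all-traffic rules because their ports are reported as 0.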