Whitelist or blacklist resources within a provider

Is there a way we can block developers from using a resource within a given provider?
For example, I don’t want to allow the use of the xray_violations_report resource within the xray provider.

Terraform does not provide any way to do this.

HashiCorp’s Sentinel policy language in their paid-for Terraform Enterprise/Cloud products seems like it might offer this capability, but I do not have experience with doing that.

As @maxb noted, this sort of policy checking is outside of the scope of the core Terraform language.

If you want to do it then you’d need to do it in an orchestration layer that runs Terraform in a controlled environment where developers therefore can’t just disable the check by removing the rule from the configuration.

The flow for doing this is broadly the same as for Running Terraform in Automation – specifically the Automated Terraform CLI Workflow section, except that in step 3 along with “Have a human operator review that plan, to ensure it is acceptable” you also have some software of your own design perform automatic checks for policy concerns like the one you’ve described here.

The text on that page at the time I’m writing this describes Terraform CLI commands to run for steps 1, 2, and 4 but doesn’t say much about step 3 because it assumes a human is responsible for that step. You can wholly or partially automate step 3 by running terraform show -json tfplan to obtain a JSON description of the plan and passing that JSON document to your program that enforces whatever policy decisions you like.

Terraform Cloud has built-in Policy Enforcement features, which are built on the same principle I described above but with the orchestration parts pre-defined within Terraform Cloud so that you only need to describe the desired policies using either HashiCorp’s Sentinel language or Open Policy Agent policies written in Rego, and then Terraform Cloud will automatically evaluate the policy after completing the plan step.
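One way to build the step-3 check described above, as an added example that is not part of the original thread or of any HashiCorp tooling: a small Python program that reads the output of terraform show -json tfplan and fails when the plan would leave a resource of a denied type in place. The blocklist and the embedded sample plan are constructed for illustration; only the field names (resource_changes, address, type, change.actions) come from the real plan JSON format. Run it in the orchestration layer, never from the developer’s own checkout, so removing a rule from the configuration cannot bypass it.

```python
"""Policy check over `terraform show -json tfplan` output.

Added example: denies a plan that would create, update or keep any
resource whose type is on a blocklist (here xray_violations_report from
the xray provider, the case raised in the question). The plan document
below is constructed by hand to exercise the check and is not real output.
"""
import json
import sys

# Resource types developers may not use (hypothetical policy input).
DENIED_TYPES = {"xray_violations_report"}

# Constructed sample plan, trimmed to the fields the check reads. Real output
# from `terraform show -json tfplan` carries many more fields per change.
SAMPLE_PLAN = json.dumps({
    "format_version": "1.2",
    "resource_changes": [
        {"address": "xray_watch.main", "mode": "managed", "type": "xray_watch",
         "provider_name": "registry.terraform.io/jfrog/xray",
         "change": {"actions": ["create"]}},
        {"address": "xray_violations_report.weekly", "mode": "managed",
         "type": "xray_violations_report",
         "provider_name": "registry.terraform.io/jfrog/xray",
         "change": {"actions": ["create"]}},
        {"address": "module.legacy.xray_violations_report.old", "mode": "managed",
         "type": "xray_violations_report",
         "provider_name": "registry.terraform.io/jfrog/xray",
         "change": {"actions": ["delete"]}},
    ],
})


def find_violations(plan_json: str, denied_types=DENIED_TYPES):
    """Return the addresses of planned resources whose type is denied.

    A change whose only action is "delete" is allowed, so a forbidden
    resource that already exists can still be removed. Every other action
    set (create, update, no-op, replace, read for data sources) means the
    denied type would still be present after apply and is reported.
    """
    plan = json.loads(plan_json)
    violations = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") not in denied_types:
            continue
        actions = set(rc.get("change", {}).get("actions", []))
        if actions != {"delete"}:
            violations.append(rc["address"])
    return violations


def main():
    # Usage in the pipeline: terraform show -json tfplan | python check_plan.py
    # With no plan on stdin the constructed sample is checked instead.
    piped = "" if sys.stdin.isatty() else sys.stdin.read()
    violations = find_violations(piped or SAMPLE_PLAN)
    for address in violations:
        print(f"DENY {address}: resource type not permitted by policy")
    # Non-zero exit makes the orchestration layer stop before step 4 (apply).
    return 1 if violations else 0


if __name__ == "__main__":
    sys.exit(main())
```

Against the sample plan the check reports only xray_violations_report.weekly: the xray_watch resource is not on the blocklist, and the module.legacy resource is being destroyed, which the policy permits. The same structure extends to other rules (denied providers, required tags) by inspecting provider_name or change.after in the same loop.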