Introduction
When managing large numbers of workspaces, there are times when it makes sense to run a given policy only against a subset of them, for example because some workspaces manage resources that the policy's checks are not compatible with.
Procedure
Update 04/04/23:
Thanks to recent updates in Sentinel, there are now several ways to implement exceptions either through static JSON or parameter values (per policy). For further information, see this announcement:
https://www.hashicorp.com/blog/devex-improvements-in-hashicorp-sentinel
While there is no builtin way to exclude specific workspaces from Sentinel checks, it is possible to accomplish the same thing by using the tfrun import to compare the name of the workspace in the current run against a list of excluded workspaces.
Consider the following example:
import "strings"
import "tfrun"

# List of workspaces that Sentinel policies are not supposed to operate on
workspaces_to_exclude = ["sentinel-example", "sentinel-example-2"]

# Get the name of the workspace in the current run
workspace_name = tfrun.workspace.name

# Evaluated only for workspaces that are not in the exclusion list;
# for excluded workspaces a "rule when" whose condition is false is true
sentinel_eval = rule when workspace_name not in workspaces_to_exclude {
    # Here you would insert the logic to run against non-excluded workspaces
    print("Workspace not in excluded list")
}

# Evaluated only for workspaces that are in the exclusion list
excluded_workspace_eval = rule when workspace_name in workspaces_to_exclude {
    print("Workspace in excluded list")
}

main = rule {
    sentinel_eval and excluded_workspace_eval
}
Please note that writing code for customers is outside the scope of Support, and this example isn't formally supported, it is provided strictly as a proof of concept and should be tested thoroughly prior to any implementation in your environment.
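The following is an added example that is not part of the original article and not HashiCorp-supported code. It combines the workspace exclusion pattern above with a real check from the tfplan/v2 import (every managed aws_instance being created or updated must carry an "owner" tag) and takes the exclusion list from a Sentinel parameter so it can be overridden per policy set instead of being edited in the policy file. The parameter name, the resource type and the tag name are assumptions chosen for illustration.

```sentinel
# Added example, not from the original article. Assumptions: the parameter
# name "workspaces_to_exclude", the aws_instance resource type and the
# "owner" tag are illustrative choices.
import "tfplan/v2" as tfplan
import "tfrun"

# Workspaces exempt from this policy. The default applies unless the
# policy set supplies a value for the parameter of the same name.
param workspaces_to_exclude default ["sentinel-example", "sentinel-example-2"]

workspace_name = tfrun.workspace.name
workspace_is_excluded = workspace_name in workspaces_to_exclude

# Managed aws_instance resources that this plan will create or update.
instances = filter tfplan.resource_changes as _, rc {
    rc.mode is "managed" and
    rc.type is "aws_instance" and
    (rc.change.actions contains "create" or rc.change.actions contains "update")
}

# True when the planned configuration carries an "owner" tag.
# "else {}" covers a missing tags attribute; the null check covers tags = null.
has_owner_tag = func(rc) {
    tags = rc.change.after.tags else {}
    if tags is null {
        return false
    }
    return tags contains "owner"
}

instances_missing_owner = filter instances as _, rc {
    not has_owner_tag(rc)
}

# The real check. Because of "when", it is only evaluated for workspaces
# that are not in the exclusion list; for excluded workspaces it is true.
owner_tag_required = rule when not workspace_is_excluded {
    length(instances_missing_owner) is 0
}

main = rule {
    owner_tag_required
}
```

Note that for an excluded workspace the policy still runs and reports a pass rather than being skipped, so it will show up in the run's policy results; the exclusion only suppresses the check itself.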
Additional Information
- https://discuss.hashicorp.com/t/enable-disable-sentinel-policies-based-on-environment/19642/3