How to Exclude Specific Workspaces from Sentinel Policy Runs
Introduction
When managing many workspaces in HCP Terraform or Terraform Enterprise, you may need to apply certain Sentinel policies only to a specific subset of workspaces for compatibility or logistical reasons. This article outlines two approaches to exclude specific workspaces from policy checks.
Approaches
Approach 1: Using Sentinel Parameters (Recommended)
Recent updates to Sentinel allow you to define parameters for a policy, which you can set within the HCP Terraform or Terraform Enterprise UI. This approach is the most flexible and is recommended for managing exceptions.
You can define a parameter that accepts a list of workspace names to exclude. The policy can then reference this parameter to determine if it should be enforced for the current run.
For more details on this method, refer to the HashiCorp blog post on DevEx improvements in HashiCorp Sentinel.
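The following Sentinel policy is an added example of Approach 1 (it is not from the original article or the HashiCorp blog post). It assumes the policy is attached to a policy set where the workspaces_to_exclude parameter can be overridden in the UI; the default list and workspace names are constructed placeholders.

```sentinel
import "tfrun"

# Parameter holding the workspaces that are exempt from this policy.
# The default list is a constructed example; the real value is set on
# the policy set in the HCP Terraform / Terraform Enterprise UI and
# overrides this default at run time.
param workspaces_to_exclude default ["sentinel-example", "sentinel-example-2"]

# Name of the workspace the current run belongs to.
workspace_name = tfrun.workspace.name
is_excluded = workspace_name in workspaces_to_exclude

# Placeholder for the real policy logic. print() always returns true,
# so "print(...) and <expr>" keeps the rule body a single expression.
policy_logic = rule {
    print("Evaluating policy for workspace:", workspace_name) and true
}

# The "when" clause skips the rule body for excluded workspaces; a rule
# whose "when" condition is false evaluates to true (the policy passes).
main = rule when not is_excluded {
    policy_logic
}
```

Because the exclusion list lives in a parameter, adding or removing an exception is a UI change to the policy set rather than a new version of the policy source.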
Approach 2: Using a Static Exclusion List
As an alternative, you can hard-code a list of workspace names directly within your Sentinel policy. This approach uses the tfrun import to check the current workspace's name against the static list.
The following example demonstrates a clear and maintainable way to implement this logic.
import "tfrun"

# Define the list of workspaces to exclude from this policy.
workspaces_to_exclude = ["sentinel-example", "sentinel-example-2"]

# Get the name of the current workspace and check if it is in the exclusion list.
workspace_name = tfrun.workspace.name
is_excluded = workspace_name in workspaces_to_exclude

# This rule contains the actual policy logic you want to enforce.
# It is only meaningful for workspaces NOT in the exclusion list.
# A rule body must be a single boolean expression; print() always
# returns true, so it can be combined with the real check using "and".
policy_logic = rule {
    # Your actual policy logic goes here.
    # For this example, we will just use `true`.
    print("Policy logic is being evaluated for an included workspace.") and true
}

# The main rule passes if the workspace is excluded, or if the policy logic passes.
main = rule {
    is_excluded or policy_logic
}

Note: The example code is provided as a proof of concept. You should test it thoroughly before implementing it in a production environment.