
confluentinc/policy-library-confluent-terraform


Confluent Sentinel Policies for Terraform

This library provides prescriptive Sentinel policies that can be used to establish well-managed Terraform configuration for Confluent resources. Terraform Cloud/Enterprise users can use the policies in this library to establish an initial policy-as-code framework as they onboard new and additional use cases in Confluent.

The policies primarily cover resources created and managed by the Confluent Terraform Provider.

NOTE:

This Policy Library is not an exhaustive list of all possible policies for Confluent Cloud configuration. If you have questions, comments, or have identified ways for us to improve this library, please create a new GitHub issue.

We also welcome any contributions that improve the quality of this library! To learn more about contributing and suggesting changes to this library, refer to the contributing guide.

Policies included

  • All new API Keys should be owned by Service Accounts, not Users (docs | code)
  • API Keys should have a valid name (docs | code)
  • Only approved RBAC Roles may be assigned (docs | code)
  • Only approved resources may be provisioned (docs | code)
  • New clusters should only be created in specified cloud providers (docs | code)
  • New clusters should only be created in specified cloud regions (docs | code)
  • Only specified Connectors may be provisioned (docs | code)
  • All new Service Accounts should have a valid and descriptive name (docs | code)
  • Topics should have a partition count in a specified range (docs | code)
  • Topics should have a retention.ms of a specified range (docs | code)
  • Topics should have a retention.bytes of a specified range (docs | code)
  • Topic names should follow an appropriate standard (docs | code)
  • Brokers may not create topics automatically (auto.create.topics.enable should be false) (docs | code)
  • Prevent the creation of Dedicated clusters; only Basic or Standard clusters are allowed (docs | code)
  • Prevent the deletion of topics (docs | code)
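To show the shape such a policy takes, here is an added Sentinel policy for the first item in the list (API keys must be owned by Service Accounts, not Users). It is example code written for this page, not a policy from the library, and it assumes the Confluent provider's `confluent_api_key` resource exposes its `owner` block with a `kind` attribute of either `ServiceAccount` or `User`, which is how the policy decides; the parameter name `allowed_owner_kinds` is an assumption as well.

```sentinel
# Example policy (not part of this library): every API key that a plan
# creates or updates must be owned by a Service Account.
import "tfplan/v2" as tfplan

# Assumed parameter name; lets a policy set override the allowed kinds.
param allowed_owner_kinds default ["ServiceAccount"]

# Collect only managed confluent_api_key resources that the plan will
# create or update. Deletions carry no "after" state and are skipped.
api_keys = filter tfplan.resource_changes as _, rc {
    rc.type is "confluent_api_key" and
    rc.mode is "managed" and
    (rc.change.actions contains "create" or
     rc.change.actions contains "update")
}

# The owner block is a nested block, so tfplan exposes it as a list;
# an absent or unknown kind is treated as a violation rather than ignored.
violations = filter api_keys as _, rc {
    (rc.change.after.owner[0].kind else "unknown") not in allowed_owner_kinds
}

# Surface each offending address in the Sentinel run log so the author
# knows which resource to fix.
for violations as address, rc {
    print("API key", address, "is owned by kind",
          rc.change.after.owner[0].kind else "unknown",
          "; allowed kinds:", allowed_owner_kinds)
}

main = rule {
    length(violations) is 0
}
```

Attach the policy to a policy set with `enforcement_level = "hard-mandatory"` in `sentinel.hcl` if keys owned by user principals should block the run rather than merely warn.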