Some Sentinel policies were introduced to forbid managing production access from non-production Terraform (TF) workspaces and GCP projects. In other words, production users must not be managed from any workspace (WS) that belongs to a non-production deployment.

The configuration can be found in devops/terraform/tf-dispatcher/20_environments.tf.

Some comments on the current and future implementation:

Note that, at the time of writing this doc (01.12.2022), the policies are more of a proof of concept (PoC): they have only been tested to the extent that the forbidden resources cannot actually be created, and nothing more.
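To illustrate the rule described above, here is an added example of a Sentinel policy (written for this doc, not the policy code in 20_environments.tf) that denies a plan when a non-production workspace changes IAM resources of a production GCP project. The workspace and project naming convention (a `prod-` prefix for both), the chosen resource types and the use of the `tfplan/v2` and `tfrun` imports are assumptions made for the example.

```sentinel
import "tfplan/v2" as tfplan
import "tfrun"
import "strings"

# Assumption for this example: production GCP projects and production
# workspaces both carry a "prod-" name prefix.
prod_project_prefixes = ["prod-"]
prod_workspace_prefix = "prod-"

# GCP resource types that grant or manage access on a project.
iam_types = [
  "google_project_iam_member",
  "google_project_iam_binding",
  "google_project_iam_policy",
]

# Project targeted by a resource change; on delete only "before" is populated.
target_project = func(rc) {
  change = rc.change.after
  if change is null {
    change = rc.change.before
  }
  if change is null or not ("project" in keys(change)) {
    return ""
  }
  return change.project
}

is_prod_project = func(project) {
  for prod_project_prefixes as p {
    if strings.has_prefix(project, p) {
      return true
    }
  }
  return false
}

# Planned create/update/delete of IAM resources that point at a production project.
prod_iam_changes = filter tfplan.resource_changes as _, rc {
  rc.mode is "managed" and
  rc.type in iam_types and
  (rc.change.actions contains "create" or
   rc.change.actions contains "update" or
   rc.change.actions contains "delete") and
  is_prod_project(target_project(rc))
}

workspace_is_prod = strings.has_prefix(tfrun.workspace.name, prod_workspace_prefix)

# Pass only if the workspace is production or it touches no production IAM at all.
main = rule {
  workspace_is_prod or length(prod_iam_changes) is 0
}
```

Printing `keys(prod_iam_changes)` before `main` would list the offending resource addresses in the run's policy output, which is useful when extending the PoC beyond a bare pass/fail.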