A team uses Terraform with remote state stored in a GCS bucket. They are implementing policy as code using Conftest to validate Terraform plans before apply. The Conftest checks run in a CI/CD pipeline. Which approach ensures that Conftest policies are enforced consistently across all Terraform workspaces?
A centralized policy repository ensures all workspaces use the same up-to-date policies.
Why this answer
Conftest uses Rego policies. To enforce them consistently, the policies should be version-controlled in a separate repository, and the CI/CD pipeline should fetch the latest policy bundle before running tests. Using a centralized policy repo ensures all workspaces are checked against the same rules.