Announcing HashiCorp Sentinel 0.16
Sentinel 0.16 unifies the policy authoring workflow by including HCL support and expanding the standard imports.
Today, we are pleased to announce the release of Sentinel 0.16. The release of 0.16 introduces several feature enhancements that improve the development experience. Recent additions include a standardized policy configuration syntax, the ability to manage policies from a central source, as well as a new import in the Sentinel standard library.
» HCL Configuration Format
The Sentinel CLI configuration file can now be defined using the HCL format. HCL has previously only been available to supply configurations in the form of Policy Sets for Terraform Cloud. This improvement brings Sentinel in-line with other HashiCorp products by allowing the configuration of sentinel apply
and the test configuration of sentinel test
to now use the HCL syntax.
For more information and examples on the new syntax format, see the configuration file documentation.
» Policy Sets
Policy block definitions can also take advantage of the HCL configuration update. This feature was already available within Terraform Cloud, and this release adds support within the Sentinel CLI. An example policy definition is as follows:
policy "terraform-maintenance-windows" {
source = "./terraform-maintenance-windows.sentinel"
enforcement_level = "hard-mandatory"
}
Previously, as part of the development process, policy authors were required to execute local policies one at a time using the sentinel apply
command. This workflow was fine when developing a single policy file, but became pretty unwieldy when applied to an ever-increasing library of policies.
With the addition of the policies configuration block, sentinel apply
will now evaluate all policies within a configuration file automatically. This is achieved by, running sentinel apply
without a policy argument within the working directory of your Sentinel configuration file.
$ sentinel apply
Pass - terraform-maintenance-windows.sentinel
For further details on defining a policy, see the policy configuration documentation.
» Remote Sources
To finish up the list of additions to Sentinel in 0.16 is the support for defining remotely sourced policies and modules. This allows for Sentinel files to be shared and encourages code reuse.
» Definition
To add a remote source, simply supply a URL to the source
attribute on either a policy or module definition, ensuring it meets the remote sources guidelines. An example of fetching a policy from a git repository is found below:
policy "remote-policy" {
source = "git::https://github.com/hashicorp/example.git//remote-policy.sentinel"
enforcement_level = "hard-mandatory"
}
Policies and modules, as well as modules within a test configuration, can all be defined with a remote source. When sentinel apply
is run, policies and modules will be fetched and available to the runtime. When sentinel test
is run, test modules will be downloaded and available for test cases to utilize.
» Apply Command
To simplify evaluation of a remote policy, sentinel apply
can now evaluate policy based on its key within a configuration. For example, the above policy "remote-policy"
block defines a remote policy with the key, remote-policy
. To evaluate this policy, simply run sentinel apply remote-policy
ensuring continued use of existing flags.
This is only a brief overview of the support for remote sources. Be sure to check out both the documentation for the new init command, and the remote source guidelines.
» Semantic Version Import
As part of the 0.16 release, we are also including a new version
import in the Sentinel standard import library. This import provides policy authors with the ability to parse versions and version constraints, and supports both arbitrary versions and versions that follow the semver.org specification.
Previously the handling of versions was achieved through some form of string manipulation via the strings
import and casting values to an int:
import "tfplan/v2" as tfplan
import "strings"
v = strings.split(tfplan.terraform_version, ".")
version_minor = int(v[1])
version_patch = int(v[2])
main = rule {
version_minor is 12 and version_patch >= 19
}
With the addition of the version
import, versions are parsed and values handled accordingly:
import "tfplan/v2" as tfplan
import "version"
v = version.new(tfplan.terraform_version)
main = rule {
v.minor == 12 and v.patch >= 19
}
For more information and examples, see the version import documentation.
» Available Now
The latest release of Sentinel includes several feature additions and the alignment with existing integrations make the process of authoring, mocking, and testing Sentinel policies seamless for engineers. Get started now by downloading the latest version of the Sentinel CLI from the Sentinel download page.
For more information on Sentinel language and specification, visit the Sentinel documentation page. If you would like to engage with the community to discuss information related to Sentinel use cases and best practices, visit the HashiCorp Community Forum.
Sign up for the latest HashiCorp news
More blog posts like this one
New Terraform integrations with Crowdstrike, Datadog, JFrog, Red Hat, and more
12 new Terraform integrations from 9 partners provide more options to automate and secure cloud infrastructure management.
Terraform delivers launch-day support for Amazon S3 Tables, EKS Hybrid Nodes, and more at re:Invent
The Terraform provider for AWS now enables users to manage a variety of new services just announced at re:Invent.
HashiCorp at re:Invent 2024: Infrastructure Lifecycle Management with AWS
A recap of HashiCorp infrastructure news and developments on AWS from the past year, from a new provider launch to simplifying infrastructure provisioning and more.