Announcing the Sentinel Playground
Sentinel is a policy as code framework that is embedded into the enterprise versions of HashiCorp Consul, Nomad, Terraform, and Vault. Sentinel enables DevOps teams to apply fine-grained, logic-based policy controls against their most critical services.
Today, the Sentinel team is pleased to announce the release of the Sentinel Playground.
We have built the Playground so that new and existing customers have access to a zero-install development environment. Now, practitioners can learn and experiment with policy as code in minutes without having to install and maintain runtime environments on their own machines.
The Sentinel Playground is useful for policy as code users of all skill levels:
- For beginners, it includes a real-world policy example out of the box, which provides a great starting point. We’ve also stripped back the contents of the mock data to make the learning process a little simpler.
- Seasoned Sentinel policy authors can use it to quickly prototype functions and rules by bringing their own policies and mock data.
» Sentinel Playground
When accessing the Sentinel Playground, you are presented with an example policy definition and all relevant mock data required to successfully evaluate the rules within the policy. As your ability to author policies improves, you can start including more advanced logic-based checks such as those found in the Terraform Foundational Policies Library.
» Hello World!
The Playground comes with an out-of-box policy but you are not limited to using only this policy. You have the freedom to delete all policy contents (including mock data) and start from scratch. This is really useful when you are just trying to familiarize yourself with the Sentinel language and specification.
In the above example we have deleted unused mock data and replaced the contents of the policy.sentinel
with the following:
print("Hello World!")
main = true
The print function is commonly used to output useful information when debugging policies that may not be behaving in an expected manner.
» Hello Parameters!
The Playground also has first-class support for Sentinel parameters. These help facilitate policy reuse and ensure sensitive values are not hard-coded in a policy.
In the above example, we are parameterizing our “Hello World!” policy.sentinel
so that we can dynamically greet an individual by name:
param name
print("Hello", name)
main = true
If you would like to explore Sentinel parameters in more detail, you can do so by referring to the parameters documentation.
» Mock Data
Sentinel has a built-in test framework to validate that a policy behaves as expected. The process of mimicking a production environment is achieved by providing global data and/or imports in the form of a mock. The Sentinel Playground provides the ability to add several mocks so that you can test multiple imports at once.
In the above example, we are adding mock data for the tfrun
import so that we can mimic the provisioning operation that is taking place in Terraform Cloud. We do so by adding a mock called tfrun
which contains the following:
created_at = "2020-08-01T01:48:37.081Z"
message = "Queued manually in Terraform Cloud"
speculative = false
is_destroy = false
variables = {}
organization = {
"name": "HashiCorp",
}
workspace = {
"auto_apply": false,
"created_at": "2020-08-01T01:48:37.081Z",
"description": null,
"name": "demo-workspace",
"vcs_repo": {
"branch": "demo",
"display_identifier": "hashicorp/demo-workspace",
"identifier": "hashicorp/demo-workspace",
"ingress_submodules": false,
},
"working_directory": "",
}
By amending the imports section of our policy.sentinel
to include the following:
import "tfrun"
import "tfplan/v2" as tfplan
And updating main
as follows:
main = rule {
aws_s3_bucket_acl_is_private and
tfrun.is_destroy is false
}
We now have the ability to ensure that Terraform Cloud will not perform a destroy operation.
» Available Now
The release of the Sentinel Playground focuses on delivering a core feature set and a single policy example for AWS. In future releases, the Terraform governance team will expand the policies to include Azure and GCP services as well as the ability to share and collaborate with others.
What would you like to see included in the Sentinel Playground? Do you have thoughts on how best to collaborate on policies? If so, please get in touch. We are currently in the early stages of development and are open to any ideas that you may have.
For more information on Sentinel language and specification, visit the Sentinel documentation page. If you would like to engage with the community to discuss information related to Sentinel use cases and best practices, visit the HashiCorp Community Forum.
Sign up for the latest HashiCorp news
More blog posts like this one
Vault integrations with MongoDB, Private Machines, and walt.id strengthen customer security
Three new HashiCorp Vault ecosystem integrations extend security use cases for customers.
New Terraform integrations with Crowdstrike, Datadog, JFrog, Red Hat, and more
12 new Terraform integrations from 9 partners provide more options to automate and secure cloud infrastructure management.
Terraform delivers launch-day support for Amazon S3 Tables, EKS Hybrid Nodes, and more at re:Invent
The Terraform provider for AWS now enables users to manage a variety of new services just announced at re:Invent.