Writing and Testing Sentinel Policies for Terraform Enterprise
We are excited to announce the publication of a new Writing and Testing Sentinel Policies for Terraform Enterprise Guide to our Resource Library. This comprehensive guide teaches you how to write and test governance policies that restrict the infrastructure provisioned by Terraform Enterprise. The guide includes many examples (for AWS, Google, and Azure) and five exercises that are carefully matched to the sections of the guide that precede them.
»Sentinel
HashiCorp’s Sentinel is a language and framework that implements Policy as Code with fine-grained, logic-based policy decisions just as HashiCorp’s Terraform implements Infrastructure as Code. Terraform Enterprise (TFE) enforces Sentinel policies between the plan and apply stages of runs, ensuring that resources can only be created or modified if all policies checked against them pass or are overridden by authorized users. Using Sentinel policies is much more reliable than using policy spreadsheets since the policies are codified and executed as part of your provisioning pipeline.
»Sentinel Concepts
The following useful Sentinel concepts are covered in the guide: rules, for loops, any/all expressions, set operators, comparison operators, logical operators, the matches operator (which does regex comparisons), the else operator (which avoids undefined expressions), the built-in length function, the strings import, and the types import.
The guide also shows you how to use the Sentinel print function to debug errors in Sentinel policies as you are writing and testing them.
»Methodology for Writing and Testing Policies
There are three primary types of Sentinel policies in Terraform Enterprise, corresponding to the three types of Sentinel imports: tfplan, tfstate, and tfconfig. The guide includes a basic four-step methodology for restricting the attributes of Terraform resources with the tfplan import.
The four steps of the methodology are:
- Create Terraform configurations (code) that create instances of the resource you want to restrict with the TFE Sentinel policy you will write.
- Create TFE workspaces that use your Terraform configurations.
- Create a new TFE Sentinel policy that restricts specific resource attributes.
- Test your Sentinel policy against your workspaces by triggering runs against them, either in the TFE UI or with the Terraform CLI.
»Testing with the Sentinel Simulator
The guide also shows you how to use the Sentinel Simulator to test your TFE Sentinel policies with TFE Sentinel mocks without actually running your Terraform code on a TFE server. The mocks give Sentinel data that simulate what an actual terraform plan would provide. There are three kinds of TFE Sentinel mocks, corresponding to the three TFE Sentinel imports. The guide gives an example of using the tfconfig mock.
»Conclusion
We are excited to share this guide with our users. For more on Sentinel see our docs and the Governance section of our terraform-guides repository.
Sign up for the latest HashiCorp news
More blog posts like this one
Which Terraform workflow should I use? VCS, CLI, or API?
Learn about the three levels of HCP Terraform run workflows and key considerations to guide your decision on when to use each approach.
Access Azure from HCP Terraform with OIDC federation
Securely access Azure from HCP Terraform using OIDC federation, eliminating the need to use long-lived credentials for authentication.
Enabling fast, safe migration to HCP Terraform with Terraform migrate (tf-migrate)
There’s a faster, safer way to migrate your infrastructure state files from Terraform Community Edition to HCP Terraform and Terraform Enterprise.