Using Sentinel for Terraform Validation

### When do Sentinel policies run? Where in a Terraform workspace is that described? Sentinel policies are executed during the "policy check" phase of a Terraform run within a Terraform Enterprise or Terraform Cloud workspace. The policy check phase occurs after the "plan" phase and before the "apply" phase. Here's a high-level overview of a Terraform run's lifecycle: 1. Queue run 2. Initialize working directory 3. Run plan 4. **Perform policy check (Sentinel policies)** 5. Confirm and apply 6. Finish run In a Terraform Enterprise or Terraform Cloud workspace, you can associate Sentinel policies with your workspaces using Policy Sets. Policy Sets can be either VCS-backed (Version Control System, like GitHub, GitLab, or Bitbucket) or uploaded directly through the web UI. To find Sentinel policies associated with a workspace, follow these steps: 1. Navigate to the main dashboard of your Terraform Enterprise or Terraform Cloud account. 2. Click on your workspace's name. 3. Click on the "Settings" tab. 4. Click on "Policies" in the left sidebar. 5. You will see a list of Policy Sets associated with your workspace. When you trigger a Terraform run (manually or via VCS), the Sentinel policies associated with the workspace will be evaluated during the policy check phase. If any policy fails and its enforcement mode is set to "hard-mandatory", the Terraform run will fail, and you won't be able to proceed to the "apply" phase. You can review the results of Sentinel policy checks by navigating to the "Runs" tab of your workspace, clicking on a specific run, and then clicking on the "Policy Check" tab. This will show you the results of each policy check and any violations that occurred. ### Can I manage the mapping of Sentinel policies via IAC rather than making edits in the TerraformEnterprise UI? Yes, you can manage the mapping of Sentinel policies to workspaces in Terraform Enterprise or Terraform Cloud using Infrastructure as Code (IAC) instead of making edits through the UI. To do this, you can use the ```tfe``` Terraform provider, which allows you to manage resources in Terraform Enterprise and Terraform Cloud programmatically. Here's an example of how you can create a policy set and associate it with a workspace using the ```tfe``` provider: 1. Install and configure the ```tfe``` provider: ```hcl { required_providers { tfe = { source = "hashicorp/tfe" version = "~> 0.27.0" } } } provider "tfe" { hostname = "app.terraform.io" # or your Terraform Enterprise hostname token = var.tfe_token } ``` Replace ```var.tfe_token``` with your Terraform Cloud or Terraform Enterprise API token. 2. Define a VCS-backed policy set and associate it with a workspace: ```hcl resource "tfe_organization" "example" { name = "example-org" email = "[email protected]" } resource "tfe_policy_set" "example" { name = "example-policy-set" description = "An example policy set" organization = tfe_organization.example.id # VCS settings for the policy set vcs_repo { identifier = "your-vcs-username/your-policy-repo" oauth_token_id = var.oauth_token_id } # Attach the policy set to a workspace workspace_ids = [tfe_workspace.example.id] } resource "tfe_workspace" "example" { name = "example-workspace" organization = tfe_organization.example.id } ``` Replace ```your-vcs-username/your-policy-repo``` with the VCS repository containing your Sentinel policies, and ```var.oauth_token_id``` with the VCS OAuth token ID used for authentication. This configuration will create an organization, a policy set, and a workspace in your Terraform Cloud or Terraform Enterprise account. The policy set will be associated with the workspace, and the Sentinel policies in the specified VCS repository will be applied to runs in that workspace. When using this approach, you can manage the mapping of Sentinel policies and their association with workspaces entirely through IAC, avoiding the need to make changes in the UI. For more information on using the ```tfe``` provider, refer to the official documentation: [https://registry.terraform.io/providers/hashicorp/tfe/latest/docs](https://registry.terraform.io/providers/hashicorp/tfe/latest/docs) ### Are sentinel policies python? No, Sentinel policies are not Python. They are written in the Sentinel language, which is a custom language developed by HashiCorp specifically for policy as code. Sentinel is designed to be easily readable and expressive, with a syntax resembling Python, HCL, and JSON. The Sentinel language is a high-level, declarative language that enables you to write and enforce policies across HashiCorp products like Terraform, Vault, and Consul. Sentinel policies are typically used to validate, restrict, and enforce configurations and actions in these products. While the syntax might look similar to Python, it's essential to understand that Sentinel is a separate language with its own set of rules and constructs. You can find more details about the Sentinel language in the official Sentinel documentation: [https://docs.hashicorp.com/sentinel/language/](https://docs.hashicorp.com/sentinel/language/) ### Can I use Sentinel to fail a Terraform Run if the listed tags do not validate as being oneOf the members of a set of tags that I have defined somewhere else? 1. Create a script that generates the JSON for allowed tags (similar to the previous example). Name the script ```generate_allowed_tags.py```. ```python #!/usr/bin/env python3 import json # Define the allowed tags. Replace these with your own tags or any dynamic logic to fetch tags. allowed_tags = ["tag1", "tag2", "tag3"] # Output the allowed tags as JSON print(json.dumps({"allowed_tags": allowed_tags})) ``` Make the script executable using ```chmod +x generate_allowed_tags.py```. 2. Execute the script and save the output to a JSON file. You can do this by running the following command in your terminal: bashCopy code ```./generate_allowed_tags.py > allowed_tags_parameters.json``` This command will generate a JSON file named ```allowed_tags_parameters.json``` containing the allowed tags. 3. Upload the JSON file to your Terraform Enterprise workspace: * Navigate to the "Settings" section of your workspace. * Click on "Policy Sets" in the left sidebar. * Click on the policy set containing the ```allowed_tags.sentinel``` policy. * Click on the "Configuration" tab. * Upload the ```allowed_tags_parameters.json``` file under "Policy Set Parameters." * Set the "Enforcement mode" to "hard-mandatory" to fail the Terraform run if the policy is violated. By following these steps, you will have dynamically generated the JSON for allowed tags by calling a script outside of Terraform. The Sentinel policy will enforce that the tags associated with your resources are in the allowed tags list defined in the JSON file. If you want to automate this process, you can include the script execution and JSON file upload steps in your CI/CD pipeline or any other automation tool you use for your infrastructure management.