HCP Terraform generates mock data during terraform plan operations in CLI or VCS-backed HCP Terraform workspaces. You can import this mock data into Sentinel to test policies. Sentinel can use several types of imports from the HCP Terraform API: configuration, plan, state, and run.
Note
HCP Terraform Free Edition includes one policy set of up to five policies. In HCP Terraform Plus Edition, you can connect a policy set to a version control repository or create policy set versions via the API. Refer to HCP Terraform pricing for details.
In this tutorial, you will use HCP Terraform to generate mock data.
For this tutorial, you will need:
- membership in the owners group of your HCP Terraform organization (managing policy sets requires it)

You should also be familiar with how to configure VCS-driven workspaces and destroy HCP Terraform workspaces.
Fork the example repository, which contains Terraform configuration to provision an EC2 instance.
Navigate to your HCP Terraform organization and create a new VCS-backed workspace connected to your fork of the learn-terraform-sentinel repository.
Navigate to your learn-terraform-sentinel workspace's Variables page.
Define environment variables for your AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY. Be sure to mark both as sensitive so HCP Terraform does not display them in the UI or API.
Navigate to your learn-terraform-sentinel workspace in HCP Terraform. Select Start new run from the Actions menu, and select the Plan only option.
When you run a remote terraform plan operation, HCP Terraform generates a collection of files called mocks. The mocks contain the Terraform plan data (and the matching configuration, state, and run data) that you can use to test your Sentinel policies locally.
After the plan completes, click Download Sentinel mocks. The mocks are generated from the plan and state of a real workspace, so treat the downloaded archive with the same care as a state file: keep it out of public repositories and shared locations.
On your local machine, create a new directory named learn-sentinel-policies
for your Sentinel development environment.
$ mkdir learn-sentinel-policies
Change into the directory.
$ cd learn-sentinel-policies
Extract the mock data archive you downloaded from HCP Terraform into your Sentinel development environment. Change the run-xxxx filename to match the one you downloaded.
$ tar xzf <DOWNLOADS_PATH>/run-xxxx-sentinel-mocks
This directory contains the following mock files for you to use to test and develop Sentinel policies.
$ tree
.
├── mock-tfconfig-v2.sentinel
├── mock-tfconfig.sentinel
├── mock-tfplan-v2.sentinel
├── mock-tfplan.sentinel
├── mock-tfrun.sentinel
├── mock-tfstate-v2.sentinel
├── mock-tfstate.sentinel
└── sentinel.hcl
Open sentinel.hcl and review the contents.
sentinel.hcl
mock "tfconfig" {
module {
source = "mock-tfconfig.sentinel"
}
}
mock "tfconfig/v1" {
module {
source = "mock-tfconfig.sentinel"
}
}
mock "tfconfig/v2" {
module {
source = "mock-tfconfig-v2.sentinel"
}
}
mock "tfplan" {
module {
source = "mock-tfplan.sentinel"
}
}
mock "tfplan/v1" {
module {
source = "mock-tfplan.sentinel"
}
}
mock "tfplan/v2" {
module {
source = "mock-tfplan-v2.sentinel"
}
}
mock "tfstate" {
module {
source = "mock-tfstate.sentinel"
}
}
mock "tfstate/v1" {
module {
source = "mock-tfstate.sentinel"
}
}
mock "tfstate/v2" {
module {
source = "mock-tfstate-v2.sentinel"
}
}
mock "tfrun" {
module {
source = "mock-tfrun.sentinel"
}
}
Each of the mock data files contains information Terraform captures during the plan operation. Sentinel parses these files when you import them into your policies. The sentinel.hcl file maps each import name to a mock file: the unversioned and /v1 names resolve to the legacy mock files, and the /v2 names resolve to the -v2 mock files. Use the /v2 imports for new policies.
Sentinel uses four HCP Terraform imports to define policy rules: plan, configuration, state, and run.
- tfplan: contains the data of a Terraform plan. The plan data represents the changes that Terraform needs to make to infrastructure to reach the desired state represented by the configuration.
- tfconfig: contains the data describing a Terraform configuration, the set of .tf files that you write to describe the desired infrastructure state.
- tfstate: contains data describing the Terraform state, the file Terraform uses to map real-world resources to your configuration.
- tfrun: contains data associated with a run in HCP Terraform, such as the run's workspace.
Sentinel also has a library of standard imports that you can use as part of your policies, such as ones to perform time functions and string operations.
When testing your policies, import the mock data file that has the data relevant to your policy. For example, if you want your policy to validate the proposed changes to your infrastructure, use the tfplan import to determine if the planned resources meet your criteria.
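The following policy is an added example that is not part of this tutorial or of the learn-terraform-sentinel repository. It shows how a policy consumes the tfplan/v2 mock you just downloaded: it walks the planned resource changes and fails the run if any managed aws_instance being created or updated uses an instance type outside an allowlist. The allowlist values and the policy filename are assumptions chosen for illustration.

```sentinel
# restrict-ec2-instance-type.sentinel (added example, filename is hypothetical)
import "tfplan/v2" as tfplan

# Hypothetical allowlist. Adjust to your organization's approved sizes.
allowed_types = ["t2.micro", "t3.micro"]

# Select only managed aws_instance resources that this plan will create or
# update. Deletions and data sources carry no "after" state worth checking.
aws_instances = filter tfplan.resource_changes as _, rc {
	rc.type is "aws_instance" and
	rc.mode is "managed" and
	(rc.change.actions contains "create" or rc.change.actions contains "update")
}

# Every selected instance must use an approved instance type. The "after"
# object holds the planned attribute values after the change is applied.
instance_type_allowed = rule {
	all aws_instances as _, rc {
		rc.change.after.instance_type in allowed_types
	}
}

# The main rule is what HCP Terraform evaluates to pass or fail the policy.
main = rule {
	instance_type_allowed
}
```

Save the policy in the learn-sentinel-policies directory next to sentinel.hcl and evaluate it against the mocks with `sentinel apply -config=sentinel.hcl restrict-ec2-instance-type.sentinel`; the -config flag makes the CLI load the mock mappings from sentinel.hcl, so the tfplan/v2 import resolves to mock-tfplan-v2.sentinel. Edit allowed_types to exclude the instance type the example configuration uses and re-run to confirm the policy actually fails; a policy that has never been seen to fail has not been tested.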
If you are continuing on to the next tutorial, skip this step.
HCP Terraform does not charge per workspace, so you can keep the workspace if you will complete the remaining tutorials later. To delete it, navigate to your workspace's Settings, then select Destruction and Deletion and follow the prompts to delete the workspace.
You generated Sentinel mock data using HCP Terraform and reviewed the different types of Sentinel imports. To learn more about Sentinel and how to enforce policies, review the following resources:
import in the Sentinel Language Specification Documentation.