HashiCorp Sentinel Policies 3rd Gen (Part 1 of 3)

What are HashiCorp Sentinel Policies?

Context: as I began my new job in June, I was tasked to understand this new tool from HashiCorp. I wondered why I hadn't been exposed to this tool before in my previous workplaces until I realized this was actually a feature offered on Terraform Cloud.

In long:

Sentinel implements governance policies as code in the same way that Terraform implements infrastructure as code. Sentinel policies define rules that restrict the provisioning of resources by Terraform configurations. Terraform enforces Sentinel policies between the plan and apply phases of a run, preventing out of policy infrastructure from being provisioned. Unless overridden by an authorized user, only plans that pass all Sentinel policies checked against them are allowed to proceed to the apply step.

In short:

After theterraform plan stage, Terraform cloud would check with the configured Sentinel policy repository to check against a set of rules and fail them if it does not match the rules created.

Sentinel… What is it?

It is a policy framework created by HashiCorp. It uses its own syntax and language to evaluate conditions to a single true or false outcome to check for policy compliance. The full docs can be found here

How should I start?

First, one has to be a user of either Terraform Cloud or Terraform Enterprise. There are also Sentinel policies available to be written for HashiCorp’s other tools such as Vault, Nomad and Consul.

After that, set up the connection between the Sentinel Policies code repository and Terraform Cloud workspace. You may refer to these docs for an example.

Why are you writing this article?

I found it daunting at the beginning to refer to the official Github Repo when creating, testing and implementing Sentinel policy checks.
There are 3 main components when kickstarting in writing Sentinel Policies for Terraform.

• mock infra repository with its own Terraform Workspace
• Sentinel policy repository for governance as code
• Terraform Cloud organization to point to the above-mentioned governance repository for checking policies

Mock Data

Sentinel Framework makes use of the terraform plan v2 data to cross with the policies written. This v2 data is generated on Terraform Cloud whenever a terraform plan is ran. We store this mock data for local testing to reduce the amount of time spent waiting plan to run repeatedly.

In the next part, I will boil down to more of the technical details in detailed steps of writing, referencing and testing.

Stay tuned as I try to make out more time to challenge myself on what I have learnt on the new job!