Integrate external data with Sentinel static imports
In the previous tutorial, you implemented one type of Sentinel import by creating and using modules. Sentinel's import system is a powerful feature that lets you extend your policies with additional data and functionality.
In this tutorial, you will use static imports to incorporate external JSON data into your HashiCups policy, simulating a scenario where you need to validate orders against externally defined criteria. Static imports let you separate your data from your policy logic, making both easier to manage and update independently. This is particularly useful when you need to work with structured data from external sources, such as Terraform plan files in infrastructure-as-code workflows.
Tip
You can find the configuration for this tutorial in the 04-static-imports branch of the Learn Sentinel Get Started GitHub repository.
Create a JSON data file
You need to create a JSON file containing sample order data. This simulates external data that you want to use in your policy.
First, create the directory to store the JSON file.
$ mkdir -p imports/order
Then, create the order JSON file.
$ touch imports/order/order.json
Open imports/order/order.json in your text editor, paste in the configuration below, and save the file.
imports/order/order.json
{
  "items": [
    {
      "name": "Vaulatte",
      "size": "medium",
      "quantity": 2
    },
    {
      "name": "Nomadicano",
      "size": "large",
      "quantity": 1
    }
  ]
}
Update the policy
Now that you have external data, update your policy to import the static data. Replace the contents of policies/validate_coffee_order.sentinel with the following.
policies/validate_coffee_order.sentinel
import "hashicups"
import "order"

# Main rule to validate a coffee order: every item in the statically
# imported order must have a valid name and a valid size
main = rule {
  all order.items as item {
    hashicups.validate_name(item.name) and
    hashicups.validate_size(item.size)
  }
}
Notice how the policy replaced the order params with the order static import. Sentinel will apply the policy against the data in the order JSON file.
Update the Sentinel configuration
To use your new JSON file as a static import, you need to update the Sentinel configuration file. Replace the contents of sentinel.hcl with the following.
sentinel.hcl
import "static" "order" {
  source = "./imports/order/order.json"
  format = "json"
}

import "module" "hashicups" {
  source = "./imports/modules/helper/hashicups.sentinel"
}

policy "validate_coffee_order" {
  source = "./policies/validate_coffee_order.sentinel"
}
This configuration adds a static import for your order JSON file, specifying its location and format. It also retains the module import from the previous tutorial. Finally, the configuration no longer has the validate_coffee_order_override policy, since you replaced the parameters with static imports in the validate_coffee_order.sentinel policy.
You can create different order JSON files and update the source to validate different scenarios.
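The same data-versus-logic split can be pushed further by keeping the validation thresholds themselves in a static import. The policy below is an added example, not part of this tutorial or its repository; it assumes a second static import named limits, declared in sentinel.hcl with source "./imports/limits/limits.json" and format "json", whose hypothetical contents are shown in the comment.

```sentinel
import "order"
import "limits"

# Assumed contents of ./imports/limits/limits.json (constructed for this example):
# {
#   "max_quantity": { "small": 10, "medium": 5, "large": 3 },
#   "max_items_per_order": 6
# }

# Sum the quantity of every item in the order
total_quantity = func(items) {
  total = 0
  for items as item {
    total += item.quantity
  }
  return total
}

# Each item must use a size that has a configured limit, and must not
# exceed that limit. Unknown sizes fail closed rather than being skipped.
quantity_within_size_limit = rule {
  all order.items as item {
    item.size in keys(limits.max_quantity) and
    item.quantity <= limits.max_quantity[item.size]
  }
}

# The whole order must stay under the per-order cap from the data file
order_within_item_cap = rule {
  total_quantity(order.items) <= limits.max_items_per_order
}

# Main rule: both data-driven checks must hold
main = rule {
  quantity_within_size_limit and
  order_within_item_cap
}
```

With the order.json above and the limits shown in the comment, both rules pass; changing the large limit to 0 or the per-order cap to 2 in limits.json fails the policy without touching the policy file.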
Apply the policy
Apply your policy with the Sentinel CLI. The policy passes with the static imports as expected.
$ sentinel apply
Pass - validate_coffee_order.sentinel
Pass - validate_coffee_order_override.sentinel
Next steps
In this tutorial, you learned how to create a JSON file for static import and configure your policy and Sentinel configuration files to use the static imports. In the next tutorial, you will learn how to write tests for your Sentinel policies to verify your policies are performing as expected under multiple scenarios.
For more information on topics covered in this tutorial, refer to the following documentation: