Terraform
Upload your Sentinel policy set to HCP Terraform
To enable Sentinel policy enforcement on your Terraform runs, you must upload your policy to your HCP Terraform organization. In this tutorial, you will create a new Sentinel policy set in your organization, configure a workspace to apply your policy, and trigger the Sentinel policy checks.
Note
HCP Terraform Free Edition includes one policy set of up to five policies. In HCP Terraform Plus Edition, you can connect a policy set to a version control repository or create policy set versions via the API. Refer to HCP Terraform pricing for details.
Prerequisites
For this tutorial you will need:
- An HCP Terraform or Terraform Enterprise account
- Access to the owners group of your Terraform organization
- A GitHub account
- An AWS account to create example resources
You should also be familiar with how to configure a VCS-driven workspace and destroy HCP Terraform workspaces.
Fork the example repository
Fork the example repository, which contains Terraform configuration to provision an EC2 instance.
Create an HCP Terraform workspace
Navigate to your HCP Terraform organization and create a new VCS-backed workspace connected to your fork of the learn-terraform-sentinel repository.
Configure workspace variables
Navigate to your learn-terraform-sentinel workspace's "Variables" page.
Define a variable called instance_type and set the value to t2.large.
Define environment variables for your AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY. Be sure to set both as sensitive.
When complete, your variable definitions will match the following:
Fork the Sentinel policy set repository
Now fork the example policy repository, which contains a Sentinel policy and rule enforcement definition.
The restrict-aws-instances-type-and-tag.sentinel file contains a Sentinel policy that defines a main rule that consists of two other rules defining infrastructure requirements:
- The mandatory_instance_tags rule checks that all EC2 instances have a Name tag.
- The instance_types_allowed rule checks that EC2 instances are of type t2.micro, t2.small, or t2.medium.
Tip
To review the policy used in this tutorial and how to use Sentinel mock data when writing Sentinel policies in more detail, visit the Write a Sentinel Policy for a Terraform Deployment tutorial.
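The two rules described above, written out as an added example policy. This is not the file from the learn-sentinel-policy-upload repository; it assumes the tfplan/v2 import (so the plan data is read from tfplan.resource_changes), it names the rules exactly as the tutorial does, and it only inspects aws_instance resources the plan will create or update, since a resource being destroyed cannot violate either requirement.

```sentinel
// Added example policy, not the tutorial repository's own file.
import "tfplan/v2" as tfplan

// Instance types the policy permits (the list the tutorial text describes).
allowed_types = ["t2.micro", "t2.small", "t2.medium"]

// Managed aws_instance resources that this plan creates or updates.
ec2_instances = filter tfplan.resource_changes as _, rc {
	rc.type is "aws_instance" and
	rc.mode is "managed" and
	(rc.change.actions contains "create" or rc.change.actions contains "update")
}

// Every instance must carry a Name tag. `tags` is null when the argument is
// absent from the configuration, so guard the key lookup before reading it.
mandatory_instance_tags = rule {
	all ec2_instances as _, instance {
		instance.change.after.tags is not null and
		"Name" in keys(instance.change.after.tags)
	}
}

// Every instance type must appear in the allow-list.
instance_types_allowed = rule {
	all ec2_instances as _, instance {
		instance.change.after.instance_type in allowed_types
	}
}

// The policy passes only when both rules pass; the run output reports which
// of the two rules failed.
main = rule {
	mandatory_instance_tags and
	instance_types_allowed
}
```

With instance_type set to t2.large, as the tutorial has you do first, instance_types_allowed evaluates to false and, under the hard-mandatory enforcement level configured in sentinel.hcl, the run cannot proceed to apply. Note that this example reads only change.after; an instance_type or tag that is unknown until apply time would need to be handled through change.after_unknown, which the example does not cover.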
You must list all of the policies defined in the policy repository in the sentinel.hcl file. This file also sets the enforcement level for each policy, which specifies the behavior in the event of a policy failure. HCP Terraform evaluates the policies in the order they appear in this file.
This configuration contains one policy definition.
sentinel.hcl
policy "restrict-aws-instances-type-and-tag" {
enforcement_level = "hard-mandatory"
}
Notice the configured enforcement_level for your policy. A policy can have one of three enforcement levels:
- Advisory (default): The policy can fail. HCP Terraform records all failures in the audit log.
- Soft mandatory: In the event of failure, organization owners or users with override permissions can override the policy to let the run proceed. HCP Terraform records all overrides in the audit log.
- Hard mandatory: The policy must pass for the run to proceed.
Connect the policy set
In the HCP Terraform UI, navigate to Settings > Policy Sets. Then, click on Connect a new policy set to create a new policy set.
Select your fork of the learn-sentinel-policy-upload repository as the source. For more information or for other VCS connection settings, visit our documentation on VCS Integrations.
Tip
The search bar for policy repositories is case sensitive.
HCP Terraform applies policy sets either across your organization, or to specific workspaces.
On the Configure Settings page:
- Select the Sentinel policy framework.
- Under Scope of policies, select Policies enforced on selected workspaces.
- Select your learn-terraform-sentinel workspace and click Add workspace.
- Click Connect policy set.
Tip
You can pin a policy set to a specific runtime version. To do so, choose the Enhanced policy set type, then select a runtime version from the Runtime version drop-down. Policy runtime version management is currently in beta.
Trigger a Sentinel Check
Navigate to your learn-terraform-sentinel workspace. Click on the Actions menu and select Plan and apply (standard).
Because you set the instance_type variable to t2.large, this run violates the instance_types_allowed rule and fails the policy check. Terraform will not let you apply the plan.
Navigate to the workspace's Variables page and update the value of instance_type to t2.small. Save the variable.
Start another run. This time, Sentinel will validate the proposed changes and let you apply the plan.
Since this is the end of the tutorial, click Discard Run.
Delete the policy set
Navigate back to your policy set under Settings > Policy Sets, then click Delete policy set. Confirm by clicking "Yes, delete policy set".
Delete workspace
If you will continue with other policy tutorials, skip this step.
HCP Terraform does not charge per workspace, so you can keep the workspace if you will complete the remaining tutorials later. To delete it, navigate to your workspace's Settings, then select Destruction and Deletion and follow the prompts to delete the workspace.
Next steps
You have now uploaded a Sentinel policy set to HCP Terraform and triggered policy failures and passes. To learn more about Sentinel, review the following resources:
- Learn how to Generate Mock Policy Data
- Review how to Write a Sentinel Policy
- Review how to Test a Sentinel Policy
- Review Sentinel and HCP Terraform documentation
- Experiment in the Sentinel Playground
- Review Sentinel Language Specification documentation
- Learn how to use policies from the Terraform registry