Install the Sentinel CLI
HCP Terraform uses Sentinel to enable granular policy control for your infrastructure. Sentinel is a language and policy framework, which restricts Terraform actions to defined, allowed behaviors. Policy authors manage Sentinel policies in HCP Terraform with policy sets, which are groups of policies. Organization owners control the scope of policy sets by applying certain policy sets to the entire organization or to select workspaces.
Note
HCP Terraform Free Edition includes one policy set of up to five policies. In HCP Terraform Plus Edition, you can connect a policy set to a version control repository or create policy set versions via the API. Refer to HCP Terraform pricing for details.
The Policy-as-Code framework lets you manage governance requirements as you would your applications: written by operators, controlled in VCS, reviewed, and automated during your deployment process.
The Sentinel CLI (command-line interface) validates and tests rules so you can develop Sentinel policies.
After you install the Sentinel CLI, try the other Sentinel tutorials to practice writing, testing, and importing policies for HCP Terraform.
Install Sentinel CLI
To install the Sentinel CLI, find the appropriate package for your system and download it. The CLI is packaged as a zip archive.
After downloading Sentinel, unzip the package. The CLI runs as a single binary named sentinel. Any other files in the package can be safely removed and Sentinel will still function.
Finally, make sure that the sentinel binary is available on your PATH. This process will differ depending on your operating system.
Have your terminal print a colon-separated list of locations in your PATH.
$ echo $PATH
Move the sentinel binary to one of the listed locations. The command below assumes that the binary is currently in your downloads folder and that your PATH includes /usr/local/bin, but you can customize it if your locations are different.
$ mv ~/Downloads/sentinel /usr/local/bin/sentinel
For more detail about adding binaries to your PATH, see this Stack Overflow article.
Verify Sentinel installation
After installing the Sentinel CLI, verify the installation was successful by opening a new terminal session and checking that the sentinel binary is available.
By executing sentinel, you should see help output similar to the following:
$ sentinel
Usage: sentinel [--version] [--help] <command> [<args>]
Available commands are:
apply Execute a policy and output the result
fmt Format Sentinel policy to a canonical format
test Test policies
version Prints the Sentinel runtime version
If you get an error that the binary could not be found, then your PATH environment variable was not set up properly. Go back and ensure you set your PATH correctly.
Run a policy
In order for Sentinel to run a policy, it needs data to test the policy against. Open the embedded terminal session and follow the instructions on the left side of the window to test a policy against pre-populated HCP Terraform plan data. The example policy ensures that S3 buckets have tags attached.
This tutorial includes a free interactive command-line lab that lets you follow along on actual cloud infrastructure.
This is the policy you will test:
import "tfplan/v2" as tfplan

s3_buckets = filter tfplan.resource_changes as _, rc {
    rc.type is "aws_s3_bucket" and
    (rc.change.actions contains "create" or rc.change.actions is ["update"])
}

bucket_tags = rule {
    all s3_buckets as _, instances {
        instances.change.after.tags is not null
    }
}

main = rule {
    bucket_tags
}
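The same filter and rule expressed outside Sentinel, as an added example that is not part of this tutorial: a Python function that walks the resource_changes of a terraform show -json plan and reports which S3 bucket changes the policy would fail, so you can see exactly which changes the policy inspects and which it ignores. The plan fragment is constructed for the example and the function names are the example's own.

```python
import json

# Constructed plan fragment in `terraform show -json` shape (not real HCP Terraform
# data). It covers the cases the Sentinel filter distinguishes: create with tags,
# create without tags, update without tags, a pure delete, and a non-S3 resource.
PLAN_JSON = json.dumps({
    "resource_changes": [
        {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
         "change": {"actions": ["create"], "after": {"tags": {"owner": "sec"}}}},
        {"address": "aws_s3_bucket.untagged", "type": "aws_s3_bucket",
         "change": {"actions": ["create"], "after": {"tags": None}}},
        {"address": "aws_s3_bucket.drift", "type": "aws_s3_bucket",
         "change": {"actions": ["update"], "after": {"tags": None}}},
        {"address": "aws_s3_bucket.old", "type": "aws_s3_bucket",
         "change": {"actions": ["delete"], "after": None}},
        {"address": "aws_instance.web", "type": "aws_instance",
         "change": {"actions": ["create"], "after": {"tags": None}}},
    ]
})


def in_scope(rc):
    """Mirror of the Sentinel filter: S3 buckets being created, or only updated."""
    actions = rc["change"]["actions"]
    return rc["type"] == "aws_s3_bucket" and ("create" in actions or actions == ["update"])


def violations(plan_json):
    """Addresses of in-scope buckets whose planned `tags` is null.

    As in the Sentinel rule, an empty map counts as tagged (`{} is not null` is
    true), so `tags = {}` passes; only a missing or null attribute fails.
    """
    plan = json.loads(plan_json)
    return [
        rc["address"]
        for rc in plan.get("resource_changes", [])
        if in_scope(rc) and rc["change"]["after"].get("tags") is None
    ]


def main_rule(plan_json):
    """Equivalent of `main`: true when every in-scope bucket has tags.

    `all` over an empty collection is true, so a plan touching no buckets passes.
    """
    return not violations(plan_json)
```

Note that a destroy-only change is out of scope, so a bucket being deleted never trips the rule, while a replace (delete and create) is checked because its actions contain "create".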
Next Steps
Complete the following tutorials to learn how to use the Sentinel CLI and enforce Sentinel policies:
- Learn how to Generate Mock Policy Data
- Review how to Write a Sentinel Policy
- Review how to Test a Sentinel Policy
- Learn how to Upload a Sentinel Policy Set to HCP Terraform