Mitchell Pronschinske, profile picture
Uploaded byMitchell Pronschinske
PPTX, PDF1,112 views

Using new sentinel features in terraform cloud

This document discusses new features in HashiCorp's Sentinel policy as code framework used with Terraform Cloud and Terraform Enterprise. It introduces Sentinel modules and new Terraform Sentinel v2 imports, and describes the evolution of Sentinel policies from first to third generation. It provides examples of prototypical third generation policies and discusses common functions, testing policies with the Sentinel CLI, and deploying policies.

Embed presentation

Downloaded 10 times
Copyright © 2020 HashiCorp Using New Sentinel Features in Terraform Cloud and Terraform Enterprise Roger Berlind Technology Specialist HashiCorp
Copyright © 2020 HashiCorp ▪ Sentinel in Terraform Cloud (TFC) and Terraform Enterprise (TFE) ▪ Two New Sentinel Features – Sentinel Modules – Terraform Sentinel v2 Imports ▪ The Evolution of Sentinel Policies ▪ Some Prototypical Third-Generation Sentinel Policies ▪ The Third-Generation Common Functions ▪ Testing and Using the Third Generation Sentinel Policies ▪ A Demo Agenda
Copyright © 2020 HashiCorp Sentinel in Terraform Cloud and Terraform Enterprise
Copyright © 2020 HashiCorp ▪ HashiCorp's Sentinel is a framework for implementing governance policies as code in the same way that Terraform implements infrastructure as code. ▪ It includes its own language and is embedded in HashiCorp's enterprise products. ▪ Using Sentinel ensures that your governance policies are actually being checked rather than just being listed in a spreadsheet. ▪ It supports fine-grained policies that use conditional logic. ▪ It includes a CLI that allows you to test and run policies. What is Sentinel?
Copyright © 2020 HashiCorp Terraform Cloud and Terraform Enterprise ▪ A User Interface ▪ Workspace Management ▪ Team Management ▪ State Management ▪ Secure Variable Management ▪ Remote Runs and State ▪ VCS Integrations ▪ HTTP/JSON API ▪ Private Module Registry ▪ Configuration Editor ▪ Sentinel (policy as code) ▪ SSO via SAML Integration ▪ Audit Logging Terraform Cloud (TFC) includes the following advanced functionality that makes it easier for teams and organizations to use Terraform: Customers can install Terraform Enterprise (TFE) servers to self-host TFC in their own virtual private networks or in their data centers.
Copyright © 2020 HashiCorp ▪ Sentinel policies are checked between the standard plan and apply steps of Terraform runs. ▪ Policies have different enforcement levels: advisory, soft-mandatory, and hard-mandatory. ▪ Violations prevent runs from being applied unless a user with sufficient authority overrides them. ▪ Sentinel policies can evaluate the attributes (arguments and exported attributes) of existing and new resources and data sources based on information from the current run: – the plan, the configuration, the current state, and other run data including cost estimates ▪ This ensures that resources comply with all policies before they are provisioned. Where is Sentinel Used in Terraform?
Copyright © 2020 HashiCorp How Terraform Works Without Sentinel VCS Terraform Infrastructureplan & apply
Copyright © 2020 HashiCorp How Terraform Works With Sentinel VCS Terraform Cloud Workspace Infrastructureplan Sentinel Policy Checks apply If cost estimates are enabled, they run right after the plan.
Copyright © 2020 HashiCorp All Policy Checks Passed
Copyright © 2020 HashiCorp ▪ HashiCorp customers are using Sentinel to implement governance policies like the following in Terraform Cloud/Enterprise: – Enforce security standards: ▪ Require all S3 buckets use the private ACL and be encrypted by KMS. ▪ Restrict which roles the AWS provider can assume. ▪ Blacklist/whitelist resources, data sources, providers, or provisioners. – Avoid excessive costs: ▪ Limit the sizes of VMs and Kubernetes clusters in public clouds. ▪ Limit the monthly spend of each Terraform workspace. – Enforce mandatory tags on resources provisioned by Terraform. – Mandate that all modules come from a Private Module Registry. – Enforce specific Terraform coding conventions. How Customers are Using Sentinel in Terraform
Copyright © 2020 HashiCorp Two New Sentinel Features
Copyright © 2020 HashiCorp ▪ A Sentinel Module defines Sentinel functions and rules in a file that can be used by Sentinel policies with a single import statement. ▪ This avoids the need to paste the functions into every policy that calls them, improving the reusability of Sentinel functions. ▪ Sentinel modules are registered in Sentinel CLI configuration files and in TFC/TFE policy set configuration files. ▪ The terraform-guides repository includes 5 "third-generation" modules: – tfplan-functions, tfstate-functions, tfconfig-functions, tfrun-functions, and aws-functions ▪ Each function is documented in a separate MD file. ▪ Note that these are NOT standard functions. Sentinel Modules
Copyright © 2020 HashiCorp ▪ The new v2 versions of three Terraform Sentinel imports (tfplan, tfstate, and tfconfig) are aligned more closely with native Terraform 0.12 data structures. ▪ This makes the v2 imports easier to use than the v1 imports. ▪ Additionally, since resource instances are stored in a single flat map that spans across all Terraform modules and resource types, it is much easier to find all resources instances of a specific type or a sub-collection of them. ▪ However, there is a catch: – The v2 imports can only be used with Terraform 0.12. New v2 Versions of the Terraform Sentinel Imports
Copyright © 2020 HashiCorp ▪ The tfplan/v2 gives data generated from Terraform plans. – https://www.terraform.io/docs/cloud/sentinel/import/tfplan-v2.html ▪ The tfconfig/v2 import gives data about the Terraform configuration. – https://www.terraform.io/docs/cloud/sentinel/import/tfconfig-v2.html ▪ The tfstate/v2 import gives data about the current state of a workspace. – https://www.terraform.io/docs/cloud/sentinel/import/tfstate-v2.html ▪ The tfrun import provides metadata for Terraform runs and their workspaces as well as cost estimate data. (There is no v2 version of it.) – https://www.terraform.io/docs/cloud/sentinel/import/tfrun.html Sentinel Imports in Terraform
Copyright © 2020 HashiCorp The Evolution of Sentinel Policies
Copyright © 2020 HashiCorp ▪ The first-generation policies were written in late 2018 and used the original Terraform Sentinel v1 imports. ▪ They had several short-comings, including the following: – Most of the policies did not print violation messages for resources that violated them. – They stopped evaluating conditions as soon as a single resource instance violated them. – They failed when resources that were being destroyed violated conditions. – Their use of default Sentinel output was overly verbose. The First-Generation Policies
Copyright © 2020 HashiCorp ▪ The second-generation policies were written in 2019 and used the original Terraform Sentinel v1 imports: ▪ They made the following improvements: – They offloaded most processing from rules into some common parameterized functions. – Those common functions were written in a way that caused all violations of all rules to be reported. – They printed out the full address of each resource instance that did violate a policy. – By using a single main rule, they suppressed most of Sentinel’s default, overly verbose output. – They skipped resources that were being destroyed but not recreated. The Second-Generation Policies
Copyright © 2020 HashiCorp ▪ The new third-generation policies were written in the spring of 2020 and use the new Terraform Sentinel v2 imports and Sentinel modules. ▪ They have the following advantages: – Their use of the v2 imports and the Sentinel filter expression makes it easier to restrict policies to specific operations performed by Terraform. – The common functions defined in Sentinel modules do not need to be pasted into policies that use them. – Most of the policies do not have any for loops of if/else conditionals. This makes the policies easier to understand and copy. – They can evaluate the value of any attribute of any resource or data source, even those that are deeply nested. ▪ However, since they do use the v2 imports, they can only be used with Terraform 0.12 The New Third-Generation Policies
Copyright © 2020 HashiCorp Some Prototypical Third- Generation Sentinel Policies
Copyright © 2020 HashiCorp ▪ I'll review four prototypical third-generation Sentinel policies in order of increasing sophistication: – restrict-ec2-instance-type.sentinel (AWS) – restrict-vm-cpu-and-memory.sentinel (VMware) – restrict-vm-disk-size.sentinel (VMware) – restrict-publishers-of-current-vms.sentinel (Azure) Some Prototypical Third-Generation Policies
Copyright © 2020 HashiCorp The Third-Generation Common Functions
Copyright © 2020 HashiCorp ▪ As mentioned earlier, there are third-generation Sentinel modules with common functions for each of the Terraform Sentinel imports. ▪ The tfplan and tfstate modules have the following functions: – Find functions that find resources, data sources, and blocks. – Filter functions that filter collections of resources, data sources, or blocks. These each return two maps: resources and messages. – The evaluate_attribute function that can evaluate any attribute of any resource, data source, or block, even if deeply nested. – The to_string and print_violation functions that are used by the other functions. ▪ There is also a Sentinel module with some AWS-specific functions. The Third-Generation Common Functions
Copyright © 2020 HashiCorp Testing and Using the Third- Generation Sentinel Policies
Copyright © 2020 HashiCorp ▪ All the third-generation Sentinel policies have test cases and mocks that support testing the policies with the Sentinel CLI ▪ Do the following: – Download the Sentinel CLI from the Sentinel Downloads page. – Unzip the zip file and place the sentinel binary in your path. – Fork the terraform-guides repository and clone your fork to your local machine. – Navigate to any of the cloud directories (aws, azure, gcp, or vmware) or to the cloud-agnostic directory. – Run sentinel test to test all policies for that cloud. – Run sentinel test -run=<partial_policy_name> -verbose to test individual policies, using a string that partially matches name. Testing Policies with the Sentinel CLI
Copyright © 2020 HashiCorp { "modules": { "tfplan-functions": { "path": "../../../common-functions/tfplan-functions/ tfplan-functions.sentinel" } }, "mock": { "tfplan/v2": "mock-tfplan-pass.sentinel" }, "test": { "main": true } } An Example Test Case that References a Module
Copyright © 2020 HashiCorp ▪ After successfully testing a policy with the CLI and possibly also on TFC itself, you will want to deploy it to your TFC/TFE organizations. ▪ If you have not already added the policy to a policy set in your organizations, do that at this time. ▪ Add the new policy to an existing policy set that is already applied against desired workspaces, or create a new policy set for the policy and apply that policy set to desired workspaces across your organizations. ▪ Also add any parameters the policy requires to your policy set. ▪ And add references to any Sentinel Modules that policies in it use. Deploying Policies in TFC or TFE
Copyright © 2020 HashiCorp ▪ Here is an example policy set: module "tfplan-functions" { source = "../common-functions/tfplan-functions/tfplan -functions.sentinel" } policy "restrict-ec2-instance-type" { source = "./restrict-ec2-instance-type.sentinel" enforcement_level = "soft-mandatory" } Example Policy Set
Copyright © 2020 HashiCorp Demo
Copyright © 2020 HashiCorp ▪ Here are some useful Links ▪ Documentation – https://www.terraform.io/docs/cloud/sentinel/index.html – https://www.terraform.io/docs/cloud/sentinel/manage- policies.html – https://docs.hashicorp.com/sentinel ▪ Other Resources: – Blog for this webinar – Sentinel in Terraform v2 Workshop (including hands-on Instruqt track that teaches you how to write and test policies) Some Useful Links
Thank you. hello@hashicorp.comwww.hashicorp.com

More Related Content

PPTX
Terraform Basics
byMohammed Fazuluddin
 
PDF
Azure Arc Overview from Microsoft
byDavid J Rosenthal
 
PPTX
HA/DR options with SQL Server in Azure and hybrid
byJames Serra
 
PDF
VMware Cloud on AWSネットワーク詳細解説
byNoritaka Kuroiwa
 
PDF
AWS初心者向けWebinar RDBのAWSへの移行方法(Oracleを例に)
byAmazon Web Services Japan
 
PDF
Best Practices of Infrastructure as Code with Terraform
byDevOps.com
 
PPTX
Transforming Infrastructure into Code - Importing existing cloud resources u...
byShih Oon Liong
 
PDF
Terraform -- Infrastructure as Code
byMartin Schütte
 
Terraform Basics
byMohammed Fazuluddin
 
Azure Arc Overview from Microsoft
byDavid J Rosenthal
 
HA/DR options with SQL Server in Azure and hybrid
byJames Serra
 
VMware Cloud on AWSネットワーク詳細解説
byNoritaka Kuroiwa
 
AWS初心者向けWebinar RDBのAWSへの移行方法(Oracleを例に)
byAmazon Web Services Japan
 
Best Practices of Infrastructure as Code with Terraform
byDevOps.com
 
Transforming Infrastructure into Code - Importing existing cloud resources u...
byShih Oon Liong
 
Terraform -- Infrastructure as Code
byMartin Schütte
 

What's hot

PDF
Azure Monitoring Overview
bygjuljo
 
PDF
TechnicalTerraformLandingZones121120229238.pdf
byMIlton788007
 
PPTX
Terraform training - Modules 🎒
byStephaneBoghossian1
 
PPTX
Azure Site Recovery Bootcamp
byAsaf Nakash
 
PPTX
Azure key vault
byRahul Nath
 
PDF
AWS Summit Seoul 2023 | 실시간 CDC 데이터 처리! Modern Transactional Data Lake 구축하기
byAmazon Web Services Korea
 
PDF
Azure governance v4.0
byMarcos Oikawa
 
PDF
Oracle GoldenGate Cloud Service(GGCS)概要
byオラクルエンジニア通信
 
PDF
Az 104 session 6 azure networking part2
byAzureEzy1
 
PDF
[Oracle DBA & Developer Day 2016] しばちょう先生の特別講義!!ストレージ管理のベストプラクティス ~ASMからExada...
byオラクルエンジニア通信
 
PDF
Oracle GoldenGate Veridata概要
byオラクルエンジニア通信
 
PPTX
詳説!Azure AD 条件付きアクセス - 動作の仕組みを理解する編
byYusuke Kodama
 
PDF
Azure Arc - Managing Hybrid and Multi-Cloud Platforms
byWinWire Technologies Inc
 
PDF
Office365勉強会 #23 Azure AD のテナント設計(Office365管理者向け)
byGenki WATANABE
 
PDF
3分でわかる Azure Managed Diskのしくみ
byToru Makabe
 
PDF
[Cloud OnAir] Google Cloud における RDBMS の運用パターン 2020年11月19日 放送
byGoogle Cloud Platform - Japan
 
PDF
Azure Training | Microsoft Azure Tutorial | Microsoft Azure Certification | E...
byEdureka!
 
PPTX
Microsoft Azure alerts
byStudent
 
PPTX
Azure Network Security Groups (NSG)
byShawn Ismail
 
PPTX
Comprehensive Terraform Training
byYevgeniy Brikman
 
Azure Monitoring Overview
bygjuljo
 
TechnicalTerraformLandingZones121120229238.pdf
byMIlton788007
 
Terraform training - Modules 🎒
byStephaneBoghossian1
 
Azure Site Recovery Bootcamp
byAsaf Nakash
 
Azure key vault
byRahul Nath
 
AWS Summit Seoul 2023 | 실시간 CDC 데이터 처리! Modern Transactional Data Lake 구축하기
byAmazon Web Services Korea
 
Azure governance v4.0
byMarcos Oikawa
 
Oracle GoldenGate Cloud Service(GGCS)概要
byオラクルエンジニア通信
 
Az 104 session 6 azure networking part2
byAzureEzy1
 
[Oracle DBA & Developer Day 2016] しばちょう先生の特別講義!!ストレージ管理のベストプラクティス ~ASMからExada...
byオラクルエンジニア通信
 
Oracle GoldenGate Veridata概要
byオラクルエンジニア通信
 
詳説!Azure AD 条件付きアクセス - 動作の仕組みを理解する編
byYusuke Kodama
 
Azure Arc - Managing Hybrid and Multi-Cloud Platforms
byWinWire Technologies Inc
 
Office365勉強会 #23 Azure AD のテナント設計(Office365管理者向け)
byGenki WATANABE
 
3分でわかる Azure Managed Diskのしくみ
byToru Makabe
 
[Cloud OnAir] Google Cloud における RDBMS の運用パターン 2020年11月19日 放送
byGoogle Cloud Platform - Japan
 
Azure Training | Microsoft Azure Tutorial | Microsoft Azure Certification | E...
byEdureka!
 
Microsoft Azure alerts
byStudent
 
Azure Network Security Groups (NSG)
byShawn Ismail
 
Comprehensive Terraform Training
byYevgeniy Brikman
 

Similar to Using new sentinel features in terraform cloud

PPTX
Using Sentinel Policies Across Multiple Terraform Cloud Organizations
byMitchell Pronschinske
 
PPTX
Policy as Code: IT Governance With HashiCorp Sentinel
byMitchell Pronschinske
 
PDF
Controlling Cloud Costs with HashiCorp Terraform
byDevOps.com
 
PPTX
Hashicorp Terraform Open Source vs Enterprise
byStenio Ferreira
 
PPTX
Securing Data in Hybrid on-premise and Cloud Environments using Apache Ranger
byDataWorks Summit
 
PDF
SBA Security Meetup - Deploying and managing azure sentinel as code by Bojan ...
bySBA Research
 
PDF
Lab 4.4 More Cloud Logging and Monitoring - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
PDF
Terraform - Taming Modern Clouds
byNic Jackson
 
PPTX
Hashicorp-Certified-Terraform-Associate-v3-edited.pptx
byssuser0d6c88
 
PDF
introduction to Azure Sentinel
byRobert Crane
 
Using Sentinel Policies Across Multiple Terraform Cloud Organizations
byMitchell Pronschinske
 
Policy as Code: IT Governance With HashiCorp Sentinel
byMitchell Pronschinske
 
Controlling Cloud Costs with HashiCorp Terraform
byDevOps.com
 
Hashicorp Terraform Open Source vs Enterprise
byStenio Ferreira
 
Securing Data in Hybrid on-premise and Cloud Environments using Apache Ranger
byDataWorks Summit
 
SBA Security Meetup - Deploying and managing azure sentinel as code by Bojan ...
bySBA Research
 
Lab 4.4 More Cloud Logging and Monitoring - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
Terraform - Taming Modern Clouds
byNic Jackson
 
Hashicorp-Certified-Terraform-Associate-v3-edited.pptx
byssuser0d6c88
 
introduction to Azure Sentinel
byRobert Crane
 

More from Mitchell Pronschinske

PDF
Getting Started with Kubernetes and Consul
byMitchell Pronschinske
 
PDF
Multi-Cloud with Nomad and Consul Connect
byMitchell Pronschinske
 
PDF
Code quality for Terraform
byMitchell Pronschinske
 
PDF
Dynamic Azure Credentials for Applications and CI/CD Pipelines
byMitchell Pronschinske
 
PPTX
Migrating from VMs to Kubernetes using HashiCorp Consul Service on Azure
byMitchell Pronschinske
 
PPTX
Empowering developers and operators through Gitlab and HashiCorp
byMitchell Pronschinske
 
PPTX
Automate and simplify multi cloud complexity with f5 and hashi corp
byMitchell Pronschinske
 
PDF
Vault 1.5 Overview
byMitchell Pronschinske
 
PDF
Military Edge Computing with Vault and Consul
byMitchell Pronschinske
 
PDF
Unlocking the Cloud operating model with GitHub Actions
byMitchell Pronschinske
 
PDF
Vault 1.4 integrated storage overview
byMitchell Pronschinske
 
PDF
Unlocking the Cloud Operating Model
byMitchell Pronschinske
 
PPTX
Cisco ACI with HashiCorp Terraform (APAC)
byMitchell Pronschinske
 
PPTX
Governance for Multiple Teams Sharing a Nomad Cluster
byMitchell Pronschinske
 
PDF
Integrating Terraform and Consul
byMitchell Pronschinske
 
PPTX
Unlocking the Cloud Operating Model: Deployment
byMitchell Pronschinske
 
PPTX
Keeping a Secret with HashiCorp Vault
byMitchell Pronschinske
 
PPTX
Modern Scheduling for Modern Applications with Nomad
byMitchell Pronschinske
 
PPTX
Moving to a Microservice World: Leveraging Consul on Azure
byMitchell Pronschinske
 
PPTX
Remote Culture at HashiCorp
byMitchell Pronschinske
 
Getting Started with Kubernetes and Consul
byMitchell Pronschinske
 
Multi-Cloud with Nomad and Consul Connect
byMitchell Pronschinske
 
Code quality for Terraform
byMitchell Pronschinske
 
Dynamic Azure Credentials for Applications and CI/CD Pipelines
byMitchell Pronschinske
 
Migrating from VMs to Kubernetes using HashiCorp Consul Service on Azure
byMitchell Pronschinske
 
Empowering developers and operators through Gitlab and HashiCorp
byMitchell Pronschinske
 
Automate and simplify multi cloud complexity with f5 and hashi corp
byMitchell Pronschinske
 
Vault 1.5 Overview
byMitchell Pronschinske
 
Military Edge Computing with Vault and Consul
byMitchell Pronschinske
 
Unlocking the Cloud operating model with GitHub Actions
byMitchell Pronschinske
 
Vault 1.4 integrated storage overview
byMitchell Pronschinske
 
Unlocking the Cloud Operating Model
byMitchell Pronschinske
 
Cisco ACI with HashiCorp Terraform (APAC)
byMitchell Pronschinske
 
Governance for Multiple Teams Sharing a Nomad Cluster
byMitchell Pronschinske
 
Integrating Terraform and Consul
byMitchell Pronschinske
 
Unlocking the Cloud Operating Model: Deployment
byMitchell Pronschinske
 
Keeping a Secret with HashiCorp Vault
byMitchell Pronschinske
 
Modern Scheduling for Modern Applications with Nomad
byMitchell Pronschinske
 
Moving to a Microservice World: Leveraging Consul on Azure
byMitchell Pronschinske
 
Remote Culture at HashiCorp
byMitchell Pronschinske
 

Recently uploaded

PDF
Powering Spring AI with Model Context Protocol Integration
byJuarez Junior
 
PDF
Jira, Powered by Enterprise-Grade Intelligence from NeoroTalks.pdf
byNeoro Talks
 
PDF
Imperative Bowling Kata - 20 Years On - Delegating Menial Tasks to AI Coding ...
byPhilip Schwarz
 
PDF
Langchain4J - An Introduction for Impatient Developers
byJuarez Junior
 
PDF
GET /Ready How to master being a Master of Ceremonies (MC)
byImma Valls Bernaus
 
PPTX
How CFD Simulations Support Sustainable Data Center Design Optimization
byWeb Synergies
 
PDF
The Ultimate Guide to Real Estate Tokenization Platforms
byDaniel Smith
 
PDF
Introduction to Modern Artificial Intelligence.pdf
byAI n Dot Net
 
PDF
Building Smarter AI: 16 RAG Approaches for Accuracy, Memory, and Reasoning Vi...
byVineet Sharma
 
PDF
Langchain4J – An Introduction for Impatient Developers
byJuarez Junior
 
PDF
ACE Aarhus February 2026: Atlassian news
byDanielEriksen5
 
PPTX
40m_wAIred_DigitalPlatformRabobank_10022026.pptx
bySimonedeGijt
 
PDF
Building with AI using Local & Cloud-based AI IDE: Evaluation-Driven Developm...
byKunal Suri
 
PDF
Versnel innovatie met GitHub Enterprise - Rick Smit GitHub
byDelta-N
 
PPTX
Data Skills for Business Analysts: What You Need to Succeed
byScott W. Ambler
 
PPTX
‘Analyzing Application Logs Using AI’ Webinar
byTier1 app
 
PDF
Build Modern Applications with Amazon Aurora DSQL- AWS User Group Bonn 2026
byVadym Kazulkin
 
PDF
Ontwikkel sneller en veiliger met GitHub Copilot
byDelta-N
 
PDF
Routing Guidelines: Unlocking Smarter Query Routing in MySQL Architectures
byMiguel Araújo
 
PDF
Prompt Engineering vs Content Engineering vs RAG.pdf
byVineet Sharma
 
Powering Spring AI with Model Context Protocol Integration
byJuarez Junior
 
Jira, Powered by Enterprise-Grade Intelligence from NeoroTalks.pdf
byNeoro Talks
 
Imperative Bowling Kata - 20 Years On - Delegating Menial Tasks to AI Coding ...
byPhilip Schwarz
 
Langchain4J - An Introduction for Impatient Developers
byJuarez Junior
 
GET /Ready How to master being a Master of Ceremonies (MC)
byImma Valls Bernaus
 
How CFD Simulations Support Sustainable Data Center Design Optimization
byWeb Synergies
 
The Ultimate Guide to Real Estate Tokenization Platforms
byDaniel Smith
 
Introduction to Modern Artificial Intelligence.pdf
byAI n Dot Net
 
Building Smarter AI: 16 RAG Approaches for Accuracy, Memory, and Reasoning Vi...
byVineet Sharma
 
Langchain4J – An Introduction for Impatient Developers
byJuarez Junior
 
ACE Aarhus February 2026: Atlassian news
byDanielEriksen5
 
40m_wAIred_DigitalPlatformRabobank_10022026.pptx
bySimonedeGijt
 
Building with AI using Local & Cloud-based AI IDE: Evaluation-Driven Developm...
byKunal Suri
 
Versnel innovatie met GitHub Enterprise - Rick Smit GitHub
byDelta-N
 
Data Skills for Business Analysts: What You Need to Succeed
byScott W. Ambler
 
‘Analyzing Application Logs Using AI’ Webinar
byTier1 app
 
Build Modern Applications with Amazon Aurora DSQL- AWS User Group Bonn 2026
byVadym Kazulkin
 
Ontwikkel sneller en veiliger met GitHub Copilot
byDelta-N
 
Routing Guidelines: Unlocking Smarter Query Routing in MySQL Architectures
byMiguel Araújo
 
Prompt Engineering vs Content Engineering vs RAG.pdf
byVineet Sharma
 

Using new sentinel features in terraform cloud

  • 1.
    Copyright © 2020HashiCorp Using New Sentinel Features in Terraform Cloud and Terraform Enterprise Roger Berlind Technology Specialist HashiCorp
  • 2.
    Copyright © 2020HashiCorp ▪ Sentinel in Terraform Cloud (TFC) and Terraform Enterprise (TFE) ▪ Two New Sentinel Features – Sentinel Modules – Terraform Sentinel v2 Imports ▪ The Evolution of Sentinel Policies ▪ Some Prototypical Third-Generation Sentinel Policies ▪ The Third-Generation Common Functions ▪ Testing and Using the Third Generation Sentinel Policies ▪ A Demo Agenda
  • 3.
    Copyright © 2020HashiCorp Sentinel in Terraform Cloud and Terraform Enterprise
  • 4.
    Copyright © 2020HashiCorp ▪ HashiCorp's Sentinel is a framework for implementing governance policies as code in the same way that Terraform implements infrastructure as code. ▪ It includes its own language and is embedded in HashiCorp's enterprise products. ▪ Using Sentinel ensures that your governance policies are actually being checked rather than just being listed in a spreadsheet. ▪ It supports fine-grained policies that use conditional logic. ▪ It includes a CLI that allows you to test and run policies. What is Sentinel?
  • 5.
    Copyright © 2020HashiCorp Terraform Cloud and Terraform Enterprise ▪ A User Interface ▪ Workspace Management ▪ Team Management ▪ State Management ▪ Secure Variable Management ▪ Remote Runs and State ▪ VCS Integrations ▪ HTTP/JSON API ▪ Private Module Registry ▪ Configuration Editor ▪ Sentinel (policy as code) ▪ SSO via SAML Integration ▪ Audit Logging Terraform Cloud (TFC) includes the following advanced functionality that makes it easier for teams and organizations to use Terraform: Customers can install Terraform Enterprise (TFE) servers to self-host TFC in their own virtual private networks or in their data centers.
  • 6.
    Copyright © 2020HashiCorp ▪ Sentinel policies are checked between the standard plan and apply steps of Terraform runs. ▪ Policies have different enforcement levels: advisory, soft-mandatory, and hard-mandatory. ▪ Violations prevent runs from being applied unless a user with sufficient authority overrides them. ▪ Sentinel policies can evaluate the attributes (arguments and exported attributes) of existing and new resources and data sources based on information from the current run: – the plan, the configuration, the current state, and other run data including cost estimates ▪ This ensures that resources comply with all policies before they are provisioned. Where is Sentinel Used in Terraform?
  • 7.
    Copyright © 2020HashiCorp How Terraform Works Without Sentinel VCS Terraform Infrastructureplan & apply
  • 8.
    Copyright © 2020HashiCorp How Terraform Works With Sentinel VCS Terraform Cloud Workspace Infrastructureplan Sentinel Policy Checks apply If cost estimates are enabled, they run right after the plan.
  • 9.
    Copyright © 2020HashiCorp All Policy Checks Passed
  • 10.
    Copyright © 2020HashiCorp ▪ HashiCorp customers are using Sentinel to implement governance policies like the following in Terraform Cloud/Enterprise: – Enforce security standards: ▪ Require all S3 buckets use the private ACL and be encrypted by KMS. ▪ Restrict which roles the AWS provider can assume. ▪ Blacklist/whitelist resources, data sources, providers, or provisioners. – Avoid excessive costs: ▪ Limit the sizes of VMs and Kubernetes clusters in public clouds. ▪ Limit the monthly spend of each Terraform workspace. – Enforce mandatory tags on resources provisioned by Terraform. – Mandate that all modules come from a Private Module Registry. – Enforce specific Terraform coding conventions. How Customers are Using Sentinel in Terraform
  • 11.
    Copyright © 2020HashiCorp Two New Sentinel Features
  • 12.
    Copyright © 2020HashiCorp ▪ A Sentinel Module defines Sentinel functions and rules in a file that can be used by Sentinel policies with a single import statement. ▪ This avoids the need to paste the functions into every policy that calls them, improving the reusability of Sentinel functions. ▪ Sentinel modules are registered in Sentinel CLI configuration files and in TFC/TFE policy set configuration files. ▪ The terraform-guides repository includes 5 "third-generation" modules: – tfplan-functions, tfstate-functions, tfconfig-functions, tfrun-functions, and aws-functions ▪ Each function is documented in a separate MD file. ▪ Note that these are NOT standard functions. Sentinel Modules
  • 13.
    Copyright © 2020HashiCorp ▪ The new v2 versions of three Terraform Sentinel imports (tfplan, tfstate, and tfconfig) are aligned more closely with native Terraform 0.12 data structures. ▪ This makes the v2 imports easier to use than the v1 imports. ▪ Additionally, since resource instances are stored in a single flat map that spans across all Terraform modules and resource types, it is much easier to find all resources instances of a specific type or a sub-collection of them. ▪ However, there is a catch: – The v2 imports can only be used with Terraform 0.12. New v2 Versions of the Terraform Sentinel Imports
  • 14.
    Copyright © 2020HashiCorp ▪ The tfplan/v2 gives data generated from Terraform plans. – https://www.terraform.io/docs/cloud/sentinel/import/tfplan-v2.html ▪ The tfconfig/v2 import gives data about the Terraform configuration. – https://www.terraform.io/docs/cloud/sentinel/import/tfconfig-v2.html ▪ The tfstate/v2 import gives data about the current state of a workspace. – https://www.terraform.io/docs/cloud/sentinel/import/tfstate-v2.html ▪ The tfrun import provides metadata for Terraform runs and their workspaces as well as cost estimate data. (There is no v2 version of it.) – https://www.terraform.io/docs/cloud/sentinel/import/tfrun.html Sentinel Imports in Terraform
  • 15.
    Copyright © 2020HashiCorp The Evolution of Sentinel Policies
  • 16.
    Copyright © 2020HashiCorp ▪ The first-generation policies were written in late 2018 and used the original Terraform Sentinel v1 imports. ▪ They had several short-comings, including the following: – Most of the policies did not print violation messages for resources that violated them. – They stopped evaluating conditions as soon as a single resource instance violated them. – They failed when resources that were being destroyed violated conditions. – Their use of default Sentinel output was overly verbose. The First-Generation Policies
  • 17.
    Copyright © 2020HashiCorp ▪ The second-generation policies were written in 2019 and used the original Terraform Sentinel v1 imports: ▪ They made the following improvements: – They offloaded most processing from rules into some common parameterized functions. – Those common functions were written in a way that caused all violations of all rules to be reported. – They printed out the full address of each resource instance that did violate a policy. – By using a single main rule, they suppressed most of Sentinel’s default, overly verbose output. – They skipped resources that were being destroyed but not recreated. The Second-Generation Policies
  • 18.
    Copyright © 2020HashiCorp ▪ The new third-generation policies were written in the spring of 2020 and use the new Terraform Sentinel v2 imports and Sentinel modules. ▪ They have the following advantages: – Their use of the v2 imports and the Sentinel filter expression makes it easier to restrict policies to specific operations performed by Terraform. – The common functions defined in Sentinel modules do not need to be pasted into policies that use them. – Most of the policies do not have any for loops of if/else conditionals. This makes the policies easier to understand and copy. – They can evaluate the value of any attribute of any resource or data source, even those that are deeply nested. ▪ However, since they do use the v2 imports, they can only be used with Terraform 0.12 The New Third-Generation Policies
  • 19.
    Copyright © 2020HashiCorp Some Prototypical Third- Generation Sentinel Policies
  • 20.
    Copyright © 2020HashiCorp ▪ I'll review four prototypical third-generation Sentinel policies in order of increasing sophistication: – restrict-ec2-instance-type.sentinel (AWS) – restrict-vm-cpu-and-memory.sentinel (VMware) – restrict-vm-disk-size.sentinel (VMware) – restrict-publishers-of-current-vms.sentinel (Azure) Some Prototypical Third-Generation Policies
  • 21.
    Copyright © 2020HashiCorp The Third-Generation Common Functions
  • 22.
    Copyright © 2020HashiCorp ▪ As mentioned earlier, there are third-generation Sentinel modules with common functions for each of the Terraform Sentinel imports. ▪ The tfplan and tfstate modules have the following functions: – Find functions that find resources, data sources, and blocks. – Filter functions that filter collections of resources, data sources, or blocks. These each return two maps: resources and messages. – The evaluate_attribute function that can evaluate any attribute of any resource, data source, or block, even if deeply nested. – The to_string and print_violation functions that are used by the other functions. ▪ There is also a Sentinel module with some AWS-specific functions. The Third-Generation Common Functions
  • 23.
    Copyright © 2020HashiCorp Testing and Using the Third- Generation Sentinel Policies
  • 24.
    Copyright © 2020HashiCorp ▪ All the third-generation Sentinel policies have test cases and mocks that support testing the policies with the Sentinel CLI ▪ Do the following: – Download the Sentinel CLI from the Sentinel Downloads page. – Unzip the zip file and place the sentinel binary in your path. – Fork the terraform-guides repository and clone your fork to your local machine. – Navigate to any of the cloud directories (aws, azure, gcp, or vmware) or to the cloud-agnostic directory. – Run sentinel test to test all policies for that cloud. – Run sentinel test -run=<partial_policy_name> -verbose to test individual policies, using a string that partially matches name. Testing Policies with the Sentinel CLI
  • 25.
    Copyright © 2020HashiCorp { "modules": { "tfplan-functions": { "path": "../../../common-functions/tfplan-functions/ tfplan-functions.sentinel" } }, "mock": { "tfplan/v2": "mock-tfplan-pass.sentinel" }, "test": { "main": true } } An Example Test Case that References a Module
  • 26.
    Copyright © 2020HashiCorp ▪ After successfully testing a policy with the CLI and possibly also on TFC itself, you will want to deploy it to your TFC/TFE organizations. ▪ If you have not already added the policy to a policy set in your organizations, do that at this time. ▪ Add the new policy to an existing policy set that is already applied against desired workspaces, or create a new policy set for the policy and apply that policy set to desired workspaces across your organizations. ▪ Also add any parameters the policy requires to your policy set. ▪ And add references to any Sentinel Modules that policies in it use. Deploying Policies in TFC or TFE
  • 27.
    Copyright © 2020HashiCorp ▪ Here is an example policy set: module "tfplan-functions" { source = "../common-functions/tfplan-functions/tfplan -functions.sentinel" } policy "restrict-ec2-instance-type" { source = "./restrict-ec2-instance-type.sentinel" enforcement_level = "soft-mandatory" } Example Policy Set
  • 28.
    Copyright © 2020HashiCorp Demo
  • 29.
    Copyright © 2020HashiCorp ▪ Here are some useful Links ▪ Documentation – https://www.terraform.io/docs/cloud/sentinel/index.html – https://www.terraform.io/docs/cloud/sentinel/manage- policies.html – https://docs.hashicorp.com/sentinel ▪ Other Resources: – Blog for this webinar – Sentinel in Terraform v2 Workshop (including hands-on Instruqt track that teaches you how to write and test policies) Some Useful Links
  • 30.

Editor's Notes

  • #2 These slides are intended to accompany the Sentinel for Terraform v2 workshop They should be used with the Sentinel for Terraform v2 Instruqt track: https://instruqt.com/hashicorp/tracks/sentinel-for-terraform-v2
  • #4 Let's talk about Sentinel and how it fits into Terraform Cloud and Terraform Enterprise. We'll also discuss how customers are using Sentinel in TFC and TFE.
  • #5 Sentinel is a framework for implementing governance policies as code It has its own language It has a CLI for testing and running policies
  • #6 Let's level set about Terraform Cloud and Terraform Enterprise Note that Terraform Cloud (TFC) refers both to the actual application used and the implementation hosted by HashiCorp at app.terraform.io. Since TFE uses the TFC application, we will mostly just talk about TFC. But anything we say about TFC is true of TFE too except when we discuss very new features that have been released to TFC. But those new features generally end up in TFE within 4-6 weeks.
  • #7 Let's talk about where Sentinel is used in TFC and TFE. It is run between the plan and the apply of a run. If cost estimates are enabled for a workspace, the Sentinel policies are checked after the cost estimates are collected. "Arguments" are the inputs to Terraform resources and data sources. Each resource and data source also exports certain attributes that are computed during the apply. These are called "exported attributes". But since the arguments or a resource are also exported, it is common to use "attributes" to refer to the union of a resource's arguments and exported attributes.
  • #8 Here is how Terraform works without Sentinel.
  • #9 Here is how Terraform works with Sentinel. Note that if cost estimates are enabled for the workspace, they will run right after the plan.
  • #10 A screenshot from TFC showing that all policy checks passed for a run.
  • #11 Let's talk about some use cases for Sentinel in TFC and TFE.
  • #12 Let's spend some time discussing the Sentinel language.
  • #13 Sentinel modules allow for the reuse of Sentinel functions and rules. They are registered in Sentinel CLI configuration files and in TFC/TFE policy set configuration files.
  • #14 Sentinel has some builtin functions that you can use in any policy.
  • #15 This is a good point to discuss the Terraform-specific Sentinel imports. Terraform Cloud/Enterprise adds 4 Sentinel imports beyond the standard ones. This version of the workshop uses the v2 versions of the tfplan, tfconfig, and tfstate imports. The v2 versions are more closely aligned to Terraform 0.12's internal data structures. There is only 1 version of the tfrun import.
  • #16 Now we will do the first two workshop challenges on the Instruqt platform
  • #17 The first-generation policies had several limitations.
  • #18 The second-generation policies made many improvements.
  • #19 The new workshop exercises leverage the Instruqt platform and make solving the exercises much easier. Be sure to use the Sentinel Instruqt track that ends in v2, not the one that ends in v1.
  • #20 Now let's walk through the basic 8 step methodology of the Writing and Testing Sentinel Policies for Terraform guide.
  • #21 This slide gives the basic 8 step methodology of writing and testing Sentinel policies from the Writing and Testing Sentinel Policies for Terraform guide. We will focus on 5-7 in this workshop.
  • #22 Now let's walk through the basic 8 step methodology of the Writing and Testing Sentinel Policies for Terraform guide.
  • #23 After testing new Sentinel policies with the Sentinel CLI, you can test them in an organization on a TFC or TFE server.
  • #24 While we won't be using Sentinel in Terraform Cloud or Terraform Enterprise today, we did want to review this topic After all, that is where your Sentinel policies will really be running. You'll get a chance to complete and test some more Sentinel policies with the Sentinel CLI after this section.
  • #25 After testing new Sentinel policies with the Sentinel CLI, you can test them in an organization on a TFC or TFE server.
  • #26 The stanza at the top declares a Sentinel Modules with functions that can be called by Sentinel policies that import them. In this case, the file "tfplan-functions.sentinel" is being declared as the module "tfplan-functions". Recall that when we imported it in our policy, we gave it the alias "plan". We also indicate that the test case should use the mock-tfplan-pass.sentinel mock and that the main rule should evaluate to true. If using tfconfig/v2, tfstate/v2, or tfrun mock files, you need to specify the mock type accordingly (instead of using "tfplan/v2").
  • #27 After testing a policy with the Sentinel CLI and possibly in a TFC/TFE organization, you'll want to deploy it to your TFC organizations.
  • #28 You'll need to create policy sets that contain the policies you want to use in TFC or TFE You can now specify Sentinel modules in your policy sets, but the modules must be in or under the directory with the sentinel.hcl file at this time. In the near future, we will support loading of modules from remote locations.
  • #29 While we won't be using Sentinel in Terraform Cloud or Terraform Enterprise today, we did want to review this topic After all, that is where your Sentinel policies will really be running. You'll get a chance to complete and test some more Sentinel policies with the Sentinel CLI after this section.
  • #31 Thanks for attending the Sentinel in Terraform Workshop or reviewing these slides.