Announcing HashiCorp Sentinel 0.16
Sentinel 0.16 unifies the policy authoring workflow by including HCL support and expanding the standard imports.
Today, we are pleased to announce the release of Sentinel 0.16. The release of 0.16 introduces several feature enhancements that improve the development experience. Recent additions include a standardized policy configuration syntax, the ability to manage policies from a central source, as well as a new import in the Sentinel standard library.
»HCL Configuration Format
The Sentinel CLI configuration file can now be defined using the HCL format. HCL has previously only been available to supply configurations in the form of Policy Sets for Terraform Cloud. This improvement brings Sentinel in-line with other HashiCorp products by allowing the configuration of sentinel apply and the test configuration of sentinel test to now use the HCL syntax.
For more information and examples on the new syntax format, see the configuration file documentation.
»Policy Sets
Policy block definitions can also take advantage of the HCL configuration update. This feature was already available within Terraform Cloud, and this release adds support within the Sentinel CLI. An example policy definition is as follows:
policy "terraform-maintenance-windows" { source = "./terraform-maintenance-windows.sentinel" enforcement_level = "hard-mandatory"}Previously, as part of the development process, policy authors were required to execute local policies one at a time using the sentinel apply command. This workflow was fine when developing a single policy file, but became pretty unwieldy when applied to an ever-increasing library of policies.
With the addition of the policies configuration block, sentinel apply will now evaluate all policies within a configuration file automatically. This is achieved by, running sentinel apply without a policy argument within the working directory of your Sentinel configuration file.
$ sentinel applyPass - terraform-maintenance-windows.sentinel For further details on defining a policy, see the policy configuration documentation.
»Remote Sources
To finish up the list of additions to Sentinel in 0.16 is the support for defining remotely sourced policies and modules. This allows for Sentinel files to be shared and encourages code reuse.
»Definition
To add a remote source, simply supply a URL to the source attribute on either a policy or module definition, ensuring it meets the remote sources guidelines. An example of fetching a policy from a git repository is found below:
policy "remote-policy" { source = "git::https://github.com/hashicorp/example.git//remote-policy.sentinel" enforcement_level = "hard-mandatory"}Policies and modules, as well as modules within a test configuration, can all be defined with a remote source. When sentinel apply is run, policies and modules will be fetched and available to the runtime. When sentinel test is run, test modules will be downloaded and available for test cases to utilize.
»Apply Command
To simplify evaluation of a remote policy, sentinel apply can now evaluate policy based on its key within a configuration. For example, the above policy "remote-policy" block defines a remote policy with the key, remote-policy. To evaluate this policy, simply run sentinel apply remote-policy ensuring continued use of existing flags.
This is only a brief overview of the support for remote sources. Be sure to check out both the documentation for the new init command, and the remote source guidelines.
»Semantic Version Import
As part of the 0.16 release, we are also including a new version import in the Sentinel standard import library. This import provides policy authors with the ability to parse versions and version constraints, and supports both arbitrary versions and versions that follow the semver.org specification.
Previously the handling of versions was achieved through some form of string manipulation via the strings import and casting values to an int:
import "tfplan/v2" as tfplanimport "strings" v = strings.split(tfplan.terraform_version, ".")version_minor = int(v[1])version_patch = int(v[2]) main = rule { version_minor is 12 and version_patch >= 19}With the addition of the version import, versions are parsed and values handled accordingly:
import "tfplan/v2" as tfplanimport "version" v = version.new(tfplan.terraform_version) main = rule { v.minor == 12 and v.patch >= 19}For more information and examples, see the version import documentation.
»Available Now
The latest release of Sentinel includes several feature additions and the alignment with existing integrations make the process of authoring, mocking, and testing Sentinel policies seamless for engineers. Get started now by downloading the latest version of the Sentinel CLI from the Sentinel download page.
For more information on Sentinel language and specification, visit the Sentinel documentation page. If you would like to engage with the community to discuss information related to Sentinel use cases and best practices, visit the HashiCorp Community Forum.
Sign up for the latest HashiCorp news
More blog posts like this one
HCP Terraform bridges the skills gap, adds no-code module version upgrades
No-code provisioning module version upgrades are now GA in HCP Terraform, providing validated self-service infrastructure to reduce toil and lower cloud spend.
Introducing The Infrastructure Cloud
Do cloud right with The Infrastructure Cloud from HashiCorp. Unlock developer potential while controlling cloud costs and risk.
A blueprint for cloud success with HashiCorp at Google Cloud Next
A recap of HashiCorp infrastructure and security news and developments from Google Cloud Next, from scaling infrastructure as code to fighting secrets sprawl and more.