
Announcing HashiCorp Sentinel 0.16

Sentinel 0.16 unifies the policy authoring workflow by including HCL support and expanding the standard imports.

Today, we are pleased to announce the release of Sentinel 0.16. This release introduces several enhancements that improve the policy development experience: a standardized policy configuration syntax, the ability to manage policies from a central source, and a new import in the Sentinel standard library.

» HCL Configuration Format

The Sentinel CLI configuration file can now be written in HCL. Until now, HCL was only used to define Policy Sets for Terraform Cloud. This change brings Sentinel in line with other HashiCorp products: the configuration consumed by sentinel apply and the test configuration consumed by sentinel test can both now use HCL syntax.

For more information and examples on the new syntax format, see the configuration file documentation.

» Policy Sets

Policy block definitions can also take advantage of the HCL configuration format. This feature was already available within Terraform Cloud, and this release adds support within the Sentinel CLI. An example policy definition is as follows:

  policy "terraform-maintenance-windows" {
    source            = "./terraform-maintenance-windows.sentinel"
    enforcement_level = "hard-mandatory"
  }

Previously, policy authors had to run local policies one at a time with the sentinel apply command. That workflow was fine when developing a single policy file, but became unwieldy as a library of policies grew.

With the addition of the policy configuration block, sentinel apply now evaluates every policy defined in the configuration file. To do this, run sentinel apply without a policy argument from the working directory that contains your Sentinel configuration file:

  $ sentinel apply
  Pass - terraform-maintenance-windows.sentinel

For further details on defining a policy, see the policy configuration documentation.

» Remote Sources

Rounding out the additions in 0.16 is support for remotely sourced policies and modules. This lets Sentinel files be shared across configurations and encourages code reuse.

» Definition

To add a remote source, supply a URL as the source attribute of a policy or module definition, making sure it meets the remote sources guidelines. The following example fetches a policy from a git repository:

  policy "remote-policy" {
    source            = "git::https://github.com/hashicorp/example.git//remote-policy.sentinel"
    enforcement_level = "hard-mandatory"
  }

Policies and modules, as well as modules within a test configuration, can all be defined with a remote source. When sentinel apply is run, policies and modules are fetched and made available to the runtime. When sentinel test is run, test modules are downloaded and made available for test cases to use. Because these files are fetched at evaluation time, pin shared sources to an immutable git ref (a tag or commit) rather than a branch head, so that the policy being enforced is the one that was reviewed; see the remote sources guidelines for the supported URL forms.

» Apply Command

To simplify evaluating a remote policy, sentinel apply can now evaluate a policy by its key within a configuration. For example, the policy "remote-policy" block above defines a remote policy with the key remote-policy. To evaluate it, run sentinel apply remote-policy; all existing flags continue to work as before.

This is only a brief overview of the support for remote sources. Be sure to check out both the documentation for the new init command, and the remote source guidelines.

» Semantic Version Import

As part of the 0.16 release, we are also adding a new version import to the Sentinel standard library. This import gives policy authors the ability to parse versions and version constraints, and supports both arbitrary versions and versions that follow the semver.org specification.

Previously, versions were handled through string manipulation with the strings import, casting the pieces to int:

  import "tfplan/v2" as tfplan
  import "strings"

  v = strings.split(tfplan.terraform_version, ".")
  version_minor = int(v[1])
  version_patch = int(v[2])

  main = rule {
    version_minor is 12 and version_patch >= 19
  }

With the version import, versions are parsed and their components are available directly:

  import "tfplan/v2" as tfplan
  import "version"

  v = version.new(tfplan.terraform_version)

  main = rule {
    v.minor == 12 and v.patch >= 19
  }

For more information and examples, see the version import documentation.
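As an added illustration (written in Python rather than Sentinel, and not part of the original post or of HashiCorp's version import), the block below implements semver 2.0.0 parsing, precedence and constraint evaluation, then runs both it and the post's split-and-cast check over constructed Terraform version strings. The Version class, the satisfies helper and its ~> pessimistic operator are this example's own (the operator follows the HashiCorp go-version convention: ~> 0.12.19 means >= 0.12.19 and < 0.13.0), not the Sentinel API.

```python
"""Why 'split on dots and cast' is not version parsing (added example, not Sentinel code)."""
import re
from functools import total_ordering

# MAJOR.MINOR.PATCH[-prerelease][+build]; an optional leading "v" is tolerated.
_SEMVER_RE = re.compile(
    r"^v?(?P<major>0|[1-9]\d*)\.(?P<minor>0|[1-9]\d*)\.(?P<patch>0|[1-9]\d*)"
    r"(?:-(?P<pre>[0-9A-Za-z-]+(?:\.[0-9A-Za-z-]+)*))?"
    r"(?:\+(?P<build>[0-9A-Za-z-]+(?:\.[0-9A-Za-z-]+)*))?$"
)


@total_ordering
class Version:
    """A parsed semantic version; ordering follows semver.org precedence rules."""

    def __init__(self, text):
        m = _SEMVER_RE.match(text.strip())
        if not m:
            raise ValueError(f"not a semantic version: {text!r}")
        self.major, self.minor, self.patch = (int(m[k]) for k in ("major", "minor", "patch"))
        self.prerelease = tuple(m["pre"].split(".")) if m["pre"] else ()
        self.build = m["build"]  # build metadata never affects precedence

    def _key(self):
        # A release outranks any pre-release of the same number (1.0.0-rc.1 < 1.0.0);
        # numeric pre-release identifiers compare as numbers and rank below alphanumeric ones.
        pre = tuple((0, int(p), "") if p.isdigit() else (1, 0, p) for p in self.prerelease)
        return (self.major, self.minor, self.patch, 1 if not self.prerelease else 0, pre)

    def __eq__(self, other):
        return self._key() == other._key()

    def __lt__(self, other):
        return self._key() < other._key()

    def __str__(self):
        s = f"{self.major}.{self.minor}.{self.patch}"
        return s + ("-" + ".".join(self.prerelease) if self.prerelease else "")


def naive_check(text):
    """The post's 'before' policy transliterated: split on '.' and cast to int."""
    v = text.split(".")
    return int(v[1]) == 12 and int(v[2]) >= 19


def naive_or_error(text):
    """Run naive_check but report, rather than raise, the ValueError a pre-release triggers."""
    try:
        return naive_check(text)
    except ValueError:
        return "error"


_CONSTRAINT_RE = re.compile(r"^\s*(~>|>=|<=|!=|>|<|=)?\s*(\S+)\s*$")


def _pad(text):
    """Accept '0.12' or '0.12.19'; return a full three-part Version and the part count given."""
    parts = text.lstrip("v").split(".")
    return Version(".".join(parts + ["0"] * (3 - len(parts)))), len(parts)


def satisfies(version_text, constraint_text):
    """Evaluate a comma-separated constraint list such as '>= 0.12.19, < 0.13.0'.

    '~>' is the pessimistic operator: '~> 0.12.19' allows patch bumps only
    (>= 0.12.19, < 0.13.0) and '~> 0.12' allows minor bumps (>= 0.12.0, < 1.0.0).
    """
    v = Version(version_text)
    for clause in constraint_text.split(","):
        m = _CONSTRAINT_RE.match(clause)
        if not m:
            raise ValueError(f"bad constraint clause: {clause!r}")
        op, want = m.group(1) or "=", m.group(2)
        lower, given = _pad(want)
        if op == "~>":
            upper = Version(f"{lower.major}.{lower.minor + 1}.0") if given == 3 \
                else Version(f"{lower.major + 1}.0.0")
            ok = lower <= v < upper
        else:
            ok = {"=": v == lower, "!=": v != lower, ">": v > lower,
                  ">=": v >= lower, "<": v < lower, "<=": v <= lower}[op]
        if not ok:
            return False
    return True


# Constructed sample of terraform_version values a plan might report (not real plan data).
SAMPLE_VERSIONS = ["0.12.19", "0.12.9", "0.12.20-rc1", "0.13.0"]

if __name__ == "__main__":
    for s in SAMPLE_VERSIONS:
        print(f"{s:14} naive={naive_or_error(s)!s:6} parsed={satisfies(s, '>= 0.12.19')}")
```

The sample shows the two ways the split-and-cast approach goes wrong: a pre-release such as 0.12.20-rc1 makes int() raise and the policy errors out instead of evaluating, and pinning minor to 12 means a newer 0.13.0 fails a check whose real intent is "at least 0.12.19". A parsed constraint states that intent in one place and orders pre-releases correctly (0.13.0-beta1 is below 0.13.0 but above 0.12.19).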

» Available Now

These additions, together with closer alignment with existing integrations, make authoring, mocking, and testing Sentinel policies more seamless for engineers. Get started now by downloading the latest version of the Sentinel CLI from the Sentinel download page.

For more information on Sentinel language and specification, visit the Sentinel documentation page. If you would like to engage with the community to discuss information related to Sentinel use cases and best practices, visit the HashiCorp Community Forum.
