Sentinel and Terraform Enterprise demo
Nov 01, 2017
Explore Sentinel, HashiCorp's policy-as-code framework, and its integration into Terraform Enterprise.
Sentinel is an embeddable policy as code framework to enable fine-grained, logic-based policy decisions that can be extended to source external information to make decisions.
This is the Terraform Enterprise UI. As you can see, I've already created a workspace called Sentinel demo. I haven't run any Terraform plans yet. If we come over into the console, you can see that I have a relatively simple AWS configuration in my Terraform config. This configuration is already hooked up in my workspace in Terraform Enterprise.
Come back over here into the UI and enter our organization's settings page, you'll see on the left-hand side we have a new item called Sentinel Policy. This allows us to create organization level policies. Organization level policies apply to all workspaces within that organization. Let's create a new policy. The policy name is a simple string identifier to identify the policy. We'll call this one all-instances-have-tags. The enforcement mode determines what happens in policy failure scenarios. We're going to choose advisory to start, which simply logs the errors and moves on.
Policy code is where we enter the Sentinel policy. This policy uses the tfplan import to grant us access to the Terraform plan data. Down here in the main rule, we iterate all AWS instance resources and check that each one of them has at least one tag. If we save this policy, we can head over into the workspace view to then queue our first plan. During the run, we should see the plan run normally. Shortly after, we should see it enter the new policy check phase. This is where the policy is actually enforced. You can see that here we have an advisory failure on the organization policy.
If we expand the output, we can see which policy it was that has the failure. In this case, it was all-instances-have-tags. This was an advisory failure. We still have the option to confirm and apply anyways or to discard the plan. We'll discard the plan in this case so that we can show the other enforcement modes. Coming into the policy settings page, we can change the advisory mode up to soft-mandatory. Soft-mandatory enforcement mode requires that an organization owner override any policy failure prior to it being applied. So, if we queue a new plan, we should see the plan go through once again. We should see the policy check fail in the same way.
This time the options available to us are a bit different. Overriding & Continue is available. Because I'm an organization owner, I can override the policy and allow it to be applied. If I were simply a workspace owner, I wouldn't see this option, and my only option would be to discard the plan. I can leave a comment here and then override this policy failure. You'll notice that the override doesn't automatically confirm the plan. There's still the option to confirm and apply here. At this point, the workspace owner would be able to come in and confirm and apply if they so chose. For now, we're going to discard the time.
Coming back into the policy settings once more will change the mode to hard-mandatory. Hard-mandatory mode requires that policies pass and does not allow anyone to override any failures. So, if we queue a new run, we should see the plan go through once more. We should see the policy check fail in the same way. Only this time, we don't have any option to override the policy. To make this policy pass, we can add a couple of tags into our ADWS instance resource. We'll add a single tag Name = hello. We'll commit this and we'll commit this and we'll push it up to GitHub.
This should automatically queue a new run in Terraform Enterprise. So, if we go to the latest run, we see that there's already a run planning. The plan succeeds and then the policy check also succeeds. Policy check has succeeded because you can see in the Terraform plan output that we do have tags present. At this point we're clear to go ahead and confirm and apply the plan.
The Sentinel integration in Terraform Enterprise is available to all beta users today. We hope you enjoy using it. Thanks for watching.