Using Sentinel Policies Across Multiple Terraform Cloud Organizations
Sep 26, 2019
Learn how to enforce, test, and version control policy as code across Terraform teams and organizations using Sentinel.
Senior Solutions Engineer, HashiCorp
In this webinar, HashiCorp solutions engineer Roger Berlind demonstrates how to use and share a common set of Sentinel policies (Policy Sets) stored in a Version Control System (VCS) repository across multiple Terraform organizations.
Storing policy sets and their policies in a single repository avoids maintaining multiple copies of the same policies. Additionally, changes merged into the master branch of the repository are picked up automatically by every Terraform organization that uses the policy set.
He'll also discuss how GitHub Actions can be used to automatically run Sentinel Simulator test cases against policy sets that are modified in pull requests. This ensures that modified policies that fail your Sentinel Simulator test cases cannot be merged into the master branch or used in your Terraform organizations.
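The following GitHub Actions workflow is an added illustration of the pull-request gate described above; it is not from the webinar or from HashiCorp. It assumes the repository keeps `*.sentinel` policies at its root with test cases under `test/<policy-name>/`, and that `SENTINEL_VERSION` is pinned to a real Sentinel Simulator release (the value below is a placeholder).

```yaml
name: Sentinel policy tests

on:
  pull_request:
    branches: [master]
    paths:
      - "**.sentinel"
      - "test/**"
      - "sentinel.hcl"

jobs:
  sentinel-test:
    runs-on: ubuntu-latest
    env:
      # Placeholder: pin to the Sentinel Simulator release you actually use.
      SENTINEL_VERSION: "0.0.0"
    steps:
      - uses: actions/checkout@v4

      # Install the Sentinel Simulator CLI from the HashiCorp release archive.
      - name: Install Sentinel Simulator
        run: |
          curl -fsSLo sentinel.zip \
            "https://releases.hashicorp.com/sentinel/${SENTINEL_VERSION}/sentinel_${SENTINEL_VERSION}_linux_amd64.zip"
          unzip -o sentinel.zip -d "$HOME/bin"
          echo "$HOME/bin" >> "$GITHUB_PATH"

      # `sentinel test` discovers test/<policy-name>/*.hcl for every
      # <policy-name>.sentinel in the working directory and exits non-zero
      # when any test case fails, which fails the pull-request check.
      - name: Run Sentinel test cases
        run: sentinel test -verbose
```

Mark the `sentinel-test` job as a required status check in the repository's branch protection for `master` so that a policy change whose test cases fail cannot be merged, and therefore never reaches the Terraform organizations consuming the policy set.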
0:00 — Intro to Sentinel and version controlling policies as code
11:50 — Managing Sentinel policies across multiple teams and organizations
14:57 — Demo: Sentinel policy sets for Terraform Cloud
31:44 — Q&A
- If you’re just getting started with Sentinel in Terraform Cloud, where do you recommend getting started?
- Is it possible to write Sentinel policies that only apply to specific team members and not others?
- Can we create policies that would check for Terraform best practices? For example: check .tf files to make sure that variables are in a file named variables.tf for a given module/all modules in a repo.
- Do you have an example of how to check your Sentinel changes with GitLab (as opposed to GitHub)? What is a use case for hardening and compliance policies?
- Can you implement a policy that checks the total cost estimates across your organization or policy set over a period of time that takes into account multiple workspaces?
- Can a soft fail require specific people or teams to approve the change? For example, the team leader might be the only one that should be able to approve a high-risk change.
- How would you create a policy that checks for the usage of a specific resource? For example, say we only want people to use our custom modules.
- Are there any webhook integrations?