SE Hangout

Using Sentinel Policies Across Multiple Terraform Cloud Organizations

Learn how to enforce, test, and version control policy as code across Terraform teams and organizations using Sentinel.

One of the most important features of Terraform Cloud's Teams & Governance tier and Terraform Enterprise is Sentinel, which lets you implement and enforce infrastructure governance policies as code.

In this webinar, HashiCorp solutions engineer Roger Berlind demonstrates how to use and share a common set of Sentinel policies (Policy Sets) stored in a Version Control System (VCS) repository across multiple Terraform organizations.

Storing policy sets and their policies in a repository avoids the need to maintain multiple copies of the policies. Additionally, changes made to them in the master branch of the repository are automatically updated across all Terraform organizations that use them.

He'll also discuss how GitHub Actions can be used to automatically run Sentinel Simulator test cases against policy sets that are modified in pull requests. This ensures that modified policies that fail your Sentinel Simulator test cases cannot be merged into the master branch or used in your Terraform organizations.
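To make that pull-request gate concrete, here is an added example (not from the webinar or from HashiCorp) of a GitHub Actions workflow that runs the Sentinel Simulator's test cases whenever a pull request changes the policy set; the `policies/` layout and the `SENTINEL_VERSION` placeholder are assumptions.

```yaml
# Added example, not part of the webinar: run Sentinel Simulator test cases on
# pull requests that touch the policy set, so a policy whose tests fail cannot
# be merged once this job is a required status check.
# Assumptions: policies live under policies/, each with a test/<policy-name>/
# directory of pass/fail cases; SENTINEL_VERSION is a placeholder to pin.
name: sentinel-policy-tests

on:
  pull_request:
    paths:
      - "policies/**"

permissions:
  contents: read

jobs:
  sentinel-test:
    runs-on: ubuntu-latest
    env:
      SENTINEL_VERSION: "X.Y.Z"   # placeholder: pin an actual Sentinel release
    steps:
      - uses: actions/checkout@v4

      - name: Install Sentinel Simulator (checksum-verified)
        run: |
          set -euo pipefail
          base="https://releases.hashicorp.com/sentinel/${SENTINEL_VERSION}"
          curl -fsSLO "${base}/sentinel_${SENTINEL_VERSION}_linux_amd64.zip"
          curl -fsSLO "${base}/sentinel_${SENTINEL_VERSION}_SHA256SUMS"
          # Fail the job if the downloaded archive does not match the published sum.
          sha256sum --check --ignore-missing "sentinel_${SENTINEL_VERSION}_SHA256SUMS"
          mkdir -p "$HOME/bin"
          unzip -o "sentinel_${SENTINEL_VERSION}_linux_amd64.zip" -d "$HOME/bin"
          echo "$HOME/bin" >> "$GITHUB_PATH"

      - name: Run test cases for every policy in the set
        working-directory: policies
        run: |
          set -euo pipefail
          sentinel version
          # `sentinel test` discovers test/<policy>/*.hcl for each *.sentinel file
          # and exits non-zero if any case does not produce its expected result.
          sentinel test -verbose
```

Make this job a required status check in the repository's branch protection for the master branch; otherwise a failing run is only advisory and the merge is still possible.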

Outline

  • 0:00 — Intro to Sentinel and version controlling policies as code
  • 11:50 — Managing Sentinel policies across multiple teams and organizations
  • 14:57 — Demo: Sentinel policy sets for Terraform Cloud
  • 31:44 — Q&A

Q&A

  • If you’re just getting started with Sentinel in Terraform Cloud, where do you recommend getting started?
  • Is it possible to write Sentinel policies that only apply to specific team members and not others?
  • Can we create policies that would check for Terraform best practices? For example: check .tf files to make sure that variables are in a file named variables.tf for a given module/all modules in a repo.
  • Do you have an example of how to check your Sentinel changes with GitLab (as opposed to GitHub)? What is a use case for hardening and compliance policies?
  • Can you implement a policy that checks the total cost estimates across your organization or policy set over a period of time that takes into account multiple workspaces?
  • Can a soft fail require specific people or teams to approve the change? For example, the team leader might be the only one that should be able to approve a high-risk change.
  • How would you create a policy that checks for the usage of a specific resource? For example, say we only want people to use our custom modules.
  • Are there any webhook integrations?

Additional resources

There is a companion blog post for this webinar on the HashiCorp Solutions Engineering Blog.
