Upload your Sentinel policy set to HCP Terraform

5min
|
Terraform Cloud
Terraform

To enable Sentinel policy enforcement on your Terraform runs, you must upload your policy to your HCP Terraform organization. In this tutorial, you will create a new Sentinel policy set in your organization, configure a workspace to apply your policy, and trigger the Sentinel policy checks.

Note

HCP Terraform Free Edition includes one policy set of up to five policies. In HCP Terraform Plus Edition, you can connect a policy set to a version control repository or create policy set versions via the API. Refer to HCP Terraform pricing for details.

Prerequisites

For this tutorial you will need:

An HCP Terraform or Terraform Enterprise account
Access to the owners group of your Terraform organization
A GitHub account
An AWS account to create example resources

You should also be familiar with how to configure a VCS-driven workspace and destroy HCP Terraform workspaces.

Fork the example repository

Fork the example repository, which contains Terraform configuration to provision an EC2 instance.

Fork learn-sentinel-tfc repository

Create an HCP Terraform workspace

Navigate to your HCP Terraform organization and create a new VCS-backed workspace connected to your fork of the learn-terraform-sentinel repository.

Configure workspace variables

Navigate to your learn-terraform-sentinel workspace's "Variables" page.

Define a variable called instance_type and set the value to t2.large.

Define environment variables for your AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY. Be sure to set both as sensitive.

When complete, your variable definitions will match the following:

HCP Terraform workspace variables

Fork the Sentinel policy set repository

Now fork the example policy repository, which contains a Sentinel policy and rule enforcement definition.

The restrict-aws-instances-type-and-tag.sentinel file contains a Sentinel policy that defines a main rule that consists of two other rules defining infrastructure requirements:

The mandatory_instance_tags rule checks that all EC2 instances have a Name tag.
The instance_types_allowed rule checks that EC2 instances are of type t2.micro, t2.small, or t2.medium.

Tip

To review the policy used in this tutorial and how to use Sentinel mock data when writing Sentinel policies in more detail, visit the Write a Sentinel Policy for a Terraform Deployment tutorial.

You must list all of the policies defined in the policy repository in the sentinel.hcl file. This file also sets the enforcement level for each policy, which specifies the behavior in the event of a policy failure. HCP Terraform evaluates the policies in the order they appear in this file.

This configuration contains one policy definition.

sentinel.hcl

policy "restrict-aws-instances-type-and-tag" {
  enforcement_level = "hard-mandatory"
}

Notice the configured enforcement_level for your policy. A policy can have one of three enforcement levels:

Advisory (default): The policy can fail. HCP Terraform records all failures in the audit log.
Soft mandatory: In the event of failure, organization owners or users with override permissions can override the policy to let the run proceed. HCP Terraform records all overrides in the audit log.
Hard mandatory: The policy must pass for the run to proceed.

Connect the policy set

In the HCP Terraform UI, navigate to Settings > Policy Sets. Then, click on Connect a new policy set to create a new policy set.

Create new Policy Set

Select your fork of the learn-sentinel-policy-upload repository as the source. For more information or for other VCS connection settings, visit our documentation on VCS Integrations.

Tip

The search bar for policy repositories is case sensitive.

HCP Terraform applies policy sets either across your organization, or to specific workspaces.

On the Configure Settings page:

Select the Sentinel policy framework.
Under Scope of policies, select Policies enforced on selected workspaces.
Select your learn-terraform-sentinel workspace and click Add workspace.
Click Connect policy set.

Tip

You can pin a policy set to a specific runtime version. To do so, choose the Enhanced policy set type, then select a runtime version from the Runtime version drop-down. Policy runtime version management is currently in beta.

Configure policy set workspaces

Trigger a Sentinel Check

Navigate to your learn-terraform-sentinel workspace. Click on the Actions menu and select Plan and apply (standard).

Because you set the instance_type variable to t2.large, this run will fail the policy check because it violates the instance_types_allowed rule. Terraform will not let you apply the plan.

Failed Sentinel policy check

Navigate to the workspace's Variables page and update the value of instance_type to t2.small. Save the variable.

Start another run. This time, Sentinel will validate the proposed changes and let you apply the plan.

Passed Sentinel policy check

Since this is the end of the tutorial, click Discard Run.

Delete the policy set

Navigate back to your policy set under Settings > Policy Sets, then click Delete policy set. Confirm by clicking "Yes, delete policy set".

Delete HCP Terraform policy set

Delete workspace

If you will continue with other policy tutorials, skip this step.

HCP Terraform does not charge per workspace, so you can keep the workspace if you will complete the remaining tutorials later. To delete it, navigate to your workspace's Settings, then select Destruction and Deletion and follow the prompts to delete the workspace.

Next steps

You have now uploaded a Sentinel policy set to HCP Terraform and triggered policy failures and passes. To learn more about Sentinel, review the following resources:

Learn how to Generate Mock Policy Data
Review how to Write a Sentinel Policy
Review how to Test a Sentinel Policy
Review Sentinel and HCP Terraform documentation
Experiment in the Sentinel Playground
Review Sentinel Language Specification documentation
Learn how to use policies from the Terraform registry

Testing

Cost estimation