Terraform
tfstate/v2 Sentinel import
Note: This is documentation for the next version of the tfstate
Sentinel import, designed specifically for Terraform 0.12. This import requires
Terraform 0.12 or higher, and must currently be loaded by path, using an alias,
example: import "tfstate/v2" as tfstate.
The tfstate/v2 import provides access to a Terraform state.
Note: HCP Terraform Free edition includes one policy set of up to five policies. In HCP Terraform Plus and Premium editions, you can connect a policy set to a version control repository or create policy set versions with the API. Refer to HCP Terraform pricing for details.
The state is the data that Terraform has recorded about a workspace at a particular point in its lifecycle, usually after an apply. You can read more general information about how Terraform uses state here.
NOTE: Since HCP Terraform currently only supports policy checks at plan
time, the usefulness of this import is somewhat limited, as it will usually give
you the state prior to the plan the policy check is currently being run for.
Depending on your needs, you may find the
planned_values collection in
tfplan/v2 more useful, which will give you a predicted state by applying
plan data to the data found here. The one exception to this rule is data
sources, which will always give up to date data here, as long as the data
source could be evaluated at plan time.
The data in the tfstate/v2 import is sourced from the JSON configuration file
that is generated by the terraform show -json command. For more information on
the file format, see the JSON Output Format
page.
Import Overview
The tfstate/v2 import is structured as currently two collections, keyed in
resource address and output name, respectively.
(tfstate/v2)
├── terraform_version (string)
├── resources
│ └── (indexed by address)
│ ├── address (string)
│ ├── module_address (string)
│ ├── mode (string)
│ ├── type (string)
│ ├── name (string)
│ ├── index (float (number) or string)
│ ├── provider_name (string)
│ ├── values (map)
│ ├── depends_on (list of strings)
│ ├── tainted (boolean)
│ └── deposed_key (string)
└── outputs
└── (indexed by name)
├── name (string)
├── sensitive (boolean)
└── value (value)
The collections are:
resources- The state of all resources across all modules in the state.outputs- The state of all outputs from the root module in the state.
These collections are specifically designed to be used with the
filter
quantifier expression in Sentinel, so that one can collect a list of resources
to perform policy checks on without having to write complex module traversal. As
an example, the following code will return all aws_instance resource types
within the state, regardless of what module they are in:
all_aws_instances = filter tfstate.resources as _, r {
r.mode is "managed" and
r.type is "aws_instance"
}
You can add specific attributes to the filter to narrow the search, such as the
module address. The following code would return resources in a module named
foo only:
all_aws_instances = filter tfstate.resources as _, r {
r.module_address is "module.foo" and
r.mode is "managed" and
r.type is "aws_instance"
}
The terraform_version Value
The top-level terraform_version value in this import gives the Terraform
version that recorded the state. This can be used to do version validation.
import "tfstate/v2" as tfstate
import "strings"
v = strings.split(tfstate.terraform_version, ".")
version_major = int(v[1])
version_minor = int(v[2])
main = rule {
version_major is 12 and version_minor >= 19
}
NOTE: The above example will give errors when working with pre-release
versions (example: 0.12.0beta1). Future versions of this import will include
helpers to assist with processing versions that will account for these kinds of
exceptions.
The resources Collection
The resources collection is a collection representing all of the resources in
the state, across all modules.
This collection is indexed on the complete resource address as the key.
An element in the collection has the following values:
address- The absolute resource address - also the key for the collection's index.module_address- The address portion of the absolute resource address.mode- The resource mode, eithermanaged(resources) ordata(data sources).type- The resource type, example:aws_instanceforaws_instance.foo.name- The resource name, example:fooforaws_instance.foo.index- The resource index. Can be either a number or a string.provider_name- The name of the provider this resource belongs to. This allows the provider to be interpreted unambiguously in the unusual situation where a provider offers a resource type whose name does not start with its own name, such as thegooglebetaprovider offeringgoogle_compute_instance.Note: Starting with Terraform 0.13, the
provider_namefield contains the full source address to the provider in the Terraform Registry. Example:registry.terraform.io/hashicorp/nullfor the null provider.values- An object (map) representation of the attribute values of the resource, whose structure depends on the resource type schema. When accessing proposed state through theplanned_valuescollection of the tfplan/v2 import, unknown values will be omitted.depends_on- The addresses of the resources that this resource depends on.tainted-trueif the resource has been explicitly marked as tainted in the state.deposed_key- Set if the resource has been marked deposed and will be destroyed on the next apply. This matches the deposed field in theresource_changescollection in thetfplan/v2import.
The outputs Collection
The outputs collection is a collection of outputs from the root module of the
state.
Note that no child modules are included in this output set, and there is no way to fetch child module output values. This is to encourage the correct flow of outputs to the recommended root consumption level.
The collection is indexed on the output name, with the following fields: