Generate policy mock data

5min
|
Terraform Cloud
Terraform

Terraform Cloud generates mock data during terraform plan operations in CLI or VCS-backed Terraform Cloud workspaces. You can import this mock data into Sentinel to test policies. Sentinel can use several types of imports from the Terraform Cloud API: configuration, plan, state, and run.

Note

Terraform Cloud Free Edition includes one policy set of up to five policies. In Terraform Cloud Plus Edition, you can connect a policy set to a version control repository or create policy set versions via the API. Refer to Terraform Cloud pricing for details.

In this tutorial, you will use Terraform Cloud to generate mock data.

Prerequisites

For this tutorial, you will need:

The Sentinel CLI
A Terraform Cloud account with access to the owners group
A GitHub account
An AWS account to create example resources

You should also be familiar with how to configure VCS-driven workspaces and destroy Terraform Cloud workspaces.

Fork the example repository

Fork the example repository, which contains Terraform configuration to provision an EC2 instance.

Fork learn-sentinel-tfc repository

Create a Terraform Cloud workspace

Navigate to your Terraform Cloud organization and create a new VCS-backed workspace connected to your fork of the learn-sentinel-tfc repository.

Configure workspace variables

Navigate to your learn-sentinel-tfc workspace's Variables page.

Define environment variables for your AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY. Be sure to set both as sensitive.

Generate mock import data

Navigate to your learn-sentinel-tfc workspace in Terraform Cloud. Select Start new run from the Actions menu, and select the Plan only option.

When you run a remote terraform plan operation, Terraform Cloud generates a collection of files called mocks. The mocks contain Terraform plan data that you can use to test your Sentinel policies.

After the plan completes, click Download Sentinel mocks.

Download the mock data in the Terraform Cloud UI from the run tab

Create a local Sentinel development directory

On your local machine, create a new directory named learn-sentinel-policies for your Sentinel development environment.

$ mkdir learn-sentinel-policies

Change into the directory.

$ cd learn-sentinel-policies

Unzip the mock data file you downloaded from Terraform Cloud into your Sentinel development environment. Change your run-xxxx filename to match the one you downloaded.

$ tar xzf <DOWNLOADS_PATH>/run-xxxx-sentinel-mocks

This directory contains the following mock files for you to use to test and develop Sentinel policies.

$ tree
.
├── mock-tfconfig-v2.sentinel
├── mock-tfconfig.sentinel
├── mock-tfplan-v2.sentinel
├── mock-tfplan.sentinel
├── mock-tfrun.sentinel
├── mock-tfstate-v2.sentinel
├── mock-tfstate.sentinel
└── sentinel.hcl

Review the mock data files

Open the sentinel.hcl and review the contents.

sentinel.hcl

mock "tfconfig" {
  module {
    source = "mock-tfconfig.sentinel"
  }
}

mock "tfconfig/v1" {
  module {
    source = "mock-tfconfig.sentinel"
  }
}

mock "tfconfig/v2" {
  module {
    source = "mock-tfconfig-v2.sentinel"
  }
}

mock "tfplan" {
  module {
    source = "mock-tfplan.sentinel"
  }
}

mock "tfplan/v1" {
  module {
    source = "mock-tfplan.sentinel"
  }
}

mock "tfplan/v2" {
  module {
    source = "mock-tfplan-v2.sentinel"
  }
}

mock "tfstate" {
  module {
    source = "mock-tfstate.sentinel"
  }
}

mock "tfstate/v1" {
  module {
    source = "mock-tfstate.sentinel"
  }
}

mock "tfstate/v2" {
  module {
    source = "mock-tfstate-v2.sentinel"
  }
}

mock "tfrun" {
  module {
    source = "mock-tfrun.sentinel"
  }
}

Each of the mock data files contains information Terraform captures during the plan operation. Sentinel parses these files when you import them into your policies.

Sentinel uses the four Terraform Cloud imports to define policy rules: plan, configuration, state, run.

The tfplan import contains the data of a Terraform plan. The plan data represent the changes that Terraform needs to make to infrastructure to reach the desired state represented by the configuration.
The tfconfig import contains the data describing a Terraform configuration, the set of ".tf" files that you write to describe the desired infrastructure state.
The tfstate import contains data describing the Terraform state, the file Terraform uses to map real-world resources to your configuration.
The tfrun import contains data associated with a run in Terraform Cloud, such as the run's workspace.

Sentinel also has a library of standard imports that you can use as part of your policies, such as ones to perform time functions and string operations.

When testing your policies, import the mock data file that has the data relevant to your policy. For example, if you want your policy to validate the proposed changes to your infrastructure, use the tfplan import to determine if the planned resources meet your criteria.

Delete workspace

If you are continuing on to the next tutorial, skip this step.

Terraform Cloud does not charge per workspace, so you can keep the workspace if you will complete the remaining tutorials later. To delete it, navigate to your workspace's Settings, then select Destruction and Deletion and follow the prompts to delete the workspace.

Next steps

You generated Sentinel mock data using Terraform Cloud and reviewed the different types of Sentinel imports. To learn more about Sentinel and how to enforce policies, review the following resources:

Learn how to Write a Sentinel Policy.
Learn how to Test a Sentinel Policy.
Learn how to Upload a Sentinel Policy Set to Terraform Cloud.
Review the Mocking Terraform Sentinel data documentation to learn more about how to use mock data to develop your policies.
Learn more about import in the Sentinel Language Specification Documentation.

Install

Policies