Generate Policy Mock Data
Note
This functionality is available in the Terraform Cloud Team & Governance tier, as well as Enterprise. Organization owners can enable a 30-day free trial in their settings under "Plan & Billing".
Terraform Cloud generates mock data during terraform plan operations in CLI or VCS-backed Terraform Cloud workspaces. You can import this mock data into Sentinel to test policies. Sentinel can use several types of imports from the Terraform Cloud API: configuration, plan, state, and run.
In this tutorial, you will use Terraform Cloud to generate mock data.
Prerequisites
For this tutorial, you will need:
- The Sentinel CLI
- A Terraform Cloud account with access to the owners group
- A GitHub account
- An AWS account to create example resources
You should also be familiar with how to configure VCS-driven workspaces and destroy Terraform Cloud workspaces.
Fork the sample repository
Fork the sample repository, which contains an example Terraform configuration to provision an EC2 instance.
Navigate to the versions.tf file in your fork of the repository in the GitHub web UI, and click the pencil icon in the top right corner.
In the backend configuration block, replace "<YOUR_TERRAFORM_ORG>" with the name of your Terraform Cloud organization. Commit the change.
Create a Terraform Cloud workspace
Navigate to your Terraform Cloud organization and create a new VCS-backed workspace connected to your fork of the learn-sentinel-tfc repository.
Configure workspace variables
Navigate to your learn-sentinel-tfc workspace's "Variables" page.
Define environment variables for your AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY. Be sure to set both as sensitive.
Generate mock import data
Navigate to your learn-sentinel-tfc workspace in Terraform Cloud. Select "Start new plan" from the "Actions" menu, and run the default "Plan (most common)" option.
When you run a remote terraform plan operation, Terraform Cloud generates a group of files called mocks. These files contain mock data that you can use to test your Sentinel policies.
When the plan operation finishes, the Terraform Cloud UI will have a new option to "Download Sentinel Mocks".
Click "Download the Sentinel Mocks". Navigate to your downloads directory in your terminal.
Create a local Sentinel development directory
On your local machine, create a new directory named learn-sentinel-policies for your Sentinel development environment.
Change into the directory.
Unzip the mock data file you downloaded from Terraform Cloud into your Sentinel development environment. Change your run-xxxx filename to match the one you downloaded.
This directory should have the following files for you to test.
Review the mock data files
Open the sentinel.json file for review. Your file contents will be similar to those below.
Each of the mock data files contains information Terraform captures during the plan operation. Sentinel parses these files when you import them into your policies. When testing your policies, import the mock data file that is appropriate for the restrictions or requirements defined in your policies.
Sentinel uses the four Terraform Cloud imports to define policy rules: plan, configuration, state, and run.
- tfplan - This provides access to a Terraform plan, the file Terraform creates as a result of a plan. The plan data represent the changes that Terraform needs to make to infrastructure to reach the desired state represented by the configuration.
- tfconfig - This provides access to data describing a Terraform configuration, the set of ".tf" files that you write to describe the desired infrastructure state.
- tfstate - This provides access to data describing the Terraform state, the file Terraform uses to map real-world resources to your configuration.
- tfrun - This provides access to data associated with a run in Terraform Cloud, such as the run's workspace.
In addition to these, Sentinel also has a library of standard imports.
In the Terraform workflow, your terraform plan command creates an execution plan to determine which operations to run against your infrastructure. The output of terraform plan in the CLI represents the resources Terraform will create when you approve the plan. For a policy like the one in your requirements above, you would choose the tfplan import in your Sentinel policy files to determine if the planned resources meet your criteria.
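As an added illustration (not part of the original tutorial or the sample repository), the policy below uses the tfplan import against the downloaded mocks to check the planned EC2 instance. The allowed instance types, the mandatory tag names, and the get_aws_instances helper are assumptions chosen for this example; the mock file name mock-tfplan.sentinel is the one sentinel.json is assumed to map the tfplan import to.

```sentinel
# Example policy (not from the tutorial): evaluate planned aws_instance
# resources from the tfplan mock generated by Terraform Cloud.
import "tfplan"

# Collect every aws_instance from every module in the plan.
# Returns a list of maps, each keyed by resource index.
get_aws_instances = func() {
  instances = []
  for tfplan.module_paths as path {
    instances += values(tfplan.module(path).resources.aws_instance) else []
  }
  return instances
}

aws_instances = get_aws_instances()

# Assumed requirement: only small instance types may be provisioned.
allowed_types = ["t2.micro", "t2.small"]

# Assumed requirement: every instance must carry these tags so the
# owner and lifetime of the resource can be traced.
mandatory_tags = ["Name", "owner"]

# Resources being destroyed are skipped; only planned (applied) values
# of surviving resources are checked.
instance_type_allowed = rule {
  all aws_instances as _, instances {
    all instances as _, r {
      r.destroy or (r.applied.instance_type in allowed_types)
    }
  }
}

tags_present = rule {
  all aws_instances as _, instances {
    all instances as _, r {
      r.destroy or all mandatory_tags as t {
        r.applied.tags contains t
      }
    }
  }
}

# The policy passes only when both rules hold for every planned instance.
main = rule {
  instance_type_allowed and tags_present
}
```

Run it from the learn-sentinel-policies directory with the Sentinel CLI so that sentinel.json resolves the tfplan import to the mock file; a failing rule names the instance attribute that violated the requirement.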
Delete workspace
If you do not plan on exploring other Sentinel tutorials, you can delete the workspace you created. Terraform Cloud does not charge per workspace, so you are free to leave it if you would like.
Under your workspace's "Settings" menu, select the "Destruction and Deletion" option and then delete the workspace.
Next steps
You generated Sentinel mock data using Terraform Cloud and reviewed the different types of Sentinel imports. To learn more about Sentinel and how to enforce policies, review the following resources:
- Learn how to Write a Sentinel Policy
- Learn how to Test a Sentinel Policy
- Learn how to Upload a Sentinel Policy Set to Terraform Cloud
- Learn more about the different Terraform-specific import types on the Terraform Cloud Defining Policies documentation page.
- Learn more about import in the Sentinel Language Specification Documentation.