Generate policy mock data

5min
|
HCP Terraform
Terraform

HCP Terraform generates mock data during terraform plan operations in CLI or VCS-backed HCP Terraform workspaces. You can import this mock data into Sentinel to test policies. Sentinel can use several types of imports from the HCP Terraform API: configuration, plan, state, and run.

Note

HCP Terraform Free Edition includes one policy set of up to five policies. In HCP Terraform Plus Edition, you can connect a policy set to a version control repository or create policy set versions via the API. Refer to HCP Terraform pricing for details.

In this tutorial, you will use HCP Terraform to generate mock data.

Prerequisites

For this tutorial, you will need:

The Sentinel CLI
An HCP Terraform account with access to the owners group
A GitHub account
An AWS account to create example resources

You should also be familiar with how to configure VCS-driven workspaces and destroy HCP Terraform workspaces.

Fork the example repository

Fork the example repository, which contains Terraform configuration to provision an EC2 instance.

Fork learn-sentinel-tfc repository

Create an HCP Terraform workspace

Navigate to your HCP Terraform organization and create a new VCS-backed workspace connected to your fork of the learn-terraform-sentinel repository.

Configure workspace variables

Navigate to your learn-terraform-sentinel workspace's Variables page.

Define environment variables for your AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY. Be sure to set both as sensitive.

Generate mock import data

Navigate to your learn-terraform-sentinel workspace in HCP Terraform. Select Start new run from the Actions menu, and select the Plan only option.

When you run a remote terraform plan operation, HCP Terraform generates a collection of files called mocks. The mocks contain Terraform plan data that you can use to test your Sentinel policies.

After the plan completes, click Download Sentinel mocks.

Download the mock data in the HCP Terraform UI from the run tab

Create a local Sentinel development directory

On your local machine, create a new directory named learn-sentinel-policies for your Sentinel development environment.

$ mkdir learn-sentinel-policies

Change into the directory.

$ cd learn-sentinel-policies

Unzip the mock data file you downloaded from HCP Terraform into your Sentinel development environment. Change your run-xxxx filename to match the one you downloaded.

$ tar xzf <DOWNLOADS_PATH>/run-xxxx-sentinel-mocks

This directory contains the following mock files for you to use to test and develop Sentinel policies.

$ tree
.
├── mock-tfconfig-v2.sentinel
├── mock-tfconfig.sentinel
├── mock-tfplan-v2.sentinel
├── mock-tfplan.sentinel
├── mock-tfrun.sentinel
├── mock-tfstate-v2.sentinel
├── mock-tfstate.sentinel
└── sentinel.hcl

Review the mock data files

Open the sentinel.hcl and review the contents.

mock "tfconfig" {
  module {
    source = "mock-tfconfig.sentinel"
  }
}

mock "tfconfig/v1" {
  module {
    source = "mock-tfconfig.sentinel"
  }
}

mock "tfconfig/v2" {
  module {
    source = "mock-tfconfig-v2.sentinel"
  }
}

mock "tfplan" {
  module {
    source = "mock-tfplan.sentinel"
  }
}

mock "tfplan/v1" {
  module {
    source = "mock-tfplan.sentinel"
  }
}

mock "tfplan/v2" {
  module {
    source = "mock-tfplan-v2.sentinel"
  }
}

mock "tfstate" {
  module {
    source = "mock-tfstate.sentinel"
  }
}

mock "tfstate/v1" {
  module {
    source = "mock-tfstate.sentinel"
  }
}

mock "tfstate/v2" {
  module {
    source = "mock-tfstate-v2.sentinel"
  }
}

mock "tfrun" {
  module {
    source = "mock-tfrun.sentinel"
  }
}

Each of the mock data files contains information Terraform captures during the plan operation. Sentinel parses these files when you import them into your policies.

Sentinel uses the four HCP Terraform imports to define policy rules: plan, configuration, state, run.

The tfplan import contains the data of a Terraform plan. The plan data represent the changes that Terraform needs to make to infrastructure to reach the desired state represented by the configuration.
The tfconfig import contains the data describing a Terraform configuration, the set of ".tf" files that you write to describe the desired infrastructure state.
The tfstate import contains data describing the Terraform state, the file Terraform uses to map real-world resources to your configuration.
The tfrun import contains data associated with a run in HCP Terraform, such as the run's workspace.

Sentinel also has a library of standard imports that you can use as part of your policies, such as ones to perform time functions and string operations.

When testing your policies, import the mock data file that has the data relevant to your policy. For example, if you want your policy to validate the proposed changes to your infrastructure, use the tfplan import to determine if the planned resources meet your criteria.

Delete workspace

If you are continuing on to the next tutorial, skip this step.

HCP Terraform does not charge per workspace, so you can keep the workspace if you will complete the remaining tutorials later. To delete it, navigate to your workspace's Settings, then select Destruction and Deletion and follow the prompts to delete the workspace.

Next steps

You generated Sentinel mock data using HCP Terraform and reviewed the different types of Sentinel imports. To learn more about Sentinel and how to enforce policies, review the following resources:

Learn how to Write a Sentinel Policy.
Learn how to Test a Sentinel Policy.
Learn how to Upload a Sentinel Policy Set to HCP Terraform.
Review the Mocking Terraform Sentinel data documentation to learn more about how to use mock data to develop your policies.
Learn more about import in the Sentinel Language Specification Documentation.

Install

Policies