HashiConf Our community conference is taking place in San Francisco and online October 10-12. Register now
Terraform
Policy

Generate Policy Mock Data

  • 5min

  • Team & Governance
  • Terraform

Note

This functionality is available in the Terraform Cloud Team & Governance tier, as well as Enterprise. Organization owners can enable a 30-day free trial in their settings under "Plan & Billing".

Terraform Cloud generates mock data during terraform plan operations in CLI or VCS-backed Terraform Cloud workspaces. You can import this mock data into Sentinel to test policies. Sentinel can use several types of imports from the Terraform Cloud API: configuration, plan, state, and run.

In this tutorial, you will use Terraform Cloud to generate mock data.

Prerequisites

For this tutorial, you will need:

You should also be familiar with how to configure VCS-driven workspaces and destroy Terraform Cloud workspaces.

Fork the sample repository

Fork the sample repository, which contains an example Terraform configuration to provision an EC2 instance.

Fork learn-sentinel-tfc repository

Navigate to the versions.tf file in your fork of the repository in the Github web UI, and click the pencil icon in the top right corner.

Edit versions.tf file in Github

In the backend configuration block, replace "<YOUR_TERRAFORM_ORG>" with the name of your Terraform Cloud organization. Commit the change.

Create a Terraform Cloud workspace

Navigate to your Terraform Cloud organization and create a new VCS-backed workspace connected to your fork of the learn-sentinel-tfc repository.

Configure workspace variables

Navigate to your learn-sentinel-tfc workspace's "Variables" page.

Define environment variables for your AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY. Be sure to set both as sensitive.

Generate mock import data

Navigate to your learn-sentinel-tfc workspace in Terraform Cloud. Select "Start new plan" from the "Actions" menu, and run the default "Plan (most common)" option.

When you run a remote terraform plan operation, Terraform Cloud generates a group of files called mocks. These files contain mock data that you can use to test your Sentinel policies.

When the plan operation finishes, the Terraform Cloud UI will have a new option to "Download Sentinel Mocks".

Download the mock data in the Terraform Cloud UI from the run tab

Click "Download the Sentinel Mocks". Navigate to your downloads directory in your terminal.

Create a local Sentinel development directory

On your local machine, create a new directory named learn-sentinel-policies for your Sentinel development environment.

$ mkdir ../learn-sentinel-policies

Change into the directory.

$ cd ../learn-sentinel-policies

Unzip the mock data file you downloaded from Terraform Cloud into your Sentinel development environment. Change your run-xxxx filename to match the one you downloaded.

$ tar xzf <DOWNLOADS_PATH>/run-xxxx-sentinel-mocks

This directory should have the following files for you to test.

$ tree
.
├── mock-tfconfig-v2.sentinel
├── mock-tfconfig.sentinel
├── mock-tfplan-v2.sentinel
├── mock-tfplan.sentinel
├── mock-tfrun.sentinel
├── mock-tfstate-v2.sentinel
├── mock-tfstate.sentinel
└── sentinel.json

Review the mock data files

Open the sentinel.json file for review. Your file contents will be similar to those below.

{
  "mock": {
    "tfconfig": "mock-tfconfig.sentinel",
    "tfconfig/v1": "mock-tfconfig.sentinel",
    "tfconfig/v2": "mock-tfconfig-v2.sentinel",
    "tfplan": "mock-tfplan.sentinel",
    "tfplan/v1": "mock-tfplan.sentinel",
    "tfplan/v2": "mock-tfplan-v2.sentinel",
    "tfrun": "mock-tfrun.sentinel",
    "tfstate": "mock-tfstate.sentinel",
    "tfstate/v1": "mock-tfstate.sentinel",
    "tfstate/v2": "mock-tfstate-v2.sentinel"
  }
}

Each of the mock data files contains information Terraform captures during the plan operation. Sentinel parses these files when you import them into your policies. When testing your policies, import the mock data file that is appropriate for the restrictions or requirements defined in your policies.

Sentinel uses the four Terraform Cloud imports to define policy rules: plan, configuration, state, run.

  1. tfplan - This provides access to a Terraform plan, the file Terraform creates as a result of a plan. The plan data represent the changes that Terraform needs to make to infrastructure to reach the desired state represented by the configuration.
  2. tfconfig - This provides access to data describing a Terraform configuration, the set of ".tf" files that you write to describe the desired infrastructure state.
  3. tfstate - This provides access to data describing the Terraform state, the file Terraform uses to map real-world resources to your configuration.
  4. tfrun - This provides access to data associated with a run in Terraform Cloud, such as the run's workspace.

In addition to these, Sentinel also has a library of standard imports.

In the Terraform workflow, your terraform plan command creates an execution plan to determine which operations to run against your infrastructure. The output of terraform plan in the CLI represents the resources Terraform will create when you approve the plan. For a policy like the one in your requirements above, you would choose the tfplan import in your Sentinel policy files to determine if the planned resources meet your criteria.

Delete workspace

If you do not plan on exploring other Sentinel tutorials, you can delete the workspace you created. Terraform Cloud does not charge per workspace, so you are free to leave it if you would like.

Under your workspace's "Settings" menu, select the "Destruction and Deletion" option and then delete the workspace.

Next steps

You generated Sentinel mock data using Terraform Cloud and reviewed the different types of Sentinel imports. To learn more about Sentinel and how to enforce policies, review the following resources:

Previous
Next