Generate policy mock data
HCP Terraform generates mock data during terraform plan
operations in CLI
or VCS-backed HCP Terraform workspaces. You can import this mock data into
Sentinel to test policies. Sentinel can use several types of imports from the
HCP Terraform API: configuration, plan, state, and run.
Note
HCP Terraform Free Edition includes one policy set of up to five policies. In HCP Terraform Plus Edition, you can connect a policy set to a version control repository or create policy set versions via the API. Refer to HCP Terraform pricing for details.
In this tutorial, you will use HCP Terraform to generate mock data.
Prerequisites
For this tutorial, you will need:
- The Sentinel CLI
- An HCP Terraform account with access to the
owners
group - A GitHub account
- An AWS account to create example resources
You should also be familiar with how to configure VCS-driven workspaces and destroy HCP Terraform workspaces.
Fork the example repository
Fork the example repository, which contains Terraform configuration to provision an EC2 instance.
Create an HCP Terraform workspace
Navigate to your HCP Terraform organization and create a new VCS-backed
workspace connected to your fork of the learn-terraform-sentinel
repository.
Configure workspace variables
Navigate to your learn-terraform-sentinel
workspace's Variables page.
Define environment variables for your AWS_ACCESS_KEY_ID
and
AWS_SECRET_ACCESS_KEY
. Be sure to set both as sensitive
.
Generate mock import data
Navigate to your learn-terraform-sentinel
workspace in HCP Terraform. Select Start new run from
the Actions menu, and select the Plan only option.
When you run a remote terraform plan
operation, HCP Terraform generates a collection of files called mocks. The mocks contain Terraform plan data that you can use to test your Sentinel policies.
After the plan completes, click Download Sentinel mocks.
Create a local Sentinel development directory
On your local machine, create a new directory named learn-sentinel-policies
for your Sentinel development environment.
$ mkdir learn-sentinel-policies
Change into the directory.
$ cd learn-sentinel-policies
Unzip the mock data file you downloaded from HCP Terraform into your Sentinel development environment. Change your run-xxxx
filename to match the one you downloaded.
$ tar xzf <DOWNLOADS_PATH>/run-xxxx-sentinel-mocks
This directory contains the following mock files for you to use to test and develop Sentinel policies.
$ tree.├── mock-tfconfig-v2.sentinel├── mock-tfconfig.sentinel├── mock-tfplan-v2.sentinel├── mock-tfplan.sentinel├── mock-tfrun.sentinel├── mock-tfstate-v2.sentinel├── mock-tfstate.sentinel└── sentinel.hcl
Review the mock data files
Open the sentinel.hcl
and review the contents.
sentinel.hcl
mock "tfconfig" { module { source = "mock-tfconfig.sentinel" }} mock "tfconfig/v1" { module { source = "mock-tfconfig.sentinel" }} mock "tfconfig/v2" { module { source = "mock-tfconfig-v2.sentinel" }} mock "tfplan" { module { source = "mock-tfplan.sentinel" }} mock "tfplan/v1" { module { source = "mock-tfplan.sentinel" }} mock "tfplan/v2" { module { source = "mock-tfplan-v2.sentinel" }} mock "tfstate" { module { source = "mock-tfstate.sentinel" }} mock "tfstate/v1" { module { source = "mock-tfstate.sentinel" }} mock "tfstate/v2" { module { source = "mock-tfstate-v2.sentinel" }} mock "tfrun" { module { source = "mock-tfrun.sentinel" }}
Each of the mock data files contains information Terraform captures during the plan operation. Sentinel parses these files when you import them into your policies.
Sentinel uses the four HCP Terraform imports to define policy rules: plan
, configuration
, state
, run
.
- The
tfplan
import contains the data of a Terraform plan. The plan data represent the changes that Terraform needs to make to infrastructure to reach the desired state represented by the configuration. - The
tfconfig
import contains the data describing a Terraform configuration, the set of ".tf" files that you write to describe the desired infrastructure state. - The
tfstate
import contains data describing the Terraform state, the file Terraform uses to map real-world resources to your configuration. - The
tfrun
import contains data associated with a run in HCP Terraform, such as the run's workspace.
Sentinel also has a library of standard imports that you can use as part of your policies, such as ones to perform time functions and string operations.
When testing your policies, import the mock data file that has the data relevant to your policy. For example, if you want your policy to validate the proposed changes to your infrastructure, use the tfplan
import to determine if the planned resources meet your criteria.
Delete workspace
If you are continuing on to the next tutorial, skip this step.
HCP Terraform does not charge per workspace, so you can keep the workspace if you will complete the remaining tutorials later. To delete it, navigate to your workspace's Settings, then select Destruction and Deletion and follow the prompts to delete the workspace.
Next steps
You generated Sentinel mock data using HCP Terraform and reviewed the different types of Sentinel imports. To learn more about Sentinel and how to enforce policies, review the following resources:
- Learn how to Write a Sentinel Policy.
- Learn how to Test a Sentinel Policy.
- Learn how to Upload a Sentinel Policy Set to HCP Terraform.
- Review the Mocking Terraform Sentinel data documentation to learn more about how to use mock data to develop your policies.
- Learn more about
import
in the Sentinel Language Specification Documentation.