
Sentinel Policies

Prerequisites: Before starting this guide, make sure you've successfully completed a run.

Creating Policies

In your Terraform Cloud UI, create a new workspace called "Sentinel" and configure it with your AWS credentials as environment variables. Next, fork https://github.com/tr0njavolta/sentinel-demo.git to your VCS account of choice. Once forked and cloned, link the repository to your Terraform Cloud "Sentinel" workspace. We'll create some resources with this demo and see Sentinel working in practice.

Back in our terminal, we'll make some changes to the Terraform config in this repo:

terraform {
  backend "remote" {
    organization = "<YOUR-ORG>"
    workspaces {
      name = "<YOUR-WORKSPACE>"
    }
  }
}

provider "aws" {
  region = "us-west-2"
}


data "aws_ami" "ubuntu" {
  most_recent = true

  filter {
    name   = "name"
    values = ["ubuntu/images/hvm-ssd/ubuntu-trusty-14.04-amd64-server-*"]
  }

  filter {
    name   = "virtualization-type"
    values = ["hvm"]
  }

  owners = ["099720109477"] # Canonical
}

resource "aws_instance" "web" {
  ami           = data.aws_ami.ubuntu.id
  instance_type = "t2.micro"
}

Creating Policies & Policy Sets

Committing and pushing this to your Git repository should trigger a Terraform Cloud plan. However, we also want to ensure that members of your Terraform Cloud organization abide by your company or organization standards. Next, we will look at one way to apply a Sentinel policy to your workspace.

In the Terraform Cloud UI, navigate to Settings > Policies > Create a new policy.

[Screenshot: New Policy]

Add the example policy here and name it "Tags_Enforced". Terraform Cloud supports three enforcement levels for policies: hard-mandatory, soft-mandatory, and advisory. We will choose hard-mandatory here and then fail the policy on purpose to see what happens.
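A tag-enforcing policy of the kind this step asks for, written here as an added example; it is not the policy linked from the guide or code from the demo repository. It assumes the tfplan/v2 import and treats "Name" as the only mandatory tag, the tag the guide adds to the instance further down.

```sentinel
import "tfplan/v2" as tfplan

# Tags every aws_instance must carry (assumed list; extend to your standard)
mandatory_tags = ["Name"]

# aws_instance resources this plan will create or update
aws_instances = filter tfplan.resource_changes as _, rc {
	rc.type is "aws_instance" and
	rc.mode is "managed" and
	(rc.change.actions contains "create" or rc.change.actions contains "update")
}

# True when one instance carries every mandatory tag. When the tags block
# is omitted entirely (the first run in this guide) the attribute is null,
# so that case is handled explicitly instead of erroring on a null lookup.
has_mandatory_tags = func(instance) {
	tags = instance.change.after.tags else null
	if tags is null {
		return false
	}
	return all mandatory_tags as tag {
		tag in keys(tags)
	}
}

# Collect offenders and print them so the run page shows what to fix
violators = filter aws_instances as _, instance {
	not has_mandatory_tags(instance)
}

for violators as address, _ {
	print("aws_instance", address, "is missing one of", mandatory_tags)
}

# Under hard-mandatory enforcement a false result blocks the apply
main = rule {
	length(violators) is 0
}
```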

[Screenshot: New Policy, continued]

Once the policy is created, we can create policy sets to apply one or more policies to a single workspace. This is particularly useful if your organization has test workspaces and production workspaces that may need more granular security.

Triggering Sentinel Checks

Create a policy set called "Single_Workspace" and set the scope of the policies to selected workspaces. The policy now belongs to a set and will be checked on every run in that workspace. In your terminal, trigger another terraform plan and follow the URL to see what happens under this policy now.

[Screenshot: Plan Failure]

This speculative plan fails (as expected!) and the resources are not created. If we push a change to the repo that adds a tag:

...
resource "aws_instance" "web" {
  ami           = data.aws_ami.ubuntu.id
  instance_type = "t2.micro"
  tags = {
    Name = "Wolverine"
  }
}

[Screenshot: Plan Success]

When we commit and push these changes, Terraform Cloud will trigger an apply operation, but the policy check still has to pass first. Once the UI shows that the policy has passed, we can confirm and apply the changes.