Generate policy mock data
Terraform Cloud generates mock data during terraform plan operations in CLI or VCS-backed Terraform Cloud workspaces. You can import this mock data into Sentinel to test policies. Sentinel can use several types of imports from the Terraform Cloud API: configuration, plan, state, and run.
Note: Terraform Cloud Free Edition includes one policy set of up to five policies. In Terraform Cloud Plus Edition, you can connect a policy set to a version control repository or create policy set versions via the API. Refer to Terraform Cloud pricing for details.
In this tutorial, you will use Terraform Cloud to generate mock data.
Prerequisites
For this tutorial, you will need:
- The Sentinel CLI
- A Terraform Cloud account with access to the owners group
- A GitHub account
- An AWS account to create example resources
You should also be familiar with how to configure VCS-driven workspaces and destroy Terraform Cloud workspaces.
Fork the example repository
Fork the example repository, which contains Terraform configuration to provision an EC2 instance.
Create a Terraform Cloud workspace
Navigate to your Terraform Cloud organization and create a new VCS-backed workspace connected to your fork of the learn-sentinel-tfc repository.
Configure workspace variables
Navigate to your learn-sentinel-tfc workspace's Variables page. Define environment variables for your AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY. Be sure to set both as sensitive.
Generate mock import data
Navigate to your learn-sentinel-tfc workspace in Terraform Cloud. Select Start new run from the Actions menu, and select the Plan only option.
When you run a remote terraform plan operation, Terraform Cloud generates a collection of files called mocks. The mocks contain Terraform plan data that you can use to test your Sentinel policies.
After the plan completes, click Download Sentinel mocks.
Create a local Sentinel development directory
On your local machine, create a new directory named learn-sentinel-policies for your Sentinel development environment.
Change into the directory.
Unzip the mock data file you downloaded from Terraform Cloud into your Sentinel development environment. Change the run-xxxx filename to match the one you downloaded.
This directory contains the following mock files for you to use to test and develop Sentinel policies.
Review the mock data files
Open the sentinel.hcl file and review its contents.
Each of the mock data files contains information Terraform captures during the plan operation. Sentinel parses these files when you import them into your policies.
Sentinel uses the four Terraform Cloud imports to define policy rules: plan, configuration, state, and run.
- The tfplan import contains the data of a Terraform plan. The plan data represent the changes that Terraform needs to make to infrastructure to reach the desired state represented by the configuration.
- The tfconfig import contains the data describing a Terraform configuration, the set of ".tf" files that you write to describe the desired infrastructure state.
- The tfstate import contains data describing the Terraform state, the file Terraform uses to map real-world resources to your configuration.
- The tfrun import contains data associated with a run in Terraform Cloud, such as the run's workspace.
Sentinel also has a library of standard imports that you can use as part of your policies, such as ones to perform time functions and string operations.
When testing your policies, import the mock data file that has the data relevant to your policy. For example, if you want your policy to validate the proposed changes to your infrastructure, use the tfplan import to determine if the planned resources meet your criteria.
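As an added example (not part of this tutorial or the learn-sentinel-tfc repository), the policy below shows what a tfplan-based check looks like when run against the downloaded mocks. It uses the tfplan/v2 import to inspect the EC2 instance the example configuration plans to create and fails the run if the instance type is not on an approved list. The allowed_types list, the policy file name restrict-instance-type.sentinel, and the presence of a tfplan/v2 mock entry in the downloaded sentinel.hcl are assumptions made for this example.

```sentinel
# restrict-instance-type.sentinel (example policy, not from the tutorial)
# Guardrail: only approved EC2 instance types may be created or updated.
import "tfplan/v2" as tfplan

# Assumed approved list; adjust to your organization's standard.
allowed_types = ["t2.micro", "t3.micro"]

# Select managed aws_instance resources that the plan will create or update.
# Deleted resources have no "after" state, so they are excluded.
ec2_instances = filter tfplan.resource_changes as _, rc {
	rc.type is "aws_instance" and
	rc.mode is "managed" and
	(rc.change.actions contains "create" or rc.change.actions contains "update")
}

# Any selected instance whose planned instance_type is not approved is a violation.
violations = filter ec2_instances as _, rc {
	rc.change.after.instance_type not in allowed_types
}

# Print the offending addresses so the run log explains the failure.
print_violations = func() {
	for violations as address, rc {
		print("instance", address, "uses disallowed type", rc.change.after.instance_type)
	}
	return true
}

# The policy passes only when there are no violations.
main = rule {
	print_violations() and
	length(violations) is 0
}
```

With the policy saved next to the unzipped mocks, running sentinel apply restrict-instance-type.sentinel from that directory uses the mock modules declared in sentinel.hcl in place of a live Terraform Cloud run. To exercise the failing path without changing real infrastructure, copy the mock-tfplan-v2.sentinel file, edit the instance_type value in the copy, and point the tfplan/v2 mock entry at the edited copy.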
Delete workspace
If you are continuing on to the next tutorial, skip this step.
Terraform Cloud does not charge per workspace, so you can keep the workspace if you will complete the remaining tutorials later. To delete it, navigate to your workspace's Settings, then select Destruction and Deletion and follow the prompts to delete the workspace.
Next steps
You generated Sentinel mock data using Terraform Cloud and reviewed the different types of Sentinel imports. To learn more about Sentinel and how to enforce policies, review the following resources:
- Learn how to Write a Sentinel Policy.
- Learn how to Test a Sentinel Policy.
- Learn how to Upload a Sentinel Policy Set to Terraform Cloud.
- Review the Mocking Terraform Sentinel data documentation to learn more about how to use mock data to develop your policies.
- Learn more about import in the Sentinel Language Specification Documentation.