https://docs.hashicorp.com/sentinel/ https://github.com/hashicorp/tfe-policies-example https://docs.hashicorp.com/sentinel/language/
Sentinel is a language and framework for policy built to be embedded in existing software to enable fine-grained, logic-based policy decisions. A policy describes under what circumstances certain behaviors are allowed. Sentinel is an enterprise-only feature of HashiCorp Consul, Nomad, Terraform, and Vault.
vagrant up --provision-with basetools,docsify,sentinel
Bringing machine 'user.local.dev' up with 'virtualbox' provider...
==> user.local.dev: Checking if box 'ubuntu/bionic64' version '20191218.0.0' is up to date...
==> user.local.dev: [vagrant-hostsupdater] Checking for host entries
==> user.local.dev: [vagrant-hostsupdater] found entry for: 10.9.99.10 user.local.dev
==> user.local.dev: Running provisioner: sentinel (shell)...
user.local.dev: Running: /var/folders/7j/gsrjvmds05n53ddg28krf4_80001p9/T/vagrant-shell20200310-40084-1bbypjm.sh
user.local.dev: Reading package lists...
user.local.dev: Building dependency tree...
user.local.dev:
user.local.dev: Reading state information...
user.local.dev: unzip is already the newest version (6.0-21ubuntu1).
user.local.dev: jq is already the newest version (1.5+dfsg-2).
user.local.dev: curl is already the newest version (7.58.0-2ubuntu3.8).
user.local.dev: 0 upgraded, 0 newly installed, 0 to remove and 6 not upgraded.
user.local.dev: ++++ Sentinel Simulator v0.9.2 already installed at /usr/local/bin/sentinel
user.local.dev: hour = 4
user.local.dev: main = rule { hour >= 0 and hour < 12 }
user.local.dev: ++++ cat /tmp/policy.sentinel
user.local.dev: hour = 4
user.local.dev: main = rule { hour >= 0 and hour < 12 }
user.local.dev: ++++ sentinel apply /tmp/policy.sentinel
user.local.dev: Pass
user.local.dev: ++++ Let's test some more advanced Sentinel Policies
user.local.dev: ++++ https://github.com/hashicorp/tfe-policies-example
user.local.dev: ++++ https://docs.hashicorp.com/sentinel/language/
user.local.dev: ++++ sentinel test aws-block-allow-all-cidr.sentinel
user.local.dev: PASS - aws-block-allow-all-cidr.sentinel
user.local.dev: PASS - test/aws-block-allow-all-cidr/empty.json
user.local.dev: PASS - test/aws-block-allow-all-cidr/fail.json
user.local.dev: PASS - test/aws-block-allow-all-cidr/pass.json
user.local.dev: ERROR - test/aws-block-allow-all-cidr/plan.json
user.local.dev:
user.local.dev: ++++ sentinel apply -config ./test/aws-block-allow-all-cidr/pass.json aws-block-allow-all-cidr.sentinel
user.local.dev: Pass
user.local.dev: ++++ sentinel apply -config ./test/aws-block-allow-all-cidr/fail.json aws-block-allow-all-cidr.sentinel
user.local.dev: Fail
user.local.dev:
user.local.dev: Execution trace. The information below will show the values of all
user.local.dev: the rules evaluated and their intermediate boolean expressions. Note that
user.local.dev: some boolean expressions may be missing if short-circuit logic was taken.
user.local.dev: FALSE - aws-block-allow-all-cidr.sentinel:69:1 - Rule "main"
user.local.dev: TRUE - aws-block-allow-all-cidr.sentinel:70:2 - ingress_cidr_blocks
user.local.dev: TRUE - aws-block-allow-all-cidr.sentinel:50:2 - all get_resources("aws_security_group") as sg {
user.local.dev: all sg.applied.ingress as ingress {
user.local.dev: all disallowed_cidr_blocks as block {
user.local.dev: ingress.cidr_blocks not contains block
user.local.dev: }
user.local.dev: }
user.local.dev: }
user.local.dev: FALSE - aws-block-allow-all-cidr.sentinel:71:2 - egress_cidr_blocks
user.local.dev: FALSE - aws-block-allow-all-cidr.sentinel:60:2 - all get_resources("aws_security_group") as sg {
user.local.dev: all sg.applied.egress as egress {
user.local.dev: all disallowed_cidr_blocks as block {
user.local.dev: egress.cidr_blocks not contains block
user.local.dev: }
user.local.dev: }
user.local.dev: }
user.local.dev:
user.local.dev: FALSE - aws-block-allow-all-cidr.sentinel:59:1 - Rule "egress_cidr_blocks"
user.local.dev:
user.local.dev: TRUE - aws-block-allow-all-cidr.sentinel:49:1 - Rule "ingress_cidr_blocks"
user.local.dev:
user.local.dev: ++++ sentinel test aws-alb-redirect.sentinel
user.local.dev: PASS - aws-alb-redirect.sentinel
user.local.dev: PASS - test/aws-alb-redirect/empty.json
user.local.dev: PASS - test/aws-alb-redirect/fail.json
user.local.dev: PASS - test/aws-alb-redirect/pass.json
user.local.dev: ERROR - test/aws-alb-redirect/plan.json
user.local.dev:
user.local.dev: ++++ sentinel apply -config ./test/aws-alb-redirect/fail.json aws-alb-redirect.sentinel
user.local.dev: Fail
user.local.dev:
user.local.dev: Execution trace. The information below will show the values of all
user.local.dev: the rules evaluated and their intermediate boolean expressions. Note that
user.local.dev: some boolean expressions may be missing if short-circuit logic was taken.
user.local.dev: FALSE - aws-alb-redirect.sentinel:69:1 - Rule "main"
user.local.dev: FALSE - aws-alb-redirect.sentinel:70:2 - default_action
user.local.dev: FALSE - aws-alb-redirect.sentinel:49:2 - all get_resources("aws_lb_listener") as ln {
user.local.dev: all ln.applied.default_action as action {
user.local.dev:
user.local.dev: all action.redirect as rdir {
user.local.dev:
user.local.dev: rdir.status_code == redirect_status_code
user.local.dev: }
user.local.dev: }
user.local.dev: }
user.local.dev:
user.local.dev: FALSE - aws-alb-redirect.sentinel:48:1 - Rule "default_action"
user.local.dev:
user.local.dev: ++++ sentinel apply -config ./test/aws-alb-redirect/pass.json aws-alb-redirect.sentinel
user.local.dev: Pass