Enforcing Governance with Sentinel in Terraform

In today's fast-paced cloud infrastructure landscape, ensuring compliance, security, and cost control is critical. HashiCorp's Sentinel, a policy-as-code framework, integrates seamlessly with Terraform to enforce governance and compliance policies across your infrastructure. This article will explore how Sentinel works with Terraform, its benefits, and how to get started.


What is Sentinel?

Sentinel is a policy-as-code framework developed by HashiCorp. It allows you to define and enforce policies across HashiCorp tools like Terraform, Vault, Consul, and Nomad. With Sentinel, you can ensure that your infrastructure adheres to organizational standards, security best practices, and compliance requirements before it is provisioned.


Why Use Sentinel with Terraform?

Terraform is a powerful tool for provisioning infrastructure as code (IaC). However, without proper governance, teams can inadvertently deploy non-compliant, insecure, or overly expensive resources. Sentinel addresses this by:

  • Enforcing policies before Terraform applies changes.

  • Preventing misconfigurations that could lead to security vulnerabilities or cost overruns.

  • Ensuring compliance with organizational and regulatory standards.


How Sentinel Works with Terraform

Sentinel integrates with Terraform Cloud and Terraform Enterprise to evaluate policies during Terraform runs. Here's how it works:

  1. Policy Definition: Write Sentinel policies using the Sentinel policy language.

  2. Policy Enforcement: Attach policies to workspaces or organizations in Terraform Cloud/Enterprise.

  3. Policy Evaluation: During a Terraform plan or apply, Sentinel evaluates the plan against the policies.

  4. Policy Outcome: If a policy is violated, the run is either blocked (hard-mandatory) or flagged with a warning (soft-mandatory).

(Figure: Sentinel Workflow in Terraform Cloud / Enterprise)

Key Benefits of Using Sentinel

  1. Governance and Compliance: Enforce organizational standards and regulatory requirements.

  2. Security: Prevent insecure configurations, such as publicly accessible storage buckets.

  3. Cost Control: Limit resource sizes or types to avoid unexpected cloud costs.

  4. Collaboration: Ensure consistent policies across teams and projects.

  5. Real-Time Feedback: Get immediate feedback on policy violations before deployment.

Example Sentinel Policies

Here are some practical examples of Sentinel policies for Terraform. They use the legacy tfplan import, which exposes planned resources keyed by resource type (tfplan.resources.<type>.<name>[<index>]) and, through r.applied, the attribute values the resource will have once the plan is applied. Note that tfplan.resources covers only the root module; resources in child modules are reached through tfplan.module_paths and tfplan.module(path), and new policies should prefer the tfplan/v2 import.

1. Enforce Tagging

Ensure all AWS resources have the required tag keys. Because tfplan.resources is keyed by resource type, the policy walks every type and checks only those whose name starts with "aws_"; resources being destroyed are skipped, since they have no applied state. In practice you would narrow the type list to resources that actually support tags (some AWS resource types do not).

import "tfplan"
import "strings"

required_tags = ["Environment", "Owner"]

main = rule {
  all tfplan.resources as type, names {
    # tfplan.resources is keyed by resource type; only AWS types are checked
    not strings.has_prefix(type, "aws_") or
    all names as _, instances {
      all instances as _, r {
        # Resources being destroyed have no applied state to inspect
        r.destroy or
        all required_tags as tag {
          # `else {}` keeps an unset tags attribute from evaluating to undefined
          (r.applied.tags else {}) contains tag
        }
      }
    }
  }
}

2. Restrict Instance Types

Allow only specific EC2 instance types:

import "tfplan"

allowed_instance_types = ["t2.micro", "t3.micro"]

main = rule {
  # `else {}` guards against undefined when the plan contains no aws_instance
  all (tfplan.resources.aws_instance else {}) as _, instances {
    all instances as _, r {
      # Skip resources being destroyed; they have no applied state
      r.destroy or
      r.applied.instance_type in allowed_instance_types
    }
  }
}

3. Prevent Public S3 Buckets

Block the creation of S3 buckets whose ACL makes them publicly accessible. A bucket with no acl argument defaults to private, so the policy must treat an unset acl as allowed rather than letting the comparison against undefined fail the rule. Keep in mind that the ACL is only one way a bucket becomes public (bucket policies and aws_s3_bucket_public_access_block settings matter too), and that newer AWS provider versions manage the ACL through a separate aws_s3_bucket_acl resource that this policy does not inspect:

import "tfplan"

public_acls = ["public-read", "public-read-write"]

main = rule {
  # `else {}` guards against undefined when the plan contains no aws_s3_bucket
  all (tfplan.resources.aws_s3_bucket else {}) as _, buckets {
    all buckets as _, r {
      # Skip destroys; an unset acl defaults to "private" on AWS
      r.destroy or
      (r.applied.acl else "private") not in public_acls
    }
  }
}
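The three policies above only return true or false, so a failing run tells the author nothing about which resource broke the rule. The following policy is an added example written for this article (it is not from the original post or from HashiCorp); it restates the instance-type restriction with a helper that walks every module path, collects violations into a map keyed by resource address, and prints each one so the feedback described under "Real-Time Feedback" is actionable. It assumes the legacy tfplan import; the helper name find_instances and the addresses in the comments are made up for illustration.

```sentinel
# Added example, not from the original article: policy 2 restructured so a
# failing run reports which instances violate it. Assumes the legacy tfplan
# import; find_instances and the example addresses are illustrative names.
import "tfplan"
import "strings"

allowed_instance_types = ["t2.micro", "t3.micro"]

# Return a map of address -> resource for every aws_instance in the plan.
# tfplan.resources only covers the root module, so walk every module path.
find_instances = func() {
  found = {}
  for tfplan.module_paths as path {
    prefix = ""
    if length(path) > 0 {
      prefix = "module." + strings.join(path, ".module.") + "."
    }
    for (tfplan.module(path).resources.aws_instance else {}) as name, instances {
      for instances as index, r {
        # Builds addresses such as "module.web.aws_instance.app[0]"
        found[prefix + "aws_instance." + name + "[" + string(index) + "]"] = r
      }
    }
  }
  return found
}

# Map of address -> offending instance type, filled in once at policy load
violations = {}
for find_instances() as address, r {
  # Destroys have no applied attributes, so only live instances are checked
  if not r.destroy and r.applied.instance_type not in allowed_instance_types {
    violations[address] = r.applied.instance_type
    # print() writes to the run output, so the author sees the exact failure
    print(address, "uses disallowed instance type:", r.applied.instance_type)
  }
}

main = rule { length(violations) is 0 }
```

Separating "find the resources" from "decide whether they pass" is the pattern to reuse for the tagging and S3 policies as well: each policy then shares one helper, and the rule itself stays a single, readable line.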

Getting Started with Sentinel

1. Set Up Terraform Cloud/Enterprise

Sentinel is available in Terraform Cloud (Team & Governance tier) and Terraform Enterprise. Sign up for an account if you don’t already have one.

2. Write Sentinel Policies

Use the Sentinel policy language to define policies. Start with simple policies and gradually expand as needed.

3. Attach Policies to Workspaces

Attach policies to specific workspaces or organizations in Terraform Cloud/Enterprise.

4. Test and Iterate

Test policies in development environments before enforcing them in production.


Sentinel Policy Lifecycle

  1. Define: Write policies using the Sentinel language.

  2. Test: Use mock data to validate policies.

  3. Enforce: Attach policies to workspaces or organizations.

  4. Monitor: Review policy violations and refine policies as needed.

(Figure: Sentinel Policy Lifecycle)
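The Test and Enforce steps above, and the policy enforcement levels described under "How Sentinel Works", look like this on disk. The files below are an added example written for this article, not from the original post or from HashiCorp: a policy-set sentinel.hcl that attaches the "Restrict Instance Types" policy as hard-mandatory, a sentinel test case asserting that the policy fails, and a hand-written mock of the tfplan import with a constructed m5.large instance. The file names, the policy name restrict-instance-types and the resource "web" are assumptions; the policy file itself is policy 2 from this article saved as restrict-instance-types.sentinel.

```sentinel
# Added example, not from the original article. Assumed layout:
#   restrict-instance-types.sentinel               (policy 2 from above)
#   sentinel.hcl                                   (policy set config)
#   test/restrict-instance-types/fail.hcl          (test case)
#   test/restrict-instance-types/mock-tfplan-fail.sentinel (mock data)
# Run locally with:  sentinel test

# ---- sentinel.hcl -------------------------------------------------------
# Enforcement level per policy: "advisory" only warns, "soft-mandatory" can
# be overridden by a user with permission, "hard-mandatory" always blocks.
policy "restrict-instance-types" {
  source            = "./restrict-instance-types.sentinel"
  enforcement_level = "hard-mandatory"
}

# ---- test/restrict-instance-types/fail.hcl ------------------------------
# Point the tfplan import at constructed mock data and assert the outcome
mock "tfplan" {
  module {
    source = "mock-tfplan-fail.sentinel"
  }
}

test {
  rules = {
    main = false
  }
}

# ---- test/restrict-instance-types/mock-tfplan-fail.sentinel -------------
# Minimal constructed stand-in for the legacy tfplan import: one root-module
# aws_instance named "web" whose instance_type is outside the allowed list.
resources = {
  "aws_instance": {
    "web": {
      0: {
        "applied": {
          "instance_type": "m5.large",
          "tags": {
            "Environment": "dev",
            "Owner":       "platform",
          },
        },
        "destroy":      false,
        "diff":         {},
        "requires_new": false,
      },
    },
  },
}
```

A matching pass.hcl with a t3.micro mock completes the pair; keeping both a passing and a failing case per policy is what catches a rule that silently evaluates to true for every plan (for example because it compares against an undefined attribute).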

Conclusion

Sentinel is a game-changer for enforcing governance, security, and compliance in Terraform. By integrating Sentinel into your Terraform workflows, you can prevent costly mistakes, improve security, and ensure compliance with organizational standards. Start small, iterate, and gradually expand your policy library to build a robust governance framework for your infrastructure.

Useful link: Terraform Cloud Sentinel