Enforcing Standards on Terraform with HashiCorp Sentinel

Overview

Dive into a comprehensive tutorial on enforcing standards and best practices across Terraform code using HashiCorp's policy-as-code tool, Sentinel. Learn everything needed to get started with Sentinel, from writing policies from scratch to implementing vetted policies from the Terraform Registry. Explore the main components of Sentinel, understand policy as code concepts, and follow along with a detailed demo on creating and implementing Sentinel policies. Discover how to use Sentinel with Terraform Cloud Workspaces, handle resources with calculated values, and leverage existing policies for immediate production use. Gain insights into writing effective rules, using predicate rules, and integrating Sentinel into your infrastructure automation workflow.

Syllabus

- Introductions
- Agenda
- What is Policy as Code?
- What is HashiCorp Sentinel?
- What are the main components of Sentinel and getting started?
- Context for the Demo
- High level steps for getting Sentinel up and running
- Beginning of the Demo - Writing a Sentinel Policy from Scratch
- Creating the Sentinel root file
- Writing the Sentinel policy file
Q - - How does Sentinel work with Terraform Plan files?
Q - - What are Sentinel Params?
- Looking through changed resources in Sentinel
- Pulling tag values off of AWS EC2 instances in Sentinel
- Writing the rule helper and informational failure messages
- Grabbing all EC2 instances violating the Sentinel rules
Q - - is it better to write positive or negative test with Sentinel?
- Understanding and Using "Predicate Rules" in Sentinel
- Wrapping the "Predicate Rules" in a "Main Rule"
- Using the Sentinel policy with Terraform Cloud Workspaces
- Using existing Sentinel policies with Terraform Cloud Workspaces
Q - - Can you use Sentinel Policies with resources that have calculated values? e.g. post apply
- Summary and Conclusion