Does anybody have a good development workflow for Sentinel Policies?

I am looking to implement our company’s control objectives in Hashicorp Sentinel. Does anybody have a good development workflow for Sentinel Policies? How are they developing, testing, and promoting Sentinel Policies to production? How are they versioning their policies? Basically, what’s the development workflow for Sentinel Policies in a production grade environment?

Thank you.

Regarding testing policies, there’s some documentation here: https://docs.hashicorp.com/sentinel/writing/testing

So you are able to bake these tests into your CI/CD.
If you are using Terraform Enterprise, the Sentinel version is also described in the release page: https://www.terraform.io/enterprise/releases

The Terraform page also has some good tips around how to extract/use Terraform mocks: https://www.terraform.io/cloud-docs/sentinel/mock

Hope this helps as a starting point in your pipeline design.

EDIT: regarding versioning, in Terraform, you have 2 choices that I can see:

  • Code that is used is from the main branch and that will always be prod.
  • TFC will look into sentinel.hcl and import from whatever source is specified there. Example below:
policy "enforce-module-versions" {
    source = "https://raw.githubusercontent.com/hashicorp/terraform-guides/master/governance/third-generation/cloud-agnostic/require-all-modules-have-version-constraint.sentinel"
    enforcement_level = "hard-mandatory"
}

Please note that source can be a git link as per the documentation.
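To make the two points in the reply above concrete (tests baked into CI, and a sentinel.hcl that pins where each policy comes from), here is an added example that is not code from the thread, from HashiCorp, or from the linked terraform-guides repository. It scaffolds a minimal policy repo: a sentinel.hcl with a local source, one policy, and a pass/fail test pair built from constructed tfplan/v2 mock data, then runs `sentinel test` the way a CI job would. The policy name (require-s3-tags), the resource type and the required tag keys are assumptions chosen for illustration; the test directory layout (test/<policy-name>/<case>.hcl with mock sources relative to the test file) is the one the Sentinel testing docs describe.

```shell
#!/bin/sh
# Added example (not from the thread): scaffold a minimal Sentinel policy repo
# with a pass/fail test pair, then run `sentinel test` the way a CI job would.
# Policy name, resource type and tag keys are assumptions for illustration.
set -eu

scaffold_policy_repo() {
  dir="$1"
  mkdir -p "$dir/test/require-s3-tags"

  # sentinel.hcl: a local source pins the policy to the commit the repo is at;
  # a git/https source (as in the reply) pins it to whatever that URL serves.
  cat > "$dir/sentinel.hcl" <<'EOF'
policy "require-s3-tags" {
  source            = "./require-s3-tags.sentinel"
  enforcement_level = "hard-mandatory"
}
EOF

  cat > "$dir/require-s3-tags.sentinel" <<'EOF'
import "tfplan/v2" as tfplan

required_tags = ["owner", "cost-center"]

# Managed S3 buckets this plan creates or updates.
buckets = filter tfplan.resource_changes as _, rc {
    rc.type is "aws_s3_bucket" and
    rc.mode is "managed" and
    (rc.change.actions contains "create" or rc.change.actions contains "update")
}

# A bucket violates the policy when any required tag key is absent from its
# planned "after" state; `else {}` covers a missing/undefined tags attribute.
violators = filter buckets as _, rc {
    any required_tags as t {
        t not in keys(rc.change.after.tags else {})
    }
}

main = rule { length(violators) is 0 }
EOF

  # One mock + test spec per expected outcome (constructed plan data).
  write_case "$dir" pass true '{ "owner": "platform", "cost-center": "1234" }'
  write_case "$dir" fail false '{ "owner": "platform" }'
}

# Write a tfplan/v2 mock holding one bucket with the given tags, plus the
# test spec that states which value `main` must evaluate to for that mock.
write_case() {
  dir="$1"; name="$2"; expected="$3"; tags="$4"
  cat > "$dir/test/require-s3-tags/mock-tfplan-$name.sentinel" <<EOF
resource_changes = {
  "aws_s3_bucket.logs": {
    "mode": "managed",
    "type": "aws_s3_bucket",
    "change": {
      "actions": ["create"],
      "after": { "bucket": "example-logs", "tags": $tags },
    },
  },
}
EOF
  cat > "$dir/test/require-s3-tags/$name.hcl" <<EOF
mock "tfplan/v2" {
  module {
    source = "mock-tfplan-$name.sentinel"
  }
}

test {
  rules = {
    main = $expected
  }
}
EOF
}

# CI step: a non-zero exit from `sentinel test` fails the pipeline. Returns 0
# when the sentinel CLI is not installed so the scaffold can still be inspected.
run_policy_tests() {
  dir="$1"
  if ! command -v sentinel >/dev/null 2>&1; then
    echo "sentinel CLI not found; skipping test run" >&2
    return 0
  fi
  (cd "$dir" && sentinel test -verbose)
}
```

Usage: `scaffold_policy_repo ./policies && run_policy_tests ./policies`. In a pipeline, the scaffold step is replaced by a checkout of the policy repository and `run_policy_tests` gates the merge; promoting to production is then a matter of which branch or tag the sentinel.hcl `source` (or the TFC policy set's VCS connection) points at.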