Download Sentinel JSON data using API

We are trying to implement a Sentinel policy in hard-mandatory mode in our org. To do so, we basically want to run the Sentinel policy in advisory mode across more than 300 workspaces in terraform.io.

I have automation in place using the API to get the workspace IDs, trigger a run for all the workspaces and discard the apply, as this is just to evaluate the Sentinel scorecard for each workspace/team.

I didn't find a way to download the JSON output of the executed Sentinel policy for a workspace and share it with the team, so that anything on their side that needs to be addressed can be fixed in a timely manner.

@hcrhall Can you suggest something here?

Hi @jhabikal21,

There are two options when requesting the results of a policy evaluation for a given run:

  1. Policy Checks API
  2. Audit Trails API

The Policy Checks API is probably the best option as you will already have the :run_id value, so it should be the simplest API call. The API response will be similar to the following:

{
    "data": [
        {
            "id": "polchk-4tNLxoGPb9SF98ug",
            "type": "policy-checks",
            "attributes": {
                "result": {
                    "result": true,
                    "passed": 2,
                    "total-failed": 0,
                    "hard-failed": 0,
                    "soft-failed": 0,
                    "advisory-failed": 0,
                    "duration-ms": 0,
                    "sentinel": {
                        "schema-version": 1,
                        "data": {
                            "": {
                                "can-override": false,
                                "error": null,
                                "policies": [
                                    {
                                        "allowed-failure": false,
                                        "error": null,
                                        "policy": "Foo",
                                        "result": true,
                                        "trace": {
                                            "description": "",
                                            "error": null,
                                            "print": "",
                                            "result": true,
                                            "rules": {}
                                        }
                                    }
                                ],
                                "result": true
                            },
                            "sentinel-from-scratch": {
                                "can-override": false,
                                "error": null,
                                "policies": [
                                    {
                                        "allowed-failure": false,
                                        "error": null,
                                        "policy": "sentinel-from-scratch/policy",
                                        "result": true,
                                        "trace": {
                                            "description": "Exercise 09 - Debugging\n",
                                            "error": null,
                                            "print": "",
                                            "result": true,
                                            "rules": {
                                                "main": {
                                                    "desc": "This Sentinel policy ensures that server instance type configuration does not violate a list of allowed types.",
                                                    "ident": "main",
                                                    "position": {
                                                        "filename": "./policy.sentinel",
                                                        "offset": 583,
                                                        "line": 18,
                                                        "column": 1
                                                    },
                                                    "value": []
                                                }
                                            }
                                        }
                                    }
                                ],
                                "result": true
                            }
                        }
                    }
                },
                "status": "passed",
                "status-timestamps": {
                    "passed-at": "2021-06-02T22:09:26+00:00",
                    "queued-at": "2021-06-02T22:09:25+00:00"
                },
                "permissions": {
                    "can-override": true
                },
                "actions": {
                    "is-overridable": false
                },
                "scope": "organization"
            },
            "relationships": {
                "run": {
                    "data": {
                        "id": "run-xmmk1JMtETYv7wUi",
                        "type": "runs"
                    }
                }
            },
            "links": {
                "output": "/api/v2/policy-checks/polchk-4tNLxoGPb9SF98ug/output"
            }
        }
    ]
}

I was debugging this yesterday and was able to figure it out. I found this in the JSON output of the /run API.

Thank you so much for your prompt help!