Enable/disable Sentinel Policies Based on Environment

Is it possible for us to enable or disable Sentinel Policies based on an environment variable or a flag in Terraform Workspaces?

As a developer, I want to disable or ignore some network rules in the development environment for debugging, but apply strict Deny All network rules for some cloud resources in the production environment.

For example,

policy "azure-cis-3.7-storage-default-network-access-rule-set-to-deny" {
  source = "https://raw.githubusercontent.com/hashicorp/terraform-foundational-policies-library/master/cis/azure/storage/azure-cis-3.7-storage-default-network-access-rule-set-to-deny/azure-cis-3.7-storage-default-network-access-rule-set-to-deny.sentinel"
  enforcement_level = "hard-mandatory"
  enforcement_environment = "production,test"
}

policy "azure-cis-3.7-storage-default-network-access-rule-set-to-deny" {
  source = "https://raw.githubusercontent.com/hashicorp/terraform-foundational-policies-library/master/cis/azure/storage/azure-cis-3.7-storage-default-network-access-rule-set-to-deny/azure-cis-3.7-storage-default-network-access-rule-set-to-deny.sentinel"
  enforcement_level = "ignored"
  enforcement_environment = "development"
}

I understand that we can manage Sentinel Policies based on different Policy Sets, but it becomes difficult to apply where each Terraform GitHub project has three or more environments/workspaces.

Hi @leonard,

It is not possible to set flags on workspaces to make Sentinel policies selectively apply to them. But you can accomplish what you want based on the names of the workspaces.

I recommend using the tfrun import to check the name or other properties of the workspace and effectively only apply the policies when the name matches certain patterns. You can see an example of this in this limit-cost-by-workspace-name.sentinel policy which uses this common function. Note that you could enforce workspace naming conventions by writing your policy in a way that fails if the workspace name does not match one of several specific patterns.

Roger Berlind
Global Technology Specialist

1 Like

@leonard, another method, which I use all the time in the foundational policies, is the when predicate in a rule expression.

// Change this to "prod" to trigger production rule evaluation
environment = "dev"

// A rule with a `when` predicate is only evaluated if the predicate is true;
// otherwise it is skipped and counts as passing. print() returns true, so a
// rule whose body is only a print() passes whenever it is evaluated.
prod_eval = rule when environment is "prod" {
	print("Production rule evaluated")
}

dev_eval = rule when environment is "dev" {
	print("Development rule evaluated")
}

main = rule {
	prod_eval and dev_eval
}

You can easily change this policy to use the value in tfrun.workspace.name to evaluate which environment is being provisioned by Terraform:

import "tfrun"
import "strings"

// Derive the environment from the workspace name prefix, assuming a
// "<env>-..." naming convention: "prod-payments-eastus" gives "prod".
// A name without "-" yields the whole name, so it matches neither rule below.
environment = strings.split(tfrun.workspace.name, "-")[0]

// Each rule is only evaluated when its `when` predicate holds; a skipped
// rule counts as passing, so a "dev" workspace never runs the prod rule.
prod_eval = rule when environment is "prod" {
	print("Production rule evaluated")
}

dev_eval = rule when environment is "dev" {
	print("Development rule evaluated")
}

main = rule {
	prod_eval and dev_eval
}

You can experiment with the above in the Sentinel Playground. Hope this helps 🙂

1 Like
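Tying the two replies together, here is an added example policy (not code posted by either participant, and not the foundational policies library's own implementation of CIS 3.7) that derives the environment from `tfrun.workspace.name` as shown above, fails the run when the workspace name does not follow the naming convention, and applies the storage "default network access = Deny" check only when the environment is prod or test. The `<env>-<app>-<region>` naming convention, the list names and the helper `denies_by_default` are assumptions made for this example; the resource shape follows `azurerm_storage_account` as it appears in the `tfplan/v2` import (a `network_rules` block with a `default_action` attribute).

```sentinel
import "tfplan/v2" as tfplan
import "tfrun"
import "strings"

// Assumed naming convention (not from the thread): "<env>-<app>-<region>",
// e.g. "prod-payments-eastus" or "dev-payments-eastus".
allowed_environments = ["dev", "test", "prod"]
strict_environments  = ["prod", "test"]

environment = strings.split(tfrun.workspace.name, "-")[0]

// Fail the run if the workspace prefix is not one we recognise, so an
// unconventional name cannot silently fall into the "not strict" branch.
naming_convention = rule {
	environment in allowed_environments
}

// Storage accounts this plan creates or updates.
storage_accounts = filter tfplan.resource_changes as _, rc {
	rc.type is "azurerm_storage_account" and
		rc.mode is "managed" and
		(rc.change.actions contains "create" or rc.change.actions contains "update")
}

// True only when the account has a network_rules block and every such block
// sets default_action = "Deny". A missing block means Azure's default (Allow).
denies_by_default = func(rc) {
	rules = rc.change.after.network_rules else []
	if length(rules) is 0 {
		return false
	}
	return all rules as r {
		(r.default_action else "Allow") is "Deny"
	}
}

violators = filter storage_accounts as _, rc {
	not denies_by_default(rc)
}

// Shown in the run's policy check output; print() returns true.
print("workspace:", tfrun.workspace.name, "environment:", environment)
if length(violators) > 0 {
	print("storage accounts without default_action = Deny:", keys(violators))
}

// Only evaluated in strict environments; when the predicate is false the
// rule is skipped and counts as passing, which gives the "ignored in dev"
// behaviour the question asks for without a per-workspace flag.
deny_default_network_access = rule when environment in strict_environments {
	length(violators) is 0
}

main = rule {
	naming_convention and deny_default_network_access
}
```

Attach this as one hard-mandatory policy to a policy set covering all of a project's workspaces: dev workspaces pass because the guarded rule is skipped, prod and test workspaces are checked. The gate is only as strong as the workspace naming, so anyone who can create or rename workspaces can move one out of the strict branch; that is why `naming_convention` fails closed on an unrecognised prefix rather than treating it as non-strict. The `tfplan/v2` and `tfrun` mocks downloadable from a real run can be used to exercise the policy with `sentinel test` before it is attached.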