Global param in Sentinel with TFCE

nabilAd · August 29, 2023, 12:10pm

Hello,

I have a problem setting a global param in sentinel with TFCE, my use case is to inject a json varible ( loaded from outside: gitlab API ) and pass that varible to all policies and use it to test if we execute the policy or no for a specific workspace, for that, i have tried to add a global param in my sentinel code and test if the varible is empty or not so i excute the API call just once, but the global param is only functionel in the Sentinel CLI and not with the TFCE, so i am getting this varible in each policy i have ( and that is not optimal for my use case because its a json that i can get only once and use it )

Any suggestions to optimize my code ?

Thank you

hcrhall · August 30, 2023, 4:30am

Hi @nabilAd

Thanks for reaching out. Before I respond with possible solutions, does the JSON variable have to live outside in GitLab or can you store it in the same repository where you store the policy set configuration?

nabilAd · August 30, 2023, 7:39am

Hello @hcrhall

Thank you for your response,
Well actually yes, it is used by multiple other teams in the company ( that are now allowed to modify the sentinel code ) so it has to be isolated from the policy set configuration.

hcrhall · August 30, 2023, 9:38pm

Thanks for confirming. Can you share your policy set configuration and how you have configured the parameters in TFCE for your policy set?

I’m unsure if you are configuring a global or a parameter so seeing something would help me assist further.

nabilAd · September 19, 2023, 9:19am

Hello @hcrhall

Sorry for the late response,

i have tried to add the global param in the policy set configuration in TFCE :

and i have a simple sentinel.hcl that i use in which i define all my policies like this :
policy “restrict-ec2-instance-type” {
source = “./restrict-ec2-instance-type.sentinel”
enforcement_level = “advisory”
}

policy “block-igw-creation” {
source = “./block-igw-creation.sentinel”
enforcement_level = “advisory”
}

But this will pass the variable as in every policy i have, and it is not global ( this is a varible that i intented to use to test if the json is loaded or not to avoid recalling the API in every policy )

i tried also to add a global param declaration in my sentinel.hcl like this :
global “exceptions_loaded” {
value = false
}

But in TF it is not working and asking to define that varible when using it in a policy !

hcrhall · September 20, 2023, 3:00am

Thanks @nabilAd

Global values are not supported in Terraform and are ignored when they are added to the configuration. This may change in the future, but currently it is working by design.

Have you tried using policy parameters as per the policies configuration syntax?

nabilAd · September 20, 2023, 7:42am

Thank you for your response,
You mean per policy param ? yes i used it in other use case and its working, but in this case it wont be a good solution because i will need to pass the API response to all my policies at once, testing if the param is loaded in not possible if we dont have a global value

hcrhall · September 20, 2023, 10:09pm

Are you saying that you cannot write a Setinel unit test to verify that the parameter value has been defined?

It might be useful if you share the policy and test data that you are using to test your policy because there should be no need to set a global value as global data is not used in the Terraform integration for Sentinel.