How do I import non-standard code in Sentinel running in TF Cloud?

Hi - I am running Sentinel checks inside TF Cloud. The code is running fine, the checks function well. My issue is that I am using several functions from https://raw.githubusercontent.com/hashicorp/terraform-guides/master/governance/third-generation/common-functions/tfconfig-functions/tfconfig-functions.sentinel directly in my code. In other words, I am copy/pasting functions such as filter_attribute_does_not_match_regex in my Sentinel code. That function comes with several dependencies, so I am also copy/pasting them. This makes my Sentinel code difficult to read.

How can I simply import that 3rd-gen repo and alias it, like I can with import “tfplan/v2” as tfplan for instance? I tried using modules with a source directive pointing to raw Github content: no luck. I tried pasting all the code from the 3rd-gen repo into my own .tf file and importing it with import “myModule” with no luck either.

Also, how can a developer figure out that “tfplan/v2” works as a standard import when the documentation at https://docs.hashicorp.com/sentinel/imports doesn’t list tfplan/v2 as a standard import?

Thank you!

Hi @cpaggen ,

Thanks for posting your questions here.

The common functions in terraform-guides/governance/third-generation/common-functions at master · hashicorp/terraform-guides · GitHub (that I wrote) are Sentinel Modules written in the Sentinel language. The actual modules are the files like tfplan-functions.sentinel and tfconfig-functions.sentinel, each of which contains multiple functions. Note that the directories containing those file contain extensive documentation pages for each function under the docs directories.

How you reference the functions in these Sentinel modules will depend on where you use them from. You could use them from the terraform-guides repository itself, or from a fork of that repository, or copy the modules into a repository containing your own policies.

If you call the functions from a policy that is in a different repository than the one containing the module, then you must use a raw URL. For example to call any functions from the tfconfig-functions.sentinel module in the terraform-guides repository itself, you would use https://raw.githubusercontent.com/hashicorp/terraform-guides/master/governance/third-generation/common-functions/tfconfig-functions/tfconfig-functions.sentinel rather than terraform-guides/tfconfig-functions.sentinel at master · hashicorp/terraform-guides · GitHub.

But if you copied the entire tfconfig-functions.sentinel module into a repository containing your own Sentinel policies, you would use local references that could include . for the current directory and .. to go up one directory from where your Sentinel CLI test case file or policy set configuration file lives. There are examples of local references to the modules in many test case files and in several entinel.hcl policy set definition files in the terraform-guides repository.

After declaring a Sentinel module in a Sentinel CLI test case file or in a policy set definition file, you can then import it into your policy with a line like import "tfplan-functions" as plan which gives the module the alias plan which should then be used before calls to the functions. Again, see the many examples in the terraform-guides repository.

For documentation on the above, see Managing Sentinel Policies - Sentinel - Terraform Cloud and Terraform Enterprise - Terraform by HashiCorp and Remote Sources | Sentinel by HashiCorp.

For your second question, while the tfplan/v2, tfstate/v2, tfconfig/v2, and trfun imports are “standard Terraform Cloud/Enterprise Sentinel imports”, they are not listed under Sentinel Language - Standard Imports | Sentinel by HashiCorp since they are only intended for use by Terraform Cloud and Terraform Enterprise customers. The documentation for them is under Defining Policies - Sentinel - Terraform Cloud and Terraform Enterprise - Terraform by HashiCorp. Please note, however, that they are usable by policies tested or run with the Sentinel CLI provided that you include mocks with your Sentinel CLI test cases. Those mocks can be downloaded from plans run against TFC/E workspaces. See Mocking Terraform Sentinel Data - Sentinel - Terraform Cloud and Terraform Enterprise - Terraform by HashiCorp for information on downloading mocks that can be used with the Sentinel CLI when testing Sentinel policies written for TFC/E.

Roger Berlind
Global Technology Specialist

1 Like

OK, that makes sense now! I have managed to clean up the code dramatically. I didn’t realize the module “foo” {} statement had to exist in sentinel.hcl and not in the Sentinel language file. Now I am pointing to raw Github content in sentinel.hcl for both the module source and the Sentinal language code itself. I used to rely on the implicit lookup for a file with the same name as the policy but read it’s going to be deprecated anyway, so I switched to the explicit reference. Thank you for the pointers, this helped a lot!