How do I import non-standard code in Sentinel running in TF Cloud?

Hi - I am running Sentinel checks inside TF Cloud. The code is running fine, the checks function well. My issue is that I am using several functions from https://raw.githubusercontent.com/hashicorp/terraform-guides/master/governance/third-generation/common-functions/tfconfig-functions/tfconfig-functions.sentinel directly in my code. In other words, I am copy/pasting functions such as filter_attribute_does_not_match_regex in my Sentinel code. That function comes with several dependencies, so I am also copy/pasting them. This makes my Sentinel code difficult to read.

How can I simply import that 3rd-gen repo and alias it, like I can with import “tfplan/v2” as tfplan for instance? I tried using modules with a source directive pointing to raw Github content: no luck. I tried pasting all the code from the 3rd-gen repo into my own .tf file and importing it with import “myModule” with no luck either.

Also, how can a developer figure out that “tfplan/v2” works as a standard import when the documentation at https://docs.hashicorp.com/sentinel/imports doesn’t list tfplan/v2 as a standard import?

Thank you!

Hi @cpaggen ,

Thanks for posting your questions here.

The common functions in terraform-guides/governance/third-generation/common-functions at master · hashicorp/terraform-guides · GitHub (that I wrote) are Sentinel Modules written in the Sentinel language. The actual modules are the files like tfplan-functions.sentinel and tfconfig-functions.sentinel, each of which contains multiple functions. Note that the directories containing those files contain extensive documentation pages for each function under the docs directories.

How you reference the functions in these Sentinel modules will depend on where you use them from. You could use them from the terraform-guides repository itself, or from a fork of that repository, or copy the modules into a repository containing your own policies.

If you call the functions from a policy that is in a different repository than the one containing the module, then you must use a raw URL. For example to call any functions from the tfconfig-functions.sentinel module in the terraform-guides repository itself, you would use https://raw.githubusercontent.com/hashicorp/terraform-guides/master/governance/third-generation/common-functions/tfconfig-functions/tfconfig-functions.sentinel rather than terraform-guides/tfconfig-functions.sentinel at master · hashicorp/terraform-guides · GitHub.

But if you copied the entire tfconfig-functions.sentinel module into a repository containing your own Sentinel policies, you would use local references that could include . for the current directory and .. to go up one directory from where your Sentinel CLI test case file or policy set configuration file lives. There are examples of local references to the modules in many test case files and in several sentinel.hcl policy set definition files in the terraform-guides repository.

After declaring a Sentinel module in a Sentinel CLI test case file or in a policy set definition file, you can then import it into your policy with a line like import "tfplan-functions" as plan which gives the module the alias plan which should then be used before calls to the functions. Again, see the many examples in the terraform-guides repository.

For documentation on the above, see Managing Sentinel Policies - Sentinel - Terraform Cloud and Terraform Enterprise - Terraform by HashiCorp and Remote Sources | Sentinel by HashiCorp.

For your second question, while the tfplan/v2, tfstate/v2, tfconfig/v2, and tfrun imports are “standard Terraform Cloud/Enterprise Sentinel imports”, they are not listed under Sentinel Language - Standard Imports | Sentinel by HashiCorp since they are only intended for use by Terraform Cloud and Terraform Enterprise customers. The documentation for them is under Defining Policies - Sentinel - Terraform Cloud and Terraform Enterprise - Terraform by HashiCorp. Please note, however, that they are usable by policies tested or run with the Sentinel CLI provided that you include mocks with your Sentinel CLI test cases. Those mocks can be downloaded from plans run against TFC/E workspaces. See Mocking Terraform Sentinel Data - Sentinel - Terraform Cloud and Terraform Enterprise - Terraform by HashiCorp for information on downloading mocks that can be used with the Sentinel CLI when testing Sentinel policies written for TFC/E.

Roger Berlind
Global Technology Specialist

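Added illustration (not from the original thread or the terraform-guides repository): a minimal policy set that declares the tfplan-functions module by its raw GitHub URL in sentinel.hcl, a policy that imports it under the alias plan, and a matching Sentinel CLI test case. The policy name, the S3 bucket naming rule, and the mock file name are assumptions; the function names and the {"resources", "messages"} return shape are as documented in the module's docs directory, which you should check against the version you pin.

```hcl
# --- sentinel.hcl (policy set configuration at the root of your policy repo) ---
# The module block lives here, not in a .sentinel file. The module name is what
# the policy will import.
module "tfplan-functions" {
  source = "https://raw.githubusercontent.com/hashicorp/terraform-guides/master/governance/third-generation/common-functions/tfplan-functions/tfplan-functions.sentinel"
}

policy "enforce-s3-bucket-prefix" {
  source            = "./enforce-s3-bucket-prefix.sentinel"
  enforcement_level = "hard-mandatory"
}

# --- enforce-s3-bucket-prefix.sentinel (hypothetical policy, same directory) ---
# Import the module declared above; the alias is then used as a prefix on every call.
import "tfplan-functions" as plan

# Assumed naming rule for this example: every bucket name must start with "prod-".
required_prefix = "^prod-"

# find_resources returns all aws_s3_bucket resources in the plan being created or updated.
all_buckets = plan.find_resources("aws_s3_bucket")

# filter_attribute_does_not_match_regex(resources, attr, expr, prtmsg) returns a map
# with "resources" (the violators) and "messages" (one message per violator);
# the final argument prints those messages in the Sentinel output.
violating_buckets = plan.filter_attribute_does_not_match_regex(
  all_buckets, "bucket", required_prefix, true)

main = rule { length(violating_buckets["messages"]) is 0 }

# --- test/enforce-s3-bucket-prefix/pass.hcl (Sentinel CLI test case) ---
# The module must be declared again here; a local path such as
# "../../common-functions/tfplan-functions/tfplan-functions.sentinel" also works
# if you copied the module into your repo. tfplan/v2 is mocked from data
# downloaded from a TFC/E run (mock-tfplan-pass.sentinel is an assumed file name).
module "tfplan-functions" {
  source = "https://raw.githubusercontent.com/hashicorp/terraform-guides/master/governance/third-generation/common-functions/tfplan-functions/tfplan-functions.sentinel"
}

mock "tfplan/v2" {
  module {
    source = "mock-tfplan-pass.sentinel"
  }
}

test {
  rules = {
    main = true
  }
}
```

Run `sentinel test enforce-s3-bucket-prefix.sentinel` from the policy directory to exercise the test case locally before pushing the policy set to TFC.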

OK, that makes sense now! I have managed to clean up the code dramatically. I didn’t realize the module “foo” {} statement had to exist in sentinel.hcl and not in the Sentinel language file. Now I am pointing to raw Github content in sentinel.hcl for both the module source and the Sentinel language code itself. I used to rely on the implicit lookup for a file with the same name as the policy but read it’s going to be deprecated anyway, so I switched to the explicit reference. Thank you for the pointers, this helped a lot!

Hi @rberlind ,

Thank you for detailed explanation.

I am using Sentinel with TF Cloud.

I am writing own policies in my repository by referring your Third Generation Sentinel Policies examples. To reference the Sentinel Modules common functions in my policies, I am trying raw URL and also exploring other Git Protocol Remote Source options documented here. I am mainly exploring these options to avoid doing git fork and copying the modules into my repository.

Since I am calling the Sentinel Module functions from a policy that is in a different repository than the one containing the module, using a raw URL like this - https://raw.githubusercontent.com/hashicorp/terraform-sentinel-policies/main/common-functions/tfplan-functions/tfplan-functions.sentinel works as expected. But when I try to reference the same module using Git [ref](https://docs.hashicorp.com/sentinel/configuration/remote-sources#ref) to point to specific tags like this - git::git@github.com:hashicorp/terraform-sentinel-policies.git//common-functions/tfplan-functions/tfplan-functions.sentinel?ref=v1.0.1 then it is not working as explained in the documentation. When I test this using both the Sentinel CLI and TF Cloud I get the following error message -

An error occurred: 1 error occurred:
	* tfplan-functions installation failed: download not supported for scheme 'git'

I tried multiple combinations of git URL format by referring the following documents -

Can you please help me to understand - How can I reference the Sentinel Module using Git ref to point to specific git tags?

Thank you!
Seema G C

Hi Seema,

Unfortunately, Sentinel in Terraform Cloud only supports HTTP/S sources even though Sentinel itself is capable of supporting other remote sources. See the blue notes under

which also describe the need to use raw URLs with GitHub.

Please also note that I no longer work at HashiCorp. I’m only answering your question because I knew the answer right away and only needed to look up the link for you.

Roger
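Added illustration (not part of the thread above): since Terraform Cloud only fetches module sources over HTTP/S, the git:: form with ?ref= fails with the scheme error quoted above, but the same tag can be pinned by placing it in the raw.githubusercontent.com path, which Sentinel treats as an ordinary HTTPS source. It is assumed that v1.0.1 (the tag from the question) exists in that repository; the policy name is a placeholder.

```hcl
# sentinel.hcl: pinning a remote Sentinel module without the git:: scheme.

# Rejected by Terraform Cloud ("download not supported for scheme 'git'"):
# module "tfplan-functions" {
#   source = "git::git@github.com:hashicorp/terraform-sentinel-policies.git//common-functions/tfplan-functions/tfplan-functions.sentinel?ref=v1.0.1"
# }

# Accepted: the ref goes in the raw URL path instead of a ?ref= query.
# A full commit SHA can be used in place of the tag for an immutable pin,
# which is preferable to tracking "main", since a branch (or a re-pointed tag)
# can change the policy logic under you without any change in your own repo.
module "tfplan-functions" {
  source = "https://raw.githubusercontent.com/hashicorp/terraform-sentinel-policies/v1.0.1/common-functions/tfplan-functions/tfplan-functions.sentinel"
}

policy "example-policy" {
  source            = "./example-policy.sentinel"
  enforcement_level = "advisory"
}
```

The same URL form works in a Sentinel CLI test case's module block, so local tests and TFC runs resolve the identical module revision.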

Hi @rberlind ,

Thank you so much for your reply!

I read that document before. But after looking into the other protocol options in the Sentinel Remote Source document, I thought to get clarified with HashiCorp on this. Thank you for making it clear.

Regards,
Seema G C