How to mock http call with param

I have a use case where a policy will be downloading a TFC workspace’s outputs so it can make decisions based on that output. I’ve been able to get a working sample going where I can download the data and print out some of the properties. When we deploy this policy set, we will use a sensitive Sentinel parameter that contains the API key to connect to TFC.

However, I’m stuck on how I can mock this http call without putting the actual API key into the mock .hcl file. Any ideas?

Hi @pshamus,

From what I can understand, you could make use of the environment variable variation of parameters. This is available both within the CLI and the TFC UI. Here are a few links to help:

If this doesn’t work for you, let me know and we can try to find another way.

Thanks,

Cameron

Hi @cam-stitt,

Thanks for the info. Do you know how I can mock an import? The documentation here doesn’t seem to work. All I get is this error:

Unsupported argument; An argument named "module" is not expected here. Did you mean to define a block of type "module"?

Ah! This seems to be a typo in the documentation. This should read:

mock "foo" {
  module {
    source = "mock-foo.sentinel"
  }
}

Note that the module is a block, not an attribute, within the mock block.

@cam-stitt Thanks! That gets me a little further in my progress.

Other than relying on http for pulling external data, is there another option for a policy to reference a dataset in order to do some comparisons? This dataset is custom and not available via any APIs.

Glad to hear you’ve made progress!

Potentially, but it depends on a few things. If you are using TFC, I would suggest having this dataset be made available by a module. If it’s a static dataset, it will make it reusable across policies.

If you are using this outside of TFC, you could create a custom import that makes this dataset available. TFC does not support custom imports at this time.

You could potentially place the dataset into TFC/CLI as a parameter also, but I do not recommend this.

For a custom module, what’s the best way to reference static data? Would it be to use a function that returns the dataset? Or is there a way to have a module contain a variable that can be used by the policy which imports it?

Modules can supply data in all sorts of ways. It depends on where your data is currently located and how it needs to be accessed. A good place to understand how modules work is the Sentinel Playground. The initial example showcases a mock (which is a module deep down) and how it can provide data.

https://play.sentinelproject.io/p/8rbhvV9yI2C

The challenge is if the static data needs to be loaded from a JSON file or such. Currently, we do not have a way to directly load files via a standard import. If this seems like what you are after, please let me know.

I will be creating a static map/list with data directly in the module, so no loading from some external source. So I would just follow the same pattern as the mock data files, it looks like.