Import "tfplan/v2" is not available

Hello!
I am currently working on Sentinel, following this guide on github (terraform-guides/governance/third-generation/azure at master · hashicorp/terraform-guides · GitHub).
I am getting the error Import "tfplan/v2" is not available when trying to run it from your guide, as well as in my own code (which is more or less a copy paste of your guide).
Here is what my folders organisation looks like:

├── test                            
│   └── policy-one                  
|       └──  fail.hcl        
|       └──  pass.hcl        
|       └──  mock-tfplan-fail.sentinel
|       └──  mock-tfplan-pass.sentinel
|
├── sentinel.hcl                    
└── policy-one.sentinel
└── azure-functions
└── common functions #this is located outside of the folder in the guide. In my personal code, I have brought it at the same level and adjusted the code to target it

I am currently in the situation where sentinel test passes for both of my mocks, but sentinel apply is not accepted.

I have had a look at this other topic (How to write Sentinel policies - #3 by rberlind) but it wasn’t too clear what I was supposed to do. I understand tfplan/v2 refers to the terraform plan, but I thought the mocks would be used…?

Apologies, this is my first time working on Sentinel.

Hi @OceaneLonneux-CAL ,

I wrote most of the policies in the repository you referenced. I’m sorry to hear you’re having problems with them or with new ones that you have written.

Can you clarify whether the problem occurs when running sentinel apply or sentinel test. To be honest, I only ever use sentinel test and I therefore do not even create a sentinel.hcl file except for the purpose of using when creating TFC/E policy sets from them.

Also, could you share your fail.hcl and pass.hcl files and also confirm that the mocks were copied or renamed from a file called mock-tfplan-v2.sentinel that was downloaded in a zip along with other mocks and that your are NOT using a copy or renamed vesion of a mock that was called mock-tfplan.sentinel? The latter would be a v1 mock and could account for your error.

A tfplan/v2 mock would start with the terraform_version while a tfplan/v1 mock would start with import "strings".

Roger Berlind

Hello,
thanks a lot for your answer.
This happens when I run sentinel apply. Could you give me more information on the difference between the commands test and the apply one? Looking at the docs, I have to say I am not exactly sure. Thank you.

My fail.hcl looks like that (pass looks the same, just the name of the file and the rules main change):

module "azure-functions" {
  source = "../../azure-functions/azure-functions.sentinel"
}

module "tfplan-functions" {
  source = "../../../common-functions/tfplan-functions/tfplan-functions.sentinel"
}

mock "tfplan/v2" {
  module {
    source = "mock-tfplan-fail.sentinel"
  }
}

test {
  rules = {
    main = false
  }
}

I can see in the files of your guide the file you are talking about (terraform-guides/azure-vm-mock-tfplan-v2.sentinel at master · hashicorp/terraform-guides · GitHub), but nothing seems to happen?
When trying to run sentinel apply from your guide, I am position at governance\third-generation\azure.

EDIT: If this wasn’t clear, I would like to mention I am currently testing from a Sentinel CLI.

UPDATE: I actually found out what was wrong.

For anyone that is having the same error:
You just need to add this to your sentinel.hcl.

module "tfplan/v2" {
  source = "./mocks/azure-vm-mock-tfplan-v2.sentinel"
}

In the mocks folder, I then have a mock-tfplan-fail-v2.sentinel, a mock-tfplan-pass-v2.sentinel and a azure-vm-mock-tfplan-v2.sentinel. You don’t have to do like me, just be sure to link policies and module to their right folder/file.

@rberlind I do think this should be added to the guide. I saw online other docs mentioning json (when the latest version mentions json is legacy) and some mentioning a “mock” category in setinel.hcl (when it doesn’t actually seem to be accepted?) and found this a bit confusing.

I do still wonder what is the difference between apply and test.

I understand this is a young product, please be assured that I thank you for the hard work you guys are putting in.

@OceaneLonneux-CAL thanks for the feedback. I was wondering if you’ve come across the following learn track which covers Terraform Policies including mocking, testing and may clear up some confusion? If it is adding to the confusion, please let me know, and we can work on changing things to make things clearer.

I think for your use-case you want to test the policy and therefore should be using the sentinel test command with the required mock data to assert that your policy is working as expected.

Regarding the module block, this is one way of mimicking plan data when using the sentinel apply command, however there is not much value in doing so with the Sentinel Terraform integration and think that using sentinel test is the best way forward in this scenario.

The sentinel apply command is useful when it comes to validating policy configurations dynamically as you can specify global and param values on the command-line. This provides a bit more flexibility in that you could script policy testing to test against dynamic values. In most cases, customers only need to use sentinel test.

Note: The sentinel.hcl configuration file that is used to define a Terraform Policy set only supports the module and policy blocks.