Import "tfplan/v2" is not available

OceaneLonneux-CAL · March 30, 2021, 11:26am

Hello!
I am currently working on Sentinel, following this guide on github (terraform-guides/governance/third-generation/azure at master · hashicorp/terraform-guides · GitHub).
I am getting the error Import "tfplan/v2" is not available when trying to run it from your guide, as well as in my own code (which is more or less a copy paste of your guide).
Here is what my folders organisation looks like:

├── test                            
│   └── policy-one                  
|       └──  fail.hcl        
|       └──  pass.hcl        
|       └──  mock-tfplan-fail.sentinel
|       └──  mock-tfplan-pass.sentinel
|
├── sentinel.hcl                    
└── policy-one.sentinel
└── azure-functions
└── common functions #this is located outside of the folder in the guide. In my personal code, I have brought it at the same level and adjusted the code to target it

I am currently in the situation where sentinel test passes for both of my mocks, but sentinel apply is not accepted.

I have had a look at this other topic (How to write Sentinel policies - #3 by rberlind) but it wasn’t too clear what I was supposed to do. I understand tfplan/v2 refers to the terraform plan, but I thought the mocks would be used…?

Apologies, this is my first time working on Sentinel.

rberlind · March 30, 2021, 5:18pm

Hi @OceaneLonneux-CAL ,

I wrote most of the policies in the repository you referenced. I’m sorry to hear you’re having problems with them or with new ones that you have written.

Can you clarify whether the problem occurs when running sentinel apply or sentinel test. To be honest, I only ever use sentinel test and I therefore do not even create a sentinel.hcl file except for the purpose of using when creating TFC/E policy sets from them.

Also, could you share your fail.hcl and pass.hcl files and also confirm that the mocks were copied or renamed from a file called mock-tfplan-v2.sentinel that was downloaded in a zip along with other mocks and that your are NOT using a copy or renamed vesion of a mock that was called mock-tfplan.sentinel? The latter would be a v1 mock and could account for your error.

A tfplan/v2 mock would start with the terraform_version while a tfplan/v1 mock would start with import "strings".

Roger Berlind

OceaneLonneux-CAL · March 31, 2021, 7:19am

Hello,
thanks a lot for your answer.
This happens when I run sentinel apply. Could you give me more information on the difference between the commands test and the apply one? Looking at the docs, I have to say I am not exactly sure. Thank you.

My fail.hcl looks like that (pass looks the same, just the name of the file and the rules main change):

module "azure-functions" {
  source = "../../azure-functions/azure-functions.sentinel"
}

module "tfplan-functions" {
  source = "../../../common-functions/tfplan-functions/tfplan-functions.sentinel"
}

mock "tfplan/v2" {
  module {
    source = "mock-tfplan-fail.sentinel"
  }
}

test {
  rules = {
    main = false
  }
}

I can see in the files of your guide the file you are talking about (terraform-guides/azure-vm-mock-tfplan-v2.sentinel at master · hashicorp/terraform-guides · GitHub), but nothing seems to happen?
When trying to run sentinel apply from your guide, I am position at governance\third-generation\azure.

EDIT: If this wasn’t clear, I would like to mention I am currently testing from a Sentinel CLI.

OceaneLonneux-CAL · March 31, 2021, 3:31pm

UPDATE: I actually found out what was wrong.

For anyone that is having the same error:
You just need to add this to your sentinel.hcl.

module "tfplan/v2" {
  source = "./mocks/azure-vm-mock-tfplan-v2.sentinel"
}

In the mocks folder, I then have a mock-tfplan-fail-v2.sentinel, a mock-tfplan-pass-v2.sentinel and a azure-vm-mock-tfplan-v2.sentinel. You don’t have to do like me, just be sure to link policies and module to their right folder/file.

@rberlind I do think this should be added to the guide. I saw online other docs mentioning json (when the latest version mentions json is legacy) and some mentioning a “mock” category in setinel.hcl (when it doesn’t actually seem to be accepted?) and found this a bit confusing.

I do still wonder what is the difference between apply and test.

I understand this is a young product, please be assured that I thank you for the hard work you guys are putting in.

hcrhall · April 1, 2021, 3:56am

@OceaneLonneux-CAL thanks for the feedback. I was wondering if you’ve come across the following learn track which covers Terraform Policies including mocking, testing and may clear up some confusion? If it is adding to the confusion, please let me know, and we can work on changing things to make things clearer.

I think for your use-case you want to test the policy and therefore should be using the sentinel test command with the required mock data to assert that your policy is working as expected.

Regarding the module block, this is one way of mimicking plan data when using the sentinel apply command, however there is not much value in doing so with the Sentinel Terraform integration and think that using sentinel test is the best way forward in this scenario.

The sentinel apply command is useful when it comes to validating policy configurations dynamically as you can specify global and param values on the command-line. This provides a bit more flexibility in that you could script policy testing to test against dynamic values. In most cases, customers only need to use sentinel test.

Note: The sentinel.hcl configuration file that is used to define a Terraform Policy set only supports the module and policy blocks.

zulfiqarhaider · August 8, 2021, 12:26pm

I am trying to run few Sentinel policy and almost every one of them is having some issue:
below code was also tried with: import “tfplan-functions” as plan
Error: Import “tfplan-functions” is not available

‘’’

import "tfplan-functions/v2" as plan

allowed_zones = [
  "ap-southeast-1a","ap-southeast-1b","ap-southeast-1c",
]

# Get all EC2 instances
allEC2Instances = plan.find_resources("aws_instance")

violatingEC2Instances = plan.filter_attribute_not_in_list(allEC2Instances,
                        "availability_zone", allowed_zones, true)

hcrhall · August 8, 2021, 10:41pm

@zulfiqarhaider,

A couple of things to check:

In the sentinel.hcl, make sure that you have a block defined for the tfplan-functions module as seen in the following example
Make sure that you have the common-functions directory available in the same path where you have defined your sentinel.hcl and that it contains the tfplan-functions module.
Change the import declaration at the top of the policy to the following:
import "tfplan-functions" as plan

zulfiqarhaider · August 9, 2021, 9:42pm

Just checked; this will be depreciated in the future.
Let me read the documentation in more detail.
thanks.

jboero · October 18, 2021, 9:49am

As usual Roger & Ryan come to my rescue in an older thread. Thanks @hcrhall & @rberlind !

paladin-devops · December 11, 2021, 8:13pm

The discussion in this forum really helped me out a lot. “common-functions” was a huge help for writing my policy!

Topic		Replies	Views
Can't import tfplan/v2 Sentinel	1	11	March 15, 2025
Using `sentinel apply` cli to develop new policies by testing against real tf configs Sentinel	1	461	September 14, 2021
Modules in sentinel.hcl at root rather than in pass.hcl/fail.hcl Sentinel	3	726	February 10, 2021
Unexpected error of Sentinel test after upgrading to 0.19.x Sentinel	16	795	January 27, 2023
How do I import non-standard code in Sentinel running in TF Cloud? Sentinel hcp-terraform	5	1782	August 10, 2022

Import "tfplan/v2" is not available

Related topics