Hello all,
I’m new to policy as code and trying a few things, so I’m giving a look at Sentinel which seems really cool.
I saw the json import (over here) which sounded like a good way to provide data to validate to Sentinel, but I'm not sure I understand it well... To me it seems like the only way to pass JSON data to Sentinel is to declare a variable within the policy definition containing that data.
It feels strange to me, as I don't see any easy way to provide external "dynamic" data to Sentinel this way.
The example states "Typically the input for this would come from an external source." Do you have some examples of how to integrate with external sources?
Is there a way to read JSON from a file, or from stdin? Am I missing something?
Thanks in advance =)
Pierre.
Hi @pbenefice,
Thanks for reaching out.
I think the most practical example of how to use the json import is contained in the documentation for the http import. You can review this example by browsing to the following:
In this example, we show how one could go about requesting data from a GitHub API but as I am sure you can imagine this methodology can be applied to pretty much any API.
The most common use-case that I have for the json import is when I am evaluating IAM policies. As an example:

```sentinel
import "tfplan/v2" as tfplan
import "json"

allUnsupportedMembers = [
  "allUsers",
  "allAuthenticatedUsers",
]

allBucketIAMPolicies = filter tfplan.resource_changes as _, resource_changes {
  resource_changes.type is "google_storage_bucket_iam_policy" and
  resource_changes.mode is "managed" and
  (resource_changes.change.actions contains "create" or
    resource_changes.change.actions is ["update"])
}

deny_unsupported_bucket_iam_policies = rule {
  all allBucketIAMPolicies as _, policy {
    all json.unmarshal(policy.change.after.policy_data).bindings as _, binding {
      all binding.members as _, member {
        member not in allUnsupportedMembers
      }
    }
  }
}

main = rule {
  deny_unsupported_bucket_iam_policies
}
```
Unfortunately, we do not currently support the ability to read JSON from a local file but you can use the http import to request JSON data. I recommend taking the following example and running it locally using the Sentinel CLI:

```sentinel
import "http"
import "json"

req = http.request("https://releases.hashicorp.com/sentinel/index.json")
resp = json.unmarshal(http.get(req).body)

main = rule {
  all resp["versions"] as _, versions {
    print(versions.version)
  }
}
```
I hope you find this useful and that it gets you started. If you require more information or would like to provide feedback please reach out as I'm always interested in how I can make the Sentinel experience better for customers.
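The same unsupported-member check as a stand-alone script over `terraform show -json` plan output, added here as an example that is not part of the thread or of Sentinel itself. It assumes the plan document layout that `terraform show -json` produces (`resource_changes`, `change.actions`, `change.after.policy_data`) and uses a constructed sample plan; it also covers the case where `policy_data` is unknown until apply, which the Sentinel policy above does not guard against.

```python
import json
# Constructed sample: a trimmed `terraform show -json` plan with three bucket IAM
# policy changes; only the first grants a role to allUsers (the case to deny).
SAMPLE_PLAN = json.dumps({"format_version": "1.0", "resource_changes": [
    {"address": "google_storage_bucket_iam_policy.public", "mode": "managed",
     "type": "google_storage_bucket_iam_policy",
     "change": {"actions": ["create"], "after": {"bucket": "demo-public",
         "policy_data": json.dumps({"bindings": [
             {"role": "roles/storage.objectViewer", "members": ["allUsers"]}]})}}},
    {"address": "google_storage_bucket_iam_policy.private", "mode": "managed",
     "type": "google_storage_bucket_iam_policy",
     "change": {"actions": ["update"], "after": {"bucket": "demo-private",
         "policy_data": json.dumps({"bindings": [
             {"role": "roles/storage.admin", "members": ["group:ops@example.com"]}]})}}},
    {"address": "google_storage_bucket_iam_policy.gone", "mode": "managed",
     "type": "google_storage_bucket_iam_policy",
     "change": {"actions": ["delete"], "after": None}},
]})

UNSUPPORTED_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
def bucket_iam_policies(plan):
    """Same filter as the Sentinel policy: managed bucket IAM policies being
    created or purely updated; the delete above falls through."""
    for rc in plan.get("resource_changes", []):
        actions = rc.get("change", {}).get("actions", [])
        if (rc.get("type") == "google_storage_bucket_iam_policy"
                and rc.get("mode") == "managed"
                and ("create" in actions or actions == ["update"])):
            yield rc

def find_unsupported_members(plan_json):
    """Return (address, role, member) for each binding the Sentinel rule rejects."""
    violations = []
    for rc in bucket_iam_policies(json.loads(plan_json)):
        # policy_data is a JSON string nested in the plan JSON, hence the second decode
        # (json.unmarshal in Sentinel). A value unknown until apply is absent from
        # `after`; flag it rather than silently passing the resource.
        raw = rc["change"]["after"].get("policy_data")
        if raw is None:
            violations.append((rc["address"], None, "<policy_data unknown at plan time>"))
            continue
        for binding in json.loads(raw).get("bindings", []):
            for member in binding.get("members", []):
                if member in UNSUPPORTED_MEMBERS:
                    violations.append((rc["address"], binding.get("role"), member))
    return violations
def main_rule(plan_json):
    """Equivalent of the Sentinel `main` rule: True only when nothing is flagged."""
    return not find_unsupported_members(plan_json)
```

Feed a real plan with `terraform show -json tfplan > plan.json` and call `main_rule(open("plan.json").read())` from a CI step that fails on `False`.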
Hi @hcrhall, thanks for the answer.
I see what it could be used for. I clearly had something different in mind.
I was hoping to be able to use this import to input my tfplan as JSON and still use Sentinel even without the tfplan/tfconfig imports of the enterprise plan in my CI pipelines.
I guess I could still find some workaround to achieve what I want but it won't be clean.
Maybe I'll try Terraform Cloud out of curiosity, but I'm not sure I'll be able to use Sentinel for my use case (my client doesn't plan to subscribe). Too bad, it seemed easier than OPA.
In any case, thanks for the precisions and the quick answer.
Have a nice day.