Modules in sentinel.hcl at root rather than in pass.hcl/fail.hcl

I currently have the tfplan-functions and tfconfig-functions defined in both my sentinel.hcl at the root and in the pass.hcl/fail.hcl. My guess is that it’s not needed in both. Where should these modules be defined and how are they referenced?

sentinel.hcl

module "tfplan-functions" {
    source = "git::https://github.com/hashicorp/terraform-guides.git//governance/third-generation/common-functions/tfplan-functions/tfplan-functions.sentinel"
}

module "tfconfig-functions" {
    source = "git::https://github.com/hashicorp/terraform-guides.git//governance/third-generation/common-functions/tfconfig-functions/tfconfig-functions.sentinel"
}


pass.hcl

module "tfplan-functions" {
    source = "git::https://github.com/hashicorp/terraform-guides.git//governance/third-generation/common-functions/tfplan-functions/tfplan-functions.sentinel"
}

module "tfconfig-functions" {
    source = "git::https://github.com/hashicorp/terraform-guides.git//governance/third-generation/common-functions/tfconfig-functions/tfconfig-functions.sentinel"
}

mock "tfplan/v2" {
    module {
        source = "./mockdata/mock-tfplan-pass.sentinel"
    }
}

mock "tfconfig/v2" {
    module {
        source = "./mockdata/mock-tfconfig-pass.sentinel"
    }
}

test {
    rules = {
        main = true
    }
}

Hi @wblanchard-concurren,

In your case, you are actually referring to the tfplan-functions and tfconfig-functions modules in the hashicorp/terraform-guides repository using remote references. So, those modules are only being defined once, within that repository. But it is true that you are referencing them both multiple times, once in sentinel.hcl and once in each of your test cases such as pass.hcl and fail.hcl.

In fact the references are indeed needed in all 3 files if you are using both the sentinel apply and the sentinel test commands with your policy. The references in sentinel.hcl are needed for use with sentinel apply while the references in the pass.hcl and fail.hcl test cases are needed for use with the sentinel test command. If you are only using sentinel test, then you do not need the sentinel.hcl file with the Sentinel CLI at all. However, you would still need to define policy sets for use with Terraform Cloud or Terraform Enterprise with a sentinel.hcl file.

Note that the same file, sentinel.hcl, can be used both to define a policy set for TFC/E and as a configuration file for the Sentinel CLI’s apply command. However, anything other than modules and policies listed in the file will be ignored when the file is registered with TFC/E as a policy set.

Roger Berlind
Global Technology Specialist

P.S. Since you are asking several questions in this forum about Sentinel, I’m interested in knowing what company you work for. If that company has a support contract and/or a technical account manager, you might be able to get faster help via other channels.
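A drift check for the situation described in the answer above, added here as an example and not part of the original thread: because the module references are repeated in sentinel.hcl and in every test case, this compares them so that `sentinel test` and `sentinel apply` load the same module sources. The helper names, the regex-based parsing, and the sample file contents (including the local path in the constructed fail.hcl) are assumptions for illustration.

```python
import re

# Top-level `module "name" { source = "..." }` blocks. The unlabeled
# `module { ... }` nested inside mock blocks is deliberately not matched.
MODULE_RE = re.compile(
    r'^\s*module\s+"([^"]+)"\s*\{[^}]*?source\s*=\s*"([^"]+)"', re.MULTILINE)

def module_sources(hcl_text):
    """Map module name -> source string for one Sentinel HCL file."""
    return dict(MODULE_RE.findall(hcl_text))

def module_drift(root_hcl, test_cases):
    """Return {test case: [problems]} where module refs differ from sentinel.hcl."""
    expected = module_sources(root_hcl)
    report = {}
    for name, text in test_cases.items():
        found = module_sources(text)
        problems = []
        for mod, src in expected.items():
            if mod not in found:
                problems.append(f"missing module {mod}")
            elif found[mod] != src:
                problems.append(f"source mismatch for {mod}")
        problems += [f"extra module {m}" for m in found if m not in expected]
        if problems:
            report[name] = problems
    return report

# Constructed sample contents, modeled on the files quoted in the question.
BASE = ("git::https://github.com/hashicorp/terraform-guides.git"
        "//governance/third-generation/common-functions/")

def module_block(name, source):
    return 'module "%s" {\n    source = "%s"\n}\n\n' % (name, source)

PLAN = module_block("tfplan-functions", BASE + "tfplan-functions/tfplan-functions.sentinel")
CONF = module_block("tfconfig-functions", BASE + "tfconfig-functions/tfconfig-functions.sentinel")
MOCK = 'mock "tfplan/v2" {\n    module {\n        source = "./mockdata/mock-tfplan-pass.sentinel"\n    }\n}\n'

SENTINEL_HCL = PLAN + CONF
PASS_HCL = PLAN + CONF + MOCK
# Constructed drift: tfplan-functions points at a local copy, tfconfig-functions is absent.
FAIL_HCL = module_block("tfplan-functions", "./local/tfplan-functions.sentinel") + MOCK

if __name__ == "__main__":
    cases = {"pass.hcl": PASS_HCL, "fail.hcl": FAIL_HCL}
    for case, problems in module_drift(SENTINEL_HCL, cases).items():
        print(case, "->", "; ".join(problems))
```

A test case flagged here is exercising the policy against different module code than the policy set will load, so a passing `sentinel test` run says less about what is actually enforced.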

Hey @rberlind,

Thanks for the information. I didn’t understand the use cases for each file. Thanks for explaining it to me.

Glad to have helped you.
Roger