Hello,
I have a problem passing a per-policy param in Sentinel with Terraform Cloud. In my sentinel.hcl I have this declaration:
policy "restrict-vpc-cidr" {
  source            = "./restrict-vpc-cidr.sentinel"
  enforcement_level = "hard-mandatory"
  params = {
    "policy_name" = "restrict-vpc-cidr"
  }
}
and in the .sentinel file I am using that param like this:
param policy_name
But when it executes in Terraform Enterprise I get this error:
An error occurred:
./restrict-vpc-cidr.sentinel:10:1: parameter "policy_name" required but no value provided
I need this to get the policy name at execution time so I can relate the workspace to the policy name,
but there is no built-in variable to get the policy name and use it in my .sentinel files, so I am trying to pass the policy name to my policy as a param.
Any suggestions?
@nabilAd
- Can you confirm which version of Sentinel you are running and the TFE release version?
- Can you share the contents of the policy?
- Are you getting this error in TFE or in the Sentinel CLI? If it's the latter and you are running the test command, make sure you have provided the value for the parameter in the test case HCL configuration.
I have the following in my sentinel.hcl:
policy "advanced_security_is_enabled" {
  source            = "./policies/github_repository/github_repository_security_and_analysis.sentinel"
  enforcement_level = "hard-mandatory"
  params = {
    feature = "advanced_security"
  }
}
The policy contents are as follows:
import "tfplan/v2" as tfplan
import "spec"

param feature

# Managed github_repository resources being created, updated or left as-is
resources = filter tfplan.resource_changes as _, rc {
  rc.type is "github_repository" and
  rc.mode is "managed" and
  rc.change.actions[0] in ["create", "update", "no-op"]
}

# Repositories whose selected security feature does not match the spec
violations = filter resources as _, resource {
  resource.change.after.security_and_analysis is not defined or
  resource.change.after.security_and_analysis[0][feature] is not spec.security_and_analysis[0][feature]
}

main = rule {
  violations
}
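To make the second bullet above concrete (providing the parameter value in the test case configuration so `sentinel test` does not stop with "parameter ... required but no value provided"), here is a test case file for the `restrict-vpc-cidr` policy from the first post. This is an added example written for this thread, not a file from either participant; the test directory layout and the mock module paths are assumptions, and the mock files themselves are not shown.

```hcl
# test/restrict-vpc-cidr/pass.hcl
# Constructed example: a Sentinel CLI test case for restrict-vpc-cidr.sentinel.
# The policy declares `param policy_name`, so the test case has to supply a
# value for it; per-policy `params` in sentinel.hcl do not apply to test runs.
param "policy_name" {
  value = "restrict-vpc-cidr"
}

# The policy imports two modules. In a test they are replaced by mocks; the
# file paths below are assumptions for this example.
mock "tfplan-functions" {
  module {
    source = "../../mocks/mock-tfplan-functions.sentinel"
  }
}

mock "policy-workspace-exceptions" {
  module {
    source = "../../mocks/mock-policy-workspace-exceptions.sentinel"
  }
}

# Expected outcome for this case: with a compliant plan mock, `main` passes.
test {
  rules = {
    main = true
  }
}
```

Run `sentinel test` from the directory containing sentinel.hcl; a test case whose `param` block is missing is the situation the bullet describes, and is also the quickest way to tell a CLI-side configuration gap apart from a TFE-side problem.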
@hcrhall
Thank you for your answer.
1. For Sentinel I am using version 0.21.1 to test, and TFE v202305-2.
2. Here is the policy content:
import "tfplan-functions" as plan
import "policy-workspace-exceptions" as exceptions

param policy_name

print("The policy name : ", policy_name)
print("THE EXCEPTIONS : ", exceptions.is_exempt(policy_name))

# Discover any AWS VPCs in the Terraform plan
awsVpcInPlan = plan.find_resources("aws_vpc")

# Evaluate every VPC and validate that the cidr_block attribute starts with "10." or "172." using
# the filter_attribute_does_not_match_regex function from the tfplan-functions module.
# The regex is anchored on the dot so that prefixes such as "100." or "1720." do not match.
violatingVpcs = plan.filter_attribute_does_not_match_regex(
  awsVpcInPlan,
  "cidr_block",
  "^(172|10)\\.",
  true,
)

main = rule {
  length(violatingVpcs["messages"]) is 0 or exceptions.is_exempt(policy_name)
}
- In the Sentinel CLI it is working fine with the test and apply commands, but I am getting the error on TFE.
Hi @nabilAd ,
Unfortunately, there is an issue with per-policy params in TFE v202305-2. That TFE release actually only went to Sentinel 0.21.0, which had a bug with per-policy params. The next TFE release will include the fix, and should be coming out in the next few days.
Sorry for the hassle!
Hello @cam-stitt
Thank you for this information, but I still have the same issue even with the new TFE version v202306-1, which uses Sentinel 0.22.0, and the patch notes list the bug fix for that.
Is there any explanation?
Thank you
Hi @nabilAd,
It seems there is another bug specific to per-policy params in the TF Sentinel workflow. I am working on a bug fix, which will release 0.22.1 and then have this flow into the worker.
I will see if it’s possible to backport this fix, however it may not be possible and may be in v202307-1.
I’m sorry about this and thank you for raising this issue.