Sentinel Policy State in Terraform plan

amitbora12 · February 3, 2021, 6:36pm

I am going throiugh documents of sentinel policies, So Want to know more about as how would we know if the policy check is available or it is still running when we are using api call to get policy. As we need to add this to the current groovy code in speculative stage.so yeah, the state is one thing , but I am not sure if this is the final state of the run and we can really reply on that to always safely get this policy check in the console log.

How we can ensure that if this is final status of speculative run or planned_finished attribute is final state of the run?

Anyone can please describe more on this topic?

Regrads,
Amrita

vancluever · February 3, 2021, 9:05pm

Hey @amitbora12, you can access the policy check API to check the status of a policy check. Use the policy-checks field of the relationships field in the runs API to get the policy check attached to a run (see the sample response).

With regard to the final states of a policy check itself (the status field), the state will be one of passed, soft_failed, hard_failed, overridden, errored, or canceled. Some of these may not be relevant to speculative plans. You will want to ensure that the appropriate speculative plan run is complete before pulling down the final state of a policy check in any case; that should be when the run is in one of policy_checked (for passed), policy_soft_failed (for soft-mandatory failures), or errored (for hard-mandatory failures). For 100% confirmation on this, you can check with support (you should have access to support if you are using Sentinel in TFC).

PS: If you want more details and you can grok Go code, you can find more details on how speculative plans work by looking at plan in backend_plan.go and checkPoilcy in backend_common.go in the Terraform CLI source. This is what I was referencing for most of the detail I gave you.

Thanks!

amitbora12 · February 4, 2021, 10:50am

So, Do we have more than 1 policy check I’d per run and if yes how we can call specific policy check I’d and print their output in console
As till now, I have just create method for 1 policy check I’d and even I am not able to search Api for more than 2 policy check I’d
If anyone have any reference for this kind of API, please share with me as well.

If anyone has any idea,please let me know.

Regards,
Amrita