Sentinel policy that looks for values that do not start with value

I am trying to find a way to make sure all of my azurerm_app_service_environment_v3 resources are using cipher value of TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 or TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256.

the value is in the mock files as

after": {
	"cluster_setting": [
			"name":  "InternalEncryption",
			"value": "true",
			"name":  "FrontEndSSLCipherSuiteOrder",
			"value": "asdfasdf",
			"name":  "DisableTls1.0",
			"value": "1",

here is the link to the playground not sure where I am making my mistake

It looks like you are trying to use the tfplan-functions helpers, but have not made them available to the playground for your testing.

I’ve copied over the tfplan-functions file as another mock and your code is working!

Thank you for correcting that error,

When I test with the pass values the policy shows as failed

I have updated the mock test case with the string value on the playground.

Hi @frank.lugo,

I’ve spent some time refactoring your policy to avoid the use of tfplan-functions. This allows a clearer picture of what is required to successfully evaluate the result.

The trick is that the ciphers are a string, and using a prefix check may not guarantee the correct result.


@cam-stitt, I am not exactly sure what you mean by “avoid the use of tfplan-functions”. I was under the impression that reference still goes back to tfplan-functions.sentinel file in the common functions folder.

The example I most recently shared does not make any use of the tfplan functions. It is using only using the tfplan/v2 import and the strings import.