Sentinel policy to check VM agents getting deployed using custom-data/user-data

Hi Team,

Can we write Sentinel policies to check whether specific VM agents are getting installed or not via user-data on AWS or custom data on Azure VMs? I can still check if an extension I want is added to a VM using azurerm_virtual_machine_extension, but this still doesn’t help me parse the init file for a specific agent lookup.

Based on security compliance requirements, I want to create a policy that evaluates, before provisioning, that all VMs have the required set of agents installed. And they can only do it either with custom data or with azurerm_virtual_machine_extension.

Can you help on this?

Hi @jhabikal21,

I’m sure the implementation between the two cloud providers varies, but here is an example of how you could use the base64 import to decode the value of the custom_data that has been supplied in the Terraform configuration. Then it’s a case of performing some regex magic to look for unsupported configuration.

I’m not sure if this is the best way of doing it, but it may give you some ideas.
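The approach described in the reply above, written out as an added example policy that is not the poster's own code: it decodes `custom_data` from the plan with the `base64` import and requires every agent pattern to match. The `tfplan/v2` import, the `azurerm_linux_virtual_machine` resource type and the two agent patterns are assumptions for illustration (on the legacy `azurerm_virtual_machine` resource the value sits under `os_profile` instead).

```sentinel
# Added example policy, not the forum post's own code. The resource type,
# the tfplan/v2 import and the agent patterns below are illustrative assumptions.
import "tfplan/v2" as tfplan
import "base64"

# Regexes that must each match somewhere in the decoded cloud-init script.
# Hypothetical markers; replace with the real install commands you require.
required_agents = {
	"monitoring": "(?i)install[-_ ]monitoring[-_ ]agent",
	"edr":        "(?i)install[-_ ]edr[-_ ]agent",
}

# Azure VMs that this plan will create or update.
vms = filter tfplan.resource_changes as _, rc {
	rc.type is "azurerm_linux_virtual_machine" and
	rc.mode is "managed" and
	(rc.change.actions contains "create" or rc.change.actions contains "update")
}

# Decode custom_data (base64 in the plan) and return the agents not found in it.
# A VM with no custom_data at all is missing every required agent.
missing_agents = func(rc) {
	encoded = rc.change.after.custom_data else ""
	if encoded is null or encoded is "" {
		return keys(required_agents)
	}
	decoded = base64.decode(encoded)
	return filter keys(required_agents) as name {
		not (decoded matches required_agents[name])
	}
}

# VMs with at least one missing agent; printed so the run output names them.
vms_missing_agents = filter vms as _, rc {
	length(missing_agents(rc)) > 0
}

for vms_missing_agents as address, rc {
	print(address, "is missing required agents:", missing_agents(rc))
}

main = rule {
	length(vms_missing_agents) is 0
}
```

Because `custom_data` is a sensitive attribute in the provider, confirm that it is still populated in the plan data your Sentinel run sees before relying on this check; a VM that installs agents only through `azurerm_virtual_machine_extension` would need a separate rule.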