Sentinel policy to check VM agents getting deployed using custom-data/user-data

Hi Team,

Can we write Sentinel policies to check whether specific VM agents are getting installed or not, using user-data on AWS or custom data on VMs? I can still check if an extension I want is added to a VM using azurerm_virtual_machine_extension, but this still doesn’t help me parse the init file for a specific agent lookup.

Based on security compliance, I want to create a policy to evaluate that all VMs, before provisioning, must have the required set of agents installed. And they can only do it either with custom data or with azurerm_virtual_machine_extension.

Can you help on this?

Hi @jhabikal21,

I’m sure the implementation between the two cloud providers varies, but here is an example of how you could use the base64 import to decode the value of the custom_data that has been supplied in the Terraform configuration. Then it’s a case of performing some regex magic to look for unsupported configuration.

I’m not sure if this is the best way of doing it, but it may give you some ideas.
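The answer above refers to an example that is not reproduced on this page. The policy below is an added illustration of the same approach (it is not the original poster's code): it pulls each VM that the plan will create out of `tfplan/v2`, base64-decodes its `custom_data` (or reads `user_data` / `user_data_base64` for an `aws_instance`, which the question also mentions), and then requires every pattern in a map of agent regexes to match the decoded script. The agent names and patterns in `required_agents` are constructed placeholders, the resource types list is an assumption about which resources you use, and the policy assumes the Sentinel runtime exposes the sensitive `custom_data` value in `change.after`.

```sentinel
import "tfplan/v2" as tfplan
import "base64"

# Agents every VM must install, as regular expressions matched against the
# decoded init script. Constructed sample entries; replace with your own.
required_agents = {
  "monitoring-agent": "(apt-get|yum|dnf) install .*monitoring-agent",
  "edr-agent":        "edr-agent",
}

# Resource types whose init script we know how to read (assumption).
vm_types = [
  "azurerm_linux_virtual_machine",
  "azurerm_windows_virtual_machine",
  "aws_instance",
]

# VMs that this plan creates; updates of existing VMs are left alone here.
vms = filter tfplan.resource_changes as _, rc {
  rc.type in vm_types and
  rc.mode is "managed" and
  rc.change.actions contains "create"
}

# Return the plain-text init script for one planned VM, or "" if none is set.
# Azure custom_data is base64 in the config; AWS user_data is plain text and
# user_data_base64 is the base64 form.
init_script = func(rc) {
  after = rc.change.after
  if rc.type is "aws_instance" {
    plain = after.user_data else null
    if plain is not null {
      return plain
    }
    encoded = after.user_data_base64 else null
    if encoded is null {
      return ""
    }
    return base64.decode(encoded)
  }
  encoded = after.custom_data else null
  if encoded is null {
    return ""
  }
  return base64.decode(encoded)
}

# Names of required agents whose pattern does not appear in the script.
missing_agents = func(script) {
  missing = []
  for required_agents as name, pattern {
    if not (script matches pattern) {
      append(missing, name)
    }
  }
  return missing
}

# Map of resource address -> list of missing agents, for the policy output.
violations = {}
for vms as address, rc {
  missing = missing_agents(init_script(rc))
  if length(missing) > 0 {
    violations[address] = missing
  }
}

if length(violations) > 0 {
  print("VMs missing required agents:", violations)
}

main = rule { length(violations) is 0 }
```

Two caveats worth knowing before relying on this. The regexes only see what is literally in the init script, so an agent installed by a script that the init file downloads and runs will not be detected; pattern choice decides how strict the check is. And a VM whose agent arrives through azurerm_virtual_machine_extension instead cannot be tied back to its VM at plan time, because the extension's `virtual_machine_id` is computed, so exempting such VMs needs either a separate rule over the planned extension resources or an enforcement level of soft-mandatory for this one.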

Thanks for sharing these insights mate as I found it very much useful and informative.