Sentinel policy to use tf-run to not let a plan run when AWS_SECRET_ACCESS_KEY be non-sensitive

tpiercy · April 20, 2022, 6:50pm

I am trying to get use tf-run in Sentinel to stop any workspace for running a plan when AWS_SECRET_ACCESS_KEY environment variable is not marked as sensitive.

terraform-guides/sensitive.sentinel at master · tpiercy6/terraform-guides · GitHub I am trying something along these lines. Anyone have any feedback?

hcrhall · April 20, 2022, 9:26pm

Hi @tpiercy,

Thanks for reaching out. Unfortunately the outcome you are looking for is not achievable in the current implementation of Terraform Policies. Policy checks are triggered between the plan and apply stage. Since the plan stage has already taken place, Sentinel cannot block the run. You can block the run from progressing to the apply stage, but you cannot block the plan. This is definitely something that we would like to address in the future.

Hope this helps.

Ryan Hall

tpiercy · April 20, 2022, 10:51pm

How specifically would you block it in the apply stage? Do you have any examples ?

Tyler Piercy
Senior Solutions Engineer
321-298-9834

hcrhall · April 21, 2022, 12:46am

Not in a repo, but the following example should help:

https://play.sentinelproject.io/p/hU8hPkIs5Jt

tpiercy · April 21, 2022, 1:36am

Thank you!

Tyler Piercy
Senior Solutions Engineer
321-298-9834