Sentinel v0.11.0 - Language changes, decimal import, and more!

Greetings everyone!

We are happy to announce the release of version 0.11.0 of the Sentinel runtime.

For the most recent changes, see the release notes:

https://docs.hashicorp.com/sentinel/changelog

To download the latest version of the Sentinel Simulator, see the downloads page:

https://docs.hashicorp.com/sentinel/downloads

This is a large release that includes a new import, a new built-in, and important language features that deserve some breaking down. So let’s begin!

The decimal Import

We are very close to having cost estimation available in Terraform Cloud and Enterprise. An important part of our rollout strategy for this feature is the availability of an exact-precision decimal calculator for Sentinel. Sentinel’s floating-point number type is unsuitable for this task, as is floating-point in general, and incidentally has problems even representing numbers as innocuous as 1.1 or 2.2 when performing calculations.

Enter the decimal import. Using this import, you can represent numbers like this exactly and make calculations accurate up to 100 decimal places, offering much better accuracy than a simple floating-point number.

See the import documentation for more details! You will see this feature rolled out over the next couple of weeks in Terraform Cloud as the integrations update their respective versions of Sentinel.

The range Function

The range function was a previously unimplemented feature of the language spec, and was redacted until such time that we could re-add it. This is now complete, so you can now use this function to generate integer ranges as seen in the documentation.

List Comparison

Lists can now be compared for equality! Previously, ["foo", "bar"] is ["foo", "bar"] would give a runtime error, but no longer. This can possibly simplify policies that need to match specific lists, such as module paths in the Terraform imports. You can read all about the feature in the appropriate section of the lists reference.

Changes in Incomparable Types Behavior

In order to facilitate the above change to list equality, some key changes to the way we handle incomparable types needed to be made.

Previously, incomparable types for any operator would trigger an error in Sentinel, halting a policy. Going forward, only ordering (<, >, etc.) will behave this way; equality (is, is not, ==, !=) will instead return false on incomparable types. You will want to take note of this and adjust your policies if this affects you.
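
The list equality and incomparable-type behavior from the two sections above, as an added example policy that is not from the Sentinel documentation or team. All variable, function and rule names and the sample module paths are constructed, and the example assumes that a string and a list count as incomparable types.

```sentinel
# Added example, not from the Sentinel documentation. All names and values
# below are constructed sample data; in Terraform Cloud the module path
# would come from one of the Terraform imports.

# Allowlist of module paths, each expressed as a list of strings.
allowed_module_paths = [
	["network"],
	["network", "subnets"],
]

# A well-formed path: a list, like the allowlist entries.
path_as_list = ["network", "subnets"]

# A malformed path: a string where a list was expected.
path_as_string = "network.subnets"

# Returns true when path equals one of the allowlist entries.
is_allowed = func(path) {
	return any allowed_module_paths as allowed { allowed is path }
}

# List-to-list equality: a runtime error before 0.11.0, true now.
list_path_allowed = rule { is_allowed(path_as_list) }

# String-to-list equality compares incomparable types (assumption, see
# lead-in). Per the announcement this halted the policy before 0.11.0
# and now evaluates to false, so the rule fails instead of erroring.
string_path_allowed = rule { is_allowed(path_as_string) }

# Passes only if the list path matches and the string path does not.
main = rule { list_path_allowed and not string_path_allowed }
```

A policy that relied on the old runtime error to stop evaluation on mistyped data will now continue with a false result, so it is worth checking how each rule combines that result.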

Updates to Function Call Expressions and Method Calls on Imports

Finally, we have made changes to the import SDK and the runtime to allow for two important use cases. We’ll use the time import for the examples:

  • Multiple function calls in a single import expression. Previously, time.load(some_timestamp_here).before(another_timespace_here) would not work, due to limitations in the import plugin protocol and SDK. These have been fixed, and this example, along with others like it, now works.
  • Calling methods on the return data of an import. This allows you to do something like t = time.load(some_timestamp_here), and then call t.after(another_timespace_here). We hope that this extra functionality will open up new possibilities for import development!

For other changes, see the changelog!


What is the Sentinel Runtime?

The runtime represents the Sentinel language engine and is the technology that is integrated into the enterprise versions of our open source products such as Terraform, Vault, Consul, and Nomad. Updates to the runtime may fix bugs or add features that are generally associated with the language itself and the standard library.

Functionality specifically associated with one product (example: Terraform Cloud and Enterprise’s Terraform-related imports) is updated on a separate schedule and is generally tracked within that product’s release notes.

Watch that product’s release notes as well for when they update the runtime - each product tracks the runtime on different schedules.

What is the Sentinel Simulator?

The Sentinel Simulator is a command-line interface (CLI) for developing and testing policies. Having a standard workflow to develop policies is critical for our mission of policy as code. The simulator allows full use of the Sentinel engine, standard library, and supplied mock data to effectively test policies before they are added to a product that integrates Sentinel.

We ship an up-to-date version of the Sentinel Simulator for every release of the runtime. To use the newest changes, download the simulator at the downloads page referenced at the start of this message.

Thanks, and we hope you enjoy the release!
