Sentinel v0.15.0 - introducing modules!

Greetings everyone!

We are happy to announce the release of version 0.15.0 of the Sentinel runtime.

For the most recent changes, see the release notes:

https://docs.hashicorp.com/sentinel/changelog

To download the latest version of the Sentinel CLI, see the downloads page:

https://docs.hashicorp.com/sentinel/downloads

This update introduces a very important new addition to Sentinel - modules!

Additionally, similar to what happened in Sentinel 0.14.0, this is the first release where Windows binaries will now be signed. This will ensure that you can run the Sentinel binary on Windows without warnings or other restrictions that may be in place for unsigned programs.

Introducing Modules

With this release, we are formally introducing the ability to include modules within a Sentinel configuration - allowing you to load in Sentinel code as an import.

You can use modules to write re-usable helper functions, ship common rules, or abstract Sentinel imports in ways that are specific for your own organization’s use case, reducing the actual amount of code that needs to go into a policy itself.

At this point in time, modules can only be loaded off of the local filesystem, but we are currently working on remote module capabilities that will be released within the runtime soon.

We encourage you to read up on the Modules section of the documentation for further details!

Support for modules will be landing in Terraform Cloud within the next couple of weeks. For more details, see the Sentinel section of the Terraform Cloud documentation, particularly the Managing Sentinel Policies section.


What is the Sentinel Runtime?

The runtime represents the Sentinel language engine and is the technology that is integrated into the enterprise versions of our open source products such as Terraform, Vault, Consul, and Nomad. Updates to the runtime may fix bugs or add features that are generally associated with the language itself and the standard library.

Functionality specifically associated with one product (example: Terraform Cloud and Enterprise’s Terraform-related imports) is updated on a separate schedule and is generally tracked within that product’s release notes.

Watch that product’s release notes as well for when they update the runtime - each product tracks the runtime on different schedules.

What is the Sentinel CLI?

The Sentinel CLI is a command-line interface for developing and testing policies. Having a standard workflow to develop policies is critical for our mission of policy as code. The CLI allows full use of the Sentinel engine, standard library, and supplied mock data to effectively test policies before they are added to a product that integrates Sentinel.

We ship an up-to-date version of the Sentinel CLI for every release of the runtime. To use the newest changes, download the simulator at the downloads page referenced at the start of this message.

Thanks, and we hope you enjoy the release!


Sentinel v0.15.1 has been released!

This release is a minor update to the runtime VM that corrects how modules are handled in concurrent scenarios. Note that as of this release, we have yet to integrate modules into the HashiCorp product line (TFC/TFE, Vault/Consul/Nomad Enterprise), and this change does not affect the CLI, so it’s effectively zero-impact.

See the release notes and the downloads page for more details!


Sentinel v0.15.2 has been released!

There are two minor bug fixes included in this release. First up is a fix to the types import to ensure that undefined types are being returned correctly from type_of calls. Secondly, a fix to the printer to ensure empty # line comments do not cause a panic while using sentinel fmt.

Don’t forget to check the release notes and the downloads page!

Sentinel v0.15.3 has been released!

There are a number of bug fixes and aesthetic improvements in this release. We have fixed an issue in lang/printer where deeply nested structures and/or loops were slower than they could be. We also improved runtime/localast to rewrite IndexExpr expressions correctly, while also ensuring SelectorExpr updates with any nested rewrites.

Regarding improvements, within imports/decimal we added is_nan, is_inf and is_infinite as alias methods for isnan and isinfinite respectively, to improve naming consistency. Policy descriptions are now output within sentinel apply when a trace is requested via -trace. Lastly, the output formatting for the String method on EvalPolicyResult was improved to support larger policy descriptions.

Don’t forget to check the release notes and the downloads page!

Sentinel v0.15.4 has been released!

This is a small release that includes a single bug fix. There was an issue with the standard imports that was affecting the handling of null data within lists that has been resolved.

Don’t forget to check the release notes and the downloads page!

That's a cool feature indeed; however, I found it strict in terms of naming conventions. Do we really need to follow the same folder structure and naming convention (common-functions/… e.g.)?

Hi @rusticshiv86,

Do you have an example that you can share so we have a better understanding of the structure that you are referring to? Are you referring to the folder structure that is required for testing where the tests must be in a directory that is named the same as the policy?

Thanks @hcrhall.

Actually, I am talking about common functions in general. The question is, do we have to strictly follow the https://github.com/hashicorp/terraform-guides/tree/master/governance/third-generation structure? When I try to rename common functions with policy-functions and create more folders inside it, results start failing. Of course, I am passing the updated correct paths in import.

Thanks for confirming @rusticshiv86.

To answer your question, no, you do not need to strictly follow the pattern that is used in the terraform-guides example. These are sample policies for you to reference as you write your own policies. The only rule I know of where we have very strong opinions on the structure is when it comes to testing via the Sentinel CLI which is documented here.

If you are getting failures once you have restructured, I would make a point of checking all known file types for the older paths by executing the following in the policy directory:

$ grep -r --include='*.json' --include='*.hcl' 'common-functions' .

I suspect that where you may be having issues is within the *.json configuration for the tests.

Hope this helps.

Ryan

Sentinel v0.15.6 has been released!

This is a small release that includes lower level changes related to managing policies. There are no user-facing changes.

Don’t forget to check the release notes and the downloads page!