Hello everyone!
We are happy to announce the release of version 0.17.0 of the Sentinel runtime.
For the most recent changes, see the release notes:
https://docs.hashicorp.com/sentinel/changelog
To download the latest version of the Sentinel CLI, see the downloads page:
https://docs.hashicorp.com/sentinel/downloads
This update includes a very pivotal change to the Sentinel runtime - the ability to return non-boolean data within a policy. For more details, read on!
About Rich Return Types
One of the core features of the Sentinel runtime and language is the rule. The purpose of the rule is essentially to define behavior that dictates whether or not a policy passes or fails. To determine this, it evaluates an expression based on other data within the policy, and stores the result for the duration of the policy.
Rules up until now have required boolean expressions, reflective of the general role of Sentinel as a policy engine that authorizes requested actions based on input data. As is generally the natural logical flow in a programming language, boolean expressions short-circuit when it’s determined that evaluation of the rest of the expression will not have an impact on the outcome, such as a `true` value in an `or` expression or a `false` value in an `and` expression.
While this makes sense in some applications where speed is important, in other applications, such as Terraform Cloud, we have been seeing practitioners circumvent this short-circuit behavior to log additional data about all violations, with `main` and other rules being relegated to simple length checks on the result.
In an effort to continue to bring value to all features of the Sentinel language, rules have been updated so that they can now evaluate any expression and hold all basic Sentinel types - not just booleans, but also collections (lists and maps), strings, and numeric (floating-point and integer) values. Combined with the new higher-order `map` expression, this allows practitioners to create rich sets of reporting data without having to resort to roundabout tricks such as `print` messages and rules that would otherwise have no purpose.
We have also updated the trace to remove some not-so-helpful data, like the printing of boolean expressions within rules. We found that printing source code that a policy author more than likely had access to already, without any further context, was simply cluttering log output and not generating much value. We want to add a richer debugging experience in the future, but for now, the trace will mainly be showing you just rule output with the richer data.
Watch for rich return type support to be added in Sentinel’s integrations over the next few months, starting with Terraform Cloud. Most integrations will more than likely have basic support for the feature at first, so that policies returning non-boolean data work, with additional value-added features being added later.
For more details on how rich return types are used, see the Non-Boolean Values section of the rules page in the language reference.
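As an added illustration (not taken from the release post or from Sentinel’s own documentation), here is a small policy that uses rich return types together with the new emptiness comparison. The `instances` list is constructed inline to stand in for data an integration’s import would normally supply, and `check`, `checks` and `violations` are names chosen for this example.

```sentinel
# Added example, not part of the release post. The instance list below is
# constructed inline to stand in for data an integration import would supply.
instances = [
    {"name": "web-1", "instance_type": "t3.micro", "tags": {"env": "prod", "owner": "team-a"}},
    {"name": "web-2", "instance_type": "m5.24xlarge", "tags": {"env": "prod"}},
    {"name": "db-1", "instance_type": "t3.large", "tags": {}},
]

allowed_types = ["t3.micro", "t3.small", "t3.large"]
required_tags = ["env", "owner"]

# Describe everything that is wrong with one instance as a map.
check = func(inst) {
    return {
        "name":         inst.name,
        "bad_type":     inst.instance_type not in allowed_types,
        "missing_tags": filter required_tags as t { t not in keys(inst.tags) },
    }
}

# One report map per instance, built with the higher-order map expression.
checks = map instances as inst { check(inst) }

# Before 0.17.0 a rule could only hold a boolean, so this detail had to be
# pushed out with print(). Now the rule itself holds the list of violation
# maps, and that list is what the trace reports as the rule's value.
violations = rule {
    filter checks as c {
        c.bad_type or c.missing_tags is not empty
    }
}

# main still decides pass/fail; "is empty" is the new emptiness comparison.
# Here violations holds entries for web-2 (disallowed type, no "owner" tag)
# and db-1 (no "env" or "owner" tag), so main evaluates to false.
main = rule { violations is empty }
```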
What Else is New?
Rich return types are not the only new feature in 0.17.0. There is also:
- The addition of emptiness comparison expressions to help make checking empty collections more idiomatic.
- Maps are now comparable for equality.
- The CLI now has JSON output options for both `sentinel apply` and `sentinel test`.
- The addition of the `base64` import for working with base64-encoded data.
What is the Sentinel Runtime?
The runtime represents the Sentinel language engine and is the technology that is integrated into the enterprise versions of our open source products such as Terraform, Vault, Consul, and Nomad. Updates to the runtime may fix bugs or add features that are generally associated with the language itself and the standard library.
Functionality specifically associated with one product (example: Terraform Cloud and Enterprise’s Terraform-related imports) is updated on a separate schedule and is generally tracked within that product’s release notes.
Watch that product’s release notes as well for when they update the runtime - each product tracks the runtime on different schedules.
What is the Sentinel CLI?
The Sentinel CLI is a command-line interface for developing and testing policies. Having a standard workflow to develop policies is critical for our mission of policy as code. The CLI allows full use of the Sentinel engine, standard library, and supplied mock data to effectively test policies before they are added to a product that integrates Sentinel.
We ship an up-to-date version of the Sentinel CLI for every release of the runtime. To use the newest changes, download the simulator at the downloads page referenced at the start of this message.
Thanks, and we hope you enjoy the release!