I’m writing some Sentinel policies and have been using the TF docs to get the attributes for searching, etc. I ran into an issue and now think I may be doing this wrong. Should I instead be using the attributes in the plan? If so, which block do I use to get the attributes (planned_values, resource_changes, or configuration)?
I recommend using the resource_changes collection in the tfplan/v2 import so you can prevent your policy from being applied when a resource is being permanently deleted. This is what I do in the find_resources() function in the hashicorp/terraform-guides repository that has a lot of good sample Sentinel policies and functions for use with Terraform Cloud and Terraform Enterprise under governance/third-generation. You can probably write 90% or more of the Sentinel policies you’ll want to write for TFC/E by calling the functions I’ve written in the tfplan-functions Sentinel module without having to use more complex Sentinel language elements like for loops and if/else conditionals.
I think you might also find the following documents useful:
- The Sentinel language reference
- The Terraform Sentinel docs
- My Introduction to Sentinel slides
- My Writing and Testing Sentinel Policies for Terraform guide.
And if you would like to do some hands-on exercises to learn how to write and test Sentinel policies for Terraform using the common-functions mentioned above, see the Sentinel for Terraform v3 workshop slides in which you’ll find links to 2 Instruqt tracks that contain that workshop’s labs.
I hope that helps,
Roger Berlind
Global Technology Specialist
HashiCorp
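As an added illustration of the approach described in the answer above (this is example code written for this page, not the thread's own code and not the policy or function bodies from the hashicorp/terraform-guides repository), here is a small tfplan/v2 policy that reads resource attributes from resource_changes, skips resources that are only being deleted, and checks a planned attribute value against an allowed list. The resource type aws_instance, the attribute instance_type and the allowed_types list are assumptions chosen for the example.

```sentinel
# Example policy (not from the thread or terraform-guides): attribute checks
# driven by the tfplan/v2 resource_changes collection.
import "tfplan/v2" as tfplan

# Constructed allowed list; assumed for this example.
allowed_types = ["t3.micro", "t3.small"]

# Select managed resources of one type that will still exist after the plan.
# Resources whose only action is "delete" are left out, so a run whose sole
# effect is removing an offending resource is never blocked by this policy.
find_resources = func(type) {
  resources = filter tfplan.resource_changes as address, rc {
    rc.type is type and
    rc.mode is "managed" and
    (rc.change.actions contains "create" or
     rc.change.actions contains "update" or
     rc.change.actions contains "read" or
     (rc.change.actions contains "no-op" and rc.change.after is not null))
  }
  return resources
}

# Return the resources whose planned ("after") value for attr is not in allowed.
# change.after is the post-apply state Terraform expects; a value that is only
# known after apply is absent from it (it appears in change.after_unknown), so a
# missing value is reported as a violation rather than silently accepted.
filter_attribute_not_in_list = func(resources, attr, allowed) {
  violators = {}
  for resources as address, rc {
    value = rc.change.after[attr] else null
    if value is null or value not in allowed {
      violators[address] = rc
      print(address, "has", attr, value, "which is not in", allowed)
    }
  }
  return violators
}

instances = find_resources("aws_instance")
violators = filter_attribute_not_in_list(instances, "instance_type", allowed_types)

# The policy passes only when no selected resource violates the allowed list.
main = rule {
  length(violators) is 0
}
```

Because the check reads rc.change.after, it sees the value Terraform plans to apply, which is what you usually want for enforcement; planned_values would give the same post-apply view without the action information needed to skip deletions, and configuration reflects HCL as written, including unresolved expressions, so it is the wrong place to read concrete attribute values from.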
Hey @rberlind Thanks for the links. I’ve reviewed all of those and was hoping for something a little more in-depth like The Java® Language Specification (oracle.com)
The most detailed document on the Sentinel language is https://docs.hashicorp.com/sentinel/language/spec
I might be able to provide better guidance if you describe the actual issue you are having.
Roger
Hey @rberlind ,
Just trying to get up to speed as quickly as possible as well as understand the limitations of Sentinel so I don’t overpromise.
William