I’m writing some Sentinel policies and have been using the TF docs to get the attributes for searching, etc. I ran into an issue and now think I may be doing this wrong. Should I instead be using the attributes in the plan? If so, which block do I use to get the attributes (planned_values, resource_changes, or configuration)?
I recommend using the resource_changes collection in the tfplan/v2 import so you can prevent your policy from being applied when a resources is being permanently deleted. This is what I do in the find_resources() function in the hashicorp/terraform-guides repository that has a lot of good sample Sentinel policies and functions for use with Terraform Cloud and Terraform Enterprise under governance/third-generation. You can probably write 90% or more of the Sentinel policies you’ll want to write for TFC/E by calling the functions I’ve written in the tfplan-functions Sentinel module without having to use more complex Sentinel language elements like for loops and if/else conditionals.
I think you might also find the following documents useful:
- The Sentinel language reference
- The Terraform Sentinel docs
- My Introduction to Sentinel slides
- My Writing and Testing Sentinel Policies for Terraform guide.
And if you would like to do some hands-on exercises to learn how to write and test Sentinel policies for Terraform using the common-functions mentioned above, see the Sentinel for Terraform v3 workshop slides in which you’ll find links to 2 Instruqt tracks that contain that workshop’s labs.
I hope that helps,
Global Technology Specialist
The most detailed document on the Sentinel language is https://docs.hashicorp.com/sentinel/language/spec
I might be able to provide better guidance if you describe the actual issue you are having.
Hey @rberlind ,
Just trying to get up to speed as quickly as possible as well as understand the limitations of Sentinel so I don’t overpromise.