Unable to get valid policy results on TFE server (on prem)

ashwinkupatkar · March 15, 2023, 9:33pm

Facing a weird issue:

On terraform cloud (team and governance subscription) :

when i try to run the terrafrom plan the sentinle policies are working as expected (i.e pass and fail scenarios working as expected)

When I try to run the same terraform plan for terraform enterprise on prem server , the sentinel policy passes eevrything , even the fail scenario it passess, which is incorrect.

on prem terraform enterprise server is v202209-2

I checked the mock data of the plan on both of these servers and they are identical.

Not sure, why on the terraform enterprise server the sentinel policy is failing to fail the terraform plan

Has anyone encountered an issue like this ?

hcrhall · March 15, 2023, 10:33pm

Are you using newer capabilities in the Sentinel configuration file that may not be available in the on-premises instance?

ashwinkupatkar · March 15, 2023, 10:54pm

Hi @hcrhall , thanks for responding…

my sentinel.hcl configuration file looks like below:

module "tfplan-functions" {
    source = "../common-functions/tfplan-functions/tfplan-functions.sentinel"
}

module "tfstate-functions" {
    source = "../common-functions/tfstate-functions/tfstate-functions.sentinel"
}

module "tfconfig-functions" {
    source = "../common-functions/tfconfig-functions/tfconfig-functions.sentinel"
}

module "azure-functions" {
    source = "./azure-functions/azure-functions.sentinel"
}

policy "storage-acccount-policy" {
    source = "./storage-account-policy.sentinel"
    enforcement_level = "soft-mandatory"
}

policy "vm-policy" {
    source = "./vm-policy.sentinel"
    enforcement_level = "soft-mandatory"
}

My policy files makes use of functions which are called from the main rule. I am using version 2 policy constructs.

Do you think this kind of sentinel.hcl configuration not supported for terraform enterprise server (on prem) ?

hcrhall · March 16, 2023, 12:22am

No that looks fine.

I think the best path forward is to raise a support request so we can try and work out what is happening at a platform level and compare the policy against all mock data. etc.

ashwinkupatkar · March 16, 2023, 4:23pm

I got the issue, the policy filter condition for provider name on tfe cloud was for public registry where as in the on prem setup it should have been a private registry so the policies were not working there.

I fixed it and its working as expected.

Thanks @hcrhall for looking into the issue.

Topic		Replies	Views
Sentinel pass param per policy issue with terraform entreprise Sentinel hcp-terraform	5	386	June 21, 2023
Error downloading Sentinel policy Sentinel testing	4	2575	September 21, 2021
Sentinel Policy To Evaluate Terraform Configuration for Azure NSG Ruleset Sentinel	4	1577	August 5, 2019
Using `sentinel apply` cli to develop new policies by testing against real tf configs Sentinel	1	449	September 14, 2021
Import "tfplan/v2" is not available Sentinel azure	9	3889	December 11, 2021

Unable to get valid policy results on TFE server (on prem)

Related topics