Unable to resolve local value

karvounis-form3 · January 3, 2024, 8:46am

Hello there,

We want to create a Sentinel policy that checks whether the region for the AWS provider belongs to a list of approved regions (like eu-west-1, eu-west-2 but not us-east-1). Policy works like a charm when the region attribute is a static string or a variable but it is not possible to evaluate it when it is a local value.
How do you suggest making sure we are able to evaluate local values in Sentinel? Is that even possible?

tfplan-v2.sentinel extract:

"module.creds:aws.local": {
	"alias": "local",
	"expressions": {
		"region": {
			"references": [
				"local.aws_region",
			],
		},
	},
	"full_name":      "registry.terraform.io/hashicorp/aws",
	"module_address": "module.creds",
	"name":           "aws",
},

sean.meininger · January 3, 2024, 5:09pm

Hello-

At present, governing locals with Sentinel does not work. This is because Sentinel mocks are generated based on information in the underlying Terraform run’s plan, and Terraform itself does not expose locals there.

The absence of the locals can be observed by using terraform show -json against a given plan file from a run that uses them.

marcello.romo · July 22, 2024, 4:49pm

Hi @sean.meininger did you try using this data sources? state.find_datasources, remember data sources are like a time.line (past, present and future) each data source shows different info depending what you want to grab.

Topic		Replies	Views
Local Execution Mode Enforcement Sentinel	3	1055	December 13, 2021
How to write Sentinel policies Sentinel	38	5338	April 22, 2021
Using `sentinel apply` cli to develop new policies by testing against real tf configs Sentinel	1	489	September 14, 2021
Sentinel checks of mixed values (references and constants) Sentinel	4	949	December 3, 2021
Enable/disable Sentinel Policies Based on Environment Sentinel testing	8	2382	May 14, 2021

Unable to resolve local value

Related topics