Unexpected error of Sentinel test after upgrading to 0.19.x

Hi Sentinel community,

Since the release of version 0.19.x of Sentinel, our tests are failing with an unexpected exception.

The error message states (example):

Error configuring module "tfplan-functions": 1 error occurred:
	* unexpected node type *localast.ImportExpr when walking

This is happening for both versions 0.19.0 and 0.19.1.

Our project structure looks as follows:

.
├── sentinel.hcl
├── 001-policy.sentinel
├── common-functions
│  └── tfplan-functions
│     └── tfplan-functions.sentinel
└── test
   └── 001-policy
      ├── test-xx-fails.hcl
      ├── test-yy-fails.hcl
      ├── test-zz-passes.hcl
      └── testdata
          ├── mock-tfplan-xx.sentinel
          ├── mock-tfplan-yy.sentinel
          └── mock-tfplan-zz.sentinel

Our test files look like the following:

mock "tfplan-functions" {
  module  {
    source = "../../common-functions/tfplan-functions/tfplan-functions.sentinel"
  }
}

mock "tfplan/v2" {
  module  {
    source = "testdata/mock-tfplan-xx.sentinel"
  }
}

test {
  rules = {
    main = false
  }
}

It seems that the way of importing modules and mocks has changed with 0.19. However, even updating the test files to e.g. the following does not solve the error:

import "module" "tfplan-functions" {
  source = "../../common-functions/tfplan-functions/tfplan-functions.sentinel"
}

mock "tfplan/v2" {
  module  {
    source = "testdata/mock-tfplan-xx.sentinel"
  }
}

test {
  rules = {
    main = false
  }
}

Does anybody else experience this behaviour and is there any solution / reference to the documentation to address it?

Many thanks in advance!

Hi @ddetering,

Thanks for raising the issue, we are looking into it. For now, you should be okay to revert to 0.18.13 for testing until the fix has been released.

Thanks for your reply @cam-stitt.

For internal reference: we also have a support ticket open addressing this issue: 93385.

For us it’s most important that no Terraform Enterprise upgrade is using 0.19.x as Sentinel runtime before that one is fixed, because that would block our patch management process.

Absolutely, no upgrade to 0.19 will happen until the new year, and this issue is resolved.

Perfect, thank you @cam-stitt

FYI, I’ve just released 0.19.2-rc1 which has a potential bug fix for your issue. If you are able to test it out and let me know the outcome that would be great.

https://releases.hashicorp.com/sentinel/0.19.2-rc1/

Thanks for taking a look at this issue that fast!

With 0.19.1, we’re getting 70 passing and 651 failing tests.
With 0.19.2-rc1 it’s getting better with 580 passing and 141 failing.

It’s creating the same error message for the failing tests (but now basically always outputting it twice):

  Error configuring policy 2 errors occurred:
	* unexpected node type *localast.ImportExpr when walking
	* unexpected node type *localast.ImportExpr when walking

Hi,

FWIW, I was also getting this same issue with 0.19.1 (0.19.0 partially fixed it in some new tests but not all). It would only pass the first (alphanumeric ordered) test which for a lot of my tests is 50% but for some of the cloud-agnostic ones there were multiple tests per policy.

I just want to report that when using 0.19.2-rc1 all of my tests are now passing.

Also ran into this issue today when attempting to setup github actions using hashicorp/sentinel-github-actions with stl_actions_version: ‘latest’

Posting to be notified of updates, thank you.

FWIW I tried to run the action with 0.19.2-rc1 and it seemed to throw less errors, but still a couple:

FAIL - github.sentinel

48 PASS - test/github/fail-all.hcl

49 ERROR - test/github/fail-stray-github-resource.hcl

50 Error configuring policy 1 error occurred:

51 * unexpected node type *localast.ImportExpr when walking

52

53

54 ERROR - test/github/pass-grandfathered-in-github-resource.hcl

55 Error configuring policy 1 error occurred:

56 * unexpected node type *localast.ImportExpr when walking

57

58

59 ERROR - test/github/pass.hcl

60 Error configuring policy 1 error occurred:

61 * unexpected node type *localast.ImportExpr when walking

Only this particular test folder seems to have an issue though.

sorry replied to wrong thread. /facepalm

Thank you everyone for providing us with details surrounding the ongoing issues, in particular any issues that were still present in 0.19.2-rc1. Our team is getting back up to speed after a well deserved holiday break and will be working on resolving this issue as soon as possible.

Hi @joshtrutwin Are you able to share the policies and test files for the failures? This would really help and speed up resolving the problem. Thanks.

I’d like to publicly share my latest finding I also already added to the support ticket:

Extract of a plan mock:

"security": [
    {
        "enable_backend_tls11":                           true,
        "enable_frontend_tls11":                          true,
        "tls_rsa_with_aes256_cbc_sha256_ciphers_enabled": true,
        "triple_des_ciphers_enabled":                     true,
    },
],

So far, we are addressing the specific attributes for policy checks by using the dot notation:
apim.change.after.security[0].enable_backend_tls11

This results in the exception already provided:

    Error configuring policy 1 error occurred:
        * unexpected node type *localast.ImportExpr when walking

When addressing the attribute the following way, it seems to work like before/expected:
apim.change.after.security[0]["enable_backend_tls11"]

To be honest, I’m not able to find the dot notation in the documentation, although it has worked perfectly fine before.

Hi all. We have a fix for this and will be working on getting a release out when possible. Thanks for your patience!

Hi all. Sorry that it took so long, but Sentinel 0.19.2 is out with a fix for test command. Thanks so much for raising the issue and your patience.

Many thanks for the update and for addressing the issue. I can confirm, that with 0.19.2 all of our tests are working again. Good job!