Using `sentinel apply` cli to develop new policies by testing against real tf configs

Hi, I’m somewhat new to Sentinel and have been tasked with developing a new policy using the tfconfig module against Terraform 0.13.7 in Terraform Enterprise.

When I cd to a terraform config directory and run sentinel apply [../../path/to/my-policy].sentinel I get the following error: my-policy.sentinel:6:1: Import "tfconfig" is not available. My sentinel.hcl file in the same dir as the policy only contains a single “policy” block and nothing else.

My understanding is that the “correct/suggested” way to test policies is to create test cases and run sentinel test, but I would really like to run something like sentinel apply ... on a local Terraform config directory just to see what the output would be for a particular policy against a particular config during active development. Of course, I intend to solidify all minimal cases into true tests and check them with sentinel test before committing and uploading to TFE, but right now I’m looking for a lower-friction way to explore/demo candidate policies before fully committing to specific tests.

Not only would this interaction model help me explore the tool with less friction, it would also enable me to demonstrate the effects and capabilities of a new potential policy to less technical stakeholders who respond better to dynamic real-world examples than unreadable or aggressively simplified test cases that are best suited to CI automation.

I would be grateful for answers to any of these questions:

  1. Is using the sentinel cli to check examples of local terraform configs a reasonable thing to want to do?
    a. Am I just doing it wrong? / How can I use one of the built-in imports such as tfconfig or tfplan/v2 with the cli?
    b. -OR- What should I be doing instead?
  2. Are there any other resources that would help me develop sentinel policies?

Resources I’ve found:

Hi @infogulch,

Not sure if you have read my response in the related topic that you have referenced, but I think that you are missing the following from your sentinel.hcl.

```hcl
module "tfplan/v2" {
  source = "./<path>/mock-tfplan-v2.sentinel"
}
```

Note: This will need to be removed or commented out before you can use the file as the configuration of a Terraform Policy Set.

In response to your questions:

Is using the sentinel cli to check examples of local terraform configs a reasonable thing to want to do?

This seems like a perfectly reasonable request; however, this is currently achievable through the use of mock data generated from TFC/E. The most common workflow is testing, which uses the test command. Prerequisites for this flow usually involve the creation of mock data that allows you to mimic behavior when a policy passes or fails.

The apply command is primarily used to ensure that the configuration in your sentinel.hcl file is valid and will surface errors when policy blocks share the same name etc.

This policy learn track may assist with understanding the workflow a bit better.

Are there any other resources that would help me develop sentinel policies?

There are a number of resources available. The third generation repository has a couple of examples within and has a great module library that abstracts away a lot of the complexity of writing policy.

There is also the Terraform Foundational Policy Library which contains a number of policies that are based on the CIS Benchmark. These policies show a common pattern for policy development, which is a single policy check for each resource configuration that requires validation.
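A fuller sentinel.hcl along the lines the reply describes, written as an added example rather than taken from the thread or from HashiCorp, covering the tfconfig import the question uses as well as tfplan/v2. The directory layout, file names, mock file names and the `-trace` invocation are assumptions; the mock files are the ones TFC/E lets you download for a run.

```hcl
# sentinel.hcl for local development with `sentinel apply` (added example, not from the thread).
# Assumed layout:
#   policies/sentinel.hcl               <- this file
#   policies/my-policy.sentinel         <- policy under development (imports "tfconfig")
#   policies/mocks/mock-tfconfig.sentinel
#   policies/mocks/mock-tfplan-v2.sentinel
# The mock files are assumed to be the ones downloaded from a TFC/E run.

policy "my-policy" {
  source            = "./my-policy.sentinel"
  enforcement_level = "hard-mandatory"
}

# While running locally, every import the policy uses must be backed by a module;
# without these blocks `sentinel apply` reports: Import "tfconfig" is not available.
# Remove or comment out all module blocks before uploading this file as a
# Terraform policy set configuration, since TFC/E supplies the real imports at run time.
module "tfconfig" {
  source = "./mocks/mock-tfconfig.sentinel"
}

module "tfplan/v2" {
  source = "./mocks/mock-tfplan-v2.sentinel"
}

# Assumed invocation, run from the policies/ directory so this sentinel.hcl is picked up:
#   sentinel apply -trace my-policy.sentinel
# -trace prints each rule's evaluation, which makes the policy's effect on the mocked
# configuration visible when walking stakeholders through a candidate policy.
```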