An example of using Sentinel policies in VCS in Terraform Enterprise
MPL-2.0 License
This repo demonstrates a complete VCS-backed Sentinel workflow for Terraform Enterprise (TFE). It includes the following components:
It is intended to be combined with the following:
See also: This repo shows an end-to-end workflow with many parts, and uses a small number of Sentinel policies to keep things simple. If you'd rather see a wider range of how to govern specific kinds of infrastructure with Sentinel policies, see the example policies in the hashicorp/terraform-guides repo.
Fork this repo, then create a Terraform Enterprise workspace linked to your fork. Set values for the following Terraform variables:
tfe_hostname
(optional; defaults to app.terraform.io
) the hostname of your TFE instance.tfe_organization
the name of your TFE organization.tfe_token
(SENSITIVE) the organization token or owners team token for your organization.Add and remove Sentinel policies as desired, and edit main.tf
to ensure your policies are enforced on the correct workspaces. Queue an initial run to set up your policies, then continue to iterate on the policy repo and approve Terraform runs as needed.
For more details, see Managing Sentinel Policies with Version Control.
Run all tests:
> sentinel test
Manually apply a policy using a specific test config:
> sentinel apply -config ./test/aws-restrict-instance-type-prod/dev-not-prod.json aws-restrict-instance-type-prod.sentinel
(This example results in a policy failure, as intended; see the "test"
property of any test config for the expected behavior.)
This repo contains an example of running sentinel test
against your sentinel files as PR checks. It uses a third-party action called thrashr888/sentinel-github-actions/test
to run the tests. After submitting a PR, you'll see any test errors show up as a comment on the PR.