Terraform code and Sentinel policies for HashiConf-2019 talk/demo

rberlind/HashiConf-2019

HashiConf 2019

This repository contains Terraform code, Sentinel policies, and Sentinel mocks for my HashiConf 2019 session called Testing Terraform Sentinel Policies Using Mocks. This session was delivered on September 11. It shows how you can generate Terraform Sentinel mocks from Terraform Cloud plans and use them to test Sentinel policies with the Sentinel Simulator.

The full abstract is here.

GCP Compute Instance Example

The gcp-compute-instance directory contains some simple Terraform 0.12 code that creates two Google Cloud Platform (GCP) compute instances.

AWS S3 Bucket

The aws-s3-bucket directory contains some simple Terraform 0.12 code that creates a single S3 bucket that has the "private" canned ACL and is encrypted by a KMS key.

Sentinel Policies, Test Cases, and Mocks

The sentinel directory contains two Sentinel policies, restrict-gce-machine-type.sentinel and require-private-acl-and-kms-for-s3-buckets.sentinel, along with Sentinel test cases and mocks that allow the policies to be tested with the Sentinel Simulator.

The restrict-gce-machine-type.sentinel policy requires every GCP compute instance to use one of the machine types n1-standard-1, n1-standard-2, or n1-standard-4. This example includes one test case that passes and one that fails the policy.
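The following is an added example of how such a machine-type policy and one of its mocks can be written; it is not the repository's own policy. It assumes the tfplan/v2 import (the 2019 repository may use the original tfplan import, whose data layout differs), the google_compute_instance resource type, and a constructed mock with two instances whose resource addresses and attribute values are invented for the example.

```sentinel
# --- file: restrict-gce-machine-type.sentinel (added example, not the repository's policy) ---
import "tfplan/v2" as tfplan

# Assumption: tfplan/v2; mocks generated by Terraform Cloud expose plan data as resource_changes.
allowed_machine_types = ["n1-standard-1", "n1-standard-2", "n1-standard-4"]

# Only instances being created or updated are checked; an instance being
# destroyed has no "after" state to evaluate.
gce_instances = filter tfplan.resource_changes as _, rc {
  rc.type is "google_compute_instance" and
  rc.mode is "managed" and
  (rc.change.actions contains "create" or rc.change.actions contains "update")
}

# A machine_type that is unknown at plan time (computed) is absent from
# "after", so the "else" default of "" makes it a violation rather than a pass.
violators = filter gce_instances as _, rc {
  (rc.change.after.machine_type else "") not in allowed_machine_types
}

# Printed output is only visible with "sentinel test -verbose".
for violators as address, rc {
  print("GCE instance", address, "uses disallowed machine_type",
        rc.change.after.machine_type else "(unknown at plan time)")
}

main = rule {
  length(violators) is 0
}

# --- file: test/restrict-gce-machine-type/mock-tfplan-v2-pass.sentinel (constructed mock) ---
# Two constructed instances, both with allowed machine types, so "main" evaluates to true.
resource_changes = {
  "google_compute_instance.demo[0]": {
    "address": "google_compute_instance.demo[0]",
    "mode":    "managed",
    "type":    "google_compute_instance",
    "name":    "demo",
    "change": {
      "actions": ["create"],
      "after": {
        "name":         "demo-0",
        "machine_type": "n1-standard-2",
        "zone":         "us-central1-a",
      },
    },
  },
  "google_compute_instance.demo[1]": {
    "address": "google_compute_instance.demo[1]",
    "mode":    "managed",
    "type":    "google_compute_instance",
    "name":    "demo",
    "change": {
      "actions": ["create"],
      "after": {
        "name":         "demo-1",
        "machine_type": "n1-standard-4",
        "zone":         "us-central1-a",
      },
    },
  },
}
```

A matching test case file, test/restrict-gce-machine-type/pass.hcl, references the mock with a mock "tfplan/v2" block whose module source points at the mock file and asserts main = true in its test block; the fail case is the same layout with a mock whose machine_type is not in the list and main = false. Defaulting a missing machine_type to "" rather than skipping the instance is deliberate: a value the plan cannot determine should fail a restrictive policy, not slip past it.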

The require-private-acl-and-kms-for-s3-buckets.sentinel policy requires all S3 buckets to satisfy two conditions:

  1. They must use the "private" canned ACL.
  2. They must be encrypted with a KMS key.

This example includes one test case that passes (by satisfying both conditions) and three test cases that fail the policy. One test case has an invalid ACL, one does not have KMS encryption configured, and one fails both conditions. This example illustrates using more than one failure test case when a policy requires multiple conditions to be satisfied.
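As an added example of a policy that enforces two conditions and reports each one separately (this is not the repository's own policy), the block below checks the "private" canned ACL and KMS default encryption on aws_s3_bucket resources, followed by a constructed mock for the case that fails both conditions. It assumes the tfplan/v2 import and the 2019-era AWS provider schema in which the acl attribute and the server_side_encryption_configuration block live on aws_s3_bucket itself; the bucket address and attribute values in the mock are invented for the example.

```sentinel
# --- file: require-private-acl-and-kms-for-s3-buckets.sentinel (added example, not the repository's policy) ---
import "tfplan/v2" as tfplan

# Assumption: tfplan/v2 and the aws_s3_bucket schema with an "acl" attribute and a nested
# server_side_encryption_configuration -> rule -> apply_server_side_encryption_by_default block.
s3_buckets = filter tfplan.resource_changes as _, rc {
  rc.type is "aws_s3_bucket" and
  rc.mode is "managed" and
  (rc.change.actions contains "create" or rc.change.actions contains "update")
}

# Condition 1: the bucket uses the "private" canned ACL.
has_private_acl = func(rc) {
  return (rc.change.after.acl else "") is "private"
}

# Condition 2: default encryption uses a KMS key. Nested blocks appear as lists,
# so an out-of-range index or missing block yields undefined, which "else" turns into {}.
uses_kms = func(rc) {
  sse = rc.change.after.server_side_encryption_configuration[0].rule[0].apply_server_side_encryption_by_default[0] else {}
  return (sse.sse_algorithm else "") is "aws:kms" and
         (sse.kms_master_key_id else "") is not ""
}

# Each condition gets its own violator set so a failing test shows which condition failed.
acl_violators = filter s3_buckets as _, rc { not has_private_acl(rc) }
kms_violators = filter s3_buckets as _, rc { not uses_kms(rc) }

for acl_violators as address, _ {
  print("S3 bucket", address, "does not use the private canned ACL")
}
for kms_violators as address, _ {
  print("S3 bucket", address, "is not encrypted with a KMS key")
}

private_acl_rule = rule { length(acl_violators) is 0 }
kms_rule = rule { length(kms_violators) is 0 }

main = rule {
  private_acl_rule and kms_rule
}

# --- file: test/require-private-acl-and-kms-for-s3-buckets/mock-tfplan-v2-fail-both.sentinel (constructed mock) ---
# A constructed bucket with a public ACL and no encryption block, so both rules fail.
resource_changes = {
  "aws_s3_bucket.demo": {
    "address": "aws_s3_bucket.demo",
    "mode":    "managed",
    "type":    "aws_s3_bucket",
    "name":    "demo",
    "change": {
      "actions": ["create"],
      "after": {
        "bucket": "constructed-example-bucket",
        "acl":    "public-read",
        "server_side_encryption_configuration": [],
      },
    },
  },
}
```

The four test cases described above map onto four mocks: one with acl = "private" and an aws:kms block (main = true), one with a non-private ACL but valid KMS settings, one with a private ACL but an empty encryption list, and the fail-both mock shown here. Each test case file in test/require-private-acl-and-kms-for-s3-buckets/ points its mock "tfplan/v2" module source at the corresponding mock and asserts main = false for the failing ones; because the intermediate rules are named, a test case can also assert private_acl_rule and kms_rule individually, which is what makes a per-condition failure case worthwhile.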

After downloading the Sentinel Simulator, adding it to your path, cloning or forking this repository, and navigating to the sentinel directory, you can test the policies with these commands:

Test the GCP Policy:

sentinel test -run=gce
sentinel test -run=gce -verbose

Test the AWS policy:

sentinel test -run=s3
sentinel test -run=s3 -verbose

Note that the -run argument filters to policies with names that contain the argument and that the -verbose argument shows the outputs of print statements in the policies. If you do not include the -run argument, all policies in the current directory will be tested.

Test Both Policies:

sentinel test
sentinel test -verbose
