terraform - Hashicorp sentinel does not find tfplanv2 - Stack Overflow

I don't understand how I can analyse a plan with Hashicorp sentinel policies.

My test case

This is my main.tf file:

provider "azurerm" {
  subscription_id = "XXX"
  features {
  }
}

terraform {
  required_providers {
    azurerm = {
      source = "hashicorp/azurerm"
    }
  }
}

resource "azurerm_resource_group" "rg1" {
  name     = "RG1"
  location = "westeurope"
}

Then I produce my plan:

terraform plan -out="plan.tfplan"

terraform show -json plan.tfplan >plan.json

Now using this modest policy:

import "tfplan/v2" as tfplan


main = rule {
    true
}

What I get

When running from command line:

sentinel apply policy.sentinel

I get

policy.sentinel - Runtime error while running the policy:

policy.sentinel:1:1: Import "tfplan/v2" is not available

A runtime error is a non-recoverable error due to some unexpected or invalid condition. When a runtime error is experienced, the result of the policy is "false".

Versions

Terraform v1.11.0

Sentinel v0.30.0

What I am looking for

I am interested in 2 things:

  1. Why I get this error message and what I am supposed to do
  2. In a general manner, how does sentinel know where the plan output is? Is there a file naming convention?

Thank you

asked Mar 14 at 21:45 by Frédéric De Lène Mirouze, edited Mar 15 at 12:03
  • The error message occurs when executed within TFE or HCPTF or otherwise? – Matthew Schuchard Commented Mar 15 at 10:34
  • just running: sentinel apply policy.sentinel from command line – Frédéric De Lène Mirouze Commented Mar 15 at 12:01

1 Answer

Well I found the solution.

I need to add a config file with something like:

sentinel {
  features = {
    apply-all = true
    terraform = true
  }
}

import "plugin" "tfplan/v2" {
  config = {
    "plan_path": "./tfplan.json"
  }
}

Documentation is there:
https://developer.hashicorp.com/sentinel/docs/configuration

Could be a little bit clearer.
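
Once the import resolves, a policy can read the plan data instead of returning a constant. The following is an added example, not part of the original question or answer: it assumes the configuration above is saved as sentinel.hcl next to policy.sentinel with plan_path pointing at the plan.json produced by terraform show -json in the question, and the allowed_locations list is a constructed value.

```sentinel
# Added example policy: restrict the Azure region of planned resource groups.
import "tfplan/v2" as tfplan

# Assumption: regions permitted by the organisation (constructed for illustration).
allowed_locations = ["westeurope", "northeurope"]

# Select managed azurerm_resource_group resources that the plan creates or updates.
# Deletions are skipped because change.after is null for them.
resource_groups = filter tfplan.resource_changes as _, rc {
	rc.type is "azurerm_resource_group" and
		rc.mode is "managed" and
		(rc.change.actions contains "create" or
			rc.change.actions contains "update")
}

# Every selected resource group must have a planned location in the allowed list.
# With no matching resources, "all" evaluates to true and the policy passes.
location_allowed = rule {
	all resource_groups as _, rg {
		rg.change.after.location in allowed_locations
	}
}

main = rule {
	location_allowed
}
```

With the main.tf from the question (location "westeurope"), sentinel apply policy.sentinel passes; a resource group planned in a region outside the list makes the location_allowed rule, and therefore main, evaluate to false.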
