VCDL-250 Taxonomy Alignment - HCP Terraform #417

Closed
wants to merge 3 commits into from
40 changes: 20 additions & 20 deletions docs/slides/sentinel/index.md
Expand Up @@ -109,7 +109,7 @@ name: benefits-of-policy
- All the same benefits of Infrastructure as Code!
- Version History, Change Control, Collaboration

- Easily share-able and consumable across multiple organizations and teams in Terraform Cloud
- Easily share-able and consumable across multiple organizations and teams in HCP Terraform

- Can be tested and iterated on in an automated fashion with real test data!
- We'll discuss mock data and testing in this training!!!
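Review bot: style point on the changed bullet: "share-able" is an unusual hyphenation; since the line is being rewritten anyway, "shareable" reads better and matches the rest of the deck.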
Expand Down Expand Up @@ -229,15 +229,15 @@ name: policy-sets

- **Policy Sets** are groups of **Sentinel Policies** (and optionally Sentinel Modules)
- They can be enforced on all workspaces or only on selected workspaces within one or more organizations.
- They are usually created in VCS repositories and then registered with organizations using the Terraform Cloud UI or API.
- They are usually created in VCS repositories and then registered with organizations using the HCP Terraform UI or API.
- Additionally, **Parameters** can be added to policy sets allowing the secure introduction of credentials needed by API endpoints invoked with the Sentinel HTTP import.

---
name: chapter-summary
# Chapter Summary

- Sentinel is Policy as Code framework
- Terraform Cloud automatically runs Sentinel checks between **plan and apply**
- HCP Terraform automatically runs Sentinel checks between **plan and apply**
- Sentinel has different enforcement levels, **Advisory, Soft and Hard Mandatory**

---
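Review bot: the unchanged summary bullet "Sentinel is Policy as Code framework" is missing an article; since this slide is being edited, change it to "Sentinel is a Policy as Code framework".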
Expand All @@ -258,7 +258,7 @@ name: c1-references
- [Sentinel Overview](https://www.terraform.io/cloud-docs/sentinel)
- High level overview of Sentinel and Terraform
- [Manage Policies](https://www.terraform.io/cloud-docs/sentinel/manage-policies)
- Managing Policies in Terraform Cloud
- Managing Policies in HCP Terraform
- [Enforcement Levels](https://www.terraform.io/cloud-docs/sentinel/enforce)
- The various enforcement levels

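Review bot: the link descriptions on the references slide were renamed to HCP Terraform, but the URLs still point at the `https://www.terraform.io/cloud-docs/sentinel` paths; please confirm these still resolve or redirect before merging, otherwise the slide will carry the new product name next to stale links.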
Expand Down Expand Up @@ -337,7 +337,7 @@ name: mock-intro
# Sentinel Mocks in Terraform

- Sentinel **Mocks** simulate the data from Terraform plans
- They can be generated from Terraform Cloud
- They can be generated from HCP Terraform
- **Mocks** can be edited and modified to simulate other data
- Using the Sentinel CLI with mocks speeds up development of new policies since additional plans do not need to be run.

Expand Down Expand Up @@ -444,10 +444,10 @@ name: types-of-policies-3
name: chapter-summary
# Chapter Summary

- Sentinel can 'import' data from several sources in Terraform and Terraform Cloud
- Sentinel can 'import' data from several sources in Terraform and HCP Terraform
- The Terraform Plan, Config, State and Run Data!
- You can 'simulate' this life-cycle by using **Mocks**
- Mocks can be generated from Terraform Cloud
- Mocks can be generated from HCP Terraform
- Mocks can then be tested with **Sentinel CLI**

---
Expand Down Expand Up @@ -891,10 +891,10 @@ resource "aws_instance" "ubuntu" {

---
name: methodology-4
# Integrate with Terraform Cloud
# Integrate with HCP Terraform

- In order to use the Remote Backend against a TFC/TFE server;
- Authenticate to Terraform Cloud `terraform login`
- Authenticate to HCP Terraform `terraform login`
- Configure your backend

```
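Review bot: the rename is incomplete within this hunk: the unchanged bullet "In order to use the Remote Backend against a TFC/TFE server;" still uses the TFC abbreviation directly above the line changed to "Authenticate to HCP Terraform", so the slide now mixes both names. Either expand it to "an HCP Terraform/TFE server" or decide explicitly that TFC stays as an abbreviation throughout the deck. The trailing semicolon on that bullet should also be a colon, since it introduces the sub-bullets.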
Expand Down Expand Up @@ -940,8 +940,8 @@ Start a Terraform Plan then get your Mocks!

- From your local directory containing main.tf and backend.tf, run _terraform init_ to initialize your Terraform configuration.
- Then run terraform plan.
- The plan will run on the TFC server, but its results will be visible locally and in the TFC UI.
- To see the run in the TFC UI, copy the URL displayed near the top of the local version of the plan and navigate to it with a browser.
- The plan will run on the HCP Terraform server, but its results will be visible locally and in the HCP Terraform UI.
- To see the run in the HCP Terraform UI, copy the URL displayed near the top of the local version of the plan and navigate to it with a browser.
- To generate mocks against your plan, click the "Download Sentinel mocks" button.
- After a minute, a tar.gz file will be downloaded with 7 mocks.
- Extract the mock files from the tar.gz file.
Expand Down Expand Up @@ -1255,15 +1255,15 @@ class: title, smokescreen, shelf
background-image: url(https://hashicorp.github.io/field-workshops-assets/assets/bkgs/HashiCorp-Title-bkg.jpeg)
count: false

# Chapter 5 - Using Sentinel in Terraform Cloud and Terraform Enterprise
# Chapter 5 - Using Sentinel in HCP Terraform and Terraform Enterprise

![:scale 10%](https://hashicorp.github.io/field-workshops-assets/assets/logos/logo_terraform.png)

---
name: test-policies
# Testing Policies in Terraform Cloud
# Testing Policies in HCP Terraform

- After successfully testing a policy with the CLI, you might also want to test it against actual Terraform code on a TFC or TFE server.
- After successfully testing a policy with the CLI, you might also want to test it against actual Terraform code on a HCP Terraform or TFE server.
- When doing this, we suggest you follow these recommendations:
- Put each new policy in a policy set that does not contain any other policies.
- Assign the workspaces you will be using to test your policy to that policy set.
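Review bot: grammar in the changed line: "a HCP Terraform or TFE server" needs "an", since HCP is pronounced letter by letter. The same line also keeps the TFE abbreviation while TFC was expanded; "an HCP Terraform or Terraform Enterprise server" would match the new chapter title.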
Expand All @@ -1281,7 +1281,7 @@ name: creating-policies
- Each policy set contains the policies and a configuration file called "sentinel.hcl" that lists the policies and their enforcement levels.
- The "sentinel.hcl" file can also specify Sentinel modules to load.
- Policies and Modules can be in any directory of the current repository and even in remote repositories.
- You then configure the policy set in the Terraform Cloud UI by registering it, indicating the repository, branch, and policies path.
- You then configure the policy set in the HCP Terraform UI by registering it, indicating the repository, branch, and policies path.
- You can specify **Parameters** for it including sensitive ones.
- You determine the workspaces it should be enforced on.

Expand Down Expand Up @@ -1344,9 +1344,9 @@ name: policy-pass-example

---
name: deploying
# Deploying Policies in Terraform Cloud
# Deploying Policies in HCP Terraform

- After successfully testing a policy with the CLI and possibly also on TFC itself, you will want to deploy it to your TFC organizations.
- After successfully testing a policy with the CLI and possibly also on HCP Terraform itself, you will want to deploy it to your HCP Terraform organizations.
- If you have not already added the policy to a policy set in your organizations, do that at this time.
- Add the new policy to an existing policy set that is already applied against desired workspaces, or create a new policy set for the policy and apply that policy set to desired workspaces across your organizations.
- Also add any parameters the policy requires to your policy set.
Expand Down Expand Up @@ -1677,7 +1677,7 @@ name: restricting
name: making-external
# Making Calls to External API Endpoints

- Sentinel policies in Terraform Cloud and Terraform Enterprise can use the http import to call external API endpoints.
- Sentinel policies in HCP Terraform and Terraform Enterprise can use the http import to call external API endpoints.
- Parameters can be added to policy sets allowing the secure introduction of credentials needed by API endpoints invoked with the Sentinel HTTP import.
- Currently, the http import supports the HTTP GET and POST operations against API endpoints that return JSON documents.
- The http import can send data to an API endpoint with the http import using headers or URL parameters.
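Review bot: the unchanged bullet "The http import can send data to an API endpoint with the http import using headers or URL parameters." repeats "with the http import"; while this slide is being edited, drop the duplicate phrase. For the parameters bullet above it, consider pointing back to the sensitive-parameter option mentioned on the creating-policies slide, so that credentials passed to the http import are stored as sensitive parameters rather than plain ones.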
Expand Down Expand Up @@ -1956,7 +1956,7 @@ count: false
name: modules-from-pmr
# Exercise 5: Require Modules from a PMR

- Your task in these challenges is to complete and test two versions of a Sentinel policy that requires that all modules loaded by the root module come from the Private Module Registry (PMR) of a Terraform Cloud organization.
- Your task in these challenges is to complete and test two versions of a Sentinel policy that requires that all modules loaded by the root module come from the Private Module Registry (PMR) of a HCP Terraform organization.
- This policy uses the tfconfig/v2 import.
- In the first version, you will write a custom validation function.
- In the second version, you will move this function into a Sentinel module.
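Review bot: article in the changed line: "of a HCP Terraform organization" should read "of an HCP Terraform organization".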
Expand Down Expand Up @@ -2023,7 +2023,7 @@ name: mocks-in-tf
# Sentinel Mocks in Terraform

- Sentinel **Mocks** simulate the data that is made available to the Terraform Sentinel imports from Terraform plans.
- They can be generated from recent plans using the Terraform Cloud UI and API.
- They can be generated from recent plans using the HCP Terraform UI and API.
- They can also be copied and edited to simulate various combinations of resource and data source attributes.
- They enable testing of Terraform Sentinel policies with the Sentinel CLI.
- Using the Sentinel CLI with mocks speeds up development of new policies since additional plans do not need to be run.
18 changes: 9 additions & 9 deletions instructor-guides/sentinel_for_terraform_INSTRUCTOR_GUIDE.md
@@ -1,8 +1,8 @@
# Sentinel for Terraform - Instructor Guide

This guide will prepare you to deliver a full-day [Sentinel for Terraform Workshop](https://hashicorp.github.io/field-workshops-terraform/slides/sentinel/index.html#1), although the workshop is usually broken up into two sessions as described below. The workshop is a combination of [slides](https://hashicorp.github.io/field-workshops-terraform/slides/sentinel/index.html#1) and two hands-on [Instruqt tracks](https://play.instruqt.com/hashicorp/topics/sentinel) that teach students how to write and test Sentinel policies for Terraform. Participants will learn an 8-step methodology for writing and testing Sentinel policies. Everything is done using the Sentinel CLI provided within the Instruqt tracks, so access to Terraform Cloud or Terraform Enterprise is not required. All students need is a browser.
This guide will prepare you to deliver a full-day [Sentinel for Terraform Workshop](https://hashicorp.github.io/field-workshops-terraform/slides/sentinel/index.html#1), although the workshop is usually broken up into two sessions as described below. The workshop is a combination of [slides](https://hashicorp.github.io/field-workshops-terraform/slides/sentinel/index.html#1) and two hands-on [Instruqt tracks](https://play.instruqt.com/hashicorp/topics/sentinel) that teach students how to write and test Sentinel policies for Terraform. Participants will learn an 8-step methodology for writing and testing Sentinel policies. Everything is done using the Sentinel CLI provided within the Instruqt tracks, so access to HCP Terraform or Terraform Enterprise is not required. All students need is a browser.

This workshop content is suitable for HashiCorp customers who are already using Terraform Cloud or Terraform Enterprise; we recommend that all students first complete one of the Intro to Terraform workshops listed under https://hashicorp.github.io/workshops/ or have equivalent experience. It is not well-suited for prospects since it exposes the fact that using Sentinel can be complex.
This workshop content is suitable for HashiCorp customers who are already using HCP Terraform or Terraform Enterprise; we recommend that all students first complete one of the Intro to Terraform workshops listed under https://hashicorp.github.io/workshops/ or have equivalent experience. It is not well-suited for prospects since it exposes the fact that using Sentinel can be complex.

## Attendee prerequisites
Prerequisites are minimal. All that is required to participate in the workshop is a web browser and Internet access. No software needs to be downloaded or installed -- self-contained lab environments run on the Instruqt platform.
Expand Down Expand Up @@ -38,17 +38,17 @@ Please ask students to complete the [feedback survey](https://bit.ly/hashiworksh
*Session 1*

0:00 - 0:05 - Wait for attendees to arrive and Introductions<br>
0:05 - 0:25 - Sentinel in Terraform Cloud and Terraform Enterprise<br>
0:05 - 0:25 - Sentinel in HCP Terraform and Terraform Enterprise<br>
0:25 - 0:50 - The Sentinel Language<br>
0:50 - 1:05 - Lab 1 (The Sentinel CLI)<br>
1:05 - 1:10 - Review of Lab 1<br>
1:10 - 1:15 - Break<br>
1:15 - 1:30 - The Evolution of Sentinel Policies<br>
1:30 - 1:35 - Demo of Sentinel CLI
1:35 - 2:05 - Writing and Testing Sentinel Policies<br>
2:05 - 2:15 - Demo of Sentinel in Terraform Cloud
2:05 - 2:15 - Demo of Sentinel in HCP Terraform
2:15 - 2:25 - Break<br>
2:25 - 2:45 - Using Sentinel in Terraform Cloud<br>
2:25 - 2:45 - Using Sentinel in HCP Terraform<br>
2:45 - 3:00 - Q&A<br>

*Session 2*
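Review bot: the changed line "2:05 - 2:15 - Demo of Sentinel in HCP Terraform" lacks the trailing `<br>` that every other agenda line carries (as does the unchanged "1:30 - 1:35 - Demo of Sentinel CLI" above it), so both entries will run together with the following line when the markdown renders. Add `<br>` to both while this block is being touched.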
Expand Down Expand Up @@ -101,7 +101,7 @@ sentinel test -verbose restrict-vm-disk-size.sentinel

Point out that the first of these two VMware Sentinel policies has three failure test cases with associated mocks. Point out that the second policy delays printing violation messages for disks created with VMware VMs so that the messages look like "Disk 0 has size with value 120 that is greater than 100" instead of the less meaningful "0 has size with value 120 that is greater than 100".

While presenting the "Writing and Testing Sentinel Policies for Terraform" slides, we recommend you show the Terraform Cloud UI opened to a workspace that points at Terraform code that creates an EC2 instance. You could use this [code](https://github.com/hashicorp/terraform-guides/tree/master/infrastructure-as-code/aws-ec2-instance), although you will probably want to update it to be more modern and use a newer version of Terraform instead of Terraform 0.11. You can then do a plan and show how mocks can be downloaded from the plan. You can also show the restrict-ec2-instance-type.sentinel policy failing if you have registered this [policy set](https://github.com/hashicorp/terraform-sentinel-policies/blob/main/aws/sentinel.hcl) with your TFC organization.
While presenting the "Writing and Testing Sentinel Policies for Terraform" slides, we recommend you show the HCP Terraform UI opened to a workspace that points at Terraform code that creates an EC2 instance. You could use this [code](https://github.com/hashicorp/terraform-guides/tree/master/infrastructure-as-code/aws-ec2-instance), although you will probably want to update it to be more modern and use a newer version of Terraform instead of Terraform 0.11. You can then do a plan and show how mocks can be downloaded from the plan. You can also show the restrict-ec2-instance-type.sentinel policy failing if you have registered this [policy set](https://github.com/hashicorp/terraform-sentinel-policies/blob/main/aws/sentinel.hcl) with your TFC organization.

## Hands-on Labs
At certain points in the slide deck there are references to the lab exercises. [Instruqt](https://instruqt.com/hashicorp) is our lab platform. Users must generally register on the Instruqt website to use these tracks unless you send an invite that allows anonymous access. There are two Instruqt tracks in this workshop.
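Review bot: the rename is incomplete on the changed line: it opens with "show the HCP Terraform UI" but ends with "registered this policy set with your TFC organization". Change the trailing "TFC" to "HCP Terraform" so the same sentence does not use both names.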
Expand Down Expand Up @@ -173,17 +173,17 @@ Here is some boilerplate text you can use or customize when inviting or announci
Introduction to Sentinel for Terraform Workshop
A hands-on technical workshop

Learn how to write and test Sentinel policies that restrict the provisioning of resources done with Terraform Cloud and Terraform Enterprise workspace. Sentinel is HashiCorp's policy-as-code framework and language for codifying policies in the same way that Terraform codifies infrastructure as code. Beginners can create Sentinel policies that use common functions that avoid use of advanced Sentinel language constructs. Experts can write their own Sentinel functions that do use those constructs and implement more sophisticated policies.
Learn how to write and test Sentinel policies that restrict the provisioning of resources done with HCP Terraform and Terraform Enterprise workspace. Sentinel is HashiCorp's policy-as-code framework and language for codifying policies in the same way that Terraform codifies infrastructure as code. Beginners can create Sentinel policies that use common functions that avoid use of advanced Sentinel language constructs. Experts can write their own Sentinel functions that do use those constructs and implement more sophisticated policies.

Join us for two 3-hour training sessions that will teach you how to write and test Sentinel policies using standard and Terraform Sentinel imports and some common functions.

Topics covered in the workshop include:

* Sentinel in Terraform Cloud and Terraform Enterprise
* Sentinel in HCP Terraform and Terraform Enterprise
* The Sentinel Language
* The Evolution of Terraform Sentinel Policies
* Writing Sentinel Policies and Testing them with the Sentinel CLI
* Using Sentinel in Terraform Cloud
* Using Sentinel in HCP Terraform
* Advanced Techniques

All of these but the last will be covered during the first session which will also include one lab that teaches you how to use the Sentinel CLI.
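Review bot: grammar on the changed line: "restrict the provisioning of resources done with HCP Terraform and Terraform Enterprise workspace" should be "workspaces" (plural). This was already wrong before the rename, but it is worth fixing while the line is being rewritten.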
Expand Up @@ -9,7 +9,7 @@ notes:
contents: |-
[Sentinel](https://docs.hashicorp.com/sentinel) allows customers to implement policy-as-code in the same way that Terraform implements infrastructure-as-code.

The Sentinel Command Line Interface (CLI) allows you to apply and test Sentinel policies including those that use mocks generated from Terraform Cloud and Terraform Enterprise plans.
The Sentinel Command Line Interface (CLI) allows you to apply and test Sentinel policies including those that use mocks generated from HCP Terraform and Terraform Enterprise plans.

You should run the **Sentinel CLI Basics** track before starting this track.
- type: text
Expand Down Expand Up @@ -160,7 +160,7 @@ Now open the test cases and mock files on the "Test Cases" tab.
- You'll see that the `fail.hcl` test case refers to the `tfplan-functions.sentinel` module and the `mock-tfplan-fail.sentinel` mock file and expects the main rule to return `false`.
- You'll also see that the `pass.hcl` test case refers to the same module and the `mock-tfplan-pass.sentinel` mock file and expects the main rule to return `true`.

The mock files are simplified versions of mocks generated from plans of Terraform Cloud runs done against Terraform code that used the Vault provider to create some auth methods. The key data that determines whether a test case will pass or fail is in the `after` stanza of the `change` stanza of resources under the `resource_changes` collection.
The mock files are simplified versions of mocks generated from plans of HCP Terraform runs done against Terraform code that used the Vault provider to create some auth methods. The key data that determines whether a test case will pass or fail is in the `after` stanza of the `change` stanza of resources under the `resource_changes` collection.

The `mock-tfplan-fail.sentinel` mock file creates instances of the Kubernetes, GitHub, and AWS auth methods; the first two are allowed, but the third is not. The `mock-tfplan-pass.sentinel` mock file creates instances of the Kubernetes, GitHub, and Azure auth methods, all of which are allowed.

Expand Up @@ -90,7 +90,7 @@ Your task is to complete and test a Sentinel policy that requires that all AWS I

Complete the First Version
===
1. Open the `require-access-keys-use-pgp-a.sentinel` policy on the "Poilicies" tab.
1. Open the `require-access-keys-use-pgp-a.sentinel` policy on the "Policies" tab.
- You'll see several placeholders in angular brackets throughout the policy.
- You need to replace those placeholders with suitable Sentinel expressions.

Expand Down Expand Up @@ -124,7 +124,7 @@ Using multiple fail test cases allows us to test multiple ways in which a policy

All 3 fail test cases expect the main rule to return `false`. Of course, we've also included a pass test case and a corresponding mock file that does include the desired attribute with an allowed value. The pass test case expects the main rule to return `true`.

The mock files are simplified versions of mocks generated from plans of Terraform Cloud runs done against Terraform code that used the AWS provider to create an AWS IAM access key.
The mock files are simplified versions of mocks generated from plans of HCP Terraform runs done against Terraform code that used the AWS provider to create an AWS IAM access key.

Test the First Version
===