Summary
This document details our Sentinel configuration and provides administration guidance. It's not meant to be a Sentinel tutorial, but I'll provide links to HashiCorp's tutorials on their website. The intended audience is the ACE Infra Team and anyone else who pushes infrastructure code processed by our Terraform Cloud organization.
So what is Sentinel? Sentinel is HashiCorp’s policy-as-code framework for its enterprise products. This framework enables us to write and manage our security, compliance and governance policies as code so that we can automate compliance checks that we previously had to do manually.
NOTE: My LucidChart license was revoked so I can’t create diagrams. I’ve re-requested a license and will replace the text below with pictures as soon as I can.
Workflow
- Policies are written as *.sentinel files in our terraform-sentinel-policies repository. They define the functions, mock data and variable inputs (parameters) required to test.
- The location of the *.sentinel files today depends on whether it's an AWS policy or a cloud-agnostic policy. This was a structure that we got from HashiCorp and is subject to change.
- Each policy (./{policy-name}.sentinel) is accompanied by a test directory located in test/{policy-name}. These directories contain mock data representing pass and fail scenarios (test/{policy-name}/*.sentinel) along with configuration files (test/{policy-name}/*.hcl).
- Sentinel policies are connected to Terraform Cloud in the form of Policy Sets.
- Policy sets provide a section called Sentinel Parameters where policy input variables are defined. These parameters will be identical to the ones defined in test/{policy-name}/*.hcl so that tests provide an accurate representation of our live environment.
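As an added illustration of the workflow above (example code, not a policy from our terraform-sentinel-policies repository), here is a hypothetical ./restrict-instance-type.sentinel policy whose single parameter would be supplied by test/restrict-instance-type/*.hcl locally and by the Policy Set's Sentinel Parameters in Terraform Cloud. The policy name, parameter name and allowed values are assumptions for the example.

```sentinel
# Example policy (added here, not from the repository): only allow approved
# EC2 instance types in a Terraform Cloud plan.
import "tfplan/v2" as tfplan

# Parameter. During "sentinel test" its value comes from a
# param "allowed_instance_types" block in test/restrict-instance-type/*.hcl;
# in Terraform Cloud it comes from the Policy Set's Sentinel Parameters.
# The default only applies when neither supplies a value.
param allowed_instance_types default ["t3.micro", "t3.small"]

# Managed aws_instance resources that the plan will create or update.
instances = filter tfplan.resource_changes as _, rc {
	rc.type is "aws_instance" and
	rc.mode is "managed" and
	(rc.change.actions contains "create" or rc.change.actions contains "update")
}

# Those whose planned instance_type is not on the approved list.
violations = filter instances as _, rc {
	rc.change.after.instance_type not in allowed_instance_types
}

# Print one line per offender so the run log shows exactly what failed.
for violations as address, rc {
	print("VIOLATION:", address, "uses instance_type", rc.change.after.instance_type)
}

# The policy passes only when nothing violates the list.
main = rule {
	length(violations) is 0
}
```

The matching test/restrict-instance-type/pass.hcl and fail.hcl would each carry a param "allowed_instance_types" block with the same value the Policy Set uses, plus a mock "tfplan/v2" block pointing at the pass or fail mock data in that directory.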
More coming soon.