terraform, hashicorp-sentinel

Hashicorp sentinel does not find tfplan/v2


I don't understand how I can analyse a plan with Hashicorp sentinel policies.

My test case

this is my main.tf file

provider "azurerm" {
  subscription_id = "XXX"
  features {
  }
}

terraform {
  required_providers {
    azurerm = {
      source = "hashicorp/azurerm"
    }
  }
}

resource "azurerm_resource_group" "rg1" {
  name     = "RG1"
  location = "westeurope"
}

Then I produce my plan:

terraform plan -out="plan.tfplan"

terraform show -json plan.tfplan >plan.json

Now using this modest policy:

import "tfplan/v2" as tfplan


main = rule {
    true
}

What I get

When running from command line:

sentinel apply policy.sentinel

I get

policy.sentinel - Runtime error while running the policy:

policy.sentinel:1:1: Import "tfplan/v2" is not available

A runtime error is a non-recoverable error due to some unexpected or invalid condition. When a runtime error is experienced, the result of the policy is "false".

Versions

Terraform v1.11.0

Sentinel v0.30.0

What I am looking for

I am interested in 2 things:

  1. Why do I get this error message and what am I supposed to do?
  2. In a general manner, how does Sentinel know where the plan output is? Is there a file naming convention?

Thank you


Solution

  • Well, I found the solution.

    I need to add a config file with something like:

    sentinel {
      features = {
        apply-all = true
        terraform = true
      }
    }
    
    import "plugin" "tfplan/v2" {
      config = {
        "plan_path": "./tfplan.json"
      }
    }
    

    Documentation is there:
    https://developer.hashicorp.com/sentinel/docs/configuration

    Could be a little bit clearer.
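To show what the tfplan/v2 import gives you once the plugin is configured, here is an added example policy (not from the original question or answer, and not HashiCorp's own code) that checks the azurerm_resource_group from the question's main.tf against a constructed list of allowed regions. It assumes the sentinel.hcl from the answer above, saved next to the policy and passed with -config (sentinel.hcl is also the CLI's default config file name), with plan_path pointing at the file you actually wrote: the question's commands produce plan.json, while the answer's config refers to ./tfplan.json, so one of the two must be changed to match. The policy file name policy.sentinel is an assumption as well.

```sentinel
# Added example policy (not from the original post). Assumes the sentinel.hcl
# from the answer above, with plan_path pointing at the plan.json produced by
# `terraform show -json plan.tfplan > plan.json`.
import "tfplan/v2" as tfplan

# Regions a resource group may be created in (constructed allow-list).
allowed_locations = ["westeurope", "northeurope"]

# Keep only managed azurerm_resource_group resources that this plan will
# create or update; destroyed and no-op resources are out of scope.
resource_groups = filter tfplan.resource_changes as _, rc {
    rc.mode is "managed" and
    rc.type is "azurerm_resource_group" and
    (rc.change.actions contains "create" or rc.change.actions contains "update")
}

# Every in-scope resource group must land in an allowed region. The planned
# values live under change.after; with the literal location in main.tf the
# value is known at plan time.
location_allowed = rule {
    all resource_groups as _, rc {
        rc.change.after.location in allowed_locations
    }
}

# main is the rule the Sentinel CLI reports. For the main.tf in the question
# this passes, because RG1 is planned for westeurope.
main = rule {
    location_allowed
}
```

Run it after producing the plan JSON with `sentinel apply -config=sentinel.hcl policy.sentinel`; change the location in main.tf to a region outside the list, regenerate plan.json, and the policy fails, which is the quickest way to confirm that Sentinel is reading the plan file named in plan_path rather than a stale copy.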