BT

Facilitating the Spread of Knowledge and Innovation in Professional Software Development

Write for InfoQ

Topics

Choose your language

InfoQ Homepage News Creating and Enforcing "Policy as Code" with HashiCorp Sentinel

Creating and Enforcing "Policy as Code" with HashiCorp Sentinel

This item in japanese

HashiCorp have released Sentinel, an embedded "policy as code" framework that is integrated within the HashiCorp Enterprise products. Sentinel enables "fine-grained, logic-based policy decisions" that can be used to automatically audit and (if required) enforce organisational, compliance or security policies when working with Infrastructure as Code and other HashiCorp platform tooling.

The current HashiCorp suite of infrastructure automation tools enable engineers to provision, secure, connect, and run infrastructure - this is achieved with the popular open source Terraform, Vault, Consul and Nomad projects respectively. According to the Tao of HashiCorp, these tools are built on a foundation of "Infrastructure as Code (IaC)", which allows the codification and automation of infrastructure management at scale. This ability to create, change, and destroy infrastructure at scale comes with risks in large organizations, as less experienced users or incorrectly configured automation can make significant mistakes that impact business operations.

Many modern infrastructure platforms and tools have some degree of access control, and many of the cloud vendors offer Identity and Access Management (IAM) style policies and Access Control List (ACL) controls. This allows engineers to define identities and what they have access to. According to the HashiCorp Sentinel web page, these ACL systems "solve an immediate and necessary problem of locking down a system in very broad strokes", whereas Sentinel is a reusable system for more advanced software policy decisions.

Many existing policy or ACL systems do not practice policy as code. Many policies are set by clicking in a GUI, which isn't easily repeatable nor versionable. They usually don't provide any system for testing policies other than testing an action that would violate the policy. This makes it difficult for automated testing. And the policy language itself varies by product.

Sentinel can limit exposure by codifying organisation and regulatory policies as text-based configuration to ensure infrastructure changes are safe. Sentinel introduces policy as code into Terraform Enterprise, Vault Enterprise, Consul Enterprise, and Nomad Enterprise -- the open source versions of these tools are not currently supported by Sentinel -- and allows "guardrails", business requirements, legal compliance, and more to be actively enforced by running systems in real-time i.e. this is not an after-the-fact style auditing tool.

Sentinel enables:

  • Policy as code: Treat policy like an application e.g. version control, code review, test, and automate. Policy syntax and behavior can be easily validated with Sentinel, and automated testing can be implemented using the CLI provided. Paired with a VCS system, this allows a pull request workflow to verify that a policy keeps the system behavior as expected before merging.
  • Fine-grained, condition-based policy: Reject actions on any available input rather than coarse-grained read, write, and admin policies. Plugins to access external information from custom systems can be written by anyone using the public Sentinel SDK. By representing policy logic as code, the information and logic about a policy is directly represented in code and can be augmented with comments rather than relying on oral tradition to learn about the reason for policies.
  • Multiple Enforcement Levels: Advisory, soft-mandatory, and hard-mandatory levels allow policy writers to warn on or reject offending behavior with the appropriate severity, and all activities can be logged for audit.
  • Multi-cloud compatible. Ensure infrastructure changes are within business and regulatory policy on every infrastructure provider.

Sentinel defines and uses its own policy language. The language was designed to be approachable by non-programmers, because there are many use cases where the individual defining policy may not be a developer. More can be learned about the language in the writing policy section and the Sentinel language reference.

The sentinel apply command is used to execute a policy locally for development purposes e.g. sentinel apply [options] POLICY. This command executes the policy file at the path specified by POLICY. The output will indicate whether the policy passed or failed. A configuration file can be specified with -config to define available import plugins, mock data, and global values. This is used to simulate a policy embedded within an application. The list of available flags are:

  • -config=path - Path to a configuration file specifying available imports, mock data, globals, etc. The mock data can be define an arbitrarily complex scenario for testing with the built-in Sentinel Simulator.
  • -global key=value - Global values to inject into the running policy.
  • -explain - Always show the execution trace. This shows intermediate boolean expression values. This always shows for failed policies.

An example of a Terraform Sentinel policy file that does not allow resources to be provisioned without tags can be seen below:

import "tfplan"

main = rule {
    all tfplan.resources as r {
        r.attr contains "tags" and length(r.attr.tags) > 0
    }
}

Engineers that are not working with HashiCorp tooling but are keen to use this approach to policy as code can explore tooling such as: awspec - RSpec tests for AWS resources; Azure Resource Manager templates; or the Google Deployment Manager best practices. After-the-fact compliance and security auditing and reporting can also be implemented using tooling such as AWS Config or Azure Advisor.

Additional information on HashiCorp Sentinel can be found on the HashiCorp website, and in the Sentinel announcement blog post.

Rate this Article

Adoption
Style

BT