
HashiCorp Policy-as-Code Framework Sentinel Adds Multiple Developer Experience Improvements

HashiCorp has released a number of improvements to Sentinel, their policy-as-code framework. The new features include an improved import configuration syntax, a new static import feature, support for named functions, and per-policy parameter values. There are also new helper functions to determine if a value is undefined.

The 0.19 release introduced an improved import configuration system. This provides a standardized naming convention and a more consistent import configuration that makes use of HCL syntax. The import block also now allows for overriding the default configuration for the imports and plugins that are used within a policy. This new syntax is shown below:

import "plugin" "time" {
	config = {
		timezone = "Australia/Brisbane"
	}
}
 
import "module" "reporter" {
	source = "./reporter.sentinel"
}

Version 0.19 also introduced a new static import feature. This allows static, structured JSON data to be imported into policies. The block takes two configuration attributes: source, the path to the data file, and format, which supports only JSON at this time.

import "static" "people" {
    source = "./data/people.json"
    format = "json"
}

Once imported, the data can be used within the policy. Assuming the JSON has a key called names, the length of that object can be found using length(people.names). HashiCorp has indicated that support for additional data formats will be added in a later release.
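The following policy is an added example, not code from the article or from HashiCorp, showing how the "people" static import above could be consumed once the data is loaded. It assumes a file data/people.json of the form { "names": ["alice", "bob"], "owners": { "alice": "security" } }, and uses a named function and the is defined check that the later Sentinel releases described in this article introduced:

```sentinel
// Added example, not from the article: a policy that reads the "people"
// static import declared in the configuration block above.
// Assumed data/people.json:
//   { "names": ["alice", "bob"], "owners": { "alice": "security" } }

import "people"

// Named function (0.20+): count the entries under the "names" key.
func count_names() {
	return length(people.names)
}

// Accessing a key the JSON file does not contain yields undefined; the
// 0.21 helper turns that into a plain boolean instead of an `else` fallback.
has_owners = people.owners is defined

// The policy passes only when the data has at least one name and an
// "owners" mapping is present.
main = rule {
	count_names() > 0 and has_owners
}
```

If the owners key is removed from the JSON file, has_owners becomes false and the policy fails cleanly rather than propagating an undefined value into the main rule.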

Named functions were introduced in version 0.20. This functionality allows for defining functions that cannot be reassigned or reused. Note that anonymous functions can still be reassigned, potentially causing the policy to fail if that function is called afterwards. The syntax for named functions looks like this:

func sum(a, b) {
	// Sentinel functions need an explicit return; a bare expression
	// statement would leave the result undefined.
	return a + b
}

Version 0.21 added two helper functions to determine if a value is defined. In previous releases, policy authors had to use the else expression to recover from undefined values and provide an alternative value.

foo = undefined
 
// In versions prior to 0.21
foo else false is false // false
foo else true is true // true
 
// In version 0.21+
foo is defined // false
foo is not defined // true

This release also added per-policy parameter values. These are supplied once per policy and take precedence over globally supplied values. Previously, parameter values were supplied once within a config and shared across all policies.

policy "restrict-s3" {
	source = "./deny-resource.sentinel"
	params = {
		resource_kind = "aws_s3_bucket"
	}
}

Recent versions of Terraform Cloud have also added support for Open Policy Agent (OPA) as an alternative policy-as-code framework. OPA is an open-source policy engine that makes use of a high-level declarative language known as Rego.

Sentinel is available for download from the HashiCorp site. More details on these releases can be found on the HashiCorp blog or within the changelog.
