Aiman Ismail

05/19/2023, 5:44 AM
Anyone had any experience using the Hashicorp Sentinel language for Atlantis policy checking? It seems like the standalone Sentinel CLI can be run anywhere but only issue right now is how do I pass in the input Terraform plan file to Sentinel to be evaluated?
I find Sentinel to be more readable and easier to write than Rego (OPA).

PePe Amengual

05/19/2023, 5:51 AM
there is a env var called PLANFILE that you can pass , check the docs for run step

Tyler Allen

05/19/2023, 1:05 PM
Here is a plan step of using PLANFILE as mentioned above of course this is using conftest but should be similar for sentinel
              - env:
                  name: TERRAGRUNT_TFPATH
                  command: 'echo "terraform${ATLANTIS_TERRAFORM_VERSION}"'
              - run: "terragrunt show -json $PLANFILE > ${PLANFILE}.json"
              - run: "conftest test ${PLANFILE}.json -p /home/atlantis/conftest_policies/terraform/
:this: 1

Aiman Ismail

05/22/2023, 1:42 PM
thanks for the inputs but in sentinel case, the CLI doesn’t allow passing in input file. It only has parameter for policy file. This might be intentional from Hashicorp to avoid people circumvent their Terraform Cloud offering and running Sentinel manually using CLI instead. In Terraform cloud, the equivalent of planfile data is available through module import (similar to how
is available for use in conftest). It seems like you can write plugin for Sentinel that might able to do that so that’s why I’m asking here if anybody already looked into that before.
Just wondering if anyone done this before since for me at least reading and writing Sentinel is easier compared to Rego.