
Aiman Ismail

05/19/2023, 5:44 AM
Anyone had any experience using the HashiCorp Sentinel language for Atlantis policy checking? It seems like the standalone Sentinel CLI can be run anywhere, but the only issue right now is how do I pass the input Terraform plan file to Sentinel to be evaluated? https://www.hashicorp.com/sentinel
I find Sentinel to be more readable and easier to write than Rego (OPA).

PePe Amengual

05/19/2023, 5:51 AM
there is an env var called PLANFILE that you can pass, check the docs for the run step

Tyler Allen

05/19/2023, 1:05 PM
Here is a policy_check step using PLANFILE as mentioned above; of course this is using conftest, but it should be similar for Sentinel
policy_check:
  steps:
    - env:
        name: TERRAGRUNT_TFPATH
        command: 'echo "terraform${ATLANTIS_TERRAFORM_VERSION}"'
    - run: "terragrunt show -json $PLANFILE > ${PLANFILE}.json"
    - run: "conftest test ${PLANFILE}.json -p /home/atlantis/conftest_policies/terraform/"

Aiman Ismail

05/22/2023, 1:42 PM
thanks for the inputs, but in Sentinel's case the CLI doesn't allow passing in an input file. It only has a parameter for the policy file. This might be intentional from HashiCorp to avoid people circumventing their Terraform Cloud offering and running Sentinel manually using the CLI instead. In Terraform Cloud, the equivalent of the planfile data is available through a module import (similar to how data is available for use in conftest). It seems like you can write a plugin for Sentinel that might be able to do that, so that's why I'm asking here if anybody has already looked into that before.
Just wondering if anyone has done this before, since for me at least reading and writing Sentinel is easier compared to Rego.