In cases where constant values are defined in combination with variables in Terraform code, the constant values are not present in the resulting mocks. For example, mocks generated from this code:
    provider "aws" {
      version = "4.53.0"
      default_tags {
        tags = {
          bazz   = "qux"
          foo    = var.foo
          region = "us-west-2"
        }
      }
    }
will not contain bazz = "qux" or region = "us-west-2" for the provider itself, but only for the individual resources that have been assigned these tags. This significantly complicates writing policies to effectively govern such values.
Cause
This is known Terraform behavior. At present, whenever an expression contains any reference to other objects, ONLY those references are returned for that expression in the Terraform plan, and any constant values present in the same expression are omitted. Because Sentinel performs its policy checks against the JSON representation of the Terraform plan, it inherits this behavior.
Solutions:
- At present, our Sentinel team recommends not mixing variables with constant values, and using constant values wherever possible in these types of configurations.
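The following Python script is an added example, not part of this article or of Sentinel. It uses a constructed fragment of plan JSON (shaped like the "configuration" and "planned_values" sections of `terraform show -json`) to show the reference-only provider expression described above, and to check required tags on the evaluated resource values instead, which is where the constants do survive. The provider key "aws", the resource address and the tag values are assumptions.

```python
import json

# Constructed plan-JSON fragment (not a real plan). The provider-level
# default_tags expression keeps only the var.foo reference, as described
# in the article; the resource carries the fully evaluated tags.
PLAN = json.loads("""
{
  "planned_values": {"root_module": {"resources": [
    {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
     "values": {"tags_all": {"bazz": "qux", "foo": "bar", "region": "us-west-2"}}}
  ]}},
  "configuration": {"provider_config": {"aws": {"name": "aws",
    "expressions": {"default_tags": [{"tags": {"references": ["var.foo"]}}]}}}}
}
""")


def provider_tags_are_reference_only(plan, provider="aws"):
    """True when the provider's default_tags expression carries references
    but no constant_value, i.e. its constant tags are absent from the plan
    and cannot be validated at the provider level."""
    cfg = plan["configuration"]["provider_config"].get(provider, {})
    for block in cfg.get("expressions", {}).get("default_tags", []):
        tags = block.get("tags", {})
        if "references" in tags and "constant_value" not in tags:
            return True
    return False


def missing_required_tags(plan, required):
    """Check the evaluated tags of every planned resource instead of the
    provider config; returns {address: [missing tag keys]}."""
    missing = {}
    for res in plan["planned_values"]["root_module"].get("resources", []):
        values = res.get("values", {})
        tags = values.get("tags_all") or values.get("tags") or {}
        absent = sorted(set(required) - set(tags))
        if absent:
            missing[res["address"]] = absent
    return missing


if __name__ == "__main__":
    print("provider tags reference-only:", provider_tags_are_reference_only(PLAN))
    print("missing tags:", missing_required_tags(PLAN, ["bazz", "region", "owner"]))
```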