Problem
When a Terraform configuration block contains a mix of constant values and variable references, the constant values may not appear in Sentinel mocks. This behavior complicates writing policies to govern these values.
For example, mocks generated from the following provider configuration will not include bazz = "qux" or region = "us-west-2" for the provider itself. These values will only appear for individual resources that inherit the tags.
provider "aws" {
  version = "4.53.0"
  default_tags {
    tags = {
      bazz   = "qux"
      foo    = var.foo
      region = "us-west-2"
    }
  }
}
Cause
This is known behavior in Terraform. When a configuration expression contains a reference to another object (like a variable), Terraform's plan output for that expression may only include the referenced objects and omit any constant values defined alongside them.
Because Sentinel uses a JSON representation of the Terraform plan to perform policy checks, it inherits this behavior from Terraform.
Solutions
Solution 1: Isolate Constant and Variable Definitions
The Sentinel team recommends avoiding mixing variables with constant values within the same configuration block. To ensure all values appear in Sentinel mocks, define them separately where possible. Using constant values exclusively in a block is the most reliable method to ensure they are represented in the plan data used by Sentinel.
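As an added illustration covering both the cause above and this solution (it is example code written for this page, not part of the original article or any HashiCorp tooling), the following Python script inspects the configuration section of a plan as emitted by terraform show -json, where each attribute expression is recorded either as a constant_value or as a list of references. It lists every attribute that survives only as references, which is where constants mixed with variables disappear, so a policy author can see which blocks need their constants isolated before relying on them in Sentinel. The plan excerpt is constructed by hand to mirror the provider block above, the bucket resource is added for contrast, and the function names are this example's own.

```python
import json

# Constructed excerpt of the "configuration" section of a Terraform plan as
# emitted by `terraform show -json`, hand-written for this example. In that
# representation each attribute expression carries either a "constant_value"
# or a "references" list. The default_tags.tags map from the article mixes
# constants (bazz, region) with var.foo, so the whole map is reduced to
# references and the constants are not present. The bucket resource is
# included for contrast: its tags are constants only, so they remain visible.
PLAN_CONFIGURATION = json.loads(r'''
{
  "provider_config": {
    "aws": {
      "name": "aws",
      "full_name": "registry.terraform.io/hashicorp/aws",
      "version_constraint": "4.53.0",
      "expressions": {
        "default_tags": [
          {
            "tags": {"references": ["var.foo"]}
          }
        ]
      }
    }
  },
  "root_module": {
    "resources": [
      {
        "address": "aws_s3_bucket.logs",
        "mode": "managed",
        "type": "aws_s3_bucket",
        "name": "logs",
        "provider_config_key": "aws",
        "expressions": {
          "bucket": {"constant_value": "example-logs"},
          "tags": {"constant_value": {"team": "security", "env": "prod"}}
        },
        "schema_version": 0
      }
    ]
  }
}
''')


def walk_expressions(expressions, path):
    """Yield (path, kind, value) for every attribute under an expressions map.

    Nested block types appear as a list with one object per block instance;
    attributes appear as {"constant_value": ...} or {"references": [...]}.
    """
    for name, expr in expressions.items():
        here = f"{path}.{name}"
        if isinstance(expr, list):
            for index, block in enumerate(expr):
                yield from walk_expressions(block, f"{here}[{index}]")
        elif isinstance(expr, dict) and "constant_value" in expr:
            yield here, "constant", expr["constant_value"]
        elif isinstance(expr, dict) and "references" in expr:
            yield here, "references", expr["references"]


def classify_attributes(configuration):
    """Map every provider and root-module resource attribute to its plan form."""
    result = {}
    for key, provider in configuration.get("provider_config", {}).items():
        for path, kind, value in walk_expressions(
            provider.get("expressions", {}), f"provider.{key}"
        ):
            result[path] = (kind, value)
    for resource in configuration.get("root_module", {}).get("resources", []):
        for path, kind, value in walk_expressions(
            resource.get("expressions", {}), resource["address"]
        ):
            result[path] = (kind, value)
    return result


def reference_only_attributes(configuration):
    """Attributes a policy cannot read as constants: only references survive."""
    return sorted(
        path for path, (kind, _) in classify_attributes(configuration).items()
        if kind == "references"
    )


def visible_constants(configuration):
    """Attributes whose literal values are present in the plan data."""
    return {
        path: value
        for path, (kind, value) in classify_attributes(configuration).items()
        if kind == "constant"
    }


if __name__ == "__main__":
    for path in reference_only_attributes(PLAN_CONFIGURATION):
        print(f"constants not visible to policy (isolate them): {path}")
    for path, value in visible_constants(PLAN_CONFIGURATION).items():
        print(f"visible constant: {path} = {value!r}")
```

Run against a real plan by loading the "configuration" key of the terraform show -json output in place of the constructed excerpt; any path the script reports as references-only is a block where constant values will be absent from the Sentinel mocks until they are moved into a block of their own.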
Additional Information
- For community discussion, please visit the Sentinel Discuss forum.