Introduction
In some use cases, due to security requirements or other considerations that disallow VCS, it can be necessary to manage Sentinel Policy Sets via the Terraform Enterprise API.
Use Case
For third generation Sentinel policies, it is ideal to bundle the common functions from our governance repository. It is possible to include these functions inline with your Sentinel code, but that approach does not follow best practices for working with modules. The process for bundling modules with your Sentinel policies for API upload is described below.
Procedure
- First, create a .tar.gz archive from the root directory of the Sentinel policy set. In the example below, it is assumed that the sentinel.hcl file contains the appropriate module block specifying where policy_name can import the common functions from. Once the directory structure and contents are verified, compress the contents using the tar command.
$:~/policy-set> tree
.
├── common-functions
│   └── tfplan-functions
│       └── tfplan-functions.sentinel
├── policy_name.sentinel
└── sentinel.hcl
$:~/policy-set> tar -czvf policy-set.tar.gz *
common-functions/
common-functions/tfplan-functions/
common-functions/tfplan-functions/tfplan-functions.sentinel
policy_name.sentinel
sentinel.hcl
- Once the tar archive is created, call the list policy sets API to obtain the ID of the policy set, which is required for the subsequent API calls.
curl \
--header "Authorization: Bearer $TOKEN" \
https://<YOUR-TFE-URL>/api/v2/organizations/<YOUR-ORG-NAME>/policy-sets
- Once the ID of the policy set is obtained, call the create a policy set version API, specifying the ID obtained in the previous step. The response contains an upload URL that is required for the last API call in the series. The polsetver ID in the response is useful for verifying policy set readiness, so you may wish to note it for use after the upload is initiated.
curl \
--header "Authorization: Bearer $TOKEN" \
--header "Content-Type: application/vnd.api+json" \
--request POST \
https://<YOUR-TFE-URL>/api/v2/policy-sets/<YOUR-POLSET-ID>/versions
- The final upload sends the .tar.gz created in the first step as the request body of the upload policy set version API.
curl \
--header "Content-Type: application/octet-stream" \
--request PUT \
--data-binary @policy-set.tar.gz \
https://<YOUR-UPLOAD-URL>/v1/object/dmF1bHQ6djE6NWJPbHQ4QjV4R1ox...
If desired, you can check that the upload is complete either via the timestamp for your policy set in the Policy Sets section of settings, or by using the show policy set version API together with the polsetver ID from the create a policy set version API call in the previous step: the status changes from pending to ready when the policy set is ready for use.
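The whole procedure above driven from one Python script instead of separate curl calls, as an added example that is not part of the original article. It assumes TFE_HOST, TFE_TOKEN and TFE_ORG environment variables, that the policy set is looked up by name in the list response, and that the upload URL is read from the links.upload field of the create-version response (all assumptions).

```python
# Added example, not code from the article; assumes TFE_HOST, TFE_TOKEN, TFE_ORG in the environment.
import io, json, os, tarfile, time, urllib.request

def build_archive(policy_dir):
    """Pack policy_dir into an in-memory .tar.gz with paths relative to its root, after
    checking that sentinel.hcl (which carries the module block) sits at that root."""
    if not os.path.isfile(os.path.join(policy_dir, "sentinel.hcl")):
        raise ValueError("sentinel.hcl must be at the policy set root, not in a subdirectory")
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name in sorted(os.listdir(policy_dir)):
            tar.add(os.path.join(policy_dir, name), arcname=name)
    return buf.getvalue()

def find_policy_set_id(list_response, name):
    """Pull the policy set id for `name` out of the 'list policy sets' JSON:API response."""
    try:
        return next(d["id"] for d in list_response["data"] if d["attributes"]["name"] == name)
    except StopIteration:
        raise KeyError(f"policy set {name!r} not found") from None

def parse_version(version_response):
    """Return (polsetver id, upload URL, status) from a policy set version response."""
    d = version_response["data"]
    return d["id"], d["links"].get("upload"), d["attributes"]["status"]

def api(method, url, body=None, headers=None):
    """Send one request with urllib; returns decoded JSON, or {} when the body is empty."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers or {})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}

def tfe(method, path):
    """Call the TFE API v2 with the bearer token from the environment."""
    return api(method, f"https://{os.environ['TFE_HOST']}/api/v2{path}", headers={
        "Authorization": f"Bearer {os.environ['TFE_TOKEN']}",
        "Content-Type": "application/vnd.api+json"})

def publish(policy_dir, policy_set_name, timeout=120):
    """Archive, look up the policy set id, create a version, upload, then poll until 'ready'."""
    archive = build_archive(policy_dir)
    org = os.environ["TFE_ORG"]
    ps_id = find_policy_set_id(tfe("GET", f"/organizations/{org}/policy-sets"), policy_set_name)
    ver_id, upload_url, _ = parse_version(tfe("POST", f"/policy-sets/{ps_id}/versions"))
    api("PUT", upload_url, archive, {"Content-Type": "application/octet-stream"})  # pre-signed URL: no bearer token
    for _ in range(max(1, timeout // 5)):
        if parse_version(tfe("GET", f"/policy-set-versions/{ver_id}"))[2] == "ready":
            return ver_id
        time.sleep(5)
    raise TimeoutError(f"{ver_id} not ready after {timeout}s")
```

Call publish("./policy-set", "<YOUR-POLICY-SET-NAME>") once the environment variables are exported; it returns the polsetver ID when the status reaches ready.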
Additional Information
- If the issue persists or you have any additional questions, please reach out to HashiCorp Support.