├── LICENSE
├── README.md
├── aws
│   ├── enforce-mandatory-tags.sentinel
│   └── sentinel.hcl
├── azure
│   ├── enforce-mandatory-tags.sentinel
│   └── sentinel.hcl
├── bonus_lab
│   ├── aws-restrict-all-but-ssh.sentinel
│   ├── azure-restrict-vm-size.sentinel
│   ├── gcp-restrict-machine-type.sentinel
│   └── sentinel.hcl
└── gcp
    ├── enforce-mandatory-labels.sentinel
    └── sentinel.hcl

/LICENSE:
--------------------------------------------------------------------------------
Copyright (c) 2019 HashiCorp, Inc.

Mozilla Public License Version 2.0
==================================

1. Definitions
--------------

1.1. "Contributor"
    means each individual or legal entity that creates, contributes to
    the creation of, or owns Covered Software.

1.2. "Contributor Version"
    means the combination of the Contributions of others (if any) used
    by a Contributor and that particular Contributor's Contribution.

1.3. "Contribution"
    means Covered Software of a particular Contributor.

1.4. "Covered Software"
    means Source Code Form to which the initial Contributor has attached
    the notice in Exhibit A, the Executable Form of such Source Code
    Form, and Modifications of such Source Code Form, in each case
    including portions thereof.

1.5. "Incompatible With Secondary Licenses"
    means

    (a) that the initial Contributor has attached the notice described
        in Exhibit B to the Covered Software; or

    (b) that the Covered Software was made available under the terms of
        version 1.1 or earlier of the License, but not also under the
        terms of a Secondary License.

1.6. "Executable Form"
    means any form of the work other than Source Code Form.

1.7. "Larger Work"
    means a work that combines Covered Software with other material, in
    a separate file or files, that is not Covered Software.

1.8. "License"
    means this document.

1.9. "Licensable"
    means having the right to grant, to the maximum extent possible,
    whether at the time of the initial grant or subsequently, any and
    all of the rights conveyed by this License.

1.10. "Modifications"
    means any of the following:

    (a) any file in Source Code Form that results from an addition to,
        deletion from, or modification of the contents of Covered
        Software; or

    (b) any new file in Source Code Form that contains any Covered
        Software.

1.11. "Patent Claims" of a Contributor
    means any patent claim(s), including without limitation, method,
    process, and apparatus claims, in any patent Licensable by such
    Contributor that would be infringed, but for the grant of the
    License, by the making, using, selling, offering for sale, having
    made, import, or transfer of either its Contributions or its
    Contributor Version.

1.12. "Secondary License"
    means either the GNU General Public License, Version 2.0, the GNU
    Lesser General Public License, Version 2.1, the GNU Affero General
    Public License, Version 3.0, or any later versions of those
    licenses.

1.13. "Source Code Form"
    means the form of the work preferred for making modifications.

1.14. "You" (or "Your")
    means an individual or a legal entity exercising rights under this
    License. For legal entities, "You" includes any entity that
    controls, is controlled by, or is under common control with You. For
    purposes of this definition, "control" means (a) the power, direct
    or indirect, to cause the direction or management of such entity,
    whether by contract or otherwise, or (b) ownership of more than
    fifty percent (50%) of the outstanding shares or beneficial
    ownership of such entity.

2. License Grants and Conditions
--------------------------------

2.1. Grants

Each Contributor hereby grants You a world-wide, royalty-free,
non-exclusive license:

(a) under intellectual property rights (other than patent or trademark)
    Licensable by such Contributor to use, reproduce, make available,
    modify, display, perform, distribute, and otherwise exploit its
    Contributions, either on an unmodified basis, with Modifications, or
    as part of a Larger Work; and

(b) under Patent Claims of such Contributor to make, use, sell, offer
    for sale, have made, import, and otherwise transfer either its
    Contributions or its Contributor Version.

2.2. Effective Date

The licenses granted in Section 2.1 with respect to any Contribution
become effective for each Contribution on the date the Contributor first
distributes such Contribution.

2.3. Limitations on Grant Scope

The licenses granted in this Section 2 are the only rights granted under
this License. No additional rights or licenses will be implied from the
distribution or licensing of Covered Software under this License.
Notwithstanding Section 2.1(b) above, no patent license is granted by a
Contributor:

(a) for any code that a Contributor has removed from Covered Software;
    or

(b) for infringements caused by: (i) Your and any other third party's
    modifications of Covered Software, or (ii) the combination of its
    Contributions with other software (except as part of its Contributor
    Version); or

(c) under Patent Claims infringed by Covered Software in the absence of
    its Contributions.

This License does not grant any rights in the trademarks, service marks,
or logos of any Contributor (except as may be necessary to comply with
the notice requirements in Section 3.4).

2.4. Subsequent Licenses

No Contributor makes additional grants as a result of Your choice to
distribute the Covered Software under a subsequent version of this
License (see Section 10.2) or under the terms of a Secondary License (if
permitted under the terms of Section 3.3).

2.5. Representation

Each Contributor represents that the Contributor believes its
Contributions are its original creation(s) or it has sufficient rights
to grant the rights to its Contributions conveyed by this License.

2.6. Fair Use

This License is not intended to limit any rights You have under
applicable copyright doctrines of fair use, fair dealing, or other
equivalents.

2.7. Conditions

Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted
in Section 2.1.

3. Responsibilities
-------------------

3.1. Distribution of Source Form

All distribution of Covered Software in Source Code Form, including any
Modifications that You create or to which You contribute, must be under
the terms of this License. You must inform recipients that the Source
Code Form of the Covered Software is governed by the terms of this
License, and how they can obtain a copy of this License. You may not
attempt to alter or restrict the recipients' rights in the Source Code
Form.

3.2. Distribution of Executable Form

If You distribute Covered Software in Executable Form then:

(a) such Covered Software must also be made available in Source Code
    Form, as described in Section 3.1, and You must inform recipients of
    the Executable Form how they can obtain a copy of such Source Code
    Form by reasonable means in a timely manner, at a charge no more
    than the cost of distribution to the recipient; and

(b) You may distribute such Executable Form under the terms of this
    License, or sublicense it under different terms, provided that the
    license for the Executable Form does not attempt to limit or alter
    the recipients' rights in the Source Code Form under this License.

3.3. Distribution of a Larger Work

You may create and distribute a Larger Work under terms of Your choice,
provided that You also comply with the requirements of this License for
the Covered Software. If the Larger Work is a combination of Covered
Software with a work governed by one or more Secondary Licenses, and the
Covered Software is not Incompatible With Secondary Licenses, this
License permits You to additionally distribute such Covered Software
under the terms of such Secondary License(s), so that the recipient of
the Larger Work may, at their option, further distribute the Covered
Software under the terms of either this License or such Secondary
License(s).

3.4. Notices

You may not remove or alter the substance of any license notices
(including copyright notices, patent notices, disclaimers of warranty,
or limitations of liability) contained within the Source Code Form of
the Covered Software, except that You may alter any license notices to
the extent required to remedy known factual inaccuracies.

3.5. Application of Additional Terms

You may choose to offer, and to charge a fee for, warranty, support,
indemnity or liability obligations to one or more recipients of Covered
Software. However, You may do so only on Your own behalf, and not on
behalf of any Contributor. You must make it absolutely clear that any
such warranty, support, indemnity, or liability obligation is offered by
You alone, and You hereby agree to indemnify every Contributor for any
liability incurred by such Contributor as a result of warranty, support,
indemnity or liability terms You offer. You may include additional
disclaimers of warranty and limitations of liability specific to any
jurisdiction.

4. Inability to Comply Due to Statute or Regulation
---------------------------------------------------

If it is impossible for You to comply with any of the terms of this
License with respect to some or all of the Covered Software due to
statute, judicial order, or regulation then You must: (a) comply with
the terms of this License to the maximum extent possible; and (b)
describe the limitations and the code they affect. Such description must
be placed in a text file included with all distributions of the Covered
Software under this License. Except to the extent prohibited by statute
or regulation, such description must be sufficiently detailed for a
recipient of ordinary skill to be able to understand it.

5. Termination
--------------

5.1. The rights granted under this License will terminate automatically
if You fail to comply with any of its terms. However, if You become
compliant, then the rights granted under this License from a particular
Contributor are reinstated (a) provisionally, unless and until such
Contributor explicitly and finally terminates Your grants, and (b) on an
ongoing basis, if such Contributor fails to notify You of the
non-compliance by some reasonable means prior to 60 days after You have
come back into compliance. Moreover, Your grants from a particular
Contributor are reinstated on an ongoing basis if such Contributor
notifies You of the non-compliance by some reasonable means, this is the
first time You have received notice of non-compliance with this License
from such Contributor, and You become compliant prior to 30 days after
Your receipt of the notice.

5.2. If You initiate litigation against any entity by asserting a patent
infringement claim (excluding declaratory judgment actions,
counter-claims, and cross-claims) alleging that a Contributor Version
directly or indirectly infringes any patent, then the rights granted to
You by any and all Contributors for the Covered Software under Section
2.1 of this License shall terminate.

5.3. In the event of termination under Sections 5.1 or 5.2 above, all
end user license agreements (excluding distributors and resellers) which
have been validly granted by You or Your distributors under this License
prior to termination shall survive termination.

************************************************************************
*                                                                      *
*  6. Disclaimer of Warranty                                           *
*  -------------------------                                           *
*                                                                      *
*  Covered Software is provided under this License on an "as is"       *
*  basis, without warranty of any kind, either expressed, implied, or  *
*  statutory, including, without limitation, warranties that the       *
*  Covered Software is free of defects, merchantable, fit for a        *
*  particular purpose or non-infringing. The entire risk as to the     *
*  quality and performance of the Covered Software is with You.        *
*  Should any Covered Software prove defective in any respect, You     *
*  (not any Contributor) assume the cost of any necessary servicing,   *
*  repair, or correction. This disclaimer of warranty constitutes an   *
*  essential part of this License. No use of any Covered Software is   *
*  authorized under this License except under this disclaimer.         *
*                                                                      *
************************************************************************

************************************************************************
*                                                                      *
*  7. Limitation of Liability                                          *
*  --------------------------                                          *
*                                                                      *
*  Under no circumstances and under no legal theory, whether tort      *
*  (including negligence), contract, or otherwise, shall any           *
*  Contributor, or anyone who distributes Covered Software as          *
*  permitted above, be liable to You for any direct, indirect,         *
*  special, incidental, or consequential damages of any character      *
*  including, without limitation, damages for lost profits, loss of    *
*  goodwill, work stoppage, computer failure or malfunction, or any    *
*  and all other commercial damages or losses, even if such party      *
*  shall have been informed of the possibility of such damages. This   *
*  limitation of liability shall not apply to liability for death or   *
*  personal injury resulting from such party's negligence to the       *
*  extent applicable law prohibits such limitation. Some               *
*  jurisdictions do not allow the exclusion or limitation of           *
*  incidental or consequential damages, so this exclusion and          *
*  limitation may not apply to You.                                    *
*                                                                      *
************************************************************************

8. Litigation
-------------

Any litigation relating to this License may be brought only in the
courts of a jurisdiction where the defendant maintains its principal
place of business and such litigation shall be governed by laws of that
jurisdiction, without reference to its conflict-of-law provisions.
Nothing in this Section shall prevent a party's ability to bring
cross-claims or counter-claims.

9. Miscellaneous
----------------

This License represents the complete agreement concerning the subject
matter hereof. If any provision of this License is held to be
unenforceable, such provision shall be reformed only to the extent
necessary to make it enforceable. Any law or regulation which provides
that the language of a contract shall be construed against the drafter
shall not be used to construe this License against a Contributor.

10. Versions of the License
---------------------------

10.1. New Versions

Mozilla Foundation is the license steward. Except as provided in Section
10.3, no one other than the license steward has the right to modify or
publish new versions of this License. Each version will be given a
distinguishing version number.

10.2. Effect of New Versions

You may distribute the Covered Software under the terms of the version
of the License under which You originally received the Covered Software,
or under the terms of any subsequent version published by the license
steward.

10.3. Modified Versions

If you create software not governed by this License, and you want to
create a new license for such software, you may create and use a
modified version of this License if you rename the license and remove
any references to the name of the license steward (except to note that
such modified license differs from this License).

10.4. Distributing Source Code Form that is Incompatible With Secondary
      Licenses

If You choose to distribute Source Code Form that is Incompatible With
Secondary Licenses under the terms of this version of the License, the
notice described in Exhibit B of this License must be attached.

Exhibit A - Source Code Form License Notice
-------------------------------------------

  This Source Code Form is subject to the terms of the Mozilla Public
  License, v. 2.0. If a copy of the MPL was not distributed with this
  file, You can obtain one at http://mozilla.org/MPL/2.0/.

If it is not possible or desirable to put the notice in a particular
file, then You may include the notice in a location (such as a LICENSE
file in a relevant directory) where a recipient would be likely to look
for such a notice.

You may add additional accurate notices of copyright ownership.

Exhibit B - "Incompatible With Secondary Licenses" Notice
---------------------------------------------------------

  This Source Code Form is "Incompatible With Secondary Licenses", as
  defined by the Mozilla Public License, v. 2.0.

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Terraform Cloud Workshop Sentinel Policies
This repository contains sample Sentinel policies for use in Terraform Cloud workshops.

Use with the curriculum available here:

https://hashicorp.github.io/workshops
--------------------------------------------------------------------------------
/aws/enforce-mandatory-tags.sentinel:
--------------------------------------------------------------------------------
# This policy uses the Sentinel tfplan import to require that all EC2 instances
# have all mandatory tags.
# Note that the comparison is case-sensitive since AWS tags are case-sensitive.

# Import common-functions/tfplan-functions/tfplan-functions.sentinel
# with alias "plan"
import "tfplan-functions" as plan

### List of mandatory tags ###
mandatory_tags = [
  "Department",
  "Billable",
]

# Get all EC2 instances
allEC2Instances = plan.find_resources("aws_instance")

# Filter to EC2 instances with violations
# Warnings will be printed for all violations since the last parameter is true
violatingEC2Instances = plan.filter_attribute_not_contains_list(allEC2Instances,
                        "tags", mandatory_tags, true)

# Main rule
main = rule {
  length(violatingEC2Instances["messages"]) is 0
}
--------------------------------------------------------------------------------
/aws/sentinel.hcl:
--------------------------------------------------------------------------------
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0

policy "enforce-mandatory-tags" {
  enforcement_level = "hard-mandatory"
}

module "tfplan-functions" {
  source = "https://raw.githubusercontent.com/hashicorp/terraform-sentinel-policies/main/common-functions/tfplan-functions/tfplan-functions.sentinel"
}
--------------------------------------------------------------------------------
/azure/enforce-mandatory-tags.sentinel:
--------------------------------------------------------------------------------
# This policy uses the Sentinel tfplan import to require that all Azure VMs
# have all mandatory tags.

# Note that the comparison is case-sensitive even though Azure tags are not.
# If you want to allow case variations, include them in your mandatory_tags list

# Import common-functions/tfplan-functions/tfplan-functions.sentinel
# with alias "plan"
import "tfplan-functions" as plan

### List of mandatory tags ###
mandatory_tags = [
  "Billable",
  "Department",
]

# Get all Azure VMs
allAzureVMs = plan.find_resources("azurerm_linux_virtual_machine")

# Filter to Azure VMs with violations
# Warnings will be printed for all violations since the last parameter is true
violatingAzureVMs = plan.filter_attribute_not_contains_list(allAzureVMs,
                    "tags", mandatory_tags, true)

# Main rule
main = rule {
  length(violatingAzureVMs["messages"]) is 0
}
--------------------------------------------------------------------------------
/azure/sentinel.hcl:
--------------------------------------------------------------------------------
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0

policy "enforce-mandatory-tags" {
  enforcement_level = "hard-mandatory"
}

module "tfplan-functions" {
  source = "https://raw.githubusercontent.com/hashicorp/terraform-sentinel-policies/main/common-functions/tfplan-functions/tfplan-functions.sentinel"
}
--------------------------------------------------------------------------------
/bonus_lab/aws-restrict-all-but-ssh.sentinel:
--------------------------------------------------------------------------------
# This policy uses the Sentinel tfplan/v2 import to validate that no security group
# rules have the CIDR "0.0.0.0/0". It covers both the aws_security_group and
# the aws_security_group_rule resources which can both define rules.

# Import the tfplan/v2 import, but use the alias "tfplan"
import "tfplan/v2" as tfplan

# Import common-functions/tfplan-functions/tfplan-functions.sentinel
# with alias "plan"
import "tfplan-functions" as plan

# Forbidden CIDRs
# Include "null" to forbid missing or computed values
forbidden_cidrs = ["0.0.0.0/0"]

# Get all Security Group Ingress Rules
SGIngressRules = filter tfplan.resource_changes as address, rc {
  rc.type is "aws_security_group_rule" and
  rc.mode is "managed" and rc.change.after.type is "ingress" and
  (rc.change.actions contains "create" or rc.change.actions contains "update")
}

# Filter to Ingress Security Group Rules with violations
# Warnings will be printed for all violations since the last parameter is true
violatingSGRules = plan.filter_attribute_contains_items_from_list(SGIngressRules,
                   "cidr_blocks", forbidden_cidrs, true)

# Get all Security Groups
allSGs = plan.find_resources("aws_security_group")

# Validate Security Groups
violatingSGsCount = 0
for allSGs as address, sg {

  # Find the ingress rules of the current SG
  ingressRules = plan.find_blocks(sg, "ingress")

  # Filter to violating CIDR blocks
  # Warnings will not be printed for violations since the last parameter is false
  violatingIRs = plan.filter_attribute_contains_items_from_list(ingressRules,
                 "cidr_blocks", forbidden_cidrs, false)

  # Print violation messages
  if length(violatingIRs["messages"]) > 0 {
    violatingSGsCount += 1
    print("SG Ingress Violation:", address, "has at least one ingress rule",
          "with forbidden cidr blocks")
    plan.print_violations(violatingIRs["messages"], "Ingress Rule")
  } // end if

} // end for SGs

# Main rule
validated = length(violatingSGRules["messages"]) is 0 and violatingSGsCount is 0
main = rule {
  validated is true
}
--------------------------------------------------------------------------------
/bonus_lab/azure-restrict-vm-size.sentinel:
--------------------------------------------------------------------------------
# This policy uses the Sentinel tfplan/v2 import to require that
# all Azure VMs have vm sizes from an allowed list

# Import common-functions/tfplan-functions/tfplan-functions.sentinel
# with alias "plan"
import "tfplan-functions" as plan

# Allowed Azure VM Sizes
# Include "null" to allow missing or computed values
allowed_sizes = ["Standard_A1", "Standard_A2", "Standard_D1_v2", "Standard_D2_v2"]

# Get all Azure VMs
allAzureVMs = plan.find_resources("azurerm_virtual_machine")

# Filter to Azure VMs with violations
# Warnings will be printed for all violations since the last parameter is true
violatingAzureVMs = plan.filter_attribute_not_in_list(allAzureVMs,
                    "vm_size", allowed_sizes, true)

# Count violations
violations = length(violatingAzureVMs["messages"])

# Main rule
main = rule {
  violations is 0
}
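The security-group check in bonus_lab/aws-restrict-all-but-ssh.sentinel has two halves: standalone aws_security_group_rule resources, and inline ingress blocks of aws_security_group resources, which a rule-only check would miss. The block below is an added example, not code from the workshop repository or the tfplan-functions module: it applies the same two-sided check in Python over the JSON that `terraform show -json` emits (the data the Sentinel tfplan/v2 import exposes), so the logic can be exercised against a saved plan without a Sentinel runtime. SAMPLE_PLAN, its resource addresses and the helpers `is_create_or_update`, `forbidden_in`, `violating_sg_rules`, `violating_sgs` and `main_rule` are constructed for this example.

```python
"""Plan-JSON equivalent of the security-group CIDR check (added example).

Reads the structure that `terraform show -json tfplan` produces and flags
ingress rules whose cidr_blocks contain a forbidden CIDR, covering both
aws_security_group_rule resources and the inline ingress blocks of
aws_security_group resources. SAMPLE_PLAN is constructed, not a real plan.
"""

FORBIDDEN_CIDRS = ["0.0.0.0/0"]

# Constructed plan fragment in `terraform show -json` shape. Terraform leaves
# values that are unknown at plan time out of "after"; that is what the
# policy's comment calls a "computed" value.
SAMPLE_PLAN = {"resource_changes": [
    {"address": "aws_security_group_rule.ssh_anywhere",   # open to the world
     "mode": "managed", "type": "aws_security_group_rule",
     "change": {"actions": ["create"],
                "after": {"type": "ingress", "from_port": 22, "to_port": 22,
                          "cidr_blocks": ["0.0.0.0/0"]}}},
    {"address": "aws_security_group_rule.all_egress",     # egress: out of scope
     "mode": "managed", "type": "aws_security_group_rule",
     "change": {"actions": ["create"],
                "after": {"type": "egress", "cidr_blocks": ["0.0.0.0/0"]}}},
    {"address": "aws_security_group.web",                 # second inline block is open
     "mode": "managed", "type": "aws_security_group",
     "change": {"actions": ["update"],
                "after": {"ingress": [
                    {"from_port": 443, "cidr_blocks": ["10.0.0.0/8"]},
                    {"from_port": 80, "cidr_blocks": ["10.0.0.0/8", "0.0.0.0/0"]}]}}},
    {"address": "aws_security_group.legacy",              # being destroyed: skipped
     "mode": "managed", "type": "aws_security_group",
     "change": {"actions": ["delete"], "after": None}},
    {"address": "aws_security_group_rule.from_variable",  # cidr_blocks computed
     "mode": "managed", "type": "aws_security_group_rule",
     "change": {"actions": ["create"], "after": {"type": "ingress"}}},
]}


def is_create_or_update(rc):
    """Same scope as the policy: managed resources the plan creates or updates."""
    return rc["mode"] == "managed" and bool({"create", "update"} & set(rc["change"]["actions"]))


def forbidden_in(cidr_blocks, forbidden):
    """Items of cidr_blocks that are forbidden. A missing (computed) attribute is
    reported as "null", so listing "null" in `forbidden` rejects it as well."""
    if cidr_blocks is None:
        return ["null"] if "null" in forbidden else []
    return [cidr for cidr in cidr_blocks if cidr in forbidden]


def violating_sg_rules(plan, forbidden=FORBIDDEN_CIDRS):
    """aws_security_group_rule ingress resources with forbidden CIDRs -> {address: hits}."""
    out = {}
    for rc in plan["resource_changes"]:
        if rc["type"] != "aws_security_group_rule" or not is_create_or_update(rc):
            continue
        after = rc["change"]["after"]
        if after.get("type") != "ingress":
            continue
        hits = forbidden_in(after.get("cidr_blocks"), forbidden)
        if hits:
            out[rc["address"]] = hits
    return out


def violating_sgs(plan, forbidden=FORBIDDEN_CIDRS):
    """aws_security_group resources with an offending inline ingress block
    -> {address: [indexes of the offending blocks]}."""
    out = {}
    for rc in plan["resource_changes"]:
        if rc["type"] != "aws_security_group" or not is_create_or_update(rc):
            continue
        blocks = rc["change"]["after"].get("ingress") or []
        bad = [i for i, blk in enumerate(blocks) if forbidden_in(blk.get("cidr_blocks"), forbidden)]
        if bad:
            out[rc["address"]] = bad
    return out


def main_rule(plan, forbidden=FORBIDDEN_CIDRS):
    """The policy's main rule: passes only when both checks come back empty."""
    return not violating_sg_rules(plan, forbidden) and not violating_sgs(plan, forbidden)


if __name__ == "__main__":
    for addr, hits in violating_sg_rules(SAMPLE_PLAN).items():
        print("SG Rule Violation:", addr, "has forbidden cidr blocks", hits)
    for addr, idx in violating_sgs(SAMPLE_PLAN).items():
        print("SG Ingress Violation:", addr, "inline ingress block(s)", idx, "have forbidden cidr blocks")
    print("main =", main_rule(SAMPLE_PLAN))
```

Two details carry over from the policy: deletes are skipped because removing a rule never widens exposure, and a computed `cidr_blocks` is only rejected when "null" is added to the forbidden list, which is the trade-off the policy's comment describes between blocking unknown values and allowing plans that compute them from variables.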
--------------------------------------------------------------------------------
/bonus_lab/gcp-restrict-machine-type.sentinel:
--------------------------------------------------------------------------------
# This policy uses the Sentinel tfplan/v2 import to require that
# all GCE instances have machine types from an allowed list

# Import common-functions/tfplan-functions/tfplan-functions.sentinel
# with alias "plan"
import "tfplan-functions" as plan

# Allowed GCE Instance Types
# Include "null" to allow missing or computed values
allowed_types = ["n1-standard-1", "n1-standard-2", "n1-standard-4"]

# Get all GCE instances
allGCEInstances = plan.find_resources("google_compute_instance")

# Filter to GCE instances with violations
# Warnings will be printed for all violations since the last parameter is true
violatingGCEInstances = plan.filter_attribute_not_in_list(allGCEInstances,
                        "machine_type", allowed_types, true)

# Count violations
violations = length(violatingGCEInstances["messages"])

# Main rule
main = rule {
  violations is 0
}
--------------------------------------------------------------------------------
/bonus_lab/sentinel.hcl:
--------------------------------------------------------------------------------
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0

policy "aws-restrict-all-but-ssh" {
  enforcement_level = "hard-mandatory"
}

policy "azure-restrict-vm-size" {
  enforcement_level = "hard-mandatory"
}

policy "gcp-restrict-machine-type" {
  enforcement_level = "hard-mandatory"
}

module "tfplan-functions" {
  source = "https://raw.githubusercontent.com/hashicorp/terraform-sentinel-policies/main/common-functions/tfplan-functions/tfplan-functions.sentinel"
}
--------------------------------------------------------------------------------
/gcp/enforce-mandatory-labels.sentinel:
--------------------------------------------------------------------------------
# This policy uses the Sentinel tfplan import to require that all GCP compute
# instances have all mandatory labels.

# Note that the comparison is case-sensitive but also that GCP labels
# are only allowed to contain lowercase letters, numbers, and dashes.

# Import common-functions/tfplan-functions/tfplan-functions.sentinel
# with alias "plan"
import "tfplan-functions" as plan

### List of mandatory labels ###
mandatory_labels = [
  "department",
  "billable",
]

# Get all GCP compute instances
allGCEInstances = plan.find_resources("google_compute_instance")

# Filter to GCP compute instances with violations
# Warnings will be printed for all violations since the last parameter is true
violatingGCEInstances = plan.filter_attribute_not_contains_list(allGCEInstances,
                        "labels", mandatory_labels, true)

# Main rule
main = rule {
  length(violatingGCEInstances["messages"]) is 0
}
--------------------------------------------------------------------------------
/gcp/sentinel.hcl:
--------------------------------------------------------------------------------
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0

policy "enforce-mandatory-labels" {
  enforcement_level = "hard-mandatory"
}

module "tfplan-functions" {
  source = "https://raw.githubusercontent.com/hashicorp/terraform-sentinel-policies/main/common-functions/tfplan-functions/tfplan-functions.sentinel"
}
--------------------------------------------------------------------------------
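The remaining policies in this repository are all one of two shapes: a map attribute (tags, labels) must contain every key in a mandatory list, compared case-sensitively, or a scalar attribute (vm_size, machine_type) must be in an allowed list, with "null" standing in for a missing or computed value. The block below is an added example, not code from the workshop repository or the tfplan-functions module: it reimplements both shapes in Python over the JSON that `terraform show -json` emits and evaluates the four policies (aws/enforce-mandatory-tags, gcp/enforce-mandatory-labels, bonus_lab/azure-restrict-vm-size, bonus_lab/gcp-restrict-machine-type) against one constructed plan. The function names mirror the tfplan-functions module only for readability; SAMPLE_PLAN, its addresses and `evaluate` are this example's own.

```python
"""Plan-JSON equivalents of the mandatory-tags/labels and allowed-list
policies (added example). Helper names mirror the tfplan-functions module
but are reimplemented here, not imported. SAMPLE_PLAN is constructed.
"""

MANDATORY_TAGS = ["Department", "Billable"]        # aws/enforce-mandatory-tags
MANDATORY_LABELS = ["department", "billable"]      # gcp/enforce-mandatory-labels
ALLOWED_VM_SIZES = ["Standard_A1", "Standard_A2", "Standard_D1_v2", "Standard_D2_v2"]
ALLOWED_MACHINE_TYPES = ["n1-standard-1", "n1-standard-2", "n1-standard-4"]

# Constructed plan fragment; values unknown at plan time are absent from "after".
SAMPLE_PLAN = {"resource_changes": [
    {"address": "aws_instance.web", "mode": "managed", "type": "aws_instance",
     "change": {"actions": ["create"],
                "after": {"tags": {"Department": "eng", "Billable": "true"}}}},
    {"address": "aws_instance.batch", "mode": "managed", "type": "aws_instance",   # wrong case
     "change": {"actions": ["create"], "after": {"tags": {"department": "eng"}}}},
    {"address": "aws_instance.untagged", "mode": "managed", "type": "aws_instance",  # tags computed
     "change": {"actions": ["update"], "after": {}}},
    {"address": "aws_instance.old", "mode": "managed", "type": "aws_instance",   # destroyed: skipped
     "change": {"actions": ["delete"], "after": None}},
    {"address": "aws_instance.same", "mode": "managed", "type": "aws_instance",  # unchanged: skipped
     "change": {"actions": ["no-op"], "after": {"tags": {}}}},
    {"address": "azurerm_virtual_machine.big", "mode": "managed", "type": "azurerm_virtual_machine",
     "change": {"actions": ["create"], "after": {"vm_size": "Standard_D8_v3"}}},
    {"address": "azurerm_virtual_machine.small", "mode": "managed", "type": "azurerm_virtual_machine",
     "change": {"actions": ["create"], "after": {"vm_size": "Standard_A1"}}},
    {"address": "google_compute_instance.vm", "mode": "managed", "type": "google_compute_instance",
     "change": {"actions": ["create"],
                "after": {"machine_type": "n1-standard-2",
                          "labels": {"department": "eng", "billable": "yes"}}}},
]}


def find_resources(plan, rtype):
    """Mirror plan.find_resources: managed resources of rtype being created or updated."""
    return {rc["address"]: rc for rc in plan["resource_changes"]
            if rc["type"] == rtype and rc["mode"] == "managed"
            and ({"create", "update"} & set(rc["change"]["actions"]))}


def filter_attribute_not_contains_list(resources, attr, required):
    """Resources whose map attribute lacks any required key, compared
    case-sensitively as the policies note. A missing or computed map counts
    as missing every key. Returns {address: [missing keys]}."""
    violations = {}
    for address, rc in resources.items():
        present = rc["change"]["after"].get(attr) or {}
        missing = [key for key in required if key not in present]
        if missing:
            violations[address] = missing
    return violations


def filter_attribute_not_in_list(resources, attr, allowed):
    """Resources whose scalar attribute is outside the allowed list. A missing
    or computed value is reported as "null", so adding "null" to `allowed`
    permits it, as the policies' comments describe. Returns {address: value}."""
    violations = {}
    for address, rc in resources.items():
        value = rc["change"]["after"].get(attr, "null")
        if value not in allowed:
            violations[address] = value
    return violations


def evaluate(plan):
    """Run the four checks; each value is that policy's main rule (True = pass)."""
    return {
        "aws/enforce-mandatory-tags": not filter_attribute_not_contains_list(
            find_resources(plan, "aws_instance"), "tags", MANDATORY_TAGS),
        "bonus_lab/azure-restrict-vm-size": not filter_attribute_not_in_list(
            find_resources(plan, "azurerm_virtual_machine"), "vm_size", ALLOWED_VM_SIZES),
        "bonus_lab/gcp-restrict-machine-type": not filter_attribute_not_in_list(
            find_resources(plan, "google_compute_instance"), "machine_type", ALLOWED_MACHINE_TYPES),
        "gcp/enforce-mandatory-labels": not filter_attribute_not_contains_list(
            find_resources(plan, "google_compute_instance"), "labels", MANDATORY_LABELS),
    }


if __name__ == "__main__":
    ec2 = find_resources(SAMPLE_PLAN, "aws_instance")
    for addr, missing in filter_attribute_not_contains_list(ec2, "tags", MANDATORY_TAGS).items():
        print("Tag Violation:", addr, "is missing mandatory tags", missing)
    for policy, passed in evaluate(SAMPLE_PLAN).items():
        print(policy, "->", "pass" if passed else "FAIL")
```

Note how `aws_instance.batch` fails: its `department` tag is present but in the wrong case, which is exactly the behaviour the AWS policy's header comment warns about. Running the same data through the checks with every policy at `hard-mandatory`, as the sentinel.hcl files configure, would block this plan.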