Run pre-written Sentinel policies
This topic describes how to run Sentinel policies created and maintained by HashiCorp. For instructions about how to create your own custom Sentinel policies, refer to Define custom Sentinel policies.
Overview
Pre-written Sentinel policy libraries streamline your compliance processes and enhance security across your infrastructure. HashiCorp's ready-to-use policies can help you enforce best practices and security standards across your AWS environment.
Refer to the following resources for details about working with pre-written policies and information about the Sentinel language and framework:
- Sentinel documentation.
- The
README.md
documentation included with each of the policy libraries.
Complete the following steps to implement pre-written Sentinel policies in your workspaces:
- Obtain the policies you want to implement. Download policies directly into your repository or create a fork of the HashiCorp repositories. Alternatively, you can add the Terraform module to your configuration, which acquires the policies and connects them to your workspaces in a single step.
- Connect policies to your workspace. After you download policies or fork policy repositories, you must connect them to your HCP Terraform or Terraform Enterprise workspaces.
Requirements
You must use one of the following Terraform applications:
- HCP Terraform
- Terraform Enterprise v202406-1 or newer
Permissions
To create new policy sets and policies, your HCP Terraform or Terraform Enterprise user account must either be a member of the owners team or have the Manage Policies organization-level permissions enabled. Refer to the following topics for additional information:
Version control system
You must have a GitHub account connected to HCP Terraform or Terraform Enterprise to manually connect policy sets to your workspaces. Refer to Connecting VCS Providers for instructions.
Obtain policies
You can use the policy libraries created and maintained by HashiCorp. The libraries are stored in the following GitHub repositories:
- policy-library-cis-aws-efs-terraform
- policy-library-cis-aws-rds-terraform
- policy-library-cis-aws-vpc-terraform
- policy-library-cis-aws-iam-terraform
- policy-library-cis-aws-s3-terraform
- policv-library-cis-aws-cloudtrail-terraform
- policy-library-cis-aws-kms-terraform
- policy-library-cis-aws-ec2-terraform
Use one of the following methods to obtain pre-written policies:
- Download policies from the registry: Use this method if you want to assemble custom policy sets without customizing policies.
- Fork the HashiCorp policy GitHub repository: Use this method if you intend to customize the policies.
- Add the Terraform module to your configuration: Use this method to implement specific versions of the policies as-is. This method also connects the policies to workspaces in the Terraform configuration file instead of connecting them as a separate step.
Download policies from the registry
Complete the following steps to download policies from the registry and apply them directly to your workspaces.
- Browse the policy libraries available in the Terraform registry.
- Click on a policy library and click Choose policies.
- Select the policies you want to implement. The registry generates code in the USAGE INSTRUCTIONS box.
- Click Copy Code Snippet to copy the code to your clipboard.
- Create a GitHub repository to store the policies and the policy set configuration file.
- Create a file called
sentinel.hcl
in the repository. - Paste the code from your clipboard into
sentinel.hcl
and commit your changes. - Complete the instructions for connecting the policies to your workspace.
Create a fork of the policy libraries
Create a fork of the repository containing the policies you want to implement. Refer to the GitHub documentation for instructions on how to create a fork.
HashiCorp Sentinel policy libraries include a sentinel.hcl
file. The file defines an example policy set using the policies included in the library. Modify the file to customize your policy set. Refer to Sentinel Policy Set VCS Repositories for additional information.
After forking the repository, complete the instructions for connecting the policies to your workspace.
Add the Terraform module to your configuration
This method enables you to connect the policies to workspaces in the Terraform configuration file. As a result, you can skip the instructions described in Connect policies to your workspaces.
Go to the module in the Terraform registry and copy the code generated in the Provision Instructions tile.
Add the
module
block to your Terraform configuration and define the following arguments:source
: Specify the path to the module you downloaded.tfe_organization
: Specify the name of your organization on Terraform Enterprise or HCP Terraform.policy_set_workspace_names
: Specify a list of workspace names that you want to apply the policies to.
The following example configuration applies invokes the module for
target_workspace_1
:module "cis_v1-2-0_policies" { source = "../prewritten-policy" name = "cis-1-2-0" tfe_organization = "<your-tfe-org>" policy_set_workspace_names = ["target_workspace_1"] }
Run
terraform plan
to view the plan.Run
terraform apply
to apply the changes. After running the command, Terraform will evaluate Sentinel policies for each following run of the workspaces you specified.
Connect policies to your workspace
Skip this step if you added the Terraform module to your configuration. When you use the module, the policy_set_workspace_names
argument instructs Terraform to connect the policies to the HCP Terraform workspaces specified in the configuration.
- Log into your organization and click Settings in the sidebar.
- Click Policy Sets and click Connect a new policy set.
- Click the Version control provider (VCS) tile.
- Enable the Sentinel option as the policy framework.
- Specify a name and description for the set.
- Configure any additional options for the policy set and click Next.
- Choose the GitHub connection type, then choose the repository you created in Set up a repository for the policies.
- If the
sentinel.hcl
policy set file is stored in a subfolder, specify the path to the file in the Policies path field. The default is the root directory. - If you want to apply updated policy sets to the workspace from a specific branch, specify the name in the VCS branch field. The default is the default branch configured for the repository.
- Click Next and specify any additional parameters you want to pass to the Sentinel runtime and click Connect policy set to finish applying the policies to the workspace.
Run a plan in the workspace to trigger the connected policies. Refer to Start a Terraform run for additional information.
Next steps
- Group your policies into sets and apply them to your workspaces. Refer to Create policy sets for additional information.
- View results and address Terraform runs that do not comply with your policies. Refer to View results for additional information.
- You can also view Sentinel policy results in JSON format. Refer to View Sentinel JSON results for additional information.