This is a demo of HashiCorp Terraform's Enterprise feature set, including:
- Sentinel Policy Enforcement
- VCS Integration
- Cloud Cost Controls
This demo can be run in Terraform Cloud (Team & Governance, Business editions) as well as Terraform Enterprise (self-hosted).
- A TFC/E account & organization. Sign up for a free trial of TFC here
- Cloud provider credentials to provision resources (only AWS supported at the moment)
- Terraform CLI installed locally
- Fork this repository to a GitHub Organizations account (free for 1 user/org).
- Set your TFC/E organization name in demo-terraform-sentinel/aws/backend.tf and commit your changes.
- Configure AWS credentials on a per-workspace basis (if using dynamic credentials), or create a Variable Set holding static credentials and apply it to the new workspace.
- Connect the policies to Terraform via Policy Sets:
  - To enforce all policies, point the policy set at the sentinel.hcl in the root CSP directory. Example: sentinel-policies/aws/sentinel.hcl
  - To enforce individual policies, point the policy set at the sentinel.hcl within the specific policy subdirectory. Example: sentinel-policies/aws/enforce-cost-contro/sentinel.hcl
By default, the following Sentinel policies are evaluated on every run:
- EC2 instance type must be t2.micro, t2.small, or t2.medium (hard-mandatory: a violation blocks the run)
- Estimated cost must be less than $10/month (soft-mandatory: a violation warns and can be overridden)
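The instance-type policy above, written against the tfplan/v2 import, as an added illustration (not the repository's own policy code; the policy file name and the `hard-mandatory` entry in sentinel.hcl are assumed):

```sentinel
# restrict-ec2-instance-type.sentinel (illustrative, not from the repo)
# Referenced from sentinel.hcl as:
#   policy "restrict-ec2-instance-type" {
#     source            = "./restrict-ec2-instance-type.sentinel"
#     enforcement_level = "hard-mandatory"
#   }
import "tfplan/v2" as tfplan

# Instance types the demo allows (matches the README's default policy).
allowed_types = ["t2.micro", "t2.small", "t2.medium"]

# Only managed aws_instance resources that are being created or updated
# matter; deletes and no-ops cannot introduce a disallowed type.
aws_instances = filter tfplan.resource_changes as _, rc {
	rc.type is "aws_instance" and
	rc.mode is "managed" and
	(rc.change.actions contains "create" or
	 rc.change.actions contains "update")
}

# A computed (unknown) instance_type is absent from `after`; treat it as
# a violation rather than silently passing, so the check fails closed.
violators = filter aws_instances as _, rc {
	(rc.change.after.instance_type else "<unknown>") not in allowed_types
}

# Surface the offending addresses in the policy check output.
for violators as address, rc {
	print("aws_instance", address, "has disallowed instance_type",
		rc.change.after.instance_type else "<unknown>")
}

main = rule {
	length(violators) is 0
}
```

Running the demo's unmodified configuration against this policy reports each offending instance address; switching the type to one of `allowed_types` makes `main` pass.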
To trigger a policy check failure, leave the configuration as-is and start the plan.

CLI-driven Run Method

Initialize the configuration:

```shell
terraform init
```

Create the execution plan:

```shell
terraform plan
```

or, supplying a variables file:

```shell
terraform plan -var-file=variables.tfvars
```

You should see a failure for both policies in the output. To pass, change the instance type to one of the allowed instance types and re-run the plan.
You'll still get a warning for the cost control policy, but because it is soft-mandatory the plan will be allowed to proceed.