HashiCorp has announced a number of improvements to Sentinel, their policy-as-code framework. The new features include an improved import configuration syntax, a new static import feature, support for named functions, and per-policy parameter values. There are also new helper functions to determine whether a value is undefined.
The 0.19 release introduced an improved import configuration syntax. This provides a standardized naming convention and a more consistent import configuration that makes use of HCL syntax. The import block also now allows for overriding the default configuration for the imports and plugins that are used within a policy. This new syntax is shown below:

    import "plugin" "time" {
      config = {
        timezone = "Australia/Brisbane"
      }
    }

    import "module" "reporter" {
      source = "./reporter.sentinel"
    }
Version 0.19 also introduced a new static import feature. This allows for importing static, structured JSON data into policies. The block takes two configuration attributes: source, representing the path to the data, and format, which only supports JSON at this time.

    import "static" "people" {
      source = "./data/people.json"
      format = "json"
    }

Once imported, the data can be used within the policy. Assuming the JSON has a key called names, the length of that object could be determined using length(people.names). HashiCorp has indicated that support for more data formats will be added in a later release.
Named functions were introduced in version 0.20. This feature allows for defining functions that cannot be reassigned or reused. Note that anonymous functions can still be reassigned, potentially causing the policy to fail if that function is called afterwards. The syntax for named functions looks like this:

    func sum(a, b) {
      return a + b
    }
Version 0.21 added two helper functions to determine whether a value is defined. In prior releases, policy authors had to use the else expression to recover from undefined values and provide an alternative value.

    foo = undefined

    // In versions prior to 0.21
    foo else false is false // false
    foo else true is true // true

    // In version 0.21+
    foo is defined // false
    foo is not defined // true
This release also included per-policy parameter values. These are supplied once per policy and take precedence over globally supplied values. Previously, parameter values were supplied once within a config and shared across all policies.

    policy "limit-s3" {
      source = "./deny-resource.sentinel"
      params = {
        resource_type = "aws_s3_bucket"
      }
    }
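As an added example (not code from the page or from HashiCorp), here is a minimal deny-resource.sentinel that the per-policy configuration above could point to, combining the per-policy parameter, a named function, and the 0.21 defined helper. The tfplan/v2 import and the shape of its resource_changes collection are assumed to be the Terraform Cloud plan import; the function names are hypothetical.

```sentinel
// deny-resource.sentinel: added example, not the page's own code.
// Assumption: tfplan/v2 is the Terraform Cloud plan import, whose
// resource_changes map carries .type, .mode and .change.actions.
import "tfplan/v2" as tfplan

// Per-policy parameter. The sentinel.hcl block above sets it to
// "aws_s3_bucket"; the default applies when no value is supplied.
param resource_type default "aws_s3_bucket"

// Named function (0.20+): cannot be reassigned elsewhere in the policy,
// so a later accidental redefinition fails at parse time rather than
// silently changing what main evaluates.
func planned_resources_of_type(type) {
  return filter tfplan.resource_changes as _, rc {
    rc.mode is "managed" and
    rc.type is type and
    (rc.change.actions contains "create" or
     rc.change.actions contains "update")
  }
}

// 0.21+ helper: the plan may omit the "after" state entirely for a
// destroy, so check definedness instead of chaining else expressions.
func has_after_state(rc) {
  return rc.change.after is defined
}

denied = planned_resources_of_type(resource_type)

// Rule passes only when no resource of the parameterised type is
// being created or updated with a planned "after" state.
main = rule {
  all denied as _, rc {
    not has_after_state(rc)
  }
}
```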
Recent versions of Terraform Cloud have also added support for Open Policy Agent (OPA) as an alternative policy-as-code framework. OPA is an open-source policy engine that makes use of a high-level declarative language called Rego.
Sentinel is available for download from the HashiCorp website. More details on these releases can be found on the HashiCorp blog or within the changelog.