Terraform > Include policy checks from terraform plan in MRs
Problem to solve
If a user has Sentinel policies enabled, Terraform Cloud checks whether the terraform plan
obeys the policies to determine whether it can be applied.
Intended users
Further details
This is currently available within Terraform Cloud
Proposal
Document how to use OPA with Terraform
Permissions and Security
Documentation
Availability & Testing
What does success look like, and how can we measure that?
What is the type of buyer?
Links / references
Designs
Relates to
- #205911 (Backlog)
Activity
- Taurie Davis added Category:Infrastructure as Code UX backend devopsconfigure [DEPRECATED] frontend terraform typefeature + 1 deleted label
- Taurie Davis marked this issue as related to #39402 (closed)
- Taurie Davis marked this issue as related to #205911
- Taurie Davis changed the description
- Taurie Davis mentioned in epic &1960
- Taurie Davis added to epic &1960
- Taurie Davis mentioned in issue #39402 (closed)
- 🤖 GitLab Bot 🤖 mentioned in issue #206837 (closed)
- 🤖 GitLab Bot 🤖 mentioned in issue #207773 (closed)
- Viktor Nagy (GitLab) changed milestone to %Backlog
- Viktor Nagy (GitLab) added workflowproblem validation label
- Viktor Nagy (GitLab) assigned to @nagyv-gitlab
- 🤖 GitLab Bot 🤖 added groupconfigure [DEPRECATED] label and removed 1 deleted label
@nagyv-gitlab At a high level, how will this be implemented? Via APIs to Terraform Cloud or Terraform Enterprise, or is this something net new we'll be building out in our product to provide the same existing capabilities in Terraform?
@mayanktahil This feature is in the backlog. We don't plan to add Sentinel support in any way yet. As a result, I don't have answers to your questions.
An interesting tool in this area is https://github.com/accurics/terrascan
- 🤖 GitLab Bot 🤖 added sectionops label
- Viktor Nagy (GitLab) unassigned @nagyv-gitlab
- 🤖 GitLab Bot 🤖 added [deprecated] Accepting merge requests label
I'm also very interested in this feature.
My suggestion would be to work with the "List Policy Checks" endpoint of the Terraform Cloud/Enterprise "Policy Checks API": https://www.terraform.io/docs/cloud/api/policy-checks.html#list-policy-checks
This produces a JSON output with all required information, such as:
- total passed and failed
- detailed failed information for different enforcement levels (hard-mandatory, soft-mandatory and advisory)
- details on each checked policy: name, result, trace/details, etc.
A graphical representation could be similar to the JUnit artifact report (policy checks and details) and/or the Terraform artifact report (show the numbers of hard- and soft-failed and mandatory checks).

```json
{ "data": [{ "id": "polchk-4mLtk2NXXXXXXXX", "type": "policy-checks", "attributes": { "result": { "result": true, "passed": 1, "total-failed": 0, "hard-failed": 0, "soft-failed": 0, "advisory-failed": 0, "duration-ms": 0, "sentinel": { "schema-version": 1, "data": { "terraform-test-sentinel-policies": { "can-override": false, "error": null, "policies": [{ "allowed-failure": false, "error": null, "policy": "terraform-test-sentinel-policies/require-modules-from-pmr", "result": true, "trace": { "description": "", "error": null, "print": "", "result": true, "rules": { "main": { "ident": "main", "root": { "children": null, "expression": "modules_in_pmr", "value": "true" }, "string": "Rule \"main\" (byte offset 499) = true\n" } } } }], "result": true } } } }, "status": "passed", "status-timestamps": { "passed-at": "2020-06-22T13:40:10+00:00", "queued-at": "2020-06-22T13:40:08+00:00" }, "permissions": { "can-override": false }, "actions": { "is-overridable": false }, "scope": "organization" }, "relationships": { "run": { "data": { "id": "run-PxYo4f5zXXXXXXXX", "type": "runs" } } }, "links": { "output": "/api/v2/policy-checks/polchk-4mLtk2NfGXXXXXXX/output" } }] }
```
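As an added illustration of the comment above (not code from this issue, GitLab or HashiCorp), the following script reduces a List Policy Checks response of the shape quoted above to a merge-request verdict, naming the failing policies and failing closed on policy-set errors; the response id and policy names are constructed placeholders:

```python
import json

# Constructed sample in the shape of the List Policy Checks response quoted above;
# the id and policy names are placeholders, not real Terraform Cloud values.
SAMPLE_RESPONSE = json.dumps({"data": [{
    "id": "polchk-EXAMPLE", "type": "policy-checks", "attributes": {
        "result": {"result": False, "passed": 1, "total-failed": 1, "hard-failed": 1,
                   "soft-failed": 0, "advisory-failed": 0,
                   "sentinel": {"schema-version": 1, "data": {"example-policy-set": {
                       "can-override": False, "error": None, "policies": [
                           {"allowed-failure": False, "error": None, "result": True,
                            "policy": "example-policy-set/require-modules-from-pmr"},
                           {"allowed-failure": False, "error": None, "result": False,
                            "policy": "example-policy-set/restrict-instance-type"}]}}}},
        "status": "hard_failed", "permissions": {"can-override": False}}}]})


def summarize_policy_checks(response_json: str) -> dict:
    """Reduce a List Policy Checks response to an MR verdict plus details.

    Hard-mandatory failure blocks; soft-mandatory needs an override; advisory
    only warns. A policy-set error counts as a hard failure (fail closed).
    """
    summary = {"hard_failed": 0, "soft_failed": 0, "advisory_failed": 0,
               "failing_policies": [], "overridable": True, "verdict": "pass"}
    for check in json.loads(response_json).get("data", []):
        attrs = check.get("attributes", {})
        result = attrs.get("result", {})
        for key in ("hard_failed", "soft_failed", "advisory_failed"):
            summary[key] += int(result.get(key.replace("_", "-"), 0))
        summary["overridable"] &= bool(attrs.get("permissions", {}).get("can-override"))
        # Walk the Sentinel data so the MR can name the policies that failed
        for pset in result.get("sentinel", {}).get("data", {}).values():
            if pset.get("error"):
                summary["hard_failed"] += 1
                summary["failing_policies"].append(f"policy-set error: {pset['error']}")
            for policy in pset.get("policies", []):
                if not policy.get("result", False):
                    summary["failing_policies"].append(policy.get("policy", "<unnamed>"))
    if summary["hard_failed"]:
        summary["verdict"] = "blocked"
    elif summary["soft_failed"]:
        summary["verdict"] = "override-required"
    elif summary["advisory_failed"]:
        summary["verdict"] = "advisory"
    return summary


if __name__ == "__main__":
    print(json.dumps(summarize_policy_checks(SAMPLE_RESPONSE), indent=2))
```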
- Viktor Nagy (GitLab) added environmentsparked workflowvalidation backlog labels and removed workflowproblem validation label