Implementing Policy as Code with Sentinel and Terraform

Objective

The goal of this task is to enforce cloud governance by implementing Policy as Code (PaC) using HashiCorp Sentinel. Sentinel policies will be used to:

Architecture Overview

  1. Terraform Cloud/Enterprise is used to provision infrastructure.
  2. Sentinel policies are applied to restrict non-compliant deployments.
  3. CI/CD Pipeline (Jenkins/GitHub Actions) triggers Terraform runs with Sentinel enforcement.
  4. AWS Cloud Infrastructure is managed via Terraform.

Technology Stack

Project Steps

Step 1: Setup Terraform Cloud/Enterprise

Step 2: Define AWS Infrastructure using Terraform

Create a main.tf file to define cloud infrastructure (e.g., EC2, S3, RDS).

Example Terraform Configuration (main.tf):

provider "aws" {
  region = "us-east-1"
}

resource "aws_instance" "web" {
  ami           = "ami-0abcdef1234567890"
  instance_type = "t2.micro"
  
  tags = {
    Name = "WebServer"
    Environment = "Production"
  }
}

Step 3: Write Sentinel Policies

Define policies in the .sentinel format.

Policy 1: Restrict AWS Regions (restrict-region.sentinel)

import "tfconfig"
allowed_regions = ["us-east-1", "us-west-2"]
# The region is set on the aws provider block, not on aws_instance (which has
# no region attribute), so the rule reads the provider configuration: the
# default provider is alias "" and any aliased providers are checked as well.
main = rule {
  all (tfconfig.providers.aws.alias else {}) as _, provider {
    provider.config.region in allowed_regions
  }
}

Purpose: Ensures that EC2 instances are launched only in approved AWS regions.

Policy 2: Enforce Cost Constraints (cost-limits.sentinel)

import "tfplan"
allowed_instance_types = ["t2.micro", "t3.micro"]
main = rule {
  all tfplan.resources.aws_instance as _, instances {
    all instances as instance {
      instance.applied.instance_type in allowed_instance_types
    }
  }
}

Purpose: Ensures only cost-effective instance types are used.

Policy 3: Mandatory Tags for Resource Tracking (require-tags.sentinel)

import "tfplan"
required_tags = ["Environment", "Owner"]
main = rule {
  all tfplan.resources.aws_instance as _, instances {
    all instances as instance {
      all required_tags as tag {
        # "else {}" makes an instance with no tags block fail the rule
        # cleanly instead of evaluating to undefined
        tag in (instance.applied.tags else {})
      }
    }
  }
}

Purpose: Ensures every EC2 instance (the only resource type this policy inspects) has Environment and Owner tags for cost tracking.

Step 4: Integrate Sentinel Policies with Terraform Cloud

  1. Navigate to Terraform Cloud > Policy Sets.
  2. Upload the .sentinel policies.
  3. Apply policies to the Terraform workspace.

Step 5: Automate Policy Enforcement in CI/CD Pipeline

Create a Jenkinsfile or GitHub Actions workflow to run Terraform with Sentinel checks.

Example: Jenkinsfile

pipeline {
    agent any
    stages {
        stage('Checkout') {
            steps {
                git 'https://github.com/user/repo.git'
            }
        }
        stage('Terraform Init') {
            steps {
                sh 'terraform init'
            }
        }
        stage('Terraform Plan with Sentinel') {
            steps {
                sh 'terraform plan -out=tfplan'
                sh 'terraform show -json tfplan > tfplan.json'
                script {
                    // The standalone Sentinel CLI takes only the policy file as its argument and
                    // reads import data (tfplan) from the mocks declared in sentinel.hcl in the
                    // working directory (assumed to be committed); it does not accept tfplan.json
                    // as a positional argument. Enforcement against the live plan happens in
                    // Terraform Cloud (Step 4); this stage catches policy errors early.
                    def failed = []
                    for (String policy : ['restrict-region.sentinel', 'cost-limits.sentinel', 'require-tags.sentinel']) {
                        if (sh(script: "sentinel apply ${policy}", returnStatus: true) != 0) {
                            failed << policy
                        }
                    }
                    // Record the result so the apply stage can be gated on it.
                    env.SENTINEL_CHECK = failed.isEmpty() ? 'pass' : 'fail'
                    if (!failed.isEmpty()) {
                        echo "Sentinel policy failures: ${failed}"
                    }
                }
            }
        }
        stage('Terraform Apply') {
            when {
                expression {
                    return env.SENTINEL_CHECK == 'pass'
                }
            }
            steps {
                // Apply the saved plan that was checked, not a fresh plan that could differ.
                sh 'terraform apply tfplan'
            }
        }
    }
}
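The three Sentinel policies above are evaluated by Terraform Cloud, where the tfplan import is populated from the real plan. As an added example (not part of the original project), the following Python script applies the same three rules to the tfplan.json that the pipeline writes in this step, so a build can fail fast before the run reaches Terraform Cloud; it assumes the `terraform show -json` plan layout (planned_values and configuration.provider_config), also walks child modules, and checks a constructed sample plan when no file is given.

```python
import json, sys

# Same governance rules as the three Sentinel policies above.
ALLOWED_REGIONS = {"us-east-1", "us-west-2"}
ALLOWED_INSTANCE_TYPES = {"t2.micro", "t3.micro"}
REQUIRED_TAGS = {"Environment", "Owner"}

def _walk_resources(module):
    """Yield every resource in a planned_values module tree (root plus child modules)."""
    for res in module.get("resources", []):
        yield res
    for child in module.get("child_modules", []):
        yield from _walk_resources(child)

def check_plan(plan):
    """Return (policy, address, detail) violations for a `terraform show -json` plan dict."""
    violations = []
    # Region is a provider attribute, not an aws_instance attribute: read the provider block.
    aws = plan.get("configuration", {}).get("provider_config", {}).get("aws", {})
    region = aws.get("expressions", {}).get("region", {}).get("constant_value")
    if region not in ALLOWED_REGIONS:
        violations.append(("restrict-region", "provider.aws", f"region {region!r} not allowed"))
    for res in _walk_resources(plan.get("planned_values", {}).get("root_module", {})):
        if res.get("type") != "aws_instance":
            continue
        values = res.get("values", {})
        itype = values.get("instance_type")
        if itype not in ALLOWED_INSTANCE_TYPES:
            violations.append(("cost-limits", res["address"], f"instance_type {itype!r} not allowed"))
        tags = values.get("tags") or {}  # tags may be absent or null; treat as no tags
        missing = sorted(REQUIRED_TAGS - set(tags))
        if missing:
            violations.append(("require-tags", res["address"], f"missing tags {missing}"))
    return violations

# Constructed sample plan: mirrors main.tf above (no Owner tag) plus a non-compliant instance.
SAMPLE_PLAN = {
    "configuration": {"provider_config": {"aws": {"expressions": {"region": {"constant_value": "us-east-1"}}}}},
    "planned_values": {"root_module": {"resources": [
        {"address": "aws_instance.web", "type": "aws_instance",
         "values": {"instance_type": "t2.micro", "tags": {"Name": "WebServer", "Environment": "Production"}}},
        {"address": "aws_instance.db", "type": "aws_instance",
         "values": {"instance_type": "m5.large", "tags": None}},
    ]}},
}

if __name__ == "__main__":
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    found = check_plan(plan)
    for policy, address, detail in found:
        print(f"FAIL {policy}: {address}: {detail}")
    sys.exit(1 if found else 0)  # non-zero exit lets a CI stage gate on the result
```

Run as `python check_plan.py tfplan.json` right after the `terraform show -json` step; the exit code can replace or supplement the SENTINEL_CHECK gate.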

Step 6: Testing and Validation

Expected Outcome

This project provides a real-world, end-to-end implementation of Policy as Code (PaC) using HashiCorp Sentinel, Terraform, and CI/CD automation. 🚀