Run pre-written Sentinel policies

This topic describes how to run Sentinel policies created and maintained by HashiCorp. For instructions about how to create your own custom Sentinel policies, refer to Define custom Sentinel policies.

Overview

Pre-written Sentinel policy libraries streamline your compliance processes and enhance security across your infrastructure. HashiCorp's ready-to-use policies can help you enforce best practices and security standards across your AWS environment.

Complete the following steps to implement pre-written Sentinel policies in your workspaces:

Obtain the policies you want to implement. Download policies directly into your repository or create a fork of the HashiCorp repositories. Alternatively, you can add the Terraform module to your configuration, which acquires the policies and connects them to your workspaces in a single step.
Connect policies to your workspace. After you download policies or fork policy repositories, you must connect them to your HCP Terraform or Terraform Enterprise workspaces.

Refer to the Sentinel documentation for information about the Sentinel language.

Requirements

You must use one of the following Terraform applications:

HCP Terraform
Terraform Enterprise v202406-1 or newer

Permissions

To create new policy sets and policies, your HCP Terraform or Terraform Enterprise user account must either be a member of the owners team or have the Manage Policies organization-level permissions enabled. Refer to the following topics for additional information:

Version control system

You must have a GitHub account connected to HCP Terraform or Terraform Enterprise to manually connect policy sets to your workspaces. Refer to Connecting VCS Providers for instructions.

Get policies

Refer to the pre-written policy library reference for a complete list of available policy sets. You can also browse the registry to discover additional policy libraries.

Use one of the following methods to get pre-written policies:

Download policies from the registry: Use this method if you want to assemble custom policy sets without customizing policies.
Fork the HashiCorp policy GitHub repository: Use this method if you intend to customize the policies.
Add the Terraform module to your configuration: Use this method to implement specific versions of the policies as-is. This method also connects the policies to workspaces in the Terraform configuration file instead of connecting them as a separate step.

Complete the following steps to download policies from the registry and apply them directly to your workspaces.

Browse the policy libraries available in the Terraform registry.
Click on a policy library and click Choose policies.
Select the policies you want to implement. The registry generates code in the USAGE INSTRUCTIONS box.
Click Copy Code Snippet to copy the code to your clipboard.
Create a GitHub repository to store the policies and the policy set configuration file.
Create a file called sentinel.hcl in the repository.
Paste the code from your clipboard into sentinel.hcl and commit your changes.
Complete the instructions for connecting the policies to your workspace.

Create a fork of the repository containing the policies you want to implement. Refer to the GitHub documentation for instructions on how to create a fork.

The following repositories are available:

policy-library-CIS-Policy-Set-for-AWS-Terraform

HashiCorp Sentinel policy libraries include a sentinel.hcl file. The file defines an example policy set using the policies included in the library. Modify the file to customize your policy set. Refer to Sentinel Policy Set VCS Repositories for additional information.

After forking the repository, complete the instructions for connecting the policies to your workspace.

This method enables you to connect the policies to workspaces in the Terraform configuration file. As a result, you can skip the instructions described in Connect policies to your workspaces.

Go to the module in the Terraform registry and copy the code generated in the Provision Instructions tile.
Add the module block to your Terraform configuration and define the following arguments:
- source: Specify the path to the module you downloaded.
- tfe_organization: Specify the name of your organization on Terraform Enterprise or HCP Terraform.
- policy_set_workspace_names: Specify a list of workspace names that you want to apply the policies to.
The following example configuration applies invokes the module for target_workspace_1:
```
module "cis_v1-2-0_policies" {
   source = "../prewritten-policy"
   name                             = "cis-1-2-0"
   tfe_organization                 = "<your-tfe-org>"
   policy_set_workspace_names       = ["target_workspace_1"]
}
```
Run terraform plan to view the plan.
Run terraform apply to apply the changes. After running the command, Terraform will evaluate Sentinel policies for each following run of the workspaces you specified.

Connect policies to your workspace

Skip this step if you added the Terraform module to your configuration. When you use the module, the policy_set_workspace_names argument instructs Terraform to connect the policies to the HCP Terraform workspaces specified in the configuration.

Log into your organization and click Settings in the sidebar.
Click Policy Sets and click Connect a new policy set.
Click the Version control provider (VCS) tile.
Enable the Sentinel option as the policy framework.
Specify a name and description for the set.
Configure any additional options for the policy set and click Next.
Choose the GitHub connection type, then choose the repository you created in Set up a repository for the policies.
If the sentinel.hcl policy set file is stored in a subfolder, specify the path to the file in the Policies path field. The default is the root directory.
If you want to apply updated policy sets to the workspace from a specific branch, specify the name in the VCS branch field. The default is the default branch configured for the repository.
Click Next and specify any additional parameters you want to pass to the Sentinel runtime and click Connect policy set to finish applying the policies to the workspace.

Run a plan in the workspace to trigger the connected policies. Refer to Start a Terraform run for additional information.

Next steps

Group your policies into sets and apply them to your workspaces. Refer to Create policy sets for additional information.
View results and address Terraform runs that do not comply with your policies. Refer to View results for additional information.
You can also view Sentinel policy results in JSON format. Refer to View Sentinel JSON results for additional information.