Engineers configuring security groups and firewalls tend to focus on inbound (ingress) rules that restrict the networks from which requests to their applications can originate. A long-standing best practice is to reject the 0.0.0.0/0 CIDR (and equivalents such as ::/0 for IPv6) in inbound rules, since it allows access from any IP address.

However, the recent 2020 United States federal government data breach reminded me that it is also important to restrict outbound access. After all, the code originally loaded by supply chain attacks against SolarWinds and Microsoft software could not have sent any information to the Russian intelligence agencies…
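The check the post argues for, as an added example that is not part of the original post: a short Python script that reads the JSON of a Terraform plan (`terraform show -json <planfile>`) and reports every aws_security_group ingress or egress rule that is open to any address. The plan document below is constructed for illustration; the resource layout follows the Terraform plan JSON format, and the `ipaddress` normalisation catches spellings other than the literal `0.0.0.0/0`, such as `::/0`, `0:0:0:0:0:0:0:0/0` or `1.2.3.4/0`.

```python
"""Flag security group rules in a Terraform plan that allow any address.

Walks the aws_security_group resources in `terraform show -json` output and
checks both ingress and egress rules, so an allow-all egress rule is reported
just like an allow-all ingress rule.
"""
import ipaddress
import json


def allows_any_address(cidr: str) -> bool:
    """True if the CIDR covers every IPv4 or every IPv6 address.

    A text comparison against "0.0.0.0/0" misses aliases, so the prefix is
    parsed and its length checked instead. strict=False lets "1.2.3.4/0"
    normalise to 0.0.0.0/0 rather than raising.
    """
    try:
        net = ipaddress.ip_network(cidr, strict=False)
    except ValueError:
        return False  # not a CIDR at all; leave it to other checks
    return net.prefixlen == 0


def open_rules(plan_json: str, check_ingress: bool = True,
               check_egress: bool = True) -> list:
    """Return (resource_address, direction, cidr) for rules open to any address.

    Only groups being created or updated are examined; a deleted group
    cannot leak anything.
    """
    plan = json.loads(plan_json)
    findings = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "aws_security_group" or rc.get("mode") != "managed":
            continue
        change = rc.get("change", {})
        if not set(change.get("actions", [])) & {"create", "update"}:
            continue
        after = change.get("after") or {}
        directions = (["ingress"] if check_ingress else []) + \
                     (["egress"] if check_egress else [])
        for direction in directions:
            for rule in after.get(direction) or []:
                cidrs = (rule.get("cidr_blocks") or []) + \
                        (rule.get("ipv6_cidr_blocks") or [])
                for cidr in cidrs:
                    if allows_any_address(cidr):
                        findings.append((rc["address"], direction, cidr))
    return findings


# Constructed, abbreviated stand-in for `terraform show -json` output.
SAMPLE_PLAN = json.dumps({
    "resource_changes": [
        {   # ingress is tightly scoped, but egress is the usual allow-all rule
            "address": "aws_security_group.web", "mode": "managed",
            "type": "aws_security_group",
            "change": {"actions": ["create"], "after": {
                "ingress": [{"from_port": 443, "to_port": 443, "protocol": "tcp",
                             "cidr_blocks": ["10.0.0.0/8"]}],
                "egress": [{"from_port": 0, "to_port": 0, "protocol": "-1",
                            "cidr_blocks": ["0.0.0.0/0"],
                            "ipv6_cidr_blocks": ["::/0"]}]}},
        },
        {   # both directions restricted to internal subnets: no finding
            "address": "aws_security_group.db", "mode": "managed",
            "type": "aws_security_group",
            "change": {"actions": ["create"], "after": {
                "ingress": [{"from_port": 5432, "to_port": 5432, "protocol": "tcp",
                             "cidr_blocks": ["10.0.1.0/24"]}],
                "egress": [{"from_port": 443, "to_port": 443, "protocol": "tcp",
                            "cidr_blocks": ["10.0.2.0/24"]}]}},
        },
        {   # being destroyed: skipped
            "address": "aws_security_group.old", "mode": "managed",
            "type": "aws_security_group",
            "change": {"actions": ["delete"], "after": None},
        },
    ],
})

if __name__ == "__main__":
    for address, direction, cidr in open_rules(SAMPLE_PLAN):
        print(f"{address}: {direction} rule allows any address ({cidr})")
```

Run against the sample plan, the script reports only the two egress entries of aws_security_group.web; the same logic can be wired into a CI step that fails the run, which is the gap an ingress-only review leaves open.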


This article was originally published on the HashiCorp Blog.

Introduction

HashiCorp Vault Enterprise 1.5 added support for the Sentinel HTTP import, which lets Sentinel policies retrieve data from external API endpoints. This makes it possible for Vault Sentinel policies to apply governance controls that were not previously possible with Vault's traditional Access Control List (ACL) policies or with the Sentinel policies of earlier Vault versions, and it makes Sentinel in Vault 1.5 considerably more powerful than before.

In this blog post, I’ll describe a Vault Sentinel policy that requires all subgroups and member entities of a new Vault Group


Introduction

Terraform 0.13 adds several new features, including improved usability of modules, automated installation of third-party providers, and custom validation of variable values.

Improved usability of modules is delivered in two ways:

  1. Users can now create multiple instances of a single module block with the for_each and count meta-arguments, just as they already could for resources in Terraform 0.12.
  2. Users can now declare that a module depends on one or more external resources, or even on other modules, with the depends_on meta-argument, just as they already could for resources in Terraform 0.12.

This blog post discusses an example…


One of the most important features of Terraform Cloud (TFC) and its self-hosted implementation, Terraform Enterprise (TFE), is Sentinel, which lets you implement governance policies as code. Sentinel policies are checked between the plan and apply stages of runs in TFC and TFE.

How Sentinel fits into Terraform Cloud runs

HashiCorp recently released two new Sentinel features that improve the reusability of Sentinel functions and dramatically reduce the length and complexity of Sentinel policies written for Terraform Cloud and Terraform Enterprise.

In this blog post, I’ll discuss these new features and walk through some new third-generation example policies and functions that use them.

I…


HashiCorp Nomad is an easy-to-use and flexible workload orchestrator that enables organizations to automate the deployment of any applications on any infrastructure at any scale across multiple clouds. While Kubernetes gets a lot of attention, Nomad is an attractive alternative that is easy to use, more flexible, and natively integrated with HashiCorp Vault and Consul. In addition to running Docker containers, Nomad can also run non-containerized, legacy applications on both Linux and Windows servers.

A Single Workflow Across Multiple Clouds

Introduction

Like all of HashiCorp’s solutions, Nomad has both open source and enterprise versions. …


Introduction

HashiCorp recently added two important new features, an HTTP import and parameters, to the 0.13.0 release of its policy-as-code solution, Sentinel. In this blog post, we discuss some example Sentinel policies that use these new features in Terraform Cloud.

The HTTP import allows Sentinel policies to retrieve data from external API endpoints that return JSON documents.

Parameters were primarily added so that policy authors can supply API credentials securely from outside the policies themselves, since policies are often stored in VCS repositories where an embedded credential would be exposed. However, parameters can also be used for other purposes, making Sentinel policies more flexible.

At the same…



Introduction

One of the most important features of Terraform Cloud (TFC) and its self-hosted implementation, Terraform Enterprise (TFE), is Sentinel, which lets you implement governance policies as code. In this blog post, we discuss how you can share Sentinel policy sets stored in a Version Control System (VCS) repository across multiple TFC organizations. Storing policy sets and their policies in a repository avoids the need to maintain multiple copies of the policies. Additionally, changes made to them in the main branch of the repository are automatically picked up by all TFC organizations that use them.

We also discuss how…


I wanted to announce the publication of a new Sentinel Validation Policies guide within HashiCorp’s vault-guides repository. The new guide illustrates how Sentinel policies can be used to validate that values written to Vault Enterprise secrets adhere to various formats or that they have allowed metadata values.

Using Sentinel policies in this fashion adds an extra dimension to the control that Vault’s ACL policies already give Vault administrators. …


I wanted to announce the second edition of my Writing and Testing Sentinel Policies for Terraform guide that was originally published in March 2019. This comprehensive guide teaches you how to write and test governance policies that restrict the infrastructure provisioned by Terraform.

I’ve completely rewritten the guide for two reasons:

  1. I wanted to incorporate new second-generation Sentinel policies that report every violation that occurs and give the full address of each resource that violates a policy. This makes it easier for a user whose run caused violations to fix the offending Terraform code.
  2. I also wanted to incorporate the…


Introduction

I’m excited to announce the publication of my Writing and Testing Sentinel Policies for Terraform Enterprise Guide to HashiCorp’s Resource Library. This comprehensive guide teaches you how to write and test governance policies that restrict the infrastructure provisioned by Terraform Enterprise. The guide includes many examples (for AWS, Google, and Azure) and five exercises that are carefully matched to the sections of the guide that precede them. I’ve shared most of what I’ve learned about writing and testing Sentinel policies during the past year and a half while working as a solutions engineer at HashiCorp.

Sentinel

HashiCorp’s Sentinel is a language…

Roger Berlind

Roger is a Sr. Solutions Engineer at HashiCorp with over 20 years of experience explaining complex technologies like cloud, containers, and APM to customers.
