Engineers configuring security groups and firewalls tend to focus on inbound/ingress rules to restrict the networks from which requests to their applications can originate. A common best practice has long been to prevent the use of the 0.0.0.0/0 CIDR — and aliases for it — that would allow inbound access from any IP.
However, the recent 2020 United States federal government data breach reminded me that it is also important to restrict outbound access. After all, the code originally loaded by supply chain attacks against SolarWinds and Microsoft software could not have sent any information to the Russian intelligence agencies…
This article was originally published on the HashiCorp Blog.
HashiCorp Vault Enterprise 1.5 added support for the Sentinel HTTP Import, which allows Sentinel policies to retrieve data from external API endpoints. This makes it possible for Vault Sentinel policies to apply sophisticated governance controls that were not previously possible with Vault’s traditional Access Control List (ACL) policies or with Vault’s Sentinel policies. And that makes Sentinel in Vault 1.5 much more powerful than it was in earlier versions.
In this blog post, I’ll describe a Vault Sentinel policy that requires all subgroups and member entities of a new Vault Group…
Terraform 0.13 adds a number of new features including improved usability of modules, automated installation of third-party providers, and custom validation of variable values.
Improved usability of modules is delivered in two ways:
count meta-arguments just as they can currently do for resources in Terraform 0.12.
depends_on meta-argument just as they can currently do for resources in Terraform 0.12.
This blog post discusses an example…
One of the most important features of Terraform Cloud (TFC) and Terraform Enterprise (TFE) (the self-hosted implementation of Terraform Cloud) is Sentinel, which lets you implement governance policies as code. Sentinel policies are checked between the plan and apply stages of runs in TFC and TFE.
HashiCorp recently released two new Sentinel features that improve the reusability of Sentinel functions and dramatically reduce the length and complexity of Sentinel policies written for Terraform Cloud and Terraform Enterprise.
In this blog post, I’ll discuss these new features and walk through some new third-generation example policies and functions that use them.
HashiCorp Nomad is an easy-to-use and flexible workload orchestrator that enables organizations to automate the deployment of any applications on any infrastructure at any scale across multiple clouds. While Kubernetes gets a lot of attention, Nomad is an attractive alternative that is easy to use, more flexible, and natively integrated with HashiCorp Vault and Consul. In addition to running Docker containers, Nomad can also run non-containerized, legacy applications on both Linux and Windows servers.
Like all of HashiCorp’s solutions, Nomad has both open source and enterprise versions. …
HashiCorp recently added two important new features, a new HTTP import and Parameters, to the 0.13.0 release of its policy-as-code solution, Sentinel. In this blog post, we discuss some example Sentinel policies that use these new features in Terraform Cloud.
The HTTP import allows Sentinel policies to retrieve data from external API endpoints that return JSON documents.
Parameters were primarily added to enable policy authors to define API credentials securely outside of the policies themselves since these are often stored in VCS repositories. However, parameters can also be used for other purposes, making Sentinel policies more flexible.
One of the most important features of Terraform Cloud (TFC) and Terraform Enterprise (TFE) (the self-hosted implementation of Terraform Cloud) is Sentinel, which lets you implement governance policies as code. In this blog post, we discuss how you can share Sentinel Policy Sets stored in a Version Control System (VCS) repository across multiple TFC Organizations. Storing policy sets and their policies in a repository avoids the need to maintain multiple copies of the policies. Additionally, changes made to them in the main branch of the repository are automatically updated across all TFC organizations that use them.
I wanted to announce the publication of a new Sentinel Validation Policies guide within HashiCorp’s vault-guides repository. The new guide illustrates how Sentinel policies can be used to validate that values written to Vault Enterprise secrets adhere to various formats or that they have allowed metadata values.
Using Sentinel policies in this fashion adds an extra dimension to the control that Vault’s ACL policies already give Vault administrators. …
I wanted to announce the second edition of my Writing and Testing Sentinel Policies for Terraform guide that was originally published in March 2019. This comprehensive guide teaches you how to write and test governance policies that restrict the infrastructure provisioned by Terraform.
I’ve completely rewritten the guide for two reasons:
I’m excited to announce the publication of my Writing and Testing Sentinel Policies for Terraform Enterprise Guide to HashiCorp’s Resource Library. This comprehensive guide teaches you how to write and test governance policies that restrict the infrastructure provisioned by Terraform Enterprise. The guide includes many examples (for AWS, Google, and Azure) and five exercises that are carefully matched to the sections of the guide that precede them. I’ve shared most of what I’ve learned about writing and testing Sentinel policies during the past year and a half while working as a solutions engineer at HashiCorp.
HashiCorp’s Sentinel is a language…
Roger is a Sr. Solutions Engineer at HashiCorp with over 20 years of experience explaining complex technologies like cloud, containers, and APM to customers.