This repository contains a library of policies that can be used within Terraform Cloud to enforce cost controls with Infracost. To learn more about the Sentinel language and framework, please review the Sentinel documentation.
- Prerequisites
- Documentation
- Setup & Integration
- Version Control System (VCS)
- Setup & Integration
- Useful Resources
- Contribution Guide
Before you start adopting policies within this library, it is recommended that you complete the following:
-
Install the Sentinel CLI.
-
Visit https://app.terraform.io/signup/account and follow the prompts to create a free Terraform Cloud account.
-
Have access to a supported version control system (VCS) provider.
-
Sign up for an Infracost Cloud organization by following the Get Started guide.
-
Retrieve your API key from your Infracost Cloud Org Settings.
Note: You will need this API key when you define your policy set parameters in a later step.
The file and directory structure within this repository follow an opinionated standard that makes it easy to test and publish policies to the Terraform Registry. You can learn more about the structure by reviewing the Sentinel testing documentation, as well as the Publishing Policy Library documentation.
.
├── Makefile
├── README.md
├── docs
│ ├── modules
│ │ └── infracost.md
│ └── policies
│ └── manage_project_costs.md
├── images
├── imports
│ ├── modules
│ │ └── infracost.sentinel
│ └── static
│ └── response.json
├── policies
│ └── manage_project_costs
│ ├── manage_project_costs.sentinel
│ ├── test
│ │ └── manage_project_costs
│ │ ├── fail.hcl
│ │ └── pass.hcl
│ └── testdata
│ ├── fail.sentinel
│ ├── infracost-fail.sentinel
│ ├── infracost-pass.sentinel
│ └── pass.sentinel
└── sentinel.hclBefore you can use any of the policies within this library, you need to configure Terraform Cloud. The following sections detail the high-level steps required to deploy a policy from this library. The Enforce Policy with Sentinel learning track covers the end-to-end process in greater detail. If this is your first time setting up a Sentinel policy, we encourage you to familiarize yourself with this track prior to proceeding further.
Terraform Cloud provides first-class support for VCS integration. This allows VCS repositories to contain all of the policies and configuration needed to manage Sentinel policies at scale. Integrating with VCS is as simple as:
- Connect a VCS Provider to Terraform Cloud.
- Create a repository in your VCS provider that will be used as the source of your Policy Set configuration.
- Clone the source repository to a local directory.
Once VCS is integrated with Terraform Cloud, configure your Terraform Policy Set as follows:
-
Add the
manage_project_costspolicy from the library that should be enforced on a Terraform Workspace. -
Review the policy documentation and copy the configuration snippet for the policy of your choice.
-
Create a
sentinel.hclconfiguration file within the local directory for your repository. -
Edit the contents of the
sentinel.hclby pasting the configuration snippet into the body of the configuration file.import "module" "infracost" { source = "./imports/modules/infracost.sentinel" } policy "manage_project_costs" { source = "./policies/manage_project_costs/manage_project_costs.sentinel" enforcement_level = "hard-mandatory" }
-
Commit your changes to your local repository content and then use the
git pushcommand to upload the changes to your remote repository.
Once the Policy Set is configured, it's time to enforce this configuration on a Terraform Cloud workspace. To add a policy set in the Terraform Cloud UI:
-
Go to Policy Sets in your organization’s settings.
-
Click Connect a new policy set.
-
Create version control policies, choose a version control provider and then select the repository with your policy set.
-
Configure the policy set settings:
-
Policy Framework: Select Sentinel as the policy framework for the policies you want to add.
-
Name: Add a name containing letters, numbers,
-, and_. -
Description: Describe the policy set’s purpose.
-
Scope of policies: Choose whether Terraform Cloud should automatically enforce the policy set on all workspaces, or only on a specific subset.
-
Workspaces: A Workspaces section appears on the bottom of the form when you scope the policy set to selected workspaces. Select workspaces where Terraform Cloud should apply the policy set.
-
VCS Branch: Specify the branch within your VCS repository where Terraform Cloud should import new versions of policies. If you do not set this field, Terraform Cloud uses the default branch of the VCS repository you selected.
-
Policies Path: Specify the sub-directory in your VCS repository containing the policy set files. This action lets you maintain multiple policy sets within a single repository. Set this field to the directory path that contains the
sentinel.hclconfiguration file for the policy set. -
Sentinel Parameters: Add a new Sensitive parameter called x_api_key that contains the Infracost organization API key that was created in the prerequisites
-
When you add policy sets to a workspace, Terraform Cloud enforces those policy sets on every Terraform run. Terraform Cloud displays the results of policy checks in the UI for each run.
- Getting Started with Terraform Cloud
- Configuring Version Control Access
- Infracost Getting Started
- Infracost Plan JSON API
- Configuring Sentinel Policies
- Sentinel Overview
- Example Policies
- Sentinel Documentation
- Sentinel Language
- Sentinel Language Specification
This policy library is by no means exhaustive. If you have questions, comments, or have identified ways for us to improve, please create a new GitHub issue.
Alternatively, we welcome any contributions that improve the quality of this library! To learn more about contributing and suggesting changes to this library, refer to the contributing guide.