modified and working version of import script

raygj · raygj · commit a0b7718dfd7e · 2019-07-20T22:01:44.000-04:00
finalized import script, added CLI argument for policy set ID
updated README files for consistency
diff --git a/operations/automation-script/README.md b/operations/automation-script/README.md
@@ -75,7 +75,7 @@ Follow these instructions to run the script with with the included main.tf and v
 1. Generate a [team token](https://www.terraform.io/docs/enterprise/users-teams-organizations/service-accounts.html#team-service-accounts) for the owners team in your organization in the Terraform Enterprise UI by selecting your organization settings, then Teams, then owners, and then clicking the Generate button and saving the token that is displayed.
 1. `export TFE_TOKEN=<owners_token>` where \<owners_token\> is the token generated in the previous step.
 1. `export TFE_ORG=<your_organization>` where \<your_organization\> is the name of your target TFE organization.
-1. `export TFE_ADDR=<your_custom_address>` where \<your_custom_address\> is the address of your target TFE server in the format server.domain.tld. If you do not set this environment variable it will default to the Terraform Enterprise Cloud/SaaS address of app.terraform.io.
+1. `export TFE_ADDR=<your_address>` where \<your_address\> is the custom address of your target TFE server in the format server.domain.tld. If you do not set this environment variable it will default to the Terraform Enterprise Cloud/SaaS address of app.terraform.io.
 1. If you want, edit _loadAndRunWorkspace.sh_ to change the name of the workspace that will be created by editing the workspace variable. *Note* that you can also pass the workspace as the second argument to the script.
 1. If you want, you can change the sleep_duration variable which controls how often the script checks the status of the triggered run (in seconds). Setting a longer value would make sense if using Terraform code that takes longer to apply.
 1. If you are providing a URL to clone a git repository, you can add Terraform and environment variables needed by your Terraform code to [variables.csv](./variables.csv) and remove the "name" variable. You can also add the edited variables.csv file to your repository.
diff --git a/operations/sentinel-policies-scripts/README.md b/operations/sentinel-policies-scripts/README.md
@@ -5,11 +5,11 @@ These are scripts that can be used to export and import Sentinel policies betwee
 1. Generate a [team token](https://www.terraform.io/docs/enterprise/users-teams-organizations/service-accounts.html#team-service-accounts) for the owners team in your organization in the Terraform Enterprise UI by selecting your organization settings, then Teams, then owners, and then clicking the Generate button and saving the token that is displayed.
 1. `export TFE_TOKEN=<owners_token>` where \<owners_token\> is the token generated in the previous step.
 1. `export TFE_ORG=<your_organization>` where \<your_organization\> is the name of your target TFE organization.
-1. `export TFE_ADDR=<your_custom_address>` where \<your_custom_address\> is the address of your target TFE server in the format server.domain.tld. If you do not set this environment variable it will default to the Terraform Enterprise Cloud/SaaS address of app.terraform.io.
+1. `export TFE_ADDR=<your_address>` where \<your_address\> is the custom address of your target TFE server in the format server.domain.tld. If you do not set this environment variable it will default to the Terraform Enterprise Cloud/SaaS address of app.terraform.io.
 
 ## Exporting Policies
 
-The export_policies.sh script exports all the policies from a TFE organization to the directory in which you run the script. It currently is limited to exporting 100 policies since it does not handle multiple pages from the List Policies API that retrieves them.
+The `export_policies.sh` script exports all the policies from a TFE organization to the directory in which you run the script. It currently is limited to exporting 100 policies since it does not handle multiple pages from the List Policies API that retrieves them.
 
 The script uses curl to interact with Terraform Enterprise via the TFE API.  It performs the following steps:
 
@@ -24,12 +24,12 @@ The script uses curl to interact with Terraform Enterprise via the TFE API.  It
 1. Finally, it prints out the number of policies it exported.
 
 ## Importing Policies
+The `import_policies.sh` script imports all policies in a directory into a specified organization on a specified server.
+It also adds all of them to a specified policy set, using a **policy set ID** (which can be determined by looking at the policy set's URL).
 
-The import_policies.sh script imports all policies in a directory into a specified organization on a specified server. It also adds all of them to a specified policy set, using a policy set ID which is set through the first CLI argument. 
+**Note** that you must use the policy set's ID (e.g., polset-rCLeCwoSBUHXDC7L), not the name of the policy set.
 
-For example: `./import_policies.sh sample` where \<sample>\ is the desired name of the policy set.
-
-Note that you will get errors if any of the policies you are importing already exist. Please delete any policies you plan to import first if they already exist in your organization.
+**Note** that you will get errors if any of the policies you are importing already exist. Please delete any policies you plan to import first if they already exist in your organization.
 
 The script uses curl to interact with Terraform Enterprise via the TFE API. It performs the following steps:
 
@@ -39,6 +39,35 @@ The script uses curl to interact with Terraform Enterprise via the TFE API. It p
 1. It uses curl to invoke the [Upload a Policy API](https://www.terraform.io/docs/enterprise/api/policies.html#upload-a-policy).
 1. Finally, it prints out the number of policies found and imported.
 
+### Using This Script
+
+You will need to grab the Policy Set ID from the TFE GUI to use as a CLI argument when running`import_policies.sh`
+
+1. Create Policy Set within the TFE GUI
+
+1a. Settings > Policy Sets > Create a new policy set
+
+1b. Provide friendly name, description
+
+1c. For the Policy Set Source, choose _Upload via API_
+
+1d. For the Scope of Policies, choose either option
+
+1e. Select _Create policy set_
+
+1. After creating the policy set you are returned to the Policy Sets sub-menu
+1. Select the policy set you just created
+1. Look at the URL of within your browser window
+1. The programmatic _Policy Set ID_ required for this script is contained within the URL immediately after `/policy-sets/` for example: https://app.terraform.io/app/jray-hashi/settings/policy-sets/**polset-6YVMugX6VX3FG1Zu**/edit
+1. Copy this data to your clipboard, working file, or directly terminal where you will run the `import_policies.sh` script
+1. Create the desired Sentinel policies files and copy them into the directory where the script will be executed. Be sure they have a `*.sentinel` extension
+1. Open `create-policy.template.json` and modify the value of `"mode":` to `advisory`, `soft-mandatory`, or `hard-mandatory` for the desired [enforcement type](https://www.terraform.io/docs/enterprise/api/policies.html#request-body)
+1. Execute the script as follows:
+
+`./import_policies.sh <polset-somenumber>` where \<polset-somenumber\> is your unique policy set ID
+
+**Note** if you receive the error message `Policy Upload Response:  {"errors":[{"status":"415","title":"invalid content type","detail":"content-type must be application/vnd.api+json"}]}` this means you have an existing policy with the same name that you are trying to load. Delete all policies using the `delete_policies.sh` script or manually from the GUI and try again.
+
 ## Deleting Policies
 The delete_policies.sh script **deletes all policies** from a TFE organization. It uses curl to invoke the [List Policies API](https://www.terraform.io/docs/enterprise/api/policies.html#list-policies) to retrieve all Sentinel policies. It then iterates through these and invokes the [Delete a Policy API](https://www.terraform.io/docs/enterprise/api/policies.html#delete-a-policy) to delete them one at a time.  It also prints out the ID of each deleted policy and finally gives a count of how many were deleted.
 
diff --git a/operations/sentinel-policies-scripts/import_policies.sh b/operations/sentinel-policies-scripts/import_policies.sh
@@ -8,7 +8,6 @@
 # to a user or team token that has the write or admin permission
 # for the workspace.
 
-
 if [ ! -z "$TFE_TOKEN" ]; then
   token=$TFE_TOKEN
   echo "TFE_TOKEN environment variable was found."
@@ -47,23 +46,16 @@ else
   echo "If you want to use a private TFE server, export/set TFE_ADDR."
 fi
 
-# Set workspace from first argument
+# Set policy set from first argument
 if [ ! -z "$1" ]; then
   policy_set_id=$1
-  echo "Using Policy Set ID: " $policy_set_id
+  echo "Using policy set ID: " $policy_set_id
 else
-  echo "Please provide an alphanumeric name with no spaces for the Policy Set ID."
+  echo "Please provide the policy set ID from an existing policy set."
   echo "Exiting."
   exit
 fi
 
-# Set ID of policy set that all policies should be added to
-# policy_set_id="sample"
-
-# echo "Using address: $address"
-# echo "Using organization: $organization"
-# echo "Using policy set ID: $policy_set_id"
-
 # Count the policies
 declare -i count=0
 
