
Commit 54f55d6

committed
Added lab 3
1 parent 84f3fc3 commit 54f55d6


3 files changed

+79
-2
lines changed


lab02/README.md

Lines changed: 3 additions & 1 deletion
Original file line number | Diff line number | Diff line change
@@ -4,6 +4,8 @@ Duration: 45 minutes
44

55
This lab demonstrates how to connect Terraform Enterprise to a source code management system (GitHub) and create a Workspace that can apply the Terraform configuration when changes are committed. This is called a [VCS-driven run workflow](https://www.terraform.io/docs/enterprise/run/ui.html).
66

7+
To perform this Lab you will create a new account in [Terraform Enterprise trial account](https://app.terraform.io/account/new), and create your own Organization within Terraform Enterprise.
8+
79
This lab is for use with a student's own AWS credentials and is intended to run on Terraform Enterprise, however, this lab can also be run locally, see [local.md](local.md) for steps.
810

911
The Terraform configuration in this directory will provision one or more AWS EC2 instances and deploy an example Go application. To install the application, Terraform will generate a RSA SSH public and private key pair by Terraform using the Terraform [tls_private_key](https://www.terraform.io/docs/providers/tls/r/private_key.html) provider.
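Review bot: the sentence added on the `7+` line reads awkwardly ("create a new account in Terraform Enterprise trial account"); suggest "To perform this lab, sign up for a Terraform Enterprise trial account and create your own Organization." Since the following context line says the lab runs with the student's own AWS credentials and the lab is a VCS-driven run workflow, this is also the natural place to remind students not to commit those credentials into the cloned repository.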
@@ -51,7 +53,7 @@ $ git clone https://github.com/$USER/aws-terraform-workshop.git
5153

5254
#### Step 1.2: Connect GitHub to TFE
5355

54-
Please go to [https://app.terraform.io](https://app.terraform.io) and create a new Organization. You’ll see an empty page where your workplaces will be.
56+
Please go to [https://app.terraform.io](https://app.terraform.io) and create a new Organization, or Navigate to an Organization you created earlier. The URL format is: `https://app.terraform.io/app/<your-organization-name>`
5557

5658
- Go to [GitHub](https://github.com/settings/profile) and find your Settings page, accessed from the menu on your avatar.
5759
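Review bot: style on the `56+` line: "Navigate" should be lower-case mid-sentence, and the clause reads better as "create a new Organization, or navigate to one you created earlier." The URL format example is a useful addition; consider ending the sentence with a period.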

lab03/README.md

Lines changed: 45 additions & 1 deletion
@@ -1 +1,45 @@
1-
### Lab03 - Sentinel - to be implemented
1+
### Lab03 - Sentinel Policy as Code
2+
3+
In this Lab we will continue to use your Organization we setup in lab02. Using Sentinel policy-as-code framework we will restrict the AWS EC2 instance type being deployed.
4+
- The Sentinel policy code is included in lab03 directory: [restrict-aws-instance-type.sentinel](restrict-aws-instance-type.sentinel).
5+
- You can view [example Sentinel policies on AWS](https://github.com/hashicorp/terraform-guides/tree/master/governance/aws) in terraform-guides repo.
6+
7+
**Tasks:**
8+
- Task 1: Add Sentinel policy to Organization
9+
- Task 2: Queue a Plan
10+
- Task 3: View Sentinel policy failure and Override
11+
- Task 4: Destroy provisioned infrastructure
12+
13+
### Terraform Enterprise
14+
15+
### Task 1: Add Sentinel policy to Organization
16+
17+
**Steps:**
18+
- Go to your Organization URL, which is in the format: `https://app.terraform.io/app/<your-organization-name>`
19+
- Click on Settings at the top
20+
- Click on "Sentinel policies" from the Organization Settings menu on the left
21+
- Click "Add New Policy"
22+
- Set "POLICY NAME" to
23+
- Set "ENFORCEMENT MODE" to soft-mandatory (can override)
24+
- In "POLICY CODE", add the contents of [restrict-aws-instance-type.sentinel](restrict-aws-instance-type.sentinel).
25+
26+
- Click "Create policy"
27+
28+
### Task 2: Queue a plan
29+
30+
**Steps:**
31+
- Click on "Workspaces" from the top, and click on the Workspace you used for lab02.
32+
- Click on "Queue plan" from the top.
33+
34+
### Task 3: View Sentinel policy failure and Override
35+
36+
**Steps:**
37+
- The Run should show a Policy failure. View the Allowed EC2 instance types in Sentinel Policy code. You will see it is restricted to `t2.small`.
38+
- Our [main.tf](../lab02/server/main.tf) is using an instance type of `t2.medium` which is causing the Policy to fail.
39+
- Since you are the owner of the Organization, you are able to Override this Policy failure.
40+
- Click on "Override" button Optionally adding some comments
41+
- Click on "Confirm and Apply" button to allow the Run to complete.
42+
43+
### Task 4: Destroy provisioned infrastructure
44+
**Steps:**
45+
- Use the same steps as Lab02 to Destroy provisioned infrastructure
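Review bot: the step on line `22+`, `- Set "POLICY NAME" to`, is missing the value, and the name appears nowhere else in the lab, so a reader cannot complete Task 1 as written. Suggest naming the policy after its source file, e.g. `restrict-aws-instance-type`, so the two stay matched. Line `23+` could add why soft-mandatory was chosen: Task 3 depends on the Organization owner overriding the failure, which a hard-mandatory policy would not allow. Minor wording: line `3+` "continue to use your Organization we setup in lab02" should be "continue to use the Organization you set up in lab02"; the Task 2 heading ("Queue a plan") differs in case from the task list ("Queue a Plan"); and line `40+` needs a comma before "optionally adding some comments".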
Lines changed: 31 additions & 0 deletions
@@ -0,0 +1,31 @@
1+
import "tfplan"
2+
3+
# Get all AWS instances from all modules
4+
get_aws_instances = func() {
5+
instances = []
6+
for tfplan.module_paths as path {
7+
instances += values(tfplan.module(path).resources.aws_instance) else []
8+
}
9+
return instances
10+
}
11+
12+
# Allowed Types
13+
allowed_types = [
14+
"t2.small"
15+
]
16+
17+
aws_instances = get_aws_instances()
18+
19+
# Rule to restrict instance types
20+
instance_type_allowed = rule {
21+
all aws_instances as _, instances {
22+
all instances as index, r {
23+
r.applied.instance_type in allowed_types
24+
}
25+
}
26+
}
27+
28+
# Main rule that requires other rules to be true
29+
main = rule {
30+
(instance_type_allowed) else true
31+
}
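Review bot: the `else true` on line `30+` fails open. In Sentinel, `else` supplies a value when the left-hand side is undefined, so if `r.applied.instance_type` is undefined for any instance (for example a value not known until apply), `instance_type_allowed` evaluates to undefined and `main` passes instead of failing, which defeats the restriction the README describes. Suggest `(instance_type_allowed) else false`, or make the inner check explicit on line `23+` with `(r.applied.instance_type else "") in allowed_types` so an unknown type fails the rule rather than silently passing it.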
