hashicorp / sentinel-sdk

This SDK allows developers to extend Sentinel to source external information for use in their policies.
Mozilla Public License 2.0

No uniformity of functionality because module() call doesn't work locally #16

Closed aidanSoles closed 5 years ago

aidanSoles commented 5 years ago

Per the docs here:

There are currently some limitations mocking tfstate data in Sentinel. These issues
will be fixed in future releases of the import and core runtime.

As functions cannot be mocked in the current Sentinel testing framework, the
module() function is not available. As a result, only root module data can be mocked
at this time.

This is a huge limitation when using sentinel test because the call to module() only works when policies are run in TFE. module() calls don't work locally, even if the local testing data is formatted to match the structure of the tfplan data in TFE.

So, as it stands, a policy can't be reliably written using the Sentinel simulator and local test data, then picked up and dropped into TFE as is, because the call to module() doesn't exist in both environments--which is the ideal workflow.

sarcasticadmin commented 5 years ago

This issue is also mentioned here: https://github.com/hashicorp/terraform-guides/issues/64

aidanSoles commented 5 years ago

The 0.8.0 release allows the module(...) functionality to be mocked, so it can now be worked around (whereas there was no straightforward workaround before). The ideal workflow (IMO) would be to mimic the data format that exists in TFE and have the module(...) call act as it does in TFE, instead of having to mock the module(...) function and the data.
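
An added example, not code from this thread or from the Sentinel project: a mock `tfplan` import written as Sentinel code, where `module` is an ordinary function over constructed data, so a policy that calls `tfplan.module(path)` can be exercised with `sentinel test`. The file name, the `network` module, and all resource values are constructed for illustration.

```sentinel
# mock-tfplan.sentinel (constructed example data, hypothetical file name)
import "strings"

# Plan data keyed by module address. Every value below is constructed.
_modules = {
	"root": {
		"path":      [],
		"resources": {},
	},
	"module.network": {
		"path": ["network"],
		"resources": {
			"aws_security_group": {
				"open": {
					0: {
						"applied": {"name": "open-sg"},
						"destroy": false,
					},
				},
			},
		},
	},
}

# Policies iterate this list to reach every module, not only root.
module_paths = [
	[],
	["network"],
]

# Stand-in for tfplan.module(path): [] is root, ["network"] is "module.network".
module = func(path) {
	if length(path) < 1 {
		return _modules.root
	}
	addr = []
	for path as p {
		append(addr, "module")
		append(addr, p)
	}
	return _modules[strings.join(addr, ".")]
}

# Root-module shortcuts alongside the function.
path = _modules.root.path
resources = _modules.root.resources
```

A test case selects this file as its mock for the `tfplan` import; a policy that loops over `tfplan.module_paths` and calls `tfplan.module(path)` then sees the nested security group, which a root-only mock would hide.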