Add Terraform Cloud (Sentinel)

Integrate Prisma Cloud with Terraform Cloud (Sentinel) to enforce a policy-as-code framework for Terraform workspaces that use the Sentinel language, with a predefined enforcement level that prevents any risky Terraform run. With the Terraform Enterprise integration, Prisma Cloud scans your Terraform frameworks for misconfigurations against Prisma Cloud default policies, out-of-the-box policies and custom policies. Each misconfiguration identified can either be resolved or suppressed in the Prisma Cloud console.
Terraform Cloud is a SaaS alternative for Terraform capabilities. At the basic level, Terraform communicates with any number of supported cloud providers using a state file. A state file is used to communicate the defined requirements of a policy creation or a policy update between Terraform and your cloud provider. In practice, users usually maintain multiple versions of the state file during the creation or update of a policy; in a larger organization, however, maintenance of and access to the state file is limited. Terraform Cloud (Sentinel) stores the state file in the cloud and maintains version updates for you. Terraform Cloud (Sentinel) gives you control over access privileges, with insight into who can view or edit your state file. The state file version history gives you an overview of what your infrastructure looks like and can help you restore a previous version in case something goes wrong. The integration of Terraform Cloud (Sentinel) with Prisma Cloud is at the workspace level. As the owner of a workspace, you may have one or more workspaces you want Prisma Cloud to scan. As a user of Terraform Cloud (Sentinel), you are required to integrate each workspace separately.
  1. Verify prerequisites.
    1. For Terraform Cloud (Sentinel) integration with Prisma Cloud Code Security, you need access to, and information from, your Terraform environments.
      • Terraform Cloud console.
        Access to the Terraform Cloud console enables you to gather the Workspace ID, Workspace Name, Workspace Description, User or Team token and Sentinel Parameters, all of which are required to integrate a workspace with the Prisma Cloud console.
        The Terraform Cloud (Sentinel) User token or Team token authorizes Prisma Cloud to access your workspaces and helps create the Sentinel configuration file and policy file.
        The user or team must have either the Manage Workspaces permission at the organization level or admin permission on the workspace(s) being integrated.
        To create Terraform Cloud (Sentinel) policy sets from your version control system as code, you need two files to ensure a Terraform policy set runs for Prisma Cloud:
      • Sentinel configuration file (sentinel.hcl)
        A Sentinel configuration file contains the policy name, the enforcement level of the policy, and the source path of the policy. You must define the actual path of the policy source in the Sentinel configuration file.
      • Policy file (policyname.sentinel)
        Policy files are individual files created in the same path as the Sentinel configuration file. The name of each policy file must be the same as the policy name in the configuration file, with a .sentinel extension.
  2. Integrate and configure Terraform Cloud (Sentinel) with Prisma Cloud.
    1. Select Settings > Repositories > Add Repository.
    2. Select Terraform Cloud (Sentinel).
    3. Add Workspace Id, Workspace Name, Workspace Description and Terraform User or Team Token.
      If you do not have this information, access Terraform Cloud console > Workspace > Settings > General to view and copy the required values.
    4. Select Next.
  3. Create Sentinel files within your version control system.
    You need two Sentinel files, sentinel.hcl, which defines the relevant policies, and prismacloud.sentinel, which contains the actual policy logic, to ensure the Terraform policy set runs with Prisma Cloud configurations.
    1. Create a sentinel.hcl file in your VCS (version control system).
    2. Copy the code from the Prisma Cloud console and paste it into the new sentinel.hcl file.
      The code defines your policy and the enforcement level of the policy within Terraform Enterprise.
    3. Optionally, edit the default source path ./prismacloud.sentinel in the code to the location of another Sentinel file, and then select Next. Using the default value is recommended.
    4. Create a prismacloud.sentinel file in your VCS.
    5. Copy the code from the Prisma Cloud console and paste it into the new prismacloud.sentinel file (or another file if you are not using the default value), and then select Next.
  4. Connect the policy set in the Terraform Cloud console.
    1. Access the Terraform Cloud console and then select Settings > Policy sets > Connect a new policy set.
    2. Select the version control system, the repository, the branch and the repository path where you created the files.
    3. Add the Name and Description of the policy.
    4. Select Scope of Policies. Policies enforced on selected workspaces is the default selection.
    5. Select Connect policy set.
    6. Select Settings > Policy Set > Sentinel Parameters and select Add parameter.
    7. Add api_key and then select Sensitive.
    8. Access Workspaces > Workspace > Actions > Start new plan to validate the new policy set against the workspace.
      Access Code Security > Projects to view the latest integrated Terraform Cloud (Sentinel) repository and to Suppress or Fix the policy misconfigurations.