Add Terraform Enterprise (Sentinel)

Integrate Prima Cloud with Terraform Enterprise (Sentinel) to enforce the policy as a code framework for Terraform workspaces that use Sentinel language with a predefined enforcement level that prevents any risky Terraform run. With the integration of Terraform Enterprise, Prisma Cloud will scan your Terraform frameworks for misconfiguration for Prisma Cloud default policies, out-of-the-box policies and custom policies.
Terraform Enterprise is a self-hosted version of Terraform Cloud deployed either on-premises or in your public cloud. While locally, Terraform requires a working directory to manage a collection of infrastructure resources using Terraform CLI, Terraform Enterprise manages multiple collections through workspaces.
As an administrator or operator of Terraform Enterprise, you can create multiple workspaces, each configured with a specific requirement through a policy set. Policy sets are groups of policies for workspaces that you can configure using any version control system (VCS). A policy set can be configured either for a select workspace or all workspaces in your enterprise. In addition to creating policy sets, you can plan runs for workspaces and customize runs for specific workspaces. Each Terraform run checks Sentinel policies for global and customized policy sets.
Create Terraform Enterprise Sentinel policy sets from your version control system as code. You need two files to ensure a Terraform policy set runs:
  • A Sentinel configuration file (sentinel.hcl) A Sentinel configuration file contains the policy name, the enforcement level of the policy, and the source path of the policy. You are required to define the actual path for a policy source in the Sentinel configuration file.
  • Policy file (policyname.sentinel) Policy file (policyname.sentinel) are individual policy files that are created in the same path as the Sentinel configuration file. The name of the policy file must be the same as the policy name in the configuration file with a .sentinel.
  1. Verify prerequisites.
    For Terraform Enterprise (Sentinel) integration with Prisma Cloud Code Security, you need access and information to multiple environments.
    • Access Key
      The Prisma Cloud access key enables you to integrate Sentinel files with Prisma Cloud console and Terraform Enterprise console. If you do not have an access key, see generate access key.
    • Secret Key
      The Prisma Cloud secret key generates with your access key. Save your secret key once it is generated, as you cannot view it again on Prima Cloud.
      The Access Key and Secret Key help initiate the integration from Prisma Cloud to Terraform Enterprise (Sentinel).
    • Terraform Enterprise Console
      Access to Terraform Enterprise Console enables you to provide Admin user token or organization token, Terraform Enterprise URL, configure policy sets, and Sentinel Parameters. The Terraform Enterprise (Sentinel) User token/Org token authorizes Prisma Cloud to access to your workspaces and helps create sentinel configuration file and policy file.
    • Cloud Database
      Access to the cloud database enables you to verify the Prisma Cloud integration through sentinel files.
  2. Integrate Terraform Enterprise (Sentinel) with Prisma Cloud.
    1. Select
      Settings > Repositories > Add Repository
    2. Select
      Terraform Enterprise (Sentinel)
    3. Add
      Terraform Enterprise URL
      Ensure an IP address and your Terraform Enterprise URL are on the allow list for Prisma Cloud. To know more about the allow list see enable access to the Prisma Cloud Console.
    4. Add
      Terraform Enterprise User /Org token
      and then select
  3. Create Sentinel files within your version control system.
    You need two Sentinel files — sentinel.hcl file and prismacloud.sentinel file to ensure Terraform policy set runs with Prisma Cloud configurations.
    1. Create a sentinel.hcl file locally or in your VCS (version control system).
    2. Copy and then paste the code from Prisma Cloud console in the new sentinel.hcl file.
      The code helps you define your policy and the enforcement level of the policy within Terraform Enterprise.
    3. Edit the source path {PATH_TO_FILE} to the location of the sentinel.hcl file in the code and then select
    4. Create a prismacloud.sentinel file locally or in your VCS (version control system).
    5. Copy and then paste the code from Prisma Cloud console in the new prismacloud.sentinel file and then select
  4. Create Sentinel Policy Sets on Terraform Enterprise console.
    1. Access Terraform Enterprise console and then select
      Settings > Policy sets > Connect a new policy set > Add new Sentinel parameters
    2. Define the scope of the policy set.
      You can enforce policies for a single workspace or to all workspaces.
    3. Add the Prisma Cloud
      Access Key
      and Prisma Cloud
      Secret Key
      and then select
      Save policy set
    4. Access the Prisma Cloud console and then select
  5. Connect Policy Set on Terraform Enterprise (Sentinel).
    1. On the Prisma Cloud console select the organization to integrate the policy set and then select
    2. Access Terraform Enterprise console and then select
      Workspaces > Workspace > Actions >Start new plan
    3. Select
      Start Plan
      to run the new policy set for the resources.
      Terraform triggers the plan for the workspace.
  6. Verify the Terraform Enterprise (Sentinel) integration with Prisma Cloud.
    1. Access your cloud database to verify the Sentinel files (.sentinel `and `sentinel.hcl) integration.
      In this example, in your cloud database, you can verify the access_token that is your Terraform user or Org token and domain strings that are auto populated based on your token entry.
    2. Access the Prisma Cloud console and then select
      Code Security > Projects
      to view the latest integrated Terraform Enterprise (Sentinel) repository to Suppress or Fix the policy misconfigurations if any.

Recommended For You