Add Terraform Enterprise (Sentinel)

Integrate Prisma Cloud with Terraform Enterprise (Sentinel) to enforce policy as code for Terraform workspaces. Policies are written in the Sentinel language with a predefined enforcement level that prevents risky Terraform runs. With the Terraform Enterprise integration, Prisma Cloud scans your Terraform code for misconfigurations against Prisma Cloud default policies, out-of-the-box policies, and custom policies.
Terraform Enterprise is a self-hosted version of Terraform Cloud, deployed either on-premises or in your public cloud. While Terraform run locally requires a working directory to manage a collection of infrastructure resources through the Terraform CLI, Terraform Enterprise manages multiple collections through workspaces.
As an administrator or operator of Terraform Enterprise, you can create multiple workspaces, each configured with a specific requirement through a policy set. Policy sets are groups of policies for workspaces that you can configure using any version control system (VCS). A policy set can be configured either for a select workspace or all workspaces in your enterprise. In addition to creating policy sets, you can plan runs for workspaces and customize runs for specific workspaces. Each Terraform run checks Sentinel policies for global and customized policy sets.
Create Terraform Enterprise Sentinel policy sets as code in your version control system. You need two files for a Terraform policy set to run:
  • A Sentinel configuration file (sentinel.hcl). The Sentinel configuration file contains the policy name, the enforcement level of the policy, and the source path of the policy. You must define the actual path of the policy source in the Sentinel configuration file.
  • A policy file (policyname.sentinel). Policy files are individual files created in the same path as the Sentinel configuration file. The name of each policy file must match the policy name in the configuration file, with a .sentinel extension.
  1. Verify prerequisites.
    For Terraform Enterprise (Sentinel) integration with Prisma Cloud Application Security, you need access and information to multiple environments.
    • Access Key
      The Prisma Cloud access key enables you to integrate Sentinel files with Prisma Cloud console and Terraform Enterprise console. If you do not have an access key, see generate access key.
    • Secret Key
      The Prisma Cloud secret key is generated together with your access key. Save your secret key as soon as it is generated, because you cannot view it again on Prisma Cloud.
      The Access Key and Secret Key help initiate the integration from Prisma Cloud to Terraform Enterprise (Sentinel).
    • Terraform Enterprise Console
      Access to the Terraform Enterprise console enables you to provide the Admin user token and Terraform Enterprise URL, and to configure policy sets and Sentinel parameters. The Terraform Enterprise (Sentinel) user token or team token authorizes Prisma Cloud to access your workspaces and helps create the Sentinel configuration file and policy file. The user or team must have either the
      Manage Workspaces
      permission at the organization level or admin permission on the workspace(s) being integrated.
    • Cloud Database
      Access to the cloud database enables you to verify the Prisma Cloud integration through sentinel files.
  2. Integrate Terraform Enterprise (Sentinel) with Prisma Cloud.
    1. Select
      Settings > Repositories > Add Repository
      .
    2. Select
      Terraform Enterprise (Sentinel)
      .
    3. Add
      Terraform Enterprise URL
      .
      Ensure that the IP address and your Terraform Enterprise URL are on the allow list for Prisma Cloud. To learn more about the allow list, see enable access to the Prisma Cloud Console.
    4. Add
      Terraform Enterprise User / Team token
      and then select
      Next
      .
  3. Create Sentinel files within your version control system.
    You need two Sentinel files for the Terraform policy set to run with Prisma Cloud configurations: sentinel.hcl, which defines the relevant policies, and prismacloud.sentinel, which contains the actual policy logic.
    1. Create a sentinel.hcl file in your VCS (version control system).
    2. Copy and then paste the code from Prisma Cloud console in the new sentinel.hcl file.
      The code helps you define your policy and the enforcement level of the policy within Terraform Enterprise. The enforcement level can be set to one of three values:
      • hard-mandatory means your Terraform cannot be applied until you resolve or suppress all failing Application Security policies.
      • soft-mandatory means your Terraform runs are blocked but can be overridden to still apply the IaC.
      • advisory means Application Security will report and record policy violations but will not block a Terraform apply.
    3. Optionally, edit the default source path ./prismacloud.sentinel in the code to the location of another Sentinel file, and then select
      Next
      .
      We recommend using the default value ./prismacloud.sentinel.
    4. Create a prismacloud.sentinel file in your VCS (version control system).
    5. Copy and then paste the code from Prisma Cloud console in the new prismacloud.sentinel file (or another file if you are not using the default value), and then select
      Next
      .
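The sentinel.hcl described in the steps above, as an added illustration of its shape (this is not the code generated by the Prisma Cloud console; the policy name and source path are the page's defaults, and the enforcement level is one of the three values listed above):

```hcl
# Illustrative sentinel.hcl (added example, not the console-generated file).
# One policy block per Sentinel policy. The block label must match the
# policy file name without its .sentinel extension, so this block pairs
# with ./prismacloud.sentinel in the same directory.
policy "prismacloud" {
  # Path to the policy file, relative to this configuration file.
  # The page recommends keeping the default ./prismacloud.sentinel.
  source = "./prismacloud.sentinel"

  # One of:
  #   "hard-mandatory" - the run cannot apply until every failing
  #                      Application Security policy is resolved or suppressed
  #   "soft-mandatory" - the run is blocked but an authorized user may override
  #   "advisory"       - violations are reported and recorded; apply proceeds
  enforcement_level = "hard-mandatory"
}
```

Note that the Prisma Cloud Access Key and Secret Key do not belong in this file: per the policy-set steps that follow, they are entered as Sentinel parameters when you connect the policy set in the Terraform Enterprise console, which keeps the credentials out of version control.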
  4. Create Sentinel Policy Sets on Terraform Enterprise console.
    1. Access Terraform Enterprise console and then select
      Settings > Policy sets > Connect a new policy set > Add new Sentinel parameters
      .
    2. Define the scope of the policy set.
      You can enforce policies for a single workspace or to all workspaces.
    3. Add the Prisma Cloud
      Access Key
      and Prisma Cloud
      Secret Key
      and then select
      Save policy set
      .
    4. Access the Prisma Cloud console and then select
      Next
      .
  5. Connect Policy Set on Terraform Enterprise (Sentinel).
    1. On the Prisma Cloud console select the organization to integrate the policy set and then select
      Next
      .
    2. Access Terraform Enterprise console and then select
      Workspaces > Workspace > Actions > Start new plan
      .
    3. Select
      Start Plan
      to run the new policy set for the resources.
      Terraform triggers the plan for the workspace.
  6. Verify the Terraform Enterprise (Sentinel) integration with Prisma Cloud.
    1. Access your cloud database to verify the integration of the Sentinel files (.sentinel and sentinel.hcl).
      In your cloud database, you can verify the access_token, which is your Terraform user or team token, and the domain strings, which are auto-populated based on your token entry.
    2. Access the Prisma Cloud console and then select
      Done
      .
      Access
      Application Security > Projects
      to view the newly integrated Terraform Enterprise (Sentinel) repository and to suppress or fix any policy misconfigurations.