Imports enable a Sentinel policy to access reusable libraries and external dataand functions. Anyone can write their own custom import.Imports are what enable Sentinel policies to do more than look at only localcontext for making policy decisions.
Sentinel also comes with a set of standard imports.Standard imports are available to every Sentinel policy to help policy writerswith common tasks such as working with the time, network addresses, and more.
This page is about writing policies that use imports. If you'reinterested in creating a new import, please see the section on extendingSentinel for information on how to write modules andimport plugins.
To use an import, you use the import
keyword at the top of your policy. Thisspecifies the name of the import you want to use. The application you're writingthe policy for must already beconfigured to provide thatimport.
Details on imports can be found in theimport section in the language reference.
In the example below, we use the time import:
Sentinel Playground
Edit in Playground Run
Loading the playground...
Press "Run" to get policy output
There are two options to develop a policy locally when using imports:configure Sentinel to launch the import on apply
, or mock the importusing mock
. The former requires access to the import while thelatter is faster (doesn't have to launch a process for plugins) anddoesn't require the import.
Mocking Imports
The first option to developing policies locally is to mock the import values.When mocking an import, you don't need the import to be available. This can beuseful since some imports may not be available as a plugin and may only beavailable to the application the policy runs in.
Mocks are specified via the configurationfile. Mocks can also be used fortesting.
You can supply mock configuration one of two ways, depending on your use case:
- Using static data:Use this method when you can accurately represent your mock data in JSON anddo not need to mock complex Sentinel features such as functions.
- Using Sentinel code:Use this method when using a static JSON object is insufficient, such as whenyou need to mock functions or other complex Sentinel features.
Our example does not require complex data to be mocked, so a static objectis sufficient:
mock "time" { data = { now = { hour = 12 weekday_name = "Tuesday" } }}
This can be used via the CLI:
$ sentinel apply -config=config.hcl policy.sentinelPass
If you have access to the plugin binary, you can launch the import. Thebenefit of this is that it is really using the import to test yourpolicy. If the import changes, your policies may start failing. If youonly use mock data and the import changes, your policies will stillappear to work.
Imports are configured in the configuration file:
import "plugin" "custom_time" { source = "/path/to/sentinel-time-import"}
This would require the sentinel-time-import
binary. For this examplethis doesn't currently exist. We plan on writing one to provide for thissection of the documentation.
Custom Imports
You can also create your own imports.
If your policy decisions could benefit from accessing external information,then you can use custom imports as a way to do this.