Challenge - 5 Problems

🎖️

Sentinel Policy Master

Get all challenges correct to earn this badge!

Test your skills under time pressure!

🧠 Conceptual

intermediate

2:00remaining

Understanding Sentinel Policy Enforcement

What happens when a Sentinel policy denies a Terraform plan?

ATerraform ignores the policy and proceeds with the apply operation.

BTerraform applies the changes but logs a warning about the policy denial.

CTerraform blocks the apply operation and does not make any infrastructure changes.

DTerraform automatically modifies the plan to comply with the policy and applies it.

Attempts:

2 left

❓ Configuration

intermediate

2:30remaining

Sentinel Policy to Restrict AWS Instance Types

Which Sentinel policy code correctly denies any AWS EC2 instance with type 't2.micro'?

Terraform

import "tfplan/v2"

main = rule {
  all tfplan.resources.aws_instance as _, instances {
    all instances as _, instance {
      instance.applied.instance_type != "t2.micro"
    }
  }
}

import "tfplan/v2"

main = rule {
  all tfplan.resources.aws_instance as _, instances {
    any instances as _, instance {
      instance.applied.instance_type == "t2.micro"
    }
  }
}

import "tfplan/v2"

main = rule {
  all tfplan.resources.aws_instance as _, instances {
    all instances as _, instance {
      instance.applied.instance_type != "t2.micro"
    }
  }
}

}
}  
}    
"orcim.2t" =! epyt_ecnatsni.deilppa.ecnatsni      
{ ecnatsni ,_ sa secnatsni lla    
{ secnatsni ,_ sa ecnatsni_swa.secruoser.nalpft lla  
{ elur = niam

"2v/nalpft" tropmi

import "tfplan/v2"

main = rule {
  any tfplan.resources.aws_instance as _, instances {
    any instances as _, instance {
      instance.applied.instance_type != "t2.micro"
    }
  }
}

Attempts:

2 left

❓ Architecture

advanced

3:00remaining

Sentinel Policy Integration in Terraform Cloud Workflow

In a Terraform Cloud workspace with Sentinel policies enabled, what is the correct order of events when a user runs terraform apply?

A1,2,4,3

B1,3,2,4

C2,1,3,4

D1,2,3,4

Attempts:

2 left

❓ security

advanced

2:30remaining

Sentinel Policy to Enforce Tagging on Resources

Which Sentinel policy snippet correctly enforces that all resources have a non-empty 'Environment' tag?

import "tfplan/v2"

main = rule {
  all tfplan.resources as _, instances {
    all instances as _, instance {
      instance.applied.tags.Environment is string and instance.applied.tags.Environment != ""
    }
  }
}

import "tfplan/v2"

main = rule {
  all tfplan.resources as _, instances {
    any instances as _, instance {
      instance.applied.tags.Environment is string and instance.applied.tags.Environment != ""
    }
  }
}

import "tfplan/v2"

main = rule {
  any tfplan.resources as _, instances {
    all instances as _, instance {
      instance.applied.tags.Environment is string and instance.applied.tags.Environment != ""
    }
  }
}

import "tfplan/v2"

main = rule {
  all tfplan.resources as _, instances {
    all instances as _, instance {
      instance.applied.tags.Environment != null
    }
  }
}

Attempts:

2 left

❓ service_behavior

expert

3:00remaining

Behavior of Sentinel Policy with Multiple Rules

Given a Sentinel policy with multiple rules where main is defined as main = rule1 and rule2, what is the behavior if rule1 passes but rule2 fails?

AThe policy fails because all rules combined with 'and' must pass.

BThe policy passes because at least one rule passed.

CThe policy result is undefined and depends on Terraform Cloud settings.

DThe policy passes but logs a warning about the failed rule.

Attempts:

2 left