Computed/ Known after apply values in Hashicorp Sentinel

In my time helping people troubleshoot Sentinel, a very large portion of issues can be traced back to a single concept:

computed or known after apply values.

This is a simple concept in theory- say that you wanted to perform a Sentinel policy check against a newly created AWS instance via it's instance ID- this wouldn't be possible, as Sentinel takes place between the Terraform plan and apply phases. There's no way of knowing what a given instance ID is going to be until after the AWS API call that Terraform makes is complete(after the apply).

This behavior is pretty straightforward- if you can't see the value before the apply, you can't easily use Sentinel(at least tfplan) to check them.

Whether a value is computed depends on how the resource in the associated provider is written.

However, it can be complex at times, as you may be operating on a static item (such as IAM policy) that may use computed values within. If any portion of an given item is computed, Sentinel treats the entire thing as computed.

As such, it's best to break things up into individual items, which reduces the chance that a given piece of that item is computed. For IAM policies, you can use the aws_iam_policy_document data source.

Because of a quirk of the behavior of terraform show -json(which generates the data that Sentinel policies run against), data sources without computed values appear in tfstate/v2 and not tfplan/v2– you'll need the associated import to effectively operate on them.

In Sentinel mocks, you can check for this by reviewing after_unknown, which contains a boolean indicating whether a given value is computed/known after apply.

The data source present in the mocks also contains this field, which will tell you the intended behavior of the value.

There are only a couple of realistic ways to deal with these values in Sentinel- either use tfconfig to operate against the Terraform configuration itself (this is fragile, error-prone, and might not even work), or use tfstate to check AFTER the run is completed to flag violating resources for developers to fix later.